From 3de9778fbc586b415f339ace36a42f99cd4e0ce5970dbc5e94baa482067868e6 Mon Sep 17 00:00:00 2001 
From: Dominique Leuenberger
Date: Tue, 6 Oct 2020 15:06:19 +0000
Subject: [PATCH 01/35] Accepting request 832021 from security:SELinux

Policy is in better state now and should be fine for people with basic SELinux knowledge

OBS-URL: https://build.opensuse.org/request/show/832021
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=1
---
 booleans-minimum.conf | 83 +++--
 booleans-mls.conf | 236 +--------------
 booleans-targeted.conf | 245 ++-------------
 distro_suse_to_distro_redhat.patch | 209 -------------
 dontaudit_interface_kmod_tmpfs.patch | 41 ---
 fedora-policy-20221019.tar.bz2 | 3 -
 fedora-policy.20200717.tar.bz2 | 3 +
 file_contexts.subs_dist | 1 -
 fix_alsa.patch | 15 -
 fix_apache.patch | 10 +-
 fix_auditd.patch | 12 -
 fix_authlogin.patch | 12 +-
 fix_bitlbee.patch | 12 -
 fix_chronyd.patch | 17 +-
 fix_cloudform.patch | 13 -
 fix_colord.patch | 18 +-
 fix_corecommand.patch | 11 +-
 fix_cron.patch | 29 +-
 fix_dbus.patch | 12 +-
 fix_dnsmasq.patch | 12 -
 fix_dovecot.patch | 15 -
 fix_firewalld.patch | 14 +-
 fix_gift.patch | 9 +
 fix_hadoop.patch | 30 ++
 fix_hypervkvp.patch | 15 -
 fix_init.patch | 66 ++--
 fix_iptables.patch | 10 +-
 fix_kernel_sysctl.patch | 26 --
 fix_libraries.patch | 13 -
 fix_locallogin.patch | 14 +-
 fix_logging.patch | 14 +-
 fix_logrotate.patch | 8 +-
 fix_nagios.patch | 2 +-
 fix_networkmanager.patch | 69 +---
 fix_nscd.patch | 14 +-
 fix_policykit.patch | 13 +
 fix_postfix.patch | 38 +--
 fix_rpm.patch | 26 +-
 fix_selinuxutil.patch | 21 +-
 fix_snapper.patch | 18 +-
 fix_sysnetwork.patch | 8 +-
 fix_systemd.patch | 32 +-
 fix_systemd_watch.patch | 17 --
 fix_thunderbird.patch | 8 +-
 fix_unconfined.patch | 8 +-
 fix_unconfineduser.patch | 12 +-
 fix_unprivuser.patch | 8 +-
 fix_userdomain.patch | 12 -
 fix_usermanage.patch | 10 +-
 fix_wine.patch | 23 --
 fix_xserver.patch | 45 +--
 modules-minimum-base.conf | 8 +
 modules-minimum-contrib.conf | 14 +
 modules-targeted-base.conf | 14 +-
 modules-targeted-contrib.conf | 14 +
 rebootmgr.fc | 1 -
 rebootmgr.if | 61 ----
 rebootmgr.te | 37 ---
 rtorrent.fc | 2 +-
 rtorrent.if | 158 +++++-----
 rtorrent.te | 85 +++---
 selinux-policy.changes | 435 ---------------------------
 selinux-policy.spec | 168 ++++++-----
 suse_specific.patch | 13 +
 systemd_domain_dyntrans_type.patch | 13 -
 update.sh | 18 +-
 users-minimum | 1 -
 users-mls | 2 -
 users-targeted | 3 -
 wicked.fc | 1 -
 wicked.te | 8 +-
 71 files changed, 617 insertions(+), 2051 deletions(-)
 delete mode 100644 distro_suse_to_distro_redhat.patch
 delete mode 100644 dontaudit_interface_kmod_tmpfs.patch
 delete mode 100644 fedora-policy-20221019.tar.bz2
 create mode 100644 fedora-policy.20200717.tar.bz2
 delete mode 100644 fix_alsa.patch
 delete mode 100644 fix_auditd.patch
 delete mode 100644 fix_bitlbee.patch
 delete mode 100644 fix_cloudform.patch
 delete mode 100644 fix_dnsmasq.patch
 delete mode 100644 fix_dovecot.patch
 create mode 100644 fix_gift.patch
 create mode 100644 fix_hadoop.patch
 delete mode 100644 fix_hypervkvp.patch
 delete mode 100644 fix_kernel_sysctl.patch
 delete mode 100644 fix_libraries.patch
 create mode 100644 fix_policykit.patch
 delete mode 100644 fix_systemd_watch.patch
 delete mode 100644 fix_userdomain.patch
 delete mode 100644 fix_wine.patch
 delete mode 100644 rebootmgr.fc
 delete mode 100644 rebootmgr.if
 delete mode 100644 rebootmgr.te
 create mode 100644 suse_specific.patch
 delete mode 100644 systemd_domain_dyntrans_type.patch

diff --git a/booleans-minimum.conf b/booleans-minimum.conf
index 5185257..2e00a7a 100644
--- a/booleans-minimum.conf
+++ b/booleans-minimum.conf
@@ -4,19 +4,19 @@ allow_execmem = false # Allow making a modified private filemapping executable (text relocation). # -selinuxuser_execmod = false +allow_execmod = false # Allow making the stack executable via mprotect.Also requires allow_execmem. # -selinuxuser_execstack = false +allow_execstack = true # Allow ftpd to read cifs directories. # -ftpd_use_cifs = false +allow_ftpd_use_cifs = false # Allow ftpd to read nfs directories. # -ftpd_use_nfs = false +allow_ftpd_use_nfs = false # Allow ftp servers to modify public filesused for public file transfer services. # @@ -24,7 +24,7 @@ allow_ftpd_anon_write = false # Allow gssd to read temp directory. # -gssd_read_tmp = true +allow_gssd_read_tmp = true # Allow Apache to modify public filesused for public file transfer services. # @@ -32,7 +32,7 @@ allow_httpd_anon_write = false # Allow Apache to use mod_auth_pam module # -httpd_mod_auth_pam = false +allow_httpd_mod_auth_pam = false # Allow system to run with kerberos # @@ -44,7 +44,7 @@ allow_rsync_anon_write = false # Allow sasl to read shadow # -saslauthd_read_shadow = false +allow_saslauthd_read_shadow = false # Allow samba to modify public filesused for public file transfer services. # @@ -56,7 +56,7 @@ allow_ypbind = false # Allow zebra to write it own configuration files # -zebra_write_config = false +allow_zebra_write_config = false # Enable extra rules in the cron domainto support fcron. # 
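Review bot: In the `@@ -4,19 +4,19 @@` hunk the value is flipped, not just the name: `-selinuxuser_execstack = false` becomes `+allow_execstack = true`, while every other line in these hunks (`allow_execmod`, `allow_ftpd_use_cifs`, `allow_gssd_read_tmp`, `allow_saslauthd_read_shadow`, `allow_zebra_write_config`, …) only renames the boolean and keeps its value. The comment kept above it still says this makes the stack executable via mprotect and "Also requires allow_execmem", and the hunk header context shows `allow_execmem = false`, so the flip is probably inert on its own but leaves the documented intent and the value at odds; if it is deliberate for the minimum policy, add a comment such as `# set to true on purpose: <reason>` above it, otherwise keep `allow_execstack = false`. Whether the `allow_*` names are actually declared by the policy tarball this revision ships cannot be checked from the hunk; a name that the policy does not define would make the whole override file fail to apply, so that is worth confirming against the tarball.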
@@ -148,35 +148,55 @@ user_ping = false # allow host key based authentication # -ssh_keysign = false +allow_ssh_keysign = false # Allow pppd to be run for a regular user # pppd_for_user = false +# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted +# +read_untrusted_content = false + # Allow spamd to write to users homedirs # spamd_enable_home_dirs = false +# Allow regular users direct mouse access +# +user_direct_mouse = false + +# Allow users to read system messages. +# +user_dmesg = false + # Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) # -user_rw_noexattrfile = true +user_rw_noexattrfile = false # Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. # user_tcp_server = false +# Allow w to display everyone +# +user_ttyfile_stat = false + +# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored. +# +write_untrusted_content = false + # Allow all domains to talk to ttys # -daemons_use_tty = false +allow_daemons_use_tty = false # Allow login domains to polyinstatiate directories # -polyinstantiation_enabled = false +allow_polyinstantiation = false # Allow all domains to dump core # -daemons_dump_core = true +allow_daemons_dump_core = true # Allow samba to act as the domain controller # 
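Review bot: `+user_rw_noexattrfile = false` here conflicts with the later `@@ -188,24 +208,36 @@` hunk of the same file, which keeps a second `user_rw_noexattrfile=true` entry; the old file already listed the boolean twice, but both copies were `true`, whereas the new side now sets it to two different values. Which one wins depends on how the spec consumes this file (last-wins or first-wins is not visible here), so the effective value of "allow users to r/w files on filesystems without extended attributes" becomes an accident of parsing order. Keep exactly one entry; if `false` is the intended default, delete the `user_rw_noexattrfile=true` line from the later hunk.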
@@ -188,24 +208,36 @@ samba_run_unconfined = false # Allows XServer to execute writable memory # -xserver_execmem = false +allow_xserver_execmem = false # disallow guest accounts to execute files that they can create # -guest_exec_content = false -xguest_exec_content = false +allow_guest_exec_content = false +allow_xguest_exec_content = false + +# Only allow browser to use the web +# +browser_confine_xguest=false # Allow postfix locat to write to mail spool # -postfix_local_write_mail_spool = false +allow_postfix_local_write_mail_spool=false # Allow common users to read/write noexattrfile systems # -user_rw_noexattrfile = true +user_rw_noexattrfile=true # Allow qemu to connect fully to the network # -qemu_full_network = true +qemu_full_network=true + +# Allow nsplugin execmem/execstack for bad plugins +# +allow_nsplugin_execmem=true + +# Allow unconfined domain to transition to confined domain +# +allow_unconfined_nsplugin_transition=true # System uses init upstart program # @@ -213,20 +245,9 @@ init_upstart = true # Allow mount to mount any file/dir # -mount_anyfile = true +allow_mount_anyfile = true # Allow all domains to mmap files # domain_can_mmap_files = true -# Allow confined applications to use nscd shared memory -# -nscd_use_shm = true - -# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox -# -unconfined_chrome_sandbox_transition = true - -# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container. -# -unconfined_mozilla_plugin_transition = true diff --git a/booleans-mls.conf b/booleans-mls.conf index 3892f99..6b75dd8 100644 --- a/booleans-mls.conf +++ b/booleans-mls.conf 
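Review bot: The added and rewritten entries in the `@@ -188,24 +208,36 @@` hunk use `name=value` with no spaces (`browser_confine_xguest=false`, `allow_postfix_local_write_mail_spool=false`, `user_rw_noexattrfile=true`, `qemu_full_network=true`, `allow_nsplugin_execmem=true`, `allow_unconfined_nsplugin_transition=true`), while the rest of the file, including the `+allow_mount_anyfile = true` line in the following hunk, uses `name = value`. Whether the consumer of this file tolerates both spellings is not visible here, so normalising to the file's `name = value` form removes a parsing question for free. Separately, `allow_nsplugin_execmem=true` and `allow_unconfined_nsplugin_transition=true` both default to the permissive setting for the plugin domain with only the one-line descriptions above them; a short note of why the defaults are on, e.g. `# on by default: <reason>`, would help the next person auditing these overrides.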
@@ -1,232 +1,6 @@ -# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. -# -allow_execmem = false - -# Allow making a modified private filemapping executable (text relocation). -# -selinuxuser_execmod = false - -# Allow making the stack executable via mprotect.Also requires allow_execmem. -# -selinuxuser_execstack = false - -# Allow ftpd to read cifs directories. -# -ftpd_use_cifs = false - -# Allow ftpd to read nfs directories. -# -ftpd_use_nfs = false - -# Allow ftp servers to modify public filesused for public file transfer services. -# -allow_ftpd_anon_write = false - -# Allow gssd to read temp directory. -# -gssd_read_tmp = true - -# Allow Apache to modify public filesused for public file transfer services. -# -allow_httpd_anon_write = false - -# Allow Apache to use mod_auth_pam module -# -httpd_mod_auth_pam = false - -# Allow system to run with kerberos -# -allow_kerberos = true - -# Allow rsync to modify public filesused for public file transfer services. -# -allow_rsync_anon_write = false - -# Allow sasl to read shadow -# -saslauthd_read_shadow = false - -# Allow samba to modify public filesused for public file transfer services. -# -allow_smbd_anon_write = false - -# Allow system to run with NIS -# -allow_ypbind = false - -# Allow zebra to write it own configuration files -# -zebra_write_config = false - -# Enable extra rules in the cron domainto support fcron. -# -fcron_crond = false - -# -# allow httpd to connect to mysql/posgresql -httpd_can_network_connect_db = false - -# -# allow httpd to send dbus messages to avahi -httpd_dbus_avahi = true - -# -# allow httpd to network relay -httpd_can_network_relay = false - -# Allow httpd to use built in scripting (usually php) -# -httpd_builtin_scripting = true - -# Allow http daemon to tcp connect -# -httpd_can_network_connect = false - -# Allow httpd cgi support -# -httpd_enable_cgi = true - -# Allow httpd to act as a FTP server bylistening on the ftp port. 
-# -httpd_enable_ftp_server = false - -# Allow httpd to read home directories -# -httpd_enable_homedirs = false - -# Run SSI execs in system CGI script domain. -# -httpd_ssi_exec = false - -# Allow http daemon to communicate with the TTY -# -httpd_tty_comm = false - -# Run CGI in the main httpd domain -# -httpd_unified = false - -# Allow BIND to write the master zone files.Generally this is used for dynamic DNS. -# -named_write_master_zones = false - -# Allow nfs to be exported read/write. -# -nfs_export_all_rw = true - -# Allow nfs to be exported read only -# -nfs_export_all_ro = true - -# Allow pppd to load kernel modules for certain modems -# -pppd_can_insmod = false - -# Allow reading of default_t files. -# -read_default_t = false - -# Allow samba to export user home directories. -# -samba_enable_home_dirs = false - -# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. -# -squid_connect_any = false - -# Support NFS home directories -# -use_nfs_home_dirs = true - -# Support SAMBA home directories -# -use_samba_home_dirs = false - -# Control users use of ping and traceroute -# -user_ping = false - -# allow host key based authentication -# -ssh_keysign = false - -# Allow pppd to be run for a regular user -# -pppd_for_user = false - -# Allow spamd to write to users homedirs -# -spamd_enable_home_dirs = false - -# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) -# -user_rw_noexattrfile = true - -# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. 
-# -user_tcp_server = false - -# Allow all domains to talk to ttys -# -daemons_use_tty = false - -# Allow login domains to polyinstatiate directories -# -polyinstantiation_enabled = false - -# Allow all domains to dump core -# -daemons_dump_core = true - -# Allow samba to act as the domain controller -# -samba_domain_controller = false - -# Allow samba to export user home directories. -# -samba_run_unconfined = false - -# Allows XServer to execute writable memory -# -xserver_execmem = false - -# disallow guest accounts to execute files that they can create -# -guest_exec_content = false -xguest_exec_content = false - -# Allow postfix locat to write to mail spool -# -postfix_local_write_mail_spool = false - -# Allow common users to read/write noexattrfile systems -# -user_rw_noexattrfile = true - -# Allow qemu to connect fully to the network -# -qemu_full_network = true - -# System uses init upstart program -# -init_upstart = true - -# Allow mount to mount any file/dir -# +kerberos_enabled = true mount_anyfile = true - -# Allow all domains to mmap files -# -domain_can_mmap_files = true - -# Allow confined applications to use nscd shared memory -# -nscd_use_shm = true - -# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox -# -unconfined_chrome_sandbox_transition = false - -# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container. -# -unconfined_mozilla_plugin_transition = false +polyinstantiation_enabled = true +ftpd_is_daemon = true +selinuxuser_ping = true +xserver_object_manager = true diff --git a/booleans-targeted.conf b/booleans-targeted.conf index 5185257..d8cf568 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf 
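Review bot: The rewritten booleans-mls.conf in the `@@ -1,232 +1,6 @@` hunk keeps no comments at all: every boolean the old file documented is dropped, and the six lines that remain (`kerberos_enabled = true`, `mount_anyfile = true`, `polyinstantiation_enabled = true`, `ftpd_is_daemon = true`, `selinuxuser_ping = true`, `xserver_object_manager = true`) carry no rationale. Since these are the MLS policy's overrides, a reader has to go to the policy sources to learn what `polyinstantiation_enabled` or `xserver_object_manager` turns on. A one-line header such as `# Boolean overrides for the mls policy; one "name = value" per line, all values deliberate` plus a short comment above each entry would restore what the old file provided.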
@@ -1,232 +1,23 @@ -# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. -# -allow_execmem = false - -# Allow making a modified private filemapping executable (text relocation). -# -selinuxuser_execmod = false - -# Allow making the stack executable via mprotect.Also requires allow_execmem. -# -selinuxuser_execstack = false - -# Allow ftpd to read cifs directories. -# -ftpd_use_cifs = false - -# Allow ftpd to read nfs directories. -# -ftpd_use_nfs = false - -# Allow ftp servers to modify public filesused for public file transfer services. -# -allow_ftpd_anon_write = false - -# Allow gssd to read temp directory. -# gssd_read_tmp = true - -# Allow Apache to modify public filesused for public file transfer services. -# -allow_httpd_anon_write = false - -# Allow Apache to use mod_auth_pam module -# -httpd_mod_auth_pam = false - -# Allow system to run with kerberos -# -allow_kerberos = true - -# Allow rsync to modify public filesused for public file transfer services. -# -allow_rsync_anon_write = false - -# Allow sasl to read shadow -# -saslauthd_read_shadow = false - -# Allow samba to modify public filesused for public file transfer services. -# -allow_smbd_anon_write = false - -# Allow system to run with NIS -# -allow_ypbind = false - -# Allow zebra to write it own configuration files -# -zebra_write_config = false - -# Enable extra rules in the cron domainto support fcron. -# -fcron_crond = false - -# -# allow httpd to connect to mysql/posgresql -httpd_can_network_connect_db = false - -# -# allow httpd to send dbus messages to avahi -httpd_dbus_avahi = true - -# -# allow httpd to network relay -httpd_can_network_relay = false - -# Allow httpd to use built in scripting (usually php) -# httpd_builtin_scripting = true - -# Allow http daemon to tcp connect -# -httpd_can_network_connect = false - -# Allow httpd cgi support -# httpd_enable_cgi = true - -# Allow httpd to act as a FTP server bylistening on the ftp port. 
-# -httpd_enable_ftp_server = false - -# Allow httpd to read home directories -# -httpd_enable_homedirs = false - -# Run SSI execs in system CGI script domain. -# -httpd_ssi_exec = false - -# Allow http daemon to communicate with the TTY -# -httpd_tty_comm = false - -# Run CGI in the main httpd domain -# -httpd_unified = false - -# Allow BIND to write the master zone files.Generally this is used for dynamic DNS. -# -named_write_master_zones = false - -# Allow nfs to be exported read/write. -# -nfs_export_all_rw = true - -# Allow nfs to be exported read only -# -nfs_export_all_ro = true - -# Allow pppd to load kernel modules for certain modems -# -pppd_can_insmod = false - -# Allow reading of default_t files. -# -read_default_t = false - -# Allow samba to export user home directories. -# -samba_enable_home_dirs = false - -# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. -# -squid_connect_any = false - -# Support NFS home directories -# -use_nfs_home_dirs = true - -# Support SAMBA home directories -# -use_samba_home_dirs = false - -# Control users use of ping and traceroute -# -user_ping = false - -# allow host key based authentication -# -ssh_keysign = false - -# Allow pppd to be run for a regular user -# -pppd_for_user = false - -# Allow spamd to write to users homedirs -# -spamd_enable_home_dirs = false - -# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) -# -user_rw_noexattrfile = true - -# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. 
-# -user_tcp_server = false - -# Allow all domains to talk to ttys -# -daemons_use_tty = false - -# Allow login domains to polyinstatiate directories -# -polyinstantiation_enabled = false - -# Allow all domains to dump core -# -daemons_dump_core = true - -# Allow samba to act as the domain controller -# -samba_domain_controller = false - -# Allow samba to export user home directories. -# -samba_run_unconfined = false - -# Allows XServer to execute writable memory -# -xserver_execmem = false - -# disallow guest accounts to execute files that they can create -# -guest_exec_content = false -xguest_exec_content = false - -# Allow postfix locat to write to mail spool -# -postfix_local_write_mail_spool = false - -# Allow common users to read/write noexattrfile systems -# -user_rw_noexattrfile = true - -# Allow qemu to connect fully to the network -# -qemu_full_network = true - -# System uses init upstart program -# -init_upstart = true - -# Allow mount to mount any file/dir -# +kerberos_enabled = true mount_anyfile = true - -# Allow all domains to mmap files -# -domain_can_mmap_files = true - -# Allow confined applications to use nscd shared memory -# +nfs_export_all_ro = true +nfs_export_all_rw = true nscd_use_shm = true - -# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox -# -unconfined_chrome_sandbox_transition = true - -# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container. 
-# -unconfined_mozilla_plugin_transition = true +openvpn_enable_homedirs = true +postfix_local_write_mail_spool= true +pppd_can_insmod = false +privoxy_connect_any = true +selinuxuser_direct_dri_enabled = true +selinuxuser_rw_noexattrfile = true +selinuxuser_ping = true +squid_connect_any = true +telepathy_tcp_connect_generic_network_ports=true +unconfined_chrome_sandbox_transition=true +unconfined_mozilla_plugin_transition=true +xguest_exec_content = true +mozilla_plugin_can_network_connect = true +# Allow all domains to mmap files +domain_can_mmap_files = true diff --git a/distro_suse_to_distro_redhat.patch b/distro_suse_to_distro_redhat.patch deleted file mode 100644 index c11814e..0000000 --- a/distro_suse_to_distro_redhat.patch +++ /dev/null 
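Review bot: The new side of the `@@ -1,232 +1,23 @@` hunk flips two defaults without recording why: `+xguest_exec_content = true` replaces `-xguest_exec_content = false`, whose deleted comment read "disallow guest accounts to execute files that they can create", and `+squid_connect_any = true` replaces `-squid_connect_any = false` ("allow squid to connect to all ports, not just HTTP, FTP, and Gopher ports"). Both loosen the targeted policy, and because the rewrite also drops the descriptive comments, the file no longer says what either boolean does, so the only comment left is the one kept for `domain_can_mmap_files`. Add a comment above each loosened entry, e.g. `# guest accounts may run files they create: <reason>`, and fix the stray spacing in `postfix_local_write_mail_spool= true` and `telepathy_tcp_connect_generic_network_ports=true` so all entries share the `name = value` form used by the rest of the file.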
@@ -1,209 +0,0 @@ -Index: fedora-policy-20221019/policy/modules/contrib/apache.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/apache.fc -+++ fedora-policy-20221019/policy/modules/contrib/apache.fc -@@ -74,7 +74,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.* - /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) - /usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) - --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) - ') - -Index: fedora-policy-20221019/policy/modules/contrib/cron.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc -+++ fedora-policy-20221019/policy/modules/contrib/cron.fc -@@ -51,7 +51,7 @@ ifdef(`distro_gentoo',` - /var/spool/cron/lastrun/[^/]* -- <> - ') - --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) - /var/spool/cron/lastrun/[^/]* -- <> - /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -@@ -70,7 +70,7 @@ ifdef(`distro_gentoo',` - /var/spool/cron/lastrun/[^/]* -- <> - ') - --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) - /var/spool/cron/lastrun/[^/]* -- <> - /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/rpm.fc -+++ fedora-policy-20221019/policy/modules/contrib/rpm.fc -@@ -80,7 +80,7 @@ ifdef(`distro_redhat', ` - /var/run/PackageKit(/.*)? 
gen_context(system_u:object_r:rpm_var_run_t,s0) - - # SuSE --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) - /sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0) - /var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -Index: fedora-policy-20221019/policy/modules/kernel/corecommands.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/kernel/corecommands.fc -+++ fedora-policy-20221019/policy/modules/kernel/corecommands.fc -@@ -462,7 +462,7 @@ ifdef(`distro_redhat', ` - /usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0) - ') - --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/ssh/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -491,7 +491,7 @@ ifdef(`distro_suse', ` - /var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) - /var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0) - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) - ') - -Index: fedora-policy-20221019/policy/modules/kernel/devices.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/kernel/devices.fc -+++ fedora-policy-20221019/policy/modules/kernel/devices.fc -@@ -148,7 +148,7 @@ - /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) - /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) - /dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0) --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) - ') - /dev/vmci -c gen_context(system_u:object_r:vmci_device_t,s0) -Index: 
fedora-policy-20221019/policy/modules/kernel/files.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20221019/policy/modules/kernel/files.fc -@@ -22,7 +22,7 @@ ifdef(`distro_redhat',` - /[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0) - ') - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - /success -- gen_context(system_u:object_r:etc_runtime_t,s0) - ') - -@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', ` - /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0) - ') - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) - ') -Index: fedora-policy-20221019/policy/modules/services/xserver.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/services/xserver.fc -+++ fedora-policy-20221019/policy/modules/services/xserver.fc -@@ -189,7 +189,7 @@ ifndef(`distro_debian',` - /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) - /var/run/systemd/multi-session-x(/.*)? 
gen_context(system_u:object_r:xdm_var_run_t,s0) - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) - ') - -Index: fedora-policy-20221019/policy/modules/system/authlogin.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/authlogin.fc -+++ fedora-policy-20221019/policy/modules/system/authlogin.fc -@@ -31,7 +31,7 @@ HOME_DIR/\.google_authenticator~ gen_co - /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) - /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - ') - -Index: fedora-policy-20221019/policy/modules/system/init.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/init.fc -+++ fedora-policy-20221019/policy/modules/system/init.fc -@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', ` - /var/run/svscan\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) - ') - --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /var/run/bootsplashctl -p gen_context(system_u:object_r:initrc_var_run_t,s0) - /var/run/keymap -- gen_context(system_u:object_r:initrc_var_run_t,s0) - /var/run/numlock-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) -Index: fedora-policy-20221019/policy/modules/system/init.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/init.te -+++ fedora-policy-20221019/policy/modules/system/init.te -@@ -1334,7 +1334,7 @@ ifdef(`distro_redhat',` - ') - ') - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - optional_policy(` - # set permissions on /tmp/.X11-unix - xserver_setattr_xdm_tmp_dirs(initrc_t) -Index: 
fedora-policy-20221019/policy/modules/system/libraries.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/libraries.fc -+++ fedora-policy-20221019/policy/modules/system/libraries.fc -@@ -329,7 +329,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_ - /var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) - /usr/lib/xfce4/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) - ') - -Index: fedora-policy-20221019/policy/modules/system/locallogin.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/locallogin.te -+++ fedora-policy-20221019/policy/modules/system/locallogin.te -@@ -274,7 +274,7 @@ ifdef(`enable_mls',` - ') - - # suse and debian do not use pam with sulogin... --ifdef(`distro_suse', `define(`sulogin_no_pam')') -+ifdef(`distro_redhat', `define(`sulogin_no_pam')') - ifdef(`distro_debian', `define(`sulogin_no_pam')') - - allow sulogin_t self:capability sys_tty_config; -Index: fedora-policy-20221019/policy/modules/system/logging.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/logging.fc -+++ fedora-policy-20221019/policy/modules/system/logging.fc -@@ -46,7 +46,7 @@ - /var/lib/r?syslog(/.*)? 
gen_context(system_u:object_r:syslogd_var_lib_t,mls_systemhigh) - /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) - --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0) - ') - -Index: fedora-policy-20221019/policy/modules/system/logging.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/logging.te -+++ fedora-policy-20221019/policy/modules/system/logging.te -@@ -682,7 +682,7 @@ ifdef(`distro_gentoo',` - term_dontaudit_setattr_unallocated_ttys(syslogd_t) - ') - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel - files_var_lib_filetrans(syslogd_t, devlog_t, sock_file) - ') diff --git a/dontaudit_interface_kmod_tmpfs.patch b/dontaudit_interface_kmod_tmpfs.patch deleted file mode 100644 index 031ead4..0000000 --- a/dontaudit_interface_kmod_tmpfs.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -Index: fedora-policy-20221019/policy/modules/services/xserver.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/services/xserver.te -+++ fedora-policy-20221019/policy/modules/services/xserver.te -@@ -764,6 +764,10 @@ userdom_mounton_tmp_sockets(xdm_t) - userdom_nnp_transition_login_userdomain(xdm_t) - userdom_watch_user_home_dirs(xdm_t) - -+# SUSE uses startproc to start the display manager. While checking for running processes -+# it goes over all running instances, triggering AVCs -+modutils_dontaudit_kmod_tmpfs_getattr(xdm_t) -+ - #userdom_home_manager(xdm_t) - tunable_policy(`xdm_write_home',` - userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file }) -Index: fedora-policy-20221019/policy/modules/system/modutils.if -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/modutils.if -+++ fedora-policy-20221019/policy/modules/system/modutils.if -@@ -507,3 +507,21 @@ interface(`modules_filetrans_named_conte - #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols") - #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin") - ') -+ -+####################################### -+## -+## Don't audit accesses to tmp file type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`modutils_dontaudit_kmod_tmpfs_getattr',` -+ gen_require(` -+ type kmod_tmpfs_t; -+ ') -+ -+ dontaudit $1 kmod_tmpfs_t:file { getattr }; -+') diff --git a/fedora-policy-20221019.tar.bz2 b/fedora-policy-20221019.tar.bz2 deleted file mode 100644 index 6fb0487..0000000 --- a/fedora-policy-20221019.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e2cfe78d728e0b94dfbdc81413f6ede0a0f0e6064de4f6628fa7328d1f4d2ede -size 733130 
diff --git a/fedora-policy.20200717.tar.bz2 b/fedora-policy.20200717.tar.bz2 new file mode 100644 index 0000000..69fa9bc --- /dev/null +++ b/fedora-policy.20200717.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9cce9137b42c72c260c989e8a35153681b4fda9c9bcabda80816393683cd0304 +size 752394 diff --git a/file_contexts.subs_dist b/file_contexts.subs_dist index beaff36..767073d 100644 --- a/file_contexts.subs_dist +++ b/file_contexts.subs_dist @@ -14,4 +14,3 @@ /var/run/netconfig /etc /var/adm/netconfig/md5/etc /etc /var/adm/netconfig/md5/var /var -/usr/etc /etc diff --git a/fix_alsa.patch b/fix_alsa.patch deleted file mode 100644 index 0e6b04c..0000000 --- a/fix_alsa.patch +++ /dev/null @@ -1,15 +0,0 @@ -Index: fedora-policy-20221019/policy/modules/contrib/alsa.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/alsa.te -+++ fedora-policy-20221019/policy/modules/contrib/alsa.te -@@ -104,6 +104,10 @@ userdom_manage_unpriv_user_semaphores(al - userdom_manage_unpriv_user_shared_mem(alsa_t) - userdom_search_user_home_dirs(alsa_t) - -+optional_policy(` -+ gnome_read_home_config(alsa_t) -+') -+ - ifdef(`distro_debian',` - term_dontaudit_use_unallocated_ttys(alsa_t) - diff --git a/fix_apache.patch b/fix_apache.patch index 6b24b83..e097a03 100644 --- a/fix_apache.patch +++ b/fix_apache.patch 
@@ -1,10 +1,10 @@ -Index: fedora-policy-20221019/policy/modules/contrib/apache.if +Index: fedora-policy/policy/modules/contrib/apache.if =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/apache.if -+++ fedora-policy-20221019/policy/modules/contrib/apache.if -@@ -2007,3 +2007,25 @@ interface(`apache_read_semaphores',` +--- fedora-policy.orig/policy/modules/contrib/apache.if ++++ fedora-policy/policy/modules/contrib/apache.if +@@ -1967,3 +1967,25 @@ interface(`apache_ioctl_stream_sockets', - allow $1 httpd_t:sem r_sem_perms; + allow $1 httpd_t:unix_stream_socket ioctl; ') + +####################################### diff --git a/fix_auditd.patch b/fix_auditd.patch deleted file mode 100644 index d4d94e0..0000000 --- a/fix_auditd.patch +++ /dev/null @@ -1,12 +0,0 @@ -Index: fedora-policy-20211111/policy/modules/system/logging.if -=================================================================== ---- fedora-policy-20211111.orig/policy/modules/system/logging.if -+++ fedora-policy-20211111/policy/modules/system/logging.if -@@ -431,6 +431,7 @@ interface(`logging_manage_audit_config', - - files_search_etc($1) - manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -+ allow $1 auditd_etc_t:dir mounton; - ') - - ######################################## diff --git a/fix_authlogin.patch b/fix_authlogin.patch index 7220120..a91f07d 100644 --- a/fix_authlogin.patch +++ b/fix_authlogin.patch 
@@ -1,10 +1,10 @@ -Index: fedora-policy-20211111/policy/modules/system/authlogin.fc +Index: fedora-policy/policy/modules/system/authlogin.fc =================================================================== ---- fedora-policy-20211111.orig/policy/modules/system/authlogin.fc -+++ fedora-policy-20211111/policy/modules/system/authlogin.fc -@@ -56,6 +56,7 @@ ifdef(`distro_gentoo', ` - /usr/libexec/chkpwd/tcb_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - /usr/libexec/chkpwd/tcb_updpwd -- gen_context(system_u:object_r:updpwd_exec_t,s0) +--- fedora-policy.orig/policy/modules/system/authlogin.fc ++++ fedora-policy/policy/modules/system/authlogin.fc +@@ -47,6 +47,7 @@ ifdef(`distro_gentoo', ` + /usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + /usr/libexec/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) +/usr/lib/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) diff --git a/fix_bitlbee.patch b/fix_bitlbee.patch deleted file mode 100644 index 2ce1749..0000000 --- a/fix_bitlbee.patch +++ /dev/null @@ -1,12 +0,0 @@ -Index: fedora-policy-20220124/policy/modules/contrib/bitlbee.fc -=================================================================== ---- fedora-policy-20220124.orig/policy/modules/contrib/bitlbee.fc -+++ fedora-policy-20220124/policy/modules/contrib/bitlbee.fc -@@ -9,6 +9,5 @@ - - /var/log/bip.* gen_context(system_u:object_r:bitlbee_log_t,s0) - --/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0) --/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0) -+/var/run/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0) - /var/run/bip(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0) diff --git a/fix_chronyd.patch b/fix_chronyd.patch index beabc0d..5521738 100644 --- a/fix_chronyd.patch +++ b/fix_chronyd.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20221019/policy/modules/contrib/chronyd.te +Index: fedora-policy/policy/modules/contrib/chronyd.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.te -+++ fedora-policy-20221019/policy/modules/contrib/chronyd.te -@@ -144,6 +144,14 @@ systemd_exec_systemctl(chronyd_t) +--- fedora-policy.orig/policy/modules/contrib/chronyd.te ++++ fedora-policy/policy/modules/contrib/chronyd.te +@@ -136,6 +136,14 @@ systemd_exec_systemctl(chronyd_t) userdom_dgram_send(chronyd_t) optional_policy(` @@ -17,16 +17,15 @@ Index: fedora-policy-20221019/policy/modules/contrib/chronyd.te cron_dgram_send(chronyd_t) ') -Index: fedora-policy-20221019/policy/modules/contrib/chronyd.fc +Index: fedora-policy/policy/modules/contrib/chronyd.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.fc -+++ fedora-policy-20221019/policy/modules/contrib/chronyd.fc -@@ -6,6 +6,8 @@ +--- fedora-policy.orig/policy/modules/contrib/chronyd.fc ++++ fedora-policy/policy/modules/contrib/chronyd.fc +@@ -6,6 +6,7 @@ /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) /usr/libexec/chrony-helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) +/usr/lib/chrony/helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) -+/usr/libexec/chrony/helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) /usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0) diff --git a/fix_cloudform.patch b/fix_cloudform.patch deleted file mode 100644 index cac7161..0000000 --- a/fix_cloudform.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -Index: fedora-policy/policy/modules/contrib/cloudform.te -=================================================================== ---- cloudform.te 2022-07-18 14:06:56.735383426 +0200 -+++ cloudform.te.new 2022-07-18 14:07:36.003069544 +0200 -@@ -81,6 +81,8 @@ - - init_dbus_chat(cloud_init_t) - -+snapper_dbus_chat(cloud_init_t) -+ - kernel_read_network_state(cloud_init_t) - - corenet_tcp_connect_http_port(cloud_init_t) diff --git a/fix_colord.patch b/fix_colord.patch index 763641f..c11b27b 100644 --- a/fix_colord.patch +++ b/fix_colord.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20211111/policy/modules/contrib/colord.fc +Index: fedora-policy/policy/modules/contrib/colord.fc =================================================================== ---- fedora-policy-20211111.orig/policy/modules/contrib/colord.fc -+++ fedora-policy-20211111/policy/modules/contrib/colord.fc +--- fedora-policy.orig/policy/modules/contrib/colord.fc ++++ fedora-policy/policy/modules/contrib/colord.fc @@ -6,6 +6,8 @@ /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0) @@ -11,15 +11,3 @@ Index: fedora-policy-20211111/policy/modules/contrib/colord.fc /usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0) -Index: fedora-policy-20211111/policy/modules/contrib/colord.te -=================================================================== ---- fedora-policy-20211111.orig/policy/modules/contrib/colord.te -+++ fedora-policy-20211111/policy/modules/contrib/colord.te -@@ -17,6 +17,7 @@ type colord_t; - type colord_exec_t; - dbus_system_domain(colord_t, colord_exec_t) - init_daemon_domain(colord_t, colord_exec_t) -+init_nnp_daemon_domain(colord_t) - - type colord_tmp_t; - files_tmp_file(colord_tmp_t) diff --git a/fix_corecommand.patch b/fix_corecommand.patch index 60362f2..5593a71 100644 --- a/fix_corecommand.patch +++ b/fix_corecommand.patch 
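Review bot: Dropping `init_nnp_daemon_domain(colord_t)` from the colord.te part of fix_colord.patch removes the `nnp_transition` permission that lets systemd transition from init_t into colord_t when the unit runs with NoNewPrivileges=yes; if colord.service on the target sets that option (the unit is not visible here) the execve is refused and the service fails to start. Unless the 20200717 base colord.te already contains the call, keep it: `init_nnp_daemon_domain(colord_t)` directly after `init_daemon_domain(colord_t, colord_exec_t)`. If it was dropped deliberately because the base provides it, a one-line note in the patch header saying so would prevent it being re-added blindly later.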
@@ -45,16 +45,7 @@ Index: fedora-policy/policy/modules/kernel/corecommands.fc /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -324,6 +344,8 @@ ifdef(`distro_gentoo',` - - /usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0) - -+/usr/lib/build/.* -- gen_context(system_u:object_r:bin_t,s0) -+ - /usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0) -@@ -391,6 +413,7 @@ ifdef(`distro_debian',` +@@ -391,6 +411,7 @@ ifdef(`distro_debian',` /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0) ') diff --git a/fix_cron.patch b/fix_cron.patch index 203162a..523bc59 100644 --- a/fix_cron.patch +++ b/fix_cron.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20221019/policy/modules/contrib/cron.fc +Index: fedora-policy/policy/modules/contrib/cron.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc -+++ fedora-policy-20221019/policy/modules/contrib/cron.fc +--- fedora-policy.orig/policy/modules/contrib/cron.fc ++++ fedora-policy/policy/modules/contrib/cron.fc @@ -34,7 +34,7 @@ /var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0) 
@@ -11,32 +11,21 @@ Index: fedora-policy-20221019/policy/modules/contrib/cron.fc /var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) /var/spool/cron/crontabs/.* -- <> -@@ -55,6 +55,10 @@ ifdef(`distro_redhat', ` - /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) - /var/spool/cron/lastrun/[^/]* -- <> - /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -+ -+/var/spool/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) -+/var/spool/atjobs/.SEQ -- gen_context(system_u:object_r:user_cron_spool_t,s0) -+/var/spool/atjobs/[^/]* -- <> - ') - - ifdef(`distro_debian',` -@@ -69,9 +73,3 @@ ifdef(`distro_gentoo',` +@@ -69,9 +69,3 @@ ifdef(`distro_gentoo',` /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) /var/spool/cron/lastrun/[^/]* -- <> ') - --ifdef(`distro_redhat', ` +-ifdef(`distro_suse', ` -/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) -/var/spool/cron/lastrun/[^/]* -- <> -/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -') -Index: fedora-policy-20221019/policy/modules/contrib/cron.if +Index: fedora-policy/policy/modules/contrib/cron.if =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/cron.if -+++ fedora-policy-20221019/policy/modules/contrib/cron.if -@@ -1075,7 +1075,7 @@ interface(`cron_generic_log_filetrans_lo +--- fedora-policy.orig/policy/modules/contrib/cron.if ++++ fedora-policy/policy/modules/contrib/cron.if +@@ -1031,7 +1031,7 @@ interface(`cron_generic_log_filetrans_lo # interface(`cron_system_spool_entrypoint',` gen_require(` diff --git a/fix_dbus.patch b/fix_dbus.patch index 64ab643..0387af9 100644 --- a/fix_dbus.patch +++ b/fix_dbus.patch 
@@ -1,11 +1,11 @@ -Index: fedora-policy-20211111/policy/modules/contrib/dbus.te +Index: fedora-policy/policy/modules/contrib/dbus.te =================================================================== ---- fedora-policy-20211111.orig/policy/modules/contrib/dbus.te -+++ fedora-policy-20211111/policy/modules/contrib/dbus.te -@@ -81,6 +81,7 @@ manage_dirs_pattern(system_dbusd_t, syst +--- fedora-policy.orig/policy/modules/contrib/dbus.te 2020-02-25 08:22:02.846623845 +0000 ++++ fedora-policy/policy/modules/contrib/dbus.te 2020-02-25 08:22:31.991108418 +0000 +@@ -80,6 +80,7 @@ read_lnk_files_pattern(system_dbusd_t, d + manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) - manage_sock_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) - files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file sock_file }) + files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) +allow system_dbusd_t system_dbusd_tmp_t:file execute; manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t) diff --git a/fix_dnsmasq.patch b/fix_dnsmasq.patch deleted file mode 100644 index 0471529..0000000 --- a/fix_dnsmasq.patch +++ /dev/null @@ -1,12 +0,0 @@ -Index: fedora-policy-20220519/policy/modules/contrib/dnsmasq.te -=================================================================== ---- fedora-policy-20220519.orig/policy/modules/contrib/dnsmasq.te -+++ fedora-policy-20220519/policy/modules/contrib/dnsmasq.te -@@ -115,6 +115,7 @@ libs_exec_ldconfig(dnsmasq_t) - logging_send_syslog_msg(dnsmasq_t) - - miscfiles_read_public_files(dnsmasq_t) -+sysnet_manage_config_dirs(dnsmasq_t) - - userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) - userdom_dontaudit_search_user_home_dirs(dnsmasq_t) diff --git a/fix_dovecot.patch b/fix_dovecot.patch deleted file mode 100644 index f88cff1..0000000 --- a/fix_dovecot.patch +++ /dev/null 
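Review bot: The retained `allow system_dbusd_t system_dbusd_tmp_t:file execute;` lets the system bus daemon execute (or mmap with PROT_EXEC) files of a type it can itself create and write under /tmp through the preceding `manage_files_pattern`, which is a write-plus-execute combination on a security-critical broker, and the hunk gives no reason for it. Please record the motivating denial above the rule, e.g. `# <bug reference>: dbus-daemon maps <what> from its tmp dir with PROT_EXEC`. If the need actually comes from a helper binary rather than an mmap, label that helper with an exec type and use a domain transition instead of granting execute on a writable type.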
@@ -1,15 +0,0 @@ -Index: fedora-policy-20210419/policy/modules/contrib/dovecot.fc -=================================================================== ---- fedora-policy-20210419.orig/policy/modules/contrib/dovecot.fc -+++ fedora-policy-20210419/policy/modules/contrib/dovecot.fc -@@ -34,6 +34,10 @@ ifdef(`distro_redhat', ` - /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) - ') - -+/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -+/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -+ - # - # /var - # diff --git a/fix_firewalld.patch b/fix_firewalld.patch index 1e455b7..5b5e67e 100644 --- a/fix_firewalld.patch +++ b/fix_firewalld.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20211111/policy/modules/contrib/firewalld.te +Index: fedora-policy/policy/modules/contrib/firewalld.te =================================================================== ---- fedora-policy-20211111.orig/policy/modules/contrib/firewalld.te -+++ fedora-policy-20211111/policy/modules/contrib/firewalld.te -@@ -131,6 +131,7 @@ optional_policy(` +--- fedora-policy.orig/policy/modules/contrib/firewalld.te 2020-02-24 08:16:03.798820784 +0000 ++++ fedora-policy/policy/modules/contrib/firewalld.te 2020-02-24 08:18:03.164764310 +0000 +@@ -129,6 +129,7 @@ optional_policy(` ') optional_policy(` 
@@ -10,10 +10,10 @@ Index: fedora-policy-20211111/policy/modules/contrib/firewalld.te iptables_domtrans(firewalld_t) iptables_read_var_run(firewalld_t) ') -Index: fedora-policy-20211111/policy/modules/system/iptables.if +Index: fedora-policy/policy/modules/system/iptables.if =================================================================== ---- fedora-policy-20211111.orig/policy/modules/system/iptables.if -+++ fedora-policy-20211111/policy/modules/system/iptables.if +--- fedora-policy.orig/policy/modules/system/iptables.if 2020-02-19 09:36:25.440182406 +0000 ++++ fedora-policy/policy/modules/system/iptables.if 2020-02-24 08:17:53.076600108 +0000 @@ -2,6 +2,25 @@ ######################################## diff --git a/fix_gift.patch b/fix_gift.patch new file mode 100644 index 0000000..191375e --- /dev/null +++ b/fix_gift.patch @@ -0,0 +1,9 @@ +Index: fedora-policy/policy/modules/contrib/gift.te +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/gift.te 2019-08-05 09:39:48.645670248 +0200 ++++ fedora-policy/policy/modules/contrib/gift.te 2019-08-05 10:05:44.787808191 +0200 +@@ -113,4 +113,3 @@ files_read_etc_runtime_files(giftd_t) + sysnet_dns_name_resolve(giftd_t) + + userdom_use_inherited_user_terminals(giftd_t) +-userdom_home_manager(gitd_t) diff --git a/fix_hadoop.patch b/fix_hadoop.patch new file mode 100644 index 0000000..b679cd8 --- /dev/null +++ b/fix_hadoop.patch 
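Review bot: The deleted `userdom_home_manager(gitd_t)` in gift.te references `gitd_t`, which looks like a typo for `giftd_t` (no gitd_t type is visible here, so this is inferred); deleting the line rather than correcting it therefore also withdraws from giftd_t the very broad right to manage every user's home-directory content. That is the least-privilege outcome and plausibly correct for a file-sharing daemon, but the patch should state it so a later sync does not reinstate the rule as `userdom_home_manager(giftd_t)`, e.g. a header line `# upstream line referenced non-existent gitd_t; giftd_t should not manage user homes`.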
@@ -0,0 +1,30 @@ +Index: fedora-policy/policy/modules/roles/sysadm.te +=================================================================== +--- fedora-policy.orig/policy/modules/roles/sysadm.te ++++ fedora-policy/policy/modules/roles/sysadm.te +@@ -293,10 +293,6 @@ optional_policy(` + ') + + optional_policy(` +- hadoop_role(sysadm_r, sysadm_t) +-') +- +-optional_policy(` + iotop_run(sysadm_t, sysadm_r) + ') + +Index: fedora-policy/policy/modules/roles/unprivuser.te +=================================================================== +--- fedora-policy.orig/policy/modules/roles/unprivuser.te ++++ fedora-policy/policy/modules/roles/unprivuser.te +@@ -200,10 +200,6 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` +- hadoop_role(user_r, user_t) +- ') +- +- optional_policy(` + irc_role(user_r, user_t) + ') + diff --git a/fix_hypervkvp.patch b/fix_hypervkvp.patch deleted file mode 100644 index 3cac649..0000000 --- a/fix_hypervkvp.patch +++ /dev/null @@ -1,15 +0,0 @@ -Index: fedora-policy-20220124/policy/modules/contrib/hypervkvp.fc -=================================================================== ---- fedora-policy-20220124.orig/policy/modules/contrib/hypervkvp.fc -+++ fedora-policy-20220124/policy/modules/contrib/hypervkvp.fc -@@ -3,8 +3,10 @@ - /usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_file_t,s0) - - /usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0) -+/usr/lib/hyper-v/bin/.*kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0) - /usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_exec_t,s0) - - /usr/sbin/hypervvssd -- gen_context(system_u:object_r:hypervvssd_exec_t,s0) -+/usr/lib/hyper-v/bin/.*vss_daemon -- gen_context(system_u:object_r:hypervvssd_exec_t,s0) - - /var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0) diff --git a/fix_init.patch b/fix_init.patch index 29df1c9..ffbff36 100644 --- a/fix_init.patch +++ b/fix_init.patch 
@@ -1,17 +1,16 @@ -Index: fedora-policy-20221019/policy/modules/system/init.te +Index: fedora-policy/policy/modules/system/init.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/init.te -+++ fedora-policy-20221019/policy/modules/system/init.te -@@ -269,6 +269,8 @@ corecmd_exec_bin(init_t) +--- fedora-policy.orig/policy/modules/system/init.te ++++ fedora-policy/policy/modules/system/init.te +@@ -257,6 +257,7 @@ corecmd_exec_bin(init_t) corenet_all_recvfrom_netlabel(init_t) corenet_tcp_bind_all_ports(init_t) corenet_udp_bind_all_ports(init_t) +corenet_udp_bind_generic_node(init_t) -+corenet_tcp_bind_generic_node(init_t) dev_create_all_files(init_t) dev_create_all_chr_files(init_t) -@@ -398,6 +400,7 @@ logging_manage_audit_config(init_t) +@@ -378,6 +379,7 @@ logging_manage_audit_config(init_t) logging_create_syslog_netlink_audit_socket(init_t) logging_write_var_log_dirs(init_t) logging_manage_var_log_symlinks(init_t) @@ -19,7 +18,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te seutil_read_config(init_t) seutil_read_login_config(init_t) -@@ -450,9 +453,19 @@ ifdef(`distro_redhat',` +@@ -427,10 +429,15 @@ ifdef(`distro_redhat',` corecmd_shell_domtrans(init_t, initrc_t) storage_raw_rw_fixed_disk(init_t) 
@@ -27,19 +26,15 @@ Index: fedora-policy-20221019/policy/modules/system/init.te sysnet_read_dhcpc_state(init_t) -+# bsc#1197610, find a better, generic solution -+optional_policy(` -+ mta_getattr_spool(init_t) -+') -+ -+optional_policy(` -+ networkmanager_initrc_read_lnk_files(init_t) -+') -+ optional_policy(` - anaconda_stream_connect(init_t) - anaconda_create_unix_stream_sockets(init_t) -@@ -584,10 +597,10 @@ tunable_policy(`init_audit_control',` ++ networkmanager_initrc_read_lnk_files(init_t) ++') ++ ++optional_policy(` + bootloader_domtrans(init_t) + ') + +@@ -544,7 +551,7 @@ tunable_policy(`init_create_dirs',` allow init_t self:system all_system_perms; allow init_t self:system module_load; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -47,12 +42,8 @@ Index: fedora-policy-20221019/policy/modules/system/init.te +allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec execmem }; allow init_t self:process { getcap setcap }; allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom }; --allow init_t self:netlink_kobject_uevent_socket create_socket_perms; -+allow init_t self:netlink_kobject_uevent_socket create_socket_perms; - allow init_t self:netlink_selinux_socket create_socket_perms; - allow init_t self:unix_dgram_socket lock; - # Until systemd is fixed -@@ -647,6 +660,7 @@ files_delete_all_spool_sockets(init_t) + allow init_t self:netlink_kobject_uevent_socket create_socket_perms; +@@ -606,6 +613,7 @@ files_delete_all_spool_sockets(init_t) files_create_var_lib_dirs(init_t) files_create_var_lib_symlinks(init_t) files_read_var_lib_symlinks(init_t) 
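Review bot: The rewritten rule `allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec execmem };` grants PID 1 `execmem`, i.e. anonymous writable-and-executable mappings, which removes the W^X guarantee on the most privileged userspace process; the upstream line it replaces sits outside this hunk, so I cannot confirm execmem is the permission this patch adds, but nothing in the hunk records a reason for it. Add a comment above the line naming the denial and the component that needs it, for instance `# execmem: needed by <library/feature> on SUSE, see <bug>`. If it turns out to be a single library with text relocations, prefer labelling that library `textrel_shlib_t` over granting execmem to init_t.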
@@ -60,16 +51,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te files_manage_urandom_seed(init_t) files_list_locks(init_t) files_list_spool(init_t) -@@ -684,7 +698,7 @@ fs_list_all(init_t) - fs_list_auto_mountpoints(init_t) - fs_register_binary_executable_type(init_t) - fs_relabel_tmpfs_sock_file(init_t) --fs_rw_tmpfs_files(init_t) -+fs_rw_tmpfs_files(init_t) - fs_relabel_cgroup_dirs(init_t) - fs_search_cgroup_dirs(init_t) - # for network namespaces -@@ -740,6 +754,7 @@ systemd_write_inherited_logind_sessions_ +@@ -698,6 +706,7 @@ systemd_write_inherited_logind_sessions_ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) create_dirs_pattern(init_t, var_log_t, var_log_t) @@ -77,7 +59,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te auth_use_nsswitch(init_t) auth_rw_login_records(init_t) -@@ -1596,6 +1611,8 @@ optional_policy(` +@@ -1543,6 +1552,8 @@ optional_policy(` optional_policy(` postfix_list_spool(initrc_t) @@ -86,3 +68,15 @@ Index: fedora-policy-20221019/policy/modules/system/init.te ') optional_policy(` +Index: fedora-policy/policy/modules/system/init.if +=================================================================== +--- fedora-policy.orig/policy/modules/system/init.if ++++ fedora-policy/policy/modules/system/init.if +@@ -3205,6 +3205,7 @@ interface(`init_filetrans_named_content' + files_etc_filetrans($1, machineid_t, file, "machine-id" ) + files_pid_filetrans($1, initctl_t, fifo_file, "fifo" ) + init_pid_filetrans($1, systemd_unit_file_t, dir, "generator") ++ init_pid_filetrans($1, systemd_unit_file_t, dir, "generator.late") + init_pid_filetrans($1, systemd_unit_file_t, dir, "system") + ') + diff --git a/fix_iptables.patch b/fix_iptables.patch index bb149fd..5100015 100644 --- a/fix_iptables.patch +++ b/fix_iptables.patch 
@@ -1,9 +1,9 @@ -Index: fedora-policy-20220428/policy/modules/system/iptables.te +Index: fedora-policy/policy/modules/system/iptables.te =================================================================== ---- fedora-policy-20220428.orig/policy/modules/system/iptables.te -+++ fedora-policy-20220428/policy/modules/system/iptables.te -@@ -76,6 +76,7 @@ kernel_read_network_state(iptables_t) - kernel_read_kernel_sysctls(iptables_t) +--- fedora-policy.orig/policy/modules/system/iptables.te 2020-02-19 09:36:25.440182406 +0000 ++++ fedora-policy/policy/modules/system/iptables.te 2020-02-21 12:19:23.060595602 +0000 +@@ -76,6 +76,7 @@ kernel_read_kernel_sysctls(iptables_t) + kernel_read_usermodehelper_state(iptables_t) kernel_use_fds(iptables_t) kernel_rw_net_sysctls(iptables_t) +kernel_rw_pipes(iptables_t) diff --git a/fix_kernel_sysctl.patch b/fix_kernel_sysctl.patch deleted file mode 100644 index 4769ca5..0000000 --- a/fix_kernel_sysctl.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -Index: fedora-policy-20221019/policy/modules/kernel/files.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20221019/policy/modules/kernel/files.fc -@@ -242,6 +242,8 @@ ifdef(`distro_redhat',` - /usr/lib/ostree-boot(/.*)? gen_context(system_u:object_r:usr_t,s0) - /usr/lib/modules(/.*)/vmlinuz -- gen_context(system_u:object_r:usr_t,s0) - /usr/lib/modules(/.*)/initramfs.img -- gen_context(system_u:object_r:usr_t,s0) -+/usr/lib/modules(/.*)/sysctl.conf -- gen_context(system_u:object_r:usr_t,s0) -+/usr/lib/modules(/.*)/System.map -- gen_context(system_u:object_r:system_map_t,s0) - - /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) - -Index: fedora-policy-20221019/policy/modules/system/systemd.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/systemd.te -+++ fedora-policy-20221019/policy/modules/system/systemd.te -@@ -1105,6 +1105,8 @@ init_stream_connect(systemd_sysctl_t) - logging_send_syslog_msg(systemd_sysctl_t) - - systemd_read_efivarfs(systemd_sysctl_t) -+# kernel specific sysctl.conf may be in modules dir -+allow systemd_sysctl_t modules_object_t:dir search; - - ####################################### - # diff --git a/fix_libraries.patch b/fix_libraries.patch deleted file mode 100644 index a6a228f..0000000 --- a/fix_libraries.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -Index: fedora-policy-20210419/policy/modules/system/libraries.fc -=================================================================== ---- fedora-policy-20210419.orig/policy/modules/system/libraries.fc -+++ fedora-policy-20210419/policy/modules/system/libraries.fc -@@ -124,6 +124,8 @@ ifdef(`distro_redhat',` - - /usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) - -+/usr/lib/libreoffice/program/resource.* -- gen_context(system_u:object_r:lib_t,s0) -+ - /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) - - /usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/fix_locallogin.patch b/fix_locallogin.patch index cdee73c..6247e22 100644 --- a/fix_locallogin.patch +++ b/fix_locallogin.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20220624/policy/modules/system/locallogin.te +Index: fedora-policy/policy/modules/system/locallogin.te =================================================================== ---- fedora-policy-20220624.orig/policy/modules/system/locallogin.te -+++ fedora-policy-20220624/policy/modules/system/locallogin.te +--- fedora-policy.orig/policy/modules/system/locallogin.te 2020-02-19 09:36:25.440182406 +0000 ++++ fedora-policy/policy/modules/system/locallogin.te 2020-02-21 08:52:35.961803038 +0000 @@ -63,6 +63,7 @@ kernel_read_system_state(local_login_t) kernel_read_kernel_sysctls(local_login_t) kernel_search_key(local_login_t) @@ -10,11 +10,3 @@ Index: fedora-policy-20220624/policy/modules/system/locallogin.te corecmd_list_bin(local_login_t) corecmd_read_bin_symlinks(local_login_t) -@@ -137,6 +138,7 @@ auth_rw_faillog(local_login_t) - auth_manage_pam_console_data(local_login_t) - auth_domtrans_pam_console(local_login_t) - auth_use_nsswitch(local_login_t) -+auth_read_shadow(local_login_t) - - init_dontaudit_use_fds(local_login_t) - init_stream_connect(local_login_t) 
diff --git a/fix_logging.patch b/fix_logging.patch index 8a74cb7..95c45a7 100644 --- a/fix_logging.patch +++ b/fix_logging.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20220624/policy/modules/system/logging.fc +Index: fedora-policy/policy/modules/system/logging.fc =================================================================== ---- fedora-policy-20220624.orig/policy/modules/system/logging.fc -+++ fedora-policy-20220624/policy/modules/system/logging.fc +--- fedora-policy.orig/policy/modules/system/logging.fc ++++ fedora-policy/policy/modules/system/logging.fc @@ -3,6 +3,8 @@ /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) @@ -19,11 +19,11 @@ Index: fedora-policy-20220624/policy/modules/system/logging.fc /var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) -Index: fedora-policy-20220624/policy/modules/system/logging.if +Index: fedora-policy/policy/modules/system/logging.if =================================================================== ---- fedora-policy-20220624.orig/policy/modules/system/logging.if -+++ fedora-policy-20220624/policy/modules/system/logging.if -@@ -1788,3 +1788,22 @@ interface(`logging_dgram_send',` +--- fedora-policy.orig/policy/modules/system/logging.if ++++ fedora-policy/policy/modules/system/logging.if +@@ -1686,3 +1686,22 @@ interface(`logging_dgram_send',` allow $1 syslogd_t:unix_dgram_socket sendto; ') diff --git a/fix_logrotate.patch b/fix_logrotate.patch index 7cb2f23..1b6fe37 100644 --- a/fix_logrotate.patch +++ b/fix_logrotate.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20210628/policy/modules/contrib/logrotate.te +Index: fedora-policy/policy/modules/contrib/logrotate.te =================================================================== ---- fedora-policy-20210628.orig/policy/modules/contrib/logrotate.te -+++ fedora-policy-20210628/policy/modules/contrib/logrotate.te -@@ -104,6 +104,7 @@ files_var_lib_filetrans(logrotate_t, log +--- fedora-policy.orig/policy/modules/contrib/logrotate.te ++++ fedora-policy/policy/modules/contrib/logrotate.te +@@ -107,6 +107,7 @@ files_var_lib_filetrans(logrotate_t, log kernel_read_system_state(logrotate_t) kernel_read_kernel_sysctls(logrotate_t) diff --git a/fix_nagios.patch b/fix_nagios.patch index 08fdbf0..ddb660c 100644 --- a/fix_nagios.patch +++ b/fix_nagios.patch @@ -14,7 +14,7 @@ Index: fedora-policy/policy/modules/contrib/nagios.te =================================================================== --- fedora-policy.orig/policy/modules/contrib/nagios.te +++ fedora-policy/policy/modules/contrib/nagios.te -@@ -161,6 +161,7 @@ allow nagios_t nagios_spool_t:file map; +@@ -157,6 +157,7 @@ allow nagios_t nagios_spool_t:file map; manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch index 91a7087..40b77db 100644 --- a/fix_networkmanager.patch +++ b/fix_networkmanager.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te +Index: fedora-policy/policy/modules/contrib/networkmanager.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.te -+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.te -@@ -275,6 +275,9 @@ userdom_read_home_certs(NetworkManager_t +--- fedora-policy.orig/policy/modules/contrib/networkmanager.te ++++ fedora-policy/policy/modules/contrib/networkmanager.te +@@ -236,6 +236,9 @@ userdom_read_home_certs(NetworkManager_t userdom_read_user_home_content_files(NetworkManager_t) userdom_dgram_send(NetworkManager_t) @@ -12,18 +12,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(NetworkManager_t) ') -@@ -284,6 +287,10 @@ tunable_policy(`use_samba_home_dirs',` - ') - - optional_policy(` -+ nis_systemctl_ypbind(NetworkManager_t) -+') -+ -+optional_policy(` - avahi_domtrans(NetworkManager_t) - avahi_kill(NetworkManager_t) - avahi_signal(NetworkManager_t) -@@ -292,6 +299,14 @@ optional_policy(` +@@ -253,6 +256,14 @@ optional_policy(` ') optional_policy(` 
@@ -38,39 +27,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te bind_domtrans(NetworkManager_t) bind_manage_cache(NetworkManager_t) bind_kill(NetworkManager_t) -@@ -419,6 +434,8 @@ optional_policy(` - nscd_kill(NetworkManager_t) - nscd_initrc_domtrans(NetworkManager_t) - nscd_systemctl(NetworkManager_t) -+ nscd_socket_use(NetworkManager_dispatcher_tlp_t) -+ nscd_socket_use(NetworkManager_dispatcher_custom_t) - ') - - optional_policy(` -@@ -606,6 +623,7 @@ files_manage_etc_files(NetworkManager_di - - init_status(NetworkManager_dispatcher_cloud_t) - init_status(NetworkManager_dispatcher_ddclient_t) -+init_status(NetworkManager_dispatcher_custom_t) - init_append_stream_sockets(networkmanager_dispatcher_plugin) - init_ioctl_stream_sockets(networkmanager_dispatcher_plugin) - init_stream_connect(networkmanager_dispatcher_plugin) -@@ -621,6 +639,10 @@ optional_policy(` - ') - - optional_policy(` -+ nscd_shm_use(NetworkManager_dispatcher_chronyc_t) -+') -+ -+optional_policy(` - cloudform_init_domtrans(NetworkManager_dispatcher_cloud_t) - ') - -Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if +Index: fedora-policy/policy/modules/contrib/networkmanager.if =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.if -+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.if -@@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran +--- fedora-policy.orig/policy/modules/contrib/networkmanager.if ++++ fedora-policy/policy/modules/contrib/networkmanager.if +@@ -114,6 +114,24 @@ interface(`networkmanager_initrc_domtran init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ') 
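Review bot: This hunk silently drops `nscd_socket_use` for the tlp and custom dispatcher domains, `init_status(NetworkManager_dispatcher_custom_t)` and `nscd_shm_use(NetworkManager_dispatcher_chronyc_t)`, presumably because the 20200717 base lacks some of those types (the base is not visible here); if any of them do exist in that base, dispatcher scripts resolving names through nscd will start failing with AVC denials. A header line in fix_networkmanager.patch stating why each rule was dropped, e.g. `# dispatcher tlp/custom domains not present in fedora-policy 20200717`, would let the next rebase re-add them deliberately instead of by accident.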
@@ -95,15 +56,3 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if ######################################## ## ## Execute NetworkManager server in the NetworkManager domain. -Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.fc -+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.fc -@@ -24,6 +24,7 @@ - /usr/lib/NetworkManager/dispatcher\.d/04-iscsi -- gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0) - /usr/lib/NetworkManager/dispatcher\.d/10-sendmail -- gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0) - /usr/lib/NetworkManager/dispatcher\.d/11-dhclient -- gen_context(system_u:object_r:NetworkManager_dispatcher_dhclient_script_t,s0) -+/usr/lib/NetworkManager/dispatcher\.d/20-chrony -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0) - /usr/lib/NetworkManager/dispatcher\.d/20-chrony-dhcp -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0) - /usr/lib/NetworkManager/dispatcher\.d/20-chrony-onoffline -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0) - /usr/lib/NetworkManager/dispatcher\.d/30-winbind -- gen_context(system_u:object_r:NetworkManager_dispatcher_winbind_script_t,s0) diff --git a/fix_nscd.patch b/fix_nscd.patch index 56a7c50..1bea723 100644 --- a/fix_nscd.patch +++ b/fix_nscd.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20210628/policy/modules/contrib/nscd.fc +Index: fedora-policy/policy/modules/contrib/nscd.fc =================================================================== ---- fedora-policy-20210628.orig/policy/modules/contrib/nscd.fc -+++ fedora-policy-20210628/policy/modules/contrib/nscd.fc +--- fedora-policy.orig/policy/modules/contrib/nscd.fc ++++ fedora-policy/policy/modules/contrib/nscd.fc 
@@ -8,8 +8,10 @@ /var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0) @@ -14,11 +14,11 @@ Index: fedora-policy-20210628/policy/modules/contrib/nscd.fc /usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0) + -Index: fedora-policy-20210628/policy/modules/contrib/nscd.te +Index: fedora-policy/policy/modules/contrib/nscd.te =================================================================== ---- fedora-policy-20210628.orig/policy/modules/contrib/nscd.te -+++ fedora-policy-20210628/policy/modules/contrib/nscd.te -@@ -130,6 +130,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns +--- fedora-policy.orig/policy/modules/contrib/nscd.te ++++ fedora-policy/policy/modules/contrib/nscd.te +@@ -127,6 +127,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns userdom_dontaudit_search_user_home_dirs(nscd_t) optional_policy(` diff --git a/fix_policykit.patch b/fix_policykit.patch new file mode 100644 index 0000000..1ce0185 --- /dev/null +++ b/fix_policykit.patch @@ -0,0 +1,13 @@ +Index: fedora-policy/policy/modules/contrib/policykit.te +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/policykit.te 2020-02-21 13:28:23.080385220 +0000 ++++ fedora-policy/policy/modules/contrib/policykit.te 2020-02-21 13:31:09.023086041 +0000 +@@ -98,6 +98,8 @@ userdom_getattr_all_users(policykit_t) + userdom_read_all_users_state(policykit_t) + userdom_dontaudit_search_admin_dir(policykit_t) + ++policykit_dbus_chat(policykit_t) ++ + optional_policy(` + dbus_system_domain(policykit_t, policykit_exec_t) + diff --git a/fix_postfix.patch b/fix_postfix.patch index 9b7fb86..3f9b14f 100644 --- a/fix_postfix.patch +++ b/fix_postfix.patch 
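Review bot: The new `policykit_dbus_chat(policykit_t)` in fix_policykit.patch is added unconditionally and without a comment, directly above the `optional_policy` block that registers polkitd as a dbus system domain; since the subject and target are the same domain, the rule it produces is a self `dbus send_msg` grant (presumably in both directions, as the `*_dbus_chat` interfaces elsewhere in this series do) and a reader cannot tell which denial it resolves. Add a why-comment naming the observed behaviour, e.g. `# polkitd sends dbus messages to its own domain on SUSE (observed AVC denial)`, and consider moving the line inside the following `optional_policy(\`` block next to `dbus_system_domain(policykit_t, policykit_exec_t)` so the dbus rule lives with the dbus policy. The patch header also carries absolute file timestamps (`2020-02-21 13:28:23.080385220 +0000`) unlike the other patches in this series; refreshing it without timestamps keeps the headers uniform and the diff against upstream reproducible.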
@@ -1,8 +1,8 @@ -Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc +Index: fedora-policy/policy/modules/contrib/postfix.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/postfix.fc -+++ fedora-policy-20221019/policy/modules/contrib/postfix.fc -@@ -1,37 +1,21 @@ +--- fedora-policy.orig/policy/modules/contrib/postfix.fc ++++ fedora-policy/policy/modules/contrib/postfix.fc +@@ -1,37 +1,20 @@ # postfix -/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) -/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0) @@ -41,7 +41,6 @@ Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc +/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0) +/etc/postfix/chroot-update -- gen_context(system_u:object_r:postfix_exec_t,s0) +/usr/lib/postfix/bin/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -+/usr/lib/postfix/systemd/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) +/usr/lib/postfix/bin/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) +/usr/lib/postfix/bin/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) +/usr/lib/postfix/bin/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) @@ -57,7 +56,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -@@ -45,13 +29,16 @@ ifdef(`distro_redhat', ` +@@ -45,6 +28,9 @@ ifdef(`distro_redhat', ` /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0) /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0) 
@@ -67,28 +66,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc /var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0) /var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0) - /var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) - /var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) - /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) --/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) -+/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0) - /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) - /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) - /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) -Index: fedora-policy-20221019/policy/modules/contrib/postfix.te +Index: fedora-policy/policy/modules/contrib/postfix.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/postfix.te -+++ fedora-policy-20221019/policy/modules/contrib/postfix.te -@@ -121,6 +121,8 @@ allow postfix_master_t self:udp_socket c - allow postfix_master_t postfix_etc_t:dir rw_dir_perms; - allow postfix_master_t postfix_etc_t:file rw_file_perms; - mta_filetrans_aliases(postfix_master_t, postfix_etc_t) -+# SUSE also runs this on /etc/alias -+mta_filetrans_aliases(postfix_master_t, etc_t) - - can_exec(postfix_master_t, postfix_exec_t) - -@@ -447,6 +449,14 @@ logging_send_syslog_msg(postfix_map_t) +--- fedora-policy.orig/policy/modules/contrib/postfix.te ++++ fedora-policy/policy/modules/contrib/postfix.te +@@ -447,6 +447,14 @@ logging_send_syslog_msg(postfix_map_t) userdom_use_inherited_user_ptys(postfix_map_t) 
@@ -103,7 +85,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/postfix.te optional_policy(` locallogin_dontaudit_use_fds(postfix_map_t) ') -@@ -687,6 +697,14 @@ corenet_tcp_connect_spamd_port(postfix_m +@@ -687,6 +695,14 @@ corenet_tcp_connect_spamd_port(postfix_m files_search_all_mountpoints(postfix_smtp_t) optional_policy(` diff --git a/fix_rpm.patch b/fix_rpm.patch index 67cf3c4..6dc895d 100644 --- a/fix_rpm.patch +++ b/fix_rpm.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc +Index: fedora-policy/policy/modules/contrib/rpm.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/rpm.fc -+++ fedora-policy-20221019/policy/modules/contrib/rpm.fc -@@ -18,6 +18,10 @@ +--- fedora-policy.orig/policy/modules/contrib/rpm.fc ++++ fedora-policy/policy/modules/contrib/rpm.fc +@@ -17,6 +17,10 @@ /usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -13,7 +13,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0) -@@ -56,6 +60,8 @@ ifdef(`distro_redhat', ` +@@ -54,6 +58,8 @@ ifdef(`distro_redhat', ` /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) 
@@ -22,11 +22,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -Index: fedora-policy-20221019/policy/modules/contrib/rpm.if +Index: fedora-policy/policy/modules/contrib/rpm.if =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/rpm.if -+++ fedora-policy-20221019/policy/modules/contrib/rpm.if -@@ -515,8 +515,10 @@ interface(`rpm_named_filetrans',` +--- fedora-policy.orig/policy/modules/contrib/rpm.if ++++ fedora-policy/policy/modules/contrib/rpm.if +@@ -431,8 +431,10 @@ interface(`rpm_named_filetrans',` logging_log_named_filetrans($1, rpm_log_t, file, "yum.log") logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log") logging_log_named_filetrans($1, rpm_log_t, file, "up2date") @@ -37,11 +37,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.if files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf") files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum") files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm") -Index: fedora-policy-20221019/policy/modules/kernel/files.fc +Index: fedora-policy/policy/modules/kernel/files.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20221019/policy/modules/kernel/files.fc -@@ -67,6 +67,7 @@ ifdef(`distro_redhat',` +--- fedora-policy.orig/policy/modules/kernel/files.fc ++++ fedora-policy/policy/modules/kernel/files.fc +@@ -67,6 +67,7 @@ ifdef(`distro_suse',` /etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) /etc/yum\.repos\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0) 
diff --git a/fix_selinuxutil.patch b/fix_selinuxutil.patch index 84e87ac..fb0148d 100644 --- a/fix_selinuxutil.patch +++ b/fix_selinuxutil.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20210628/policy/modules/system/selinuxutil.te +Index: fedora-policy/policy/modules/system/selinuxutil.te =================================================================== ---- fedora-policy-20210628.orig/policy/modules/system/selinuxutil.te -+++ fedora-policy-20210628/policy/modules/system/selinuxutil.te +--- fedora-policy.orig/policy/modules/system/selinuxutil.te 2020-02-19 09:36:25.444182470 +0000 ++++ fedora-policy/policy/modules/system/selinuxutil.te 2020-02-24 07:57:26.556813139 +0000 @@ -238,6 +238,10 @@ ifdef(`hide_broken_symptoms',` ') @@ -13,7 +13,7 @@ Index: fedora-policy-20210628/policy/modules/system/selinuxutil.te portage_dontaudit_use_fds(load_policy_t) ') -@@ -618,6 +622,10 @@ logging_send_audit_msgs(setfiles_t) +@@ -613,6 +617,10 @@ logging_send_audit_msgs(setfiles_t) logging_send_syslog_msg(setfiles_t) optional_policy(` @@ -24,16 +24,3 @@ Index: fedora-policy-20210628/policy/modules/system/selinuxutil.te cloudform_dontaudit_write_cloud_log(setfiles_t) ') -Index: fedora-policy-20210628/policy/modules/system/selinuxutil.if -=================================================================== ---- fedora-policy-20210628.orig/policy/modules/system/selinuxutil.if -+++ fedora-policy-20210628/policy/modules/system/selinuxutil.if -@@ -795,6 +795,8 @@ interface(`seutil_dontaudit_read_config' - - dontaudit $1 selinux_config_t:dir search_dir_perms; - dontaudit $1 selinux_config_t:file read_file_perms; -+ # /etc/selinux/config was a link to /etc/sysconfig/selinux-policy, ignore read attemps -+ dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms; - ') - - ######################################## diff --git a/fix_snapper.patch b/fix_snapper.patch index 045bc12..e52343a 100644 --- a/fix_snapper.patch +++ b/fix_snapper.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy-20221019/policy/modules/contrib/snapper.te +Index: fedora-policy/policy/modules/contrib/snapper.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/snapper.te -+++ fedora-policy-20221019/policy/modules/contrib/snapper.te +--- fedora-policy.orig/policy/modules/contrib/snapper.te ++++ fedora-policy/policy/modules/contrib/snapper.te @@ -18,6 +18,9 @@ files_config_file(snapperd_conf_t) type snapperd_data_t; files_type(snapperd_data_t) @@ -23,25 +23,21 @@ Index: fedora-policy-20221019/policy/modules/contrib/snapper.te kernel_setsched(snapperd_t) domain_read_all_domains_state(snapperd_t) -@@ -73,6 +80,14 @@ storage_raw_read_fixed_disk(snapperd_t) +@@ -73,6 +80,10 @@ storage_raw_read_fixed_disk(snapperd_t) auth_use_nsswitch(snapperd_t) optional_policy(` + packagekit_dbus_chat(snapperd_t) +') + -+optional_policy(` -+ rpm_dbus_chat(snapperd_t) -+') -+ +optional_policy(` cron_system_entry(snapperd_t, snapperd_exec_t) ') -Index: fedora-policy-20221019/policy/modules/contrib/snapper.fc +Index: fedora-policy/policy/modules/contrib/snapper.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/snapper.fc -+++ fedora-policy-20221019/policy/modules/contrib/snapper.fc +--- fedora-policy.orig/policy/modules/contrib/snapper.fc ++++ fedora-policy/policy/modules/contrib/snapper.fc @@ -7,9 +7,17 @@ /var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0) diff --git a/fix_sysnetwork.patch b/fix_sysnetwork.patch index b7f0b13..844d87f 100644 --- a/fix_sysnetwork.patch +++ b/fix_sysnetwork.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20221019/policy/modules/system/sysnetwork.fc +Index: fedora-policy/policy/modules/system/sysnetwork.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/sysnetwork.fc -+++ fedora-policy-20221019/policy/modules/system/sysnetwork.fc -@@ -103,6 +103,8 @@ ifdef(`distro_debian',` +--- fedora-policy.orig/policy/modules/system/sysnetwork.fc ++++ fedora-policy/policy/modules/system/sysnetwork.fc +@@ -102,6 +102,8 @@ ifdef(`distro_debian',` /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ') diff --git a/fix_systemd.patch b/fix_systemd.patch index 1576754..5dbba95 100644 --- a/fix_systemd.patch +++ b/fix_systemd.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20221019/policy/modules/system/systemd.te +Index: fedora-policy/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/systemd.te -+++ fedora-policy-20221019/policy/modules/system/systemd.te -@@ -381,6 +381,10 @@ userdom_manage_user_tmp_chr_files(system +--- fedora-policy.orig/policy/modules/system/systemd.te ++++ fedora-policy/policy/modules/system/systemd.te +@@ -332,6 +332,10 @@ userdom_manage_user_tmp_chr_files(system xserver_dbus_chat(systemd_logind_t) optional_policy(` @@ -13,8 +13,8 @@ Index: fedora-policy-20221019/policy/modules/system/systemd.te apache_read_tmp_files(systemd_logind_t) ') -@@ -863,6 +867,10 @@ optional_policy(` - dbus_system_bus_client(systemd_localed_t) +@@ -823,6 +827,10 @@ optional_policy(` + dbus_connect_system_bus(systemd_hostnamed_t) ') +optional_policy(` 
@@ -23,22 +23,4 @@ Index: fedora-policy-20221019/policy/modules/system/systemd.te + ####################################### # - # Hostnamed policy -@@ -1158,7 +1166,7 @@ systemd_read_efivarfs(systemd_hwdb_t) - # systemd_gpt_generator domain - # - --allow systemd_gpt_generator_t self:capability sys_rawio; -+allow systemd_gpt_generator_t self:capability { sys_rawio sys_admin}; - allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms; - - dev_read_sysfs(systemd_gpt_generator_t) -@@ -1185,6 +1193,8 @@ systemd_unit_file_filetrans(systemd_gpt_ - systemd_create_unit_file_dirs(systemd_gpt_generator_t) - systemd_create_unit_file_lnk(systemd_gpt_generator_t) - -+kernel_dgram_send(systemd_gpt_generator_t) -+ - optional_policy(` - udev_read_pid_files(systemd_gpt_generator_t) - ') + # rfkill policy diff --git a/fix_systemd_watch.patch b/fix_systemd_watch.patch deleted file mode 100644 index 530f381..0000000 --- a/fix_systemd_watch.patch +++ /dev/null @@ -1,17 +0,0 @@ -Index: fedora-policy-20221019/policy/modules/system/systemd.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/systemd.te -+++ fedora-policy-20221019/policy/modules/system/systemd.te -@@ -1508,6 +1508,12 @@ fstools_rw_swap_files(systemd_sleep_t) - storage_getattr_fixed_disk_dev(systemd_sleep_t) - storage_getattr_removable_dev(systemd_sleep_t) - -+####################################### -+# -+# Allow systemd to watch certificate dir for ca-certificates -+# -+watch_dirs_pattern(init_t,cert_t,cert_t) -+ - optional_policy(` - sysstat_domtrans(systemd_sleep_t) - ') diff --git a/fix_thunderbird.patch b/fix_thunderbird.patch index 159afc4..0e2ee48 100644 --- a/fix_thunderbird.patch +++ b/fix_thunderbird.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20210628/policy/modules/contrib/thunderbird.te +Index: fedora-policy/policy/modules/contrib/thunderbird.te =================================================================== ---- fedora-policy-20210628.orig/policy/modules/contrib/thunderbird.te -+++ fedora-policy-20210628/policy/modules/contrib/thunderbird.te -@@ -138,7 +138,6 @@ optional_policy(` +--- fedora-policy.orig/policy/modules/contrib/thunderbird.te ++++ fedora-policy/policy/modules/contrib/thunderbird.te +@@ -139,7 +139,6 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(thunderbird_t) gnome_domtrans_gconfd(thunderbird_t) diff --git a/fix_unconfined.patch b/fix_unconfined.patch index 815055b..468bdf3 100644 --- a/fix_unconfined.patch +++ b/fix_unconfined.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20221019/policy/modules/system/unconfined.te +Index: fedora-policy/policy/modules/system/unconfined.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/unconfined.te -+++ fedora-policy-20221019/policy/modules/system/unconfined.te +--- fedora-policy.orig/policy/modules/system/unconfined.te ++++ fedora-policy/policy/modules/system/unconfined.te @@ -1,5 +1,10 @@ policy_module(unconfined, 3.5.0) @@ -13,7 +13,7 @@ Index: fedora-policy-20221019/policy/modules/system/unconfined.te ######################################## # # Declarations -@@ -45,3 +50,6 @@ optional_policy(` +@@ -39,3 +44,6 @@ optional_policy(` optional_policy(` container_runtime_domtrans(unconfined_service_t) ') diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch index 017c8f7..36ae7e1 100644 --- a/fix_unconfineduser.patch +++ b/fix_unconfineduser.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te +Index: fedora-policy/policy/modules/roles/unconfineduser.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/roles/unconfineduser.te -+++ fedora-policy-20221019/policy/modules/roles/unconfineduser.te -@@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all' +--- fedora-policy.orig/policy/modules/roles/unconfineduser.te ++++ fedora-policy/policy/modules/roles/unconfineduser.te +@@ -120,6 +120,11 @@ tunable_policy(`unconfined_dyntrans_all' domain_dyntrans(unconfined_t) ') @@ -14,7 +14,7 @@ Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te optional_policy(` gen_require(` type unconfined_t; -@@ -214,6 +219,10 @@ optional_policy(` +@@ -210,6 +215,10 @@ optional_policy(` ') optional_policy(` @@ -25,7 +25,7 @@ Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te chrome_role_notrans(unconfined_r, unconfined_t) tunable_policy(`unconfined_chrome_sandbox_transition',` -@@ -248,6 +257,18 @@ optional_policy(` +@@ -244,6 +253,18 @@ optional_policy(` dbus_stub(unconfined_t) optional_policy(` diff --git a/fix_unprivuser.patch b/fix_unprivuser.patch index 70fe21e..28f2e24 100644 --- a/fix_unprivuser.patch +++ b/fix_unprivuser.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20221019/policy/modules/roles/unprivuser.te +Index: fedora-policy/policy/modules/roles/unprivuser.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/roles/unprivuser.te -+++ fedora-policy-20221019/policy/modules/roles/unprivuser.te -@@ -300,6 +300,13 @@ ifndef(`distro_redhat',` +--- fedora-policy.orig/policy/modules/roles/unprivuser.te ++++ fedora-policy/policy/modules/roles/unprivuser.te +@@ -289,6 +289,13 @@ ifndef(`distro_redhat',` ') optional_policy(` diff --git a/fix_userdomain.patch b/fix_userdomain.patch deleted file mode 100644 index 6691ad8..0000000 
--- a/fix_userdomain.patch +++ /dev/null @@ -1,12 +0,0 @@ -Index: fedora-policy-20220624/policy/modules/system/userdomain.if -=================================================================== ---- fedora-policy-20220624.orig/policy/modules/system/userdomain.if -+++ fedora-policy-20220624/policy/modules/system/userdomain.if -@@ -1497,6 +1497,7 @@ tunable_policy(`deny_bluetooth',`',` - - # port access is audited even if dac would not have allowed it, so dontaudit it here - # corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) -+ corenet_dontaudit_udp_bind_all_rpc_ports($1_t) - # Need the following rule to allow users to run vpnc - corenet_tcp_bind_xserver_port($1_t) - corenet_tcp_bind_generic_node($1_usertype) diff --git a/fix_usermanage.patch b/fix_usermanage.patch index a7d1bee..b82e968 100644 --- a/fix_usermanage.patch +++ b/fix_usermanage.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20220428/policy/modules/admin/usermanage.te +Index: fedora-policy/policy/modules/admin/usermanage.te =================================================================== ---- fedora-policy-20220428.orig/policy/modules/admin/usermanage.te -+++ fedora-policy-20220428/policy/modules/admin/usermanage.te +--- fedora-policy.orig/policy/modules/admin/usermanage.te ++++ fedora-policy/policy/modules/admin/usermanage.te @@ -226,6 +226,7 @@ allow groupadd_t self:unix_dgram_socket allow groupadd_t self:unix_stream_socket create_stream_socket_perms; allow groupadd_t self:unix_dgram_socket sendto; @@ -10,7 +10,7 @@ Index: fedora-policy-20220428/policy/modules/admin/usermanage.te fs_getattr_xattr_fs(groupadd_t) fs_search_auto_mountpoints(groupadd_t) -@@ -538,6 +539,7 @@ allow useradd_t self:unix_dgram_socket c +@@ -529,6 +530,7 @@ allow useradd_t self:unix_dgram_socket c allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; 
@@ -18,7 +18,7 @@ Index: fedora-policy-20220428/policy/modules/admin/usermanage.te manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) -@@ -546,6 +548,8 @@ files_pid_filetrans(useradd_t, useradd_v +@@ -537,6 +539,8 @@ files_pid_filetrans(useradd_t, useradd_v # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) diff --git a/fix_wine.patch b/fix_wine.patch deleted file mode 100644 index 17698f2..0000000 --- a/fix_wine.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -Index: fedora-policy-20220428/policy/modules/system/libraries.fc -=================================================================== ---- fedora-policy-20220428.orig/policy/modules/system/libraries.fc -+++ fedora-policy-20220428/policy/modules/system/libraries.fc -@@ -90,7 +90,7 @@ ifdef(`distro_redhat',` - /opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) - /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) --/opt/cx.*/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/cx.*/lib/wine/.+\.(so|dll) -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) - /opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -173,7 +173,8 @@ ifdef(`distro_redhat',` - /usr/lib/systemd/libsystemd-.+\.so.* -- gen_context(system_u:object_r:lib_t,s0) - - /usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) --/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/wine/*-windows/* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) - diff --git a/fix_xserver.patch b/fix_xserver.patch index a8fd6e8..14f6700 100644 --- a/fix_xserver.patch +++ b/fix_xserver.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy-20221019/policy/modules/services/xserver.fc +Index: fedora-policy/policy/modules/services/xserver.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/services/xserver.fc -+++ fedora-policy-20221019/policy/modules/services/xserver.fc +--- fedora-policy.orig/policy/modules/services/xserver.fc ++++ fedora-policy/policy/modules/services/xserver.fc @@ -71,6 +71,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) @@ -18,15 +18,7 @@ Index: fedora-policy-20221019/policy/modules/services/xserver.fc /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0) -@@ -114,6 +116,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ - /usr/bin/Xwayland -- gen_context(system_u:object_r:xserver_exec_t,s0) - /usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0) - /usr/bin/nvidia.* -- gen_context(system_u:object_r:xserver_exec_t,s0) -+/usr/bin/greetd -- gen_context(system_u:object_r:xdm_exec_t,s0) - - /usr/libexec/Xorg\.bin -- gen_context(system_u:object_r:xserver_exec_t,s0) - /usr/libexec/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0) -@@ -137,6 +140,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ +@@ -135,6 +137,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ /usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0) /usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0) 
@@ -34,30 +26,13 @@ Index: fedora-policy-20221019/policy/modules/services/xserver.fc ifndef(`distro_debian',` /usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) ') -@@ -155,6 +159,7 @@ ifndef(`distro_debian',` - /var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) - /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) - /var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) -+/var/lib/greetd(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) - - /var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) - /var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -@@ -184,6 +189,8 @@ ifndef(`distro_debian',` - /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) - /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) - /var/run/sddm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/greetd[^/]*\.sock -s gen_context(system_u:object_r:xdm_var_run_t,s0) -+/var/run/greetd\.run -- gen_context(system_u:object_r:xdm_var_run_t,s0) - - /var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) - /var/run/xorg(/.*)? 
gen_context(system_u:object_r:xserver_var_run_t,s0) -Index: fedora-policy-20221019/policy/modules/services/xserver.te +Index: fedora-policy/policy/modules/services/xserver.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/services/xserver.te -+++ fedora-policy-20221019/policy/modules/services/xserver.te -@@ -475,6 +475,10 @@ userdom_dontaudit_read_admin_home_lnk_fi - - kernel_read_vm_sysctls(xdm_t) +--- fedora-policy.orig/policy/modules/services/xserver.te ++++ fedora-policy/policy/modules/services/xserver.te +@@ -477,6 +477,10 @@ userdom_delete_user_home_content_files(x + userdom_signull_unpriv_users(xdm_t) + userdom_dontaudit_read_admin_home_lnk_files(xdm_t) +files_manage_generic_pids_symlinks(xdm_t) +userdom_manage_user_home_content_dirs(xdm_t) diff --git a/modules-minimum-base.conf b/modules-minimum-base.conf index 853e975..8774301 100644 --- a/modules-minimum-base.conf +++ b/modules-minimum-base.conf @@ -392,6 +392,13 @@ udev = module # unconfined = module +# Layer: system +# Module: kdbus +# +# Policy for kdbus. +# +kdbus = module + # Layer: admin # Module: rpm # @@ -412,3 +419,4 @@ packagekit = module # Name service cache daemon # nscd = module + diff --git a/modules-minimum-contrib.conf b/modules-minimum-contrib.conf index cde391b..1be2194 100644 --- a/modules-minimum-contrib.conf +++ b/modules-minimum-contrib.conf @@ -342,6 +342,13 @@ cmirrord = module # cobbler = module +# Layer: contrib +# Module: cockpit +# +# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines. +# +cockpit = module + # Layer: services # Module: collectd # @@ -2360,6 +2367,13 @@ minissdpd = module # freeipmi = module +# Layer: contrib +# Module: freeipmi +# +# ipa policy module contain SELinux policies for IPA services +# +ipa = module + # Layer: contrib # Module: mirrormanager # diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf index 5e255b5..202da6f 100644 
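Review bot: `userdom_manage_user_home_content_dirs(xdm_t)`, kept on the new side of the xserver.te hunk together with `files_manage_generic_pids_symlinks(xdm_t)`, gives the display-manager domain create/rename/delete rights over user home content directories, which is considerably broader than the upstream `userdom_delete_user_home_content_files(xdm_t)` directly above it, and nothing in the hunk records which denial it addresses. Add a why-comment such as `# SUSE: xdm_t creates per-user directories under $HOME at login; narrow to the specific home type if one denial is all that is needed`, and if the original AVC was for a single dotfile directory, prefer the matching type-specific interface over the blanket one. The xdm_t policy section this sits in starts and ends outside the hunk, so the full set of home-directory grants cannot be judged from here.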
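Review bot: The new `ipa = module` entry in modules-minimum-contrib.conf is introduced by a header block that still says `# Module: freeipmi`, copied from the preceding freeipmi entry, so anything (or anyone) that keys on the `Module:` line finds the wrong name. Change the header to `# Layer: contrib` / `# Module: ipa` / `# ipa policy module contains SELinux policies for IPA services`, which also fixes the grammar slip in the description line.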
--- a/modules-targeted-base.conf +++ b/modules-targeted-base.conf @@ -392,6 +392,13 @@ udev = module # unconfined = module +# Layer: system +# Module: kdbus +# +# Policy for kdbus. +# +kdbus = module + # Layer: contrib # Module: packagekit # @@ -412,10 +419,3 @@ rtorrent = module # Policy for wicked # wicked = module - -# Layer: system -# Module: rebootmgr -# -# Policy for rebootmgr -# -rebootmgr = module diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf index 54a2b38..9182671 100644 --- a/modules-targeted-contrib.conf +++ b/modules-targeted-contrib.conf @@ -342,6 +342,13 @@ cmirrord = module # cobbler = module +# Layer: contrib +# Module: cockpit +# +# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines. +# +cockpit = module + # Layer: services # Module: collectd # @@ -2374,6 +2381,13 @@ minissdpd = module # freeipmi = module +# Layer: contrib +# Module: freeipmi +# +# ipa policy module contain SELinux policies for IPA services +# +ipa = module + # Layer: contrib # Module: mirrormanager # diff --git a/rebootmgr.fc b/rebootmgr.fc deleted file mode 100644 index 156f78f..0000000 --- a/rebootmgr.fc +++ /dev/null @@ -1 +0,0 @@ -/usr/sbin/rebootmgrd -- gen_context(system_u:object_r:rebootmgr_exec_t,s0) diff --git a/rebootmgr.if b/rebootmgr.if deleted file mode 100644 index bb42f80..0000000 --- a/rebootmgr.if +++ /dev/null 
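Review bot: The `ipa = module` entry added to modules-targeted-contrib.conf carries the header `# Module: freeipmi`, a copy of the entry right above it, so the module name in the comment does not match the line it describes. Replace the header with `# Layer: contrib` / `# Module: ipa` / `# ipa policy module contains SELinux policies for IPA services` so the description is correct and consistent with the other entries in the file.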
@@ -1,61 +0,0 @@
-
-## policy for rebootmgr
-
-########################################
-##
-## Execute rebootmgr_exec_t in the rebootmgr domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`rebootmgr_domtrans',`
- gen_require(`
- type rebootmgr_t, rebootmgr_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, rebootmgr_exec_t, rebootmgr_t)
-')
-
-######################################
-##
-## Execute rebootmgr in the caller domain.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`rebootmgr_exec',`
- gen_require(`
- type rebootmgr_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, rebootmgr_exec_t)
-')
-
-########################################
-##
-## Send and receive messages from
-## rebootmgr over dbus.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`rebootmgr_dbus_chat',`
- gen_require(`
- type rebootmgr_t;
- class dbus send_msg;
- ')
-
- allow $1 rebootmgr_t:dbus send_msg;
- allow rebootmgr_t $1:dbus send_msg;
-')
diff --git a/rebootmgr.te b/rebootmgr.te
deleted file mode 100644
index 4b4e6ab..0000000
--- a/rebootmgr.te
+++ /dev/null
@@ -1,37 +0,0 @@
-policy_module(rebootmgr, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type rebootmgr_t;
-type rebootmgr_exec_t;
-init_daemon_domain(rebootmgr_t, rebootmgr_exec_t)
-
-########################################
-#
-# rebootmgr local policy
-#
-allow rebootmgr_t self:process { fork };
-allow rebootmgr_t self:fifo_file rw_fifo_file_perms;
-allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms;
-
-domain_use_interactive_fds(rebootmgr_t)
-
-files_manage_etc_files(rebootmgr_t)
-
-logging_send_syslog_msg(rebootmgr_t)
-
-miscfiles_read_localization(rebootmgr_t)
-
-systemd_start_power_services(rebootmgr_t)
-
-systemd_dbus_chat_logind(rebootmgr_t)
-
-unconfined_dbus_chat(rebootmgr_t)
-
-optional_policy(`
- dbus_system_bus_client(rebootmgr_t)
- dbus_connect_system_bus(rebootmgr_t)
-')
diff --git a/rtorrent.fc b/rtorrent.fc index 562f8ad..24f879f 100644 --- a/rtorrent.fc +++ b/rtorrent.fc @@ -1 +1 @@ -/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0) +/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0) diff --git a/rtorrent.if b/rtorrent.if index 9ea4193..830e349 100644 --- a/rtorrent.if +++ b/rtorrent.if @@ -1,71 +1,6 @@ +## Policy for rtorrent. -## policy for rtorrent - -######################################## -## -## Execute rtorrent_exec_t in the rtorrent domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rtorrent_domtrans',` - gen_require(` - type rtorrent_t, rtorrent_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rtorrent_exec_t, rtorrent_t) -') - -###################################### -## -## Execute rtorrent in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`rtorrent_exec',` - gen_require(` - type rtorrent_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, rtorrent_exec_t) -') - -######################################## -## -## Execute rtorrent in the rtorrent domain, and -## allow the specified role the rtorrent domain. -## -## -## -## Domain allowed to transition -## -## -## -## -## The role to be allowed the rtorrent domain. -## -## -# -interface(`rtorrent_run',` - gen_require(` - type rtorrent_t; - attribute_role rtorrent_roles; - ') - - rtorrent_domtrans($1) - roleattribute $2 rtorrent_roles; -') - -######################################## +############################################################ ## ## Role access for rtorrent ## 
@@ -82,14 +17,95 @@ interface(`rtorrent_run',` # interface(`rtorrent_role',` gen_require(` - type rtorrent_t; - attribute_role rtorrent_roles; + attribute_role rtorrent_roles; + type rtorrent_t, rtorrent_exec_t; ') roleattribute $1 rtorrent_roles; - rtorrent_domtrans($2) + # transition from the userdomain to the derived domain + domtrans_pattern($2, rtorrent_exec_t, rtorrent_t) + # allow ps to show rtorrent ps_process_pattern($2, rtorrent_t) - allow $2 rtorrent_t:process { signull signal sigkill }; + allow $2 rtorrent_t:process { signull sigstop signal sigkill }; + + ifdef(`hide_broken_symptoms',` + #Leaked File Descriptors + dontaudit rtorrent_t $2:fifo_file rw_fifo_file_perms; + ') +') + +######################################## +## +## Transition to a user torrent domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`rtorrent_domtrans',` + gen_require(` + type rtorrent_t, rtorrent_exec_t; + ') + + domtrans_pattern($1, rtorrent_exec_t, rtorrent_t) +') + +###################################### +## +## Execute torrent in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`rtorrent_exec',` + gen_require(` + type rtorrent_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, rtorrent_exec_t) +') + +###################################### +## +## Make rtorrent an entrypoint for +## the specified domain. +## +## +## +## The domain for which cifs_t is an entrypoint. +## +## +# +interface(`rtorrent_entry_type',` + gen_require(` + type rtorrent_exec_t; + ') + + domain_entry_file($1, rtorrent_exec_t) +') + +######################################## +## +## Send generic signals to user rtorrent processes. +## +## +## +## Domain allowed access. +## +## +# +interface(`rtorrent_signal',` + gen_require(` + type rtorrent_t; + ') + + allow $1 rtorrent_t:process signal; ') diff --git a/rtorrent.te b/rtorrent.te index 996f7a7..dcf4d43 100644 --- a/rtorrent.te +++ b/rtorrent.te 
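Review bot: The rewritten `rtorrent_domtrans` drops the `corecmd_search_bin($1)` that both the removed version and the adjacent `rtorrent_exec` still carry, so a caller without search on bin_t directories cannot reach the rtorrent binary to transition; put `corecmd_search_bin($1)` back before `domtrans_pattern($1, rtorrent_exec_t, rtorrent_t)`. The parameter description of `rtorrent_entry_type` reads `The domain for which cifs_t is an entrypoint.`, a leftover from another module, and should say `rtorrent_exec_t`. In `rtorrent_role` the transition is now written inline rather than through `rtorrent_domtrans`, so the `hide_broken_symptoms` dontaudit of leaked fifo descriptors covers role users only and not other `rtorrent_domtrans` callers; a one-line comment saying that this is intended would help. The `rtorrent_role` interface header sits just above this hunk.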
@@ -1,4 +1,4 @@ -policy_module(rtorrent, 1.0.0) +policy_module(rtorrent, 1.0.1) ######################################## # @@ -18,84 +18,81 @@ gen_tunable(rtorrent_send_mails, false) ## gen_tunable(rtorrent_enable_rutorrent, false) -## -##

-## Allow rtorrent to execute helper scripts in home directories -##

-##
-gen_tunable(rtorrent_exec_scripts, false) +attribute rtorrentdomain; attribute_role rtorrent_roles; roleattribute system_r rtorrent_roles; type rtorrent_t; type rtorrent_exec_t; -application_domain(rtorrent_t, rtorrent_exec_t) +userdom_user_application_domain(rtorrent_t, rtorrent_exec_t) role rtorrent_roles types rtorrent_t; ######################################## # # rtorrent local policy # -allow rtorrent_t self:process { fork signal_perms }; -allow rtorrent_t self:fifo_file manage_fifo_file_perms; -allow rtorrent_t self:unix_stream_socket create_stream_socket_perms; - -domain_use_interactive_fds(rtorrent_t) - -files_read_etc_files(rtorrent_t) - -miscfiles_read_localization(rtorrent_t) - -sysnet_dns_name_resolve(rtorrent_t) - -optional_policy(` - gen_require(` - type staff_t; - role staff_r; - ') - - rtorrent_run(staff_t, staff_r) -') +corenet_tcp_bind_commplex_main_port(rtorrent_t) type rtorrent_port_t; corenet_port(rtorrent_port_t) allow rtorrent_t rtorrent_port_t:tcp_socket name_bind; userdom_read_user_home_content_symlinks(rtorrent_t) -userdom_manage_user_home_content_files(rtorrent_t) -userdom_manage_user_home_content_dirs(rtorrent_t) -allow rtorrent_t self:tcp_socket { accept listen }; +allow rtorrent_t self:process setpgid; +allow rtorrent_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; +allow rtorrent_t self:fifo_file rw_fifo_file_perms; +allow rtorrent_t self:tcp_socket create_stream_socket_perms; +allow rtorrent_t self:unix_stream_socket connectto; +allow rtorrent_t self:netlink_route_socket { bind create nlmsg_read }; +allow rtorrent_t self:udp_socket { connect create getattr }; +nscd_shm_use(rtorrent_t) + +#corecmd_exec_shell(rtorrent_t) +corecmd_exec_bin(rtorrent_t) +# execute helper scripts +userdom_exec_user_bin_files(rtorrent_t) + +corenet_all_recvfrom_netlabel(rtorrent_t) +corenet_tcp_sendrecv_generic_if(rtorrent_t) +corenet_udp_sendrecv_generic_if(rtorrent_t) +corenet_tcp_sendrecv_generic_node(rtorrent_t) 
+corenet_udp_sendrecv_generic_node(rtorrent_t) +corenet_tcp_sendrecv_all_ports(rtorrent_t) +corenet_udp_sendrecv_all_ports(rtorrent_t) corenet_tcp_connect_all_ports(rtorrent_t) +corenet_sendrecv_all_client_packets(rtorrent_t) +corenet_udp_bind_all_unreserved_ports(rtorrent_t) +domain_use_interactive_fds(rtorrent_t) +auth_use_nsswitch(rtorrent_t) +miscfiles_map_generic_certs(rtorrent_t) fs_getattr_xattr_fs(rtorrent_t) userdom_use_inherited_user_terminals(rtorrent_t) -# this might be to much +userdom_manage_user_home_content_files(rtorrent_t) +userdom_manage_user_home_content_dirs(rtorrent_t) userdom_home_manager(rtorrent_t) userdom_filetrans_home_content(rtorrent_t) +userdom_stream_connect(rtorrent_t) optional_policy(` - tunable_policy(`rtorrent_send_mails',` - userdom_exec_user_bin_files(rtorrent_t) - userdom_exec_user_home_content_files(rtorrent_t) - files_manage_generic_tmp_files(rtorrent_t) - mta_send_mail(rtorrent_t) - ') + tunable_policy(`rtorrent_send_mails',` + userdom_exec_user_bin_files(rtorrent_t) + userdom_exec_user_home_content_files(rtorrent_t) + files_manage_generic_tmp_files(rtorrent_t) + mta_send_mail(rtorrent_t) + ') ') optional_policy(` + apache_manage_sys_content(rtorrent_t) + tunable_policy(`rtorrent_enable_rutorrent',` - apache_manage_sys_content(rtorrent_t) apache_exec_sys_content(rtorrent_t) ') ') -tunable_policy(`rtorrent_exec_scripts',` - # execute helper scripts - corecmd_exec_bin(rtorrent_t) - userdom_exec_user_bin_files(rtorrent_t) -') diff --git a/selinux-policy.changes b/selinux-policy.changes index 66c1d72..8ba73f0 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
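Review bot: `apache_manage_sys_content(rtorrent_t)` is now placed directly under `optional_policy(` instead of inside `tunable_policy(`rtorrent_enable_rutorrent',`, so rtorrent may write httpd content types whether or not the boolean is set; move it back beside `apache_exec_sys_content(rtorrent_t)` inside the tunable block. The hunk also removes the `rtorrent_exec_scripts` tunable and makes `corecmd_exec_bin(rtorrent_t)` and `userdom_exec_user_bin_files(rtorrent_t)` unconditional, on top of `corenet_tcp_connect_all_ports`, `corenet_udp_bind_all_unreserved_ports` and `userdom_home_manager`; for a client that parses untrusted peer data, keeping at least the exec rules behind a boolean is the cheapest way to limit what a compromised process can do. `allow rtorrent_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }` is unusual for a torrent client, since `nlmsg_relay` is what lets a domain inject audit user records; a comment naming the code path that needs it would justify keeping it. This hunk begins in the tunable declarations a few lines above.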
@@ -1,438 +1,3 @@ -------------------------------------------------------------------- -Wed Oct 19 11:45:57 UTC 2022 - Johannes Segitz - -- Update to version 20221019. Refreshed: - * distro_suse_to_distro_redhat.patch - * fix_apache.patch - * fix_chronyd.patch - * fix_cron.patch - * fix_init.patch - * fix_kernel_sysctl.patch - * fix_networkmanager.patch - * fix_rpm.patch - * fix_sysnetwork.patch - * fix_systemd.patch - * fix_systemd_watch.patch - * fix_unconfined.patch - * fix_unconfineduser.patch - * fix_unprivuser.patch - * fix_xserver.patch -- Dropped fix_cockpit.patch as this is now packaged with cockpit itself -- Remove the ipa module, freeip ships their own module -- Added fix_alsa.patch to allow reading of config files in home directories -- Extended fix_networkmanager.patch and fix_postfix.patch to account - for SUSE systems -- Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc - queries the running processes -- Updated fix_snapper.patch to allow snapper to talk to rpm via dbus - -------------------------------------------------------------------- -Fri Sep 30 07:14:49 UTC 2022 - Johannes Segitz - -- Updated quilt couldn't unpack tarball. This will cause ongoing issues - so drop the sed statement in the %prep section and add - distro_suse_to_distro_redhat.patch to add the necessary changes - via a patch - -------------------------------------------------------------------- -Thu Sep 29 12:54:15 UTC 2022 - Johannes Segitz - -- Update fix_networkmanager.patch to ensure NetworkManager chrony - dispatcher is properly labled and update fix_chronyd.patch to ensure - chrony helper script has proper label to be used by NetworkManager. 
- Also allow NetworkManager_dispatcher_custom_t to query systemd status - (bsc#1203824) - -------------------------------------------------------------------- -Tue Sep 27 13:00:35 UTC 2022 - Filippo Bonazzi - -- Update fix_xserver.patch to add greetd support (bsc#1198559) - -------------------------------------------------------------------- -Mon Sep 12 06:47:56 UTC 2022 - Johannes Segitz - -- Revamped rtorrent module - -------------------------------------------------------------------- -Fri Aug 26 06:08:23 UTC 2022 - Thorsten Kukuk - -- Move SUSE directory from manual page section to html docu - -------------------------------------------------------------------- -Wed Jul 27 14:00:55 UTC 2022 - Hu - -- fix_networkmanager.patch: Allow NetworkManager_dispatcher_tlp_t - and NetworkManager_dispatcher_custom_t to access nscd socket - (bsc#1201741) - -------------------------------------------------------------------- -Thu Jul 26 10:50:21 UTC 2022 - Zdenek Kubala - -- Add fix_cloudform.patch to fix cloud-init runcmd issue with snapper - (bnc#1201015) - -------------------------------------------------------------------- -Thu Jul 14 08:44:12 UTC 2022 - Johannes Segitz - -- Update to version 20220714. 
Refreshed: - * fix_init.patch - * fix_systemd_watch.patch - -------------------------------------------------------------------- -Wed Jul 13 07:48:41 UTC 2022 - Johannes Segitz - -- Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for - systemd_gpt_generator_t (bsc#1200911) - -------------------------------------------------------------------- -Mon Jul 11 13:45:04 UTC 2022 - Johannes Segitz - -- postfix: Label PID files and some helpers correctly (bsc#1197242) - -------------------------------------------------------------------- -Fri Jun 24 12:51:40 UTC 2022 - Johannes Segitz - -- Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984) - -------------------------------------------------------------------- -Fri Jun 24 06:32:55 UTC 2022 - Johannes Segitz - -- Update to version 20220624. Refreshed: - * fix_init.patch - * fix_kernel_sysctl.patch - * fix_logging.patch - * fix_networkmanager.patch - * fix_unprivuser.patch - Dropped fix_hadoop.patch, not necessary anymore -* Updated fix_locallogin.patch to allow accesses for nss-systemd - (bsc#1199630) - -------------------------------------------------------------------- -Fri May 20 13:46:47 UTC 2022 - Johannes Segitz - -- Update to version 20220520 to pass stricter 3.4 toolchain checks - -------------------------------------------------------------------- -Fri May 20 09:14:58 UTC 2022 - Johannes Segitz - -- Update to version 20220428. 
Refreshed: - * fix_apache.patch - * fix_hadoop.patch - * fix_init.patch - * fix_iptables.patch - * fix_kernel_sysctl.patch - * fix_networkmanager.patch - * fix_systemd.patch - * fix_systemd_watch.patch - * fix_unprivuser.patch - * fix_usermanage.patch - * fix_wine.patch - -------------------------------------------------------------------- -Thu May 19 12:25:31 UTC 2022 - Johannes Segitz -- Add fix_dnsmasq.patch to fix problems with virtualization on Microos - (bsc#1199518) - -------------------------------------------------------------------- -Tue May 3 13:18:38 UTC 2022 - Johannes Segitz - -- Modified fix_init.patch to allow init to setup contrained environment - for accountsservice. This needs a better, more general solution - (bsc#1197610) - -------------------------------------------------------------------- -Mon May 2 11:27:49 UTC 2022 - Johannes Segitz - -- Add systemd_domain_dyntrans_type.patch to allow systemd to dyntransition. - This happens in certain boot conditions (bsc#1182500) -- Changed fix_unconfineduser.patch to not transition into ldconfig_t - from unconfined_t (bsc#1197169) -------------------------------------------------------------------- -Thu Feb 17 12:24:13 UTC 2022 - Klaus Kämpf - -- use %license tag for COPYING file - -------------------------------------------------------------------- -Thu Feb 10 09:04:08 UTC 2022 - Johannes Segitz - -- Updated fix_cron.patch. Adjust labeling for at (bsc#1195683) - -------------------------------------------------------------------- -Wed Feb 9 16:04:09 UTC 2022 - Filippo Bonazzi - -- Fix bitlbee runtime directory (bsc#1193230) - * add fix_bitlbee.patch - -------------------------------------------------------------------- -Mon Jan 24 07:33:34 UTC 2022 - Johannes Segitz - -- Update to version 20220124. 
Refreshed: - * fix_hadoop.patch - * fix_init.patch - * fix_kernel_sysctl.patch - * fix_systemd.patch - * fix_systemd_watch.patch -- Added fix_hypervkvp.patch to fix issues with hyperv labeling - (bsc#1193987) - -------------------------------------------------------------------- -Fri Jan 14 15:07:00 UTC 2022 - Johannes Segitz - -- Allow colord to use systemd hardenings (bsc#1194631) - -------------------------------------------------------------------- -Thu Nov 11 14:21:47 UTC 2021 - Johannes Segitz - -- Update to version 20211111. Refreshed: - * fix_dbus.patch - * fix_systemd.patch - * fix_authlogin.patch - * fix_auditd.patch - * fix_kernel_sysctl.patch - * fix_networkmanager.patch - * fix_chronyd.patch - * fix_unconfineduser.patch - * fix_unconfined.patch - * fix_firewalld.patch - * fix_init.patch - * fix_xserver.patch - * fix_logging.patch - * fix_hadoop.patch - -------------------------------------------------------------------- -Mon Oct 25 11:35:24 UTC 2021 - Marcus Meissner - -- fix_wine.patch: give Wine .dll same context as .so (bsc#1191976) - -------------------------------------------------------------------- -Tue Sep 28 12:44:22 UTC 2021 - Enzo Matsumiya - -- Fix auditd service start with systemd hardening directives (boo#1190918) - * add fix_auditd.patch - -------------------------------------------------------------------- -Thu Sep 2 08:45:24 UTC 2021 - Johannes Segitz - -- Modified fix_systemd.patch to allow systemd gpt generator access to - udev files (bsc#1189280) - -------------------------------------------------------------------- -Fri Aug 27 13:07:54 UTC 2021 - Ales Kedroutek - -- fix rebootmgr does not trigger the reboot properly (boo#1189878) - * fix managing /etc/rebootmgr.conf - * allow rebootmgr_t to cope with systemd and dbus messaging - -------------------------------------------------------------------- -Thu Aug 26 07:37:05 UTC 2021 - Johannes Segitz - -- Properly label cockpit files -- Allow wicked to communicate with network manager on 
DBUS (bsc#1188331) - -------------------------------------------------------------------- -Mon Aug 23 15:43:28 UTC 2021 - Ales Kedroutek - -- Added policy module for rebootmgr (jsc#SMO-28) - -------------------------------------------------------------------- -Tue Aug 17 16:03:08 UTC 2021 - Ludwig Nussel - -- Allow systemd-sysctl to read kernel specific sysctl.conf - (fix_kernel_sysctl.patch, boo#1184804) - -------------------------------------------------------------------- -Tue Aug 10 08:31:16 UTC 2021 - Ludwig Nussel - -- Fix quoting in postInstall macro - -------------------------------------------------------------------- -Fri Jul 16 07:11:57 UTC 2021 - Johannes Segitz - -- Update to version 20210716 -- Remove interfaces for container module before building the package - (bsc#1188184) -- Updated - * fix_init.patch - * fix_systemd_watch.patch - to adapt to upstream changes - -------------------------------------------------------------------- -Thu Jul 15 15:45:57 UTC 2021 - Callum Farmer - -- Use tabrmd SELinux modules from tpm2.0-abrmd instead of storing - here - -------------------------------------------------------------------- -Tue Jul 6 13:55:19 UTC 2021 - Alberto Planas Dominguez - -- Add tabrmd SELinux modules from upstream (bsc#1187925) - https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux -- Automatic spec-cleaner to fix ordering and misaligned spaces - -------------------------------------------------------------------- -Mon Jun 28 08:11:25 UTC 2021 - Johannes Segitz - -- Update to version 20210419 -- Dropped fix_gift.patch, module was removed -- Updated wicked.te to removed dropped interface -- Refreshed: - * fix_cockpit.patch - * fix_hadoop.patch - * fix_init.patch - * fix_logging.patch - * fix_logrotate.patch - * fix_networkmanager.patch - * fix_nscd.patch - * fix_rpm.patch - * fix_selinuxutil.patch - * fix_systemd.patch - * fix_systemd_watch.patch - * fix_thunderbird.patch - * fix_unconfined.patch - * fix_unconfineduser.patch - * 
fix_unprivuser.patch - * fix_xserver.patch - -------------------------------------------------------------------- -Tue May 18 11:10:59 UTC 2021 - Ludwig Nussel - -- allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units - that trigger on changes in those. - Added fix_systemd_watch.patch -- own /usr/share/selinux/packages/$SELINUXTYPE/ and - /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install - files there - -------------------------------------------------------------------- -Wed Apr 28 15:18:37 UTC 2021 - Ludwig Nussel - -- allow cockpit socket to bind nodes (fix_cockpit.patch) -- use %autosetup to get rid of endless patch lines - -------------------------------------------------------------------- -Tue Apr 27 06:30:08 UTC 2021 - Johannes Segitz - -- Updated fix_networkmanager.patch to allow NetworkManager to watch - its configuration directories -- Added fix_dovecot.patch to fix dovecot authentication (bsc#1182207) - -------------------------------------------------------------------- -Mon Apr 26 07:16:10 UTC 2021 - Johannes Segitz - -- Added Recommends for selinux-autorelabel (bsc#1181837) -- Prevent libreoffice fonts from changing types on every relabel - (bsc#1185265). Added fix_libraries.patch - -------------------------------------------------------------------- -Fri Apr 23 10:50:24 UTC 2021 - Johannes Segitz - -- Transition unconfined users to ldconfig type (bsc#1183121). 
- Extended fix_unconfineduser.patch - -------------------------------------------------------------------- -Mon Apr 19 11:37:49 UTC 2021 - Johannes Segitz - -- Update to version 20210419 -- Refreshed: - * fix_dbus.patch - * fix_hadoop.patch - * fix_init.patch - * fix_unprivuser.patch - -------------------------------------------------------------------- -Fri Mar 12 10:36:06 UTC 2021 - Ales Kedroutek - -- Adjust fix_init.patch to allow systemd to do sd-listen on - tcp socket [bsc#1183177] - -------------------------------------------------------------------- -Tue Mar 9 13:39:11 UTC 2021 - Johannes Segitz - -- Update to version 20210309 -- Refreshed - * fix_systemd.patch - * fix_selinuxutil.patch - * fix_iptables.patch - * fix_init.patch - * fix_logging.patch - * fix_nscd.patch - * fix_hadoop.patch - * fix_unconfineduser.patch - * fix_chronyd.patch - * fix_networkmanager.patch - * fix_cron.patch - * fix_usermanage.patch - * fix_unprivuser.patch - * fix_rpm.patch -- Ensure that /usr/etc is labeled according to /etc rules - -------------------------------------------------------------------- -Tue Feb 23 13:53:40 UTC 2021 - Thorsten Kukuk - -- Update to version 20210223 -- Change name of tar file to a more common schema to allow - parallel installation of several source versions -- Adjust fix_init.patch - -------------------------------------------------------------------- -Mon Jan 11 09:29:18 UTC 2021 - Thorsten Kukuk - -- Update to version 20210111 - - Drop fix_policykit.patch (integrated upstream) - - Adjust fix_iptables.patch - - update container policy - -------------------------------------------------------------------- -Tue Nov 10 08:52:35 UTC 2020 - Johannes Segitz - -- Updated fix_corecommand.patch to set correct types for the OBS - build tools - -------------------------------------------------------------------- -Thu Oct 29 08:47:51 UTC 2020 - Thorsten Kukuk - -- wicked.fc: add libexec directories -- Update to version 20201029 - - update container policy - 
-------------------------------------------------------------------- -Fri Oct 16 08:50:06 UTC 2020 - Thorsten Kukuk - -- Update to version 20201016 -- Use python3 to build (fc_sort.c was replaced by fc_sort.py which - uses python3) -- Drop SELINUX=disabled, "selinux=0" kernel commandline option has - to be used instead. New default is "permissive" [bsc#1176923]. - -------------------------------------------------------------------- -Tue Sep 10 07:16:50 UTC 2020 - Johannes Segitz - -- Update to version 20200910. Refreshed - * fix_authlogin.patch - * fix_nagios.patch - * fix_systemd.patch - * fix_usermanage.patch -- Delete suse_specific.patch, moved content into fix_selinuxutil.patch -- Cleanup of booleans-* presets - * Enabled - user_rw_noexattrfile - unconfined_chrome_sandbox_transition - unconfined_mozilla_plugin_transition - for the minimal policy - * Disabled - xserver_object_manager - for the MLS policy - * Disabled - openvpn_enable_homedirs - privoxy_connect_any - selinuxuser_direct_dri_enabled - selinuxuser_ping (aka user_ping) - squid_connect_any - telepathy_tcp_connect_generic_network_ports - for the targeted policy - Change your local config if you need them -- Build HTML version of manpages for the -devel package - ------------------------------------------------------------------- Thu Sep 3 07:47:52 UTC 2020 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index 5da319d..4bc4815 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,7 +1,7 @@ # # spec file for package selinux-policy # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -12,12 +12,12 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # - +# TODO: This turns on distro-specific policies. # There are almost no SUSE specific modifications available in the policy, so we utilize the -# ones used by redhat and include also the SUSE specific ones (distro_suse_to_distro_redhat.patch) +# ones used by redhat and include also the SUSE specific ones (see sed statement below) %define distro redhat %define ubac n %define polyinstatiate n @@ -33,9 +33,9 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20221019 +Version: 20200717 Release: 0 -Source: fedora-policy-%{version}.tar.bz2 +Source: fedora-policy.%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc Source10: modules-targeted-base.conf @@ -65,6 +65,7 @@ Source52: users-minimum Source60: selinux-policy.conf +Source90: selinux-policy-rpmlintrc Source91: Makefile.devel Source92: customizable_types #Source93: config.tgz 
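Review bot: `Source90: selinux-policy-rpmlintrc` names the same file as `Source1: selinux-policy-rpmlintrc` earlier in this spec, so the rpmlintrc is declared twice; keep one tag (rpmlint finds the file by name, not by Source number) and remove the other. Leaving both is harmless for the build but makes a later reader wonder whether two different rpmlintrc files exist.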
@@ -81,23 +82,22 @@ Source125: rtorrent.fc Source126: wicked.te Source127: wicked.if Source128: wicked.fc -Source129: rebootmgr.te -Source130: rebootmgr.if -Source131: rebootmgr.fc -Patch000: distro_suse_to_distro_redhat.patch Patch001: fix_djbdns.patch Patch002: fix_dbus.patch +Patch003: fix_gift.patch Patch004: fix_java.patch +Patch005: fix_hadoop.patch Patch006: fix_thunderbird.patch -Patch007: fix_postfix.patch -Patch008: fix_nscd.patch -Patch009: fix_sysnetwork.patch -Patch010: fix_logging.patch +Patch007: fix_postfix.patch +Patch008: fix_nscd.patch +Patch009: fix_sysnetwork.patch +Patch010: fix_logging.patch Patch011: fix_xserver.patch Patch012: fix_miscfiles.patch Patch013: fix_init.patch Patch014: fix_locallogin.patch +Patch015: fix_policykit.patch Patch016: fix_iptables.patch Patch017: fix_irqbalance.patch Patch018: fix_ntp.patch 
@@ -123,33 +123,17 @@ Patch039: fix_cron.patch Patch040: fix_usermanage.patch Patch041: fix_smartmon.patch Patch042: fix_geoclue.patch +Patch043: suse_specific.patch Patch044: fix_authlogin.patch Patch045: fix_screen.patch Patch046: fix_unprivuser.patch Patch047: fix_rpm.patch Patch048: fix_apache.patch Patch049: fix_nis.patch -Patch050: fix_libraries.patch -Patch051: fix_dovecot.patch -# https://github.com/cockpit-project/cockpit/pull/15758 -#Patch052: fix_cockpit.patch -Patch053: fix_systemd_watch.patch -# kernel specific sysctl.conf (boo#1184804) -Patch054: fix_kernel_sysctl.patch -Patch055: fix_auditd.patch -Patch056: fix_wine.patch -Patch057: fix_hypervkvp.patch -Patch058: fix_bitlbee.patch -Patch059: systemd_domain_dyntrans_type.patch -Patch060: fix_dnsmasq.patch -Patch061: fix_userdomain.patch -Patch062: fix_cloudform.patch -Patch063: fix_alsa.patch -Patch064: dontaudit_interface_kmod_tmpfs.patch -Patch100: sedoctool.patch +Patch100: sedoctool.patch -URL: https://github.com/fedora-selinux/selinux-policy.git +Url: https://github.com/fedora-selinux/selinux-policy.git BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch BuildRequires: checkpolicy @@ -157,9 +141,8 @@ BuildRequires: gawk BuildRequires: libxml2-tools BuildRequires: m4 BuildRequires: policycoreutils -BuildRequires: policycoreutils-devel -BuildRequires: python3 BuildRequires: python3-policycoreutils +BuildRequires: policycoreutils-devel # we need selinuxenabled Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): pam-config @@ -170,9 +153,7 @@ Recommends: audit Recommends: selinux-tools # for audit2allow Recommends: python3-policycoreutils -Recommends: container-selinux Recommends: policycoreutils-python-utils -Recommends: selinux-autorelabel %define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 
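Review bot: Dropping `Recommends: selinux-autorelabel` leaves the `touch /etc/selinux/.autorelabel` in the `postInstall` macro further down this spec with nothing guaranteed to act on it after a transactional update, unless the relabel unit is shipped by another package on this version; confirm which package provides it, or keep the Recommends so a rebuilt store is followed by a relabel. Removing `Recommends: container-selinux` is similarly only safe if no shipped module still references container types, which this hunk cannot show. Both are advisory dependencies, so the build will not fail if they were needed.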
@@ -198,7 +179,6 @@ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \ %{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \ -%{__mkdir} -p %{buildroot}%{_sharedstatedir}/selinux/%1/active/modules/{1,2,4}00 \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ @@ -226,8 +206,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \ %dir %attr(700,root,root) %{_sharedstatedir}/selinux/%1/active/modules \ %dir %{_sharedstatedir}/selinux/%1/active/modules/100 \ -%dir %{_sharedstatedir}/selinux/%1/active/modules/200 \ -%dir %{_sharedstatedir}/selinux/%1/active/modules/400 \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \ %dir %{_sysconfdir}/selinux/%1/policy/ \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.* \ @@ -268,7 +246,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ %dir %{_datadir}/selinux/%1 \ -%dir %{_datadir}/selinux/packages/%1 \ %{_datadir}/selinux/%1/base.lst \ %{_datadir}/selinux/%1/modules-base.lst \ %{_datadir}/selinux/%1/modules-contrib.lst \ 
@@ -280,7 +257,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ %{_sharedstatedir}/selinux/%1/active/seusers \ %{_sharedstatedir}/selinux/%1/active/file_contexts \ %{_sharedstatedir}/selinux/%1/active/policy.kern \ -%{_sharedstatedir}/selinux/%1/active/modules_checksum \ %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ @@ -320,9 +296,9 @@ fi; %define postInstall() \ . %{_sysconfdir}/selinux/config; \ -if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \ - rm %{_sysconfdir}/selinux/%2/.rebuild; \ - /usr/sbin/semodule -B -n -s %2; \ +if [ -e %{_sysconfdir}/selinux/%%2/.rebuild ]; then \ + rm %{_sysconfdir}/selinux/%%2/.rebuild; \ + /usr/sbin/semodule -B -n -s %%2; \ fi; \ if [ -n "${TRANSACTIONAL_UPDATE}" ]; then \ touch /etc/selinux/.autorelabel \ @@ -370,18 +346,18 @@ creating other policies. %files %defattr(-,root,root,-) -%license COPYING +%doc COPYING %dir %{_datadir}/selinux %dir %{_datadir}/selinux/packages %dir %{_sysconfdir}/selinux %ghost %config(noreplace) %{_sysconfdir}/selinux/config +#%ghost %{_sysconfdir}/sysconfig/selinux-policy %{_tmpfilesdir}/selinux-policy.conf %{_rpmconfigdir}/macros.d/macros.selinux-policy %package sandbox -Summary: SELinux policy sandbox -Group: System/Management -Requires(pre): selinux-policy-targeted = %{version}-%{release} +Summary: SELinux policy sandbox +Requires(pre): selinux-policy-targeted = %{version}-%{release} %description sandbox SELinux sandbox policy used for the policycoreutils-sandbox package 
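Review bot: Inside the `%define postInstall()` body, `%%2` reaches the generated scriptlet as the literal text `%2` rather than the macro's second argument (rpm turns `%%` into `%` and, as far as I can tell, does not re-expand the result), so `[ -e %{_sysconfdir}/selinux/%%2/.rebuild ]` is never true and `semodule -B -n -s %%2` never rebuilds the real store; use `%2` in all three lines, as the other `%1`/`%2` references in this spec do. The consequence is a policy store that silently stays stale after an update that asked for a rebuild. The `%doc COPYING` versus `%license` difference in the files hunk is cosmetic.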
@@ -408,13 +384,66 @@ fi; exit 0 %prep -%autosetup -n fedora-policy-%{version} -p1 +%setup -n fedora-policy +%patch001 -p1 +%patch002 -p1 +%patch003 -p1 +%patch004 -p1 +%patch005 -p1 +%patch006 -p1 +%patch007 -p1 +%patch008 -p1 +%patch009 -p1 +%patch010 -p1 +%patch011 -p1 +%patch012 -p1 +%patch013 -p1 +%patch014 -p1 +%patch015 -p1 +%patch016 -p1 +%patch017 -p1 +%patch018 -p1 +%patch019 -p1 +%patch020 -p1 +%patch021 -p1 +%patch022 -p1 +%patch024 -p1 +%patch025 -p1 +%patch026 -p1 +%patch027 -p1 +%patch028 -p1 +%patch029 -p1 +%patch030 -p1 +#% patch031 -p1 +%patch032 -p1 +%patch033 -p1 +%patch034 -p1 +%patch035 -p1 +%patch036 -p1 +%patch037 -p1 +%patch038 -p1 +%patch039 -p1 +%patch040 -p1 +%patch041 -p1 +%patch042 -p1 +%patch043 -p1 +%patch044 -p1 +%patch045 -p1 +%patch046 -p1 +%patch047 -p1 +%patch048 -p1 +%patch049 -p1 + +%patch100 -p1 +find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \; %build %install mkdir -p %{buildroot}%{_sysconfdir}/selinux touch %{buildroot}%{_sysconfdir}/selinux/config +#mkdir -p %{buildroot}%{_sysconfdir}/sysconfig +#touch %{buildroot}%{_sysconfdir}/sysconfig/selinux-policy mkdir -p %{buildroot}%{_tmpfilesdir} cp %{SOURCE60} %{buildroot}%{_tmpfilesdir} 
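Review bot: `%patch023 -p1` is missing from the explicit list (it jumps from `%patch022` to `%patch024`) and `#% patch031 -p1` is disabled without a word, so two declared patches are silently not applied and nobody reading `%prep` can tell whether that is deliberate. Add a reason next to each, e.g. `# Patch023 and Patch031 not applied: <bug/reason>`, or drop the corresponding `PatchNNN:` declarations so rpmbuild reports the unused patch. Separately, `find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \;` rewrites every file in the unpacked tree, not only policy sources; restricting it to `policy/` (`find policy -type f \( -name '*.te' -o -name '*.if' -o -name '*.fc' \) ...`) keeps the substitution from touching anything unexpected and makes its intent clear.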
@@ -428,14 +457,15 @@ sed -i 's|SELINUXSTOREPATH|%{_sharedstatedir}/selinux|' %{buildroot}%{_rpmconfig mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/ mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/ -mkdir -p %{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/ +mkdir -p %{buildroot}%{_datadir}/selinux/packages + mkdir selinux_config for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do cp $i selinux_config done -for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do +for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do cp $i policy/modules/contrib done 
@@ -482,13 +512,11 @@ mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/seli install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/ install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/ -%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot} -mkdir %{buildroot}%{_datadir}/selinux/devel/html -mv %{buildroot}%{_datadir}/man/man8/SUSE %{buildroot}%{_datadir}/selinux/devel/html -mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html -mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html -rm %{buildroot}%{_mandir}/man8/container_selinux.8* -rm %{buildroot}%{_datadir}/selinux/devel/include/services/container.if +#XXX what's missing for html? +#%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot} +#mkdir %{buildroot}%{_datadir}/selinux/devel/html +#mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html +#mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html %post if [ ! -s %{_sysconfdir}/selinux/config ]; then 
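Review bot: The `sepolicy manpage`/HTML generation is left in `%install` as five commented-out lines under `#XXX what's missing for html?`, which is dead code that will rot while the question stays open. Either delete the block and track the missing HTML build in the changes file, or replace the XXX with a comment naming the concrete failure (command and error) so the next person can pick it up; the `%files devel` hunk in this same diff drops the `html/` and `man8` entries, so nothing references that output any more. Also note that with the `rm ... container.if` and `rm ... container_selinux.8*` lines gone, the vendored container policy's interface and manpage now ship in `-devel`; a one-line comment saying that is intentional would save the next reader from re-adding the removal.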
@@ -497,15 +525,14 @@ if [ ! -s %{_sysconfdir}/selinux/config ]; then if [ -f %{_sysconfdir}/sysconfig/selinux-policy ]; then mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config else + # XXX right default for SELINUXTYPE? echo " # This file controls the state of SELinux on the system. -# SELinux can be completly disabled with the \"selinux=0\" kernel -# commandline option. -# # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. -SELINUX=permissive +# disabled - No SELinux policy is loaded. +SELINUX=disabled # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. @@ -532,7 +559,9 @@ if [ $1 -eq 0 ]; then \ if [ "$SELINUXTYPE" = "$2" ]; then \ %{_sbindir}/setenforce 0 2> /dev/null \ if [ -s %{_sysconfdir}/selinux/config ]; then \ - sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config \ + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config \ + else \ + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config \ fi \ fi \ pam-config -d --selinux \ @@ -542,12 +571,15 @@ exit 0 %postun if [ $1 = 0 ]; then %{_sbindir}/setenforce 0 2> /dev/null - if [ -s %{_sysconfdir}/selinux/config ]; then - sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config + if [ ! -s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config fi fi exit 0 + %package devel Summary: SELinux policy devel Group: System/Management 
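Review bot: The fallback branches added to the `preun` macro and to `%postun`, `echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config`, write a config with no `SELINUXTYPE=` line, yet the same `preun` macro decides what to do via `if [ "$SELINUXTYPE" = "$2" ]` after sourcing that file, and the `%post` generator above only writes a complete file when `/etc/selinux/config` is empty. A later install of a policy subpackage would therefore see an empty `$SELINUXTYPE`. Write both keys, e.g. `printf 'SELINUX=disabled\nSELINUXTYPE=%s\n' "$2" > %{_sysconfdir}/selinux/config` in the macro and `SELINUXTYPE=targeted` (or whatever the `# XXX right default for SELINUXTYPE?` question is resolved to) in `%postun`. Note also that the fresh-install default in the heredoc moves from `permissive` to `disabled`: installing the policy package now leaves SELinux off instead of logging denials, which may be intended but deserves an explicit line in the changes file.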
@@ -562,10 +594,7 @@ SELinux policy development and man page package %files devel %defattr(-,root,root,-) %doc %{_datadir}/man/ru/man8/* -%doc %{_datadir}/man/man8/* %dir %{_datadir}/selinux/devel -%dir %{_datadir}/selinux/devel/html/ -%doc %{_datadir}/selinux/devel/html/* %dir %{_datadir}/selinux/devel/include %{_datadir}/selinux/devel/include/* %{_datadir}/selinux/devel/Makefile @@ -625,6 +654,7 @@ Requires(pre): /usr/bin/awk Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} + %description minimum SELinux Reference policy minimum base module. diff --git a/suse_specific.patch b/suse_specific.patch new file mode 100644 index 0000000..00b9c83 --- /dev/null +++ b/suse_specific.patch @@ -0,0 +1,13 @@ +Index: fedora-policy/policy/modules/system/selinuxutil.if +=================================================================== +--- fedora-policy.orig/policy/modules/system/selinuxutil.if ++++ fedora-policy/policy/modules/system/selinuxutil.if +@@ -777,6 +777,8 @@ interface(`seutil_dontaudit_read_config' + + dontaudit $1 selinux_config_t:dir search_dir_perms; + dontaudit $1 selinux_config_t:file read_file_perms; ++ # /etc/selinux/config is often a link to /etc/sysconfig/selinux-policy ++ dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms; + ') + + ######################################## diff --git a/systemd_domain_dyntrans_type.patch b/systemd_domain_dyntrans_type.patch deleted file mode 100644 index 8376c95..0000000 --- a/systemd_domain_dyntrans_type.patch +++ /dev/null 
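Review bot: The comment justifying the new `dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms;` in `seutil_dontaudit_read_config` says `/etc/selinux/config is often a link to /etc/sysconfig/selinux-policy`, but `%post` in this same change does `mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config`, which replaces any such link with a regular file. If the rule is kept for systems that still carry the old link, say so: `# /etc/selinux/config used to be a symlink to /etc/sysconfig/selinux-policy; stay quiet on not-yet-migrated systems`. A dontaudit whose rationale no longer holds just hides a class of denials that would otherwise be visible in the audit log.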
@@ -1,13 +0,0 @@ -Index: fedora-policy-20220124/policy/modules/system/init.te -=================================================================== ---- fedora-policy-20220124.orig/policy/modules/system/init.te -+++ fedora-policy-20220124/policy/modules/system/init.te -@@ -179,6 +179,8 @@ allow init_t self:tcp_socket { listen ac - allow init_t self:packet_socket create_socket_perms; - allow init_t self:key manage_key_perms; - allow init_t self:bpf { map_create map_read map_write prog_load prog_run }; -+domain_dyntrans_type(init_t) -+allow init_t self:process { dyntransition setcurrent }; - - # is ~sys_module really needed? observed: - # sys_boot diff --git a/update.sh b/update.sh index 92f709c..3db7a02 100644 --- a/update.sh +++ b/update.sh @@ -4,19 +4,21 @@ date=$(date '+%Y%m%d') echo Update to $date -rm -rf fedora-policy container-selinux +rm -rf fedora-policy container-selinux selinux-policy-contrib git clone --depth 1 https://github.com/fedora-selinux/selinux-policy.git +git clone --depth 1 https://github.com/fedora-selinux/selinux-policy-contrib.git git clone --depth 1 https://github.com/containers/container-selinux.git -mv selinux-policy fedora-policy-$date -rm -rf fedora-policy-$date/.git* -mv container-selinux/container.* fedora-policy-$date/policy/modules/services/ +mv selinux-policy fedora-policy +rm -rf fedora-policy/.git* +mv selinux-policy-contrib/* fedora-policy/policy/modules/contrib/ +mv container-selinux/* fedora-policy/policy/modules/contrib/ -rm -f fedora-policy?$date.tar* -tar cf fedora-policy-$date.tar fedora-policy-$date -bzip2 fedora-policy-$date.tar -rm -rf fedora-policy-$date container-selinux +rm -f fedora-policy.$date.tar* +tar cf fedora-policy.$date.tar fedora-policy +bzip2 fedora-policy.$date.tar +rm -rf fedora-policy container-selinux selinux-policy-contrib sed -i -e "s/^Version:.*/Version: $date/" selinux-policy.spec diff --git a/users-minimum b/users-minimum index 8ccacae..e49103c 100644 --- a/users-minimum +++ b/users-minimum 
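Review bot: `git clone --depth 1` of the default branch followed by `rm -rf fedora-policy/.git*` discards the upstream revision before the tree is packed, and the archive is now named only by `$date` (`fedora-policy.$date.tar`), so nothing records which fedora-selinux/selinux-policy, selinux-policy-contrib and container-selinux commits a given source tarball was built from; the policy cannot be audited or reproduced against upstream. Record the heads before deleting `.git`, e.g. `for d in fedora-policy selinux-policy-contrib container-selinux; do echo "$d $(git -C "$d" rev-parse HEAD)"; done > fedora-policy/UPSTREAM_COMMITS`, or clone a tag/pinned commit instead of the branch head. Separately, `mv container-selinux/* fedora-policy/policy/modules/contrib/` now moves everything in that repository (the previous line moved only `container.*`), so README and test files land in the contrib module directory; keep the `container.*` glob unless the extra files are wanted.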
@@ -36,4 +36,3 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # not in the sysadm_r. # gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/users-mls b/users-mls index 167ba7c..4de9d57 100644 --- a/users-mls +++ b/users-mls @@ -36,5 +36,3 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # not in the sysadm_r. # gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(guest_u, user, guest_r, s0, s0) -gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/users-targeted b/users-targeted index e943336..e49103c 100644 --- a/users-targeted +++ b/users-targeted @@ -36,6 +36,3 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # not in the sysadm_r. # gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) -gen_user(guest_u, user, guest_r, s0, s0) -gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/wicked.fc b/wicked.fc index 95a44f8..1f98ad1 100644 --- a/wicked.fc +++ b/wicked.fc @@ -19,7 +19,6 @@ /usr/sbin/rcwicked.* -- gen_context(system_u:object_r:wicked_initrc_exec_t,s0) /usr/lib/wicked/bin(/.*)? gen_context(system_u:object_r:wicked_exec_t,s0) -/usr/libexec/wicked/bin(/.*)? gen_context(system_u:object_r:wicked_exec_t,s0) #/usr/lib64/libwicked-0.6.63.so diff --git a/wicked.te b/wicked.te index a5f49ed..3e9849b 100644 --- a/wicked.te +++ b/wicked.te @@ -326,6 +326,10 @@ optional_policy(` fcoe_dgram_send_fcoemon(wicked_t) ') +optional_policy(` + hal_write_log(wicked_t) +') + optional_policy(` howl_signal(wicked_t) ') 
@@ -494,10 +498,6 @@ optional_policy(` virt_dbus_chat(wicked_t) ') -optional_policy(` - networkmanager_dbus_chat(wicked_t) -') - #tunable_policy(`use_ecryptfs_home_dirs',` #fs_manage_ecryptfs_files(wicked_t) #') From 2425f1bc15be55d8fa783d2ca2362e3d39e709daa208fc32001670d7b8f86e0b Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Wed, 7 Oct 2020 12:18:21 +0000 Subject: [PATCH 02/35] Accepting request 839873 from security:SELinux Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/839873 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=2 --- booleans-minimum.conf | 83 +++++------- booleans-mls.conf | 236 +++++++++++++++++++++++++++++++- booleans-targeted.conf | 241 ++++++++++++++++++++++++++++++--- fedora-policy.20200717.tar.bz2 | 3 - fedora-policy.20200910.tar.bz2 | 3 + fix_authlogin.patch | 2 +- fix_nagios.patch | 2 +- fix_selinuxutil.patch | 13 ++ fix_systemd.patch | 2 +- fix_usermanage.patch | 4 +- modules-minimum-base.conf | 7 - modules-targeted-base.conf | 7 - selinux-policy.changes | 29 ++++ selinux-policy.spec | 25 ++-- suse_specific.patch | 13 -- update.sh | 2 +- 16 files changed, 549 insertions(+), 123 deletions(-) delete mode 100644 fedora-policy.20200717.tar.bz2 create mode 100644 fedora-policy.20200910.tar.bz2 delete mode 100644 suse_specific.patch diff --git a/booleans-minimum.conf b/booleans-minimum.conf index 2e00a7a..5185257 100644 --- a/booleans-minimum.conf +++ b/booleans-minimum.conf 
@@ -4,19 +4,19 @@ allow_execmem = false # Allow making a modified private filemapping executable (text relocation). # -allow_execmod = false +selinuxuser_execmod = false # Allow making the stack executable via mprotect.Also requires allow_execmem. # -allow_execstack = true +selinuxuser_execstack = false # Allow ftpd to read cifs directories. # -allow_ftpd_use_cifs = false +ftpd_use_cifs = false # Allow ftpd to read nfs directories. # -allow_ftpd_use_nfs = false +ftpd_use_nfs = false # Allow ftp servers to modify public filesused for public file transfer services. # @@ -24,7 +24,7 @@ allow_ftpd_anon_write = false # Allow gssd to read temp directory. # -allow_gssd_read_tmp = true +gssd_read_tmp = true # Allow Apache to modify public filesused for public file transfer services. # @@ -32,7 +32,7 @@ allow_httpd_anon_write = false # Allow Apache to use mod_auth_pam module # -allow_httpd_mod_auth_pam = false +httpd_mod_auth_pam = false # Allow system to run with kerberos # @@ -44,7 +44,7 @@ allow_rsync_anon_write = false # Allow sasl to read shadow # -allow_saslauthd_read_shadow = false +saslauthd_read_shadow = false # Allow samba to modify public filesused for public file transfer services. # @@ -56,7 +56,7 @@ allow_ypbind = false # Allow zebra to write it own configuration files # -allow_zebra_write_config = false +zebra_write_config = false # Enable extra rules in the cron domainto support fcron. # 
@@ -148,55 +148,35 @@ user_ping = false # allow host key based authentication # -allow_ssh_keysign = false +ssh_keysign = false # Allow pppd to be run for a regular user # pppd_for_user = false -# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted -# -read_untrusted_content = false - # Allow spamd to write to users homedirs # spamd_enable_home_dirs = false -# Allow regular users direct mouse access -# -user_direct_mouse = false - -# Allow users to read system messages. -# -user_dmesg = false - # Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) # -user_rw_noexattrfile = false +user_rw_noexattrfile = true # Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. # user_tcp_server = false -# Allow w to display everyone -# -user_ttyfile_stat = false - -# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored. -# -write_untrusted_content = false - # Allow all domains to talk to ttys # -allow_daemons_use_tty = false +daemons_use_tty = false # Allow login domains to polyinstatiate directories # -allow_polyinstantiation = false +polyinstantiation_enabled = false # Allow all domains to dump core # -allow_daemons_dump_core = true +daemons_dump_core = true # Allow samba to act as the domain controller # 
@@ -208,36 +188,24 @@ samba_run_unconfined = false # Allows XServer to execute writable memory # -allow_xserver_execmem = false +xserver_execmem = false # disallow guest accounts to execute files that they can create # -allow_guest_exec_content = false -allow_xguest_exec_content = false - -# Only allow browser to use the web -# -browser_confine_xguest=false +guest_exec_content = false +xguest_exec_content = false # Allow postfix locat to write to mail spool # -allow_postfix_local_write_mail_spool=false +postfix_local_write_mail_spool = false # Allow common users to read/write noexattrfile systems # -user_rw_noexattrfile=true +user_rw_noexattrfile = true # Allow qemu to connect fully to the network # -qemu_full_network=true - -# Allow nsplugin execmem/execstack for bad plugins -# -allow_nsplugin_execmem=true - -# Allow unconfined domain to transition to confined domain -# -allow_unconfined_nsplugin_transition=true +qemu_full_network = true # System uses init upstart program # @@ -245,9 +213,20 @@ init_upstart = true # Allow mount to mount any file/dir # -allow_mount_anyfile = true +mount_anyfile = true # Allow all domains to mmap files # domain_can_mmap_files = true +# Allow confined applications to use nscd shared memory +# +nscd_use_shm = true + +# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox +# +unconfined_chrome_sandbox_transition = true + +# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container. +# +unconfined_mozilla_plugin_transition = true diff --git a/booleans-mls.conf b/booleans-mls.conf index 6b75dd8..3892f99 100644 --- a/booleans-mls.conf +++ b/booleans-mls.conf 
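Review bot: `user_rw_noexattrfile = true` is still set twice in booleans-minimum.conf after this change: once in the `@@ -148` hunk (flipped from `false` to `true`) and again here under `# Allow common users to read/write noexattrfile systems`. Which copy wins is loader-dependent and a future edit of one of them will silently not be the effective one; keep a single entry. `allow_execmem = false` at the top of the file, the `# ... Also requires allow_execmem` comment, and `allow_kerberos`, `allow_ypbind` and the `allow_*_anon_write` keys keep the old `allow_` naming while their neighbours were renamed to `selinuxuser_*`/`ftpd_*`/`gssd_*`; if the 20200910 policy no longer defines those names the presets have no effect, so check each against the tarball's boolean definitions before relying on them.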
@@ -1,6 +1,232 @@ -kerberos_enabled = true +# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. +# +allow_execmem = false + +# Allow making a modified private filemapping executable (text relocation). +# +selinuxuser_execmod = false + +# Allow making the stack executable via mprotect.Also requires allow_execmem. +# +selinuxuser_execstack = false + +# Allow ftpd to read cifs directories. +# +ftpd_use_cifs = false + +# Allow ftpd to read nfs directories. +# +ftpd_use_nfs = false + +# Allow ftp servers to modify public filesused for public file transfer services. +# +allow_ftpd_anon_write = false + +# Allow gssd to read temp directory. +# +gssd_read_tmp = true + +# Allow Apache to modify public filesused for public file transfer services. +# +allow_httpd_anon_write = false + +# Allow Apache to use mod_auth_pam module +# +httpd_mod_auth_pam = false + +# Allow system to run with kerberos +# +allow_kerberos = true + +# Allow rsync to modify public filesused for public file transfer services. +# +allow_rsync_anon_write = false + +# Allow sasl to read shadow +# +saslauthd_read_shadow = false + +# Allow samba to modify public filesused for public file transfer services. +# +allow_smbd_anon_write = false + +# Allow system to run with NIS +# +allow_ypbind = false + +# Allow zebra to write it own configuration files +# +zebra_write_config = false + +# Enable extra rules in the cron domainto support fcron. 
+# +fcron_crond = false + +# +# allow httpd to connect to mysql/posgresql +httpd_can_network_connect_db = false + +# +# allow httpd to send dbus messages to avahi +httpd_dbus_avahi = true + +# +# allow httpd to network relay +httpd_can_network_relay = false + +# Allow httpd to use built in scripting (usually php) +# +httpd_builtin_scripting = true + +# Allow http daemon to tcp connect +# +httpd_can_network_connect = false + +# Allow httpd cgi support +# +httpd_enable_cgi = true + +# Allow httpd to act as a FTP server bylistening on the ftp port. +# +httpd_enable_ftp_server = false + +# Allow httpd to read home directories +# +httpd_enable_homedirs = false + +# Run SSI execs in system CGI script domain. +# +httpd_ssi_exec = false + +# Allow http daemon to communicate with the TTY +# +httpd_tty_comm = false + +# Run CGI in the main httpd domain +# +httpd_unified = false + +# Allow BIND to write the master zone files.Generally this is used for dynamic DNS. +# +named_write_master_zones = false + +# Allow nfs to be exported read/write. +# +nfs_export_all_rw = true + +# Allow nfs to be exported read only +# +nfs_export_all_ro = true + +# Allow pppd to load kernel modules for certain modems +# +pppd_can_insmod = false + +# Allow reading of default_t files. +# +read_default_t = false + +# Allow samba to export user home directories. +# +samba_enable_home_dirs = false + +# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. 
+# +squid_connect_any = false + +# Support NFS home directories +# +use_nfs_home_dirs = true + +# Support SAMBA home directories +# +use_samba_home_dirs = false + +# Control users use of ping and traceroute +# +user_ping = false + +# allow host key based authentication +# +ssh_keysign = false + +# Allow pppd to be run for a regular user +# +pppd_for_user = false + +# Allow spamd to write to users homedirs +# +spamd_enable_home_dirs = false + +# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) +# +user_rw_noexattrfile = true + +# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. +# +user_tcp_server = false + +# Allow all domains to talk to ttys +# +daemons_use_tty = false + +# Allow login domains to polyinstatiate directories +# +polyinstantiation_enabled = false + +# Allow all domains to dump core +# +daemons_dump_core = true + +# Allow samba to act as the domain controller +# +samba_domain_controller = false + +# Allow samba to export user home directories. 
+# +samba_run_unconfined = false + +# Allows XServer to execute writable memory +# +xserver_execmem = false + +# disallow guest accounts to execute files that they can create +# +guest_exec_content = false +xguest_exec_content = false + +# Allow postfix locat to write to mail spool +# +postfix_local_write_mail_spool = false + +# Allow common users to read/write noexattrfile systems +# +user_rw_noexattrfile = true + +# Allow qemu to connect fully to the network +# +qemu_full_network = true + +# System uses init upstart program +# +init_upstart = true + +# Allow mount to mount any file/dir +# mount_anyfile = true -polyinstantiation_enabled = true -ftpd_is_daemon = true -selinuxuser_ping = true -xserver_object_manager = true + +# Allow all domains to mmap files +# +domain_can_mmap_files = true + +# Allow confined applications to use nscd shared memory +# +nscd_use_shm = true + +# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox +# +unconfined_chrome_sandbox_transition = false + +# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container. +# +unconfined_mozilla_plugin_transition = false diff --git a/booleans-targeted.conf b/booleans-targeted.conf index d8cf568..5185257 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf 
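Review bot: Replacing booleans-mls.conf with the common template flips `polyinstantiation_enabled` from `true` to `false` and drops `ftpd_is_daemon = true` and `selinuxuser_ping = true` (now `user_ping = false`), while the changes entry in this commit records only `xserver_object_manager` as disabled for MLS. Polyinstantiated directories were one of the few MLS-specific presets the old file carried, so losing them is a behaviour change for MLS deployments that should at least be listed; if it is unintended, keep `polyinstantiation_enabled = true` here. The new file also enables `nfs_export_all_rw`, `use_nfs_home_dirs`, `daemons_dump_core` and `qemu_full_network` for the MLS policy with no MLS-specific review noted, and carries `user_rw_noexattrfile = true` twice.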
@@ -1,23 +1,232 @@ +# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. +# +allow_execmem = false + +# Allow making a modified private filemapping executable (text relocation). +# +selinuxuser_execmod = false + +# Allow making the stack executable via mprotect.Also requires allow_execmem. +# +selinuxuser_execstack = false + +# Allow ftpd to read cifs directories. +# +ftpd_use_cifs = false + +# Allow ftpd to read nfs directories. +# +ftpd_use_nfs = false + +# Allow ftp servers to modify public filesused for public file transfer services. +# +allow_ftpd_anon_write = false + +# Allow gssd to read temp directory. +# gssd_read_tmp = true + +# Allow Apache to modify public filesused for public file transfer services. +# +allow_httpd_anon_write = false + +# Allow Apache to use mod_auth_pam module +# +httpd_mod_auth_pam = false + +# Allow system to run with kerberos +# +allow_kerberos = true + +# Allow rsync to modify public filesused for public file transfer services. +# +allow_rsync_anon_write = false + +# Allow sasl to read shadow +# +saslauthd_read_shadow = false + +# Allow samba to modify public filesused for public file transfer services. +# +allow_smbd_anon_write = false + +# Allow system to run with NIS +# +allow_ypbind = false + +# Allow zebra to write it own configuration files +# +zebra_write_config = false + +# Enable extra rules in the cron domainto support fcron. 
+# +fcron_crond = false + +# +# allow httpd to connect to mysql/posgresql +httpd_can_network_connect_db = false + +# +# allow httpd to send dbus messages to avahi +httpd_dbus_avahi = true + +# +# allow httpd to network relay +httpd_can_network_relay = false + +# Allow httpd to use built in scripting (usually php) +# httpd_builtin_scripting = true + +# Allow http daemon to tcp connect +# +httpd_can_network_connect = false + +# Allow httpd cgi support +# httpd_enable_cgi = true -kerberos_enabled = true -mount_anyfile = true -nfs_export_all_ro = true + +# Allow httpd to act as a FTP server bylistening on the ftp port. +# +httpd_enable_ftp_server = false + +# Allow httpd to read home directories +# +httpd_enable_homedirs = false + +# Run SSI execs in system CGI script domain. +# +httpd_ssi_exec = false + +# Allow http daemon to communicate with the TTY +# +httpd_tty_comm = false + +# Run CGI in the main httpd domain +# +httpd_unified = false + +# Allow BIND to write the master zone files.Generally this is used for dynamic DNS. +# +named_write_master_zones = false + +# Allow nfs to be exported read/write. +# nfs_export_all_rw = true -nscd_use_shm = true -openvpn_enable_homedirs = true -postfix_local_write_mail_spool= true + +# Allow nfs to be exported read only +# +nfs_export_all_ro = true + +# Allow pppd to load kernel modules for certain modems +# pppd_can_insmod = false -privoxy_connect_any = true -selinuxuser_direct_dri_enabled = true -selinuxuser_rw_noexattrfile = true -selinuxuser_ping = true -squid_connect_any = true -telepathy_tcp_connect_generic_network_ports=true -unconfined_chrome_sandbox_transition=true -unconfined_mozilla_plugin_transition=true -xguest_exec_content = true -mozilla_plugin_can_network_connect = true + +# Allow reading of default_t files. +# +read_default_t = false + +# Allow samba to export user home directories. +# +samba_enable_home_dirs = false + +# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. 
+# +squid_connect_any = false + +# Support NFS home directories +# +use_nfs_home_dirs = true + +# Support SAMBA home directories +# +use_samba_home_dirs = false + +# Control users use of ping and traceroute +# +user_ping = false + +# allow host key based authentication +# +ssh_keysign = false + +# Allow pppd to be run for a regular user +# +pppd_for_user = false + +# Allow spamd to write to users homedirs +# +spamd_enable_home_dirs = false + +# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) +# +user_rw_noexattrfile = true + +# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. +# +user_tcp_server = false + +# Allow all domains to talk to ttys +# +daemons_use_tty = false + +# Allow login domains to polyinstatiate directories +# +polyinstantiation_enabled = false + +# Allow all domains to dump core +# +daemons_dump_core = true + +# Allow samba to act as the domain controller +# +samba_domain_controller = false + +# Allow samba to export user home directories. 
+# +samba_run_unconfined = false + +# Allows XServer to execute writable memory +# +xserver_execmem = false + +# disallow guest accounts to execute files that they can create +# +guest_exec_content = false +xguest_exec_content = false + +# Allow postfix locat to write to mail spool +# +postfix_local_write_mail_spool = false + +# Allow common users to read/write noexattrfile systems +# +user_rw_noexattrfile = true + +# Allow qemu to connect fully to the network +# +qemu_full_network = true + +# System uses init upstart program +# +init_upstart = true + +# Allow mount to mount any file/dir +# +mount_anyfile = true + # Allow all domains to mmap files +# domain_can_mmap_files = true + +# Allow confined applications to use nscd shared memory +# +nscd_use_shm = true + +# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox +# +unconfined_chrome_sandbox_transition = true + +# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container. +# +unconfined_mozilla_plugin_transition = true diff --git a/fedora-policy.20200717.tar.bz2 b/fedora-policy.20200717.tar.bz2 deleted file mode 100644 index 69fa9bc..0000000 --- a/fedora-policy.20200717.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9cce9137b42c72c260c989e8a35153681b4fda9c9bcabda80816393683cd0304 -size 752394 diff --git a/fedora-policy.20200910.tar.bz2 b/fedora-policy.20200910.tar.bz2 new file mode 100644 index 0000000..6a48fb8 --- /dev/null +++ b/fedora-policy.20200910.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7e8acb185a5abf179037ca0531d312d327df52c0b201128e84d22afe730c8b96 +size 738509 diff --git a/fix_authlogin.patch b/fix_authlogin.patch index a91f07d..4592a10 100644 --- a/fix_authlogin.patch +++ b/fix_authlogin.patch 
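Review bot: Several targeted presets change value or disappear here without appearing in the changes entry: `xguest_exec_content` goes from `true` to `false`, `postfix_local_write_mail_spool` from `true` to `false`, and `mozilla_plugin_can_network_connect = true` is dropped (the entry lists only `openvpn_enable_homedirs`, `privoxy_connect_any`, `selinuxuser_direct_dri_enabled`, `selinuxuser_ping`, `squid_connect_any` and `telepathy_tcp_connect_generic_network_ports`). The old file used `kerberos_enabled`, `selinuxuser_ping` and `selinuxuser_rw_noexattrfile`; the new one reintroduces `allow_kerberos`, `user_ping` and `user_rw_noexattrfile` next to `selinuxuser_execmod`, mixing two boolean naming generations in one file. A preset under a name the policy does not define is silently ineffective, so verify each name against the tarball's booleans, and drop the second `user_rw_noexattrfile = true` so the key is set once.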
@@ -2,7 +2,7 @@ Index: fedora-policy/policy/modules/system/authlogin.fc =================================================================== --- fedora-policy.orig/policy/modules/system/authlogin.fc +++ fedora-policy/policy/modules/system/authlogin.fc -@@ -47,6 +47,7 @@ ifdef(`distro_gentoo', ` +@@ -49,6 +49,7 @@ ifdef(`distro_gentoo', ` /usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /usr/libexec/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) diff --git a/fix_nagios.patch b/fix_nagios.patch index ddb660c..08fdbf0 100644 --- a/fix_nagios.patch +++ b/fix_nagios.patch @@ -14,7 +14,7 @@ Index: fedora-policy/policy/modules/contrib/nagios.te =================================================================== --- fedora-policy.orig/policy/modules/contrib/nagios.te +++ fedora-policy/policy/modules/contrib/nagios.te -@@ -157,6 +157,7 @@ allow nagios_t nagios_spool_t:file map; +@@ -161,6 +161,7 @@ allow nagios_t nagios_spool_t:file map; manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) diff --git a/fix_selinuxutil.patch b/fix_selinuxutil.patch index fb0148d..41024ad 100644 --- a/fix_selinuxutil.patch +++ b/fix_selinuxutil.patch 
@@ -24,3 +24,16 @@ Index: fedora-policy/policy/modules/system/selinuxutil.te cloudform_dontaudit_write_cloud_log(setfiles_t) ') +Index: fedora-policy/policy/modules/system/selinuxutil.if +=================================================================== +--- fedora-policy.orig/policy/modules/system/selinuxutil.if ++++ fedora-policy/policy/modules/system/selinuxutil.if +@@ -777,6 +777,8 @@ interface(`seutil_dontaudit_read_config' + + dontaudit $1 selinux_config_t:dir search_dir_perms; + dontaudit $1 selinux_config_t:file read_file_perms; ++ # /etc/selinux/config was a link to /etc/sysconfig/selinux-policy, ignore read attemps ++ dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms; + ') + + ######################################## diff --git a/fix_systemd.patch b/fix_systemd.patch index 5dbba95..75fe45b 100644 --- a/fix_systemd.patch +++ b/fix_systemd.patch @@ -13,7 +13,7 @@ Index: fedora-policy/policy/modules/system/systemd.te apache_read_tmp_files(systemd_logind_t) ') -@@ -823,6 +827,10 @@ optional_policy(` +@@ -828,6 +832,10 @@ optional_policy(` dbus_connect_system_bus(systemd_hostnamed_t) ') diff --git a/fix_usermanage.patch b/fix_usermanage.patch index b82e968..7327373 100644 --- a/fix_usermanage.patch +++ b/fix_usermanage.patch @@ -10,7 +10,7 @@ Index: fedora-policy/policy/modules/admin/usermanage.te fs_getattr_xattr_fs(groupadd_t) fs_search_auto_mountpoints(groupadd_t) -@@ -529,6 +530,7 @@ allow useradd_t self:unix_dgram_socket c +@@ -530,6 +531,7 @@ allow useradd_t self:unix_dgram_socket c allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; 
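Review bot: The comment on the new `dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms;` has a typo (`attemps`) and, by saying the config `was a link`, leaves open whether the rule is still needed or only kept for migrated systems. Make that explicit, e.g. `# /etc/selinux/config used to be a symlink to /etc/sysconfig/selinux-policy; dontaudit reads on systems that still have the link`, so a later cleanup knows when the dontaudit can go.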
@@ -18,7 +18,7 @@ Index: fedora-policy/policy/modules/admin/usermanage.te manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) -@@ -537,6 +539,8 @@ files_pid_filetrans(useradd_t, useradd_v +@@ -538,6 +540,8 @@ files_pid_filetrans(useradd_t, useradd_v # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) diff --git a/modules-minimum-base.conf b/modules-minimum-base.conf index 8774301..d90e3cb 100644 --- a/modules-minimum-base.conf +++ b/modules-minimum-base.conf @@ -392,13 +392,6 @@ udev = module # unconfined = module -# Layer: system -# Module: kdbus -# -# Policy for kdbus. -# -kdbus = module - # Layer: admin # Module: rpm # diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf index 202da6f..f5bcc4c 100644 --- a/modules-targeted-base.conf +++ b/modules-targeted-base.conf @@ -392,13 +392,6 @@ udev = module # unconfined = module -# Layer: system -# Module: kdbus -# -# Policy for kdbus. -# -kdbus = module - # Layer: contrib # Module: packagekit # diff --git a/selinux-policy.changes b/selinux-policy.changes index 8ba73f0..4424e20 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
@@ -1,3 +1,32 @@ +------------------------------------------------------------------- +Tue Sep 10 07:16:50 UTC 2020 - Johannes Segitz + +- Update to version 20200910. Refreshed + * fix_authlogin.patch + * fix_nagios.patch + * fix_systemd.patch + * fix_usermanage.patch +- Delete suse_specific.patch, moved content into fix_selinuxutil.patch +- Cleanup of booleans-* presets + * Enabled + user_rw_noexattrfile + unconfined_chrome_sandbox_transition + unconfined_mozilla_plugin_transition + for the minimal policy + * Disabled + xserver_object_manager + for the MLS policy + * Disabled + openvpn_enable_homedirs + privoxy_connect_any + selinuxuser_direct_dri_enabled + selinuxuser_ping (aka user_ping) + squid_connect_any + telepathy_tcp_connect_generic_network_ports + for the targeted policy + Change your local config if you need them +- Build HTML version of manpages for the -devel package + ------------------------------------------------------------------- Thu Sep 3 07:47:52 UTC 2020 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index 4bc4815..1940dce 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -15,7 +15,6 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# TODO: This turns on distro-specific policies. # There are almost no SUSE specific modifications available in the policy, so we utilize the # ones used by redhat and include also the SUSE specific ones (see sed statement below) %define distro redhat @@ -33,7 +32,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20200717 +Version: 20200910 Release: 0 Source: fedora-policy.%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc @@ -65,7 +64,6 @@ Source52: users-minimum Source60: selinux-policy.conf -Source90: selinux-policy-rpmlintrc Source91: Makefile.devel Source92: customizable_types #Source93: config.tgz 
@@ -123,7 +121,7 @@ Patch039: fix_cron.patch Patch040: fix_usermanage.patch Patch041: fix_smartmon.patch Patch042: fix_geoclue.patch -Patch043: suse_specific.patch +#Patch043: suse_specific.patch Patch044: fix_authlogin.patch Patch045: fix_screen.patch Patch046: fix_unprivuser.patch @@ -154,6 +152,7 @@ Recommends: selinux-tools # for audit2allow Recommends: python3-policycoreutils Recommends: policycoreutils-python-utils +Recommends: container-selinux %define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 @@ -351,7 +350,6 @@ creating other policies. %dir %{_datadir}/selinux/packages %dir %{_sysconfdir}/selinux %ghost %config(noreplace) %{_sysconfdir}/selinux/config -#%ghost %{_sysconfdir}/sysconfig/selinux-policy %{_tmpfilesdir}/selinux-policy.conf %{_rpmconfigdir}/macros.d/macros.selinux-policy @@ -426,7 +424,7 @@ exit 0 %patch040 -p1 %patch041 -p1 %patch042 -p1 -%patch043 -p1 +#% patch043 -p1 %patch044 -p1 %patch045 -p1 %patch046 -p1 @@ -442,8 +440,6 @@ find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \; %install mkdir -p %{buildroot}%{_sysconfdir}/selinux touch %{buildroot}%{_sysconfdir}/selinux/config -#mkdir -p %{buildroot}%{_sysconfdir}/sysconfig -#touch %{buildroot}%{_sysconfdir}/sysconfig/selinux-policy mkdir -p %{buildroot}%{_tmpfilesdir} cp %{SOURCE60} %{buildroot}%{_tmpfilesdir} 
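Review bot: `#Patch043: suse_specific.patch` and `#% patch043 -p1` keep commented-out references to a file this commit deletes (suse_specific.patch, whose content moved into fix_selinuxutil.patch according to the changes entry); dead references in a spec tend to be uncommented later by mistake, so delete both lines instead of commenting them. The `#% patch043` spelling exists only because rpm expands `%patch` even inside comments, and it becomes unnecessary once the line is gone. The same applies to the `%prep` hunk further down in this file section.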
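Review bot: `Recommends: container-selinux` is added while update.sh in this same commit copies `container-selinux/container.*` into the policy's contrib modules, so the `container` module would presumably be shipped twice — once built into this policy and once by the container-selinux package, and the two copies can drift apart between releases. Decide on one source: either drop the Recommends or stop bundling the module; if the package is wanted only for its tooling, a comment above the line saying so, e.g. `# tooling only; the container policy module itself is built from contrib/`, would settle the question for the next reviewer.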
@@ -512,11 +508,10 @@ mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/seli install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/ install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/ -#XXX what's missing for html? -#%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot} -#mkdir %{buildroot}%{_datadir}/selinux/devel/html -#mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html -#mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html +%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot} +mkdir %{buildroot}%{_datadir}/selinux/devel/html +mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html +mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html %post if [ ! -s %{_sysconfdir}/selinux/config ]; then @@ -525,7 +520,6 @@ if [ ! -s %{_sysconfdir}/selinux/config ]; then if [ -f %{_sysconfdir}/sysconfig/selinux-policy ]; then mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config else - # XXX right default for SELINUXTYPE? echo " # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: @@ -594,7 +588,10 @@ SELinux policy development and man page package %files devel %defattr(-,root,root,-) %doc %{_datadir}/man/ru/man8/* +%doc %{_datadir}/man/man8/* %dir %{_datadir}/selinux/devel +%dir %{_datadir}/selinux/devel/html/ +%doc %{_datadir}/selinux/devel/html/* %dir %{_datadir}/selinux/devel/include %{_datadir}/selinux/devel/include/* %{_datadir}/selinux/devel/Makefile diff --git a/suse_specific.patch b/suse_specific.patch deleted file mode 100644 index 00b9c83..0000000 --- a/suse_specific.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -Index: fedora-policy/policy/modules/system/selinuxutil.if -=================================================================== ---- fedora-policy.orig/policy/modules/system/selinuxutil.if -+++ fedora-policy/policy/modules/system/selinuxutil.if -@@ -777,6 +777,8 @@ interface(`seutil_dontaudit_read_config' - - dontaudit $1 selinux_config_t:dir search_dir_perms; - dontaudit $1 selinux_config_t:file read_file_perms; -+ # /etc/selinux/config is often a link to /etc/sysconfig/selinux-policy -+ dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms; - ') - - ######################################## diff --git a/update.sh b/update.sh index 3db7a02..b08321d 100644 --- a/update.sh +++ b/update.sh @@ -13,7 +13,7 @@ git clone --depth 1 https://github.com/containers/container-selinux.git mv selinux-policy fedora-policy rm -rf fedora-policy/.git* mv selinux-policy-contrib/* fedora-policy/policy/modules/contrib/ -mv container-selinux/* fedora-policy/policy/modules/contrib/ +mv container-selinux/container.* fedora-policy/policy/modules/contrib/ rm -f fedora-policy.$date.tar* tar cf fedora-policy.$date.tar fedora-policy From b4b02dcd1a1a2e178fdf3ce58b497fad2d02162ca3a710666405476f00ba82d5 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Fri, 23 Oct 2020 10:20:12 +0000 Subject: [PATCH 03/35] Accepting request 842814 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/842814 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=3 --- fedora-policy.20200910.tar.bz2 | 3 --- fedora-policy.20201016.tar.bz2 | 3 +++ selinux-policy.changes | 9 +++++++ selinux-policy.spec | 44 ++++++++++++++++------------------ 4 files changed, 33 insertions(+), 26 deletions(-) delete mode 100644 fedora-policy.20200910.tar.bz2 create mode 100644 fedora-policy.20201016.tar.bz2 diff --git a/fedora-policy.20200910.tar.bz2 b/fedora-policy.20200910.tar.bz2 deleted file mode 100644 index 6a48fb8..0000000 
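Review bot: update.sh assembles the source tarball from `git clone --depth 1` of the default branch of two upstream repositories without pinning a tag or commit, so the tarball a reviewer receives cannot be tied to a specific upstream state and a re-run on the same day yields different content; the update.sh hunks in the later requests 862277 and 874853 carry the same gap. Record the fetched revisions right after the clones, e.g. `git -C selinux-policy rev-parse HEAD` and `git -C container-selinux rev-parse HEAD`, and write them into the changes entry next to the date-based version, or clone an explicit tag or commit. The narrowing to `mv container-selinux/container.*` is sensible, but a short comment stating why only those files are taken would make the intent reviewable.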
--- a/fedora-policy.20200910.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:7e8acb185a5abf179037ca0531d312d327df52c0b201128e84d22afe730c8b96 -size 738509 diff --git a/fedora-policy.20201016.tar.bz2 b/fedora-policy.20201016.tar.bz2 new file mode 100644 index 0000000..87f1b9d --- /dev/null +++ b/fedora-policy.20201016.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3ff25d1c2affe7d2361d8f00f32ff95d5114439051fa596373ddc4a43a8119eb +size 716245 diff --git a/selinux-policy.changes b/selinux-policy.changes index 4424e20..98c3788 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Fri Oct 16 08:50:06 UTC 2020 - Thorsten Kukuk + +- Update to version 20201016 +- Use python3 to build (fc_sort.c was replaced by fc_sort.py which + uses python3) +- Drop SELINUX=disabled, "selinux=0" kernel commandline option has + to be used instead. New default is "permissive" [bsc#1176923]. + ------------------------------------------------------------------- Tue Sep 10 07:16:50 UTC 2020 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index 1940dce..9d70bba 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,7 +1,7 @@ # # spec file for package selinux-policy # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -12,9 +12,10 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # + # There are almost no SUSE specific modifications available in the policy, so we utilize the # ones used by redhat and include also the SUSE specific ones (see sed statement below) %define distro redhat @@ -32,7 +33,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20200910 +Version: 20201016 Release: 0 Source: fedora-policy.%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc @@ -87,10 +88,10 @@ Patch003: fix_gift.patch Patch004: fix_java.patch Patch005: fix_hadoop.patch Patch006: fix_thunderbird.patch -Patch007: fix_postfix.patch -Patch008: fix_nscd.patch -Patch009: fix_sysnetwork.patch -Patch010: fix_logging.patch +Patch007: fix_postfix.patch +Patch008: fix_nscd.patch +Patch009: fix_sysnetwork.patch +Patch010: fix_logging.patch Patch011: fix_xserver.patch Patch012: fix_miscfiles.patch Patch013: fix_init.patch @@ -129,9 +130,9 @@ Patch047: fix_rpm.patch Patch048: fix_apache.patch Patch049: fix_nis.patch -Patch100: sedoctool.patch +Patch100: sedoctool.patch -Url: https://github.com/fedora-selinux/selinux-policy.git +URL: https://github.com/fedora-selinux/selinux-policy.git BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch BuildRequires: checkpolicy @@ -139,8 +140,9 @@ BuildRequires: gawk BuildRequires: libxml2-tools BuildRequires: m4 BuildRequires: policycoreutils -BuildRequires: python3-policycoreutils BuildRequires: policycoreutils-devel +BuildRequires: python3 +BuildRequires: python3-policycoreutils # we need selinuxenabled Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): pam-config 
@@ -354,7 +356,8 @@ creating other policies. %{_rpmconfigdir}/macros.d/macros.selinux-policy %package sandbox -Summary: SELinux policy sandbox +Summary: SELinux policy sandbox +Group: System/Management Requires(pre): selinux-policy-targeted = %{version}-%{release} %description sandbox @@ -455,7 +458,6 @@ mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/ mkdir -p %{buildroot}%{_datadir}/selinux/packages - mkdir selinux_config for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do cp $i selinux_config @@ -522,11 +524,13 @@ if [ ! -s %{_sysconfdir}/selinux/config ]; then else echo " # This file controls the state of SELinux on the system. +# SELinux can be completly disabled with the \"selinux=0\" kernel +# commandline option. +# # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. -# disabled - No SELinux policy is loaded. -SELINUX=disabled +SELINUX=permissive # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. @@ -553,9 +557,7 @@ if [ $1 -eq 0 ]; then \ if [ "$SELINUXTYPE" = "$2" ]; then \ %{_sbindir}/setenforce 0 2> /dev/null \ if [ -s %{_sysconfdir}/selinux/config ]; then \ - sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config \ - else \ - echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config \ + sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config \ fi \ fi \ pam-config -d --selinux \ 
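Review bot: In the generated /etc/selinux/config heredoc the line `# SELINUX= can take one of these three values:` is now wrong, because the `disabled` entry is removed and only `enforcing` and `permissive` remain; the new comment also misspells `completly`. Change the two lines to `# SELINUX= can take one of these two values:` and `# SELinux can be completely disabled with the \"selinux=0\" kernel`. Since this text is what an administrator reads when debugging SELinux, it is worth keeping it exact; the `%preun` sed in the next hunk and the `%postun` in the following section make the same disabled-to-permissive switch and look consistent with it.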
@@ -565,15 +567,12 @@ exit 0 %postun if [ $1 = 0 ]; then %{_sbindir}/setenforce 0 2> /dev/null - if [ ! -s %{_sysconfdir}/selinux/config ]; then - echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config - else - sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + if [ -s %{_sysconfdir}/selinux/config ]; then + sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config fi fi exit 0 - %package devel Summary: SELinux policy devel Group: System/Management @@ -651,7 +650,6 @@ Requires(pre): /usr/bin/awk Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} - %description minimum SELinux Reference policy minimum base module. From ef24e4da10e9280d55363e09d51dbec34b82822e4951c7ad74024954a81a5464 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Mon, 2 Nov 2020 13:04:02 +0000 Subject: [PATCH 04/35] Accepting request 844986 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/844986 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=4 --- fedora-policy.20201016.tar.bz2 | 3 --- fedora-policy.20201029.tar.bz2 | 3 +++ selinux-policy.changes | 7 +++++++ selinux-policy.spec | 2 +- wicked.fc | 1 + 5 files changed, 12 insertions(+), 4 deletions(-) delete mode 100644 fedora-policy.20201016.tar.bz2 create mode 100644 fedora-policy.20201029.tar.bz2 diff --git a/fedora-policy.20201016.tar.bz2 b/fedora-policy.20201016.tar.bz2 deleted file mode 100644 index 87f1b9d..0000000 --- a/fedora-policy.20201016.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3ff25d1c2affe7d2361d8f00f32ff95d5114439051fa596373ddc4a43a8119eb -size 716245 diff --git a/fedora-policy.20201029.tar.bz2 b/fedora-policy.20201029.tar.bz2 new file mode 100644 index 0000000..a5666d7 --- /dev/null +++ b/fedora-policy.20201029.tar.bz2 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e62dbd68d35cf894627b3d409523de8ea4e57c95c68c5fb20162b02cd57f365a +size 716344 diff --git a/selinux-policy.changes b/selinux-policy.changes index 98c3788..90bcaca 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Oct 29 08:47:51 UTC 2020 - Thorsten Kukuk + +- wicked.fc: add libexec directories +- Update to version 20201029 + - update container policy + ------------------------------------------------------------------- Fri Oct 16 08:50:06 UTC 2020 - Thorsten Kukuk diff --git a/selinux-policy.spec b/selinux-policy.spec index 9d70bba..394776c 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -33,7 +33,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20201016 +Version: 20201029 Release: 0 Source: fedora-policy.%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc diff --git a/wicked.fc b/wicked.fc index 1f98ad1..95a44f8 100644 --- a/wicked.fc +++ b/wicked.fc @@ -19,6 +19,7 @@ /usr/sbin/rcwicked.* -- gen_context(system_u:object_r:wicked_initrc_exec_t,s0) /usr/lib/wicked/bin(/.*)? gen_context(system_u:object_r:wicked_exec_t,s0) +/usr/libexec/wicked/bin(/.*)? gen_context(system_u:object_r:wicked_exec_t,s0) #/usr/lib64/libwicked-0.6.63.so From 6c79f08d5be25b66478ea9649d3ccd8de6ab385cb4454eaccbdd544097ec0c04 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Fri, 13 Nov 2020 17:54:46 +0000 Subject: [PATCH 05/35] Accepting request 847443 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/847443 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=5 --- fix_corecommand.patch | 11 ++++++++++- selinux-policy.changes | 6 ++++++ 2 files changed, 16 insertions(+), 1 deletion(-) 
diff --git a/fix_corecommand.patch b/fix_corecommand.patch index 5593a71..60362f2 100644 --- a/fix_corecommand.patch +++ b/fix_corecommand.patch @@ -45,7 +45,16 @@ Index: fedora-policy/policy/modules/kernel/corecommands.fc /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -391,6 +411,7 @@ ifdef(`distro_debian',` +@@ -324,6 +344,8 @@ ifdef(`distro_gentoo',` + + /usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0) + ++/usr/lib/build/.* -- gen_context(system_u:object_r:bin_t,s0) ++ + /usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0) +@@ -391,6 +413,7 @@ ifdef(`distro_debian',` /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0) ') diff --git a/selinux-policy.changes b/selinux-policy.changes index 90bcaca..0d0a5fa 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Nov 10 08:52:35 UTC 2020 - Johannes Segitz + +- Updated fix_corecommand.patch to set correct types for the OBS + build tools + ------------------------------------------------------------------- Thu Oct 29 08:47:51 UTC 2020 - Thorsten Kukuk From 4ffa4ec7ef71828f1d0fb0df0108e8390d731b9a6d8b827a4a8a53b949fc5314 Mon Sep 17 00:00:00 2001 
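Review bot: The new `/usr/lib/build/.* -- gen_context(system_u:object_r:bin_t,s0)` entry is inserted by hunk context whose nearest header is `ifdef(`distro_gentoo',``; if the neighbouring `/usr/lib/xfce4(/.*)?` line sits inside that conditional, the new entry is inert for the `distro redhat` build this spec selects. Please confirm the entry lands in an unconditional part of corecommands.fc, or move it next to an entry known to be unconditional. Restricting it to regular files with `--` is the right choice, since it labels only the executables as bin_t rather than the directory tree; a comment such as `# OBS build tools` above the line would record what the changes entry says.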
From: Dominique Leuenberger Date: Fri, 15 Jan 2021 18:44:19 +0000 Subject: [PATCH 06/35] Accepting request 862277 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/862277 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=6 --- fedora-policy.20201029.tar.bz2 | 3 --- fedora-policy.20210111.tar.bz2 | 3 +++ fix_iptables.patch | 4 ++-- fix_policykit.patch | 13 ------------- selinux-policy.changes | 8 ++++++++ selinux-policy.spec | 6 ++---- update.sh | 6 ++---- 7 files changed, 17 insertions(+), 26 deletions(-) delete mode 100644 fedora-policy.20201029.tar.bz2 create mode 100644 fedora-policy.20210111.tar.bz2 delete mode 100644 fix_policykit.patch diff --git a/fedora-policy.20201029.tar.bz2 b/fedora-policy.20201029.tar.bz2 deleted file mode 100644 index a5666d7..0000000 --- a/fedora-policy.20201029.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e62dbd68d35cf894627b3d409523de8ea4e57c95c68c5fb20162b02cd57f365a -size 716344 diff --git a/fedora-policy.20210111.tar.bz2 b/fedora-policy.20210111.tar.bz2 new file mode 100644 index 0000000..3c7fc75 --- /dev/null +++ b/fedora-policy.20210111.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6b79293eb39ccccb68464902cae1a2665522dee82c70323d58e78fca05a1ee8b +size 717105 diff --git a/fix_iptables.patch b/fix_iptables.patch index 5100015..1e1b45f 100644 --- a/fix_iptables.patch +++ b/fix_iptables.patch 
@@ -2,8 +2,8 @@ Index: fedora-policy/policy/modules/system/iptables.te =================================================================== --- fedora-policy.orig/policy/modules/system/iptables.te 2020-02-19 09:36:25.440182406 +0000 +++ fedora-policy/policy/modules/system/iptables.te 2020-02-21 12:19:23.060595602 +0000 -@@ -76,6 +76,7 @@ kernel_read_kernel_sysctls(iptables_t) - kernel_read_usermodehelper_state(iptables_t) +@@ -76,6 +76,7 @@ kernel_read_network_state(iptables_t) + kernel_read_kernel_sysctls(iptables_t) kernel_use_fds(iptables_t) kernel_rw_net_sysctls(iptables_t) +kernel_rw_pipes(iptables_t) diff --git a/fix_policykit.patch b/fix_policykit.patch deleted file mode 100644 index 1ce0185..0000000 --- a/fix_policykit.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: fedora-policy/policy/modules/contrib/policykit.te -=================================================================== ---- fedora-policy.orig/policy/modules/contrib/policykit.te 2020-02-21 13:28:23.080385220 +0000 -+++ fedora-policy/policy/modules/contrib/policykit.te 2020-02-21 13:31:09.023086041 +0000 -@@ -98,6 +98,8 @@ userdom_getattr_all_users(policykit_t) - userdom_read_all_users_state(policykit_t) - userdom_dontaudit_search_admin_dir(policykit_t) - -+policykit_dbus_chat(policykit_t) -+ - optional_policy(` - dbus_system_domain(policykit_t, policykit_exec_t) - diff --git a/selinux-policy.changes b/selinux-policy.changes index 0d0a5fa..e2f5648 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon Jan 11 09:29:18 UTC 2021 - Thorsten Kukuk + +- Update to version 20210111 + - Drop fix_policykit.patch (integrated upstream) + - Adjust fix_iptables.patch + - update container policy + ------------------------------------------------------------------- Tue Nov 10 08:52:35 UTC 2020 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index 394776c..71d3648 100644 
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,7 +1,7 @@ # # spec file for package selinux-policy # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -33,7 +33,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20201029 +Version: 20210111 Release: 0 Source: fedora-policy.%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc @@ -96,7 +96,6 @@ Patch011: fix_xserver.patch Patch012: fix_miscfiles.patch Patch013: fix_init.patch Patch014: fix_locallogin.patch -Patch015: fix_policykit.patch Patch016: fix_iptables.patch Patch017: fix_irqbalance.patch Patch018: fix_ntp.patch @@ -400,7 +399,6 @@ exit 0 %patch012 -p1 %patch013 -p1 %patch014 -p1 -%patch015 -p1 %patch016 -p1 %patch017 -p1 %patch018 -p1 diff --git a/update.sh b/update.sh index b08321d..7af332b 100644 --- a/update.sh +++ b/update.sh @@ -4,21 +4,19 @@ date=$(date '+%Y%m%d') echo Update to $date -rm -rf fedora-policy container-selinux selinux-policy-contrib +rm -rf fedora-policy container-selinux git clone --depth 1 https://github.com/fedora-selinux/selinux-policy.git -git clone --depth 1 https://github.com/fedora-selinux/selinux-policy-contrib.git git clone --depth 1 https://github.com/containers/container-selinux.git mv selinux-policy fedora-policy rm -rf fedora-policy/.git* -mv selinux-policy-contrib/* fedora-policy/policy/modules/contrib/ mv container-selinux/container.* fedora-policy/policy/modules/contrib/ rm -f fedora-policy.$date.tar* tar cf fedora-policy.$date.tar fedora-policy bzip2 fedora-policy.$date.tar -rm -rf fedora-policy container-selinux selinux-policy-contrib +rm -rf fedora-policy container-selinux sed -i -e "s/^Version:.*/Version: $date/" selinux-policy.spec From 2deb9860fade94d372eddc586842b5bc986c5b79bf985729db59acc0f4b39d63 Mon Sep 17 00:00:00 2001 
From: Richard Brown Date: Tue, 2 Mar 2021 11:27:42 +0000 Subject: [PATCH 07/35] Accepting request 874853 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/874853 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=7 --- fedora-policy-20210223.tar.bz2 | 3 ++ fedora-policy.20210111.tar.bz2 | 3 -- fix_init.patch | 60 ++++++++++++++++++++-------------- selinux-policy.changes | 8 +++++ selinux-policy.spec | 6 ++-- update.sh | 14 ++++---- 6 files changed, 56 insertions(+), 38 deletions(-) create mode 100644 fedora-policy-20210223.tar.bz2 delete mode 100644 fedora-policy.20210111.tar.bz2 diff --git a/fedora-policy-20210223.tar.bz2 b/fedora-policy-20210223.tar.bz2 new file mode 100644 index 0000000..d7b2014 --- /dev/null +++ b/fedora-policy-20210223.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:516f56e5a18c26d521edd8046ce05f9b7ce4fc3a3fcd365613fead98355ed70d +size 720664 diff --git a/fedora-policy.20210111.tar.bz2 b/fedora-policy.20210111.tar.bz2 deleted file mode 100644 index 3c7fc75..0000000 --- a/fedora-policy.20210111.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6b79293eb39ccccb68464902cae1a2665522dee82c70323d58e78fca05a1ee8b -size 717105 diff --git a/fix_init.patch b/fix_init.patch index ffbff36..f5e5d71 100644 --- a/fix_init.patch +++ b/fix_init.patch 
@@ -1,8 +1,16 @@ -Index: fedora-policy/policy/modules/system/init.te -=================================================================== ---- fedora-policy.orig/policy/modules/system/init.te -+++ fedora-policy/policy/modules/system/init.te -@@ -257,6 +257,7 @@ corecmd_exec_bin(init_t) +--- fedora-policy/policy/modules/system/init.if 2021-02-23 14:51:08.683163653 +0100 ++++ fedora-policy/policy/modules/system/init.if 2021-02-23 15:04:46.397087937 +0100 +@@ -3242,6 +3242,7 @@ + files_etc_filetrans($1, machineid_t, file, "machine-id" ) + files_pid_filetrans($1, initctl_t, fifo_file, "fifo" ) + init_pid_filetrans($1, systemd_unit_file_t, dir, "generator") ++ init_pid_filetrans($1, systemd_unit_file_t, dir, "generator.late") + init_pid_filetrans($1, systemd_unit_file_t, dir, "system") + ') + +--- fedora-policy/policy/modules/system/init.te 2021-02-23 14:51:08.683163653 +0100 ++++ fedora-policy/policy/modules/system/init.te 2021-02-23 15:06:10.293290652 +0100 +@@ -262,6 +262,7 @@ corenet_all_recvfrom_netlabel(init_t) corenet_tcp_bind_all_ports(init_t) corenet_udp_bind_all_ports(init_t) @@ -10,7 +18,7 @@ Index: fedora-policy/policy/modules/system/init.te dev_create_all_files(init_t) dev_create_all_chr_files(init_t) -@@ -378,6 +379,7 @@ logging_manage_audit_config(init_t) +@@ -388,6 +389,7 @@ logging_create_syslog_netlink_audit_socket(init_t) logging_write_var_log_dirs(init_t) logging_manage_var_log_symlinks(init_t) 
@@ -18,23 +26,24 @@ Index: fedora-policy/policy/modules/system/init.te seutil_read_config(init_t) seutil_read_login_config(init_t) -@@ -427,10 +429,15 @@ ifdef(`distro_redhat',` +@@ -437,11 +439,16 @@ corecmd_shell_domtrans(init_t, initrc_t) storage_raw_rw_fixed_disk(init_t) +storage_raw_read_removable_device(init_t) sysnet_read_dhcpc_state(init_t) + sysnet_watch_config(init_t) optional_policy(` -+ networkmanager_initrc_read_lnk_files(init_t) ++ networkmanager_initrc_read_lnk_files(init_t) +') + +optional_policy(` bootloader_domtrans(init_t) ') -@@ -544,7 +551,7 @@ tunable_policy(`init_create_dirs',` +@@ -555,10 +562,10 @@ allow init_t self:system all_system_perms; allow init_t self:system module_load; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -42,8 +51,12 @@ Index: fedora-policy/policy/modules/system/init.te +allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec execmem }; allow init_t self:process { getcap setcap }; allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom }; - allow init_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -606,6 +613,7 @@ files_delete_all_spool_sockets(init_t) +-allow init_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow init_t self:netlink_kobject_uevent_socket create_socket_perms; + allow init_t self:netlink_selinux_socket create_socket_perms; + allow init_t self:unix_dgram_socket lock; + # Until systemd is fixed +@@ -616,6 +623,7 @@ files_create_var_lib_dirs(init_t) files_create_var_lib_symlinks(init_t) files_read_var_lib_symlinks(init_t) 
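Review bot: The refreshed fix_init.patch now carries a `-`/`+` pair for `allow init_t self:netlink_kobject_uevent_socket create_socket_perms;` whose two sides read identically here, so the change appears to be whitespace only; the same holds for the `fs_rw_tmpfs_files(init_t)` pair in the next hunk of this section. Such no-op lines enlarge a distro patch, obscure the real policy additions (`execmem`, `storage_raw_read_removable_device`) for anyone auditing what the policy grants, and make the next rebase conflict-prone — regenerate the patch without them. The new header style, with identical paths and timestamps on the `---`/`+++` lines and no function context after `@@`, also differs from the `Index:`/`.orig` form the other patches in this package use.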
@@ -51,7 +64,16 @@ Index: fedora-policy/policy/modules/system/init.te files_manage_urandom_seed(init_t) files_list_locks(init_t) files_list_spool(init_t) -@@ -698,6 +706,7 @@ systemd_write_inherited_logind_sessions_ +@@ -652,7 +660,7 @@ + fs_list_auto_mountpoints(init_t) + fs_register_binary_executable_type(init_t) + fs_relabel_tmpfs_sock_file(init_t) +-fs_rw_tmpfs_files(init_t) ++fs_rw_tmpfs_files(init_t) + fs_relabel_cgroup_dirs(init_t) + fs_search_cgroup_dirs(init_t) + # for network namespaces +@@ -708,6 +716,7 @@ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) create_dirs_pattern(init_t, var_log_t, var_log_t) @@ -59,7 +81,7 @@ Index: fedora-policy/policy/modules/system/init.te auth_use_nsswitch(init_t) auth_rw_login_records(init_t) -@@ -1543,6 +1552,8 @@ optional_policy(` +@@ -1561,6 +1570,8 @@ optional_policy(` postfix_list_spool(initrc_t) @@ -68,15 +90,3 @@ Index: fedora-policy/policy/modules/system/init.te ') optional_policy(` -Index: fedora-policy/policy/modules/system/init.if -=================================================================== ---- fedora-policy.orig/policy/modules/system/init.if -+++ fedora-policy/policy/modules/system/init.if -@@ -3205,6 +3205,7 @@ interface(`init_filetrans_named_content' - files_etc_filetrans($1, machineid_t, file, "machine-id" ) - files_pid_filetrans($1, initctl_t, fifo_file, "fifo" ) - init_pid_filetrans($1, systemd_unit_file_t, dir, "generator") -+ init_pid_filetrans($1, systemd_unit_file_t, dir, "generator.late") - init_pid_filetrans($1, systemd_unit_file_t, dir, "system") - ') - diff --git a/selinux-policy.changes b/selinux-policy.changes index e2f5648..657ce88 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Feb 23 13:53:40 UTC 2021 - Thorsten Kukuk + +- Update to version 20210223 +- Change name of tar file to a more common schema to allow + parallel installation of several source versions +- Adjust fix_init.patch + ------------------------------------------------------------------- Mon Jan 11 09:29:18 UTC 2021 - Thorsten Kukuk diff --git a/selinux-policy.spec b/selinux-policy.spec index 71d3648..24f141a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -33,9 +33,9 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20210111 +Version: 20210223 Release: 0 -Source: fedora-policy.%{version}.tar.bz2 +Source: fedora-policy-%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc Source10: modules-targeted-base.conf @@ -384,7 +384,7 @@ fi; exit 0 %prep -%setup -n fedora-policy +%setup -n fedora-policy-%{version} %patch001 -p1 %patch002 -p1 %patch003 -p1 diff --git a/update.sh b/update.sh index 7af332b..a2790b1 100644 --- a/update.sh +++ b/update.sh 
@@ -9,14 +9,14 @@ rm -rf fedora-policy container-selinux git clone --depth 1 https://github.com/fedora-selinux/selinux-policy.git git clone --depth 1 https://github.com/containers/container-selinux.git -mv selinux-policy fedora-policy -rm -rf fedora-policy/.git* -mv container-selinux/container.* fedora-policy/policy/modules/contrib/ +mv selinux-policy fedora-policy-$date +rm -rf fedora-policy-$date/.git* +mv container-selinux/container.* fedora-policy-$date/policy/modules/contrib/ -rm -f fedora-policy.$date.tar* -tar cf fedora-policy.$date.tar fedora-policy -bzip2 fedora-policy.$date.tar -rm -rf fedora-policy container-selinux +rm -f fedora-policy?$date.tar* +tar cf fedora-policy-$date.tar fedora-policy-$date +bzip2 fedora-policy-$date.tar +rm -rf fedora-policy-$date container-selinux sed -i -e "s/^Version:.*/Version: $date/" selinux-policy.spec From b3cf18cf4db09bf843a3b1a459b35eea0255fe5df483ab60107d3de5dc771139 Mon Sep 17 00:00:00 2001 
From: Dominique Leuenberger Date: Wed, 24 Mar 2021 15:08:51 +0000 Subject: [PATCH 08/35] Accepting request 878582 from security:SELinux big toolchain update, please stage together. so versions change, so this has high potential to break stuff. Probably best to stage it isolated OBS-URL: https://build.opensuse.org/request/show/878582 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=8 --- fedora-policy-20210223.tar.bz2 | 3 --- fedora-policy-20210309.tar.bz2 | 3 +++ file_contexts.subs_dist | 1 + fix_chronyd.patch | 14 +++++++------- fix_cron.patch | 14 +++++++------- fix_hadoop.patch | 14 +++++++------- fix_init.patch | 31 ++++++++++++++++++------------- fix_iptables.patch | 8 ++++---- fix_logging.patch | 14 +++++++------- fix_networkmanager.patch | 16 ++++++++-------- fix_nscd.patch | 14 +++++++------- fix_rpm.patch | 24 ++++++++++++------------ fix_selinuxutil.patch | 14 +++++++------- fix_systemd.patch | 12 ++++++------ fix_unconfineduser.patch | 12 ++++++------ fix_unprivuser.patch | 8 ++++---- fix_usermanage.patch | 10 +++++----- selinux-policy.changes | 27 +++++++++++++++++++++++++++ selinux-policy.spec | 2 +- 19 files changed, 137 insertions(+), 104 deletions(-) delete mode 100644 fedora-policy-20210223.tar.bz2 create mode 100644 fedora-policy-20210309.tar.bz2 diff --git a/fedora-policy-20210223.tar.bz2 b/fedora-policy-20210223.tar.bz2 deleted file mode 100644 index d7b2014..0000000 --- a/fedora-policy-20210223.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:516f56e5a18c26d521edd8046ce05f9b7ce4fc3a3fcd365613fead98355ed70d -size 720664 diff --git a/fedora-policy-20210309.tar.bz2 b/fedora-policy-20210309.tar.bz2 new file mode 100644 index 0000000..73d6e7d --- /dev/null +++ b/fedora-policy-20210309.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1be28f48aa50cfd99922a255ed86a9878f721b502882b1843608c8d3a6cc3181 +size 720666 
diff --git a/file_contexts.subs_dist b/file_contexts.subs_dist index 767073d..beaff36 100644 --- a/file_contexts.subs_dist +++ b/file_contexts.subs_dist @@ -14,3 +14,4 @@ /var/run/netconfig /etc /var/adm/netconfig/md5/etc /etc /var/adm/netconfig/md5/var /var +/usr/etc /etc diff --git a/fix_chronyd.patch b/fix_chronyd.patch index 5521738..e67a7cb 100644 --- a/fix_chronyd.patch +++ b/fix_chronyd.patch @@ -1,8 +1,8 @@ -Index: fedora-policy/policy/modules/contrib/chronyd.te +Index: fedora-policy-20210309/policy/modules/contrib/chronyd.te =================================================================== ---- fedora-policy.orig/policy/modules/contrib/chronyd.te -+++ fedora-policy/policy/modules/contrib/chronyd.te -@@ -136,6 +136,14 @@ systemd_exec_systemctl(chronyd_t) +--- fedora-policy-20210309.orig/policy/modules/contrib/chronyd.te ++++ fedora-policy-20210309/policy/modules/contrib/chronyd.te +@@ -140,6 +140,14 @@ systemd_exec_systemctl(chronyd_t) userdom_dgram_send(chronyd_t) optional_policy(` @@ -17,10 +17,10 @@ Index: fedora-policy/policy/modules/contrib/chronyd.te cron_dgram_send(chronyd_t) ') -Index: fedora-policy/policy/modules/contrib/chronyd.fc +Index: fedora-policy-20210309/policy/modules/contrib/chronyd.fc =================================================================== ---- fedora-policy.orig/policy/modules/contrib/chronyd.fc -+++ fedora-policy/policy/modules/contrib/chronyd.fc +--- fedora-policy-20210309.orig/policy/modules/contrib/chronyd.fc ++++ fedora-policy-20210309/policy/modules/contrib/chronyd.fc @@ -6,6 +6,7 @@ /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) diff --git a/fix_cron.patch b/fix_cron.patch index 523bc59..6f6a125 100644 --- a/fix_cron.patch +++ b/fix_cron.patch 
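Review bot: `/usr/etc /etc` lacks any explanation, and a subs_dist entry is a prefix rewrite: every path below /usr/etc is labeled as if it lived under /etc, which includes the security-sensitive types that the /etc rules assign (for example to shadow and the login configuration). Add a comment above the line recording the intent and scope, e.g. `# configuration defaults under /usr/etc get the same labels as /etc (whole subtree)`, if the subs file accepts `#` comment lines as I recall it does. The changes entry for this request should name this file too, since labeling changes of this breadth are what an administrator looks for when relabel results change.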
@@ -1,7 +1,7 @@ -Index: fedora-policy/policy/modules/contrib/cron.fc +Index: fedora-policy-20210309/policy/modules/contrib/cron.fc =================================================================== ---- fedora-policy.orig/policy/modules/contrib/cron.fc -+++ fedora-policy/policy/modules/contrib/cron.fc +--- fedora-policy-20210309.orig/policy/modules/contrib/cron.fc ++++ fedora-policy-20210309/policy/modules/contrib/cron.fc @@ -34,7 +34,7 @@ /var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0) @@ -21,11 +21,11 @@ Index: fedora-policy/policy/modules/contrib/cron.fc -/var/spool/cron/lastrun/[^/]* -- <> -/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -') -Index: fedora-policy/policy/modules/contrib/cron.if +Index: fedora-policy-20210309/policy/modules/contrib/cron.if =================================================================== ---- fedora-policy.orig/policy/modules/contrib/cron.if -+++ fedora-policy/policy/modules/contrib/cron.if -@@ -1031,7 +1031,7 @@ interface(`cron_generic_log_filetrans_lo +--- fedora-policy-20210309.orig/policy/modules/contrib/cron.if ++++ fedora-policy-20210309/policy/modules/contrib/cron.if +@@ -1057,7 +1057,7 @@ interface(`cron_generic_log_filetrans_lo # interface(`cron_system_spool_entrypoint',` gen_require(` diff --git a/fix_hadoop.patch b/fix_hadoop.patch index b679cd8..901327b 100644 --- a/fix_hadoop.patch +++ b/fix_hadoop.patch @@ -1,8 +1,8 @@ -Index: fedora-policy/policy/modules/roles/sysadm.te +Index: fedora-policy-20210309/policy/modules/roles/sysadm.te =================================================================== ---- fedora-policy.orig/policy/modules/roles/sysadm.te -+++ fedora-policy/policy/modules/roles/sysadm.te -@@ -293,10 +293,6 @@ optional_policy(` +--- fedora-policy-20210309.orig/policy/modules/roles/sysadm.te ++++ fedora-policy-20210309/policy/modules/roles/sysadm.te +@@ -298,10 +298,6 @@ optional_policy(` ') optional_policy(` 
@@ -13,10 +13,10 @@ Index: fedora-policy/policy/modules/roles/sysadm.te iotop_run(sysadm_t, sysadm_r) ') -Index: fedora-policy/policy/modules/roles/unprivuser.te +Index: fedora-policy-20210309/policy/modules/roles/unprivuser.te =================================================================== ---- fedora-policy.orig/policy/modules/roles/unprivuser.te -+++ fedora-policy/policy/modules/roles/unprivuser.te +--- fedora-policy-20210309.orig/policy/modules/roles/unprivuser.te ++++ fedora-policy-20210309/policy/modules/roles/unprivuser.te @@ -200,10 +200,6 @@ ifndef(`distro_redhat',` ') diff --git a/fix_init.patch b/fix_init.patch index f5e5d71..83ceac0 100644 --- a/fix_init.patch +++ b/fix_init.patch @@ -1,6 +1,8 @@ ---- fedora-policy/policy/modules/system/init.if 2021-02-23 14:51:08.683163653 +0100 -+++ fedora-policy/policy/modules/system/init.if 2021-02-23 15:04:46.397087937 +0100 -@@ -3242,6 +3242,7 @@ +Index: fedora-policy-20210309/policy/modules/system/init.if +=================================================================== +--- fedora-policy-20210309.orig/policy/modules/system/init.if ++++ fedora-policy-20210309/policy/modules/system/init.if +@@ -3242,6 +3242,7 @@ interface(`init_filetrans_named_content' files_etc_filetrans($1, machineid_t, file, "machine-id" ) files_pid_filetrans($1, initctl_t, fifo_file, "fifo" ) init_pid_filetrans($1, systemd_unit_file_t, dir, "generator") 
@@ -8,17 +10,20 @@ init_pid_filetrans($1, systemd_unit_file_t, dir, "system") ') ---- fedora-policy/policy/modules/system/init.te 2021-02-23 14:51:08.683163653 +0100 -+++ fedora-policy/policy/modules/system/init.te 2021-02-23 15:06:10.293290652 +0100 -@@ -262,6 +262,7 @@ +Index: fedora-policy-20210309/policy/modules/system/init.te +=================================================================== +--- fedora-policy-20210309.orig/policy/modules/system/init.te ++++ fedora-policy-20210309/policy/modules/system/init.te +@@ -262,6 +262,8 @@ corecmd_exec_bin(init_t) corenet_all_recvfrom_netlabel(init_t) corenet_tcp_bind_all_ports(init_t) corenet_udp_bind_all_ports(init_t) +corenet_udp_bind_generic_node(init_t) ++corenet_tcp_bind_generic_node(init_t) dev_create_all_files(init_t) dev_create_all_chr_files(init_t) -@@ -388,6 +389,7 @@ +@@ -390,6 +391,7 @@ logging_manage_audit_config(init_t) logging_create_syslog_netlink_audit_socket(init_t) logging_write_var_log_dirs(init_t) logging_manage_var_log_symlinks(init_t) @@ -26,7 +31,7 @@ seutil_read_config(init_t) seutil_read_login_config(init_t) -@@ -437,11 +439,16 @@ +@@ -439,11 +441,16 @@ ifdef(`distro_redhat',` corecmd_shell_domtrans(init_t, initrc_t) storage_raw_rw_fixed_disk(init_t) @@ -43,7 +48,7 @@ bootloader_domtrans(init_t) ') -@@ -555,10 +562,10 @@ +@@ -557,10 +564,10 @@ tunable_policy(`init_create_dirs',` allow init_t self:system all_system_perms; allow init_t self:system module_load; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -56,7 +61,7 @@ allow init_t self:netlink_selinux_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; # Until systemd is fixed -@@ -616,6 +623,7 @@ +@@ -618,6 +625,7 @@ files_delete_all_spool_sockets(init_t) files_create_var_lib_dirs(init_t) files_create_var_lib_symlinks(init_t) files_read_var_lib_symlinks(init_t) 
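Review bot: The added `+corenet_tcp_bind_generic_node(init_t)` carries no explanation inside fix_init.patch; combined with the `corenet_tcp_bind_all_ports(init_t)` already in context it lets init_t bind TCP listeners on any port and any node, and the only rationale (socket activation via sd-listen on TCP, bsc#1183177) lives in selinux-policy.changes. Add a comment above the two node-binding lines in the nested init.te hunk, e.g. `+# socket units listening on UDP/TCP sockets need generic node binding (bsc#1183177)`, so the reason survives the next refresh of the patch. The enclosing nested hunk for init.te continues beyond this outer hunk, so the remaining offset bumps are not visible here.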
@@ -64,7 +69,7 @@ files_manage_urandom_seed(init_t) files_list_locks(init_t) files_list_spool(init_t) -@@ -652,7 +660,7 @@ +@@ -654,7 +662,7 @@ fs_list_all(init_t) fs_list_auto_mountpoints(init_t) fs_register_binary_executable_type(init_t) fs_relabel_tmpfs_sock_file(init_t) @@ -73,7 +78,7 @@ fs_relabel_cgroup_dirs(init_t) fs_search_cgroup_dirs(init_t) # for network namespaces -@@ -708,6 +716,7 @@ +@@ -710,6 +718,7 @@ systemd_write_inherited_logind_sessions_ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) create_dirs_pattern(init_t, var_log_t, var_log_t) @@ -81,7 +86,7 @@ auth_use_nsswitch(init_t) auth_rw_login_records(init_t) -@@ -1561,6 +1570,8 @@ +@@ -1563,6 +1572,8 @@ optional_policy(` optional_policy(` postfix_list_spool(initrc_t) diff --git a/fix_iptables.patch b/fix_iptables.patch index 1e1b45f..6c71cb9 100644 --- a/fix_iptables.patch +++ b/fix_iptables.patch @@ -1,8 +1,8 @@ -Index: fedora-policy/policy/modules/system/iptables.te +Index: fedora-policy-20210309/policy/modules/system/iptables.te =================================================================== ---- fedora-policy.orig/policy/modules/system/iptables.te 2020-02-19 09:36:25.440182406 +0000 -+++ fedora-policy/policy/modules/system/iptables.te 2020-02-21 12:19:23.060595602 +0000 -@@ -76,6 +76,7 @@ kernel_read_network_state(iptables_t) +--- fedora-policy-20210309.orig/policy/modules/system/iptables.te ++++ fedora-policy-20210309/policy/modules/system/iptables.te +@@ -74,6 +74,7 @@ kernel_read_network_state(iptables_t) kernel_read_kernel_sysctls(iptables_t) kernel_use_fds(iptables_t) kernel_rw_net_sysctls(iptables_t) diff --git a/fix_logging.patch b/fix_logging.patch index 95c45a7..9014ac6 100644 --- a/fix_logging.patch +++ b/fix_logging.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy/policy/modules/system/logging.fc +Index: fedora-policy-20210309/policy/modules/system/logging.fc =================================================================== ---- fedora-policy.orig/policy/modules/system/logging.fc -+++ fedora-policy/policy/modules/system/logging.fc +--- fedora-policy-20210309.orig/policy/modules/system/logging.fc ++++ fedora-policy-20210309/policy/modules/system/logging.fc @@ -3,6 +3,8 @@ /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) @@ -19,11 +19,11 @@ Index: fedora-policy/policy/modules/system/logging.fc /var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) -Index: fedora-policy/policy/modules/system/logging.if +Index: fedora-policy-20210309/policy/modules/system/logging.if =================================================================== ---- fedora-policy.orig/policy/modules/system/logging.if -+++ fedora-policy/policy/modules/system/logging.if -@@ -1686,3 +1686,22 @@ interface(`logging_dgram_send',` +--- fedora-policy-20210309.orig/policy/modules/system/logging.if ++++ fedora-policy-20210309/policy/modules/system/logging.if +@@ -1722,3 +1722,22 @@ interface(`logging_dgram_send',` allow $1 syslogd_t:unix_dgram_socket sendto; ') diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch index 40b77db..6111ead 100644 --- a/fix_networkmanager.patch +++ b/fix_networkmanager.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy/policy/modules/contrib/networkmanager.te +Index: fedora-policy-20210309/policy/modules/contrib/networkmanager.te =================================================================== ---- fedora-policy.orig/policy/modules/contrib/networkmanager.te -+++ fedora-policy/policy/modules/contrib/networkmanager.te -@@ -236,6 +236,9 @@ userdom_read_home_certs(NetworkManager_t +--- fedora-policy-20210309.orig/policy/modules/contrib/networkmanager.te ++++ fedora-policy-20210309/policy/modules/contrib/networkmanager.te +@@ -241,6 +241,9 @@ userdom_read_home_certs(NetworkManager_t userdom_read_user_home_content_files(NetworkManager_t) userdom_dgram_send(NetworkManager_t) @@ -12,7 +12,7 @@ Index: fedora-policy/policy/modules/contrib/networkmanager.te tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(NetworkManager_t) ') -@@ -253,6 +256,14 @@ optional_policy(` +@@ -258,6 +261,14 @@ optional_policy(` ') optional_policy(` @@ -27,10 +27,10 @@ Index: fedora-policy/policy/modules/contrib/networkmanager.te bind_domtrans(NetworkManager_t) bind_manage_cache(NetworkManager_t) bind_kill(NetworkManager_t) -Index: fedora-policy/policy/modules/contrib/networkmanager.if +Index: fedora-policy-20210309/policy/modules/contrib/networkmanager.if =================================================================== ---- fedora-policy.orig/policy/modules/contrib/networkmanager.if -+++ fedora-policy/policy/modules/contrib/networkmanager.if +--- fedora-policy-20210309.orig/policy/modules/contrib/networkmanager.if ++++ fedora-policy-20210309/policy/modules/contrib/networkmanager.if @@ -114,6 +114,24 @@ interface(`networkmanager_initrc_domtran init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ') diff --git a/fix_nscd.patch b/fix_nscd.patch index 1bea723..2f35b73 100644 --- a/fix_nscd.patch +++ b/fix_nscd.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy/policy/modules/contrib/nscd.fc +Index: fedora-policy-20210309/policy/modules/contrib/nscd.fc =================================================================== ---- fedora-policy.orig/policy/modules/contrib/nscd.fc -+++ fedora-policy/policy/modules/contrib/nscd.fc +--- fedora-policy-20210309.orig/policy/modules/contrib/nscd.fc ++++ fedora-policy-20210309/policy/modules/contrib/nscd.fc @@ -8,8 +8,10 @@ /var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0) @@ -14,11 +14,11 @@ Index: fedora-policy/policy/modules/contrib/nscd.fc /usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0) + -Index: fedora-policy/policy/modules/contrib/nscd.te +Index: fedora-policy-20210309/policy/modules/contrib/nscd.te =================================================================== ---- fedora-policy.orig/policy/modules/contrib/nscd.te -+++ fedora-policy/policy/modules/contrib/nscd.te -@@ -127,6 +127,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns +--- fedora-policy-20210309.orig/policy/modules/contrib/nscd.te ++++ fedora-policy-20210309/policy/modules/contrib/nscd.te +@@ -131,6 +131,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns userdom_dontaudit_search_user_home_dirs(nscd_t) optional_policy(` diff --git a/fix_rpm.patch b/fix_rpm.patch index 6dc895d..0545aa8 100644 --- a/fix_rpm.patch +++ b/fix_rpm.patch @@ -1,8 +1,8 @@ -Index: fedora-policy/policy/modules/contrib/rpm.fc +Index: fedora-policy-20210309/policy/modules/contrib/rpm.fc =================================================================== ---- fedora-policy.orig/policy/modules/contrib/rpm.fc -+++ fedora-policy/policy/modules/contrib/rpm.fc -@@ -17,6 +17,10 @@ +--- fedora-policy-20210309.orig/policy/modules/contrib/rpm.fc ++++ fedora-policy-20210309/policy/modules/contrib/rpm.fc +@@ -18,6 +18,10 @@ /usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) 
@@ -13,7 +13,7 @@ Index: fedora-policy/policy/modules/contrib/rpm.fc /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0) -@@ -54,6 +58,8 @@ ifdef(`distro_redhat', ` +@@ -55,6 +59,8 @@ ifdef(`distro_redhat', ` /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) @@ -22,11 +22,11 @@ Index: fedora-policy/policy/modules/contrib/rpm.fc /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -Index: fedora-policy/policy/modules/contrib/rpm.if +Index: fedora-policy-20210309/policy/modules/contrib/rpm.if =================================================================== ---- fedora-policy.orig/policy/modules/contrib/rpm.if -+++ fedora-policy/policy/modules/contrib/rpm.if -@@ -431,8 +431,10 @@ interface(`rpm_named_filetrans',` +--- fedora-policy-20210309.orig/policy/modules/contrib/rpm.if ++++ fedora-policy-20210309/policy/modules/contrib/rpm.if +@@ -476,8 +476,10 @@ interface(`rpm_named_filetrans',` logging_log_named_filetrans($1, rpm_log_t, file, "yum.log") logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log") logging_log_named_filetrans($1, rpm_log_t, file, "up2date") 
@@ -37,10 +37,10 @@ Index: fedora-policy/policy/modules/contrib/rpm.if files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf") files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum") files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm") -Index: fedora-policy/policy/modules/kernel/files.fc +Index: fedora-policy-20210309/policy/modules/kernel/files.fc =================================================================== ---- fedora-policy.orig/policy/modules/kernel/files.fc -+++ fedora-policy/policy/modules/kernel/files.fc +--- fedora-policy-20210309.orig/policy/modules/kernel/files.fc ++++ fedora-policy-20210309/policy/modules/kernel/files.fc @@ -67,6 +67,7 @@ ifdef(`distro_suse',` /etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) diff --git a/fix_selinuxutil.patch b/fix_selinuxutil.patch index 41024ad..831ee7c 100644 --- a/fix_selinuxutil.patch +++ b/fix_selinuxutil.patch @@ -1,7 +1,7 @@ -Index: fedora-policy/policy/modules/system/selinuxutil.te +Index: fedora-policy-20210309/policy/modules/system/selinuxutil.te =================================================================== ---- fedora-policy.orig/policy/modules/system/selinuxutil.te 2020-02-19 09:36:25.444182470 +0000 -+++ fedora-policy/policy/modules/system/selinuxutil.te 2020-02-24 07:57:26.556813139 +0000 +--- fedora-policy-20210309.orig/policy/modules/system/selinuxutil.te ++++ fedora-policy-20210309/policy/modules/system/selinuxutil.te @@ -238,6 +238,10 @@ ifdef(`hide_broken_symptoms',` ') @@ -13,7 +13,7 @@ Index: fedora-policy/policy/modules/system/selinuxutil.te portage_dontaudit_use_fds(load_policy_t) ') -@@ -613,6 +617,10 @@ logging_send_audit_msgs(setfiles_t) +@@ -619,6 +623,10 @@ logging_send_audit_msgs(setfiles_t) logging_send_syslog_msg(setfiles_t) optional_policy(` 
@@ -24,10 +24,10 @@ Index: fedora-policy/policy/modules/system/selinuxutil.te cloudform_dontaudit_write_cloud_log(setfiles_t) ') -Index: fedora-policy/policy/modules/system/selinuxutil.if +Index: fedora-policy-20210309/policy/modules/system/selinuxutil.if =================================================================== ---- fedora-policy.orig/policy/modules/system/selinuxutil.if -+++ fedora-policy/policy/modules/system/selinuxutil.if +--- fedora-policy-20210309.orig/policy/modules/system/selinuxutil.if ++++ fedora-policy-20210309/policy/modules/system/selinuxutil.if @@ -777,6 +777,8 @@ interface(`seutil_dontaudit_read_config' dontaudit $1 selinux_config_t:dir search_dir_perms; diff --git a/fix_systemd.patch b/fix_systemd.patch index 75fe45b..cd39f53 100644 --- a/fix_systemd.patch +++ b/fix_systemd.patch @@ -1,8 +1,8 @@ -Index: fedora-policy/policy/modules/system/systemd.te +Index: fedora-policy-20210309/policy/modules/system/systemd.te =================================================================== ---- fedora-policy.orig/policy/modules/system/systemd.te -+++ fedora-policy/policy/modules/system/systemd.te -@@ -332,6 +332,10 @@ userdom_manage_user_tmp_chr_files(system +--- fedora-policy-20210309.orig/policy/modules/system/systemd.te ++++ fedora-policy-20210309/policy/modules/system/systemd.te +@@ -347,6 +347,10 @@ userdom_manage_user_tmp_chr_files(system xserver_dbus_chat(systemd_logind_t) optional_policy(` @@ -13,8 +13,8 @@ Index: fedora-policy/policy/modules/system/systemd.te apache_read_tmp_files(systemd_logind_t) ') -@@ -828,6 +832,10 @@ optional_policy(` - dbus_connect_system_bus(systemd_hostnamed_t) +@@ -853,6 +857,10 @@ optional_policy(` + udev_read_pid_files(systemd_hostnamed_t) ') +optional_policy(` diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch index 36ae7e1..2ab2e84 100644 --- a/fix_unconfineduser.patch +++ b/fix_unconfineduser.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy/policy/modules/roles/unconfineduser.te +Index: fedora-policy-20210309/policy/modules/roles/unconfineduser.te =================================================================== ---- fedora-policy.orig/policy/modules/roles/unconfineduser.te -+++ fedora-policy/policy/modules/roles/unconfineduser.te -@@ -120,6 +120,11 @@ tunable_policy(`unconfined_dyntrans_all' +--- fedora-policy-20210309.orig/policy/modules/roles/unconfineduser.te ++++ fedora-policy-20210309/policy/modules/roles/unconfineduser.te +@@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all' domain_dyntrans(unconfined_t) ') @@ -14,7 +14,7 @@ Index: fedora-policy/policy/modules/roles/unconfineduser.te optional_policy(` gen_require(` type unconfined_t; -@@ -210,6 +215,10 @@ optional_policy(` +@@ -214,6 +219,10 @@ optional_policy(` ') optional_policy(` @@ -25,7 +25,7 @@ Index: fedora-policy/policy/modules/roles/unconfineduser.te chrome_role_notrans(unconfined_r, unconfined_t) tunable_policy(`unconfined_chrome_sandbox_transition',` -@@ -244,6 +253,18 @@ optional_policy(` +@@ -248,6 +257,18 @@ optional_policy(` dbus_stub(unconfined_t) optional_policy(` diff --git a/fix_unprivuser.patch b/fix_unprivuser.patch index 28f2e24..4db22cf 100644 --- a/fix_unprivuser.patch +++ b/fix_unprivuser.patch @@ -1,8 +1,8 @@ -Index: fedora-policy/policy/modules/roles/unprivuser.te +Index: fedora-policy-20210309/policy/modules/roles/unprivuser.te =================================================================== ---- fedora-policy.orig/policy/modules/roles/unprivuser.te -+++ fedora-policy/policy/modules/roles/unprivuser.te -@@ -289,6 +289,13 @@ ifndef(`distro_redhat',` +--- fedora-policy-20210309.orig/policy/modules/roles/unprivuser.te ++++ fedora-policy-20210309/policy/modules/roles/unprivuser.te +@@ -282,6 +282,13 @@ ifndef(`distro_redhat',` ') optional_policy(` diff --git a/fix_usermanage.patch b/fix_usermanage.patch index 7327373..391cc2f 100644 --- a/fix_usermanage.patch 
+++ b/fix_usermanage.patch @@ -1,7 +1,7 @@ -Index: fedora-policy/policy/modules/admin/usermanage.te +Index: fedora-policy-20210309/policy/modules/admin/usermanage.te =================================================================== ---- fedora-policy.orig/policy/modules/admin/usermanage.te -+++ fedora-policy/policy/modules/admin/usermanage.te +--- fedora-policy-20210309.orig/policy/modules/admin/usermanage.te ++++ fedora-policy-20210309/policy/modules/admin/usermanage.te @@ -226,6 +226,7 @@ allow groupadd_t self:unix_dgram_socket allow groupadd_t self:unix_stream_socket create_stream_socket_perms; allow groupadd_t self:unix_dgram_socket sendto; @@ -10,7 +10,7 @@ Index: fedora-policy/policy/modules/admin/usermanage.te fs_getattr_xattr_fs(groupadd_t) fs_search_auto_mountpoints(groupadd_t) -@@ -530,6 +531,7 @@ allow useradd_t self:unix_dgram_socket c +@@ -529,6 +530,7 @@ allow useradd_t self:unix_dgram_socket c allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -18,7 +18,7 @@ Index: fedora-policy/policy/modules/admin/usermanage.te manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) -@@ -538,6 +540,8 @@ files_pid_filetrans(useradd_t, useradd_v +@@ -537,6 +539,8 @@ files_pid_filetrans(useradd_t, useradd_v # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) diff --git a/selinux-policy.changes b/selinux-policy.changes index 657ce88..fa2ba64 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
@@ -1,3 +1,30 @@ +------------------------------------------------------------------- +Fri Mar 12 10:36:06 UTC 2021 - Ales Kedroutek + +- Adjust fix_init.patch to allow systemd to do sd-listen on + tcp socket [bsc#1183177] + +------------------------------------------------------------------- +Tue Mar 9 13:39:11 UTC 2021 - Johannes Segitz + +- Update to version 20210309 +- Refreshed + * fix_systemd.patch + * fix_selinuxutil.patch + * fix_iptables.patch + * fix_init.patch + * fix_logging.patch + * fix_nscd.patch + * fix_hadoop.patch + * fix_unconfineduser.patch + * fix_chronyd.patch + * fix_networkmanager.patch + * fix_cron.patch + * fix_usermanage.patch + * fix_unprivuser.patch + * fix_rpm.patch +- Ensure that /usr/etc is labeled according to /etc rules + ------------------------------------------------------------------- Tue Feb 23 13:53:40 UTC 2021 - Thorsten Kukuk diff --git a/selinux-policy.spec b/selinux-policy.spec index 24f141a..0e9359b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -33,7 +33,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20210223 +Version: 20210309 Release: 0 Source: fedora-policy-%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc From 46cba05af65607cb7cbda88599c7081d16d489272ffb60bdbf45abf8231d1246 Mon Sep 17 00:00:00 2001 
From: Dominique Leuenberger Date: Thu, 22 Apr 2021 16:03:46 +0000 Subject: [PATCH 09/35] Accepting request 886701 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/886701 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=9 --- fedora-policy-20210309.tar.bz2 | 3 --- fedora-policy-20210419.tar.bz2 | 3 +++ fix_dbus.patch | 8 ++++---- fix_hadoop.patch | 14 +++++++------- fix_init.patch | 28 ++++++++++++++-------------- fix_unprivuser.patch | 8 ++++---- selinux-policy.changes | 10 ++++++++++ selinux-policy.spec | 2 +- 8 files changed, 43 insertions(+), 33 deletions(-) delete mode 100644 fedora-policy-20210309.tar.bz2 create mode 100644 fedora-policy-20210419.tar.bz2 diff --git a/fedora-policy-20210309.tar.bz2 b/fedora-policy-20210309.tar.bz2 deleted file mode 100644 index 73d6e7d..0000000 --- a/fedora-policy-20210309.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:1be28f48aa50cfd99922a255ed86a9878f721b502882b1843608c8d3a6cc3181 -size 720666 diff --git a/fedora-policy-20210419.tar.bz2 b/fedora-policy-20210419.tar.bz2 new file mode 100644 index 0000000..549e8d7 --- /dev/null +++ b/fedora-policy-20210419.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ad36b63becbe4fb8a7ac5597b58360c8ebaf7f15ec6681d3170ec16dc2e7a650 +size 721823 diff --git a/fix_dbus.patch b/fix_dbus.patch index 0387af9..3a50979 100644 --- a/fix_dbus.patch +++ b/fix_dbus.patch 
@@ -1,11 +1,11 @@ -Index: fedora-policy/policy/modules/contrib/dbus.te +Index: fedora-policy-20210419/policy/modules/contrib/dbus.te =================================================================== ---- fedora-policy.orig/policy/modules/contrib/dbus.te 2020-02-25 08:22:02.846623845 +0000 -+++ fedora-policy/policy/modules/contrib/dbus.te 2020-02-25 08:22:31.991108418 +0000 +--- fedora-policy-20210419.orig/policy/modules/contrib/dbus.te ++++ fedora-policy-20210419/policy/modules/contrib/dbus.te @@ -80,6 +80,7 @@ read_lnk_files_pattern(system_dbusd_t, d manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) - files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) + files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file sock_file }) +allow system_dbusd_t system_dbusd_tmp_t:file execute; manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t) diff --git a/fix_hadoop.patch b/fix_hadoop.patch index 901327b..0a8ee6c 100644 --- a/fix_hadoop.patch +++ b/fix_hadoop.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20210309/policy/modules/roles/sysadm.te +Index: fedora-policy-20210419/policy/modules/roles/sysadm.te =================================================================== ---- fedora-policy-20210309.orig/policy/modules/roles/sysadm.te -+++ fedora-policy-20210309/policy/modules/roles/sysadm.te +--- fedora-policy-20210419.orig/policy/modules/roles/sysadm.te ++++ fedora-policy-20210419/policy/modules/roles/sysadm.te @@ -298,10 +298,6 @@ optional_policy(` ') 
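Review bot: The rule `allow system_dbusd_t system_dbusd_tmp_t:file execute;` that this refresh carries forward on the new side still has no comment naming which dbus helper needs to execute files out of its tmp directory; execute on a tmp-labelled type is exactly the kind of rule a later maintainer will want to trace, and the upstream filetrans line in context now also covers sock_file. Put a one-line `# <consumer and bug reference>` comment above it in the nested dbus.te hunk (placeholder shown, since the page records no reference), or confirm that a narrower target type would not do. Apart from that line the outer hunk is only the path refresh to fedora-policy-20210419.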
@@ -13,11 +13,11 @@ Index: fedora-policy-20210309/policy/modules/roles/sysadm.te iotop_run(sysadm_t, sysadm_r) ') -Index: fedora-policy-20210309/policy/modules/roles/unprivuser.te +Index: fedora-policy-20210419/policy/modules/roles/unprivuser.te =================================================================== ---- fedora-policy-20210309.orig/policy/modules/roles/unprivuser.te -+++ fedora-policy-20210309/policy/modules/roles/unprivuser.te -@@ -200,10 +200,6 @@ ifndef(`distro_redhat',` +--- fedora-policy-20210419.orig/policy/modules/roles/unprivuser.te ++++ fedora-policy-20210419/policy/modules/roles/unprivuser.te +@@ -209,10 +209,6 @@ ifndef(`distro_redhat',` ') optional_policy(` diff --git a/fix_init.patch b/fix_init.patch index 83ceac0..925d9c9 100644 --- a/fix_init.patch +++ b/fix_init.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20210309/policy/modules/system/init.if +Index: fedora-policy-20210419/policy/modules/system/init.if =================================================================== ---- fedora-policy-20210309.orig/policy/modules/system/init.if -+++ fedora-policy-20210309/policy/modules/system/init.if +--- fedora-policy-20210419.orig/policy/modules/system/init.if ++++ fedora-policy-20210419/policy/modules/system/init.if @@ -3242,6 +3242,7 @@ interface(`init_filetrans_named_content' files_etc_filetrans($1, machineid_t, file, "machine-id" ) files_pid_filetrans($1, initctl_t, fifo_file, "fifo" ) 
@@ -10,11 +10,11 @@ Index: fedora-policy-20210309/policy/modules/system/init.if init_pid_filetrans($1, systemd_unit_file_t, dir, "system") ') -Index: fedora-policy-20210309/policy/modules/system/init.te +Index: fedora-policy-20210419/policy/modules/system/init.te =================================================================== ---- fedora-policy-20210309.orig/policy/modules/system/init.te -+++ fedora-policy-20210309/policy/modules/system/init.te -@@ -262,6 +262,8 @@ corecmd_exec_bin(init_t) +--- fedora-policy-20210419.orig/policy/modules/system/init.te ++++ fedora-policy-20210419/policy/modules/system/init.te +@@ -269,6 +269,8 @@ corecmd_exec_bin(init_t) corenet_all_recvfrom_netlabel(init_t) corenet_tcp_bind_all_ports(init_t) corenet_udp_bind_all_ports(init_t) @@ -23,7 +23,7 @@ Index: fedora-policy-20210309/policy/modules/system/init.te dev_create_all_files(init_t) dev_create_all_chr_files(init_t) -@@ -390,6 +391,7 @@ logging_manage_audit_config(init_t) +@@ -397,6 +399,7 @@ logging_manage_audit_config(init_t) logging_create_syslog_netlink_audit_socket(init_t) logging_write_var_log_dirs(init_t) logging_manage_var_log_symlinks(init_t) @@ -31,7 +31,7 @@ Index: fedora-policy-20210309/policy/modules/system/init.te seutil_read_config(init_t) seutil_read_login_config(init_t) -@@ -439,11 +441,16 @@ ifdef(`distro_redhat',` +@@ -446,11 +449,16 @@ ifdef(`distro_redhat',` corecmd_shell_domtrans(init_t, initrc_t) storage_raw_rw_fixed_disk(init_t) @@ -48,7 +48,7 @@ Index: fedora-policy-20210309/policy/modules/system/init.te bootloader_domtrans(init_t) ') -@@ -557,10 +564,10 @@ tunable_policy(`init_create_dirs',` +@@ -568,10 +576,10 @@ tunable_policy(`init_audit_control',` allow init_t self:system all_system_perms; allow init_t self:system module_load; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; 
@@ -61,7 +61,7 @@ Index: fedora-policy-20210309/policy/modules/system/init.te allow init_t self:netlink_selinux_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; # Until systemd is fixed -@@ -618,6 +625,7 @@ files_delete_all_spool_sockets(init_t) +@@ -629,6 +637,7 @@ files_delete_all_spool_sockets(init_t) files_create_var_lib_dirs(init_t) files_create_var_lib_symlinks(init_t) files_read_var_lib_symlinks(init_t) @@ -69,7 +69,7 @@ Index: fedora-policy-20210309/policy/modules/system/init.te files_manage_urandom_seed(init_t) files_list_locks(init_t) files_list_spool(init_t) -@@ -654,7 +662,7 @@ fs_list_all(init_t) +@@ -665,7 +674,7 @@ fs_list_all(init_t) fs_list_auto_mountpoints(init_t) fs_register_binary_executable_type(init_t) fs_relabel_tmpfs_sock_file(init_t) @@ -78,7 +78,7 @@ Index: fedora-policy-20210309/policy/modules/system/init.te fs_relabel_cgroup_dirs(init_t) fs_search_cgroup_dirs(init_t) # for network namespaces -@@ -710,6 +718,7 @@ systemd_write_inherited_logind_sessions_ +@@ -721,6 +730,7 @@ systemd_write_inherited_logind_sessions_ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) create_dirs_pattern(init_t, var_log_t, var_log_t) @@ -86,7 +86,7 @@ Index: fedora-policy-20210309/policy/modules/system/init.te auth_use_nsswitch(init_t) auth_rw_login_records(init_t) -@@ -1563,6 +1572,8 @@ optional_policy(` +@@ -1574,6 +1584,8 @@ optional_policy(` optional_policy(` postfix_list_spool(initrc_t) diff --git a/fix_unprivuser.patch b/fix_unprivuser.patch index 4db22cf..26ac928 100644 --- a/fix_unprivuser.patch +++ b/fix_unprivuser.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20210309/policy/modules/roles/unprivuser.te +Index: fedora-policy-20210419/policy/modules/roles/unprivuser.te =================================================================== ---- fedora-policy-20210309.orig/policy/modules/roles/unprivuser.te -+++ fedora-policy-20210309/policy/modules/roles/unprivuser.te -@@ -282,6 +282,13 @@ ifndef(`distro_redhat',` +--- fedora-policy-20210419.orig/policy/modules/roles/unprivuser.te ++++ fedora-policy-20210419/policy/modules/roles/unprivuser.te +@@ -291,6 +291,13 @@ ifndef(`distro_redhat',` ') optional_policy(` diff --git a/selinux-policy.changes b/selinux-policy.changes index fa2ba64..248ee11 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Mon Apr 19 11:37:49 UTC 2021 - Johannes Segitz + +- Update to version 20210419 +- Refreshed: + * fix_dbus.patch + * fix_hadoop.patch + * fix_init.patch + * fix_unprivuser.patch + ------------------------------------------------------------------- Fri Mar 12 10:36:06 UTC 2021 - Ales Kedroutek diff --git a/selinux-policy.spec b/selinux-policy.spec index 0e9359b..ec2eeb2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -33,7 +33,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20210309 +Version: 20210419 Release: 0 Source: fedora-policy-%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc From 97706409758f15a6f20b8e132b9dfbf6f5932e283aad27c7360f47a014ade298 Mon Sep 17 00:00:00 2001 
From: Dominique Leuenberger Date: Thu, 29 Apr 2021 20:44:23 +0000 Subject: [PATCH 10/35] Accepting request 888543 from security:SELinux - Added Recommends for selinux-autorelabel (bsc#1181837) - Prevent libreoffice fonts from changing types on every relabel (bsc#1185265). Added fix_libraries.patch - Transition unconfined users to ldconfig type (bsc#1183121). Extended fix_unconfineduser.patch OBS-URL: https://build.opensuse.org/request/show/888543 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=10 --- fix_libraries.patch | 13 +++++++++++++ fix_unconfineduser.patch | 17 ++++++++++++++--- selinux-policy.changes | 13 +++++++++++++ selinux-policy.spec | 3 +++ 4 files changed, 43 insertions(+), 3 deletions(-) create mode 100644 fix_libraries.patch diff --git a/fix_libraries.patch b/fix_libraries.patch new file mode 100644 index 0000000..a6a228f --- /dev/null +++ b/fix_libraries.patch @@ -0,0 +1,13 @@ +Index: fedora-policy-20210419/policy/modules/system/libraries.fc +=================================================================== +--- fedora-policy-20210419.orig/policy/modules/system/libraries.fc ++++ fedora-policy-20210419/policy/modules/system/libraries.fc +@@ -124,6 +124,8 @@ ifdef(`distro_redhat',` + + /usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) + ++/usr/lib/libreoffice/program/resource.* -- gen_context(system_u:object_r:lib_t,s0) ++ + /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) + + /usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch index 2ab2e84..55b9dda 100644 --- a/fix_unconfineduser.patch +++ b/fix_unconfineduser.patch 
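Review bot: The file context added to libraries.fc, `/usr/lib/libreoffice/program/resource.*`, is an unanchored regex in which `.*` also matches `/`, so it covers everything below `resource/` and any sibling entry whose name merely starts with "resource" (the `--` class limits it to regular files). If the intent is only the font files under that directory, `/usr/lib/libreoffice/program/resource(/.*)? -- gen_context(system_u:object_r:lib_t,s0)` states that more precisely. A one-line comment above the rule naming the bug it fixes (bsc#1185265 per the changelog) would also help, since fix_libraries.patch has no description header of its own.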
@@ -1,7 +1,7 @@ -Index: fedora-policy-20210309/policy/modules/roles/unconfineduser.te +Index: fedora-policy-20210419/policy/modules/roles/unconfineduser.te =================================================================== ---- fedora-policy-20210309.orig/policy/modules/roles/unconfineduser.te -+++ fedora-policy-20210309/policy/modules/roles/unconfineduser.te +--- fedora-policy-20210419.orig/policy/modules/roles/unconfineduser.te ++++ fedora-policy-20210419/policy/modules/roles/unconfineduser.te @@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all' domain_dyntrans(unconfined_t) ') @@ -44,3 +44,14 @@ Index: fedora-policy-20210309/policy/modules/roles/unconfineduser.te bluetooth_dbus_chat(unconfined_t) ') +@@ -311,6 +332,10 @@ optional_policy(` + ') + + optional_policy(` ++ libs_run_ldconfig(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` + firstboot_run(unconfined_t, unconfined_r) + ') + diff --git a/selinux-policy.changes b/selinux-policy.changes index 248ee11..ea9b543 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Mon Apr 26 07:16:10 UTC 2021 - Johannes Segitz + +- Added Recommends for selinux-autorelabel (bsc#1181837) +- Prevent libreoffice fonts from changing types on every relabel + (bsc#1185265). Added fix_libraries.patch + +------------------------------------------------------------------- +Fri Apr 23 10:50:24 UTC 2021 - Johannes Segitz + +- Transition unconfined users to ldconfig type (bsc#1183121). + Extended fix_unconfineduser.patch + ------------------------------------------------------------------- Mon Apr 19 11:37:49 UTC 2021 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index ec2eeb2..7dcde59 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
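Review bot: The new `optional_policy` block granting `libs_run_ldconfig(unconfined_t, unconfined_r)` arrives without any rationale in the patch itself; fix_unconfineduser.patch has only `Index:` headers, so the reason for the domain transition lives solely in selinux-policy.changes. A short header line before the first `Index:`, e.g. `Transition unconfined users into the ldconfig domain when running ldconfig (bsc#1183121)`, keeps that rationale with the rule across future refreshes. The rule is inserted by taking over the existing `optional_policy(` opener and opening a fresh block for `firstboot_run`, which is fine, but worth a glance when the next refresh shifts these lines.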
@@ -128,6 +128,7 @@ Patch046: fix_unprivuser.patch Patch047: fix_rpm.patch Patch048: fix_apache.patch Patch049: fix_nis.patch +Patch050: fix_libraries.patch Patch100: sedoctool.patch @@ -154,6 +155,7 @@ Recommends: selinux-tools Recommends: python3-policycoreutils Recommends: policycoreutils-python-utils Recommends: container-selinux +Recommends: selinux-autorelabel %define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 @@ -432,6 +434,7 @@ exit 0 %patch047 -p1 %patch048 -p1 %patch049 -p1 +%patch050 -p1 %patch100 -p1 find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \; From 231c1bddccf0e04a70dbc995ec75f9de411882bc7685b7a998f06715618326b2 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Fri, 7 May 2021 14:45:22 +0000 Subject: [PATCH 11/35] Accepting request 890550 from security:SELinux Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/890550 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=11 --- fix_dovecot.patch | 15 +++++++++++++++ fix_networkmanager.patch | 24 ++++++++++++++++-------- selinux-policy.changes | 7 +++++++ selinux-policy.spec | 3 ++- 4 files changed, 40 insertions(+), 9 deletions(-) create mode 100644 fix_dovecot.patch diff --git a/fix_dovecot.patch b/fix_dovecot.patch new file mode 100644 index 0000000..f88cff1 --- /dev/null +++ b/fix_dovecot.patch 
@@ -0,0 +1,15 @@
+Index: fedora-policy-20210419/policy/modules/contrib/dovecot.fc
+===================================================================
+--- fedora-policy-20210419.orig/policy/modules/contrib/dovecot.fc
++++ fedora-policy-20210419/policy/modules/contrib/dovecot.fc
+@@ -34,6 +34,10 @@ ifdef(`distro_redhat', `
+ /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+ ')
+ 
++/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
++/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
++/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
++
+ #
+ # /var
+ #
diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch
index 6111ead..50a8781 100644
--- a/fix_networkmanager.patch
+++ b/fix_networkmanager.patch
@@ -1,8 +1,16 @@ -Index: fedora-policy-20210309/policy/modules/contrib/networkmanager.te +Index: fedora-policy-20210419/policy/modules/contrib/networkmanager.te =================================================================== ---- fedora-policy-20210309.orig/policy/modules/contrib/networkmanager.te -+++ fedora-policy-20210309/policy/modules/contrib/networkmanager.te -@@ -241,6 +241,9 @@ userdom_read_home_certs(NetworkManager_t +--- fedora-policy-20210419.orig/policy/modules/contrib/networkmanager.te ++++ fedora-policy-20210419/policy/modules/contrib/networkmanager.te +@@ -97,6 +97,7 @@ read_files_pattern(NetworkManager_t, Net + read_lnk_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) + + list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) ++watch_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) + read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) + read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) + +@@ -241,6 +242,9 @@ userdom_read_home_certs(NetworkManager_t userdom_read_user_home_content_files(NetworkManager_t) userdom_dgram_send(NetworkManager_t) @@ -12,7 +20,7 @@ Index: fedora-policy-20210309/policy/modules/contrib/networkmanager.te tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(NetworkManager_t) ') -@@ -258,6 +261,14 @@ optional_policy(` +@@ -258,6 +262,14 @@ optional_policy(` ') optional_policy(` 
@@ -27,10 +35,10 @@ Index: fedora-policy-20210309/policy/modules/contrib/networkmanager.te bind_domtrans(NetworkManager_t) bind_manage_cache(NetworkManager_t) bind_kill(NetworkManager_t) -Index: fedora-policy-20210309/policy/modules/contrib/networkmanager.if +Index: fedora-policy-20210419/policy/modules/contrib/networkmanager.if =================================================================== ---- fedora-policy-20210309.orig/policy/modules/contrib/networkmanager.if -+++ fedora-policy-20210309/policy/modules/contrib/networkmanager.if +--- fedora-policy-20210419.orig/policy/modules/contrib/networkmanager.if ++++ fedora-policy-20210419/policy/modules/contrib/networkmanager.if @@ -114,6 +114,24 @@ interface(`networkmanager_initrc_domtran init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ') diff --git a/selinux-policy.changes b/selinux-policy.changes index ea9b543..e63e4c5 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Apr 27 06:30:08 UTC 2021 - Johannes Segitz + +- Updated fix_networkmanager.patch to allow NetworkManager to watch + its configuration directories +- Added fix_dovecot.patch to fix dovecot authentication (bsc#1182207) + ------------------------------------------------------------------- Mon Apr 26 07:16:10 UTC 2021 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index 7dcde59..f0b2d64 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -121,7 +121,6 @@ Patch039: fix_cron.patch Patch040: fix_usermanage.patch Patch041: fix_smartmon.patch Patch042: fix_geoclue.patch -#Patch043: suse_specific.patch Patch044: fix_authlogin.patch Patch045: fix_screen.patch Patch046: fix_unprivuser.patch @@ -129,6 +128,7 @@ Patch047: fix_rpm.patch Patch048: fix_apache.patch Patch049: fix_nis.patch Patch050: fix_libraries.patch +Patch051: fix_dovecot.patch Patch100: sedoctool.patch 
@@ -435,6 +435,7 @@ exit 0 %patch048 -p1 %patch049 -p1 %patch050 -p1 +%patch051 -p1 %patch100 -p1 find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \; From e5ddc01c223e73b1d127131a7bbb0a6116c6bb1f1de18262d0a20eeabeb5ec28 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Thu, 20 May 2021 17:24:24 +0000 Subject: [PATCH 12/35] Accepting request 893917 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/893917 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=12 --- fix_cockpit.patch | 28 +++++++++++++++++++++ selinux-policy.changes | 6 +++++ selinux-policy.spec | 55 +++--------------------------------------- 3 files changed, 37 insertions(+), 52 deletions(-) create mode 100644 fix_cockpit.patch diff --git a/fix_cockpit.patch b/fix_cockpit.patch new file mode 100644 index 0000000..ed97de0 --- /dev/null +++ b/fix_cockpit.patch @@ -0,0 +1,28 @@ +From d63e6cf43bfe32d53b371b6920d4c09431647ddd Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel +Date: Wed, 28 Apr 2021 17:09:49 +0200 +Subject: [PATCH] cockpit: allow cockpit socket to bind nodes + +Looks like this setting is implicit with kerberos enabled. +cockpit.socket fails to start if kerberos_enabled=false +--- + policy/modules/contrib/cockpit.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/contrib/cockpit.te b/policy/modules/contrib/cockpit.te +index a160ca6b6..5984711fa 100644 +--- a/policy/modules/contrib/cockpit.te ++++ b/policy/modules/contrib/cockpit.te +@@ -52,7 +52,9 @@ can_exec(cockpit_ws_t,cockpit_session_exec_t) + dev_read_urand(cockpit_ws_t) # for authkey + dev_read_rand(cockpit_ws_t) # for libssh + ++# cockpit-ws allows connections on websm port + corenet_tcp_bind_websm_port(cockpit_ws_t) ++corenet_tcp_bind_generic_node(cockpit_ws_t) + + # cockpit-ws can connect to other hosts via ssh + corenet_tcp_connect_ssh_port(cockpit_ws_t) +-- +2.26.2 + 
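Review bot: The comment added above `corenet_tcp_bind_websm_port(cockpit_ws_t)` describes the pre-existing port rule, while the new `corenet_tcp_bind_generic_node(cockpit_ws_t)` — the line the patch exists for — carries no comment and its rationale sits only in the mail header, which a later `Index:`-style refresh may drop. Since the header says the node bind is otherwise implied by the kerberos path, a comment on the new line such as `# bind the websm socket on any local address; cockpit.socket fails to start without this when kerberos_enabled=false` records it where the next refresh will keep it. The wording `cockpit-ws allows connections on websm port` also reads oddly for a bind rule; `cockpit-ws listens on the websm port` is closer to what the rule grants.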
diff --git a/selinux-policy.changes b/selinux-policy.changes index e63e4c5..06eeea7 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Apr 28 15:18:37 UTC 2021 - Ludwig Nussel + +- allow cockpit socket to bind nodes (fix_cockpit.patch) +- use %autosetup to get rid of endless patch lines + ------------------------------------------------------------------- Tue Apr 27 06:30:08 UTC 2021 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index f0b2d64..cab891b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -129,6 +129,8 @@ Patch048: fix_apache.patch Patch049: fix_nis.patch Patch050: fix_libraries.patch Patch051: fix_dovecot.patch +# https://github.com/cockpit-project/cockpit/pull/15758 +Patch052: fix_cockpit.patch Patch100: sedoctool.patch @@ -386,58 +388,7 @@ fi; exit 0 %prep -%setup -n fedora-policy-%{version} -%patch001 -p1 -%patch002 -p1 -%patch003 -p1 -%patch004 -p1 -%patch005 -p1 -%patch006 -p1 -%patch007 -p1 -%patch008 -p1 -%patch009 -p1 -%patch010 -p1 -%patch011 -p1 -%patch012 -p1 -%patch013 -p1 -%patch014 -p1 -%patch016 -p1 -%patch017 -p1 -%patch018 -p1 -%patch019 -p1 -%patch020 -p1 -%patch021 -p1 -%patch022 -p1 -%patch024 -p1 -%patch025 -p1 -%patch026 -p1 -%patch027 -p1 -%patch028 -p1 -%patch029 -p1 -%patch030 -p1 -#% patch031 -p1 -%patch032 -p1 -%patch033 -p1 -%patch034 -p1 -%patch035 -p1 -%patch036 -p1 -%patch037 -p1 -%patch038 -p1 -%patch039 -p1 -%patch040 -p1 -%patch041 -p1 -%patch042 -p1 -#% patch043 -p1 -%patch044 -p1 -%patch045 -p1 -%patch046 -p1 -%patch047 -p1 -%patch048 -p1 -%patch049 -p1 -%patch050 -p1 -%patch051 -p1 - -%patch100 -p1 +%autosetup -n fedora-policy-%{version} -p1 find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \; %build From aea4a827c00f7441728f58fa8ff96aa4b8a32477bd2e1538093e40372891ef1d Mon Sep 17 00:00:00 2001 
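Review bot: `%autosetup -n fedora-policy-%{version} -p1` applies every PatchNNN tag declared in the spec, whereas the removed %prep list deliberately skipped `%patch015`, `%patch023`, `%patch031` and `%patch043` (the last two were commented out). Patch043 was already dropped from the declarations in an earlier commit, but Patch015, Patch023 and Patch031 are not visible in this diff; if any of those tags still exist, the new %prep will apply them for the first time, silently changing the built policy. Worth confirming that only the patches the old list applied remain declared before this lands, and a one-line comment next to `%autosetup` noting that the declaration list is now authoritative would warn future editors.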
From: Dominique Leuenberger Date: Sun, 23 May 2021 21:30:29 +0000 Subject: [PATCH 13/35] Accepting request 894727 from security:SELinux - allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units that trigger on changes in those. Added fix_systemd_watch.patch - own /usr/share/selinux/packages/$SELINUXTYPE/ and /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install files there OBS-URL: https://build.opensuse.org/request/show/894727 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=13 --- fix_systemd_watch.patch | 38 ++++++++++++++++++++++++++++++++++++++ selinux-policy.changes | 10 ++++++++++ selinux-policy.spec | 7 ++++++- 3 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 fix_systemd_watch.patch diff --git a/fix_systemd_watch.patch b/fix_systemd_watch.patch new file mode 100644 index 0000000..fb52641 --- /dev/null +++ b/fix_systemd_watch.patch 
@@ -0,0 +1,38 @@ +Index: fedora-policy-20210419/policy/modules/system/systemd.te +=================================================================== +--- fedora-policy-20210419.orig/policy/modules/system/systemd.te ++++ fedora-policy-20210419/policy/modules/system/systemd.te +@@ -1357,3 +1357,10 @@ fstools_rw_swap_files(systemd_sleep_t) + + # systemd-sleep needs to getattr swap partitions + storage_getattr_fixed_disk_dev(systemd_sleep_t) ++ ++ ++####################################### ++# ++# Allow systemd to watch certificate dir for ca-certificates ++# ++watch_dirs_pattern(init_t,cert_t,cert_t) +Index: fedora-policy-20210419/policy/modules/system/init.te +=================================================================== +--- fedora-policy-20210419.orig/policy/modules/system/init.te ++++ fedora-policy-20210419/policy/modules/system/init.te +@@ -317,7 +317,10 @@ files_etc_filetrans_etc_runtime(init_t, + # Run /etc/X11/prefdm: + files_exec_etc_files(init_t) + files_watch_etc_dirs(init_t) ++files_watch_etc_files(init_t) + files_read_usr_files(init_t) ++files_watch_usr_dirs(init_t) ++files_watch_usr_files(init_t) + files_watch_root_dirs(init_t) + files_write_root_dirs(init_t) + files_watch_var_dirs(init_t) +@@ -334,6 +337,7 @@ files_remount_rootfs(init_t) + files_create_var_dirs(init_t) + files_watch_home(init_t) + files_watch_all_pid(init_t) ++watch_dirs_pattern(init_t,lib_t,lib_t) + + fs_list_inotifyfs(init_t) + # cjp: this may be related to /dev/log diff --git a/selinux-policy.changes b/selinux-policy.changes index 06eeea7..bdbda71 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
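Review bot: The `watch_dirs_pattern(init_t,cert_t,cert_t)` rule is appended to the very end of systemd.te, after the systemd_sleep_t rules, even though it grants to init_t and the same patch already edits the init_t watch block in init.te next to `files_watch_etc_dirs(init_t)`; keeping all init_t watch rules together in init.te avoids a stray section at the bottom of systemd.te and makes the next refresh easier. Both `watch_dirs_pattern(init_t,cert_t,cert_t)` and `watch_dirs_pattern(init_t,lib_t,lib_t)` reach directly into types owned by other modules (miscfiles and libraries); if this policy version provides watch interfaces there, as the files module clearly does given `files_watch_etc_files`, those would be the conventional form. The rationale — path units that trigger on changes under /usr, /usr/lib, /etc and /etc/pki — is only in the changelog; a header line in the patch itself would preserve it.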
@@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Tue May 18 11:10:59 UTC 2021 - Ludwig Nussel + +- allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units + that trigger on changes in those. + Added fix_systemd_watch.patch +- own /usr/share/selinux/packages/$SELINUXTYPE/ and + /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install + files there + ------------------------------------------------------------------- Wed Apr 28 15:18:37 UTC 2021 - Ludwig Nussel diff --git a/selinux-policy.spec b/selinux-policy.spec index cab891b..f3168b3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -131,6 +131,7 @@ Patch050: fix_libraries.patch Patch051: fix_dovecot.patch # https://github.com/cockpit-project/cockpit/pull/15758 Patch052: fix_cockpit.patch +Patch053: fix_systemd_watch.patch Patch100: sedoctool.patch @@ -183,6 +184,7 @@ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \ %{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \ +%{__mkdir} -p %{buildroot}%{_sharedstatedir}/selinux/%1/active/modules/{1,2,4}00 \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ 
@@ -210,6 +212,8 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \ %dir %attr(700,root,root) %{_sharedstatedir}/selinux/%1/active/modules \ %dir %{_sharedstatedir}/selinux/%1/active/modules/100 \ +%dir %{_sharedstatedir}/selinux/%1/active/modules/200 \ +%dir %{_sharedstatedir}/selinux/%1/active/modules/400 \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \ %dir %{_sysconfdir}/selinux/%1/policy/ \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.* \ @@ -250,6 +254,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ %dir %{_datadir}/selinux/%1 \ +%dir %{_datadir}/selinux/packages/%1 \ %{_datadir}/selinux/%1/base.lst \ %{_datadir}/selinux/%1/modules-base.lst \ %{_datadir}/selinux/%1/modules-contrib.lst \ @@ -409,7 +414,7 @@ sed -i 's|SELINUXSTOREPATH|%{_sharedstatedir}/selinux|' %{buildroot}%{_rpmconfig mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/ mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/ -mkdir -p %{buildroot}%{_datadir}/selinux/packages +mkdir -p %{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/ mkdir selinux_config for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do From 3baf5bcdf6b676e69ef38520a86c8be1f06fe89cbc771f64a2c5340e36138445 Mon Sep 17 00:00:00 2001 
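Review bot: The %install hunk now creates `%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/`, but the files-list hunk adds only `%dir %{_datadir}/selinux/packages/%1` for whichever policy types the macro is expanded with; neither the parent `%{_datadir}/selinux/packages` nor `packages/modules` is listed anywhere in this diff. If those are owned by another %files stanza outside the hunk this is fine; otherwise rpmbuild's unpackaged-files check will complain, or the parent will be left unowned on installed systems. The 200 and 400 priority directories are added with the same bare `%dir` as the existing 100 entry, so they sit under the `%attr(700,root,root)` parent and need no extra attribute; the enclosing files macro starts before the hunk.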
From: Dominique Leuenberger Date: Sun, 11 Jul 2021 23:24:43 +0000 Subject: [PATCH 14/35] Accepting request 904732 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/904732 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=14 --- modules-targeted-base.conf | 7 +++++++ selinux-policy.changes | 7 +++++++ selinux-policy.spec | 9 ++++++--- tabrmd.fc | 2 ++ tabrmd.if | 1 + tabrmd.te | 29 +++++++++++++++++++++++++++++ 6 files changed, 52 insertions(+), 3 deletions(-) create mode 100644 tabrmd.fc create mode 100644 tabrmd.if create mode 100644 tabrmd.te diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf index f5bcc4c..3c380c0 100644 --- a/modules-targeted-base.conf +++ b/modules-targeted-base.conf @@ -412,3 +412,10 @@ rtorrent = module # Policy for wicked # wicked = module + +# Layer: contrib +# Module: tabrmd +# +# Policy for tabrmd +# +tabrmd = module diff --git a/selinux-policy.changes b/selinux-policy.changes index bdbda71..b4cf233 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Jul 6 13:55:19 UTC 2021 - Alberto Planas Dominguez + +- Add tabrmd SELinux modules from upstream (bsc#1187925) + https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux +- Automatic spec-cleaner to fix ordering and misaligned spaces + ------------------------------------------------------------------- Tue May 18 11:10:59 UTC 2021 - Ludwig Nussel diff --git a/selinux-policy.spec b/selinux-policy.spec index f3168b3..4687a5f 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -81,6 +81,9 @@ Source125: rtorrent.fc Source126: wicked.te Source127: wicked.if Source128: wicked.fc +Source129: tabrmd.te +Source130: tabrmd.if +Source131: tabrmd.fc Patch001: fix_djbdns.patch Patch002: fix_dbus.patch 
@@ -156,8 +159,8 @@ Recommends: audit Recommends: selinux-tools # for audit2allow Recommends: python3-policycoreutils -Recommends: policycoreutils-python-utils Recommends: container-selinux +Recommends: policycoreutils-python-utils Recommends: selinux-autorelabel %define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 @@ -366,7 +369,7 @@ creating other policies. %package sandbox Summary: SELinux policy sandbox Group: System/Management -Requires(pre): selinux-policy-targeted = %{version}-%{release} +Requires(pre): selinux-policy-targeted = %{version}-%{release} %description sandbox SELinux sandbox policy used for the policycoreutils-sandbox package @@ -421,7 +424,7 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} cp $i selinux_config done -for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do +for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do cp $i policy/modules/contrib done diff --git a/tabrmd.fc b/tabrmd.fc new file mode 100644 index 0000000..9f9ec1e --- /dev/null +++ b/tabrmd.fc @@ -0,0 +1,2 @@ +/usr/sbin/tpm2-abrmd -- gen_context(system_u:object_r:tabrmd_exec_t,s0) +/usr/local/sbin/tpm2-abrmd -- gen_context(system_u:object_r:tabrmd_exec_t,s0) diff --git a/tabrmd.if b/tabrmd.if new file mode 100644 index 0000000..5846dc1 --- /dev/null +++ b/tabrmd.if @@ -0,0 +1 @@ +## diff --git a/tabrmd.te b/tabrmd.te new file mode 100644 index 0000000..b0f8af4 --- /dev/null +++ b/tabrmd.te 
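Review bot: tabrmd.if consists of the single line `##`, so the module exports no interfaces and the doc comment has no `<summary>`; refpolicy interface files conventionally open with `## <summary>…</summary>` so that the documentation build does not trip over an empty header, and `## <summary>TPM2 access broker and resource manager daemon (tpm2-abrmd)</summary>` would do. In tabrmd.fc the `/usr/local/sbin/tpm2-abrmd` entry labels a path a distribution package would not normally install to; it is harmless, but since the file is imported verbatim from the upstream tree named in the changelog, a comment saying so would save the next reviewer the question.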
@@ -0,0 +1,29 @@
+policy_module(tabrmd, 0.0.2)
+
+########################################
+#
+# Declarations
+#
+
+gen_tunable(`tabrmd_connect_all_unreserved', false)
+
+type tabrmd_t;
+type tabrmd_exec_t;
+init_daemon_domain(tabrmd_t, tabrmd_exec_t)
+
+allow tabrmd_t self:unix_dgram_socket { create_socket_perms };
+
+dev_rw_tpm(tabrmd_t)
+logging_send_syslog_msg(tabrmd_t)
+sysnet_dns_name_resolve(tabrmd_t)
+
+optional_policy(`
+ dbus_stub()
+ dbus_system_domain(tabrmd_t, tabrmd_exec_t)
+ allow system_dbusd_t tabrmd_t:unix_stream_socket rw_stream_socket_perms;
+ fwupd_dbus_chat(tabrmd_t)
+')
+
+tunable_policy(`tabrmd_connect_all_unreserved',`
+ corenet_tcp_connect_all_unreserved_ports(tabrmd_t)
+')
From c8394980d848f3bf3aaba0a2550817233cfb5308506e7d404af4d56dee7a5159 Mon Sep 17 00:00:00 2001
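Review bot: `fwupd_dbus_chat(tabrmd_t)` sits inside the same `optional_policy` block as `dbus_stub()` and `dbus_system_domain(tabrmd_t, tabrmd_exec_t)`, so if the fwupd module is not loaded the whole block — including the D-Bus domain setup tabrmd needs regardless of fwupd — is dropped; it belongs in its own `optional_policy(` … `fwupd_dbus_chat(tabrmd_t)` … `')` block. The raw `allow system_dbusd_t tabrmd_t:unix_stream_socket rw_stream_socket_perms;` writes a rule on another module's subject type from inside this module, which refpolicy style avoids in favour of an interface exported by the dbus module; if none fits, a comment explaining why the bus daemon needs read/write on tabrmd's stream sockets would at least document the exception. `sysnet_dns_name_resolve(tabrmd_t)` is granted unconditionally while outbound TCP is gated behind `tabrmd_connect_all_unreserved` (default false); a comment on what a local TPM resource manager resolves names for, or moving the rule under the same tunable if it is only needed for remote access, would make the intended privilege boundary explicit.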
From: Dominique Leuenberger Date: Mon, 2 Aug 2021 10:04:33 +0000 Subject: [PATCH 15/35] Accepting request 909370 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/909370 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=15 --- fedora-policy-20210419.tar.bz2 | 3 --- fedora-policy-20210716.tar.bz2 | 3 +++ fix_cockpit.patch | 13 +++++------ fix_gift.patch | 9 -------- fix_hadoop.patch | 16 ++++++------- fix_init.patch | 31 +++++++++++++------------ fix_logging.patch | 14 ++++++------ fix_logrotate.patch | 8 +++---- fix_networkmanager.patch | 24 +++++++------------- fix_nscd.patch | 14 ++++++------ fix_rpm.patch | 20 ++++++++--------- fix_selinuxutil.patch | 16 ++++++------- fix_systemd.patch | 8 +++---- fix_systemd_watch.patch | 39 ++++++++------------------------ fix_thunderbird.patch | 8 +++---- fix_unconfined.patch | 8 +++---- fix_unconfineduser.patch | 14 ++++++------ fix_unprivuser.patch | 8 +++---- fix_xserver.patch | 16 ++++++------- modules-targeted-base.conf | 7 ------ selinux-policy.changes | 41 ++++++++++++++++++++++++++++++++++ selinux-policy.spec | 10 ++++----- tabrmd.fc | 2 -- tabrmd.if | 1 - tabrmd.te | 29 ------------------------ update.sh | 2 +- wicked.te | 4 ---- 27 files changed, 161 insertions(+), 207 deletions(-) delete mode 100644 fedora-policy-20210419.tar.bz2 create mode 100644 fedora-policy-20210716.tar.bz2 delete mode 100644 fix_gift.patch delete mode 100644 tabrmd.fc delete mode 100644 tabrmd.if delete mode 100644 tabrmd.te diff --git a/fedora-policy-20210419.tar.bz2 b/fedora-policy-20210419.tar.bz2 deleted file mode 100644 index 549e8d7..0000000 --- a/fedora-policy-20210419.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ad36b63becbe4fb8a7ac5597b58360c8ebaf7f15ec6681d3170ec16dc2e7a650 -size 721823 diff --git a/fedora-policy-20210716.tar.bz2 b/fedora-policy-20210716.tar.bz2 new file mode 100644 index 0000000..f558fe3 --- /dev/null 
+++ b/fedora-policy-20210716.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c72911f7b3d31ad5988df36f18c96337a5870044fc42be38dc6bbdd9caa95682 +size 710155 diff --git a/fix_cockpit.patch b/fix_cockpit.patch index ed97de0..d4eae49 100644 --- a/fix_cockpit.patch +++ b/fix_cockpit.patch @@ -9,11 +9,11 @@ cockpit.socket fails to start if kerberos_enabled=false policy/modules/contrib/cockpit.te | 2 ++ 1 file changed, 2 insertions(+) -diff --git a/policy/modules/contrib/cockpit.te b/policy/modules/contrib/cockpit.te -index a160ca6b6..5984711fa 100644 ---- a/policy/modules/contrib/cockpit.te -+++ b/policy/modules/contrib/cockpit.te -@@ -52,7 +52,9 @@ can_exec(cockpit_ws_t,cockpit_session_exec_t) +Index: fedora-policy-20210628/policy/modules/contrib/cockpit.te +=================================================================== +--- fedora-policy-20210628.orig/policy/modules/contrib/cockpit.te ++++ fedora-policy-20210628/policy/modules/contrib/cockpit.te +@@ -51,7 +51,9 @@ can_exec(cockpit_ws_t,cockpit_session_ex dev_read_urand(cockpit_ws_t) # for authkey dev_read_rand(cockpit_ws_t) # for libssh @@ -23,6 +23,3 @@ index a160ca6b6..5984711fa 100644 # cockpit-ws can connect to other hosts via ssh corenet_tcp_connect_ssh_port(cockpit_ws_t) --- -2.26.2 - diff --git a/fix_gift.patch b/fix_gift.patch deleted file mode 100644 index 191375e..0000000 --- a/fix_gift.patch +++ /dev/null @@ -1,9 +0,0 @@ -Index: fedora-policy/policy/modules/contrib/gift.te -=================================================================== ---- fedora-policy.orig/policy/modules/contrib/gift.te 2019-08-05 09:39:48.645670248 +0200 -+++ fedora-policy/policy/modules/contrib/gift.te 2019-08-05 10:05:44.787808191 +0200 -@@ -113,4 +113,3 @@ files_read_etc_runtime_files(giftd_t) - sysnet_dns_name_resolve(giftd_t) - - userdom_use_inherited_user_terminals(giftd_t) --userdom_home_manager(gitd_t) diff --git a/fix_hadoop.patch b/fix_hadoop.patch index 0a8ee6c..99c9878 100644 
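Review bot: The refreshed headers in fix_cockpit.patch point at `fedora-policy-20210628`, while the tarball this commit adds is `fedora-policy-20210716.tar.bz2` and fix_init.patch further down is refreshed against `fedora-policy-20210716`; fix_hadoop.patch and fix_logging.patch carry the 20210628 name as well. `Index:`/`---`/`+++` paths are ignored by `%autosetup -p1`, so this is cosmetic for the build, but it suggests the 20210628 patches were not re-verified against the 20210716 tree and their offsets (e.g. `@@ -51,7 +51,9 @@` here) may only apply with fuzz. Refreshing all patches against the same tree before the next update keeps the quilt state consistent.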
--- a/fix_hadoop.patch +++ b/fix_hadoop.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20210419/policy/modules/roles/sysadm.te +Index: fedora-policy-20210628/policy/modules/roles/sysadm.te =================================================================== ---- fedora-policy-20210419.orig/policy/modules/roles/sysadm.te -+++ fedora-policy-20210419/policy/modules/roles/sysadm.te -@@ -298,10 +298,6 @@ optional_policy(` +--- fedora-policy-20210628.orig/policy/modules/roles/sysadm.te ++++ fedora-policy-20210628/policy/modules/roles/sysadm.te +@@ -295,10 +295,6 @@ optional_policy(` ') optional_policy(` @@ -13,11 +13,11 @@ Index: fedora-policy-20210419/policy/modules/roles/sysadm.te iotop_run(sysadm_t, sysadm_r) ') -Index: fedora-policy-20210419/policy/modules/roles/unprivuser.te +Index: fedora-policy-20210628/policy/modules/roles/unprivuser.te =================================================================== ---- fedora-policy-20210419.orig/policy/modules/roles/unprivuser.te -+++ fedora-policy-20210419/policy/modules/roles/unprivuser.te -@@ -209,10 +209,6 @@ ifndef(`distro_redhat',` +--- fedora-policy-20210628.orig/policy/modules/roles/unprivuser.te ++++ fedora-policy-20210628/policy/modules/roles/unprivuser.te +@@ -205,10 +205,6 @@ ifndef(`distro_redhat',` ') optional_policy(` diff --git a/fix_init.patch b/fix_init.patch index 925d9c9..ed85022 100644 --- a/fix_init.patch +++ b/fix_init.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20210419/policy/modules/system/init.if +Index: fedora-policy-20210716/policy/modules/system/init.if =================================================================== ---- fedora-policy-20210419.orig/policy/modules/system/init.if -+++ fedora-policy-20210419/policy/modules/system/init.if -@@ -3242,6 +3242,7 @@ interface(`init_filetrans_named_content' +--- fedora-policy-20210716.orig/policy/modules/system/init.if ++++ fedora-policy-20210716/policy/modules/system/init.if +@@ -3296,6 +3296,7 @@ interface(`init_filetrans_named_content' files_etc_filetrans($1, machineid_t, file, "machine-id" ) files_pid_filetrans($1, initctl_t, fifo_file, "fifo" ) init_pid_filetrans($1, systemd_unit_file_t, dir, "generator") @@ -10,11 +10,11 @@ Index: fedora-policy-20210419/policy/modules/system/init.if init_pid_filetrans($1, systemd_unit_file_t, dir, "system") ') -Index: fedora-policy-20210419/policy/modules/system/init.te +Index: fedora-policy-20210716/policy/modules/system/init.te =================================================================== ---- fedora-policy-20210419.orig/policy/modules/system/init.te -+++ fedora-policy-20210419/policy/modules/system/init.te -@@ -269,6 +269,8 @@ corecmd_exec_bin(init_t) +--- fedora-policy-20210716.orig/policy/modules/system/init.te ++++ fedora-policy-20210716/policy/modules/system/init.te +@@ -267,6 +267,8 @@ corecmd_exec_bin(init_t) corenet_all_recvfrom_netlabel(init_t) corenet_tcp_bind_all_ports(init_t) corenet_udp_bind_all_ports(init_t) @@ -23,7 +23,7 @@ Index: fedora-policy-20210419/policy/modules/system/init.te dev_create_all_files(init_t) dev_create_all_chr_files(init_t) -@@ -397,6 +399,7 @@ logging_manage_audit_config(init_t) +@@ -391,6 +393,7 @@ logging_manage_audit_config(init_t) logging_create_syslog_netlink_audit_socket(init_t) logging_write_var_log_dirs(init_t) logging_manage_var_log_symlinks(init_t) 
@@ -31,14 +31,13 @@ Index: fedora-policy-20210419/policy/modules/system/init.te seutil_read_config(init_t) seutil_read_login_config(init_t) -@@ -446,11 +449,16 @@ ifdef(`distro_redhat',` +@@ -441,10 +444,15 @@ ifdef(`distro_redhat',` corecmd_shell_domtrans(init_t, initrc_t) storage_raw_rw_fixed_disk(init_t) +storage_raw_read_removable_device(init_t) sysnet_read_dhcpc_state(init_t) - sysnet_watch_config(init_t) optional_policy(` + networkmanager_initrc_read_lnk_files(init_t) @@ -48,7 +47,7 @@ Index: fedora-policy-20210419/policy/modules/system/init.te bootloader_domtrans(init_t) ') -@@ -568,10 +576,10 @@ tunable_policy(`init_audit_control',` +@@ -562,10 +570,10 @@ tunable_policy(`init_audit_control',` allow init_t self:system all_system_perms; allow init_t self:system module_load; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -61,7 +60,7 @@ Index: fedora-policy-20210419/policy/modules/system/init.te allow init_t self:netlink_selinux_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; # Until systemd is fixed -@@ -629,6 +637,7 @@ files_delete_all_spool_sockets(init_t) +@@ -623,6 +631,7 @@ files_delete_all_spool_sockets(init_t) files_create_var_lib_dirs(init_t) files_create_var_lib_symlinks(init_t) files_read_var_lib_symlinks(init_t) @@ -69,7 +68,7 @@ Index: fedora-policy-20210419/policy/modules/system/init.te files_manage_urandom_seed(init_t) files_list_locks(init_t) files_list_spool(init_t) -@@ -665,7 +674,7 @@ fs_list_all(init_t) +@@ -659,7 +668,7 @@ fs_list_all(init_t) fs_list_auto_mountpoints(init_t) fs_register_binary_executable_type(init_t) fs_relabel_tmpfs_sock_file(init_t) 
@@ -78,7 +77,7 @@ Index: fedora-policy-20210419/policy/modules/system/init.te fs_relabel_cgroup_dirs(init_t) fs_search_cgroup_dirs(init_t) # for network namespaces -@@ -721,6 +730,7 @@ systemd_write_inherited_logind_sessions_ +@@ -715,6 +724,7 @@ systemd_write_inherited_logind_sessions_ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) create_dirs_pattern(init_t, var_log_t, var_log_t) @@ -86,7 +85,7 @@ Index: fedora-policy-20210419/policy/modules/system/init.te auth_use_nsswitch(init_t) auth_rw_login_records(init_t) -@@ -1574,6 +1584,8 @@ optional_policy(` +@@ -1556,6 +1566,8 @@ optional_policy(` optional_policy(` postfix_list_spool(initrc_t) diff --git a/fix_logging.patch b/fix_logging.patch index 9014ac6..8f3a10d 100644 --- a/fix_logging.patch +++ b/fix_logging.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20210309/policy/modules/system/logging.fc +Index: fedora-policy-20210628/policy/modules/system/logging.fc =================================================================== ---- fedora-policy-20210309.orig/policy/modules/system/logging.fc -+++ fedora-policy-20210309/policy/modules/system/logging.fc +--- fedora-policy-20210628.orig/policy/modules/system/logging.fc ++++ fedora-policy-20210628/policy/modules/system/logging.fc @@ -3,6 +3,8 @@ /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) 
@@ -19,11 +19,11 @@ Index: fedora-policy-20210309/policy/modules/system/logging.fc /var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) -Index: fedora-policy-20210309/policy/modules/system/logging.if +Index: fedora-policy-20210628/policy/modules/system/logging.if =================================================================== ---- fedora-policy-20210309.orig/policy/modules/system/logging.if -+++ fedora-policy-20210309/policy/modules/system/logging.if -@@ -1722,3 +1722,22 @@ interface(`logging_dgram_send',` +--- fedora-policy-20210628.orig/policy/modules/system/logging.if ++++ fedora-policy-20210628/policy/modules/system/logging.if +@@ -1782,3 +1782,22 @@ interface(`logging_dgram_send',` allow $1 syslogd_t:unix_dgram_socket sendto; ') diff --git a/fix_logrotate.patch b/fix_logrotate.patch index 1b6fe37..7cb2f23 100644 --- a/fix_logrotate.patch +++ b/fix_logrotate.patch @@ -1,8 +1,8 @@ -Index: fedora-policy/policy/modules/contrib/logrotate.te +Index: fedora-policy-20210628/policy/modules/contrib/logrotate.te =================================================================== ---- fedora-policy.orig/policy/modules/contrib/logrotate.te -+++ fedora-policy/policy/modules/contrib/logrotate.te -@@ -107,6 +107,7 @@ files_var_lib_filetrans(logrotate_t, log +--- fedora-policy-20210628.orig/policy/modules/contrib/logrotate.te ++++ fedora-policy-20210628/policy/modules/contrib/logrotate.te +@@ -104,6 +104,7 @@ files_var_lib_filetrans(logrotate_t, log kernel_read_system_state(logrotate_t) kernel_read_kernel_sysctls(logrotate_t) diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch index 50a8781..abaa320 100644 --- a/fix_networkmanager.patch +++ b/fix_networkmanager.patch 
@@ -1,16 +1,8 @@ -Index: fedora-policy-20210419/policy/modules/contrib/networkmanager.te +Index: fedora-policy-20210628/policy/modules/contrib/networkmanager.te =================================================================== ---- fedora-policy-20210419.orig/policy/modules/contrib/networkmanager.te -+++ fedora-policy-20210419/policy/modules/contrib/networkmanager.te -@@ -97,6 +97,7 @@ read_files_pattern(NetworkManager_t, Net - read_lnk_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) - - list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) -+watch_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) - read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) - read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) - -@@ -241,6 +242,9 @@ userdom_read_home_certs(NetworkManager_t +--- fedora-policy-20210628.orig/policy/modules/contrib/networkmanager.te ++++ fedora-policy-20210628/policy/modules/contrib/networkmanager.te +@@ -243,6 +243,9 @@ userdom_read_home_certs(NetworkManager_t userdom_read_user_home_content_files(NetworkManager_t) userdom_dgram_send(NetworkManager_t) @@ -20,7 +12,7 @@ Index: fedora-policy-20210419/policy/modules/contrib/networkmanager.te tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(NetworkManager_t) ') -@@ -258,6 +262,14 @@ optional_policy(` +@@ -260,6 +263,14 @@ optional_policy(` ') optional_policy(` 
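Review bot: The refresh of fix_networkmanager.patch drops the whole nested hunk that added `watch_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)` at networkmanager.te:97, and nothing on the page says why; the changelog entry only lists the file as "Refreshed". If the rule was merged into the 20210628/20210716 upstream base the drop is correct, but a line in the changelog entry saying so would let a reviewer verify it; if it was not, NetworkManager loses the inotify watch on its config directory. The same question applies to the init.te additions dropped from fix_systemd_watch.patch later in this commit.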
@@ -35,10 +27,10 @@ Index: fedora-policy-20210419/policy/modules/contrib/networkmanager.te bind_domtrans(NetworkManager_t) bind_manage_cache(NetworkManager_t) bind_kill(NetworkManager_t) -Index: fedora-policy-20210419/policy/modules/contrib/networkmanager.if +Index: fedora-policy-20210628/policy/modules/contrib/networkmanager.if =================================================================== ---- fedora-policy-20210419.orig/policy/modules/contrib/networkmanager.if -+++ fedora-policy-20210419/policy/modules/contrib/networkmanager.if +--- fedora-policy-20210628.orig/policy/modules/contrib/networkmanager.if ++++ fedora-policy-20210628/policy/modules/contrib/networkmanager.if @@ -114,6 +114,24 @@ interface(`networkmanager_initrc_domtran init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ') diff --git a/fix_nscd.patch b/fix_nscd.patch index 2f35b73..56a7c50 100644 --- a/fix_nscd.patch +++ b/fix_nscd.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20210309/policy/modules/contrib/nscd.fc +Index: fedora-policy-20210628/policy/modules/contrib/nscd.fc =================================================================== ---- fedora-policy-20210309.orig/policy/modules/contrib/nscd.fc -+++ fedora-policy-20210309/policy/modules/contrib/nscd.fc +--- fedora-policy-20210628.orig/policy/modules/contrib/nscd.fc ++++ fedora-policy-20210628/policy/modules/contrib/nscd.fc @@ -8,8 +8,10 @@ /var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0) 
@@ -14,11 +14,11 @@ Index: fedora-policy-20210309/policy/modules/contrib/nscd.fc /usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0) + -Index: fedora-policy-20210309/policy/modules/contrib/nscd.te +Index: fedora-policy-20210628/policy/modules/contrib/nscd.te =================================================================== ---- fedora-policy-20210309.orig/policy/modules/contrib/nscd.te -+++ fedora-policy-20210309/policy/modules/contrib/nscd.te -@@ -131,6 +131,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns +--- fedora-policy-20210628.orig/policy/modules/contrib/nscd.te ++++ fedora-policy-20210628/policy/modules/contrib/nscd.te +@@ -130,6 +130,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns userdom_dontaudit_search_user_home_dirs(nscd_t) optional_policy(` diff --git a/fix_rpm.patch b/fix_rpm.patch index 0545aa8..e5d9b7c 100644 --- a/fix_rpm.patch +++ b/fix_rpm.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20210309/policy/modules/contrib/rpm.fc +Index: fedora-policy-20210628/policy/modules/contrib/rpm.fc =================================================================== ---- fedora-policy-20210309.orig/policy/modules/contrib/rpm.fc -+++ fedora-policy-20210309/policy/modules/contrib/rpm.fc +--- fedora-policy-20210628.orig/policy/modules/contrib/rpm.fc ++++ fedora-policy-20210628/policy/modules/contrib/rpm.fc @@ -18,6 +18,10 @@ /usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) 
@@ -22,11 +22,11 @@ Index: fedora-policy-20210309/policy/modules/contrib/rpm.fc /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -Index: fedora-policy-20210309/policy/modules/contrib/rpm.if +Index: fedora-policy-20210628/policy/modules/contrib/rpm.if =================================================================== ---- fedora-policy-20210309.orig/policy/modules/contrib/rpm.if -+++ fedora-policy-20210309/policy/modules/contrib/rpm.if -@@ -476,8 +476,10 @@ interface(`rpm_named_filetrans',` +--- fedora-policy-20210628.orig/policy/modules/contrib/rpm.if ++++ fedora-policy-20210628/policy/modules/contrib/rpm.if +@@ -479,8 +479,10 @@ interface(`rpm_named_filetrans',` logging_log_named_filetrans($1, rpm_log_t, file, "yum.log") logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log") logging_log_named_filetrans($1, rpm_log_t, file, "up2date") @@ -37,10 +37,10 @@ Index: fedora-policy-20210309/policy/modules/contrib/rpm.if files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf") files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum") files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm") -Index: fedora-policy-20210309/policy/modules/kernel/files.fc +Index: fedora-policy-20210628/policy/modules/kernel/files.fc =================================================================== ---- fedora-policy-20210309.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20210309/policy/modules/kernel/files.fc +--- fedora-policy-20210628.orig/policy/modules/kernel/files.fc ++++ fedora-policy-20210628/policy/modules/kernel/files.fc @@ -67,6 +67,7 @@ ifdef(`distro_suse',` /etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) 
diff --git a/fix_selinuxutil.patch b/fix_selinuxutil.patch index 831ee7c..84e87ac 100644 --- a/fix_selinuxutil.patch +++ b/fix_selinuxutil.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20210309/policy/modules/system/selinuxutil.te +Index: fedora-policy-20210628/policy/modules/system/selinuxutil.te =================================================================== ---- fedora-policy-20210309.orig/policy/modules/system/selinuxutil.te -+++ fedora-policy-20210309/policy/modules/system/selinuxutil.te +--- fedora-policy-20210628.orig/policy/modules/system/selinuxutil.te ++++ fedora-policy-20210628/policy/modules/system/selinuxutil.te @@ -238,6 +238,10 @@ ifdef(`hide_broken_symptoms',` ') @@ -13,7 +13,7 @@ Index: fedora-policy-20210309/policy/modules/system/selinuxutil.te portage_dontaudit_use_fds(load_policy_t) ') -@@ -619,6 +623,10 @@ logging_send_audit_msgs(setfiles_t) +@@ -618,6 +622,10 @@ logging_send_audit_msgs(setfiles_t) logging_send_syslog_msg(setfiles_t) optional_policy(` @@ -24,11 +24,11 @@ Index: fedora-policy-20210309/policy/modules/system/selinuxutil.te cloudform_dontaudit_write_cloud_log(setfiles_t) ') -Index: fedora-policy-20210309/policy/modules/system/selinuxutil.if +Index: fedora-policy-20210628/policy/modules/system/selinuxutil.if =================================================================== ---- fedora-policy-20210309.orig/policy/modules/system/selinuxutil.if -+++ fedora-policy-20210309/policy/modules/system/selinuxutil.if -@@ -777,6 +777,8 @@ interface(`seutil_dontaudit_read_config' +--- fedora-policy-20210628.orig/policy/modules/system/selinuxutil.if ++++ fedora-policy-20210628/policy/modules/system/selinuxutil.if +@@ -795,6 +795,8 @@ interface(`seutil_dontaudit_read_config' dontaudit $1 selinux_config_t:dir search_dir_perms; dontaudit $1 selinux_config_t:file read_file_perms; diff --git a/fix_systemd.patch b/fix_systemd.patch index cd39f53..02f834e 100644 --- a/fix_systemd.patch +++ b/fix_systemd.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy-20210309/policy/modules/system/systemd.te +Index: fedora-policy-20210628/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20210309.orig/policy/modules/system/systemd.te -+++ fedora-policy-20210309/policy/modules/system/systemd.te +--- fedora-policy-20210628.orig/policy/modules/system/systemd.te ++++ fedora-policy-20210628/policy/modules/system/systemd.te @@ -347,6 +347,10 @@ userdom_manage_user_tmp_chr_files(system xserver_dbus_chat(systemd_logind_t) @@ -13,7 +13,7 @@ Index: fedora-policy-20210309/policy/modules/system/systemd.te apache_read_tmp_files(systemd_logind_t) ') -@@ -853,6 +857,10 @@ optional_policy(` +@@ -854,6 +858,10 @@ optional_policy(` udev_read_pid_files(systemd_hostnamed_t) ') diff --git a/fix_systemd_watch.patch b/fix_systemd_watch.patch index fb52641..65b98c8 100644 --- a/fix_systemd_watch.patch +++ b/fix_systemd_watch.patch 
@@ -1,38 +1,17 @@
-Index: fedora-policy-20210419/policy/modules/system/systemd.te
+Index: fedora-policy-20210716/policy/modules/system/systemd.te
 ===================================================================
---- fedora-policy-20210419.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20210419/policy/modules/system/systemd.te
-@@ -1357,3 +1357,10 @@ fstools_rw_swap_files(systemd_sleep_t)
- 
+--- fedora-policy-20210716.orig/policy/modules/system/systemd.te
++++ fedora-policy-20210716/policy/modules/system/systemd.te
+@@ -1396,6 +1396,12 @@ fstools_rw_swap_files(systemd_sleep_t)
  # systemd-sleep needs to getattr swap partitions
  storage_getattr_fixed_disk_dev(systemd_sleep_t)
-+
-+
+ 
 +#######################################
 +#
 +# Allow systemd to watch certificate dir for ca-certificates
 +#
 +watch_dirs_pattern(init_t,cert_t,cert_t)
-Index: fedora-policy-20210419/policy/modules/system/init.te
-===================================================================
---- fedora-policy-20210419.orig/policy/modules/system/init.te
-+++ fedora-policy-20210419/policy/modules/system/init.te
-@@ -317,7 +317,10 @@ files_etc_filetrans_etc_runtime(init_t,
- # Run /etc/X11/prefdm:
- files_exec_etc_files(init_t)
- files_watch_etc_dirs(init_t)
-+files_watch_etc_files(init_t)
- files_read_usr_files(init_t)
-+files_watch_usr_dirs(init_t)
-+files_watch_usr_files(init_t)
- files_watch_root_dirs(init_t)
- files_write_root_dirs(init_t)
- files_watch_var_dirs(init_t)
-@@ -334,6 +337,7 @@ files_remount_rootfs(init_t)
- files_create_var_dirs(init_t)
- files_watch_home(init_t)
- files_watch_all_pid(init_t)
-+watch_dirs_pattern(init_t,lib_t,lib_t)
- 
- fs_list_inotifyfs(init_t)
- # cjp: this may be related to /dev/log
++
+ optional_policy(`
+ sysstat_domtrans(systemd_sleep_t)
+ ')
diff --git a/fix_thunderbird.patch b/fix_thunderbird.patch
index 0e2ee48..159afc4 100644
--- a/fix_thunderbird.patch
+++ b/fix_thunderbird.patch
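Review bot: The one rule the refreshed patch still adds, `watch_dirs_pattern(init_t,cert_t,cert_t)`, is an init_t rule, yet it now sits inside the systemd_sleep_t section of systemd.te (between storage_getattr_fixed_disk_dev(systemd_sleep_t) and the sysstat optional_policy block), so a reader of that section will take it for a systemd-sleep permission. It belongs in init.te next to the other init_t watch rules, or at least under a heading that names the domain; the header comment could read `# Allow init_t (systemd) to watch cert_t dirs so ca-certificates updates are noticed`. Using the raw pattern on cert_t also bypasses the miscfiles module's interfaces; if one exists for watching cert dirs it should be preferred so the type stays encapsulated. Whether the dropped init.te additions (files_watch_etc_files, files_watch_usr_dirs, files_watch_usr_files, watch_dirs_pattern(init_t,lib_t,lib_t)) are now provided upstream is not stated here beyond "to adapt to upstream changes" in the changelog.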
@@ -1,8 +1,8 @@ -Index: fedora-policy/policy/modules/contrib/thunderbird.te +Index: fedora-policy-20210628/policy/modules/contrib/thunderbird.te =================================================================== ---- fedora-policy.orig/policy/modules/contrib/thunderbird.te -+++ fedora-policy/policy/modules/contrib/thunderbird.te -@@ -139,7 +139,6 @@ optional_policy(` +--- fedora-policy-20210628.orig/policy/modules/contrib/thunderbird.te ++++ fedora-policy-20210628/policy/modules/contrib/thunderbird.te +@@ -138,7 +138,6 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(thunderbird_t) gnome_domtrans_gconfd(thunderbird_t) diff --git a/fix_unconfined.patch b/fix_unconfined.patch index 468bdf3..114c71d 100644 --- a/fix_unconfined.patch +++ b/fix_unconfined.patch @@ -1,7 +1,7 @@ -Index: fedora-policy/policy/modules/system/unconfined.te +Index: fedora-policy-20210628/policy/modules/system/unconfined.te =================================================================== ---- fedora-policy.orig/policy/modules/system/unconfined.te -+++ fedora-policy/policy/modules/system/unconfined.te +--- fedora-policy-20210628.orig/policy/modules/system/unconfined.te ++++ fedora-policy-20210628/policy/modules/system/unconfined.te @@ -1,5 +1,10 @@ policy_module(unconfined, 3.5.0) @@ -13,7 +13,7 @@ Index: fedora-policy/policy/modules/system/unconfined.te ######################################## # # Declarations -@@ -39,3 +44,6 @@ optional_policy(` +@@ -41,3 +46,6 @@ optional_policy(` optional_policy(` container_runtime_domtrans(unconfined_service_t) ') diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch index 55b9dda..0161703 100644 --- a/fix_unconfineduser.patch +++ b/fix_unconfineduser.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20210419/policy/modules/roles/unconfineduser.te +Index: fedora-policy-20210628/policy/modules/roles/unconfineduser.te =================================================================== ---- fedora-policy-20210419.orig/policy/modules/roles/unconfineduser.te -+++ fedora-policy-20210419/policy/modules/roles/unconfineduser.te -@@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all' +--- fedora-policy-20210628.orig/policy/modules/roles/unconfineduser.te ++++ fedora-policy-20210628/policy/modules/roles/unconfineduser.te +@@ -126,6 +126,11 @@ tunable_policy(`unconfined_dyntrans_all' domain_dyntrans(unconfined_t) ') @@ -14,7 +14,7 @@ Index: fedora-policy-20210419/policy/modules/roles/unconfineduser.te optional_policy(` gen_require(` type unconfined_t; -@@ -214,6 +219,10 @@ optional_policy(` +@@ -212,6 +217,10 @@ optional_policy(` ') optional_policy(` @@ -25,7 +25,7 @@ Index: fedora-policy-20210419/policy/modules/roles/unconfineduser.te chrome_role_notrans(unconfined_r, unconfined_t) tunable_policy(`unconfined_chrome_sandbox_transition',` -@@ -248,6 +257,18 @@ optional_policy(` +@@ -246,6 +255,18 @@ optional_policy(` dbus_stub(unconfined_t) optional_policy(` @@ -44,7 +44,7 @@ Index: fedora-policy-20210419/policy/modules/roles/unconfineduser.te bluetooth_dbus_chat(unconfined_t) ') -@@ -311,6 +332,10 @@ optional_policy(` +@@ -309,6 +330,10 @@ optional_policy(` ') optional_policy(` diff --git a/fix_unprivuser.patch b/fix_unprivuser.patch index 26ac928..f23ba18 100644 --- a/fix_unprivuser.patch +++ b/fix_unprivuser.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20210419/policy/modules/roles/unprivuser.te +Index: fedora-policy-20210628/policy/modules/roles/unprivuser.te =================================================================== ---- fedora-policy-20210419.orig/policy/modules/roles/unprivuser.te -+++ fedora-policy-20210419/policy/modules/roles/unprivuser.te -@@ -291,6 +291,13 @@ ifndef(`distro_redhat',` +--- fedora-policy-20210628.orig/policy/modules/roles/unprivuser.te ++++ fedora-policy-20210628/policy/modules/roles/unprivuser.te +@@ -287,6 +287,13 @@ ifndef(`distro_redhat',` ') optional_policy(` diff --git a/fix_xserver.patch b/fix_xserver.patch index 14f6700..785494c 100644 --- a/fix_xserver.patch +++ b/fix_xserver.patch @@ -1,7 +1,7 @@ -Index: fedora-policy/policy/modules/services/xserver.fc +Index: fedora-policy-20210628/policy/modules/services/xserver.fc =================================================================== ---- fedora-policy.orig/policy/modules/services/xserver.fc -+++ fedora-policy/policy/modules/services/xserver.fc +--- fedora-policy-20210628.orig/policy/modules/services/xserver.fc ++++ fedora-policy-20210628/policy/modules/services/xserver.fc @@ -71,6 +71,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) @@ -18,7 +18,7 @@ Index: fedora-policy/policy/modules/services/xserver.fc /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0) -@@ -135,6 +137,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ +@@ -136,6 +138,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ /usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0) /usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0) 
@@ -26,11 +26,11 @@ Index: fedora-policy/policy/modules/services/xserver.fc ifndef(`distro_debian',` /usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) ') -Index: fedora-policy/policy/modules/services/xserver.te +Index: fedora-policy-20210628/policy/modules/services/xserver.te =================================================================== ---- fedora-policy.orig/policy/modules/services/xserver.te -+++ fedora-policy/policy/modules/services/xserver.te -@@ -477,6 +477,10 @@ userdom_delete_user_home_content_files(x +--- fedora-policy-20210628.orig/policy/modules/services/xserver.te ++++ fedora-policy-20210628/policy/modules/services/xserver.te +@@ -473,6 +473,10 @@ userdom_delete_user_home_content_files(x userdom_signull_unpriv_users(xdm_t) userdom_dontaudit_read_admin_home_lnk_files(xdm_t) diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf index 3c380c0..f5bcc4c 100644 --- a/modules-targeted-base.conf +++ b/modules-targeted-base.conf @@ -412,10 +412,3 @@ rtorrent = module # Policy for wicked # wicked = module - -# Layer: contrib -# Module: tabrmd -# -# Policy for tabrmd -# -tabrmd = module diff --git a/selinux-policy.changes b/selinux-policy.changes index b4cf233..a097bed 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Fri Jul 16 07:11:57 UTC 2021 - Johannes Segitz + +- Update to version 20210716 +- Remove interfaces for container module before building the package + (bsc#1188184) +- Updated + * fix_init.patch + * fix_systemd_watch.patch + to adapt to upstream changes + +------------------------------------------------------------------- +Thu Jul 15 15:45:57 UTC 2021 - Callum Farmer + +- Use tabrmd SELinux modules from tpm2.0-abrmd instead of storing + here + ------------------------------------------------------------------- Tue Jul 6 13:55:19 UTC 2021 - Alberto Planas Dominguez 
@@ -5,6 +22,30 @@ Tue Jul 6 13:55:19 UTC 2021 - Alberto Planas Dominguez https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux - Automatic spec-cleaner to fix ordering and misaligned spaces +------------------------------------------------------------------- +Mon Jun 28 08:11:25 UTC 2021 - Johannes Segitz + +- Update to version 20210419 +- Dropped fix_gift.patch, module was removed +- Updated wicked.te to removed dropped interface +- Refreshed: + * fix_cockpit.patch + * fix_hadoop.patch + * fix_init.patch + * fix_logging.patch + * fix_logrotate.patch + * fix_networkmanager.patch + * fix_nscd.patch + * fix_rpm.patch + * fix_selinuxutil.patch + * fix_systemd.patch + * fix_systemd_watch.patch + * fix_thunderbird.patch + * fix_unconfined.patch + * fix_unconfineduser.patch + * fix_unprivuser.patch + * fix_xserver.patch + ------------------------------------------------------------------- Tue May 18 11:10:59 UTC 2021 - Ludwig Nussel diff --git a/selinux-policy.spec b/selinux-policy.spec index 4687a5f..413e576 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -33,7 +33,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20210419 +Version: 20210716 Release: 0 Source: fedora-policy-%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc @@ -81,13 +81,9 @@ Source125: rtorrent.fc Source126: wicked.te Source127: wicked.if Source128: wicked.fc -Source129: tabrmd.te -Source130: tabrmd.if -Source131: tabrmd.fc Patch001: fix_djbdns.patch Patch002: fix_dbus.patch -Patch003: fix_gift.patch Patch004: fix_java.patch Patch005: fix_hadoop.patch Patch006: fix_thunderbird.patch 
@@ -424,7 +420,7 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} cp $i selinux_config done -for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do +for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do cp $i policy/modules/contrib done @@ -475,6 +471,8 @@ install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/ mkdir %{buildroot}%{_datadir}/selinux/devel/html mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html +rm %{buildroot}%{_mandir}/man8/container_selinux.8* +rm %{buildroot}%{_datadir}/selinux/devel/include/services/container.if %post if [ ! -s %{_sysconfdir}/selinux/config ]; then diff --git a/tabrmd.fc b/tabrmd.fc deleted file mode 100644 index 9f9ec1e..0000000 --- a/tabrmd.fc +++ /dev/null @@ -1,2 +0,0 @@ -/usr/sbin/tpm2-abrmd -- gen_context(system_u:object_r:tabrmd_exec_t,s0) -/usr/local/sbin/tpm2-abrmd -- gen_context(system_u:object_r:tabrmd_exec_t,s0) diff --git a/tabrmd.if b/tabrmd.if deleted file mode 100644 index 5846dc1..0000000 --- a/tabrmd.if +++ /dev/null @@ -1 +0,0 @@ -## diff --git a/tabrmd.te b/tabrmd.te deleted file mode 100644 index b0f8af4..0000000 --- a/tabrmd.te +++ /dev/null 
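Review bot: The two new `rm` lines in %install carry no comment explaining why the container module's interface file and man page are stripped from the devel tree while the module itself is still built; the changelog cites bsc#1188184, so a line such as `# drop the container module's interface and man page from the devel tree (bsc#1188184)` above them would keep that reason with the code. The path `%{_datadir}/selinux/devel/include/services/container.if` is coupled to update.sh, which in this same commit moves container.* into policy/modules/services/; if that location changes again the `rm` (no -f) aborts the build, which may be intended as a guard but deserves a word. The enclosing %install section starts outside the hunk.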
@@ -1,29 +0,0 @@ -policy_module(tabrmd, 0.0.2) - -######################################## -# -# Declarations -# - -gen_tunable(`tabrmd_connect_all_unreserved', false) - -type tabrmd_t; -type tabrmd_exec_t; -init_daemon_domain(tabrmd_t, tabrmd_exec_t) - -allow tabrmd_t self:unix_dgram_socket { create_socket_perms }; - -dev_rw_tpm(tabrmd_t) -logging_send_syslog_msg(tabrmd_t) -sysnet_dns_name_resolve(tabrmd_t) - -optional_policy(` - dbus_stub() - dbus_system_domain(tabrmd_t, tabrmd_exec_t) - allow system_dbusd_t tabrmd_t:unix_stream_socket rw_stream_socket_perms; - fwupd_dbus_chat(tabrmd_t) -') - -tunable_policy(`tabrmd_connect_all_unreserved',` - corenet_tcp_connect_all_unreserved_ports(tabrmd_t) -') diff --git a/update.sh b/update.sh index a2790b1..92f709c 100644 --- a/update.sh +++ b/update.sh @@ -11,7 +11,7 @@ git clone --depth 1 https://github.com/containers/container-selinux.git mv selinux-policy fedora-policy-$date rm -rf fedora-policy-$date/.git* -mv container-selinux/container.* fedora-policy-$date/policy/modules/contrib/ +mv container-selinux/container.* fedora-policy-$date/policy/modules/services/ rm -f fedora-policy?$date.tar* tar cf fedora-policy-$date.tar fedora-policy-$date diff --git a/wicked.te b/wicked.te index 3e9849b..8441a29 100644 --- a/wicked.te +++ b/wicked.te @@ -326,10 +326,6 @@ optional_policy(` fcoe_dgram_send_fcoemon(wicked_t) ') -optional_policy(` - hal_write_log(wicked_t) -') - optional_policy(` howl_signal(wicked_t) ') From feeb03e48be012bf8d86ef8bbbd71292f9b66a6e19e13dc8b0d5320130b6b38c Mon Sep 17 00:00:00 2001 
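Review bot: The changed `mv` now places the upstream container-selinux files under policy/modules/services/, and selinux-policy.spec in this commit depends on exactly that location when it removes devel/include/services/container.if; a comment on the line would record the coupling, e.g. `# services/: selinux-policy.spec later removes devel/include/services/container.if (bsc#1188184)`. Separately, and pre-existing, the context line clones container-selinux at an unpinned HEAD with `git clone --depth 1`, so the contents of fedora-policy-$date.tar depend on when the script runs; pinning a tag or commit would make the tarball reproducible and reviewable.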
From: Richard Brown
Date: Thu, 19 Aug 2021 11:39:01 +0000
Subject: [PATCH 16/35] Accepting request 912873 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/912873
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=16
---
 fix_kernel_sysctl.patch | 26 ++++++++++++++++++++++++++
 selinux-policy.changes | 11 +++++++++++
 selinux-policy.spec | 8 +++++---
 3 files changed, 42 insertions(+), 3 deletions(-)
 create mode 100644 fix_kernel_sysctl.patch
diff --git a/fix_kernel_sysctl.patch b/fix_kernel_sysctl.patch
new file mode 100644
index 0000000..757d195
--- /dev/null
+++ b/fix_kernel_sysctl.patch
@@ -0,0 +1,26 @@
+Index: fedora-policy-20210716/policy/modules/kernel/files.fc
+===================================================================
+--- fedora-policy-20210716.orig/policy/modules/kernel/files.fc
++++ fedora-policy-20210716/policy/modules/kernel/files.fc
+@@ -236,6 +236,8 @@ ifdef(`distro_redhat',`
+ /usr/lib/ostree-boot(/.*)? gen_context(system_u:object_r:usr_t,s0)
+ /usr/lib/modules(/.*)/vmlinuz -- gen_context(system_u:object_r:usr_t,s0)
+ /usr/lib/modules(/.*)/initramfs.img -- gen_context(system_u:object_r:usr_t,s0)
++/usr/lib/modules(/.*)/sysctl.conf -- gen_context(system_u:object_r:usr_t,s0)
++/usr/lib/modules(/.*)/System.map -- gen_context(system_u:object_r:system_map_t,s0)
+ 
+ /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
+ 
+Index: fedora-policy-20210716/policy/modules/system/systemd.te
+===================================================================
+--- fedora-policy-20210716.orig/policy/modules/system/systemd.te
++++ fedora-policy-20210716/policy/modules/system/systemd.te
+@@ -1027,6 +1027,8 @@ init_stream_connect(systemd_sysctl_t)
+ logging_send_syslog_msg(systemd_sysctl_t)
+ 
+ systemd_read_efivarfs(systemd_sysctl_t)
++# kernel specific sysctl.conf may be in modules dir
++allow systemd_sysctl_t modules_object_t:dir search;
+ 
+ #######################################
+ #
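Review bot: The new `allow systemd_sysctl_t modules_object_t:dir search;` in systemd.te is a raw allow on a type owned by the files module; refpolicy convention is to call the owning module's interface, `files_search_kernel_modules(systemd_sysctl_t)`, which keeps modules_object_t encapsulated and survives a type rename. The files.fc hunk also relabels `/usr/lib/modules(/.*)/System.map` to system_map_t, a separate tightening from the sysctl.conf fix that the patch comment and changelog describe; a short comment on that line, or a changelog mention, would make the intent reviewable. Search on the directory is only sufficient if systemd_sysctl_t can already read usr_t files, which this hunk does not show and is presumably granted elsewhere in systemd.te.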
diff --git a/selinux-policy.changes b/selinux-policy.changes index a097bed..2c52444 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Tue Aug 17 16:03:08 UTC 2021 - Ludwig Nussel + +- Allow systemd-sysctl to read kernel specific sysctl.conf + (fix_kernel_sysctl.patch, boo#1184804) + +------------------------------------------------------------------- +Tue Aug 10 08:31:16 UTC 2021 - Ludwig Nussel + +- Fix quoting in postInstall macro + ------------------------------------------------------------------- Fri Jul 16 07:11:57 UTC 2021 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index 413e576..dce81b7 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -131,6 +131,8 @@ Patch051: fix_dovecot.patch # https://github.com/cockpit-project/cockpit/pull/15758 Patch052: fix_cockpit.patch Patch053: fix_systemd_watch.patch +# kernel specific sysctl.conf (boo#1184804) +Patch054: fix_kernel_sysctl.patch Patch100: sedoctool.patch @@ -304,9 +306,9 @@ fi; %define postInstall() \ . %{_sysconfdir}/selinux/config; \ -if [ -e %{_sysconfdir}/selinux/%%2/.rebuild ]; then \ - rm %{_sysconfdir}/selinux/%%2/.rebuild; \ - /usr/sbin/semodule -B -n -s %%2; \ +if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \ + rm %{_sysconfdir}/selinux/%2/.rebuild; \ + /usr/sbin/semodule -B -n -s %2; \ fi; \ if [ -n "${TRANSACTIONAL_UPDATE}" ]; then \ touch /etc/selinux/.autorelabel \ From 33d04f1b0d3ce35662bdbab3a443dd30ac7f40bbf58e86f0b9329b26ea3f8007 Mon Sep 17 00:00:00 2001 
From: Dominique Leuenberger Date: Thu, 2 Sep 2021 21:20:08 +0000 Subject: [PATCH 17/35] Accepting request 915717 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/915717 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=17 --- fix_cockpit.patch | 28 +++++++++++++++-- fix_systemd.patch | 19 ++++++++---- modules-minimum-base.conf | 1 - modules-targeted-base.conf | 7 +++++ rebootmgr.fc | 1 + rebootmgr.if | 61 ++++++++++++++++++++++++++++++++++++++ rebootmgr.te | 37 +++++++++++++++++++++++ selinux-policy.changes | 24 +++++++++++++++ selinux-policy.spec | 5 +++- wicked.te | 4 +++ 10 files changed, 177 insertions(+), 10 deletions(-) create mode 100644 rebootmgr.fc create mode 100644 rebootmgr.if create mode 100644 rebootmgr.te diff --git a/fix_cockpit.patch b/fix_cockpit.patch index d4eae49..99c363e 100644 --- a/fix_cockpit.patch +++ b/fix_cockpit.patch @@ -9,10 +9,10 @@ cockpit.socket fails to start if kerberos_enabled=false policy/modules/contrib/cockpit.te | 2 ++ 1 file changed, 2 insertions(+) -Index: fedora-policy-20210628/policy/modules/contrib/cockpit.te +Index: fedora-policy-20210716/policy/modules/contrib/cockpit.te =================================================================== ---- fedora-policy-20210628.orig/policy/modules/contrib/cockpit.te -+++ fedora-policy-20210628/policy/modules/contrib/cockpit.te +--- fedora-policy-20210716.orig/policy/modules/contrib/cockpit.te ++++ fedora-policy-20210716/policy/modules/contrib/cockpit.te @@ -51,7 +51,9 @@ can_exec(cockpit_ws_t,cockpit_session_ex dev_read_urand(cockpit_ws_t) # for authkey dev_read_rand(cockpit_ws_t) # for libssh 
@@ -23,3 +23,25 @@ Index: fedora-policy-20210628/policy/modules/contrib/cockpit.te # cockpit-ws can connect to other hosts via ssh corenet_tcp_connect_ssh_port(cockpit_ws_t) +Index: fedora-policy-20210716/policy/modules/contrib/cockpit.fc +=================================================================== +--- fedora-policy-20210716.orig/policy/modules/contrib/cockpit.fc ++++ fedora-policy-20210716/policy/modules/contrib/cockpit.fc +@@ -3,12 +3,12 @@ + /usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) + /etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) + +-/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) +-/usr/libexec/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) +-/usr/libexec/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) ++/usr/lib(exec)?/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) ++/usr/lib(exec)?/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) ++/usr/lib(exec)?/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) + +-/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) +-/usr/libexec/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) ++/usr/lib(exec)?/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) ++/usr/lib(exec)?/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) + + /usr/share/cockpit/motd/update-motd -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) + diff --git a/fix_systemd.patch b/fix_systemd.patch index 02f834e..bdab982 100644 --- a/fix_systemd.patch +++ b/fix_systemd.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20210628/policy/modules/system/systemd.te +Index: fedora-policy-20210716/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20210628.orig/policy/modules/system/systemd.te -+++ fedora-policy-20210628/policy/modules/system/systemd.te -@@ -347,6 +347,10 @@ userdom_manage_user_tmp_chr_files(system +--- fedora-policy-20210716.orig/policy/modules/system/systemd.te ++++ fedora-policy-20210716/policy/modules/system/systemd.te +@@ -352,6 +352,10 @@ userdom_manage_user_tmp_chr_files(system xserver_dbus_chat(systemd_logind_t) optional_policy(` @@ -13,7 +13,7 @@ Index: fedora-policy-20210628/policy/modules/system/systemd.te apache_read_tmp_files(systemd_logind_t) ') -@@ -854,6 +858,10 @@ optional_policy(` +@@ -859,6 +863,10 @@ optional_policy(` udev_read_pid_files(systemd_hostnamed_t) ') @@ -24,3 +24,12 @@ Index: fedora-policy-20210628/policy/modules/system/systemd.te ####################################### # # rfkill policy +@@ -1097,6 +1105,8 @@ systemd_unit_file_filetrans(systemd_gpt_ + systemd_create_unit_file_dirs(systemd_gpt_generator_t) + systemd_create_unit_file_lnk(systemd_gpt_generator_t) + ++udev_read_pid_files(systemd_gpt_generator_t) ++ + ####################################### + # + # systemd_resolved domain diff --git a/modules-minimum-base.conf b/modules-minimum-base.conf index d90e3cb..853e975 100644 --- a/modules-minimum-base.conf +++ b/modules-minimum-base.conf @@ -412,4 +412,3 @@ packagekit = module # Name service cache daemon # nscd = module - diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf index f5bcc4c..5e255b5 100644 --- a/modules-targeted-base.conf +++ b/modules-targeted-base.conf @@ -412,3 +412,10 @@ rtorrent = module # Policy for wicked # wicked = module + +# Layer: system +# Module: rebootmgr +# +# Policy for rebootmgr +# +rebootmgr = module 
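Review bot: The new `udev_read_pid_files(systemd_gpt_generator_t)` is added as a bare call, whereas the equivalent rule for systemd_hostnamed_t a few lines earlier in the same patch sits inside an `optional_policy` block; if udev were ever built as a loadable module rather than base, an unconditional interface call would fail to link when the module is absent. Wrapping it the same way as the hostnamed rule keeps the two consistent and costs nothing. The systemd_gpt_generator_t section this is appended to starts before the hunk.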
diff --git a/rebootmgr.fc b/rebootmgr.fc new file mode 100644 index 0000000..156f78f --- /dev/null +++ b/rebootmgr.fc @@ -0,0 +1 @@ +/usr/sbin/rebootmgrd -- gen_context(system_u:object_r:rebootmgr_exec_t,s0) diff --git a/rebootmgr.if b/rebootmgr.if new file mode 100644 index 0000000..bb42f80 --- /dev/null +++ b/rebootmgr.if @@ -0,0 +1,61 @@ + +## policy for rebootmgr + +######################################## +## +## Execute rebootmgr_exec_t in the rebootmgr domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`rebootmgr_domtrans',` + gen_require(` + type rebootmgr_t, rebootmgr_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, rebootmgr_exec_t, rebootmgr_t) +') + +###################################### +## +## Execute rebootmgr in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`rebootmgr_exec',` + gen_require(` + type rebootmgr_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, rebootmgr_exec_t) +') + +######################################## +## +## Send and receive messages from +## rebootmgr over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`rebootmgr_dbus_chat',` + gen_require(` + type rebootmgr_t; + class dbus send_msg; + ') + + allow $1 rebootmgr_t:dbus send_msg; + allow rebootmgr_t $1:dbus send_msg; +') diff --git a/rebootmgr.te b/rebootmgr.te new file mode 100644 index 0000000..4b4e6ab --- /dev/null +++ b/rebootmgr.te 
@@ -0,0 +1,37 @@
+policy_module(rebootmgr, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rebootmgr_t;
+type rebootmgr_exec_t;
+init_daemon_domain(rebootmgr_t, rebootmgr_exec_t)
+
+########################################
+#
+# rebootmgr local policy
+#
+allow rebootmgr_t self:process { fork };
+allow rebootmgr_t self:fifo_file rw_fifo_file_perms;
+allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(rebootmgr_t)
+
+files_manage_etc_files(rebootmgr_t)
+
+logging_send_syslog_msg(rebootmgr_t)
+
+miscfiles_read_localization(rebootmgr_t)
+
+systemd_start_power_services(rebootmgr_t)
+
+systemd_dbus_chat_logind(rebootmgr_t)
+
+unconfined_dbus_chat(rebootmgr_t)
+
+optional_policy(`
+ dbus_system_bus_client(rebootmgr_t)
+ dbus_connect_system_bus(rebootmgr_t)
+')
diff --git a/selinux-policy.changes
index 2c52444..7f72bd1 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
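Review bot: `files_manage_etc_files(rebootmgr_t)` grants the daemon create/write/delete on every `etc_t` file, while the changelog for this request only asks for managing `/etc/rebootmgr.conf`; a compromised or misbehaving rebootmgrd could then rewrite any unlabeled file under /etc. The usual refpolicy pattern is a private config type, labeled in rebootmgr.fc (`/etc/rebootmgr\.conf -- gen_context(system_u:object_r:rebootmgr_conf_t,s0)`), with manage rights on that type only, as sketched below. `unconfined_dbus_chat(rebootmgr_t)` is likewise broad but is presumably needed for the rebootmgrctl client running in unconfined_t, so a one-line comment stating that would help the next reader.
```m4
# … unchanged: type rebootmgr_t / rebootmgr_exec_t, init_daemon_domain …
type rebootmgr_conf_t;
files_config_file(rebootmgr_conf_t)

# … unchanged: self:process / fifo_file / unix_stream_socket rules …

# Only the daemon's own config file, not every etc_t file; label
# /etc/rebootmgr.conf as rebootmgr_conf_t in rebootmgr.fc.
files_search_etc(rebootmgr_t)
manage_files_pattern(rebootmgr_t, rebootmgr_conf_t, rebootmgr_conf_t)

# … unchanged: logging, localization, systemd and dbus rules …
```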
@@ -1,3 +1,27 @@ +------------------------------------------------------------------- +Thu Sep 2 08:45:24 UTC 2021 - Johannes Segitz + +- Modified fix_systemd.patch to allow systemd gpt generator access to + udev files (bsc#1189280) + +------------------------------------------------------------------- +Fri Aug 27 13:07:54 UTC 2021 - Ales Kedroutek + +- fix rebootmgr does not trigger the reboot properly (boo#1189878) + * fix managing /etc/rebootmgr.conf + * allow rebootmgr_t to cope with systemd and dbus messaging + +------------------------------------------------------------------- +Thu Aug 26 07:37:05 UTC 2021 - Johannes Segitz + +- Properly label cockpit files +- Allow wicked to communicate with network manager on DBUS (bsc#1188331) + +------------------------------------------------------------------- +Mon Aug 23 15:43:28 UTC 2021 - Ales Kedroutek + +- Added policy module for rebootmgr (jsc#SMO-28) + ------------------------------------------------------------------- Tue Aug 17 16:03:08 UTC 2021 - Ludwig Nussel diff --git a/selinux-policy.spec b/selinux-policy.spec index dce81b7..22171f3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -81,6 +81,9 @@ Source125: rtorrent.fc Source126: wicked.te Source127: wicked.if Source128: wicked.fc +Source129: rebootmgr.te +Source130: rebootmgr.if +Source131: rebootmgr.fc Patch001: fix_djbdns.patch Patch002: fix_dbus.patch @@ -422,7 +425,7 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} cp $i selinux_config done -for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do +for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do cp $i policy/modules/contrib done diff --git a/wicked.te b/wicked.te index 8441a29..a5f49ed 100644 --- a/wicked.te +++ b/wicked.te 
@@ -494,6 +494,10 @@ optional_policy(` virt_dbus_chat(wicked_t) ') +optional_policy(` + networkmanager_dbus_chat(wicked_t) +') + #tunable_policy(`use_ecryptfs_home_dirs',` #fs_manage_ecryptfs_files(wicked_t) #') From ae689b83ecbf1c1664eaecee9e429594b9c320ca704cbddb1a784652919c0686 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Fri, 1 Oct 2021 20:28:54 +0000 Subject: [PATCH 18/35] Accepting request 922280 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/922280 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=18 --- fix_auditd.patch | 10 ++++++++++ selinux-policy.changes | 6 ++++++ selinux-policy.spec | 1 + 3 files changed, 17 insertions(+) create mode 100644 fix_auditd.patch diff --git a/fix_auditd.patch b/fix_auditd.patch new file mode 100644 index 0000000..59e2004 --- /dev/null +++ b/fix_auditd.patch @@ -0,0 +1,10 @@ +--- a/policy/modules/system/logging.if ++++ b/policy/modules/system/logging.if +@@ -430,6 +430,7 @@ interface(`logging_manage_audit_config', + + files_search_etc($1) + manage_files_pattern($1, auditd_etc_t, auditd_etc_t) ++ allow $1 auditd_etc_t:dir mounton; + ') + + ######################################## diff --git a/selinux-policy.changes b/selinux-policy.changes index 7f72bd1..d51807e 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Sep 28 12:44:22 UTC 2021 - Enzo Matsumiya + +- Fix auditd service start with systemd hardening directives (boo#1190918) + * add fix_auditd.patch + ------------------------------------------------------------------- Thu Sep 2 08:45:24 UTC 2021 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index 22171f3..fd3ad19 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
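Review bot: The new `allow $1 auditd_etc_t:dir mounton;` is placed inside the shared `logging_manage_audit_config` interface, so every existing caller of that interface gains the mounton permission, not only the domain that needs it for the systemd hardening bind mounts named in the changelog. Since init.te already calls `logging_manage_audit_config(init_t)`, the narrower fix is a dedicated rule next to that call, `allow init_t auditd_etc_t:dir mounton;`, or a small separate interface such as `logging_mounton_audit_config` that init.te calls explicitly. The interface body starts before the hunk, so any other callers it already serves are not visible here.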
@@ -136,6 +136,7 @@ Patch052: fix_cockpit.patch Patch053: fix_systemd_watch.patch # kernel specific sysctl.conf (boo#1184804) Patch054: fix_kernel_sysctl.patch +Patch055: fix_auditd.patch Patch100: sedoctool.patch From 698311c05a4753441f808cf8bc5faae7850e6b692c408c11b5283b5e34356753 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Sat, 30 Oct 2021 21:13:30 +0000 Subject: [PATCH 19/35] Accepting request 927915 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/927915 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=19 --- fix_wine.patch | 23 +++++++++++++++++++++++ selinux-policy.changes | 5 +++++ selinux-policy.spec | 1 + 3 files changed, 29 insertions(+) create mode 100644 fix_wine.patch diff --git a/fix_wine.patch b/fix_wine.patch new file mode 100644 index 0000000..0a5f9d1 --- /dev/null +++ b/fix_wine.patch 
@@ -0,0 +1,23 @@
+Index: fedora-policy-20210716/policy/modules/system/libraries.fc
+===================================================================
+--- fedora-policy-20210716.orig/policy/modules/system/libraries.fc
++++ fedora-policy-20210716/policy/modules/system/libraries.fc
+@@ -90,7 +90,7 @@ ifdef(`distro_redhat',`
+ /opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
+ /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/opt/cx.*/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/cx.*/lib/wine/.+\.(so|dll) -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
+ /opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -173,7 +173,8 @@ ifdef(`distro_redhat',`
+ /usr/lib/systemd/libsystemd-shared-[0-9]+\.so.* -- gen_context(system_u:object_r:lib_t,s0)
+
+ /usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
+-/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/wine/*-windows/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
diff --git a/selinux-policy.changes
index d51807e..87e9a1a 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
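Review bot: The new entry `/usr/lib/wine/*-windows/*` is written as a shell glob, but file_contexts entries are regular expressions: `/*` means zero or more slashes, so this pattern matches `/usr/lib/wine-windows` or `/usr/lib/wine/-windows` and never a real path like `/usr/lib/wine/x86_64-windows/kernel32.dll` (the arch-prefixed layout I infer from the `-windows` suffix). It also has no `--` object-class field, so it would label directories as well, and it applies `textrel_shlib_t`, which permits text relocations (execmod), to every file rather than just the libraries that need it; the matching line for `/opt/cx.*` in the same hunk restricts itself to `\.(so|dll)` regular files. A pattern of the form `/usr/lib/wine/[^/]+-windows/.+\.(so|dll) -- gen_context(system_u:object_r:textrel_shlib_t,s0)` does what the changelog describes. The `-/usr/lib/wine/.+\.so` / `+/usr/lib/wine/.+\.so` pair differs only in whitespace and could be dropped from the patch.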
@@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Oct 25 11:35:24 UTC 2021 - Marcus Meissner + +- fix_wine.patch: give Wine .dll same context as .so (bsc#1191976) + ------------------------------------------------------------------- Tue Sep 28 12:44:22 UTC 2021 - Enzo Matsumiya diff --git a/selinux-policy.spec b/selinux-policy.spec index fd3ad19..e916d1e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -137,6 +137,7 @@ Patch053: fix_systemd_watch.patch # kernel specific sysctl.conf (boo#1184804) Patch054: fix_kernel_sysctl.patch Patch055: fix_auditd.patch +Patch056: fix_wine.patch Patch100: sedoctool.patch From d7a7b70dfb36d0bf2bcf5c83794aaef26e6a8942e0aed3e2c21c58b45df230a6 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Mon, 15 Nov 2021 14:26:00 +0000 Subject: [PATCH 20/35] Accepting request 930935 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/930935 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=20 --- fedora-policy-20210716.tar.bz2 | 3 --- fedora-policy-20211111.tar.bz2 | 3 +++ fix_auditd.patch | 8 +++++--- fix_authlogin.patch | 12 ++++++------ fix_chronyd.patch | 14 +++++++------- fix_dbus.patch | 10 +++++----- fix_firewalld.patch | 14 +++++++------- fix_hadoop.patch | 14 +++++++------- fix_init.patch | 26 +++++++++++++------------- fix_kernel_sysctl.patch | 14 +++++++------- fix_logging.patch | 14 +++++++------- fix_networkmanager.patch | 14 +++++++------- fix_systemd.patch | 14 +++++++------- fix_systemd_watch.patch | 10 +++++----- fix_unconfined.patch | 8 ++++---- fix_unconfineduser.patch | 14 +++++++------- fix_xserver.patch | 14 +++++++------- selinux-policy.changes | 19 +++++++++++++++++++ selinux-policy.spec | 2 +- 19 files changed, 124 insertions(+), 103 deletions(-) delete mode 100644 fedora-policy-20210716.tar.bz2 create mode 100644 fedora-policy-20211111.tar.bz2 
diff --git a/fedora-policy-20210716.tar.bz2 b/fedora-policy-20210716.tar.bz2 deleted file mode 100644 index f558fe3..0000000 --- a/fedora-policy-20210716.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c72911f7b3d31ad5988df36f18c96337a5870044fc42be38dc6bbdd9caa95682 -size 710155 diff --git a/fedora-policy-20211111.tar.bz2 b/fedora-policy-20211111.tar.bz2 new file mode 100644 index 0000000..eb8aedb --- /dev/null +++ b/fedora-policy-20211111.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:92e84c558e4c1a8d389205ddfc1e8b00f8a872585f01e05a7650b15e55643f2a +size 714235 diff --git a/fix_auditd.patch b/fix_auditd.patch index 59e2004..d4d94e0 100644 --- a/fix_auditd.patch +++ b/fix_auditd.patch @@ -1,6 +1,8 @@ ---- a/policy/modules/system/logging.if -+++ b/policy/modules/system/logging.if -@@ -430,6 +430,7 @@ interface(`logging_manage_audit_config', +Index: fedora-policy-20211111/policy/modules/system/logging.if +=================================================================== +--- fedora-policy-20211111.orig/policy/modules/system/logging.if ++++ fedora-policy-20211111/policy/modules/system/logging.if +@@ -431,6 +431,7 @@ interface(`logging_manage_audit_config', files_search_etc($1) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) diff --git a/fix_authlogin.patch b/fix_authlogin.patch index 4592a10..7220120 100644 --- a/fix_authlogin.patch +++ b/fix_authlogin.patch 
@@ -1,10 +1,10 @@ -Index: fedora-policy/policy/modules/system/authlogin.fc +Index: fedora-policy-20211111/policy/modules/system/authlogin.fc =================================================================== ---- fedora-policy.orig/policy/modules/system/authlogin.fc -+++ fedora-policy/policy/modules/system/authlogin.fc -@@ -49,6 +49,7 @@ ifdef(`distro_gentoo', ` - /usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - +--- fedora-policy-20211111.orig/policy/modules/system/authlogin.fc ++++ fedora-policy-20211111/policy/modules/system/authlogin.fc +@@ -56,6 +56,7 @@ ifdef(`distro_gentoo', ` + /usr/libexec/chkpwd/tcb_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + /usr/libexec/chkpwd/tcb_updpwd -- gen_context(system_u:object_r:updpwd_exec_t,s0) /usr/libexec/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) +/usr/lib/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) diff --git a/fix_chronyd.patch b/fix_chronyd.patch index e67a7cb..4ec73ce 100644 --- a/fix_chronyd.patch +++ b/fix_chronyd.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20210309/policy/modules/contrib/chronyd.te +Index: fedora-policy-20211111/policy/modules/contrib/chronyd.te =================================================================== ---- fedora-policy-20210309.orig/policy/modules/contrib/chronyd.te -+++ fedora-policy-20210309/policy/modules/contrib/chronyd.te -@@ -140,6 +140,14 @@ systemd_exec_systemctl(chronyd_t) +--- fedora-policy-20211111.orig/policy/modules/contrib/chronyd.te ++++ fedora-policy-20211111/policy/modules/contrib/chronyd.te +@@ -141,6 +141,14 @@ systemd_exec_systemctl(chronyd_t) userdom_dgram_send(chronyd_t) optional_policy(` 
@@ -17,10 +17,10 @@ Index: fedora-policy-20210309/policy/modules/contrib/chronyd.te cron_dgram_send(chronyd_t) ') -Index: fedora-policy-20210309/policy/modules/contrib/chronyd.fc +Index: fedora-policy-20211111/policy/modules/contrib/chronyd.fc =================================================================== ---- fedora-policy-20210309.orig/policy/modules/contrib/chronyd.fc -+++ fedora-policy-20210309/policy/modules/contrib/chronyd.fc +--- fedora-policy-20211111.orig/policy/modules/contrib/chronyd.fc ++++ fedora-policy-20211111/policy/modules/contrib/chronyd.fc @@ -6,6 +6,7 @@ /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) diff --git a/fix_dbus.patch b/fix_dbus.patch index 3a50979..64ab643 100644 --- a/fix_dbus.patch +++ b/fix_dbus.patch @@ -1,10 +1,10 @@ -Index: fedora-policy-20210419/policy/modules/contrib/dbus.te +Index: fedora-policy-20211111/policy/modules/contrib/dbus.te =================================================================== ---- fedora-policy-20210419.orig/policy/modules/contrib/dbus.te -+++ fedora-policy-20210419/policy/modules/contrib/dbus.te -@@ -80,6 +80,7 @@ read_lnk_files_pattern(system_dbusd_t, d - manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) +--- fedora-policy-20211111.orig/policy/modules/contrib/dbus.te ++++ fedora-policy-20211111/policy/modules/contrib/dbus.te +@@ -81,6 +81,7 @@ manage_dirs_pattern(system_dbusd_t, syst manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) + manage_sock_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file sock_file }) +allow system_dbusd_t system_dbusd_tmp_t:file execute; diff --git a/fix_firewalld.patch b/fix_firewalld.patch index 5b5e67e..1e455b7 100644 --- a/fix_firewalld.patch +++ b/fix_firewalld.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy/policy/modules/contrib/firewalld.te +Index: fedora-policy-20211111/policy/modules/contrib/firewalld.te =================================================================== ---- fedora-policy.orig/policy/modules/contrib/firewalld.te 2020-02-24 08:16:03.798820784 +0000 -+++ fedora-policy/policy/modules/contrib/firewalld.te 2020-02-24 08:18:03.164764310 +0000 -@@ -129,6 +129,7 @@ optional_policy(` +--- fedora-policy-20211111.orig/policy/modules/contrib/firewalld.te ++++ fedora-policy-20211111/policy/modules/contrib/firewalld.te +@@ -131,6 +131,7 @@ optional_policy(` ') optional_policy(` @@ -10,10 +10,10 @@ Index: fedora-policy/policy/modules/contrib/firewalld.te iptables_domtrans(firewalld_t) iptables_read_var_run(firewalld_t) ') -Index: fedora-policy/policy/modules/system/iptables.if +Index: fedora-policy-20211111/policy/modules/system/iptables.if =================================================================== ---- fedora-policy.orig/policy/modules/system/iptables.if 2020-02-19 09:36:25.440182406 +0000 -+++ fedora-policy/policy/modules/system/iptables.if 2020-02-24 08:17:53.076600108 +0000 +--- fedora-policy-20211111.orig/policy/modules/system/iptables.if ++++ fedora-policy-20211111/policy/modules/system/iptables.if @@ -2,6 +2,25 @@ ######################################## diff --git a/fix_hadoop.patch b/fix_hadoop.patch index 99c9878..edc1bdc 100644 --- a/fix_hadoop.patch +++ b/fix_hadoop.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20210628/policy/modules/roles/sysadm.te +Index: fedora-policy-20211111/policy/modules/roles/sysadm.te =================================================================== ---- fedora-policy-20210628.orig/policy/modules/roles/sysadm.te -+++ fedora-policy-20210628/policy/modules/roles/sysadm.te -@@ -295,10 +295,6 @@ optional_policy(` +--- fedora-policy-20211111.orig/policy/modules/roles/sysadm.te ++++ fedora-policy-20211111/policy/modules/roles/sysadm.te +@@ -311,10 +311,6 @@ optional_policy(` ') optional_policy(` @@ -13,10 +13,10 @@ Index: fedora-policy-20210628/policy/modules/roles/sysadm.te iotop_run(sysadm_t, sysadm_r) ') -Index: fedora-policy-20210628/policy/modules/roles/unprivuser.te +Index: fedora-policy-20211111/policy/modules/roles/unprivuser.te =================================================================== ---- fedora-policy-20210628.orig/policy/modules/roles/unprivuser.te -+++ fedora-policy-20210628/policy/modules/roles/unprivuser.te +--- fedora-policy-20211111.orig/policy/modules/roles/unprivuser.te ++++ fedora-policy-20211111/policy/modules/roles/unprivuser.te @@ -205,10 +205,6 @@ ifndef(`distro_redhat',` ') diff --git a/fix_init.patch b/fix_init.patch index ed85022..247dad3 100644 --- a/fix_init.patch +++ b/fix_init.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20210716/policy/modules/system/init.if +Index: fedora-policy-20211111/policy/modules/system/init.if =================================================================== ---- fedora-policy-20210716.orig/policy/modules/system/init.if -+++ fedora-policy-20210716/policy/modules/system/init.if +--- fedora-policy-20211111.orig/policy/modules/system/init.if ++++ fedora-policy-20211111/policy/modules/system/init.if @@ -3296,6 +3296,7 @@ interface(`init_filetrans_named_content' files_etc_filetrans($1, machineid_t, file, "machine-id" ) files_pid_filetrans($1, initctl_t, fifo_file, "fifo" ) 
@@ -10,10 +10,10 @@ Index: fedora-policy-20210716/policy/modules/system/init.if init_pid_filetrans($1, systemd_unit_file_t, dir, "system") ') -Index: fedora-policy-20210716/policy/modules/system/init.te +Index: fedora-policy-20211111/policy/modules/system/init.te =================================================================== ---- fedora-policy-20210716.orig/policy/modules/system/init.te -+++ fedora-policy-20210716/policy/modules/system/init.te +--- fedora-policy-20211111.orig/policy/modules/system/init.te ++++ fedora-policy-20211111/policy/modules/system/init.te @@ -267,6 +267,8 @@ corecmd_exec_bin(init_t) corenet_all_recvfrom_netlabel(init_t) corenet_tcp_bind_all_ports(init_t) @@ -23,7 +23,7 @@ Index: fedora-policy-20210716/policy/modules/system/init.te dev_create_all_files(init_t) dev_create_all_chr_files(init_t) -@@ -391,6 +393,7 @@ logging_manage_audit_config(init_t) +@@ -394,6 +396,7 @@ logging_manage_audit_config(init_t) logging_create_syslog_netlink_audit_socket(init_t) logging_write_var_log_dirs(init_t) logging_manage_var_log_symlinks(init_t) @@ -31,7 +31,7 @@ Index: fedora-policy-20210716/policy/modules/system/init.te seutil_read_config(init_t) seutil_read_login_config(init_t) -@@ -441,10 +444,15 @@ ifdef(`distro_redhat',` +@@ -444,10 +447,15 @@ ifdef(`distro_redhat',` corecmd_shell_domtrans(init_t, initrc_t) storage_raw_rw_fixed_disk(init_t) @@ -47,7 +47,7 @@ Index: fedora-policy-20210716/policy/modules/system/init.te bootloader_domtrans(init_t) ') -@@ -562,10 +570,10 @@ tunable_policy(`init_audit_control',` +@@ -570,10 +578,10 @@ tunable_policy(`init_audit_control',` allow init_t self:system all_system_perms; allow init_t self:system module_load; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; 
@@ -60,7 +60,7 @@ Index: fedora-policy-20210716/policy/modules/system/init.te allow init_t self:netlink_selinux_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; # Until systemd is fixed -@@ -623,6 +631,7 @@ files_delete_all_spool_sockets(init_t) +@@ -631,6 +639,7 @@ files_delete_all_spool_sockets(init_t) files_create_var_lib_dirs(init_t) files_create_var_lib_symlinks(init_t) files_read_var_lib_symlinks(init_t) @@ -68,7 +68,7 @@ Index: fedora-policy-20210716/policy/modules/system/init.te files_manage_urandom_seed(init_t) files_list_locks(init_t) files_list_spool(init_t) -@@ -659,7 +668,7 @@ fs_list_all(init_t) +@@ -667,7 +676,7 @@ fs_list_all(init_t) fs_list_auto_mountpoints(init_t) fs_register_binary_executable_type(init_t) fs_relabel_tmpfs_sock_file(init_t) @@ -77,7 +77,7 @@ Index: fedora-policy-20210716/policy/modules/system/init.te fs_relabel_cgroup_dirs(init_t) fs_search_cgroup_dirs(init_t) # for network namespaces -@@ -715,6 +724,7 @@ systemd_write_inherited_logind_sessions_ +@@ -723,6 +732,7 @@ systemd_write_inherited_logind_sessions_ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) create_dirs_pattern(init_t, var_log_t, var_log_t) @@ -85,7 +85,7 @@ Index: fedora-policy-20210716/policy/modules/system/init.te auth_use_nsswitch(init_t) auth_rw_login_records(init_t) -@@ -1556,6 +1566,8 @@ optional_policy(` +@@ -1568,6 +1578,8 @@ optional_policy(` optional_policy(` postfix_list_spool(initrc_t) diff --git a/fix_kernel_sysctl.patch b/fix_kernel_sysctl.patch index 757d195..8ed096e 100644 --- a/fix_kernel_sysctl.patch +++ b/fix_kernel_sysctl.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy-20210716/policy/modules/kernel/files.fc +Index: fedora-policy-20211111/policy/modules/kernel/files.fc =================================================================== ---- fedora-policy-20210716.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20210716/policy/modules/kernel/files.fc +--- fedora-policy-20211111.orig/policy/modules/kernel/files.fc ++++ fedora-policy-20211111/policy/modules/kernel/files.fc @@ -236,6 +236,8 @@ ifdef(`distro_redhat',` /usr/lib/ostree-boot(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr/lib/modules(/.*)/vmlinuz -- gen_context(system_u:object_r:usr_t,s0) @@ -11,11 +11,11 @@ Index: fedora-policy-20210716/policy/modules/kernel/files.fc /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -Index: fedora-policy-20210716/policy/modules/system/systemd.te +Index: fedora-policy-20211111/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20210716.orig/policy/modules/system/systemd.te -+++ fedora-policy-20210716/policy/modules/system/systemd.te -@@ -1027,6 +1027,8 @@ init_stream_connect(systemd_sysctl_t) +--- fedora-policy-20211111.orig/policy/modules/system/systemd.te ++++ fedora-policy-20211111/policy/modules/system/systemd.te +@@ -1035,6 +1035,8 @@ init_stream_connect(systemd_sysctl_t) logging_send_syslog_msg(systemd_sysctl_t) systemd_read_efivarfs(systemd_sysctl_t) diff --git a/fix_logging.patch b/fix_logging.patch index 8f3a10d..0ae3fec 100644 --- a/fix_logging.patch +++ b/fix_logging.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy-20210628/policy/modules/system/logging.fc +Index: fedora-policy-20211111/policy/modules/system/logging.fc =================================================================== ---- fedora-policy-20210628.orig/policy/modules/system/logging.fc -+++ fedora-policy-20210628/policy/modules/system/logging.fc +--- fedora-policy-20211111.orig/policy/modules/system/logging.fc ++++ fedora-policy-20211111/policy/modules/system/logging.fc @@ -3,6 +3,8 @@ /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) @@ -19,11 +19,11 @@ Index: fedora-policy-20210628/policy/modules/system/logging.fc /var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) -Index: fedora-policy-20210628/policy/modules/system/logging.if +Index: fedora-policy-20211111/policy/modules/system/logging.if =================================================================== ---- fedora-policy-20210628.orig/policy/modules/system/logging.if -+++ fedora-policy-20210628/policy/modules/system/logging.if -@@ -1782,3 +1782,22 @@ interface(`logging_dgram_send',` +--- fedora-policy-20211111.orig/policy/modules/system/logging.if ++++ fedora-policy-20211111/policy/modules/system/logging.if +@@ -1787,3 +1787,22 @@ interface(`logging_dgram_send',` allow $1 syslogd_t:unix_dgram_socket sendto; ') diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch index abaa320..6dcab29 100644 --- a/fix_networkmanager.patch +++ b/fix_networkmanager.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy-20210628/policy/modules/contrib/networkmanager.te +Index: fedora-policy-20211111/policy/modules/contrib/networkmanager.te =================================================================== ---- fedora-policy-20210628.orig/policy/modules/contrib/networkmanager.te -+++ fedora-policy-20210628/policy/modules/contrib/networkmanager.te +--- fedora-policy-20211111.orig/policy/modules/contrib/networkmanager.te ++++ fedora-policy-20211111/policy/modules/contrib/networkmanager.te @@ -243,6 +243,9 @@ userdom_read_home_certs(NetworkManager_t userdom_read_user_home_content_files(NetworkManager_t) userdom_dgram_send(NetworkManager_t) @@ -27,11 +27,11 @@ Index: fedora-policy-20210628/policy/modules/contrib/networkmanager.te bind_domtrans(NetworkManager_t) bind_manage_cache(NetworkManager_t) bind_kill(NetworkManager_t) -Index: fedora-policy-20210628/policy/modules/contrib/networkmanager.if +Index: fedora-policy-20211111/policy/modules/contrib/networkmanager.if =================================================================== ---- fedora-policy-20210628.orig/policy/modules/contrib/networkmanager.if -+++ fedora-policy-20210628/policy/modules/contrib/networkmanager.if -@@ -114,6 +114,24 @@ interface(`networkmanager_initrc_domtran +--- fedora-policy-20211111.orig/policy/modules/contrib/networkmanager.if ++++ fedora-policy-20211111/policy/modules/contrib/networkmanager.if +@@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ') diff --git a/fix_systemd.patch b/fix_systemd.patch index bdab982..ae8dc7e 100644 --- a/fix_systemd.patch +++ b/fix_systemd.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy-20210716/policy/modules/system/systemd.te +Index: fedora-policy-20211111/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20210716.orig/policy/modules/system/systemd.te -+++ fedora-policy-20210716/policy/modules/system/systemd.te +--- fedora-policy-20211111.orig/policy/modules/system/systemd.te ++++ fedora-policy-20211111/policy/modules/system/systemd.te @@ -352,6 +352,10 @@ userdom_manage_user_tmp_chr_files(system xserver_dbus_chat(systemd_logind_t) @@ -13,7 +13,7 @@ Index: fedora-policy-20210716/policy/modules/system/systemd.te apache_read_tmp_files(systemd_logind_t) ') -@@ -859,6 +863,10 @@ optional_policy(` +@@ -866,6 +870,10 @@ optional_policy(` udev_read_pid_files(systemd_hostnamed_t) ') @@ -24,9 +24,9 @@ Index: fedora-policy-20210716/policy/modules/system/systemd.te ####################################### # # rfkill policy -@@ -1097,6 +1105,8 @@ systemd_unit_file_filetrans(systemd_gpt_ - systemd_create_unit_file_dirs(systemd_gpt_generator_t) - systemd_create_unit_file_lnk(systemd_gpt_generator_t) +@@ -1109,6 +1117,8 @@ optional_policy(` + udev_read_pid_files(systemd_gpt_generator_t) + ') +udev_read_pid_files(systemd_gpt_generator_t) + diff --git a/fix_systemd_watch.patch b/fix_systemd_watch.patch index 65b98c8..6771ad7 100644 --- a/fix_systemd_watch.patch +++ b/fix_systemd_watch.patch 
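Review bot: After the rebase the inner hunk `@@ -1109,6 +1117,8 @@` shows, as context, that fedora-policy-20211111 already carries `udev_read_pid_files(systemd_gpt_generator_t)` inside an `optional_policy` block, yet the SUSE patch still adds the identical rule unconditionally two lines below it. The addition is now redundant and can be removed from fix_systemd.patch entirely, keeping only the upstream rule; if the bare call is left in, it silently duplicates the allow and, should udev ever become a loadable module, bypasses the optional_policy guard upstream chose. The outer hunk's trailing context appears truncated here, so the lines after the added blank line are not visible.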
@@ -1,10 +1,10 @@ -Index: fedora-policy-20210716/policy/modules/system/systemd.te +Index: fedora-policy-20211111/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20210716.orig/policy/modules/system/systemd.te -+++ fedora-policy-20210716/policy/modules/system/systemd.te -@@ -1396,6 +1396,12 @@ fstools_rw_swap_files(systemd_sleep_t) - # systemd-sleep needs to getattr swap partitions +--- fedora-policy-20211111.orig/policy/modules/system/systemd.te ++++ fedora-policy-20211111/policy/modules/system/systemd.te +@@ -1415,6 +1415,12 @@ fstools_rw_swap_files(systemd_sleep_t) storage_getattr_fixed_disk_dev(systemd_sleep_t) + storage_getattr_removable_dev(systemd_sleep_t) +####################################### +# diff --git a/fix_unconfined.patch b/fix_unconfined.patch index 114c71d..a9b5b32 100644 --- a/fix_unconfined.patch +++ b/fix_unconfined.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20210628/policy/modules/system/unconfined.te +Index: fedora-policy-20211111/policy/modules/system/unconfined.te =================================================================== ---- fedora-policy-20210628.orig/policy/modules/system/unconfined.te -+++ fedora-policy-20210628/policy/modules/system/unconfined.te +--- fedora-policy-20211111.orig/policy/modules/system/unconfined.te ++++ fedora-policy-20211111/policy/modules/system/unconfined.te @@ -1,5 +1,10 @@ policy_module(unconfined, 3.5.0) @@ -13,7 +13,7 @@ Index: fedora-policy-20210628/policy/modules/system/unconfined.te ######################################## # # Declarations -@@ -41,3 +46,6 @@ optional_policy(` +@@ -39,3 +44,6 @@ optional_policy(` optional_policy(` container_runtime_domtrans(unconfined_service_t) ') diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch index 0161703..54458d4 100644 --- a/fix_unconfineduser.patch +++ b/fix_unconfineduser.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20210628/policy/modules/roles/unconfineduser.te +Index: fedora-policy-20211111/policy/modules/roles/unconfineduser.te =================================================================== ---- fedora-policy-20210628.orig/policy/modules/roles/unconfineduser.te -+++ fedora-policy-20210628/policy/modules/roles/unconfineduser.te -@@ -126,6 +126,11 @@ tunable_policy(`unconfined_dyntrans_all' +--- fedora-policy-20211111.orig/policy/modules/roles/unconfineduser.te ++++ fedora-policy-20211111/policy/modules/roles/unconfineduser.te +@@ -122,6 +122,11 @@ tunable_policy(`unconfined_dyntrans_all' domain_dyntrans(unconfined_t) ') @@ -14,7 +14,7 @@ Index: fedora-policy-20210628/policy/modules/roles/unconfineduser.te optional_policy(` gen_require(` type unconfined_t; -@@ -212,6 +217,10 @@ optional_policy(` +@@ -208,6 +213,10 @@ optional_policy(` ') optional_policy(` @@ -25,7 +25,7 @@ Index: fedora-policy-20210628/policy/modules/roles/unconfineduser.te chrome_role_notrans(unconfined_r, unconfined_t) tunable_policy(`unconfined_chrome_sandbox_transition',` -@@ -246,6 +255,18 @@ optional_policy(` +@@ -242,6 +251,18 @@ optional_policy(` dbus_stub(unconfined_t) optional_policy(` @@ -44,7 +44,7 @@ Index: fedora-policy-20210628/policy/modules/roles/unconfineduser.te bluetooth_dbus_chat(unconfined_t) ') -@@ -309,6 +330,10 @@ optional_policy(` +@@ -305,6 +326,10 @@ optional_policy(` ') optional_policy(` diff --git a/fix_xserver.patch b/fix_xserver.patch index 785494c..686a68d 100644 --- a/fix_xserver.patch +++ b/fix_xserver.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy-20210628/policy/modules/services/xserver.fc +Index: fedora-policy-20211111/policy/modules/services/xserver.fc =================================================================== ---- fedora-policy-20210628.orig/policy/modules/services/xserver.fc -+++ fedora-policy-20210628/policy/modules/services/xserver.fc +--- fedora-policy-20211111.orig/policy/modules/services/xserver.fc ++++ fedora-policy-20211111/policy/modules/services/xserver.fc @@ -71,6 +71,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) @@ -18,7 +18,7 @@ Index: fedora-policy-20210628/policy/modules/services/xserver.fc /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0) -@@ -136,6 +138,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ +@@ -137,6 +139,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ /usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0) /usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0) @@ -26,10 +26,10 @@ Index: fedora-policy-20210628/policy/modules/services/xserver.fc ifndef(`distro_debian',` /usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) ') -Index: fedora-policy-20210628/policy/modules/services/xserver.te +Index: fedora-policy-20211111/policy/modules/services/xserver.te =================================================================== ---- fedora-policy-20210628.orig/policy/modules/services/xserver.te -+++ fedora-policy-20210628/policy/modules/services/xserver.te +--- fedora-policy-20211111.orig/policy/modules/services/xserver.te ++++ fedora-policy-20211111/policy/modules/services/xserver.te 
@@ -473,6 +473,10 @@ userdom_delete_user_home_content_files(x userdom_signull_unpriv_users(xdm_t) userdom_dontaudit_read_admin_home_lnk_files(xdm_t) diff --git a/selinux-policy.changes b/selinux-policy.changes index 87e9a1a..5fc9185 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Thu Nov 11 14:21:47 UTC 2021 - Johannes Segitz + +- Update to version 20211111. Refreshed: + * fix_dbus.patch + * fix_systemd.patch + * fix_authlogin.patch + * fix_auditd.patch + * fix_kernel_sysctl.patch + * fix_networkmanager.patch + * fix_chronyd.patch + * fix_unconfineduser.patch + * fix_unconfined.patch + * fix_firewalld.patch + * fix_init.patch + * fix_xserver.patch + * fix_logging.patch + * fix_hadoop.patch + ------------------------------------------------------------------- Mon Oct 25 11:35:24 UTC 2021 - Marcus Meissner diff --git a/selinux-policy.spec b/selinux-policy.spec index e916d1e..b90c137 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -33,7 +33,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20210716 +Version: 20211111 Release: 0 Source: fedora-policy-%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc From bfd2a0a742289d5aeaa3e13563e2696ea9d71f52465b0dd50817dbccb8cb5f00 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Fri, 21 Jan 2022 00:25:14 +0000 Subject: [PATCH 21/35] Accepting request 947458 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/947458 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=21 --- fix_colord.patch | 18 +++++++++++++++--- selinux-policy.changes | 5 +++++ selinux-policy.spec | 2 +- 3 files changed, 21 insertions(+), 4 deletions(-) diff --git a/fix_colord.patch b/fix_colord.patch index c11b27b..763641f 100644 --- a/fix_colord.patch +++ b/fix_colord.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy/policy/modules/contrib/colord.fc +Index: fedora-policy-20211111/policy/modules/contrib/colord.fc =================================================================== ---- fedora-policy.orig/policy/modules/contrib/colord.fc -+++ fedora-policy/policy/modules/contrib/colord.fc +--- fedora-policy-20211111.orig/policy/modules/contrib/colord.fc ++++ fedora-policy-20211111/policy/modules/contrib/colord.fc @@ -6,6 +6,8 @@ /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0) @@ -11,3 +11,15 @@ Index: fedora-policy/policy/modules/contrib/colord.fc /usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0) +Index: fedora-policy-20211111/policy/modules/contrib/colord.te +=================================================================== +--- fedora-policy-20211111.orig/policy/modules/contrib/colord.te ++++ fedora-policy-20211111/policy/modules/contrib/colord.te +@@ -17,6 +17,7 @@ type colord_t; + type colord_exec_t; + dbus_system_domain(colord_t, colord_exec_t) + init_daemon_domain(colord_t, colord_exec_t) ++init_nnp_daemon_domain(colord_t) + + type colord_tmp_t; + files_tmp_file(colord_tmp_t) diff --git a/selinux-policy.changes b/selinux-policy.changes index 5fc9185..87ce04b 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Jan 14 15:07:00 UTC 2022 - Johannes Segitz + +- Allow colord to use systemd hardenings (bsc#1194631) + ------------------------------------------------------------------- Thu Nov 11 14:21:47 UTC 2021 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index b90c137..28271da 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
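Review bot: The new `init_nnp_daemon_domain(colord_t)` rule in colord.te carries no comment, while the reason is only recorded in the .changes entry ("Allow colord to use systemd hardenings (bsc#1194631)"); a reader of the policy module cannot tell which unit setting forced this relaxation of the no-new-privileges transition check. Add the rationale next to the rule, e.g. `# colord.service uses systemd hardening (presumably NoNewPrivileges=), which blocks the normal domain transition; bsc#1194631`. Hedge the exact directive if the bug does not name it.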
@@ -1,7 +1,7 @@ # # spec file for package selinux-policy # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed From 80b8756a0fd43c7fa1c32996a1eb0ea674ffb94677adae69be04a5f52c8c385e Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Wed, 26 Jan 2022 20:26:31 +0000 Subject: [PATCH 22/35] Accepting request 948335 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/948335 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=22 --- fedora-policy-20211111.tar.bz2 | 3 --- fedora-policy-20220124.tar.bz2 | 3 +++ fix_hadoop.patch | 14 +++++++------- fix_hypervkvp.patch | 15 +++++++++++++++ fix_init.patch | 28 ++++++++-------------------- fix_kernel_sysctl.patch | 14 +++++++------- fix_systemd.patch | 12 ++++++------ fix_systemd_watch.patch | 8 ++++---- selinux-policy.changes | 12 ++++++++++++ selinux-policy.spec | 3 ++- 10 files changed, 64 insertions(+), 48 deletions(-) delete mode 100644 fedora-policy-20211111.tar.bz2 create mode 100644 fedora-policy-20220124.tar.bz2 create mode 100644 fix_hypervkvp.patch diff --git a/fedora-policy-20211111.tar.bz2 b/fedora-policy-20211111.tar.bz2 deleted file mode 100644 index eb8aedb..0000000 --- a/fedora-policy-20211111.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:92e84c558e4c1a8d389205ddfc1e8b00f8a872585f01e05a7650b15e55643f2a -size 714235 diff --git a/fedora-policy-20220124.tar.bz2 b/fedora-policy-20220124.tar.bz2 new file mode 100644 index 0000000..91d9636 --- /dev/null +++ b/fedora-policy-20220124.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ebec268024dfd05d9563991a424d12892b0eb210d1eab2c484ae424f8fb757c5 +size 725506 diff --git a/fix_hadoop.patch b/fix_hadoop.patch index edc1bdc..4c24161 100644 --- a/fix_hadoop.patch 
+++ b/fix_hadoop.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20211111/policy/modules/roles/sysadm.te +Index: fedora-policy-20220124/policy/modules/roles/sysadm.te =================================================================== ---- fedora-policy-20211111.orig/policy/modules/roles/sysadm.te -+++ fedora-policy-20211111/policy/modules/roles/sysadm.te -@@ -311,10 +311,6 @@ optional_policy(` +--- fedora-policy-20220124.orig/policy/modules/roles/sysadm.te ++++ fedora-policy-20220124/policy/modules/roles/sysadm.te +@@ -315,10 +315,6 @@ optional_policy(` ') optional_policy(` @@ -13,10 +13,10 @@ Index: fedora-policy-20211111/policy/modules/roles/sysadm.te iotop_run(sysadm_t, sysadm_r) ') -Index: fedora-policy-20211111/policy/modules/roles/unprivuser.te +Index: fedora-policy-20220124/policy/modules/roles/unprivuser.te =================================================================== ---- fedora-policy-20211111.orig/policy/modules/roles/unprivuser.te -+++ fedora-policy-20211111/policy/modules/roles/unprivuser.te +--- fedora-policy-20220124.orig/policy/modules/roles/unprivuser.te ++++ fedora-policy-20220124/policy/modules/roles/unprivuser.te @@ -205,10 +205,6 @@ ifndef(`distro_redhat',` ') diff --git a/fix_hypervkvp.patch b/fix_hypervkvp.patch new file mode 100644 index 0000000..3cac649 --- /dev/null +++ b/fix_hypervkvp.patch 
@@ -0,0 +1,15 @@
+Index: fedora-policy-20220124/policy/modules/contrib/hypervkvp.fc
+===================================================================
+--- fedora-policy-20220124.orig/policy/modules/contrib/hypervkvp.fc
++++ fedora-policy-20220124/policy/modules/contrib/hypervkvp.fc
+@@ -3,8 +3,10 @@
+ /usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_file_t,s0)
+ 
+ /usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
++/usr/lib/hyper-v/bin/.*kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
+ /usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
+ 
+ /usr/sbin/hypervvssd -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)
++/usr/lib/hyper-v/bin/.*vss_daemon -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)
+ 
+ /var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
diff --git a/fix_init.patch b/fix_init.patch
index 247dad3..18063b1 100644
--- a/fix_init.patch
+++ b/fix_init.patch
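Review bot: The two new entries use `.*` after `/usr/lib/hyper-v/bin/`, and in file_contexts `.` also matches `/`, so any regular file at any depth below that directory whose name ends in `kvp_daemon` or `vss_daemon` would receive an entry-point label (hypervkvp_exec_t / hypervvssd_exec_t), which is wider than the fixed-path entries just above them. Restrict the match to the directory itself with `/usr/lib/hyper-v/bin/[^/]*kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)` and `/usr/lib/hyper-v/bin/[^/]*vss_daemon -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)`; if the SUSE binary names are fixed, literal paths as used for `/usr/sbin/hv_kvp_daemon` are tighter still. The bug reference (bsc#1193987) lives only in the .changes file; a one-line comment in the .fc hunk naming the SUSE package that installs these paths would help the next refresh.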
@@ -1,19 +1,7 @@ -Index: fedora-policy-20211111/policy/modules/system/init.if +Index: fedora-policy-20220124/policy/modules/system/init.te =================================================================== ---- fedora-policy-20211111.orig/policy/modules/system/init.if -+++ fedora-policy-20211111/policy/modules/system/init.if -@@ -3296,6 +3296,7 @@ interface(`init_filetrans_named_content' - files_etc_filetrans($1, machineid_t, file, "machine-id" ) - files_pid_filetrans($1, initctl_t, fifo_file, "fifo" ) - init_pid_filetrans($1, systemd_unit_file_t, dir, "generator") -+ init_pid_filetrans($1, systemd_unit_file_t, dir, "generator.late") - init_pid_filetrans($1, systemd_unit_file_t, dir, "system") - ') - -Index: fedora-policy-20211111/policy/modules/system/init.te -=================================================================== ---- fedora-policy-20211111.orig/policy/modules/system/init.te -+++ fedora-policy-20211111/policy/modules/system/init.te +--- fedora-policy-20220124.orig/policy/modules/system/init.te ++++ fedora-policy-20220124/policy/modules/system/init.te @@ -267,6 +267,8 @@ corecmd_exec_bin(init_t) corenet_all_recvfrom_netlabel(init_t) corenet_tcp_bind_all_ports(init_t) @@ -47,7 +35,7 @@ Index: fedora-policy-20211111/policy/modules/system/init.te bootloader_domtrans(init_t) ') -@@ -570,10 +578,10 @@ tunable_policy(`init_audit_control',` +@@ -571,10 +579,10 @@ tunable_policy(`init_audit_control',` allow init_t self:system all_system_perms; allow init_t self:system module_load; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; 
@@ -60,7 +48,7 @@ Index: fedora-policy-20211111/policy/modules/system/init.te allow init_t self:netlink_selinux_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; # Until systemd is fixed -@@ -631,6 +639,7 @@ files_delete_all_spool_sockets(init_t) +@@ -633,6 +641,7 @@ files_delete_all_spool_sockets(init_t) files_create_var_lib_dirs(init_t) files_create_var_lib_symlinks(init_t) files_read_var_lib_symlinks(init_t) @@ -68,7 +56,7 @@ Index: fedora-policy-20211111/policy/modules/system/init.te files_manage_urandom_seed(init_t) files_list_locks(init_t) files_list_spool(init_t) -@@ -667,7 +676,7 @@ fs_list_all(init_t) +@@ -669,7 +678,7 @@ fs_list_all(init_t) fs_list_auto_mountpoints(init_t) fs_register_binary_executable_type(init_t) fs_relabel_tmpfs_sock_file(init_t) @@ -77,7 +65,7 @@ Index: fedora-policy-20211111/policy/modules/system/init.te fs_relabel_cgroup_dirs(init_t) fs_search_cgroup_dirs(init_t) # for network namespaces -@@ -723,6 +732,7 @@ systemd_write_inherited_logind_sessions_ +@@ -725,6 +734,7 @@ systemd_write_inherited_logind_sessions_ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) create_dirs_pattern(init_t, var_log_t, var_log_t) @@ -85,7 +73,7 @@ Index: fedora-policy-20211111/policy/modules/system/init.te auth_use_nsswitch(init_t) auth_rw_login_records(init_t) -@@ -1568,6 +1578,8 @@ optional_policy(` +@@ -1571,6 +1581,8 @@ optional_policy(` optional_policy(` postfix_list_spool(initrc_t) diff --git a/fix_kernel_sysctl.patch b/fix_kernel_sysctl.patch index 8ed096e..7fb1b7e 100644 --- a/fix_kernel_sysctl.patch +++ b/fix_kernel_sysctl.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy-20211111/policy/modules/kernel/files.fc +Index: fedora-policy-20220124/policy/modules/kernel/files.fc =================================================================== ---- fedora-policy-20211111.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20211111/policy/modules/kernel/files.fc +--- fedora-policy-20220124.orig/policy/modules/kernel/files.fc ++++ fedora-policy-20220124/policy/modules/kernel/files.fc @@ -236,6 +236,8 @@ ifdef(`distro_redhat',` /usr/lib/ostree-boot(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr/lib/modules(/.*)/vmlinuz -- gen_context(system_u:object_r:usr_t,s0) @@ -11,11 +11,11 @@ Index: fedora-policy-20211111/policy/modules/kernel/files.fc /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -Index: fedora-policy-20211111/policy/modules/system/systemd.te +Index: fedora-policy-20220124/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20211111.orig/policy/modules/system/systemd.te -+++ fedora-policy-20211111/policy/modules/system/systemd.te -@@ -1035,6 +1035,8 @@ init_stream_connect(systemd_sysctl_t) +--- fedora-policy-20220124.orig/policy/modules/system/systemd.te ++++ fedora-policy-20220124/policy/modules/system/systemd.te +@@ -1037,6 +1037,8 @@ init_stream_connect(systemd_sysctl_t) logging_send_syslog_msg(systemd_sysctl_t) systemd_read_efivarfs(systemd_sysctl_t) diff --git a/fix_systemd.patch b/fix_systemd.patch index ae8dc7e..f923439 100644 --- a/fix_systemd.patch +++ b/fix_systemd.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20211111/policy/modules/system/systemd.te +Index: fedora-policy-20220124/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20211111.orig/policy/modules/system/systemd.te -+++ fedora-policy-20211111/policy/modules/system/systemd.te -@@ -352,6 +352,10 @@ userdom_manage_user_tmp_chr_files(system +--- fedora-policy-20220124.orig/policy/modules/system/systemd.te ++++ fedora-policy-20220124/policy/modules/system/systemd.te +@@ -353,6 +353,10 @@ userdom_manage_user_tmp_chr_files(system xserver_dbus_chat(systemd_logind_t) optional_policy(` @@ -13,7 +13,7 @@ Index: fedora-policy-20211111/policy/modules/system/systemd.te apache_read_tmp_files(systemd_logind_t) ') -@@ -866,6 +870,10 @@ optional_policy(` +@@ -868,6 +872,10 @@ optional_policy(` udev_read_pid_files(systemd_hostnamed_t) ') @@ -24,7 +24,7 @@ Index: fedora-policy-20211111/policy/modules/system/systemd.te ####################################### # # rfkill policy -@@ -1109,6 +1117,8 @@ optional_policy(` +@@ -1115,6 +1123,8 @@ optional_policy(` udev_read_pid_files(systemd_gpt_generator_t) ') diff --git a/fix_systemd_watch.patch b/fix_systemd_watch.patch index 6771ad7..8f6061d 100644 --- a/fix_systemd_watch.patch +++ b/fix_systemd_watch.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20211111/policy/modules/system/systemd.te +Index: fedora-policy-20220124/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20211111.orig/policy/modules/system/systemd.te -+++ fedora-policy-20211111/policy/modules/system/systemd.te -@@ -1415,6 +1415,12 @@ fstools_rw_swap_files(systemd_sleep_t) +--- fedora-policy-20220124.orig/policy/modules/system/systemd.te ++++ fedora-policy-20220124/policy/modules/system/systemd.te +@@ -1421,6 +1421,12 @@ fstools_rw_swap_files(systemd_sleep_t) storage_getattr_fixed_disk_dev(systemd_sleep_t) storage_getattr_removable_dev(systemd_sleep_t) diff --git a/selinux-policy.changes b/selinux-policy.changes index 87ce04b..d0049cd 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Mon Jan 24 07:33:34 UTC 2022 - Johannes Segitz + +- Update to version 20220124. Refreshed: + * fix_hadoop.patch + * fix_init.patch + * fix_kernel_sysctl.patch + * fix_systemd.patch + * fix_systemd_watch.patch +- Added fix_hypervkvp.patch to fix issues with hyperv labeling + (bsc#1193987) + ------------------------------------------------------------------- Fri Jan 14 15:07:00 UTC 2022 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index 28271da..38c8223 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -33,7 +33,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20211111 +Version: 20220124 Release: 0 Source: fedora-policy-%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc 
@@ -138,6 +138,7 @@ Patch053: fix_systemd_watch.patch Patch054: fix_kernel_sysctl.patch Patch055: fix_auditd.patch Patch056: fix_wine.patch +Patch057: fix_hypervkvp.patch Patch100: sedoctool.patch From 623616946f2bd83703d4ea1040eda23ebfe94a7f447d23752234a103646de0a2 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Fri, 11 Feb 2022 22:07:09 +0000 Subject: [PATCH 23/35] Accepting request 953129 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/953129 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=23 --- fix_bitlbee.patch | 12 ++++++++++++ fix_cron.patch | 25 ++++++++++++++++++------- selinux-policy.changes | 11 +++++++++++ selinux-policy.spec | 1 + 4 files changed, 42 insertions(+), 7 deletions(-) create mode 100644 fix_bitlbee.patch diff --git a/fix_bitlbee.patch b/fix_bitlbee.patch new file mode 100644 index 0000000..2ce1749 --- /dev/null +++ b/fix_bitlbee.patch @@ -0,0 +1,12 @@ +Index: fedora-policy-20220124/policy/modules/contrib/bitlbee.fc +=================================================================== +--- fedora-policy-20220124.orig/policy/modules/contrib/bitlbee.fc ++++ fedora-policy-20220124/policy/modules/contrib/bitlbee.fc +@@ -9,6 +9,5 @@ + + /var/log/bip.* gen_context(system_u:object_r:bitlbee_log_t,s0) + +-/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0) +-/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0) ++/var/run/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0) + /var/run/bip(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0) diff --git a/fix_cron.patch b/fix_cron.patch index 6f6a125..e2ccb9a 100644 --- a/fix_cron.patch +++ b/fix_cron.patch 
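Review bot: The replacement entry `/var/run/bitlbee(/.*)?` does not match the two paths it removes: `/var/run/bitlbee.pid` and `/var/run/bitlbee.sock` have the suffix directly after `bitlbee` with no `/`, so they fall outside `bitlbee(/.*)?` and would revert to the generic run label, and bitlbee_t would then lose access to its own pidfile/socket if a build still creates them at the top level of /var/run. Unless bsc#1193230 confirms that both objects now live only under the /var/run/bitlbee/ directory, keep the removed lines alongside the new one, e.g. `/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0)` and `/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0)`. Also note the new pattern has no `-d`/`--` class qualifier, so it labels the directory and everything inside it the same way, which is presumably intended.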
@@ -1,7 +1,7 @@ -Index: fedora-policy-20210309/policy/modules/contrib/cron.fc +Index: fedora-policy-20220124/policy/modules/contrib/cron.fc =================================================================== ---- fedora-policy-20210309.orig/policy/modules/contrib/cron.fc -+++ fedora-policy-20210309/policy/modules/contrib/cron.fc +--- fedora-policy-20220124.orig/policy/modules/contrib/cron.fc ++++ fedora-policy-20220124/policy/modules/contrib/cron.fc @@ -34,7 +34,7 @@ /var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0) @@ -11,7 +11,18 @@ Index: fedora-policy-20210309/policy/modules/contrib/cron.fc /var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) /var/spool/cron/crontabs/.* -- <> -@@ -69,9 +69,3 @@ ifdef(`distro_gentoo',` +@@ -55,6 +55,10 @@ ifdef(`distro_suse', ` + /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) + /var/spool/cron/lastrun/[^/]* -- <> + /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) ++ ++/var/spool/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) ++/var/spool/atjobs/.SEQ -- gen_context(system_u:object_r:user_cron_spool_t,s0) ++/var/spool/atjobs/[^/]* -- <> + ') + + ifdef(`distro_debian',` +@@ -69,9 +73,3 @@ ifdef(`distro_gentoo',` /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) /var/spool/cron/lastrun/[^/]* -- <> ') 
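Review bot: In the new `/var/spool/atjobs/.SEQ` entry the dot is unescaped, so as a regex it matches any single character (`/var/spool/atjobs/xSEQ` would also become user_cron_spool_t), and because fc_sort orders entries by whether they contain regex metacharacters, it is ranked as a pattern of the same specificity as the `/var/spool/atjobs/[^/]*` catch-all on the next line rather than as a more specific literal path — if I recall the sorting rules correctly, which entry wins then depends on file order. Escape it as the rest of this package does (compare `bitlbee\.pid` in fix_bitlbee.patch): `/var/spool/atjobs/\.SEQ -- gen_context(system_u:object_r:user_cron_spool_t,s0)`. The `<>` shown after the catch-all entries looks like the page's rendering of the policy's none-context marker lost to HTML escaping, not a policy problem.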
@@ -21,10 +32,10 @@ Index: fedora-policy-20210309/policy/modules/contrib/cron.fc -/var/spool/cron/lastrun/[^/]* -- <> -/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -') -Index: fedora-policy-20210309/policy/modules/contrib/cron.if +Index: fedora-policy-20220124/policy/modules/contrib/cron.if =================================================================== ---- fedora-policy-20210309.orig/policy/modules/contrib/cron.if -+++ fedora-policy-20210309/policy/modules/contrib/cron.if +--- fedora-policy-20220124.orig/policy/modules/contrib/cron.if ++++ fedora-policy-20220124/policy/modules/contrib/cron.if @@ -1057,7 +1057,7 @@ interface(`cron_generic_log_filetrans_lo # interface(`cron_system_spool_entrypoint',` diff --git a/selinux-policy.changes b/selinux-policy.changes index d0049cd..971e0ba 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Thu Feb 10 09:04:08 UTC 2022 - Johannes Segitz + +- Updated fix_cron.patch. Adjust labeling for at (bsc#1195683) + +------------------------------------------------------------------- +Wed Feb 9 16:04:09 UTC 2022 - Filippo Bonazzi + +- Fix bitlbee runtime directory (bsc#1193230) + * add fix_bitlbee.patch + ------------------------------------------------------------------- Mon Jan 24 07:33:34 UTC 2022 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index 38c8223..137b9fd 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -139,6 +139,7 @@ Patch054: fix_kernel_sysctl.patch Patch055: fix_auditd.patch Patch056: fix_wine.patch Patch057: fix_hypervkvp.patch +Patch058: fix_bitlbee.patch Patch100: sedoctool.patch From 223a3cdd5f8f49c996cfd2f5c69dcc3ecf7dc5460f31e8bf367a3eed44750091 Mon Sep 17 00:00:00 2001 
From: Dominique Leuenberger Date: Sat, 26 Feb 2022 16:01:58 +0000 Subject: [PATCH 24/35] Accepting request 957363 from security:SELinux Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/957363 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=24 --- selinux-policy.changes | 5 +++++ selinux-policy.spec | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/selinux-policy.changes b/selinux-policy.changes index 971e0ba..709306f 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Feb 17 12:24:13 UTC 2022 - Klaus Kämpf + +- use %license tag for COPYING file + ------------------------------------------------------------------- Thu Feb 10 09:04:08 UTC 2022 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index 137b9fd..de4fa04 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -363,7 +363,7 @@ creating other policies. %files %defattr(-,root,root,-) -%doc COPYING +%license COPYING %dir %{_datadir}/selinux %dir %{_datadir}/selinux/packages %dir %{_sysconfdir}/selinux From 52a5fe81c35c441efd356d82ec0027c1bbd92160a5c8be92ba58e7505d42a92d Mon Sep 17 00:00:00 2001 
From: Dominique Leuenberger Date: Mon, 20 Jun 2022 13:36:43 +0000 Subject: [PATCH 25/35] Accepting request 978298 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/978298 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=25 --- fedora-policy-20220124.tar.bz2 | 3 --- fedora-policy-20220520.tar.bz2 | 3 +++ fix_apache.patch | 8 +++--- fix_dnsmasq.patch | 12 +++++++++ fix_hadoop.patch | 14 +++++----- fix_init.patch | 41 ++++++++++++++++++++---------- fix_iptables.patch | 8 +++--- fix_kernel_sysctl.patch | 14 +++++----- fix_networkmanager.patch | 16 ++++++------ fix_systemd.patch | 19 ++++---------- fix_systemd_watch.patch | 8 +++--- fix_unconfineduser.patch | 23 +++++------------ fix_unprivuser.patch | 8 +++--- fix_usermanage.patch | 10 ++++---- fix_wine.patch | 8 +++--- selinux-policy.changes | 40 +++++++++++++++++++++++++++++ selinux-policy.spec | 5 +++- systemd_domain_dyntrans_type.patch | 13 ++++++++++ users-minimum | 1 + users-mls | 2 ++ users-targeted | 3 +++ 21 files changed, 163 insertions(+), 96 deletions(-) delete mode 100644 fedora-policy-20220124.tar.bz2 create mode 100644 fedora-policy-20220520.tar.bz2 create mode 100644 fix_dnsmasq.patch create mode 100644 systemd_domain_dyntrans_type.patch diff --git a/fedora-policy-20220124.tar.bz2 b/fedora-policy-20220124.tar.bz2 deleted file mode 100644 index 91d9636..0000000 --- a/fedora-policy-20220124.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ebec268024dfd05d9563991a424d12892b0eb210d1eab2c484ae424f8fb757c5 -size 725506 diff --git a/fedora-policy-20220520.tar.bz2 b/fedora-policy-20220520.tar.bz2 new file mode 100644 index 0000000..8523e23 --- /dev/null +++ b/fedora-policy-20220520.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:90d1df3189f84ff576e2bd3cf5bc504bac06037d3475ea1904d2b9eda9d164e7 +size 730405 
diff --git a/fix_apache.patch b/fix_apache.patch index e097a03..74a1c76 100644 --- a/fix_apache.patch +++ b/fix_apache.patch @@ -1,8 +1,8 @@ -Index: fedora-policy/policy/modules/contrib/apache.if +Index: fedora-policy-20220428/policy/modules/contrib/apache.if =================================================================== ---- fedora-policy.orig/policy/modules/contrib/apache.if -+++ fedora-policy/policy/modules/contrib/apache.if -@@ -1967,3 +1967,25 @@ interface(`apache_ioctl_stream_sockets', +--- fedora-policy-20220428.orig/policy/modules/contrib/apache.if ++++ fedora-policy-20220428/policy/modules/contrib/apache.if +@@ -1989,3 +1989,25 @@ interface(`apache_ioctl_stream_sockets', allow $1 httpd_t:unix_stream_socket ioctl; ') diff --git a/fix_dnsmasq.patch b/fix_dnsmasq.patch new file mode 100644 index 0000000..0471529 --- /dev/null +++ b/fix_dnsmasq.patch @@ -0,0 +1,12 @@ +Index: fedora-policy-20220519/policy/modules/contrib/dnsmasq.te +=================================================================== +--- fedora-policy-20220519.orig/policy/modules/contrib/dnsmasq.te ++++ fedora-policy-20220519/policy/modules/contrib/dnsmasq.te +@@ -115,6 +115,7 @@ libs_exec_ldconfig(dnsmasq_t) + logging_send_syslog_msg(dnsmasq_t) + + miscfiles_read_public_files(dnsmasq_t) ++sysnet_manage_config_dirs(dnsmasq_t) + + userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) + userdom_dontaudit_search_user_home_dirs(dnsmasq_t) diff --git a/fix_hadoop.patch b/fix_hadoop.patch index 4c24161..708fcb9 100644 --- a/fix_hadoop.patch +++ b/fix_hadoop.patch 
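Review bot: `sysnet_manage_config_dirs(dnsmasq_t)` grants dnsmasq create/delete/rename on every directory carrying the network-configuration type, which is considerably wider than the daemon's usual read access to resolver configuration, and the added line has no comment saying which directory or AVC it resolves (the .changes entry for this commit is not in view). If the denial is for one directory that dnsmasq creates, prefer a create-only or directory-scoped interface, or a named file transition for that one path, and annotate the rule, e.g. `# bsc#NNNN: dnsmasq creates <dir> in /etc (AVC: dir { create add_name })`. Minor: the Index/---/+++ paths in this new patch say `fedora-policy-20220519` while the sibling patches refreshed in this commit use `20220428` and the spec tarball is 20220520; harmless for `patch -p1` but inconsistent.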
@@ -1,7 +1,7 @@ -Index: fedora-policy-20220124/policy/modules/roles/sysadm.te +Index: fedora-policy-20220428/policy/modules/roles/sysadm.te =================================================================== ---- fedora-policy-20220124.orig/policy/modules/roles/sysadm.te -+++ fedora-policy-20220124/policy/modules/roles/sysadm.te +--- fedora-policy-20220428.orig/policy/modules/roles/sysadm.te ++++ fedora-policy-20220428/policy/modules/roles/sysadm.te @@ -315,10 +315,6 @@ optional_policy(` ') @@ -13,11 +13,11 @@ Index: fedora-policy-20220124/policy/modules/roles/sysadm.te iotop_run(sysadm_t, sysadm_r) ') -Index: fedora-policy-20220124/policy/modules/roles/unprivuser.te +Index: fedora-policy-20220428/policy/modules/roles/unprivuser.te =================================================================== ---- fedora-policy-20220124.orig/policy/modules/roles/unprivuser.te -+++ fedora-policy-20220124/policy/modules/roles/unprivuser.te -@@ -205,10 +205,6 @@ ifndef(`distro_redhat',` +--- fedora-policy-20220428.orig/policy/modules/roles/unprivuser.te ++++ fedora-policy-20220428/policy/modules/roles/unprivuser.te +@@ -210,10 +210,6 @@ ifndef(`distro_redhat',` ') optional_policy(` diff --git a/fix_init.patch b/fix_init.patch index 18063b1..f209bdb 100644 --- a/fix_init.patch +++ b/fix_init.patch 
@@ -1,8 +1,17 @@ -Index: fedora-policy-20220124/policy/modules/system/init.te +Index: fedora-policy-20220428/policy/modules/system/init.te =================================================================== ---- fedora-policy-20220124.orig/policy/modules/system/init.te -+++ fedora-policy-20220124/policy/modules/system/init.te -@@ -267,6 +267,8 @@ corecmd_exec_bin(init_t) +--- fedora-policy-20220428.orig/policy/modules/system/init.te ++++ fedora-policy-20220428/policy/modules/system/init.te +@@ -187,6 +187,8 @@ allow init_t self:bpf { map_create map_r + # setuid (from /sbin/shutdown) + # sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot() + ++# bsc#1197610, find a better, generic solution ++allow init_t self:file mounton; + allow init_t self:fifo_file rw_fifo_file_perms; + + allow init_t self:service manage_service_perms; +@@ -267,6 +269,8 @@ corecmd_exec_bin(init_t) corenet_all_recvfrom_netlabel(init_t) corenet_tcp_bind_all_ports(init_t) corenet_udp_bind_all_ports(init_t) @@ -11,7 +20,7 @@ Index: fedora-policy-20220124/policy/modules/system/init.te dev_create_all_files(init_t) dev_create_all_chr_files(init_t) -@@ -394,6 +396,7 @@ logging_manage_audit_config(init_t) +@@ -396,6 +400,7 @@ logging_manage_audit_config(init_t) logging_create_syslog_netlink_audit_socket(init_t) logging_write_var_log_dirs(init_t) logging_manage_var_log_symlinks(init_t) @@ -19,7 +28,7 @@ Index: fedora-policy-20220124/policy/modules/system/init.te seutil_read_config(init_t) seutil_read_login_config(init_t) -@@ -444,10 +447,15 @@ ifdef(`distro_redhat',` +@@ -446,9 +451,19 @@ ifdef(`distro_redhat',` corecmd_shell_domtrans(init_t, initrc_t) storage_raw_rw_fixed_disk(init_t) 
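Review bot: The new `allow init_t self:file mounton;` carries only `# bsc#1197610, find a better, generic solution`, which names the bug but not the trigger, so a future refresh cannot judge whether the rule is still needed; the changelog in this request records it as init setting up the constrained environment for accountsservice. Suggest `# bsc#1197610: init sets up a constrained environment for accountsservice; find a better, generic solution`. The same comment is reused verbatim above the new `mta_getattr_spool(init_t)` optional_policy block in the `@@ -27,15 +36,19 @@` hunk, where it likewise gives no hint of which spool access fails, so it should carry the same expanded wording. mounton on files labelled with PID 1's own domain is an unusual grant; if it is meant to cover the per-service sandboxing systemd sets up, saying so would bound the rule when the generic solution is looked for.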
@@ -27,15 +36,19 @@ Index: fedora-policy-20220124/policy/modules/system/init.te sysnet_read_dhcpc_state(init_t) - optional_policy(` -+ networkmanager_initrc_read_lnk_files(init_t) ++# bsc#1197610, find a better, generic solution ++optional_policy(` ++ mta_getattr_spool(init_t) +') + +optional_policy(` ++ networkmanager_initrc_read_lnk_files(init_t) ++') ++ + optional_policy(` bootloader_domtrans(init_t) ') - -@@ -571,10 +579,10 @@ tunable_policy(`init_audit_control',` +@@ -573,10 +588,10 @@ tunable_policy(`init_audit_control',` allow init_t self:system all_system_perms; allow init_t self:system module_load; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -48,7 +61,7 @@ Index: fedora-policy-20220124/policy/modules/system/init.te allow init_t self:netlink_selinux_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; # Until systemd is fixed -@@ -633,6 +641,7 @@ files_delete_all_spool_sockets(init_t) +@@ -635,6 +650,7 @@ files_delete_all_spool_sockets(init_t) files_create_var_lib_dirs(init_t) files_create_var_lib_symlinks(init_t) files_read_var_lib_symlinks(init_t) @@ -56,7 +69,7 @@ Index: fedora-policy-20220124/policy/modules/system/init.te files_manage_urandom_seed(init_t) files_list_locks(init_t) files_list_spool(init_t) -@@ -669,7 +678,7 @@ fs_list_all(init_t) +@@ -672,7 +688,7 @@ fs_list_all(init_t) fs_list_auto_mountpoints(init_t) fs_register_binary_executable_type(init_t) fs_relabel_tmpfs_sock_file(init_t) @@ -65,7 +78,7 @@ Index: fedora-policy-20220124/policy/modules/system/init.te fs_relabel_cgroup_dirs(init_t) fs_search_cgroup_dirs(init_t) # for network namespaces -@@ -725,6 +734,7 @@ systemd_write_inherited_logind_sessions_ +@@ -728,6 +744,7 @@ systemd_write_inherited_logind_sessions_ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) create_dirs_pattern(init_t, var_log_t, var_log_t) 
@@ -73,7 +86,7 @@ Index: fedora-policy-20220124/policy/modules/system/init.te auth_use_nsswitch(init_t) auth_rw_login_records(init_t) -@@ -1571,6 +1581,8 @@ optional_policy(` +@@ -1578,6 +1595,8 @@ optional_policy(` optional_policy(` postfix_list_spool(initrc_t) diff --git a/fix_iptables.patch b/fix_iptables.patch index 6c71cb9..bb149fd 100644 --- a/fix_iptables.patch +++ b/fix_iptables.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20210309/policy/modules/system/iptables.te +Index: fedora-policy-20220428/policy/modules/system/iptables.te =================================================================== ---- fedora-policy-20210309.orig/policy/modules/system/iptables.te -+++ fedora-policy-20210309/policy/modules/system/iptables.te -@@ -74,6 +74,7 @@ kernel_read_network_state(iptables_t) +--- fedora-policy-20220428.orig/policy/modules/system/iptables.te ++++ fedora-policy-20220428/policy/modules/system/iptables.te +@@ -76,6 +76,7 @@ kernel_read_network_state(iptables_t) kernel_read_kernel_sysctls(iptables_t) kernel_use_fds(iptables_t) kernel_rw_net_sysctls(iptables_t) diff --git a/fix_kernel_sysctl.patch b/fix_kernel_sysctl.patch index 7fb1b7e..b32448e 100644 --- a/fix_kernel_sysctl.patch +++ b/fix_kernel_sysctl.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20220124/policy/modules/kernel/files.fc +Index: fedora-policy-20220428/policy/modules/kernel/files.fc =================================================================== ---- fedora-policy-20220124.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20220124/policy/modules/kernel/files.fc +--- fedora-policy-20220428.orig/policy/modules/kernel/files.fc ++++ fedora-policy-20220428/policy/modules/kernel/files.fc @@ -236,6 +236,8 @@ ifdef(`distro_redhat',` /usr/lib/ostree-boot(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr/lib/modules(/.*)/vmlinuz -- gen_context(system_u:object_r:usr_t,s0) 
@@ -11,11 +11,11 @@ Index: fedora-policy-20220124/policy/modules/kernel/files.fc /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -Index: fedora-policy-20220124/policy/modules/system/systemd.te +Index: fedora-policy-20220428/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20220124.orig/policy/modules/system/systemd.te -+++ fedora-policy-20220124/policy/modules/system/systemd.te -@@ -1037,6 +1037,8 @@ init_stream_connect(systemd_sysctl_t) +--- fedora-policy-20220428.orig/policy/modules/system/systemd.te ++++ fedora-policy-20220428/policy/modules/system/systemd.te +@@ -1052,6 +1052,8 @@ init_stream_connect(systemd_sysctl_t) logging_send_syslog_msg(systemd_sysctl_t) systemd_read_efivarfs(systemd_sysctl_t) diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch index 6dcab29..58e611c 100644 --- a/fix_networkmanager.patch +++ b/fix_networkmanager.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20211111/policy/modules/contrib/networkmanager.te +Index: fedora-policy-20220428/policy/modules/contrib/networkmanager.te =================================================================== ---- fedora-policy-20211111.orig/policy/modules/contrib/networkmanager.te -+++ fedora-policy-20211111/policy/modules/contrib/networkmanager.te -@@ -243,6 +243,9 @@ userdom_read_home_certs(NetworkManager_t +--- fedora-policy-20220428.orig/policy/modules/contrib/networkmanager.te ++++ fedora-policy-20220428/policy/modules/contrib/networkmanager.te +@@ -271,6 +271,9 @@ userdom_read_home_certs(NetworkManager_t userdom_read_user_home_content_files(NetworkManager_t) userdom_dgram_send(NetworkManager_t) @@ -12,7 +12,7 @@ Index: fedora-policy-20211111/policy/modules/contrib/networkmanager.te tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(NetworkManager_t) ') -@@ -260,6 +263,14 @@ optional_policy(` +@@ -288,6 +291,14 @@ optional_policy(` ') optional_policy(` 
@@ -27,10 +27,10 @@ Index: fedora-policy-20211111/policy/modules/contrib/networkmanager.te bind_domtrans(NetworkManager_t) bind_manage_cache(NetworkManager_t) bind_kill(NetworkManager_t) -Index: fedora-policy-20211111/policy/modules/contrib/networkmanager.if +Index: fedora-policy-20220428/policy/modules/contrib/networkmanager.if =================================================================== ---- fedora-policy-20211111.orig/policy/modules/contrib/networkmanager.if -+++ fedora-policy-20211111/policy/modules/contrib/networkmanager.if +--- fedora-policy-20220428.orig/policy/modules/contrib/networkmanager.if ++++ fedora-policy-20220428/policy/modules/contrib/networkmanager.if @@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ') diff --git a/fix_systemd.patch b/fix_systemd.patch index f923439..7b60e25 100644 --- a/fix_systemd.patch +++ b/fix_systemd.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20220124/policy/modules/system/systemd.te +Index: fedora-policy-20220428/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20220124.orig/policy/modules/system/systemd.te -+++ fedora-policy-20220124/policy/modules/system/systemd.te -@@ -353,6 +353,10 @@ userdom_manage_user_tmp_chr_files(system +--- fedora-policy-20220428.orig/policy/modules/system/systemd.te ++++ fedora-policy-20220428/policy/modules/system/systemd.te +@@ -355,6 +355,10 @@ userdom_manage_user_tmp_chr_files(system xserver_dbus_chat(systemd_logind_t) optional_policy(` @@ -13,7 +13,7 @@ Index: fedora-policy-20220124/policy/modules/system/systemd.te apache_read_tmp_files(systemd_logind_t) ') -@@ -868,6 +872,10 @@ optional_policy(` +@@ -882,6 +886,10 @@ optional_policy(` udev_read_pid_files(systemd_hostnamed_t) ') 
@@ -24,12 +24,3 @@ Index: fedora-policy-20220124/policy/modules/system/systemd.te ####################################### # # rfkill policy -@@ -1115,6 +1123,8 @@ optional_policy(` - udev_read_pid_files(systemd_gpt_generator_t) - ') - -+udev_read_pid_files(systemd_gpt_generator_t) -+ - ####################################### - # - # systemd_resolved domain diff --git a/fix_systemd_watch.patch b/fix_systemd_watch.patch index 8f6061d..75af5b6 100644 --- a/fix_systemd_watch.patch +++ b/fix_systemd_watch.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20220124/policy/modules/system/systemd.te +Index: fedora-policy-20220428/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20220124.orig/policy/modules/system/systemd.te -+++ fedora-policy-20220124/policy/modules/system/systemd.te -@@ -1421,6 +1421,12 @@ fstools_rw_swap_files(systemd_sleep_t) +--- fedora-policy-20220428.orig/policy/modules/system/systemd.te ++++ fedora-policy-20220428/policy/modules/system/systemd.te +@@ -1445,6 +1445,12 @@ fstools_rw_swap_files(systemd_sleep_t) storage_getattr_fixed_disk_dev(systemd_sleep_t) storage_getattr_removable_dev(systemd_sleep_t) diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch index 54458d4..82632fe 100644 --- a/fix_unconfineduser.patch +++ b/fix_unconfineduser.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20211111/policy/modules/roles/unconfineduser.te +Index: fedora-policy-20220509/policy/modules/roles/unconfineduser.te =================================================================== ---- fedora-policy-20211111.orig/policy/modules/roles/unconfineduser.te -+++ fedora-policy-20211111/policy/modules/roles/unconfineduser.te -@@ -122,6 +122,11 @@ tunable_policy(`unconfined_dyntrans_all' +--- fedora-policy-20220509.orig/policy/modules/roles/unconfineduser.te ++++ fedora-policy-20220509/policy/modules/roles/unconfineduser.te +@@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all' domain_dyntrans(unconfined_t) ') @@ -14,7 +14,7 @@ Index: fedora-policy-20211111/policy/modules/roles/unconfineduser.te optional_policy(` gen_require(` type unconfined_t; -@@ -208,6 +213,10 @@ optional_policy(` +@@ -210,6 +215,10 @@ optional_policy(` ') optional_policy(` @@ -25,7 +25,7 @@ Index: fedora-policy-20211111/policy/modules/roles/unconfineduser.te chrome_role_notrans(unconfined_r, unconfined_t) tunable_policy(`unconfined_chrome_sandbox_transition',` -@@ -242,6 +251,18 @@ optional_policy(` +@@ -244,6 +253,18 @@ optional_policy(` dbus_stub(unconfined_t) optional_policy(` @@ -44,14 +44,3 @@ Index: fedora-policy-20211111/policy/modules/roles/unconfineduser.te bluetooth_dbus_chat(unconfined_t) ') -@@ -305,6 +326,10 @@ optional_policy(` - ') - - optional_policy(` -+ libs_run_ldconfig(unconfined_t, unconfined_r) -+') -+ -+optional_policy(` - firstboot_run(unconfined_t, unconfined_r) - ') - diff --git a/fix_unprivuser.patch b/fix_unprivuser.patch index f23ba18..639da39 100644 --- a/fix_unprivuser.patch +++ b/fix_unprivuser.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20210628/policy/modules/roles/unprivuser.te +Index: fedora-policy-20220428/policy/modules/roles/unprivuser.te =================================================================== ---- fedora-policy-20210628.orig/policy/modules/roles/unprivuser.te -+++ fedora-policy-20210628/policy/modules/roles/unprivuser.te -@@ -287,6 +287,13 @@ ifndef(`distro_redhat',` +--- fedora-policy-20220428.orig/policy/modules/roles/unprivuser.te ++++ fedora-policy-20220428/policy/modules/roles/unprivuser.te +@@ -292,6 +292,13 @@ ifndef(`distro_redhat',` ') optional_policy(` diff --git a/fix_usermanage.patch b/fix_usermanage.patch index 391cc2f..a7d1bee 100644 --- a/fix_usermanage.patch +++ b/fix_usermanage.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20210309/policy/modules/admin/usermanage.te +Index: fedora-policy-20220428/policy/modules/admin/usermanage.te =================================================================== ---- fedora-policy-20210309.orig/policy/modules/admin/usermanage.te -+++ fedora-policy-20210309/policy/modules/admin/usermanage.te +--- fedora-policy-20220428.orig/policy/modules/admin/usermanage.te ++++ fedora-policy-20220428/policy/modules/admin/usermanage.te @@ -226,6 +226,7 @@ allow groupadd_t self:unix_dgram_socket allow groupadd_t self:unix_stream_socket create_stream_socket_perms; allow groupadd_t self:unix_dgram_socket sendto; @@ -10,7 +10,7 @@ Index: fedora-policy-20210309/policy/modules/admin/usermanage.te fs_getattr_xattr_fs(groupadd_t) fs_search_auto_mountpoints(groupadd_t) -@@ -529,6 +530,7 @@ allow useradd_t self:unix_dgram_socket c +@@ -538,6 +539,7 @@ allow useradd_t self:unix_dgram_socket c allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; 
@@ -18,7 +18,7 @@ Index: fedora-policy-20210309/policy/modules/admin/usermanage.te manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) -@@ -537,6 +539,8 @@ files_pid_filetrans(useradd_t, useradd_v +@@ -546,6 +548,8 @@ files_pid_filetrans(useradd_t, useradd_v # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) diff --git a/fix_wine.patch b/fix_wine.patch index 0a5f9d1..17698f2 100644 --- a/fix_wine.patch +++ b/fix_wine.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20210716/policy/modules/system/libraries.fc +Index: fedora-policy-20220428/policy/modules/system/libraries.fc =================================================================== ---- fedora-policy-20210716.orig/policy/modules/system/libraries.fc -+++ fedora-policy-20210716/policy/modules/system/libraries.fc +--- fedora-policy-20220428.orig/policy/modules/system/libraries.fc ++++ fedora-policy-20220428/policy/modules/system/libraries.fc @@ -90,7 +90,7 @@ ifdef(`distro_redhat',` /opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0) @@ -12,7 +12,7 @@ Index: fedora-policy-20210716/policy/modules/system/libraries.fc /opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -173,7 +173,8 @@ ifdef(`distro_redhat',` - /usr/lib/systemd/libsystemd-shared-[0-9]+\.so.* -- gen_context(system_u:object_r:lib_t,s0) + /usr/lib/systemd/libsystemd-.+\.so.* -- gen_context(system_u:object_r:lib_t,s0) /usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) -/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/selinux-policy.changes b/selinux-policy.changes index 709306f..dea6cfe 100644 --- a/selinux-policy.changes 
+++ b/selinux-policy.changes @@ -1,4 +1,44 @@ ------------------------------------------------------------------- +Fri May 20 13:46:47 UTC 2022 - Johannes Segitz + +- Update to version 20220520 to pass stricter 3.4 toolchain checks + +------------------------------------------------------------------- +Fri May 20 09:14:58 UTC 2022 - Johannes Segitz + +- Update to version 20220428. Refreshed: + * fix_apache.patch + * fix_hadoop.patch + * fix_init.patch + * fix_iptables.patch + * fix_kernel_sysctl.patch + * fix_networkmanager.patch + * fix_systemd.patch + * fix_systemd_watch.patch + * fix_unprivuser.patch + * fix_usermanage.patch + * fix_wine.patch + +------------------------------------------------------------------- +Thu May 19 12:25:31 UTC 2022 - Johannes Segitz +- Add fix_dnsmasq.patch to fix problems with virtualization on Microos + (bsc#1199518) + +------------------------------------------------------------------- +Tue May 3 13:18:38 UTC 2022 - Johannes Segitz + +- Modified fix_init.patch to allow init to setup contrained environment + for accountsservice. This needs a better, more general solution + (bsc#1197610) + +------------------------------------------------------------------- +Mon May 2 11:27:49 UTC 2022 - Johannes Segitz + +- Add systemd_domain_dyntrans_type.patch to allow systemd to dyntransition. + This happens in certain boot conditions (bsc#1182500) +- Changed fix_unconfineduser.patch to not transition into ldconfig_t + from unconfined_t (bsc#1197169) +------------------------------------------------------------------- Thu Feb 17 12:24:13 UTC 2022 - Klaus Kämpf - use %license tag for COPYING file diff --git a/selinux-policy.spec b/selinux-policy.spec index de4fa04..dc83c18 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -33,7 +33,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20220124 +Version: 20220520 Release: 0 Source: fedora-policy-%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc @@ -140,6 +140,8 @@ Patch055: fix_auditd.patch Patch056: fix_wine.patch Patch057: fix_hypervkvp.patch Patch058: fix_bitlbee.patch +Patch059: systemd_domain_dyntrans_type.patch +Patch060: fix_dnsmasq.patch Patch100: sedoctool.patch @@ -274,6 +276,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ %{_sharedstatedir}/selinux/%1/active/seusers \ %{_sharedstatedir}/selinux/%1/active/file_contexts \ %{_sharedstatedir}/selinux/%1/active/policy.kern \ +%{_sharedstatedir}/selinux/%1/active/modules_checksum \ %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ diff --git a/systemd_domain_dyntrans_type.patch b/systemd_domain_dyntrans_type.patch new file mode 100644 index 0000000..8376c95 --- /dev/null +++ b/systemd_domain_dyntrans_type.patch @@ -0,0 +1,13 @@ +Index: fedora-policy-20220124/policy/modules/system/init.te +=================================================================== +--- fedora-policy-20220124.orig/policy/modules/system/init.te ++++ fedora-policy-20220124/policy/modules/system/init.te +@@ -179,6 +179,8 @@ allow init_t self:tcp_socket { listen ac + allow init_t self:packet_socket create_socket_perms; + allow init_t self:key manage_key_perms; + allow init_t self:bpf { map_create map_read map_write prog_load prog_run }; ++domain_dyntrans_type(init_t) ++allow init_t self:process { dyntransition setcurrent }; + + # is ~sys_module really needed? observed: + # sys_boot diff --git a/users-minimum b/users-minimum index e49103c..8ccacae 100644 --- a/users-minimum +++ b/users-minimum 
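Review bot: The new systemd_domain_dyntrans_type.patch uses `Index: fedora-policy-20220124/...` headers while every other patch touched in this request is refreshed to fedora-policy-20220428 and the spec moves to 20220520; it still applies with the path prefix stripped, but the inconsistency will confuse the next refresh. The added `domain_dyntrans_type(init_t)` plus `allow init_t self:process { dyntransition setcurrent };` lets PID 1 change its own security context at runtime, and the only explanation is the changelog's "certain boot conditions (bsc#1182500)"; put that next to the rules, e.g. `# bsc#1182500: systemd dyntransitions in certain boot conditions`, following the bsc# comment style of fix_init.patch. Note that `self:process dyntransition` only enables the mechanism; the domains init can actually transition into come from other dyntransition rules not in this patch, so the commit should say which targets are intended. If `domain_dyntrans_type` already grants setcurrent through its attribute, as it does in refpolicy-derived trees, the explicit setcurrent here is redundant and could be dropped once confirmed.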
@@ -36,3 +36,4 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # not in the sysadm_r. # gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/users-mls b/users-mls index 4de9d57..167ba7c 100644 --- a/users-mls +++ b/users-mls @@ -36,3 +36,5 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # not in the sysadm_r. # gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(guest_u, user, guest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/users-targeted b/users-targeted index e49103c..e943336 100644 --- a/users-targeted +++ b/users-targeted @@ -36,3 +36,6 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) # not in the sysadm_r. # gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(guest_u, user, guest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) From c7da6b80c08971e342679810181cd8f408c1b2a2745e83cf9b6eab72014d1e4b Mon Sep 17 00:00:00 2001 
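Review bot: `gen_user(guest_u, …)` and `gen_user(xguest_u, …)` are added to users-mls and users-targeted but not to users-minimum, and `gen_user(unconfined_u, …)` to minimum and targeted but not mls, with nothing in the hunks saying why. A role named in gen_user has to be declared by a module enabled for that policy type or the build rejects it, so if this split mirrors which of the guest, xguest and unconfined modules each variant enables, a one-line comment above the new entries saying so would save the next refresh a build round. If the split is not intentional, the minimum variant is the one to check.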
From: Dominique Leuenberger Date: Sat, 25 Jun 2022 08:23:52 +0000 Subject: [PATCH 26/35] Accepting request 984856 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/984856 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=26 --- fedora-policy-20220520.tar.bz2 | 3 --- fedora-policy-20220624.tar.bz2 | 3 +++ fix_hadoop.patch | 30 ------------------------------ fix_init.patch | 22 +++++++++++----------- fix_kernel_sysctl.patch | 14 +++++++------- fix_locallogin.patch | 14 +++++++++++--- fix_logging.patch | 14 +++++++------- fix_networkmanager.patch | 16 ++++++++-------- fix_unprivuser.patch | 8 ++++---- selinux-policy.changes | 13 +++++++++++++ selinux-policy.spec | 3 +-- 11 files changed, 65 insertions(+), 75 deletions(-) delete mode 100644 fedora-policy-20220520.tar.bz2 create mode 100644 fedora-policy-20220624.tar.bz2 delete mode 100644 fix_hadoop.patch diff --git a/fedora-policy-20220520.tar.bz2 b/fedora-policy-20220520.tar.bz2 deleted file mode 100644 index 8523e23..0000000 --- a/fedora-policy-20220520.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:90d1df3189f84ff576e2bd3cf5bc504bac06037d3475ea1904d2b9eda9d164e7 -size 730405 diff --git a/fedora-policy-20220624.tar.bz2 b/fedora-policy-20220624.tar.bz2 new file mode 100644 index 0000000..19e65ab --- /dev/null +++ b/fedora-policy-20220624.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1cd368f29dfa53404b27e8cd3a055bf0a7f78214a4124b53b6ba616d00c7ff3e +size 731909 diff --git a/fix_hadoop.patch b/fix_hadoop.patch deleted file mode 100644 index 708fcb9..0000000 --- a/fix_hadoop.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -Index: fedora-policy-20220428/policy/modules/roles/sysadm.te -=================================================================== ---- fedora-policy-20220428.orig/policy/modules/roles/sysadm.te -+++ fedora-policy-20220428/policy/modules/roles/sysadm.te -@@ -315,10 +315,6 @@ optional_policy(` - ') - - optional_policy(` -- hadoop_role(sysadm_r, sysadm_t) --') -- --optional_policy(` - iotop_run(sysadm_t, sysadm_r) - ') - -Index: fedora-policy-20220428/policy/modules/roles/unprivuser.te -=================================================================== ---- fedora-policy-20220428.orig/policy/modules/roles/unprivuser.te -+++ fedora-policy-20220428/policy/modules/roles/unprivuser.te -@@ -210,10 +210,6 @@ ifndef(`distro_redhat',` - ') - - optional_policy(` -- hadoop_role(user_r, user_t) -- ') -- -- optional_policy(` - irc_role(user_r, user_t) - ') - diff --git a/fix_init.patch b/fix_init.patch index f209bdb..239c74b 100644 --- a/fix_init.patch +++ b/fix_init.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20220428/policy/modules/system/init.te +Index: fedora-policy-20220624/policy/modules/system/init.te =================================================================== ---- fedora-policy-20220428.orig/policy/modules/system/init.te -+++ fedora-policy-20220428/policy/modules/system/init.te +--- fedora-policy-20220624.orig/policy/modules/system/init.te ++++ fedora-policy-20220624/policy/modules/system/init.te @@ -187,6 +187,8 @@ allow init_t self:bpf { map_create map_r # setuid (from /sbin/shutdown) # sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot() @@ -28,7 +28,7 @@ Index: fedora-policy-20220428/policy/modules/system/init.te seutil_read_config(init_t) seutil_read_login_config(init_t) -@@ -446,9 +451,19 @@ ifdef(`distro_redhat',` +@@ -448,9 +453,19 @@ ifdef(`distro_redhat',` corecmd_shell_domtrans(init_t, initrc_t) storage_raw_rw_fixed_disk(init_t) 
@@ -46,9 +46,9 @@ Index: fedora-policy-20220428/policy/modules/system/init.te +') + optional_policy(` - bootloader_domtrans(init_t) - ') -@@ -573,10 +588,10 @@ tunable_policy(`init_audit_control',` + anaconda_stream_connect(init_t) + anaconda_create_unix_stream_sockets(init_t) +@@ -580,10 +595,10 @@ tunable_policy(`init_audit_control',` allow init_t self:system all_system_perms; allow init_t self:system module_load; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -61,7 +61,7 @@ Index: fedora-policy-20220428/policy/modules/system/init.te allow init_t self:netlink_selinux_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; # Until systemd is fixed -@@ -635,6 +650,7 @@ files_delete_all_spool_sockets(init_t) +@@ -642,6 +657,7 @@ files_delete_all_spool_sockets(init_t) files_create_var_lib_dirs(init_t) files_create_var_lib_symlinks(init_t) files_read_var_lib_symlinks(init_t) @@ -69,7 +69,7 @@ Index: fedora-policy-20220428/policy/modules/system/init.te files_manage_urandom_seed(init_t) files_list_locks(init_t) files_list_spool(init_t) -@@ -672,7 +688,7 @@ fs_list_all(init_t) +@@ -679,7 +695,7 @@ fs_list_all(init_t) fs_list_auto_mountpoints(init_t) fs_register_binary_executable_type(init_t) fs_relabel_tmpfs_sock_file(init_t) @@ -78,7 +78,7 @@ Index: fedora-policy-20220428/policy/modules/system/init.te fs_relabel_cgroup_dirs(init_t) fs_search_cgroup_dirs(init_t) # for network namespaces -@@ -728,6 +744,7 @@ systemd_write_inherited_logind_sessions_ +@@ -735,6 +751,7 @@ systemd_write_inherited_logind_sessions_ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) create_dirs_pattern(init_t, var_log_t, var_log_t) @@ -86,7 +86,7 @@ Index: fedora-policy-20220428/policy/modules/system/init.te auth_use_nsswitch(init_t) auth_rw_login_records(init_t) -@@ -1578,6 +1595,8 @@ optional_policy(` +@@ -1589,6 +1606,8 @@ optional_policy(` optional_policy(` postfix_list_spool(initrc_t) 
diff --git a/fix_kernel_sysctl.patch b/fix_kernel_sysctl.patch index b32448e..bd4527a 100644 --- a/fix_kernel_sysctl.patch +++ b/fix_kernel_sysctl.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20220428/policy/modules/kernel/files.fc +Index: fedora-policy-20220624/policy/modules/kernel/files.fc =================================================================== ---- fedora-policy-20220428.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20220428/policy/modules/kernel/files.fc -@@ -236,6 +236,8 @@ ifdef(`distro_redhat',` +--- fedora-policy-20220624.orig/policy/modules/kernel/files.fc ++++ fedora-policy-20220624/policy/modules/kernel/files.fc +@@ -242,6 +242,8 @@ ifdef(`distro_redhat',` /usr/lib/ostree-boot(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr/lib/modules(/.*)/vmlinuz -- gen_context(system_u:object_r:usr_t,s0) /usr/lib/modules(/.*)/initramfs.img -- gen_context(system_u:object_r:usr_t,s0) @@ -11,10 +11,10 @@ Index: fedora-policy-20220428/policy/modules/kernel/files.fc /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -Index: fedora-policy-20220428/policy/modules/system/systemd.te +Index: fedora-policy-20220624/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20220428.orig/policy/modules/system/systemd.te -+++ fedora-policy-20220428/policy/modules/system/systemd.te +--- fedora-policy-20220624.orig/policy/modules/system/systemd.te ++++ fedora-policy-20220624/policy/modules/system/systemd.te @@ -1052,6 +1052,8 @@ init_stream_connect(systemd_sysctl_t) logging_send_syslog_msg(systemd_sysctl_t) diff --git a/fix_locallogin.patch b/fix_locallogin.patch index 6247e22..cdee73c 100644 --- a/fix_locallogin.patch +++ b/fix_locallogin.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy/policy/modules/system/locallogin.te +Index: fedora-policy-20220624/policy/modules/system/locallogin.te =================================================================== ---- fedora-policy.orig/policy/modules/system/locallogin.te 2020-02-19 09:36:25.440182406 +0000 -+++ fedora-policy/policy/modules/system/locallogin.te 2020-02-21 08:52:35.961803038 +0000 +--- fedora-policy-20220624.orig/policy/modules/system/locallogin.te ++++ fedora-policy-20220624/policy/modules/system/locallogin.te @@ -63,6 +63,7 @@ kernel_read_system_state(local_login_t) kernel_read_kernel_sysctls(local_login_t) kernel_search_key(local_login_t) @@ -10,3 +10,11 @@ Index: fedora-policy/policy/modules/system/locallogin.te corecmd_list_bin(local_login_t) corecmd_read_bin_symlinks(local_login_t) +@@ -137,6 +138,7 @@ auth_rw_faillog(local_login_t) + auth_manage_pam_console_data(local_login_t) + auth_domtrans_pam_console(local_login_t) + auth_use_nsswitch(local_login_t) ++auth_read_shadow(local_login_t) + + init_dontaudit_use_fds(local_login_t) + init_stream_connect(local_login_t) diff --git a/fix_logging.patch b/fix_logging.patch index 0ae3fec..8a74cb7 100644 --- a/fix_logging.patch +++ b/fix_logging.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20211111/policy/modules/system/logging.fc +Index: fedora-policy-20220624/policy/modules/system/logging.fc =================================================================== ---- fedora-policy-20211111.orig/policy/modules/system/logging.fc -+++ fedora-policy-20211111/policy/modules/system/logging.fc +--- fedora-policy-20220624.orig/policy/modules/system/logging.fc ++++ fedora-policy-20220624/policy/modules/system/logging.fc @@ -3,6 +3,8 @@ /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) 
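Review bot: The new hunk in fix_locallogin.patch adds `auth_read_shadow(local_login_t)`, giving the login program direct read access to shadow_t, and carries no comment; the rationale (nss-systemd, bsc#1199630) is only in the changelog. Add `# bsc#1199630: nss-systemd` above the added line, matching the bsc# comments used in fix_init.patch. It is also worth confirming that the observed denial is a shadow_t read by local_login_t itself and not something the PAM helper path already covers, since direct shadow access is a rule that should stay narrowly justified.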
@@ -19,11 +19,11 @@ Index: fedora-policy-20211111/policy/modules/system/logging.fc /var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) -Index: fedora-policy-20211111/policy/modules/system/logging.if +Index: fedora-policy-20220624/policy/modules/system/logging.if =================================================================== ---- fedora-policy-20211111.orig/policy/modules/system/logging.if -+++ fedora-policy-20211111/policy/modules/system/logging.if -@@ -1787,3 +1787,22 @@ interface(`logging_dgram_send',` +--- fedora-policy-20220624.orig/policy/modules/system/logging.if ++++ fedora-policy-20220624/policy/modules/system/logging.if +@@ -1788,3 +1788,22 @@ interface(`logging_dgram_send',` allow $1 syslogd_t:unix_dgram_socket sendto; ') diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch index 58e611c..1a58fe3 100644 --- a/fix_networkmanager.patch +++ b/fix_networkmanager.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20220428/policy/modules/contrib/networkmanager.te +Index: fedora-policy-20220624/policy/modules/contrib/networkmanager.te =================================================================== ---- fedora-policy-20220428.orig/policy/modules/contrib/networkmanager.te -+++ fedora-policy-20220428/policy/modules/contrib/networkmanager.te -@@ -271,6 +271,9 @@ userdom_read_home_certs(NetworkManager_t +--- fedora-policy-20220624.orig/policy/modules/contrib/networkmanager.te ++++ fedora-policy-20220624/policy/modules/contrib/networkmanager.te +@@ -276,6 +276,9 @@ userdom_read_home_certs(NetworkManager_t userdom_read_user_home_content_files(NetworkManager_t) userdom_dgram_send(NetworkManager_t) 
@@ -12,7 +12,7 @@ Index: fedora-policy-20220428/policy/modules/contrib/networkmanager.te tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(NetworkManager_t) ') -@@ -288,6 +291,14 @@ optional_policy(` +@@ -293,6 +296,14 @@ optional_policy(` ') optional_policy(` @@ -27,10 +27,10 @@ Index: fedora-policy-20220428/policy/modules/contrib/networkmanager.te bind_domtrans(NetworkManager_t) bind_manage_cache(NetworkManager_t) bind_kill(NetworkManager_t) -Index: fedora-policy-20220428/policy/modules/contrib/networkmanager.if +Index: fedora-policy-20220624/policy/modules/contrib/networkmanager.if =================================================================== ---- fedora-policy-20220428.orig/policy/modules/contrib/networkmanager.if -+++ fedora-policy-20220428/policy/modules/contrib/networkmanager.if +--- fedora-policy-20220624.orig/policy/modules/contrib/networkmanager.if ++++ fedora-policy-20220624/policy/modules/contrib/networkmanager.if @@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ') diff --git a/fix_unprivuser.patch b/fix_unprivuser.patch index 639da39..646fcde 100644 --- a/fix_unprivuser.patch +++ b/fix_unprivuser.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20220428/policy/modules/roles/unprivuser.te +Index: fedora-policy-20220624/policy/modules/roles/unprivuser.te =================================================================== ---- fedora-policy-20220428.orig/policy/modules/roles/unprivuser.te -+++ fedora-policy-20220428/policy/modules/roles/unprivuser.te -@@ -292,6 +292,13 @@ ifndef(`distro_redhat',` +--- fedora-policy-20220624.orig/policy/modules/roles/unprivuser.te ++++ fedora-policy-20220624/policy/modules/roles/unprivuser.te +@@ -296,6 +296,13 @@ ifndef(`distro_redhat',` ') optional_policy(` diff --git a/selinux-policy.changes b/selinux-policy.changes index dea6cfe..170fbc2 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
@@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Fri Jun 24 06:32:55 UTC 2022 - Johannes Segitz + +- Update to version 20220624. Refreshed: + * fix_init.patch + * fix_kernel_sysctl.patch + * fix_logging.patch + * fix_networkmanager.patch + * fix_unprivuser.patch + Dropped fix_hadoop.patch, not necessary anymore +* Updated fix_locallogin.patch to allow accesses for nss-systemd + (bsc#1199630) + ------------------------------------------------------------------- Fri May 20 13:46:47 UTC 2022 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index dc83c18..0280976 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -33,7 +33,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20220520 +Version: 20220624 Release: 0 Source: fedora-policy-%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc @@ -88,7 +88,6 @@ Source131: rebootmgr.fc Patch001: fix_djbdns.patch Patch002: fix_dbus.patch Patch004: fix_java.patch -Patch005: fix_hadoop.patch Patch006: fix_thunderbird.patch Patch007: fix_postfix.patch Patch008: fix_nscd.patch From ffb5e7da5e40fc47a8684181ea6b68634b3cf948bf70b1b76d27cc150d274ba3 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Wed, 13 Jul 2022 12:55:54 +0000 Subject: [PATCH 27/35] Accepting request 988936 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/988936 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=27 --- fix_postfix.patch | 25 +++++++++++++++++-------- fix_systemd.patch | 24 +++++++++++++++++++++--- fix_userdomain.patch | 12 ++++++++++++ selinux-policy.changes | 16 ++++++++++++++++ selinux-policy.spec | 1 + 5 files changed, 67 insertions(+), 11 deletions(-) create mode 100644 fix_userdomain.patch diff --git a/fix_postfix.patch b/fix_postfix.patch index 3f9b14f..e068681 100644 --- a/fix_postfix.patch +++ b/fix_postfix.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy/policy/modules/contrib/postfix.fc +Index: fedora-policy-20220624/policy/modules/contrib/postfix.fc =================================================================== ---- fedora-policy.orig/policy/modules/contrib/postfix.fc -+++ fedora-policy/policy/modules/contrib/postfix.fc -@@ -1,37 +1,20 @@ +--- fedora-policy-20220624.orig/policy/modules/contrib/postfix.fc ++++ fedora-policy-20220624/policy/modules/contrib/postfix.fc +@@ -1,37 +1,21 @@ # postfix -/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) -/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0) @@ -41,6 +41,7 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc +/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0) +/etc/postfix/chroot-update -- gen_context(system_u:object_r:postfix_exec_t,s0) +/usr/lib/postfix/bin/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) ++/usr/lib/postfix/systemd/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) +/usr/lib/postfix/bin/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) +/usr/lib/postfix/bin/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) +/usr/lib/postfix/bin/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) @@ -56,7 +57,7 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -@@ -45,6 +28,9 @@ ifdef(`distro_redhat', ` +@@ -45,13 +29,16 @@ ifdef(`distro_redhat', ` /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0) /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0) 
@@ -66,10 +67,18 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc /var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0) /var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0) -Index: fedora-policy/policy/modules/contrib/postfix.te + /var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) + /var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) + /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) +-/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) ++/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0) + /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) + /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) + /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) +Index: fedora-policy-20220624/policy/modules/contrib/postfix.te =================================================================== ---- fedora-policy.orig/policy/modules/contrib/postfix.te -+++ fedora-policy/policy/modules/contrib/postfix.te +--- fedora-policy-20220624.orig/policy/modules/contrib/postfix.te ++++ fedora-policy-20220624/policy/modules/contrib/postfix.te @@ -447,6 +447,14 @@ logging_send_syslog_msg(postfix_map_t) userdom_use_inherited_user_ptys(postfix_map_t) diff --git a/fix_systemd.patch b/fix_systemd.patch index 7b60e25..867f7e0 100644 --- a/fix_systemd.patch +++ b/fix_systemd.patch 
@@ -1,7 +1,7 @@
-Index: fedora-policy-20220428/policy/modules/system/systemd.te
+Index: fedora-policy-20220624/policy/modules/system/systemd.te
 ===================================================================
---- fedora-policy-20220428.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20220428/policy/modules/system/systemd.te
+--- fedora-policy-20220624.orig/policy/modules/system/systemd.te
++++ fedora-policy-20220624/policy/modules/system/systemd.te
 @@ -355,6 +355,10 @@ userdom_manage_user_tmp_chr_files(system
 
 xserver_dbus_chat(systemd_logind_t)
@@ -24,3 +24,21 @@ Index: fedora-policy-20220428/policy/modules/system/systemd.te
 #######################################
 #
 # rfkill policy
+@@ -1105,7 +1113,7 @@ systemd_read_efivarfs(systemd_hwdb_t)
+ # systemd_gpt_generator domain
+ #
+ 
+-allow systemd_gpt_generator_t self:capability sys_rawio;
++allow systemd_gpt_generator_t self:capability { sys_rawio sys_admin};
+ allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ dev_read_sysfs(systemd_gpt_generator_t)
+@@ -1127,6 +1135,8 @@ systemd_unit_file_filetrans(systemd_gpt_
+ systemd_create_unit_file_dirs(systemd_gpt_generator_t)
+ systemd_create_unit_file_lnk(systemd_gpt_generator_t)
+ 
++kernel_dgram_send(systemd_gpt_generator_t)
++
+ optional_policy(`
+ udev_read_pid_files(systemd_gpt_generator_t)
+ ')
diff --git a/fix_userdomain.patch b/fix_userdomain.patch
new file mode 100644
index 0000000..6691ad8
--- /dev/null
+++ b/fix_userdomain.patch
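Review bot: The rewritten rule `++allow systemd_gpt_generator_t self:capability { sys_rawio sys_admin};` in the second hunk of fix_systemd.patch is missing the space before the closing brace; the refpolicy set form is `{ sys_rawio sys_admin }`. More importantly, sys_admin is the broadest capability there is, so the rule should carry a comment naming the operation the generator needs it for — the .changes entry only cites bsc#1200911 — e.g. `# sys_admin: <operation from the audit denial> needed by systemd-gpt-auto-generator (bsc#1200911)` with the placeholder filled in. The added `kernel_dgram_send(systemd_gpt_generator_t)` is unremarkable. Both inner hunks are fragments of systemd.te, so the rest of the systemd_gpt_generator_t block is outside this view.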
@@ -0,0 +1,12 @@
+Index: fedora-policy-20220624/policy/modules/system/userdomain.if
+===================================================================
+--- fedora-policy-20220624.orig/policy/modules/system/userdomain.if
++++ fedora-policy-20220624/policy/modules/system/userdomain.if
+@@ -1497,6 +1497,7 @@ tunable_policy(`deny_bluetooth',`',`
+ 
+ # port access is audited even if dac would not have allowed it, so dontaudit it here
+ # corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
++ corenet_dontaudit_udp_bind_all_rpc_ports($1_t)
+ # Need the following rule to allow users to run vpnc
+ corenet_tcp_bind_xserver_port($1_t)
+ corenet_tcp_bind_generic_node($1_usertype)
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 170fbc2..6d8445d 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Jul 13 07:48:41 UTC 2022 - Johannes Segitz
+
+- Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for
+ systemd_gpt_generator_t (bsc#1200911)
+
+-------------------------------------------------------------------
+Mon Jul 11 13:45:04 UTC 2022 - Johannes Segitz
+
+- postfix: Label PID files and some helpers correctly (bsc#1197242)
+
+-------------------------------------------------------------------
+Fri Jun 24 12:51:40 UTC 2022 - Johannes Segitz
+
+- Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)
+
 -------------------------------------------------------------------
 Fri Jun 24 06:32:55 UTC 2022 - Johannes Segitz
 
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0280976..5d3dfa9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
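Review bot: The new `corenet_dontaudit_udp_bind_all_rpc_ports($1_t)` line in fix_userdomain.patch sits under a comment that explains the neighbouring, commented-out tcp rule, but nothing records why user domains attempt UDP binds to RPC ports or that the bind is expected to fail harmlessly; a dontaudit only hides the denial, so if the bind has to succeed for the reported case this will not fix it. A short comment, `# user processes try to bind udp rpc ports; presumed harmless, silence the denial (bsc#1193984)`, would keep that decision in the patch rather than only in .changes. The enclosing template in userdomain.if starts outside the hunk (the `tunable_policy(`deny_bluetooth'` text in the inner hunk header is only git's nearest-context line), so which user template this lands in is not visible here.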
@@ -141,6 +141,7 @@ Patch057: fix_hypervkvp.patch Patch058: fix_bitlbee.patch Patch059: systemd_domain_dyntrans_type.patch Patch060: fix_dnsmasq.patch +Patch061: fix_userdomain.patch Patch100: sedoctool.patch From 9a0c018a4eb5862d820c61cd5719fc6996187a245cbb21ba04068c27207b1563 Mon Sep 17 00:00:00 2001 From: Richard Brown Date: Mon, 18 Jul 2022 16:32:44 +0000 Subject: [PATCH 28/35] Accepting request 989143 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/989143 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=28 --- fedora-policy-20220624.tar.bz2 | 3 --- fedora-policy-20220714.tar.bz2 | 3 +++ fix_init.patch | 16 ++++++++-------- fix_systemd_watch.patch | 8 ++++---- selinux-policy.changes | 7 +++++++ selinux-policy.spec | 2 +- 6 files changed, 23 insertions(+), 16 deletions(-) delete mode 100644 fedora-policy-20220624.tar.bz2 create mode 100644 fedora-policy-20220714.tar.bz2 diff --git a/fedora-policy-20220624.tar.bz2 b/fedora-policy-20220624.tar.bz2 deleted file mode 100644 index 19e65ab..0000000 --- a/fedora-policy-20220624.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:1cd368f29dfa53404b27e8cd3a055bf0a7f78214a4124b53b6ba616d00c7ff3e -size 731909 diff --git a/fedora-policy-20220714.tar.bz2 b/fedora-policy-20220714.tar.bz2 new file mode 100644 index 0000000..e44436d --- /dev/null +++ b/fedora-policy-20220714.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dc7e16b718c4b36fc790d0e55a41fb18226a17e8b5e079afe127e611d16276a9 +size 731294 diff --git a/fix_init.patch b/fix_init.patch index 239c74b..baf4749 100644 --- a/fix_init.patch +++ b/fix_init.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy-20220624/policy/modules/system/init.te +Index: fedora-policy-20220714/policy/modules/system/init.te =================================================================== ---- fedora-policy-20220624.orig/policy/modules/system/init.te -+++ fedora-policy-20220624/policy/modules/system/init.te +--- fedora-policy-20220714.orig/policy/modules/system/init.te ++++ fedora-policy-20220714/policy/modules/system/init.te @@ -187,6 +187,8 @@ allow init_t self:bpf { map_create map_r # setuid (from /sbin/shutdown) # sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot() @@ -48,7 +48,7 @@ Index: fedora-policy-20220624/policy/modules/system/init.te optional_policy(` anaconda_stream_connect(init_t) anaconda_create_unix_stream_sockets(init_t) -@@ -580,10 +595,10 @@ tunable_policy(`init_audit_control',` +@@ -581,10 +596,10 @@ tunable_policy(`init_audit_control',` allow init_t self:system all_system_perms; allow init_t self:system module_load; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -61,7 +61,7 @@ Index: fedora-policy-20220624/policy/modules/system/init.te allow init_t self:netlink_selinux_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; # Until systemd is fixed -@@ -642,6 +657,7 @@ files_delete_all_spool_sockets(init_t) +@@ -643,6 +658,7 @@ files_delete_all_spool_sockets(init_t) files_create_var_lib_dirs(init_t) files_create_var_lib_symlinks(init_t) files_read_var_lib_symlinks(init_t) @@ -69,7 +69,7 @@ Index: fedora-policy-20220624/policy/modules/system/init.te files_manage_urandom_seed(init_t) files_list_locks(init_t) files_list_spool(init_t) -@@ -679,7 +695,7 @@ fs_list_all(init_t) +@@ -680,7 +696,7 @@ fs_list_all(init_t) fs_list_auto_mountpoints(init_t) fs_register_binary_executable_type(init_t) fs_relabel_tmpfs_sock_file(init_t) 
@@ -78,7 +78,7 @@ Index: fedora-policy-20220624/policy/modules/system/init.te fs_relabel_cgroup_dirs(init_t) fs_search_cgroup_dirs(init_t) # for network namespaces -@@ -735,6 +751,7 @@ systemd_write_inherited_logind_sessions_ +@@ -736,6 +752,7 @@ systemd_write_inherited_logind_sessions_ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) create_dirs_pattern(init_t, var_log_t, var_log_t) @@ -86,7 +86,7 @@ Index: fedora-policy-20220624/policy/modules/system/init.te auth_use_nsswitch(init_t) auth_rw_login_records(init_t) -@@ -1589,6 +1606,8 @@ optional_policy(` +@@ -1590,6 +1607,8 @@ optional_policy(` optional_policy(` postfix_list_spool(initrc_t) diff --git a/fix_systemd_watch.patch b/fix_systemd_watch.patch index 75af5b6..9c5f4ad 100644 --- a/fix_systemd_watch.patch +++ b/fix_systemd_watch.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20220428/policy/modules/system/systemd.te +Index: fedora-policy-20220714/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20220428.orig/policy/modules/system/systemd.te -+++ fedora-policy-20220428/policy/modules/system/systemd.te -@@ -1445,6 +1445,12 @@ fstools_rw_swap_files(systemd_sleep_t) +--- fedora-policy-20220714.orig/policy/modules/system/systemd.te ++++ fedora-policy-20220714/policy/modules/system/systemd.te +@@ -1447,6 +1447,12 @@ fstools_rw_swap_files(systemd_sleep_t) storage_getattr_fixed_disk_dev(systemd_sleep_t) storage_getattr_removable_dev(systemd_sleep_t) diff --git a/selinux-policy.changes b/selinux-policy.changes index 6d8445d..f3789d1 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jul 14 08:44:12 UTC 2022 - Johannes Segitz
+
+- Update to version 20220714. Refreshed:
+ * fix_init.patch
+ * fix_systemd_watch.patch
+
 -------------------------------------------------------------------
 Wed Jul 13 07:48:41 UTC 2022 - Johannes Segitz
 
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5d3dfa9..de1a77b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -33,7 +33,7 @@ Summary: SELinux policy configuration
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20220624
+Version: 20220714
 Release: 0
 Source: fedora-policy-%{version}.tar.bz2
 Source1: selinux-policy-rpmlintrc
From 954309bfb4173d9c7721109e5ff81be2e8c9a87eb05dba07882e7f605f2f9e2b Mon Sep 17 00:00:00 2001
From: Richard Brown
Date: Fri, 29 Jul 2022 14:47:11 +0000
Subject: [PATCH 29/35] Accepting request 991558 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/991558
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=29
---
 fix_cloudform.patch | 13 +++++++++++++
 fix_networkmanager.patch | 21 +++++++++++++++------
 selinux-policy.changes | 13 +++++++++++++
 selinux-policy.spec | 1 +
 4 files changed, 42 insertions(+), 6 deletions(-)
 create mode 100644 fix_cloudform.patch
diff --git a/fix_cloudform.patch b/fix_cloudform.patch
new file mode 100644
index 0000000..cac7161
--- /dev/null
+++ b/fix_cloudform.patch
@@ -0,0 +1,13 @@
+Index: fedora-policy/policy/modules/contrib/cloudform.te
+===================================================================
+--- cloudform.te 2022-07-18 14:06:56.735383426 +0200
++++ cloudform.te.new 2022-07-18 14:07:36.003069544 +0200
+@@ -81,6 +81,8 @@
+ 
+ init_dbus_chat(cloud_init_t)
+ 
++snapper_dbus_chat(cloud_init_t)
++
+ kernel_read_network_state(cloud_init_t)
+ 
+ corenet_tcp_connect_http_port(cloud_init_t)
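Review bot: The new fix_cloudform.patch carries bare-filename headers with timestamps, `--- cloudform.te 2022-07-18 ...` / `+++ cloudform.te.new 2022-07-18 ...`, unlike every other patch in this series, which uses `fedora-policy-<version>.orig/policy/modules/...` paths (compare fix_userdomain.patch added two commits earlier). Whether `%patch` locates the target from the `Index:` line or from the `---`/`+++` paths depends on the patch invocation in the spec, which is outside this hunk, so regenerating the file with the same tooling as the others (a quilt refresh against the unpacked tarball) removes that dependency. The `Index:` line also lacks the version suffix, `fedora-policy/` where the other patches in this commit say `fedora-policy-20220714/`, which will make the next refresh of the series inconsistent.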
diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch index 1a58fe3..1db6e5c 100644 --- a/fix_networkmanager.patch +++ b/fix_networkmanager.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20220624/policy/modules/contrib/networkmanager.te +Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.te =================================================================== ---- fedora-policy-20220624.orig/policy/modules/contrib/networkmanager.te -+++ fedora-policy-20220624/policy/modules/contrib/networkmanager.te +--- fedora-policy-20220714.orig/policy/modules/contrib/networkmanager.te ++++ fedora-policy-20220714/policy/modules/contrib/networkmanager.te @@ -276,6 +276,9 @@ userdom_read_home_certs(NetworkManager_t userdom_read_user_home_content_files(NetworkManager_t) userdom_dgram_send(NetworkManager_t) @@ -27,10 +27,19 @@ Index: fedora-policy-20220624/policy/modules/contrib/networkmanager.te bind_domtrans(NetworkManager_t) bind_manage_cache(NetworkManager_t) bind_kill(NetworkManager_t) -Index: fedora-policy-20220624/policy/modules/contrib/networkmanager.if +@@ -420,6 +431,8 @@ optional_policy(` + nscd_kill(NetworkManager_t) + nscd_initrc_domtrans(NetworkManager_t) + nscd_systemctl(NetworkManager_t) ++ nscd_socket_use(NetworkManager_dispatcher_tlp_t) ++ nscd_socket_use(NetworkManager_dispatcher_custom_t) + ') + + optional_policy(` +Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.if =================================================================== ---- fedora-policy-20220624.orig/policy/modules/contrib/networkmanager.if -+++ fedora-policy-20220624/policy/modules/contrib/networkmanager.if +--- fedora-policy-20220714.orig/policy/modules/contrib/networkmanager.if ++++ fedora-policy-20220714/policy/modules/contrib/networkmanager.if @@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ') 
diff --git a/selinux-policy.changes b/selinux-policy.changes index f3789d1..df20c31 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Wed Jul 27 14:00:55 UTC 2022 - Hu + +- fix_networkmanager.patch: Allow NetworkManager_dispatcher_tlp_t + and NetworkManager_dispatcher_custom_t to access nscd socket + (bsc#1201741) + +------------------------------------------------------------------- +Thu Jul 26 10:50:21 UTC 2022 - Zdenek Kubala + +- Add fix_cloudform.patch to fix cloud-init runcmd issue with snapper + (bnc#201015) + ------------------------------------------------------------------- Thu Jul 14 08:44:12 UTC 2022 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index de1a77b..6837667 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -142,6 +142,7 @@ Patch058: fix_bitlbee.patch Patch059: systemd_domain_dyntrans_type.patch Patch060: fix_dnsmasq.patch Patch061: fix_userdomain.patch +Patch062: fix_cloudform.patch Patch100: sedoctool.patch From 0e77232f8078e0b13479dab7c1bf3ea07205b09141bb8f52262de1c9435106db Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Thu, 25 Aug 2022 13:09:16 +0000 Subject: [PATCH 30/35] Accepting request 999231 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/999231 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=30 --- selinux-policy.changes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/selinux-policy.changes b/selinux-policy.changes index df20c31..79c27ca 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
@@ -9,7 +9,7 @@ Wed Jul 27 14:00:55 UTC 2022 - Hu
 Thu Jul 26 10:50:21 UTC 2022 - Zdenek Kubala
 
 - Add fix_cloudform.patch to fix cloud-init runcmd issue with snapper
- (bnc#201015)
+ (bnc#1201015)
 
 -------------------------------------------------------------------
 Thu Jul 14 08:44:12 UTC 2022 - Johannes Segitz
From c7c129e00fc1049e3725df1e08d60a23276640f93734813225812dc4fda085b9 Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Sat, 3 Sep 2022 21:18:36 +0000
Subject: [PATCH 31/35] Accepting request 1000830 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/1000830
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=31
---
 selinux-policy.changes | 5 +++++
 selinux-policy.spec | 1 +
 2 files changed, 6 insertions(+)
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 79c27ca..e53d771 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Aug 26 06:08:23 UTC 2022 - Thorsten Kukuk
+
+- Move SUSE directory from manual page section to html docu
+
 -------------------------------------------------------------------
 Wed Jul 27 14:00:55 UTC 2022 - Hu
 
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6837667..bacbf24 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -482,6 +482,7 @@ install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/ install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/ %{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot} mkdir %{buildroot}%{_datadir}/selinux/devel/html +mv %{buildroot}%{_datadir}/man/man8/SUSE %{buildroot}%{_datadir}/selinux/devel/html mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html rm %{buildroot}%{_mandir}/man8/container_selinux.8* From 3fb2472fe52ac0cab12afebc3d3fffd618fa6ebaf2c90cb3e4c9c0bc183e5986 Mon Sep 17 00:00:00 2001 From: Richard Brown Date: Fri, 30 Sep 2022 15:57:06 +0000 Subject: [PATCH 32/35] Accepting request 1007016 from security:SELinux - Update fix_networkmanager.patch to ensure NetworkManager chrony dispatcher is properly labeled and update fix_chronyd.patch to ensure chrony helper script has proper label to be used by NetworkManager. Also allow NetworkManager_dispatcher_custom_t to query systemd status (bsc#1203824) - Update fix_xserver.patch to add greetd support (bsc#1198559) - Revamped rtorrent module OBS-URL: https://build.opensuse.org/request/show/1007016 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=32 --- fix_chronyd.patch | 15 ++++--- fix_networkmanager.patch | 20 +++++++++ fix_xserver.patch | 39 ++++++++++++++--- rtorrent.fc | 2 +- rtorrent.if | 94 +++++++++++++++++----------------- rtorrent.te | 85 ++++++++++++++++++------------------ selinux-policy.changes | 19 ++++++++ 7 files changed, 163 insertions(+), 111 deletions(-) diff --git a/fix_chronyd.patch b/fix_chronyd.patch index 4ec73ce..a4daca5 100644 --- a/fix_chronyd.patch +++ b/fix_chronyd.patch
@@ -1,7 +1,7 @@ -Index: fedora-policy-20211111/policy/modules/contrib/chronyd.te +Index: fedora-policy-20220714/policy/modules/contrib/chronyd.te =================================================================== ---- fedora-policy-20211111.orig/policy/modules/contrib/chronyd.te -+++ fedora-policy-20211111/policy/modules/contrib/chronyd.te +--- fedora-policy-20220714.orig/policy/modules/contrib/chronyd.te ++++ fedora-policy-20220714/policy/modules/contrib/chronyd.te @@ -141,6 +141,14 @@ systemd_exec_systemctl(chronyd_t) userdom_dgram_send(chronyd_t) @@ -17,15 +17,16 @@ Index: fedora-policy-20211111/policy/modules/contrib/chronyd.te cron_dgram_send(chronyd_t) ') -Index: fedora-policy-20211111/policy/modules/contrib/chronyd.fc +Index: fedora-policy-20220714/policy/modules/contrib/chronyd.fc =================================================================== ---- fedora-policy-20211111.orig/policy/modules/contrib/chronyd.fc -+++ fedora-policy-20211111/policy/modules/contrib/chronyd.fc -@@ -6,6 +6,7 @@ +--- fedora-policy-20220714.orig/policy/modules/contrib/chronyd.fc ++++ fedora-policy-20220714/policy/modules/contrib/chronyd.fc +@@ -6,6 +6,8 @@ /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) /usr/libexec/chrony-helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) +/usr/lib/chrony/helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) ++/usr/libexec/chrony/helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) /usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0) diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch index 1db6e5c..3553e85 100644 --- a/fix_networkmanager.patch +++ b/fix_networkmanager.patch 
@@ -36,6 +36,14 @@ Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.te ') optional_policy(` +@@ -602,6 +615,7 @@ files_manage_etc_files(NetworkManager_di + + init_status(NetworkManager_dispatcher_cloud_t) + init_status(NetworkManager_dispatcher_ddclient_t) ++init_status(NetworkManager_dispatcher_custom_t) + init_append_stream_sockets(networkmanager_dispatcher_plugin) + init_ioctl_stream_sockets(networkmanager_dispatcher_plugin) + init_stream_connect(networkmanager_dispatcher_plugin) Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.if =================================================================== --- fedora-policy-20220714.orig/policy/modules/contrib/networkmanager.if 
@@ -65,3 +73,15 @@ Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.if ######################################## ## ## Execute NetworkManager server in the NetworkManager domain. +Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.fc +=================================================================== +--- fedora-policy-20220714.orig/policy/modules/contrib/networkmanager.fc ++++ fedora-policy-20220714/policy/modules/contrib/networkmanager.fc +@@ -24,6 +24,7 @@ + /usr/lib/NetworkManager/dispatcher\.d/04-iscsi -- gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0) + /usr/lib/NetworkManager/dispatcher\.d/10-sendmail -- gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0) + /usr/lib/NetworkManager/dispatcher\.d/11-dhclient -- gen_context(system_u:object_r:NetworkManager_dispatcher_dhclient_script_t,s0) ++/usr/lib/NetworkManager/dispatcher\.d/20-chrony -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0) + /usr/lib/NetworkManager/dispatcher\.d/20-chrony-dhcp -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0) + /usr/lib/NetworkManager/dispatcher\.d/20-chrony-onoffline -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0) + /usr/lib/NetworkManager/dispatcher\.d/30-winbind -- gen_context(system_u:object_r:NetworkManager_dispatcher_winbind_script_t,s0) diff --git a/fix_xserver.patch b/fix_xserver.patch index 686a68d..f969707 100644 --- a/fix_xserver.patch +++ b/fix_xserver.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy-20211111/policy/modules/services/xserver.fc +Index: fedora-policy-20220714/policy/modules/services/xserver.fc =================================================================== ---- fedora-policy-20211111.orig/policy/modules/services/xserver.fc -+++ fedora-policy-20211111/policy/modules/services/xserver.fc +--- fedora-policy-20220714.orig/policy/modules/services/xserver.fc ++++ fedora-policy-20220714/policy/modules/services/xserver.fc @@ -71,6 +71,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) @@ -18,7 +18,15 @@ Index: fedora-policy-20211111/policy/modules/services/xserver.fc /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0) -@@ -137,6 +139,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ +@@ -114,6 +116,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ + /usr/bin/Xwayland -- gen_context(system_u:object_r:xserver_exec_t,s0) + /usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0) + /usr/bin/nvidia.* -- gen_context(system_u:object_r:xserver_exec_t,s0) ++/usr/bin/greetd -- gen_context(system_u:object_r:xdm_exec_t,s0) + + /usr/libexec/Xorg\.bin -- gen_context(system_u:object_r:xserver_exec_t,s0) + /usr/libexec/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0) +@@ -137,6 +140,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ /usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0) /usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0) 
@@ -26,10 +34,27 @@ Index: fedora-policy-20211111/policy/modules/services/xserver.fc ifndef(`distro_debian',` /usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) ') -Index: fedora-policy-20211111/policy/modules/services/xserver.te +@@ -155,6 +159,7 @@ ifndef(`distro_debian',` + /var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) + /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) + /var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) ++/var/lib/greetd(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) + + /var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) + /var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +@@ -184,6 +189,8 @@ ifndef(`distro_debian',` + /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) + /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) + /var/run/sddm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/greetd[^/]*\.sock -s gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/greetd\.run -- gen_context(system_u:object_r:xdm_var_run_t,s0) + + /var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) + /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) +Index: fedora-policy-20220714/policy/modules/services/xserver.te =================================================================== ---- fedora-policy-20211111.orig/policy/modules/services/xserver.te -+++ fedora-policy-20211111/policy/modules/services/xserver.te +--- fedora-policy-20220714.orig/policy/modules/services/xserver.te ++++ fedora-policy-20220714/policy/modules/services/xserver.te @@ -473,6 +473,10 @@ userdom_delete_user_home_content_files(x userdom_signull_unpriv_users(xdm_t) userdom_dontaudit_read_admin_home_lnk_files(xdm_t) diff --git a/rtorrent.fc b/rtorrent.fc index 24f879f..562f8ad 100644 --- a/rtorrent.fc +++ b/rtorrent.fc 
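Review bot: Labeling `/usr/bin/greetd` as xdm_exec_t (first hunk of fix_xserver.patch) runs greetd in xdm_t, and this hunk gives its state and sockets xdm_var_lib_t and xdm_var_run_t, so greetd is treated exactly like a full display manager. greetd delegates the login UI to a separately configured greeter process and then starts the user session; nothing in these hunks adds a transition for the greeter, so unless the unchanged xserver.te part of fix_xserver.patch does, the greeter will presumably stay in xdm_t as well, which is a larger domain than a text-mode greeter needs — worth confirming and recording in the .changes entry for bsc#1198559. A one-line comment in the fc block, `# greetd: handled as a display manager (bsc#1198559)`, would tie the three labels together for the next reader.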
@@ -1 +1 @@ -/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0) +/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0) diff --git a/rtorrent.if b/rtorrent.if index 830e349..9ea4193 100644 --- a/rtorrent.if +++ b/rtorrent.if @@ -1,49 +1,14 @@ -## Policy for rtorrent. -############################################################ -## -## Role access for rtorrent -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`rtorrent_role',` - gen_require(` - attribute_role rtorrent_roles; - type rtorrent_t, rtorrent_exec_t; - ') - - roleattribute $1 rtorrent_roles; - - # transition from the userdomain to the derived domain - domtrans_pattern($2, rtorrent_exec_t, rtorrent_t) - - # allow ps to show rtorrent - ps_process_pattern($2, rtorrent_t) - allow $2 rtorrent_t:process { signull sigstop signal sigkill }; - - ifdef(`hide_broken_symptoms',` - #Leaked File Descriptors - dontaudit rtorrent_t $2:fifo_file rw_fifo_file_perms; - ') -') +## policy for rtorrent ######################################## ## -## Transition to a user torrent domain. +## Execute rtorrent_exec_t in the rtorrent domain. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`rtorrent_domtrans',` @@ -51,12 +16,13 @@ interface(`rtorrent_domtrans',` type rtorrent_t, rtorrent_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, rtorrent_exec_t, rtorrent_t) ') ###################################### ## -## Execute torrent in the caller domain. +## Execute rtorrent in the caller domain. ## ## ## 
@@ -73,39 +39,57 @@ interface(`rtorrent_exec',` can_exec($1, rtorrent_exec_t) ') -###################################### +######################################## ## -## Make rtorrent an entrypoint for -## the specified domain. +## Execute rtorrent in the rtorrent domain, and +## allow the specified role the rtorrent domain. ## ## -## -## The domain for which cifs_t is an entrypoint. -## +## +## Domain allowed to transition +## +## +## +## +## The role to be allowed the rtorrent domain. +## ## # -interface(`rtorrent_entry_type',` - gen_require(` - type rtorrent_exec_t; - ') +interface(`rtorrent_run',` + gen_require(` + type rtorrent_t; + attribute_role rtorrent_roles; + ') - domain_entry_file($1, rtorrent_exec_t) + rtorrent_domtrans($1) + roleattribute $2 rtorrent_roles; ') ######################################## ## -## Send generic signals to user rtorrent processes. +## Role access for rtorrent ## +## +## +## Role allowed access +## +## ## ## -## Domain allowed access. +## User domain for the role ## ## # -interface(`rtorrent_signal',` +interface(`rtorrent_role',` gen_require(` type rtorrent_t; + attribute_role rtorrent_roles; ') - allow $1 rtorrent_t:process signal; + roleattribute $1 rtorrent_roles; + + rtorrent_domtrans($2) + + ps_process_pattern($2, rtorrent_t) + allow $2 rtorrent_t:process { signull signal sigkill }; ') diff --git a/rtorrent.te b/rtorrent.te index dcf4d43..996f7a7 100644 --- a/rtorrent.te +++ b/rtorrent.te @@ -1,4 +1,4 @@ -policy_module(rtorrent, 1.0.1) +policy_module(rtorrent, 1.0.0) ######################################## # @@ -18,81 +18,84 @@ gen_tunable(rtorrent_send_mails, false) ## gen_tunable(rtorrent_enable_rutorrent, false) -attribute rtorrentdomain; +## +##
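Review bot: The rewritten `rtorrent_role` grants `allow $2 rtorrent_t:process { signull signal sigkill };`, dropping `sigstop` from the `{ signull sigstop signal sigkill }` the removed version granted, and the hunk also deletes the `rtorrent_entry_type` and `rtorrent_signal` interfaces outright. If the narrowing is intentional, a comment above the allow rule such as `# sigstop deliberately not granted to the user domain` would record it, and the changelog entry "Revamped rtorrent module" could name the removed interfaces so anyone still calling them elsewhere in the policy (none are visible in this series) knows to switch to `rtorrent_domtrans`/`rtorrent_run`. The new `rtorrent_run` and the `corecmd_search_bin($1)` added to `rtorrent_domtrans` in the previous hunk follow the usual refpolicy shape and look correct.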

+## Allow rtorrent to execute helper scripts in home directories +##

+##
+gen_tunable(rtorrent_exec_scripts, false) attribute_role rtorrent_roles; roleattribute system_r rtorrent_roles; type rtorrent_t; type rtorrent_exec_t; -userdom_user_application_domain(rtorrent_t, rtorrent_exec_t) +application_domain(rtorrent_t, rtorrent_exec_t) role rtorrent_roles types rtorrent_t; ######################################## # # rtorrent local policy # +allow rtorrent_t self:process { fork signal_perms }; -corenet_tcp_bind_commplex_main_port(rtorrent_t) +allow rtorrent_t self:fifo_file manage_fifo_file_perms; +allow rtorrent_t self:unix_stream_socket create_stream_socket_perms; + +domain_use_interactive_fds(rtorrent_t) + +files_read_etc_files(rtorrent_t) + +miscfiles_read_localization(rtorrent_t) + +sysnet_dns_name_resolve(rtorrent_t) + +optional_policy(` + gen_require(` + type staff_t; + role staff_r; + ') + + rtorrent_run(staff_t, staff_r) +') type rtorrent_port_t; corenet_port(rtorrent_port_t) allow rtorrent_t rtorrent_port_t:tcp_socket name_bind; userdom_read_user_home_content_symlinks(rtorrent_t) +userdom_manage_user_home_content_files(rtorrent_t) +userdom_manage_user_home_content_dirs(rtorrent_t) -allow rtorrent_t self:process setpgid; -allow rtorrent_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; -allow rtorrent_t self:fifo_file rw_fifo_file_perms; -allow rtorrent_t self:tcp_socket create_stream_socket_perms; -allow rtorrent_t self:unix_stream_socket connectto; +allow rtorrent_t self:tcp_socket { accept listen }; -allow rtorrent_t self:netlink_route_socket { bind create nlmsg_read }; -allow rtorrent_t self:udp_socket { connect create getattr }; -nscd_shm_use(rtorrent_t) - -#corecmd_exec_shell(rtorrent_t) -corecmd_exec_bin(rtorrent_t) -# execute helper scripts -userdom_exec_user_bin_files(rtorrent_t) - -corenet_all_recvfrom_netlabel(rtorrent_t) -corenet_tcp_sendrecv_generic_if(rtorrent_t) -corenet_udp_sendrecv_generic_if(rtorrent_t) -corenet_tcp_sendrecv_generic_node(rtorrent_t) -corenet_udp_sendrecv_generic_node(rtorrent_t) 
-corenet_tcp_sendrecv_all_ports(rtorrent_t) -corenet_udp_sendrecv_all_ports(rtorrent_t) corenet_tcp_connect_all_ports(rtorrent_t) -corenet_sendrecv_all_client_packets(rtorrent_t) -corenet_udp_bind_all_unreserved_ports(rtorrent_t) -domain_use_interactive_fds(rtorrent_t) -auth_use_nsswitch(rtorrent_t) -miscfiles_map_generic_certs(rtorrent_t) fs_getattr_xattr_fs(rtorrent_t) userdom_use_inherited_user_terminals(rtorrent_t) -userdom_manage_user_home_content_files(rtorrent_t) -userdom_manage_user_home_content_dirs(rtorrent_t) +# this might be to much userdom_home_manager(rtorrent_t) userdom_filetrans_home_content(rtorrent_t) -userdom_stream_connect(rtorrent_t) optional_policy(` - tunable_policy(`rtorrent_send_mails',` - userdom_exec_user_bin_files(rtorrent_t) - userdom_exec_user_home_content_files(rtorrent_t) - files_manage_generic_tmp_files(rtorrent_t) - mta_send_mail(rtorrent_t) - ') + tunable_policy(`rtorrent_send_mails',` + userdom_exec_user_bin_files(rtorrent_t) + userdom_exec_user_home_content_files(rtorrent_t) + files_manage_generic_tmp_files(rtorrent_t) + mta_send_mail(rtorrent_t) + ') ') optional_policy(` - apache_manage_sys_content(rtorrent_t) - tunable_policy(`rtorrent_enable_rutorrent',` + apache_manage_sys_content(rtorrent_t) apache_exec_sys_content(rtorrent_t) ') ') +tunable_policy(`rtorrent_exec_scripts',` + # execute helper scripts + corecmd_exec_bin(rtorrent_t) + userdom_exec_user_bin_files(rtorrent_t) +') diff --git a/selinux-policy.changes b/selinux-policy.changes index e53d771..671e11c 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
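Review bot: The new `rtorrent_exec_scripts` tunable gates `corecmd_exec_bin(rtorrent_t)` and `userdom_exec_user_bin_files(rtorrent_t)`, but the retained `rtorrent_send_mails` block still grants `userdom_exec_user_bin_files(rtorrent_t)` and `userdom_exec_user_home_content_files(rtorrent_t)` whenever that boolean is on, so the exec restriction only holds while send_mails is off; the tunable description should state that, e.g. `## Note: rtorrent_send_mails also allows executing user binaries and home content.` The block keeps `userdom_home_manager(rtorrent_t)` and `userdom_filetrans_home_content(rtorrent_t)` alongside the newly added explicit `userdom_manage_user_home_content_files`/`_dirs` rules, and the comment `# this might be to much` (typo: "too") flags the overlap without resolving it — either drop the broad interface or say why it is still required. Hard-coding `staff_t`/`staff_r` in an `optional_policy` inside the module, rather than leaving the `rtorrent_run` call to the role policy, is a style choice worth a one-line justification. The `@@ -1,4 +1,4 @@` hunk also lowers `policy_module(rtorrent, 1.0.1)` to `1.0.0`, which reads like an accidental revert of the earlier version bump rather than a deliberate change.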
@@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Thu Sep 29 12:54:15 UTC 2022 - Johannes Segitz + +- Update fix_networkmanager.patch to ensure NetworkManager chrony + dispatcher is properly labled and update fix_chronyd.patch to ensure + chrony helper script has proper label to be used by NetworkManager. + Also allow NetworkManager_dispatcher_custom_t to query systemd status + (bsc#1203824) + +------------------------------------------------------------------- +Tue Sep 27 13:00:35 UTC 2022 - Filippo Bonazzi + +- Update fix_xserver.patch to add greetd support (bsc#1198559) + +------------------------------------------------------------------- +Mon Sep 12 06:47:56 UTC 2022 - Johannes Segitz + +- Revamped rtorrent module + ------------------------------------------------------------------- Fri Aug 26 06:08:23 UTC 2022 - Thorsten Kukuk From 6580811b2495419e4ebe9676f7174b8b4779bf1437567deac5097bc8f04f2dab Mon Sep 17 00:00:00 2001 From: Fabian Vogt Date: Mon, 10 Oct 2022 16:43:41 +0000 Subject: [PATCH 33/35] Accepting request 1008716 from security:SELinux Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/1008716 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=33 --- distro_suse_to_distro_redhat.patch | 195 +++++++++++++++++++++++++++++ fix_cron.patch | 16 +-- selinux-policy.changes | 8 ++ selinux-policy.spec | 4 +- 4 files changed, 213 insertions(+), 10 deletions(-) create mode 100644 distro_suse_to_distro_redhat.patch diff --git a/distro_suse_to_distro_redhat.patch b/distro_suse_to_distro_redhat.patch new file mode 100644 index 0000000..c931eb5 --- /dev/null +++ b/distro_suse_to_distro_redhat.patch 
@@ -0,0 +1,195 @@ +diff -r -u fedora-policy-20220714/policy/modules/contrib/apache.fc fedora-policy-20220714_changed/policy/modules/contrib/apache.fc +--- fedora-policy-20220714/policy/modules/contrib/apache.fc 2022-07-14 10:41:34.267983097 +0200 ++++ fedora-policy-20220714_changed/policy/modules/contrib/apache.fc 2022-09-30 09:07:02.245313656 +0200 +@@ -74,7 +74,7 @@ + /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) + /usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) + +-ifdef(`distro_suse', ` ++ifdef(`distro_redhat', ` + /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) + ') + +diff -r -u fedora-policy-20220714/policy/modules/contrib/cron.fc fedora-policy-20220714_changed/policy/modules/contrib/cron.fc +--- fedora-policy-20220714/policy/modules/contrib/cron.fc 2022-07-14 10:41:34.279983278 +0200 ++++ fedora-policy-20220714_changed/policy/modules/contrib/cron.fc 2022-09-30 09:07:01.465301514 +0200 +@@ -51,7 +51,7 @@ + /var/spool/cron/lastrun/[^/]* -- <> + ') + +-ifdef(`distro_suse', ` ++ifdef(`distro_redhat', ` + /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) + /var/spool/cron/lastrun/[^/]* -- <> + /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) +@@ -70,7 +70,7 @@ + /var/spool/cron/lastrun/[^/]* -- <> + ') + +-ifdef(`distro_suse', ` ++ifdef(`distro_redhat', ` + /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) + /var/spool/cron/lastrun/[^/]* -- <> + /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) +diff -r -u fedora-policy-20220714/policy/modules/contrib/rpm.fc fedora-policy-20220714_changed/policy/modules/contrib/rpm.fc +--- fedora-policy-20220714/policy/modules/contrib/rpm.fc 2022-07-14 10:41:34.315983821 +0200 ++++ fedora-policy-20220714_changed/policy/modules/contrib/rpm.fc 2022-09-30 09:07:01.713305375 +0200 +@@ -79,7 +79,7 @@ + /var/run/PackageKit(/.*)? 
gen_context(system_u:object_r:rpm_var_run_t,s0) + + # SuSE +-ifdef(`distro_suse', ` ++ifdef(`distro_redhat', ` + /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) + /sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0) + /var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +diff -r -u fedora-policy-20220714/policy/modules/kernel/corecommands.fc fedora-policy-20220714_changed/policy/modules/kernel/corecommands.fc +--- fedora-policy-20220714/policy/modules/kernel/corecommands.fc 2022-07-14 10:41:34.327984002 +0200 ++++ fedora-policy-20220714_changed/policy/modules/kernel/corecommands.fc 2022-09-30 09:07:01.273298522 +0200 +@@ -462,7 +462,7 @@ + /usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0) + ') + +-ifdef(`distro_suse', ` ++ifdef(`distro_redhat', ` + /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/ssh/.* -- gen_context(system_u:object_r:bin_t,s0) +@@ -491,7 +491,7 @@ + /var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) + /var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0) + +-ifdef(`distro_suse',` ++ifdef(`distro_redhat',` + /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) + ') + +diff -r -u fedora-policy-20220714/policy/modules/kernel/devices.fc fedora-policy-20220714_changed/policy/modules/kernel/devices.fc +--- fedora-policy-20220714/policy/modules/kernel/devices.fc 2022-07-14 10:41:34.327984002 +0200 ++++ fedora-policy-20220714_changed/policy/modules/kernel/devices.fc 2022-09-30 09:07:01.265298397 +0200 +@@ -148,7 +148,7 @@ + /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) + /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) + /dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0) +-ifdef(`distro_suse', ` ++ifdef(`distro_redhat', ` + /dev/usbscanner -c 
gen_context(system_u:object_r:scanner_device_t,s0) + ') + /dev/vmci -c gen_context(system_u:object_r:vmci_device_t,s0) +diff -r -u fedora-policy-20220714/policy/modules/kernel/files.fc fedora-policy-20220714_changed/policy/modules/kernel/files.fc +--- fedora-policy-20220714/policy/modules/kernel/files.fc 2022-07-14 10:41:34.331984062 +0200 ++++ fedora-policy-20220714_changed/policy/modules/kernel/files.fc 2022-09-30 09:07:01.289298772 +0200 +@@ -22,7 +22,7 @@ + /[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0) + ') + +-ifdef(`distro_suse',` ++ifdef(`distro_redhat',` + /success -- gen_context(system_u:object_r:etc_runtime_t,s0) + ') + +@@ -92,7 +92,7 @@ + /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0) + ') + +-ifdef(`distro_suse',` ++ifdef(`distro_redhat',` + /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) + ') +diff -r -u fedora-policy-20220714/policy/modules/services/xserver.fc fedora-policy-20220714_changed/policy/modules/services/xserver.fc +--- fedora-policy-20220714/policy/modules/services/xserver.fc 2022-07-14 10:41:34.335984123 +0200 ++++ fedora-policy-20220714_changed/policy/modules/services/xserver.fc 2022-09-30 09:07:02.689320566 +0200 +@@ -189,7 +189,7 @@ + /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) + /var/run/systemd/multi-session-x(/.*)? 
gen_context(system_u:object_r:xdm_var_run_t,s0) + +-ifdef(`distro_suse',` ++ifdef(`distro_redhat',` + /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) + ') + +diff -r -u fedora-policy-20220714/policy/modules/system/authlogin.fc fedora-policy-20220714_changed/policy/modules/system/authlogin.fc +--- fedora-policy-20220714/policy/modules/system/authlogin.fc 2022-07-14 10:41:34.335984123 +0200 ++++ fedora-policy-20220714_changed/policy/modules/system/authlogin.fc 2022-09-30 09:07:02.761321686 +0200 +@@ -31,7 +31,7 @@ + /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) + /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +-ifdef(`distro_suse', ` ++ifdef(`distro_redhat', ` + /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + ') + +diff -r -u fedora-policy-20220714/policy/modules/system/init.fc fedora-policy-20220714_changed/policy/modules/system/init.fc +--- fedora-policy-20220714/policy/modules/system/init.fc 2022-07-14 10:41:34.335984123 +0200 ++++ fedora-policy-20220714_changed/policy/modules/system/init.fc 2022-09-30 09:07:02.701320753 +0200 +@@ -92,7 +92,7 @@ + /var/run/svscan\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) + ') + +-ifdef(`distro_suse', ` ++ifdef(`distro_redhat', ` + /var/run/bootsplashctl -p gen_context(system_u:object_r:initrc_var_run_t,s0) + /var/run/keymap -- gen_context(system_u:object_r:initrc_var_run_t,s0) + /var/run/numlock-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) +diff -r -u fedora-policy-20220714/policy/modules/system/init.te fedora-policy-20220714_changed/policy/modules/system/init.te +--- fedora-policy-20220714/policy/modules/system/init.te 2022-07-14 10:41:34.335984123 +0200 ++++ fedora-policy-20220714_changed/policy/modules/system/init.te 2022-09-30 09:07:02.725321126 +0200 +@@ -1330,7 +1330,7 @@ + ') + ') + +-ifdef(`distro_suse',` ++ifdef(`distro_redhat',` 
+ optional_policy(` + # set permissions on /tmp/.X11-unix + xserver_setattr_xdm_tmp_dirs(initrc_t) +diff -r -u fedora-policy-20220714/policy/modules/system/libraries.fc fedora-policy-20220714_changed/policy/modules/system/libraries.fc +--- fedora-policy-20220714/policy/modules/system/libraries.fc 2022-07-14 10:41:34.335984123 +0200 ++++ fedora-policy-20220714_changed/policy/modules/system/libraries.fc 2022-09-30 09:07:02.709320877 +0200 +@@ -329,7 +329,7 @@ + /var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) + /usr/lib/xfce4/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) + +-ifdef(`distro_suse',` ++ifdef(`distro_redhat',` + /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) + ') + +diff -r -u fedora-policy-20220714/policy/modules/system/locallogin.te fedora-policy-20220714_changed/policy/modules/system/locallogin.te +--- fedora-policy-20220714/policy/modules/system/locallogin.te 2022-07-14 10:41:34.335984123 +0200 ++++ fedora-policy-20220714_changed/policy/modules/system/locallogin.te 2022-09-30 09:07:02.757321625 +0200 +@@ -274,7 +274,7 @@ + ') + + # suse and debian do not use pam with sulogin... +-ifdef(`distro_suse', `define(`sulogin_no_pam')') ++ifdef(`distro_redhat', `define(`sulogin_no_pam')') + ifdef(`distro_debian', `define(`sulogin_no_pam')') + + allow sulogin_t self:capability sys_tty_config; +diff -r -u fedora-policy-20220714/policy/modules/system/logging.fc fedora-policy-20220714_changed/policy/modules/system/logging.fc +--- fedora-policy-20220714/policy/modules/system/logging.fc 2022-07-14 10:41:34.335984123 +0200 ++++ fedora-policy-20220714_changed/policy/modules/system/logging.fc 2022-09-30 09:07:02.757321625 +0200 +@@ -46,7 +46,7 @@ + /var/lib/r?syslog(/.*)? 
gen_context(system_u:object_r:syslogd_var_lib_t,mls_systemhigh) + /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) + +-ifdef(`distro_suse', ` ++ifdef(`distro_redhat', ` + /var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0) + ') + +diff -r -u fedora-policy-20220714/policy/modules/system/logging.te fedora-policy-20220714_changed/policy/modules/system/logging.te +--- fedora-policy-20220714/policy/modules/system/logging.te 2022-07-14 10:41:34.335984123 +0200 ++++ fedora-policy-20220714_changed/policy/modules/system/logging.te 2022-09-30 09:07:02.709320877 +0200 +@@ -674,7 +674,7 @@ + term_dontaudit_setattr_unallocated_ttys(syslogd_t) + ') + +-ifdef(`distro_suse',` ++ifdef(`distro_redhat',` + # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel + files_var_lib_filetrans(syslogd_t, devlog_t, sock_file) + ') diff --git a/fix_cron.patch b/fix_cron.patch index e2ccb9a..8b4135d 100644 --- a/fix_cron.patch +++ b/fix_cron.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20220124/policy/modules/contrib/cron.fc +Index: fedora-policy-20220714/policy/modules/contrib/cron.fc =================================================================== ---- fedora-policy-20220124.orig/policy/modules/contrib/cron.fc -+++ fedora-policy-20220124/policy/modules/contrib/cron.fc +--- fedora-policy-20220714.orig/policy/modules/contrib/cron.fc ++++ fedora-policy-20220714/policy/modules/contrib/cron.fc @@ -34,7 +34,7 @@ /var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0) @@ -11,7 +11,7 @@ Index: fedora-policy-20220124/policy/modules/contrib/cron.fc /var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) /var/spool/cron/crontabs/.* -- <> -@@ -55,6 +55,10 @@ ifdef(`distro_suse', ` +@@ -55,6 +55,10 @@ ifdef(`distro_redhat', ` /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) /var/spool/cron/lastrun/[^/]* -- <> /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) 
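Review bot: Every `ifdef(`distro_suse'` in these files is rewritten to `ifdef(`distro_redhat'`, but the patch has no header explaining that it replaces the former global sed in `%prep` and relies on the spec's `%define distro redhat`, so read on its own it appears to enable SUSE-only paths (`/sbin/yast2`, `/usr/lib/cron/run-crons`, `define(`sulogin_no_pam')`) for Red Hat. Free text before the first `diff -r -u` line is kept by quilt and ignored by patch, so a preamble such as `Build sets distro=redhat; enable the SUSE-specific blocks under that flag (replaces the sed formerly in the spec %prep).` would record the intent. The comments next to the converted guards (`# SuSE` in rpm.fc, `# suse and debian do not use pam with sulogin...` in locallogin.te) now disagree with the condition below them; cosmetic, but worth mentioning in the preamble since the `sulogin_no_pam` conversion is the one affecting authentication rather than labelling.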
@@ -27,15 +27,15 @@ Index: fedora-policy-20220124/policy/modules/contrib/cron.fc /var/spool/cron/lastrun/[^/]* -- <> ') - --ifdef(`distro_suse', ` +-ifdef(`distro_redhat', ` -/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) -/var/spool/cron/lastrun/[^/]* -- <> -/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -') -Index: fedora-policy-20220124/policy/modules/contrib/cron.if +Index: fedora-policy-20220714/policy/modules/contrib/cron.if =================================================================== ---- fedora-policy-20220124.orig/policy/modules/contrib/cron.if -+++ fedora-policy-20220124/policy/modules/contrib/cron.if +--- fedora-policy-20220714.orig/policy/modules/contrib/cron.if ++++ fedora-policy-20220714/policy/modules/contrib/cron.if @@ -1057,7 +1057,7 @@ interface(`cron_generic_log_filetrans_lo # interface(`cron_system_spool_entrypoint',` diff --git a/selinux-policy.changes b/selinux-policy.changes index 671e11c..adcc217 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Fri Sep 30 07:14:49 UTC 2022 - Johannes Segitz + +- Updated quilt couldn't unpack tarball. This will cause ongoing issues + so drop the sed statement in the %prep section and add + distro_suse_to_distro_redhat.patch to add the necessary changes + via a patch + ------------------------------------------------------------------- Thu Sep 29 12:54:15 UTC 2022 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index bacbf24..eb4bf37 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
@@ -17,7 +17,7 @@ # There are almost no SUSE specific modifications available in the policy, so we utilize the -# ones used by redhat and include also the SUSE specific ones (see sed statement below) +# ones used by redhat and include also the SUSE specific ones (distro_suse_to_distro_redhat.patch) %define distro redhat %define ubac n %define polyinstatiate n @@ -85,6 +85,7 @@ Source129: rebootmgr.te Source130: rebootmgr.if Source131: rebootmgr.fc +Patch000: distro_suse_to_distro_redhat.patch Patch001: fix_djbdns.patch Patch002: fix_dbus.patch Patch004: fix_java.patch @@ -406,7 +407,6 @@ exit 0 %prep %autosetup -n fedora-policy-%{version} -p1 -find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \; %build From c77d62d06eeb3a9a9b45ed2e69358d52d48858820f2000f46addd30023e73f8c Mon Sep 17 00:00:00 2001 
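Review bot: Replacing the `find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/"` in `%prep` with `Patch000: distro_suse_to_distro_redhat.patch` turns a global rewrite into a fixed list of files, so any `distro_suse` guard in a file the patch does not touch is now left inactive after an upstream tarball refresh instead of being converted. A comment next to `Patch000`, e.g. `# Must cover every distro_suse guard in the tarball; re-check with grep on each version update`, would make that maintenance step explicit. The updated comment in the `@@ -17,7 +17,7 @@` hunk correctly points at the patch instead of the removed sed.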
From: Dominique Leuenberger Date: Sat, 22 Oct 2022 12:13:02 +0000 Subject: [PATCH 34/35] Accepting request 1030152 from security:SELinux OBS-URL: https://build.opensuse.org/request/show/1030152 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=34 --- distro_suse_to_distro_redhat.patch | 128 +++++++++++++++------------ dontaudit_interface_kmod_tmpfs.patch | 41 +++++++++ fedora-policy-20220714.tar.bz2 | 3 - fedora-policy-20221019.tar.bz2 | 3 + fix_alsa.patch | 15 ++++ fix_apache.patch | 10 +-- fix_chronyd.patch | 14 +-- fix_cockpit.patch | 47 ---------- fix_cron.patch | 14 +-- fix_init.patch | 31 +++---- fix_kernel_sysctl.patch | 14 +-- fix_networkmanager.patch | 48 +++++++--- fix_postfix.patch | 25 ++++-- fix_rpm.patch | 24 ++--- fix_snapper.patch | 18 ++-- fix_sysnetwork.patch | 8 +- fix_systemd.patch | 18 ++-- fix_systemd_watch.patch | 8 +- fix_unconfined.patch | 8 +- fix_unconfineduser.patch | 10 +-- fix_unprivuser.patch | 8 +- fix_xserver.patch | 18 ++-- modules-minimum-contrib.conf | 14 --- modules-targeted-contrib.conf | 14 --- selinux-policy.changes | 28 ++++++ selinux-policy.spec | 6 +- 26 files changed, 313 insertions(+), 262 deletions(-) create mode 100644 dontaudit_interface_kmod_tmpfs.patch delete mode 100644 fedora-policy-20220714.tar.bz2 create mode 100644 fedora-policy-20221019.tar.bz2 create mode 100644 fix_alsa.patch delete mode 100644 fix_cockpit.patch diff --git a/distro_suse_to_distro_redhat.patch b/distro_suse_to_distro_redhat.patch index c931eb5..c11814e 100644 --- a/distro_suse_to_distro_redhat.patch +++ b/distro_suse_to_distro_redhat.patch 
@@ -1,7 +1,8 @@ -diff -r -u fedora-policy-20220714/policy/modules/contrib/apache.fc fedora-policy-20220714_changed/policy/modules/contrib/apache.fc ---- fedora-policy-20220714/policy/modules/contrib/apache.fc 2022-07-14 10:41:34.267983097 +0200 -+++ fedora-policy-20220714_changed/policy/modules/contrib/apache.fc 2022-09-30 09:07:02.245313656 +0200 -@@ -74,7 +74,7 @@ +Index: fedora-policy-20221019/policy/modules/contrib/apache.fc +=================================================================== +--- fedora-policy-20221019.orig/policy/modules/contrib/apache.fc ++++ fedora-policy-20221019/policy/modules/contrib/apache.fc +@@ -74,7 +74,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.* /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) /usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -10,10 +11,11 @@ diff -r -u fedora-policy-20220714/policy/modules/contrib/apache.fc fedora-policy /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') -diff -r -u fedora-policy-20220714/policy/modules/contrib/cron.fc fedora-policy-20220714_changed/policy/modules/contrib/cron.fc ---- fedora-policy-20220714/policy/modules/contrib/cron.fc 2022-07-14 10:41:34.279983278 +0200 -+++ fedora-policy-20220714_changed/policy/modules/contrib/cron.fc 2022-09-30 09:07:01.465301514 +0200 -@@ -51,7 +51,7 @@ +Index: fedora-policy-20221019/policy/modules/contrib/cron.fc +=================================================================== +--- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc ++++ fedora-policy-20221019/policy/modules/contrib/cron.fc +@@ -51,7 +51,7 @@ ifdef(`distro_gentoo',` /var/spool/cron/lastrun/[^/]* -- <> ') 
@@ -22,7 +24,7 @@ diff -r -u fedora-policy-20220714/policy/modules/contrib/cron.fc fedora-policy-2 /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) /var/spool/cron/lastrun/[^/]* -- <> /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -@@ -70,7 +70,7 @@ +@@ -70,7 +70,7 @@ ifdef(`distro_gentoo',` /var/spool/cron/lastrun/[^/]* -- <> ') @@ -31,10 +33,11 @@ diff -r -u fedora-policy-20220714/policy/modules/contrib/cron.fc fedora-policy-2 /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) /var/spool/cron/lastrun/[^/]* -- <> /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -diff -r -u fedora-policy-20220714/policy/modules/contrib/rpm.fc fedora-policy-20220714_changed/policy/modules/contrib/rpm.fc ---- fedora-policy-20220714/policy/modules/contrib/rpm.fc 2022-07-14 10:41:34.315983821 +0200 -+++ fedora-policy-20220714_changed/policy/modules/contrib/rpm.fc 2022-09-30 09:07:01.713305375 +0200 -@@ -79,7 +79,7 @@ +Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc +=================================================================== +--- fedora-policy-20221019.orig/policy/modules/contrib/rpm.fc ++++ fedora-policy-20221019/policy/modules/contrib/rpm.fc +@@ -80,7 +80,7 @@ ifdef(`distro_redhat', ` /var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) # SuSE 
@@ -43,10 +46,11 @@ diff -r -u fedora-policy-20220714/policy/modules/contrib/rpm.fc fedora-policy-20 /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) /sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0) /var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -diff -r -u fedora-policy-20220714/policy/modules/kernel/corecommands.fc fedora-policy-20220714_changed/policy/modules/kernel/corecommands.fc ---- fedora-policy-20220714/policy/modules/kernel/corecommands.fc 2022-07-14 10:41:34.327984002 +0200 -+++ fedora-policy-20220714_changed/policy/modules/kernel/corecommands.fc 2022-09-30 09:07:01.273298522 +0200 -@@ -462,7 +462,7 @@ +Index: fedora-policy-20221019/policy/modules/kernel/corecommands.fc +=================================================================== +--- fedora-policy-20221019.orig/policy/modules/kernel/corecommands.fc ++++ fedora-policy-20221019/policy/modules/kernel/corecommands.fc +@@ -462,7 +462,7 @@ ifdef(`distro_redhat', ` /usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0) ') @@ -55,7 +59,7 @@ diff -r -u fedora-policy-20220714/policy/modules/kernel/corecommands.fc fedora-p /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/ssh/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -491,7 +491,7 @@ +@@ -491,7 +491,7 @@ ifdef(`distro_suse', ` /var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0) 
@@ -64,9 +68,10 @@ diff -r -u fedora-policy-20220714/policy/modules/kernel/corecommands.fc fedora-p /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') -diff -r -u fedora-policy-20220714/policy/modules/kernel/devices.fc fedora-policy-20220714_changed/policy/modules/kernel/devices.fc ---- fedora-policy-20220714/policy/modules/kernel/devices.fc 2022-07-14 10:41:34.327984002 +0200 -+++ fedora-policy-20220714_changed/policy/modules/kernel/devices.fc 2022-09-30 09:07:01.265298397 +0200 +Index: fedora-policy-20221019/policy/modules/kernel/devices.fc +=================================================================== +--- fedora-policy-20221019.orig/policy/modules/kernel/devices.fc ++++ fedora-policy-20221019/policy/modules/kernel/devices.fc @@ -148,7 +148,7 @@ /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) @@ -76,10 +81,11 @@ diff -r -u fedora-policy-20220714/policy/modules/kernel/devices.fc fedora-policy /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') /dev/vmci -c gen_context(system_u:object_r:vmci_device_t,s0) -diff -r -u fedora-policy-20220714/policy/modules/kernel/files.fc fedora-policy-20220714_changed/policy/modules/kernel/files.fc ---- fedora-policy-20220714/policy/modules/kernel/files.fc 2022-07-14 10:41:34.331984062 +0200 -+++ fedora-policy-20220714_changed/policy/modules/kernel/files.fc 2022-09-30 09:07:01.289298772 +0200 -@@ -22,7 +22,7 @@ +Index: fedora-policy-20221019/policy/modules/kernel/files.fc +=================================================================== +--- fedora-policy-20221019.orig/policy/modules/kernel/files.fc ++++ fedora-policy-20221019/policy/modules/kernel/files.fc +@@ -22,7 +22,7 @@ ifdef(`distro_redhat',` /[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0) ') 
@@ -88,7 +94,7 @@ diff -r -u fedora-policy-20220714/policy/modules/kernel/files.fc fedora-policy-2 /success -- gen_context(system_u:object_r:etc_runtime_t,s0) ') -@@ -92,7 +92,7 @@ +@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', ` /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0) ') @@ -97,10 +103,11 @@ diff -r -u fedora-policy-20220714/policy/modules/kernel/files.fc fedora-policy-2 /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) ') -diff -r -u fedora-policy-20220714/policy/modules/services/xserver.fc fedora-policy-20220714_changed/policy/modules/services/xserver.fc ---- fedora-policy-20220714/policy/modules/services/xserver.fc 2022-07-14 10:41:34.335984123 +0200 -+++ fedora-policy-20220714_changed/policy/modules/services/xserver.fc 2022-09-30 09:07:02.689320566 +0200 -@@ -189,7 +189,7 @@ +Index: fedora-policy-20221019/policy/modules/services/xserver.fc +=================================================================== +--- fedora-policy-20221019.orig/policy/modules/services/xserver.fc ++++ fedora-policy-20221019/policy/modules/services/xserver.fc +@@ -189,7 +189,7 @@ ifndef(`distro_debian',` /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) /var/run/systemd/multi-session-x(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) 
@@ -109,10 +116,11 @@ diff -r -u fedora-policy-20220714/policy/modules/services/xserver.fc fedora-poli /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) ') -diff -r -u fedora-policy-20220714/policy/modules/system/authlogin.fc fedora-policy-20220714_changed/policy/modules/system/authlogin.fc ---- fedora-policy-20220714/policy/modules/system/authlogin.fc 2022-07-14 10:41:34.335984123 +0200 -+++ fedora-policy-20220714_changed/policy/modules/system/authlogin.fc 2022-09-30 09:07:02.761321686 +0200 -@@ -31,7 +31,7 @@ +Index: fedora-policy-20221019/policy/modules/system/authlogin.fc +=================================================================== +--- fedora-policy-20221019.orig/policy/modules/system/authlogin.fc ++++ fedora-policy-20221019/policy/modules/system/authlogin.fc +@@ -31,7 +31,7 @@ HOME_DIR/\.google_authenticator~ gen_co /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) @@ -121,10 +129,11 @@ diff -r -u fedora-policy-20220714/policy/modules/system/authlogin.fc fedora-poli /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') -diff -r -u fedora-policy-20220714/policy/modules/system/init.fc fedora-policy-20220714_changed/policy/modules/system/init.fc ---- fedora-policy-20220714/policy/modules/system/init.fc 2022-07-14 10:41:34.335984123 +0200 -+++ fedora-policy-20220714_changed/policy/modules/system/init.fc 2022-09-30 09:07:02.701320753 +0200 -@@ -92,7 +92,7 @@ +Index: fedora-policy-20221019/policy/modules/system/init.fc +=================================================================== +--- fedora-policy-20221019.orig/policy/modules/system/init.fc ++++ fedora-policy-20221019/policy/modules/system/init.fc +@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', ` /var/run/svscan\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') 
@@ -133,10 +142,11 @@ diff -r -u fedora-policy-20220714/policy/modules/system/init.fc fedora-policy-20 /var/run/bootsplashctl -p gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/keymap -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/numlock-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) -diff -r -u fedora-policy-20220714/policy/modules/system/init.te fedora-policy-20220714_changed/policy/modules/system/init.te ---- fedora-policy-20220714/policy/modules/system/init.te 2022-07-14 10:41:34.335984123 +0200 -+++ fedora-policy-20220714_changed/policy/modules/system/init.te 2022-09-30 09:07:02.725321126 +0200 -@@ -1330,7 +1330,7 @@ +Index: fedora-policy-20221019/policy/modules/system/init.te +=================================================================== +--- fedora-policy-20221019.orig/policy/modules/system/init.te ++++ fedora-policy-20221019/policy/modules/system/init.te +@@ -1334,7 +1334,7 @@ ifdef(`distro_redhat',` ') ') 
@@ -145,10 +155,11 @@ diff -r -u fedora-policy-20220714/policy/modules/system/init.te fedora-policy-20 optional_policy(` # set permissions on /tmp/.X11-unix xserver_setattr_xdm_tmp_dirs(initrc_t) -diff -r -u fedora-policy-20220714/policy/modules/system/libraries.fc fedora-policy-20220714_changed/policy/modules/system/libraries.fc ---- fedora-policy-20220714/policy/modules/system/libraries.fc 2022-07-14 10:41:34.335984123 +0200 -+++ fedora-policy-20220714_changed/policy/modules/system/libraries.fc 2022-09-30 09:07:02.709320877 +0200 -@@ -329,7 +329,7 @@ +Index: fedora-policy-20221019/policy/modules/system/libraries.fc +=================================================================== +--- fedora-policy-20221019.orig/policy/modules/system/libraries.fc ++++ fedora-policy-20221019/policy/modules/system/libraries.fc +@@ -329,7 +329,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_ /var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) /usr/lib/xfce4/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) @@ -157,10 +168,11 @@ diff -r -u fedora-policy-20220714/policy/modules/system/libraries.fc fedora-poli /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) ') -diff -r -u fedora-policy-20220714/policy/modules/system/locallogin.te fedora-policy-20220714_changed/policy/modules/system/locallogin.te ---- fedora-policy-20220714/policy/modules/system/locallogin.te 2022-07-14 10:41:34.335984123 +0200 -+++ fedora-policy-20220714_changed/policy/modules/system/locallogin.te 2022-09-30 09:07:02.757321625 +0200 -@@ -274,7 +274,7 @@ +Index: fedora-policy-20221019/policy/modules/system/locallogin.te +=================================================================== +--- fedora-policy-20221019.orig/policy/modules/system/locallogin.te ++++ fedora-policy-20221019/policy/modules/system/locallogin.te +@@ -274,7 +274,7 @@ ifdef(`enable_mls',` ') # suse and debian do not use pam with sulogin... 
@@ -169,9 +181,10 @@ diff -r -u fedora-policy-20220714/policy/modules/system/locallogin.te fedora-pol ifdef(`distro_debian', `define(`sulogin_no_pam')') allow sulogin_t self:capability sys_tty_config; -diff -r -u fedora-policy-20220714/policy/modules/system/logging.fc fedora-policy-20220714_changed/policy/modules/system/logging.fc ---- fedora-policy-20220714/policy/modules/system/logging.fc 2022-07-14 10:41:34.335984123 +0200 -+++ fedora-policy-20220714_changed/policy/modules/system/logging.fc 2022-09-30 09:07:02.757321625 +0200 +Index: fedora-policy-20221019/policy/modules/system/logging.fc +=================================================================== +--- fedora-policy-20221019.orig/policy/modules/system/logging.fc ++++ fedora-policy-20221019/policy/modules/system/logging.fc @@ -46,7 +46,7 @@ /var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,mls_systemhigh) /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) @@ -181,10 +194,11 @@ diff -r -u fedora-policy-20220714/policy/modules/system/logging.fc fedora-policy /var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') -diff -r -u fedora-policy-20220714/policy/modules/system/logging.te fedora-policy-20220714_changed/policy/modules/system/logging.te ---- fedora-policy-20220714/policy/modules/system/logging.te 2022-07-14 10:41:34.335984123 +0200 -+++ fedora-policy-20220714_changed/policy/modules/system/logging.te 2022-09-30 09:07:02.709320877 +0200 -@@ -674,7 +674,7 @@ +Index: fedora-policy-20221019/policy/modules/system/logging.te +=================================================================== +--- fedora-policy-20221019.orig/policy/modules/system/logging.te ++++ fedora-policy-20221019/policy/modules/system/logging.te +@@ -682,7 +682,7 @@ ifdef(`distro_gentoo',` term_dontaudit_setattr_unallocated_ttys(syslogd_t) ') 
diff --git a/dontaudit_interface_kmod_tmpfs.patch b/dontaudit_interface_kmod_tmpfs.patch
new file mode 100644
index 0000000..031ead4
--- /dev/null
+++ b/dontaudit_interface_kmod_tmpfs.patch
@@ -0,0 +1,41 @@
+Index: fedora-policy-20221019/policy/modules/services/xserver.te
+===================================================================
+--- fedora-policy-20221019.orig/policy/modules/services/xserver.te
++++ fedora-policy-20221019/policy/modules/services/xserver.te
+@@ -764,6 +764,10 @@ userdom_mounton_tmp_sockets(xdm_t)
+ userdom_nnp_transition_login_userdomain(xdm_t)
+ userdom_watch_user_home_dirs(xdm_t)
+ 
++# SUSE uses startproc to start the display manager. While checking for running processes
++# it goes over all running instances, triggering AVCs
++modutils_dontaudit_kmod_tmpfs_getattr(xdm_t)
++
+ #userdom_home_manager(xdm_t)
+ tunable_policy(`xdm_write_home',`
+ userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
+Index: fedora-policy-20221019/policy/modules/system/modutils.if
+===================================================================
+--- fedora-policy-20221019.orig/policy/modules/system/modutils.if
++++ fedora-policy-20221019/policy/modules/system/modutils.if
+@@ -507,3 +507,21 @@ interface(`modules_filetrans_named_conte
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols")
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
+ ')
++
++#######################################
++## 
++## Don't audit accesses to tmp file type.
++## 
++## 
++## Domain allowed access.
++## 
++## 
++#
++interface(`modutils_dontaudit_kmod_tmpfs_getattr',`
++ gen_require(`
++ type kmod_tmpfs_t;
++ ')
++
++ dontaudit $1 kmod_tmpfs_t:file { getattr };
++')
diff --git a/fedora-policy-20220714.tar.bz2 b/fedora-policy-20220714.tar.bz2
deleted file mode 100644
index e44436d..0000000
--- a/fedora-policy-20220714.tar.bz2
+++ /dev/null
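Review bot: The interface summary `Don't audit accesses to tmp file type.` is too vague for a rule whose whole purpose is to hide denials — `dontaudit $1 kmod_tmpfs_t:file { getattr };` suppresses only getattr on kmod's tmpfs files, and someone later hunting for silently dropped AVCs needs to see exactly that; suggest `## Do not audit getattr on kmod tmpfs files (kmod_tmpfs_t).` The scope itself is appropriately narrow (getattr only, no read), so this does not widen xdm_t's effective permissions, which is worth stating in the xserver.te comment alongside the startproc rationale, e.g. `# only getattr is silenced; no access is granted`. The neighbouring interface in the same file is named with a `modules_` prefix while the new one uses `modutils_`; check which prefix the file's other interfaces use so the name is discoverable.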
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:dc7e16b718c4b36fc790d0e55a41fb18226a17e8b5e079afe127e611d16276a9
-size 731294
diff --git a/fedora-policy-20221019.tar.bz2 b/fedora-policy-20221019.tar.bz2
new file mode 100644
index 0000000..6fb0487
--- /dev/null
+++ b/fedora-policy-20221019.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e2cfe78d728e0b94dfbdc81413f6ede0a0f0e6064de4f6628fa7328d1f4d2ede
+size 733130
diff --git a/fix_alsa.patch b/fix_alsa.patch
new file mode 100644
index 0000000..0e6b04c
--- /dev/null
+++ b/fix_alsa.patch
@@ -0,0 +1,15 @@
+Index: fedora-policy-20221019/policy/modules/contrib/alsa.te
+===================================================================
+--- fedora-policy-20221019.orig/policy/modules/contrib/alsa.te
++++ fedora-policy-20221019/policy/modules/contrib/alsa.te
+@@ -104,6 +104,10 @@ userdom_manage_unpriv_user_semaphores(al
+ userdom_manage_unpriv_user_shared_mem(alsa_t)
+ userdom_search_user_home_dirs(alsa_t)
+ 
++optional_policy(`
++ gnome_read_home_config(alsa_t)
++')
++
+ ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(alsa_t)
+ 
diff --git a/fix_apache.patch b/fix_apache.patch
index 74a1c76..6b24b83 100644
--- a/fix_apache.patch
+++ b/fix_apache.patch
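Review bot: `gnome_read_home_config(alsa_t)` lets the alsa domain read users' GNOME configuration under their home directories, and the new fix_alsa.patch carries no comment saying which access prompted it, so a reviewer cannot judge whether a narrower grant (a search permission, or a dontaudit if the access is incidental) would do. Add a why-comment above the `optional_policy` block naming the triggering program and denial, for example `# SUSE: <tool> reads per-user GNOME config at login (bsc#NNNN); read-only` — the tool and bug reference are not visible here and need to be filled in by the author. Other SUSE patches in this series attach a bug number to non-obvious grants; this one should too.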
@@ -1,10 +1,10 @@ -Index: fedora-policy-20220428/policy/modules/contrib/apache.if +Index: fedora-policy-20221019/policy/modules/contrib/apache.if =================================================================== ---- fedora-policy-20220428.orig/policy/modules/contrib/apache.if -+++ fedora-policy-20220428/policy/modules/contrib/apache.if -@@ -1989,3 +1989,25 @@ interface(`apache_ioctl_stream_sockets', +--- fedora-policy-20221019.orig/policy/modules/contrib/apache.if ++++ fedora-policy-20221019/policy/modules/contrib/apache.if +@@ -2007,3 +2007,25 @@ interface(`apache_read_semaphores',` - allow $1 httpd_t:unix_stream_socket ioctl; + allow $1 httpd_t:sem r_sem_perms; ') + +####################################### diff --git a/fix_chronyd.patch b/fix_chronyd.patch index a4daca5..beabc0d 100644 --- a/fix_chronyd.patch +++ b/fix_chronyd.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20220714/policy/modules/contrib/chronyd.te +Index: fedora-policy-20221019/policy/modules/contrib/chronyd.te =================================================================== ---- fedora-policy-20220714.orig/policy/modules/contrib/chronyd.te -+++ fedora-policy-20220714/policy/modules/contrib/chronyd.te -@@ -141,6 +141,14 @@ systemd_exec_systemctl(chronyd_t) +--- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.te ++++ fedora-policy-20221019/policy/modules/contrib/chronyd.te +@@ -144,6 +144,14 @@ systemd_exec_systemctl(chronyd_t) userdom_dgram_send(chronyd_t) optional_policy(` 
@@ -17,10 +17,10 @@ Index: fedora-policy-20220714/policy/modules/contrib/chronyd.te cron_dgram_send(chronyd_t) ') -Index: fedora-policy-20220714/policy/modules/contrib/chronyd.fc +Index: fedora-policy-20221019/policy/modules/contrib/chronyd.fc =================================================================== ---- fedora-policy-20220714.orig/policy/modules/contrib/chronyd.fc -+++ fedora-policy-20220714/policy/modules/contrib/chronyd.fc +--- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.fc ++++ fedora-policy-20221019/policy/modules/contrib/chronyd.fc @@ -6,6 +6,8 @@ /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) diff --git a/fix_cockpit.patch b/fix_cockpit.patch deleted file mode 100644 index 99c363e..0000000 --- a/fix_cockpit.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From d63e6cf43bfe32d53b371b6920d4c09431647ddd Mon Sep 17 00:00:00 2001 -From: Ludwig Nussel -Date: Wed, 28 Apr 2021 17:09:49 +0200 -Subject: [PATCH] cockpit: allow cockpit socket to bind nodes - -Looks like this setting is implicit with kerberos enabled. -cockpit.socket fails to start if kerberos_enabled=false ---- - policy/modules/contrib/cockpit.te | 2 ++ - 1 file changed, 2 insertions(+) - -Index: fedora-policy-20210716/policy/modules/contrib/cockpit.te -=================================================================== ---- fedora-policy-20210716.orig/policy/modules/contrib/cockpit.te -+++ fedora-policy-20210716/policy/modules/contrib/cockpit.te -@@ -51,7 +51,9 @@ can_exec(cockpit_ws_t,cockpit_session_ex - dev_read_urand(cockpit_ws_t) # for authkey - dev_read_rand(cockpit_ws_t) # for libssh - -+# cockpit-ws allows connections on websm port - corenet_tcp_bind_websm_port(cockpit_ws_t) -+corenet_tcp_bind_generic_node(cockpit_ws_t) - - # cockpit-ws can connect to other hosts via ssh - corenet_tcp_connect_ssh_port(cockpit_ws_t) -Index: fedora-policy-20210716/policy/modules/contrib/cockpit.fc -=================================================================== ---- fedora-policy-20210716.orig/policy/modules/contrib/cockpit.fc -+++ fedora-policy-20210716/policy/modules/contrib/cockpit.fc -@@ -3,12 +3,12 @@ - /usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) - /etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) - --/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) --/usr/libexec/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) --/usr/libexec/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) -+/usr/lib(exec)?/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) -+/usr/lib(exec)?/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) 
-+/usr/lib(exec)?/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) - --/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) --/usr/libexec/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) -+/usr/lib(exec)?/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) -+/usr/lib(exec)?/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) - - /usr/share/cockpit/motd/update-motd -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) - diff --git a/fix_cron.patch b/fix_cron.patch index 8b4135d..203162a 100644 --- a/fix_cron.patch +++ b/fix_cron.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20220714/policy/modules/contrib/cron.fc +Index: fedora-policy-20221019/policy/modules/contrib/cron.fc =================================================================== ---- fedora-policy-20220714.orig/policy/modules/contrib/cron.fc -+++ fedora-policy-20220714/policy/modules/contrib/cron.fc +--- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc ++++ fedora-policy-20221019/policy/modules/contrib/cron.fc @@ -34,7 +34,7 @@ /var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0) 
@@ -32,11 +32,11 @@ Index: fedora-policy-20220714/policy/modules/contrib/cron.fc -/var/spool/cron/lastrun/[^/]* -- <> -/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -') -Index: fedora-policy-20220714/policy/modules/contrib/cron.if +Index: fedora-policy-20221019/policy/modules/contrib/cron.if =================================================================== ---- fedora-policy-20220714.orig/policy/modules/contrib/cron.if -+++ fedora-policy-20220714/policy/modules/contrib/cron.if -@@ -1057,7 +1057,7 @@ interface(`cron_generic_log_filetrans_lo +--- fedora-policy-20221019.orig/policy/modules/contrib/cron.if ++++ fedora-policy-20221019/policy/modules/contrib/cron.if +@@ -1075,7 +1075,7 @@ interface(`cron_generic_log_filetrans_lo # interface(`cron_system_spool_entrypoint',` gen_require(` diff --git a/fix_init.patch b/fix_init.patch index baf4749..29df1c9 100644 --- a/fix_init.patch +++ b/fix_init.patch @@ -1,17 +1,8 @@ -Index: fedora-policy-20220714/policy/modules/system/init.te +Index: fedora-policy-20221019/policy/modules/system/init.te =================================================================== ---- fedora-policy-20220714.orig/policy/modules/system/init.te -+++ fedora-policy-20220714/policy/modules/system/init.te -@@ -187,6 +187,8 @@ allow init_t self:bpf { map_create map_r - # setuid (from /sbin/shutdown) - # sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot() - -+# bsc#1197610, find a better, generic solution -+allow init_t self:file mounton; - allow init_t self:fifo_file rw_fifo_file_perms; - - allow init_t self:service manage_service_perms; -@@ -267,6 +269,8 @@ corecmd_exec_bin(init_t) +--- fedora-policy-20221019.orig/policy/modules/system/init.te ++++ fedora-policy-20221019/policy/modules/system/init.te +@@ -269,6 +269,8 @@ corecmd_exec_bin(init_t) corenet_all_recvfrom_netlabel(init_t) corenet_tcp_bind_all_ports(init_t) corenet_udp_bind_all_ports(init_t) 
@@ -20,7 +11,7 @@ Index: fedora-policy-20220714/policy/modules/system/init.te dev_create_all_files(init_t) dev_create_all_chr_files(init_t) -@@ -396,6 +400,7 @@ logging_manage_audit_config(init_t) +@@ -398,6 +400,7 @@ logging_manage_audit_config(init_t) logging_create_syslog_netlink_audit_socket(init_t) logging_write_var_log_dirs(init_t) logging_manage_var_log_symlinks(init_t) @@ -28,7 +19,7 @@ Index: fedora-policy-20220714/policy/modules/system/init.te seutil_read_config(init_t) seutil_read_login_config(init_t) -@@ -448,9 +453,19 @@ ifdef(`distro_redhat',` +@@ -450,9 +453,19 @@ ifdef(`distro_redhat',` corecmd_shell_domtrans(init_t, initrc_t) storage_raw_rw_fixed_disk(init_t) @@ -48,7 +39,7 @@ Index: fedora-policy-20220714/policy/modules/system/init.te optional_policy(` anaconda_stream_connect(init_t) anaconda_create_unix_stream_sockets(init_t) -@@ -581,10 +596,10 @@ tunable_policy(`init_audit_control',` +@@ -584,10 +597,10 @@ tunable_policy(`init_audit_control',` allow init_t self:system all_system_perms; allow init_t self:system module_load; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -61,7 +52,7 @@ Index: fedora-policy-20220714/policy/modules/system/init.te allow init_t self:netlink_selinux_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; # Until systemd is fixed -@@ -643,6 +658,7 @@ files_delete_all_spool_sockets(init_t) +@@ -647,6 +660,7 @@ files_delete_all_spool_sockets(init_t) files_create_var_lib_dirs(init_t) files_create_var_lib_symlinks(init_t) files_read_var_lib_symlinks(init_t) @@ -69,7 +60,7 @@ Index: fedora-policy-20220714/policy/modules/system/init.te files_manage_urandom_seed(init_t) files_list_locks(init_t) files_list_spool(init_t) -@@ -680,7 +696,7 @@ fs_list_all(init_t) +@@ -684,7 +698,7 @@ fs_list_all(init_t) fs_list_auto_mountpoints(init_t) fs_register_binary_executable_type(init_t) fs_relabel_tmpfs_sock_file(init_t) 
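Review bot: The first hunk of fix_init.patch drops the `allow init_t self:file mounton;` rule tagged `# bsc#1197610, find a better, generic solution` with no replacement visible in this series. The shifted context (`@@ -267,6 +269,8 @@` becoming `@@ -269,6 +269,8 @@`) is consistent with the 20221019 upstream having gained two lines in that area, possibly an equivalent rule, but nothing here confirms it; if upstream does not carry it, systemd will hit the original denial again. Please state where the rule went, either in the commit message or as a note at the top of fix_init.patch such as `# bsc#1197610: self:file mounton is now upstream in init.te`, so the bug's trail is not lost.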
@@ -78,7 +69,7 @@ Index: fedora-policy-20220714/policy/modules/system/init.te fs_relabel_cgroup_dirs(init_t) fs_search_cgroup_dirs(init_t) # for network namespaces -@@ -736,6 +752,7 @@ systemd_write_inherited_logind_sessions_ +@@ -740,6 +754,7 @@ systemd_write_inherited_logind_sessions_ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) create_dirs_pattern(init_t, var_log_t, var_log_t) @@ -86,7 +77,7 @@ Index: fedora-policy-20220714/policy/modules/system/init.te auth_use_nsswitch(init_t) auth_rw_login_records(init_t) -@@ -1590,6 +1607,8 @@ optional_policy(` +@@ -1596,6 +1611,8 @@ optional_policy(` optional_policy(` postfix_list_spool(initrc_t) diff --git a/fix_kernel_sysctl.patch b/fix_kernel_sysctl.patch index bd4527a..4769ca5 100644 --- a/fix_kernel_sysctl.patch +++ b/fix_kernel_sysctl.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20220624/policy/modules/kernel/files.fc +Index: fedora-policy-20221019/policy/modules/kernel/files.fc =================================================================== ---- fedora-policy-20220624.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20220624/policy/modules/kernel/files.fc +--- fedora-policy-20221019.orig/policy/modules/kernel/files.fc ++++ fedora-policy-20221019/policy/modules/kernel/files.fc @@ -242,6 +242,8 @@ ifdef(`distro_redhat',` /usr/lib/ostree-boot(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr/lib/modules(/.*)/vmlinuz -- gen_context(system_u:object_r:usr_t,s0) 
@@ -11,11 +11,11 @@ Index: fedora-policy-20220624/policy/modules/kernel/files.fc /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -Index: fedora-policy-20220624/policy/modules/system/systemd.te +Index: fedora-policy-20221019/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20220624.orig/policy/modules/system/systemd.te -+++ fedora-policy-20220624/policy/modules/system/systemd.te -@@ -1052,6 +1052,8 @@ init_stream_connect(systemd_sysctl_t) +--- fedora-policy-20221019.orig/policy/modules/system/systemd.te ++++ fedora-policy-20221019/policy/modules/system/systemd.te +@@ -1105,6 +1105,8 @@ init_stream_connect(systemd_sysctl_t) logging_send_syslog_msg(systemd_sysctl_t) systemd_read_efivarfs(systemd_sysctl_t) diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch index 3553e85..91a7087 100644 --- a/fix_networkmanager.patch +++ b/fix_networkmanager.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.te +Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te =================================================================== ---- fedora-policy-20220714.orig/policy/modules/contrib/networkmanager.te -+++ fedora-policy-20220714/policy/modules/contrib/networkmanager.te -@@ -276,6 +276,9 @@ userdom_read_home_certs(NetworkManager_t +--- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.te ++++ fedora-policy-20221019/policy/modules/contrib/networkmanager.te +@@ -275,6 +275,9 @@ userdom_read_home_certs(NetworkManager_t userdom_read_user_home_content_files(NetworkManager_t) userdom_dgram_send(NetworkManager_t) 
@@ -12,7 +12,18 @@ Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.te tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(NetworkManager_t) ') -@@ -293,6 +296,14 @@ optional_policy(` +@@ -284,6 +287,10 @@ tunable_policy(`use_samba_home_dirs',` + ') + + optional_policy(` ++ nis_systemctl_ypbind(NetworkManager_t) ++') ++ ++optional_policy(` + avahi_domtrans(NetworkManager_t) + avahi_kill(NetworkManager_t) + avahi_signal(NetworkManager_t) +@@ -292,6 +299,14 @@ optional_policy(` ') optional_policy(` @@ -27,7 +38,7 @@ Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.te bind_domtrans(NetworkManager_t) bind_manage_cache(NetworkManager_t) bind_kill(NetworkManager_t) -@@ -420,6 +431,8 @@ optional_policy(` +@@ -419,6 +434,8 @@ optional_policy(` nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) nscd_systemctl(NetworkManager_t) @@ -36,7 +47,7 @@ Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.te ') optional_policy(` -@@ -602,6 +615,7 @@ files_manage_etc_files(NetworkManager_di +@@ -606,6 +623,7 @@ files_manage_etc_files(NetworkManager_di init_status(NetworkManager_dispatcher_cloud_t) init_status(NetworkManager_dispatcher_ddclient_t) 
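Review bot: `nis_systemctl_ypbind(NetworkManager_t)` lets the NetworkManager daemon domain start, stop and query the ypbind unit, which is a step up from the surrounding avahi/bind grants (domtrans, kill, signal), and it is added without a comment or bug reference. Document what needs it, e.g. `# SUSE: dispatcher restarts ypbind on connectivity change (bsc#NNNN)` — the actual caller is not visible here and should be confirmed by the author. If only a dispatcher script needs it, consider granting it to the corresponding `NetworkManager_dispatcher_*` domain (as the chronyc dispatcher grant elsewhere in this patch does) rather than to the main daemon domain.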
@@ -44,10 +55,21 @@ Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.te init_append_stream_sockets(networkmanager_dispatcher_plugin) init_ioctl_stream_sockets(networkmanager_dispatcher_plugin) init_stream_connect(networkmanager_dispatcher_plugin) -Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.if +@@ -621,6 +639,10 @@ optional_policy(` + ') + + optional_policy(` ++ nscd_shm_use(NetworkManager_dispatcher_chronyc_t) ++') ++ ++optional_policy(` + cloudform_init_domtrans(NetworkManager_dispatcher_cloud_t) + ') + +Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if =================================================================== ---- fedora-policy-20220714.orig/policy/modules/contrib/networkmanager.if -+++ fedora-policy-20220714/policy/modules/contrib/networkmanager.if +--- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.if ++++ fedora-policy-20221019/policy/modules/contrib/networkmanager.if @@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ') @@ -73,10 +95,10 @@ Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.if ######################################## ## ## Execute NetworkManager server in the NetworkManager domain. -Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.fc +Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.fc =================================================================== ---- fedora-policy-20220714.orig/policy/modules/contrib/networkmanager.fc -+++ fedora-policy-20220714/policy/modules/contrib/networkmanager.fc +--- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.fc ++++ fedora-policy-20221019/policy/modules/contrib/networkmanager.fc 
@@ -24,6 +24,7 @@ /usr/lib/NetworkManager/dispatcher\.d/04-iscsi -- gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0) /usr/lib/NetworkManager/dispatcher\.d/10-sendmail -- gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0) diff --git a/fix_postfix.patch b/fix_postfix.patch index e068681..9b7fb86 100644 --- a/fix_postfix.patch +++ b/fix_postfix.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20220624/policy/modules/contrib/postfix.fc +Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc =================================================================== ---- fedora-policy-20220624.orig/policy/modules/contrib/postfix.fc -+++ fedora-policy-20220624/policy/modules/contrib/postfix.fc +--- fedora-policy-20221019.orig/policy/modules/contrib/postfix.fc ++++ fedora-policy-20221019/policy/modules/contrib/postfix.fc @@ -1,37 +1,21 @@ # postfix -/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) 
@@ -75,11 +75,20 @@ Index: fedora-policy-20220624/policy/modules/contrib/postfix.fc /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) -Index: fedora-policy-20220624/policy/modules/contrib/postfix.te +Index: fedora-policy-20221019/policy/modules/contrib/postfix.te =================================================================== ---- fedora-policy-20220624.orig/policy/modules/contrib/postfix.te -+++ fedora-policy-20220624/policy/modules/contrib/postfix.te -@@ -447,6 +447,14 @@ logging_send_syslog_msg(postfix_map_t) +--- fedora-policy-20221019.orig/policy/modules/contrib/postfix.te ++++ fedora-policy-20221019/policy/modules/contrib/postfix.te +@@ -121,6 +121,8 @@ allow postfix_master_t self:udp_socket c + allow postfix_master_t postfix_etc_t:dir rw_dir_perms; + allow postfix_master_t postfix_etc_t:file rw_file_perms; + mta_filetrans_aliases(postfix_master_t, postfix_etc_t) ++# SUSE also runs this on /etc/alias ++mta_filetrans_aliases(postfix_master_t, etc_t) + + can_exec(postfix_master_t, postfix_exec_t) + +@@ -447,6 +449,14 @@ logging_send_syslog_msg(postfix_map_t) userdom_use_inherited_user_ptys(postfix_map_t) @@ -94,7 +103,7 @@ Index: fedora-policy-20220624/policy/modules/contrib/postfix.te optional_policy(` locallogin_dontaudit_use_fds(postfix_map_t) ') -@@ -687,6 +695,14 @@ corenet_tcp_connect_spamd_port(postfix_m +@@ -687,6 +697,14 @@ corenet_tcp_connect_spamd_port(postfix_m files_search_all_mountpoints(postfix_smtp_t) optional_policy(` diff --git a/fix_rpm.patch b/fix_rpm.patch index e5d9b7c..67cf3c4 100644 --- a/fix_rpm.patch +++ b/fix_rpm.patch 
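Review bot: The comment `# SUSE also runs this on /etc/alias` presumably means `/etc/aliases` (the conventional aliases file name); fix the path so the comment matches the file the transition is for. Note also that `mta_filetrans_aliases(postfix_master_t, etc_t)` only installs a name-based type transition for files created under etc_t — it does not by itself grant postfix_master_t create or write access on etc_t directories, so whatever access newaliases actually needs on SUSE must be covered by rules not visible in this hunk; a comment stating that assumption would help, e.g. `# type transition only; write access to etc_t comes from <rule>`.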
@@ -1,7 +1,7 @@ -Index: fedora-policy-20210628/policy/modules/contrib/rpm.fc +Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc =================================================================== ---- fedora-policy-20210628.orig/policy/modules/contrib/rpm.fc -+++ fedora-policy-20210628/policy/modules/contrib/rpm.fc +--- fedora-policy-20221019.orig/policy/modules/contrib/rpm.fc ++++ fedora-policy-20221019/policy/modules/contrib/rpm.fc @@ -18,6 +18,10 @@ /usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -13,7 +13,7 @@ Index: fedora-policy-20210628/policy/modules/contrib/rpm.fc /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0) -@@ -55,6 +59,8 @@ ifdef(`distro_redhat', ` +@@ -56,6 +60,8 @@ ifdef(`distro_redhat', ` /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) 
@@ -22,11 +22,11 @@ Index: fedora-policy-20210628/policy/modules/contrib/rpm.fc /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -Index: fedora-policy-20210628/policy/modules/contrib/rpm.if +Index: fedora-policy-20221019/policy/modules/contrib/rpm.if =================================================================== ---- fedora-policy-20210628.orig/policy/modules/contrib/rpm.if -+++ fedora-policy-20210628/policy/modules/contrib/rpm.if -@@ -479,8 +479,10 @@ interface(`rpm_named_filetrans',` +--- fedora-policy-20221019.orig/policy/modules/contrib/rpm.if ++++ fedora-policy-20221019/policy/modules/contrib/rpm.if +@@ -515,8 +515,10 @@ interface(`rpm_named_filetrans',` logging_log_named_filetrans($1, rpm_log_t, file, "yum.log") logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log") logging_log_named_filetrans($1, rpm_log_t, file, "up2date") 
@@ -37,11 +37,11 @@ Index: fedora-policy-20210628/policy/modules/contrib/rpm.if files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf") files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum") files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm") -Index: fedora-policy-20210628/policy/modules/kernel/files.fc +Index: fedora-policy-20221019/policy/modules/kernel/files.fc =================================================================== ---- fedora-policy-20210628.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20210628/policy/modules/kernel/files.fc -@@ -67,6 +67,7 @@ ifdef(`distro_suse',` +--- fedora-policy-20221019.orig/policy/modules/kernel/files.fc ++++ fedora-policy-20221019/policy/modules/kernel/files.fc +@@ -67,6 +67,7 @@ ifdef(`distro_redhat',` /etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) /etc/yum\.repos\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0) diff --git a/fix_snapper.patch b/fix_snapper.patch index e52343a..045bc12 100644 --- a/fix_snapper.patch +++ b/fix_snapper.patch @@ -1,7 +1,7 @@ -Index: fedora-policy/policy/modules/contrib/snapper.te +Index: fedora-policy-20221019/policy/modules/contrib/snapper.te =================================================================== ---- fedora-policy.orig/policy/modules/contrib/snapper.te -+++ fedora-policy/policy/modules/contrib/snapper.te +--- fedora-policy-20221019.orig/policy/modules/contrib/snapper.te ++++ fedora-policy-20221019/policy/modules/contrib/snapper.te @@ -18,6 +18,9 @@ files_config_file(snapperd_conf_t) type snapperd_data_t; files_type(snapperd_data_t) 
@@ -23,21 +23,25 @@ Index: fedora-policy/policy/modules/contrib/snapper.te kernel_setsched(snapperd_t) domain_read_all_domains_state(snapperd_t) -@@ -73,6 +80,10 @@ storage_raw_read_fixed_disk(snapperd_t) +@@ -73,6 +80,14 @@ storage_raw_read_fixed_disk(snapperd_t) auth_use_nsswitch(snapperd_t) optional_policy(` + packagekit_dbus_chat(snapperd_t) +') + ++optional_policy(` ++ rpm_dbus_chat(snapperd_t) ++') ++ +optional_policy(` cron_system_entry(snapperd_t, snapperd_exec_t) ') -Index: fedora-policy/policy/modules/contrib/snapper.fc +Index: fedora-policy-20221019/policy/modules/contrib/snapper.fc =================================================================== ---- fedora-policy.orig/policy/modules/contrib/snapper.fc -+++ fedora-policy/policy/modules/contrib/snapper.fc +--- fedora-policy-20221019.orig/policy/modules/contrib/snapper.fc ++++ fedora-policy-20221019/policy/modules/contrib/snapper.fc @@ -7,9 +7,17 @@ /var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0) diff --git a/fix_sysnetwork.patch b/fix_sysnetwork.patch index 844d87f..b7f0b13 100644 --- a/fix_sysnetwork.patch +++ b/fix_sysnetwork.patch @@ -1,8 +1,8 @@ -Index: fedora-policy/policy/modules/system/sysnetwork.fc +Index: fedora-policy-20221019/policy/modules/system/sysnetwork.fc =================================================================== ---- fedora-policy.orig/policy/modules/system/sysnetwork.fc -+++ fedora-policy/policy/modules/system/sysnetwork.fc -@@ -102,6 +102,8 @@ ifdef(`distro_debian',` +--- fedora-policy-20221019.orig/policy/modules/system/sysnetwork.fc ++++ fedora-policy-20221019/policy/modules/system/sysnetwork.fc +@@ -103,6 +103,8 @@ ifdef(`distro_debian',` /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ') diff --git a/fix_systemd.patch b/fix_systemd.patch index 867f7e0..1576754 100644 --- a/fix_systemd.patch +++ b/fix_systemd.patch 
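Review bot: `rpm_dbus_chat(snapperd_t)` is a bidirectional D-Bus grant between snapperd and the rpm domain, added next to the existing `packagekit_dbus_chat(snapperd_t)` with no comment explaining which client needs it. Since D-Bus chat in both directions is more than a one-way method call, please record the triggering program (likely a package-manager snapshot plugin, though that is not visible here) and bug reference, e.g. `# SUSE: zypper/rpm snapshot plugin talks to snapperd over D-Bus (bsc#NNNN)`, so the grant can be revisited if that plugin changes.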
@@ -1,8 +1,8 @@
-Index: fedora-policy-20220624/policy/modules/system/systemd.te
+Index: fedora-policy-20221019/policy/modules/system/systemd.te
 ===================================================================
---- fedora-policy-20220624.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20220624/policy/modules/system/systemd.te
-@@ -355,6 +355,10 @@ userdom_manage_user_tmp_chr_files(system
+--- fedora-policy-20221019.orig/policy/modules/system/systemd.te
++++ fedora-policy-20221019/policy/modules/system/systemd.te
+@@ -381,6 +381,10 @@ userdom_manage_user_tmp_chr_files(system
 xserver_dbus_chat(systemd_logind_t)
 optional_policy(`
@@ -13,8 +13,8 @@ Index: fedora-policy-20220624/policy/modules/system/systemd.te
 apache_read_tmp_files(systemd_logind_t)
 ')
-@@ -882,6 +886,10 @@ optional_policy(`
- udev_read_pid_files(systemd_hostnamed_t)
+@@ -863,6 +867,10 @@ optional_policy(`
+ dbus_system_bus_client(systemd_localed_t)
 ')
 +optional_policy(`
@@ -23,8 +23,8 @@ Index: fedora-policy-20220624/policy/modules/system/systemd.te
 +
 #######################################
 #
- # rfkill policy
-@@ -1105,7 +1113,7 @@ systemd_read_efivarfs(systemd_hwdb_t)
+ # Hostnamed policy
+@@ -1158,7 +1166,7 @@ systemd_read_efivarfs(systemd_hwdb_t)
 # systemd_gpt_generator domain
 #
@@ -33,7 +33,7 @@ Index: fedora-policy-20220624/policy/modules/system/systemd.te
 allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms;
 dev_read_sysfs(systemd_gpt_generator_t)
-@@ -1127,6 +1135,8 @@ systemd_unit_file_filetrans(systemd_gpt_
+@@ -1185,6 +1193,8 @@ systemd_unit_file_filetrans(systemd_gpt_
 systemd_create_unit_file_dirs(systemd_gpt_generator_t)
 systemd_create_unit_file_lnk(systemd_gpt_generator_t)
diff --git a/fix_systemd_watch.patch b/fix_systemd_watch.patch
index 9c5f4ad..530f381 100644
--- a/fix_systemd_watch.patch
+++ b/fix_systemd_watch.patch
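Review bot: In the refreshed `@@ -13,8 +13,8 @@` hunk the inserted `+optional_policy(` block is now anchored after `dbus_system_bus_client(systemd_localed_t)` and immediately before the `# Hostnamed policy` header, whereas the previous version placed it after `udev_read_pid_files(systemd_hostnamed_t)` in front of the rfkill section. The rules inside that block are not visible in this hunk, so I cannot tell whether they target systemd_hostnamed_t or systemd_localed_t; if they are hostnamed's, the refresh has moved them into the localed stanza, which still builds (rules in a .te file are global) but misleads the next reader. Worth checking the full fix_systemd.patch and, if so, re-anchoring the block below the `# Hostnamed policy` header so its placement matches the domain it applies to. The remaining hunks on this line are offset-only refreshes.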
@@ -1,8 +1,8 @@
-Index: fedora-policy-20220714/policy/modules/system/systemd.te
+Index: fedora-policy-20221019/policy/modules/system/systemd.te
 ===================================================================
---- fedora-policy-20220714.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20220714/policy/modules/system/systemd.te
-@@ -1447,6 +1447,12 @@ fstools_rw_swap_files(systemd_sleep_t)
+--- fedora-policy-20221019.orig/policy/modules/system/systemd.te
++++ fedora-policy-20221019/policy/modules/system/systemd.te
+@@ -1508,6 +1508,12 @@ fstools_rw_swap_files(systemd_sleep_t)
 storage_getattr_fixed_disk_dev(systemd_sleep_t)
 storage_getattr_removable_dev(systemd_sleep_t)
diff --git a/fix_unconfined.patch b/fix_unconfined.patch
index a9b5b32..815055b 100644
--- a/fix_unconfined.patch
+++ b/fix_unconfined.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20211111/policy/modules/system/unconfined.te
+Index: fedora-policy-20221019/policy/modules/system/unconfined.te
 ===================================================================
---- fedora-policy-20211111.orig/policy/modules/system/unconfined.te
-+++ fedora-policy-20211111/policy/modules/system/unconfined.te
+--- fedora-policy-20221019.orig/policy/modules/system/unconfined.te
++++ fedora-policy-20221019/policy/modules/system/unconfined.te
 @@ -1,5 +1,10 @@
 policy_module(unconfined, 3.5.0)
@@ -13,7 +13,7 @@ Index: fedora-policy-20211111/policy/modules/system/unconfined.te
 ########################################
 #
 # Declarations
-@@ -39,3 +44,6 @@ optional_policy(`
+@@ -45,3 +50,6 @@ optional_policy(`
 optional_policy(`
 container_runtime_domtrans(unconfined_service_t)
 ')
diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch
index 82632fe..017c8f7 100644
--- a/fix_unconfineduser.patch
+++ b/fix_unconfineduser.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20220509/policy/modules/roles/unconfineduser.te
+Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te
 ===================================================================
---- fedora-policy-20220509.orig/policy/modules/roles/unconfineduser.te
-+++ fedora-policy-20220509/policy/modules/roles/unconfineduser.te
+--- fedora-policy-20221019.orig/policy/modules/roles/unconfineduser.te
++++ fedora-policy-20221019/policy/modules/roles/unconfineduser.te
 @@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all'
 domain_dyntrans(unconfined_t)
 ')
@@ -14,7 +14,7 @@ Index: fedora-policy-20220509/policy/modules/roles/unconfineduser.te
 optional_policy(`
 gen_require(`
 type unconfined_t;
-@@ -210,6 +215,10 @@ optional_policy(`
+@@ -214,6 +219,10 @@ optional_policy(`
 ')
 optional_policy(`
@@ -25,7 +25,7 @@ Index: fedora-policy-20220509/policy/modules/roles/unconfineduser.te
 chrome_role_notrans(unconfined_r, unconfined_t)
 tunable_policy(`unconfined_chrome_sandbox_transition',`
-@@ -244,6 +253,18 @@ optional_policy(`
+@@ -248,6 +257,18 @@ optional_policy(`
 dbus_stub(unconfined_t)
 optional_policy(`
diff --git a/fix_unprivuser.patch b/fix_unprivuser.patch
index 646fcde..70fe21e 100644
--- a/fix_unprivuser.patch
+++ b/fix_unprivuser.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy-20220624/policy/modules/roles/unprivuser.te
+Index: fedora-policy-20221019/policy/modules/roles/unprivuser.te
 ===================================================================
---- fedora-policy-20220624.orig/policy/modules/roles/unprivuser.te
-+++ fedora-policy-20220624/policy/modules/roles/unprivuser.te
-@@ -296,6 +296,13 @@ ifndef(`distro_redhat',`
+--- fedora-policy-20221019.orig/policy/modules/roles/unprivuser.te
++++ fedora-policy-20221019/policy/modules/roles/unprivuser.te
+@@ -300,6 +300,13 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
diff --git a/fix_xserver.patch b/fix_xserver.patch
index f969707..a8fd6e8 100644
--- a/fix_xserver.patch
+++ b/fix_xserver.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20220714/policy/modules/services/xserver.fc
+Index: fedora-policy-20221019/policy/modules/services/xserver.fc
 ===================================================================
---- fedora-policy-20220714.orig/policy/modules/services/xserver.fc
-+++ fedora-policy-20220714/policy/modules/services/xserver.fc
+--- fedora-policy-20221019.orig/policy/modules/services/xserver.fc
++++ fedora-policy-20221019/policy/modules/services/xserver.fc
 @@ -71,6 +71,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
 /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
@@ -51,13 +51,13 @@ Index: fedora-policy-20220714/policy/modules/services/xserver.fc
 /var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
 /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
-Index: fedora-policy-20220714/policy/modules/services/xserver.te
+Index: fedora-policy-20221019/policy/modules/services/xserver.te
 ===================================================================
---- fedora-policy-20220714.orig/policy/modules/services/xserver.te
-+++ fedora-policy-20220714/policy/modules/services/xserver.te
-@@ -473,6 +473,10 @@ userdom_delete_user_home_content_files(x
- userdom_signull_unpriv_users(xdm_t)
- userdom_dontaudit_read_admin_home_lnk_files(xdm_t)
+--- fedora-policy-20221019.orig/policy/modules/services/xserver.te
++++ fedora-policy-20221019/policy/modules/services/xserver.te
+@@ -475,6 +475,10 @@ userdom_dontaudit_read_admin_home_lnk_fi
+
+ kernel_read_vm_sysctls(xdm_t)
 +files_manage_generic_pids_symlinks(xdm_t)
 +userdom_manage_user_home_content_dirs(xdm_t)
diff --git a/modules-minimum-contrib.conf b/modules-minimum-contrib.conf
index 1be2194..cde391b 100644
--- a/modules-minimum-contrib.conf
+++ b/modules-minimum-contrib.conf
@@ -342,13 +342,6 @@ cmirrord = module
 #
 cobbler = module
-# Layer: contrib
-# Module: cockpit
-#
-# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines.
-#
-cockpit = module
-
 # Layer: services
 # Module: collectd
 #
@@ -2367,13 +2360,6 @@ minissdpd = module
 #
 freeipmi = module
-# Layer: contrib
-# Module: freeipmi
-#
-# ipa policy module contain SELinux policies for IPA services
-#
-ipa = module
-
 # Layer: contrib
 # Module: mirrormanager
 #
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 9182671..54a2b38 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -342,13 +342,6 @@ cmirrord = module
 #
 cobbler = module
-# Layer: contrib
-# Module: cockpit
-#
-# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines.
-#
-cockpit = module
-
 # Layer: services
 # Module: collectd
 #
@@ -2381,13 +2374,6 @@ minissdpd = module
 #
 freeipmi = module
-# Layer: contrib
-# Module: freeipmi
-#
-# ipa policy module contain SELinux policies for IPA services
-#
-ipa = module
-
 # Layer: contrib
 # Module: mirrormanager
 #
diff --git a/selinux-policy.changes b/selinux-policy.changes
index adcc217..66c1d72 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,31 @@
+-------------------------------------------------------------------
+Wed Oct 19 11:45:57 UTC 2022 - Johannes Segitz
+
+- Update to version 20221019. Refreshed:
+ * distro_suse_to_distro_redhat.patch
+ * fix_apache.patch
+ * fix_chronyd.patch
+ * fix_cron.patch
+ * fix_init.patch
+ * fix_kernel_sysctl.patch
+ * fix_networkmanager.patch
+ * fix_rpm.patch
+ * fix_sysnetwork.patch
+ * fix_systemd.patch
+ * fix_systemd_watch.patch
+ * fix_unconfined.patch
+ * fix_unconfineduser.patch
+ * fix_unprivuser.patch
+ * fix_xserver.patch
+- Dropped fix_cockpit.patch as this is now packaged with cockpit itself
+- Remove the ipa module, freeip ships their own module
+- Added fix_alsa.patch to allow reading of config files in home directories
+- Extended fix_networkmanager.patch and fix_postfix.patch to account
+ for SUSE systems
+- Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc
+ queries the running processes
+- Updated fix_snapper.patch to allow snapper to talk to rpm via dbus
+
 -------------------------------------------------------------------
 Fri Sep 30 07:14:49 UTC 2022 - Johannes Segitz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index eb4bf37..5da319d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -33,7 +33,7 @@ Summary: SELinux policy configuration
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20220714
+Version: 20221019
 Release: 0
 Source: fedora-policy-%{version}.tar.bz2
 Source1: selinux-policy-rpmlintrc
@@ -132,7 +132,7 @@ Patch049: fix_nis.patch
 Patch050: fix_libraries.patch
 Patch051: fix_dovecot.patch
 # https://github.com/cockpit-project/cockpit/pull/15758
-Patch052: fix_cockpit.patch
+#Patch052: fix_cockpit.patch
 Patch053: fix_systemd_watch.patch
 # kernel specific sysctl.conf (boo#1184804)
 Patch054: fix_kernel_sysctl.patch
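Review bot: In the `@@ -132,7 +132,7 @@` hunk `Patch052: fix_cockpit.patch` is commented out rather than removed, and the comment above it (`# https://github.com/cockpit-project/cockpit/pull/15758`) now dangles with nothing to explain; the changelog in the same commit already records that cockpit ships its own policy, so dropping both lines would be cleaner than `#Patch052: fix_cockpit.patch`. More importantly, neither this hunk nor the `@@ -144,6 +144,8 @@` hunk on the next line, which adds `Patch063` and `Patch064`, shows the matching `%prep` change: if the spec applies patches with explicit `%patch -P N` lines, a leftover `%patch -P 52` would break the build and the two new patches would never be applied. The `%prep` section is outside both hunks, so this may well be handled there; it is worth confirming.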
@@ -144,6 +144,8 @@ Patch059: systemd_domain_dyntrans_type.patch
 Patch060: fix_dnsmasq.patch
 Patch061: fix_userdomain.patch
 Patch062: fix_cloudform.patch
+Patch063: fix_alsa.patch
+Patch064: dontaudit_interface_kmod_tmpfs.patch
 Patch100: sedoctool.patch

From 69aab159dc5cbd788bf7ff16784ae8fda433830f20cc47b057d82dd8280959f2 Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Mon, 24 Oct 2022 09:13:01 +0000
Subject: [PATCH 35/35] Accepting request 1030696 from openSUSE:Factory

https://bugzilla.suse.com/show_bug.cgi?id=1204605

OBS-URL: https://build.opensuse.org/request/show/1030696
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=35
---
 distro_suse_to_distro_redhat.patch | 128 ++++++++++++---------------
 dontaudit_interface_kmod_tmpfs.patch | 41 ---------
 fedora-policy-20220714.tar.bz2 | 3 +
 fedora-policy-20221019.tar.bz2 | 3 -
 fix_alsa.patch | 15 ----
 fix_apache.patch | 10 +--
 fix_chronyd.patch | 14 +--
 fix_cockpit.patch | 47 ++++++++++
 fix_cron.patch | 14 +--
 fix_init.patch | 31 ++++---
 fix_kernel_sysctl.patch | 14 +--
 fix_networkmanager.patch | 48 +++------
 fix_postfix.patch | 25 ++---
 fix_rpm.patch | 24 ++--
 fix_snapper.patch | 18 ++--
 fix_sysnetwork.patch | 8 +-
 fix_systemd.patch | 18 ++--
 fix_systemd_watch.patch | 8 +-
 fix_unconfined.patch | 8 +-
 fix_unconfineduser.patch | 10 +--
 fix_unprivuser.patch | 8 +-
 fix_xserver.patch | 18 ++--
 modules-minimum-contrib.conf | 14 +++
 modules-targeted-contrib.conf | 14 +++
 selinux-policy.changes | 28 ------
 selinux-policy.spec | 6 +-
 26 files changed, 262 insertions(+), 313 deletions(-)
 delete mode 100644 dontaudit_interface_kmod_tmpfs.patch
 create mode 100644 fedora-policy-20220714.tar.bz2
 delete mode 100644 fedora-policy-20221019.tar.bz2
 delete mode 100644 fix_alsa.patch
 create mode 100644 fix_cockpit.patch

diff --git a/distro_suse_to_distro_redhat.patch b/distro_suse_to_distro_redhat.patch
index c11814e..c931eb5 100644
--- a/distro_suse_to_distro_redhat.patch
+++ b/distro_suse_to_distro_redhat.patch @@ -1,8 +1,7 @@ -Index: fedora-policy-20221019/policy/modules/contrib/apache.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/apache.fc -+++ fedora-policy-20221019/policy/modules/contrib/apache.fc -@@ -74,7 +74,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.* +diff -r -u fedora-policy-20220714/policy/modules/contrib/apache.fc fedora-policy-20220714_changed/policy/modules/contrib/apache.fc +--- fedora-policy-20220714/policy/modules/contrib/apache.fc 2022-07-14 10:41:34.267983097 +0200 ++++ fedora-policy-20220714_changed/policy/modules/contrib/apache.fc 2022-09-30 09:07:02.245313656 +0200 +@@ -74,7 +74,7 @@ /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) /usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -11,11 +10,10 @@ Index: fedora-policy-20221019/policy/modules/contrib/apache.fc /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') -Index: fedora-policy-20221019/policy/modules/contrib/cron.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc -+++ fedora-policy-20221019/policy/modules/contrib/cron.fc -@@ -51,7 +51,7 @@ ifdef(`distro_gentoo',` +diff -r -u fedora-policy-20220714/policy/modules/contrib/cron.fc fedora-policy-20220714_changed/policy/modules/contrib/cron.fc +--- fedora-policy-20220714/policy/modules/contrib/cron.fc 2022-07-14 10:41:34.279983278 +0200 ++++ fedora-policy-20220714_changed/policy/modules/contrib/cron.fc 2022-09-30 09:07:01.465301514 +0200 +@@ -51,7 +51,7 @@ /var/spool/cron/lastrun/[^/]* -- <> ') 
@@ -24,7 +22,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/cron.fc /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) /var/spool/cron/lastrun/[^/]* -- <> /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -@@ -70,7 +70,7 @@ ifdef(`distro_gentoo',` +@@ -70,7 +70,7 @@ /var/spool/cron/lastrun/[^/]* -- <> ') @@ -33,11 +31,10 @@ Index: fedora-policy-20221019/policy/modules/contrib/cron.fc /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) /var/spool/cron/lastrun/[^/]* -- <> /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/rpm.fc -+++ fedora-policy-20221019/policy/modules/contrib/rpm.fc -@@ -80,7 +80,7 @@ ifdef(`distro_redhat', ` +diff -r -u fedora-policy-20220714/policy/modules/contrib/rpm.fc fedora-policy-20220714_changed/policy/modules/contrib/rpm.fc +--- fedora-policy-20220714/policy/modules/contrib/rpm.fc 2022-07-14 10:41:34.315983821 +0200 ++++ fedora-policy-20220714_changed/policy/modules/contrib/rpm.fc 2022-09-30 09:07:01.713305375 +0200 +@@ -79,7 +79,7 @@ /var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) # SuSE 
@@ -46,11 +43,10 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) /sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0) /var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -Index: fedora-policy-20221019/policy/modules/kernel/corecommands.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/kernel/corecommands.fc -+++ fedora-policy-20221019/policy/modules/kernel/corecommands.fc -@@ -462,7 +462,7 @@ ifdef(`distro_redhat', ` +diff -r -u fedora-policy-20220714/policy/modules/kernel/corecommands.fc fedora-policy-20220714_changed/policy/modules/kernel/corecommands.fc +--- fedora-policy-20220714/policy/modules/kernel/corecommands.fc 2022-07-14 10:41:34.327984002 +0200 ++++ fedora-policy-20220714_changed/policy/modules/kernel/corecommands.fc 2022-09-30 09:07:01.273298522 +0200 +@@ -462,7 +462,7 @@ /usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0) ') @@ -59,7 +55,7 @@ Index: fedora-policy-20221019/policy/modules/kernel/corecommands.fc /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/ssh/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -491,7 +491,7 @@ ifdef(`distro_suse', ` +@@ -491,7 +491,7 @@ /var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0) 
@@ -68,10 +64,9 @@ Index: fedora-policy-20221019/policy/modules/kernel/corecommands.fc /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') -Index: fedora-policy-20221019/policy/modules/kernel/devices.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/kernel/devices.fc -+++ fedora-policy-20221019/policy/modules/kernel/devices.fc +diff -r -u fedora-policy-20220714/policy/modules/kernel/devices.fc fedora-policy-20220714_changed/policy/modules/kernel/devices.fc +--- fedora-policy-20220714/policy/modules/kernel/devices.fc 2022-07-14 10:41:34.327984002 +0200 ++++ fedora-policy-20220714_changed/policy/modules/kernel/devices.fc 2022-09-30 09:07:01.265298397 +0200 @@ -148,7 +148,7 @@ /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) @@ -81,11 +76,10 @@ Index: fedora-policy-20221019/policy/modules/kernel/devices.fc /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') /dev/vmci -c gen_context(system_u:object_r:vmci_device_t,s0) -Index: fedora-policy-20221019/policy/modules/kernel/files.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20221019/policy/modules/kernel/files.fc -@@ -22,7 +22,7 @@ ifdef(`distro_redhat',` +diff -r -u fedora-policy-20220714/policy/modules/kernel/files.fc fedora-policy-20220714_changed/policy/modules/kernel/files.fc +--- fedora-policy-20220714/policy/modules/kernel/files.fc 2022-07-14 10:41:34.331984062 +0200 ++++ fedora-policy-20220714_changed/policy/modules/kernel/files.fc 2022-09-30 09:07:01.289298772 +0200 +@@ -22,7 +22,7 @@ /[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0) ') 
@@ -94,7 +88,7 @@ Index: fedora-policy-20221019/policy/modules/kernel/files.fc /success -- gen_context(system_u:object_r:etc_runtime_t,s0) ') -@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', ` +@@ -92,7 +92,7 @@ /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0) ') @@ -103,11 +97,10 @@ Index: fedora-policy-20221019/policy/modules/kernel/files.fc /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) ') -Index: fedora-policy-20221019/policy/modules/services/xserver.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/services/xserver.fc -+++ fedora-policy-20221019/policy/modules/services/xserver.fc -@@ -189,7 +189,7 @@ ifndef(`distro_debian',` +diff -r -u fedora-policy-20220714/policy/modules/services/xserver.fc fedora-policy-20220714_changed/policy/modules/services/xserver.fc +--- fedora-policy-20220714/policy/modules/services/xserver.fc 2022-07-14 10:41:34.335984123 +0200 ++++ fedora-policy-20220714_changed/policy/modules/services/xserver.fc 2022-09-30 09:07:02.689320566 +0200 +@@ -189,7 +189,7 @@ /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) /var/run/systemd/multi-session-x(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) 
@@ -116,11 +109,10 @@ Index: fedora-policy-20221019/policy/modules/services/xserver.fc /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) ') -Index: fedora-policy-20221019/policy/modules/system/authlogin.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/authlogin.fc -+++ fedora-policy-20221019/policy/modules/system/authlogin.fc -@@ -31,7 +31,7 @@ HOME_DIR/\.google_authenticator~ gen_co +diff -r -u fedora-policy-20220714/policy/modules/system/authlogin.fc fedora-policy-20220714_changed/policy/modules/system/authlogin.fc +--- fedora-policy-20220714/policy/modules/system/authlogin.fc 2022-07-14 10:41:34.335984123 +0200 ++++ fedora-policy-20220714_changed/policy/modules/system/authlogin.fc 2022-09-30 09:07:02.761321686 +0200 +@@ -31,7 +31,7 @@ /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) @@ -129,11 +121,10 @@ Index: fedora-policy-20221019/policy/modules/system/authlogin.fc /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') -Index: fedora-policy-20221019/policy/modules/system/init.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/init.fc -+++ fedora-policy-20221019/policy/modules/system/init.fc -@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', ` +diff -r -u fedora-policy-20220714/policy/modules/system/init.fc fedora-policy-20220714_changed/policy/modules/system/init.fc +--- fedora-policy-20220714/policy/modules/system/init.fc 2022-07-14 10:41:34.335984123 +0200 ++++ fedora-policy-20220714_changed/policy/modules/system/init.fc 2022-09-30 09:07:02.701320753 +0200 +@@ -92,7 +92,7 @@ /var/run/svscan\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') 
@@ -142,11 +133,10 @@ Index: fedora-policy-20221019/policy/modules/system/init.fc /var/run/bootsplashctl -p gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/keymap -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/numlock-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) -Index: fedora-policy-20221019/policy/modules/system/init.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/init.te -+++ fedora-policy-20221019/policy/modules/system/init.te -@@ -1334,7 +1334,7 @@ ifdef(`distro_redhat',` +diff -r -u fedora-policy-20220714/policy/modules/system/init.te fedora-policy-20220714_changed/policy/modules/system/init.te +--- fedora-policy-20220714/policy/modules/system/init.te 2022-07-14 10:41:34.335984123 +0200 ++++ fedora-policy-20220714_changed/policy/modules/system/init.te 2022-09-30 09:07:02.725321126 +0200 +@@ -1330,7 +1330,7 @@ ') ') @@ -155,11 +145,10 @@ Index: fedora-policy-20221019/policy/modules/system/init.te optional_policy(` # set permissions on /tmp/.X11-unix xserver_setattr_xdm_tmp_dirs(initrc_t) -Index: fedora-policy-20221019/policy/modules/system/libraries.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/libraries.fc -+++ fedora-policy-20221019/policy/modules/system/libraries.fc -@@ -329,7 +329,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_ +diff -r -u fedora-policy-20220714/policy/modules/system/libraries.fc fedora-policy-20220714_changed/policy/modules/system/libraries.fc +--- fedora-policy-20220714/policy/modules/system/libraries.fc 2022-07-14 10:41:34.335984123 +0200 ++++ fedora-policy-20220714_changed/policy/modules/system/libraries.fc 2022-09-30 09:07:02.709320877 +0200 +@@ -329,7 +329,7 @@ /var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) /usr/lib/xfce4/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) 
@@ -168,11 +157,10 @@ Index: fedora-policy-20221019/policy/modules/system/libraries.fc /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) ') -Index: fedora-policy-20221019/policy/modules/system/locallogin.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/locallogin.te -+++ fedora-policy-20221019/policy/modules/system/locallogin.te -@@ -274,7 +274,7 @@ ifdef(`enable_mls',` +diff -r -u fedora-policy-20220714/policy/modules/system/locallogin.te fedora-policy-20220714_changed/policy/modules/system/locallogin.te +--- fedora-policy-20220714/policy/modules/system/locallogin.te 2022-07-14 10:41:34.335984123 +0200 ++++ fedora-policy-20220714_changed/policy/modules/system/locallogin.te 2022-09-30 09:07:02.757321625 +0200 +@@ -274,7 +274,7 @@ ') # suse and debian do not use pam with sulogin... @@ -181,10 +169,9 @@ Index: fedora-policy-20221019/policy/modules/system/locallogin.te ifdef(`distro_debian', `define(`sulogin_no_pam')') allow sulogin_t self:capability sys_tty_config; -Index: fedora-policy-20221019/policy/modules/system/logging.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/logging.fc -+++ fedora-policy-20221019/policy/modules/system/logging.fc +diff -r -u fedora-policy-20220714/policy/modules/system/logging.fc fedora-policy-20220714_changed/policy/modules/system/logging.fc +--- fedora-policy-20220714/policy/modules/system/logging.fc 2022-07-14 10:41:34.335984123 +0200 ++++ fedora-policy-20220714_changed/policy/modules/system/logging.fc 2022-09-30 09:07:02.757321625 +0200 @@ -46,7 +46,7 @@ /var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,mls_systemhigh) /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) 
@@ -194,11 +181,10 @@ Index: fedora-policy-20221019/policy/modules/system/logging.fc /var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') -Index: fedora-policy-20221019/policy/modules/system/logging.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/logging.te -+++ fedora-policy-20221019/policy/modules/system/logging.te -@@ -682,7 +682,7 @@ ifdef(`distro_gentoo',` +diff -r -u fedora-policy-20220714/policy/modules/system/logging.te fedora-policy-20220714_changed/policy/modules/system/logging.te +--- fedora-policy-20220714/policy/modules/system/logging.te 2022-07-14 10:41:34.335984123 +0200 ++++ fedora-policy-20220714_changed/policy/modules/system/logging.te 2022-09-30 09:07:02.709320877 +0200 +@@ -674,7 +674,7 @@ term_dontaudit_setattr_unallocated_ttys(syslogd_t) ') diff --git a/dontaudit_interface_kmod_tmpfs.patch b/dontaudit_interface_kmod_tmpfs.patch deleted file mode 100644 index 031ead4..0000000 --- a/dontaudit_interface_kmod_tmpfs.patch +++ /dev/null 
@@ -1,41 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/services/xserver.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/services/xserver.te
-+++ fedora-policy-20221019/policy/modules/services/xserver.te
-@@ -764,6 +764,10 @@ userdom_mounton_tmp_sockets(xdm_t)
- userdom_nnp_transition_login_userdomain(xdm_t)
- userdom_watch_user_home_dirs(xdm_t)
-
-+# SUSE uses startproc to start the display manager. While checking for running processes
-+# it goes over all running instances, triggering AVCs
-+modutils_dontaudit_kmod_tmpfs_getattr(xdm_t)
-+
- #userdom_home_manager(xdm_t)
- tunable_policy(`xdm_write_home',`
- userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
-Index: fedora-policy-20221019/policy/modules/system/modutils.if
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/modutils.if
-+++ fedora-policy-20221019/policy/modules/system/modutils.if
-@@ -507,3 +507,21 @@ interface(`modules_filetrans_named_conte
- #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols")
- #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
- ')
-+
-+#######################################
-+##
-+## Don't audit accesses to tmp file type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`modutils_dontaudit_kmod_tmpfs_getattr',`
-+ gen_require(`
-+ type kmod_tmpfs_t;
-+ ')
-+
-+ dontaudit $1 kmod_tmpfs_t:file { getattr };
-+')
diff --git a/fedora-policy-20220714.tar.bz2 b/fedora-policy-20220714.tar.bz2
new file mode 100644
index 0000000..e44436d
--- /dev/null
+++ b/fedora-policy-20220714.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dc7e16b718c4b36fc790d0e55a41fb18226a17e8b5e079afe127e611d16276a9
+size 731294
diff --git a/fedora-policy-20221019.tar.bz2 b/fedora-policy-20221019.tar.bz2
deleted file mode 100644
index 6fb0487..0000000
--- a/fedora-policy-20221019.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e2cfe78d728e0b94dfbdc81413f6ede0a0f0e6064de4f6628fa7328d1f4d2ede
-size 733130
diff --git a/fix_alsa.patch b/fix_alsa.patch
deleted file mode 100644
index 0e6b04c..0000000
--- a/fix_alsa.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/alsa.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/alsa.te
-+++ fedora-policy-20221019/policy/modules/contrib/alsa.te
-@@ -104,6 +104,10 @@ userdom_manage_unpriv_user_semaphores(al
- userdom_manage_unpriv_user_shared_mem(alsa_t)
- userdom_search_user_home_dirs(alsa_t)
-
-+optional_policy(`
-+ gnome_read_home_config(alsa_t)
-+')
-+
- ifdef(`distro_debian',`
- term_dontaudit_use_unallocated_ttys(alsa_t)
-
diff --git a/fix_apache.patch b/fix_apache.patch
index 6b24b83..74a1c76 100644
--- a/fix_apache.patch
+++ b/fix_apache.patch
@@ -1,10 +1,10 @@
-Index: fedora-policy-20221019/policy/modules/contrib/apache.if
+Index: fedora-policy-20220428/policy/modules/contrib/apache.if
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/apache.if
-+++ fedora-policy-20221019/policy/modules/contrib/apache.if
-@@ -2007,3 +2007,25 @@ interface(`apache_read_semaphores',`
+--- fedora-policy-20220428.orig/policy/modules/contrib/apache.if
++++ fedora-policy-20220428/policy/modules/contrib/apache.if
+@@ -1989,3 +1989,25 @@ interface(`apache_ioctl_stream_sockets',
- allow $1 httpd_t:sem r_sem_perms;
+ allow $1 httpd_t:unix_stream_socket ioctl;
 ')
 +
 +#######################################
diff --git a/fix_chronyd.patch b/fix_chronyd.patch
index beabc0d..a4daca5 100644
--- a/fix_chronyd.patch
+++ b/fix_chronyd.patch
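Review bot: The restored fix_apache.patch header names `fedora-policy-20220428` in its `Index:`, `---` and `+++` lines, while the spec in this commit goes back to `Version: 20220714` and the neighbouring fix_chronyd.patch and fix_cron.patch hunks name fedora-policy-20220714. With `-p1` the first path component is stripped, so the patch still applies, but the stale name and the `@@ -1989,3 +1989,25 @@` offsets make the next refresh harder to reason about; regenerating the header against the 20220714 tree would keep the patch set self-consistent. This is inherited from the pre-20221019 state being reverted to, so keeping the revert minimal may be deliberate. The two deletions earlier on this line are history and not reviewed.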
@@ -1,8 +1,8 @@
-Index: fedora-policy-20221019/policy/modules/contrib/chronyd.te
+Index: fedora-policy-20220714/policy/modules/contrib/chronyd.te
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.te
-+++ fedora-policy-20221019/policy/modules/contrib/chronyd.te
-@@ -144,6 +144,14 @@ systemd_exec_systemctl(chronyd_t)
+--- fedora-policy-20220714.orig/policy/modules/contrib/chronyd.te
++++ fedora-policy-20220714/policy/modules/contrib/chronyd.te
+@@ -141,6 +141,14 @@ systemd_exec_systemctl(chronyd_t)
 userdom_dgram_send(chronyd_t)
 optional_policy(`
@@ -17,10 +17,10 @@ Index: fedora-policy-20221019/policy/modules/contrib/chronyd.te
 cron_dgram_send(chronyd_t)
 ')
-Index: fedora-policy-20221019/policy/modules/contrib/chronyd.fc
+Index: fedora-policy-20220714/policy/modules/contrib/chronyd.fc
 ===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.fc
-+++ fedora-policy-20221019/policy/modules/contrib/chronyd.fc
+--- fedora-policy-20220714.orig/policy/modules/contrib/chronyd.fc
++++ fedora-policy-20220714/policy/modules/contrib/chronyd.fc
 @@ -6,6 +6,8 @@
 /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
diff --git a/fix_cockpit.patch b/fix_cockpit.patch
new file mode 100644
index 0000000..99c363e
--- /dev/null
+++ b/fix_cockpit.patch
@@ -0,0 +1,47 @@ +From d63e6cf43bfe32d53b371b6920d4c09431647ddd Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel +Date: Wed, 28 Apr 2021 17:09:49 +0200 +Subject: [PATCH] cockpit: allow cockpit socket to bind nodes + +Looks like this setting is implicit with kerberos enabled. +cockpit.socket fails to start if kerberos_enabled=false +--- + policy/modules/contrib/cockpit.te | 2 ++ + 1 file changed, 2 insertions(+) + +Index: fedora-policy-20210716/policy/modules/contrib/cockpit.te +=================================================================== +--- fedora-policy-20210716.orig/policy/modules/contrib/cockpit.te ++++ fedora-policy-20210716/policy/modules/contrib/cockpit.te +@@ -51,7 +51,9 @@ can_exec(cockpit_ws_t,cockpit_session_ex + dev_read_urand(cockpit_ws_t) # for authkey + dev_read_rand(cockpit_ws_t) # for libssh + ++# cockpit-ws allows connections on websm port + corenet_tcp_bind_websm_port(cockpit_ws_t) ++corenet_tcp_bind_generic_node(cockpit_ws_t) + + # cockpit-ws can connect to other hosts via ssh + corenet_tcp_connect_ssh_port(cockpit_ws_t) +Index: fedora-policy-20210716/policy/modules/contrib/cockpit.fc +=================================================================== +--- fedora-policy-20210716.orig/policy/modules/contrib/cockpit.fc ++++ fedora-policy-20210716/policy/modules/contrib/cockpit.fc +@@ -3,12 +3,12 @@ + /usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) + /etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) + +-/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) +-/usr/libexec/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) +-/usr/libexec/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) ++/usr/lib(exec)?/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) ++/usr/lib(exec)?/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) 
++/usr/lib(exec)?/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) + +-/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) +-/usr/libexec/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) ++/usr/lib(exec)?/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) ++/usr/lib(exec)?/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) + + /usr/share/cockpit/motd/update-motd -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) + diff --git a/fix_cron.patch b/fix_cron.patch index 203162a..8b4135d 100644 --- a/fix_cron.patch +++ b/fix_cron.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20221019/policy/modules/contrib/cron.fc +Index: fedora-policy-20220714/policy/modules/contrib/cron.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc -+++ fedora-policy-20221019/policy/modules/contrib/cron.fc +--- fedora-policy-20220714.orig/policy/modules/contrib/cron.fc ++++ fedora-policy-20220714/policy/modules/contrib/cron.fc @@ -34,7 +34,7 @@ /var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0) 
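Review bot: The added `corenet_tcp_bind_generic_node(cockpit_ws_t)` is justified only by "Looks like this setting is implicit with kerberos enabled", so whoever refreshes this patch next cannot tell whether the rule is still needed or what denial it cures; record that next to the rule, e.g. `# cockpit.socket fails to start without this when kerberos_enabled=false`, since the comment line added above `corenet_tcp_bind_websm_port` only restates the port rule. The .fc half widens `/usr/libexec/` to `/usr/lib(exec)?/`, which labels the same binaries under both prefixes and is consistent across the five entries, but this patch is being re-enabled while `selinux-policy.spec` still carries the upstream cockpit PR comment above `Patch052`, so the patch header should state why the in-tree copy is needed again for this policy snapshot. If cockpit itself also ships a `cockpit` policy module, the `cockpit = module` entries added to the contrib module lists in this commit would make two packages provide the same module name; that presumably needs a conflict check in the spec.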
@@ -32,11 +32,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/cron.fc -/var/spool/cron/lastrun/[^/]* -- <> -/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -') -Index: fedora-policy-20221019/policy/modules/contrib/cron.if +Index: fedora-policy-20220714/policy/modules/contrib/cron.if =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/cron.if -+++ fedora-policy-20221019/policy/modules/contrib/cron.if -@@ -1075,7 +1075,7 @@ interface(`cron_generic_log_filetrans_lo +--- fedora-policy-20220714.orig/policy/modules/contrib/cron.if ++++ fedora-policy-20220714/policy/modules/contrib/cron.if +@@ -1057,7 +1057,7 @@ interface(`cron_generic_log_filetrans_lo # interface(`cron_system_spool_entrypoint',` gen_require(` diff --git a/fix_init.patch b/fix_init.patch index 29df1c9..baf4749 100644 --- a/fix_init.patch +++ b/fix_init.patch @@ -1,8 +1,17 @@ -Index: fedora-policy-20221019/policy/modules/system/init.te +Index: fedora-policy-20220714/policy/modules/system/init.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/init.te -+++ fedora-policy-20221019/policy/modules/system/init.te -@@ -269,6 +269,8 @@ corecmd_exec_bin(init_t) +--- fedora-policy-20220714.orig/policy/modules/system/init.te ++++ fedora-policy-20220714/policy/modules/system/init.te +@@ -187,6 +187,8 @@ allow init_t self:bpf { map_create map_r + # setuid (from /sbin/shutdown) + # sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot() + ++# bsc#1197610, find a better, generic solution ++allow init_t self:file mounton; + allow init_t self:fifo_file rw_fifo_file_perms; + + allow init_t self:service manage_service_perms; +@@ -267,6 +269,8 @@ corecmd_exec_bin(init_t) corenet_all_recvfrom_netlabel(init_t) corenet_tcp_bind_all_ports(init_t) corenet_udp_bind_all_ports(init_t) 
@@ -11,7 +20,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te dev_create_all_files(init_t) dev_create_all_chr_files(init_t) -@@ -398,6 +400,7 @@ logging_manage_audit_config(init_t) +@@ -396,6 +400,7 @@ logging_manage_audit_config(init_t) logging_create_syslog_netlink_audit_socket(init_t) logging_write_var_log_dirs(init_t) logging_manage_var_log_symlinks(init_t) @@ -19,7 +28,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te seutil_read_config(init_t) seutil_read_login_config(init_t) -@@ -450,9 +453,19 @@ ifdef(`distro_redhat',` +@@ -448,9 +453,19 @@ ifdef(`distro_redhat',` corecmd_shell_domtrans(init_t, initrc_t) storage_raw_rw_fixed_disk(init_t) @@ -39,7 +48,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te optional_policy(` anaconda_stream_connect(init_t) anaconda_create_unix_stream_sockets(init_t) -@@ -584,10 +597,10 @@ tunable_policy(`init_audit_control',` +@@ -581,10 +596,10 @@ tunable_policy(`init_audit_control',` allow init_t self:system all_system_perms; allow init_t self:system module_load; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -52,7 +61,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te allow init_t self:netlink_selinux_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; # Until systemd is fixed -@@ -647,6 +660,7 @@ files_delete_all_spool_sockets(init_t) +@@ -643,6 +658,7 @@ files_delete_all_spool_sockets(init_t) files_create_var_lib_dirs(init_t) files_create_var_lib_symlinks(init_t) files_read_var_lib_symlinks(init_t) @@ -60,7 +69,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te files_manage_urandom_seed(init_t) files_list_locks(init_t) files_list_spool(init_t) -@@ -684,7 +698,7 @@ fs_list_all(init_t) +@@ -680,7 +696,7 @@ fs_list_all(init_t) fs_list_auto_mountpoints(init_t) fs_register_binary_executable_type(init_t) fs_relabel_tmpfs_sock_file(init_t) 
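Review bot: The new `allow init_t self:file mounton;` rule is annotated only with a bug number and "find a better, generic solution", which leaves its scope undocumented the next time this patch is refreshed; the comment should name the systemd operation that needs to mount over an `init_t`-labelled file so the rule can be narrowed later, e.g. `# bsc#1197610: systemd needs mounton on a file labelled init_t (presumably its own /proc entries); narrow to a specific type once the exact target is known`. Because `self:file` for init_t is not tied to a path, a reviewer cannot tell from the hunk whether an existing interface or a dedicated file type would suffice, so the AVC that motivated it belongs in the comment. The surrounding `allow init_t self:...` block continues outside this hunk.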
@@ -69,7 +78,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te fs_relabel_cgroup_dirs(init_t) fs_search_cgroup_dirs(init_t) # for network namespaces -@@ -740,6 +754,7 @@ systemd_write_inherited_logind_sessions_ +@@ -736,6 +752,7 @@ systemd_write_inherited_logind_sessions_ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) create_dirs_pattern(init_t, var_log_t, var_log_t) @@ -77,7 +86,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te auth_use_nsswitch(init_t) auth_rw_login_records(init_t) -@@ -1596,6 +1611,8 @@ optional_policy(` +@@ -1590,6 +1607,8 @@ optional_policy(` optional_policy(` postfix_list_spool(initrc_t) diff --git a/fix_kernel_sysctl.patch b/fix_kernel_sysctl.patch index 4769ca5..bd4527a 100644 --- a/fix_kernel_sysctl.patch +++ b/fix_kernel_sysctl.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20221019/policy/modules/kernel/files.fc +Index: fedora-policy-20220624/policy/modules/kernel/files.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20221019/policy/modules/kernel/files.fc +--- fedora-policy-20220624.orig/policy/modules/kernel/files.fc ++++ fedora-policy-20220624/policy/modules/kernel/files.fc @@ -242,6 +242,8 @@ ifdef(`distro_redhat',` /usr/lib/ostree-boot(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr/lib/modules(/.*)/vmlinuz -- gen_context(system_u:object_r:usr_t,s0) 
@@ -11,11 +11,11 @@ Index: fedora-policy-20221019/policy/modules/kernel/files.fc /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -Index: fedora-policy-20221019/policy/modules/system/systemd.te +Index: fedora-policy-20220624/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/systemd.te -+++ fedora-policy-20221019/policy/modules/system/systemd.te -@@ -1105,6 +1105,8 @@ init_stream_connect(systemd_sysctl_t) +--- fedora-policy-20220624.orig/policy/modules/system/systemd.te ++++ fedora-policy-20220624/policy/modules/system/systemd.te +@@ -1052,6 +1052,8 @@ init_stream_connect(systemd_sysctl_t) logging_send_syslog_msg(systemd_sysctl_t) systemd_read_efivarfs(systemd_sysctl_t) diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch index 91a7087..3553e85 100644 --- a/fix_networkmanager.patch +++ b/fix_networkmanager.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te +Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.te -+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.te -@@ -275,6 +275,9 @@ userdom_read_home_certs(NetworkManager_t +--- fedora-policy-20220714.orig/policy/modules/contrib/networkmanager.te ++++ fedora-policy-20220714/policy/modules/contrib/networkmanager.te +@@ -276,6 +276,9 @@ userdom_read_home_certs(NetworkManager_t userdom_read_user_home_content_files(NetworkManager_t) userdom_dgram_send(NetworkManager_t) 
@@ -12,18 +12,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(NetworkManager_t) ') -@@ -284,6 +287,10 @@ tunable_policy(`use_samba_home_dirs',` - ') - - optional_policy(` -+ nis_systemctl_ypbind(NetworkManager_t) -+') -+ -+optional_policy(` - avahi_domtrans(NetworkManager_t) - avahi_kill(NetworkManager_t) - avahi_signal(NetworkManager_t) -@@ -292,6 +299,14 @@ optional_policy(` +@@ -293,6 +296,14 @@ optional_policy(` ') optional_policy(` @@ -38,7 +27,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te bind_domtrans(NetworkManager_t) bind_manage_cache(NetworkManager_t) bind_kill(NetworkManager_t) -@@ -419,6 +434,8 @@ optional_policy(` +@@ -420,6 +431,8 @@ optional_policy(` nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) nscd_systemctl(NetworkManager_t) @@ -47,7 +36,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te ') optional_policy(` -@@ -606,6 +623,7 @@ files_manage_etc_files(NetworkManager_di +@@ -602,6 +615,7 @@ files_manage_etc_files(NetworkManager_di init_status(NetworkManager_dispatcher_cloud_t) init_status(NetworkManager_dispatcher_ddclient_t) 
@@ -55,21 +44,10 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te init_append_stream_sockets(networkmanager_dispatcher_plugin) init_ioctl_stream_sockets(networkmanager_dispatcher_plugin) init_stream_connect(networkmanager_dispatcher_plugin) -@@ -621,6 +639,10 @@ optional_policy(` - ') - - optional_policy(` -+ nscd_shm_use(NetworkManager_dispatcher_chronyc_t) -+') -+ -+optional_policy(` - cloudform_init_domtrans(NetworkManager_dispatcher_cloud_t) - ') - -Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if +Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.if =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.if -+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.if +--- fedora-policy-20220714.orig/policy/modules/contrib/networkmanager.if ++++ fedora-policy-20220714/policy/modules/contrib/networkmanager.if @@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ') @@ -95,10 +73,10 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if ######################################## ## ## Execute NetworkManager server in the NetworkManager domain. -Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.fc +Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.fc -+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.fc +--- fedora-policy-20220714.orig/policy/modules/contrib/networkmanager.fc ++++ fedora-policy-20220714/policy/modules/contrib/networkmanager.fc 
@@ -24,6 +24,7 @@ /usr/lib/NetworkManager/dispatcher\.d/04-iscsi -- gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0) /usr/lib/NetworkManager/dispatcher\.d/10-sendmail -- gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0) diff --git a/fix_postfix.patch b/fix_postfix.patch index 9b7fb86..e068681 100644 --- a/fix_postfix.patch +++ b/fix_postfix.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc +Index: fedora-policy-20220624/policy/modules/contrib/postfix.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/postfix.fc -+++ fedora-policy-20221019/policy/modules/contrib/postfix.fc +--- fedora-policy-20220624.orig/policy/modules/contrib/postfix.fc ++++ fedora-policy-20220624/policy/modules/contrib/postfix.fc @@ -1,37 +1,21 @@ # postfix -/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) 
@@ -75,20 +75,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) -Index: fedora-policy-20221019/policy/modules/contrib/postfix.te +Index: fedora-policy-20220624/policy/modules/contrib/postfix.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/postfix.te -+++ fedora-policy-20221019/policy/modules/contrib/postfix.te -@@ -121,6 +121,8 @@ allow postfix_master_t self:udp_socket c - allow postfix_master_t postfix_etc_t:dir rw_dir_perms; - allow postfix_master_t postfix_etc_t:file rw_file_perms; - mta_filetrans_aliases(postfix_master_t, postfix_etc_t) -+# SUSE also runs this on /etc/alias -+mta_filetrans_aliases(postfix_master_t, etc_t) - - can_exec(postfix_master_t, postfix_exec_t) - -@@ -447,6 +449,14 @@ logging_send_syslog_msg(postfix_map_t) +--- fedora-policy-20220624.orig/policy/modules/contrib/postfix.te ++++ fedora-policy-20220624/policy/modules/contrib/postfix.te +@@ -447,6 +447,14 @@ logging_send_syslog_msg(postfix_map_t) userdom_use_inherited_user_ptys(postfix_map_t) @@ -103,7 +94,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/postfix.te optional_policy(` locallogin_dontaudit_use_fds(postfix_map_t) ') -@@ -687,6 +697,14 @@ corenet_tcp_connect_spamd_port(postfix_m +@@ -687,6 +695,14 @@ corenet_tcp_connect_spamd_port(postfix_m files_search_all_mountpoints(postfix_smtp_t) optional_policy(` diff --git a/fix_rpm.patch b/fix_rpm.patch index 67cf3c4..e5d9b7c 100644 --- a/fix_rpm.patch +++ b/fix_rpm.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc +Index: fedora-policy-20210628/policy/modules/contrib/rpm.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/rpm.fc -+++ fedora-policy-20221019/policy/modules/contrib/rpm.fc +--- fedora-policy-20210628.orig/policy/modules/contrib/rpm.fc ++++ fedora-policy-20210628/policy/modules/contrib/rpm.fc @@ -18,6 +18,10 @@ /usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -13,7 +13,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0) -@@ -56,6 +60,8 @@ ifdef(`distro_redhat', ` +@@ -55,6 +59,8 @@ ifdef(`distro_redhat', ` /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) 
@@ -22,11 +22,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -Index: fedora-policy-20221019/policy/modules/contrib/rpm.if +Index: fedora-policy-20210628/policy/modules/contrib/rpm.if =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/rpm.if -+++ fedora-policy-20221019/policy/modules/contrib/rpm.if -@@ -515,8 +515,10 @@ interface(`rpm_named_filetrans',` +--- fedora-policy-20210628.orig/policy/modules/contrib/rpm.if ++++ fedora-policy-20210628/policy/modules/contrib/rpm.if +@@ -479,8 +479,10 @@ interface(`rpm_named_filetrans',` logging_log_named_filetrans($1, rpm_log_t, file, "yum.log") logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log") logging_log_named_filetrans($1, rpm_log_t, file, "up2date") 
@@ -37,11 +37,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.if files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf") files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum") files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm") -Index: fedora-policy-20221019/policy/modules/kernel/files.fc +Index: fedora-policy-20210628/policy/modules/kernel/files.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20221019/policy/modules/kernel/files.fc -@@ -67,6 +67,7 @@ ifdef(`distro_redhat',` +--- fedora-policy-20210628.orig/policy/modules/kernel/files.fc ++++ fedora-policy-20210628/policy/modules/kernel/files.fc +@@ -67,6 +67,7 @@ ifdef(`distro_suse',` /etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) /etc/yum\.repos\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0) diff --git a/fix_snapper.patch b/fix_snapper.patch index 045bc12..e52343a 100644 --- a/fix_snapper.patch +++ b/fix_snapper.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20221019/policy/modules/contrib/snapper.te +Index: fedora-policy/policy/modules/contrib/snapper.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/snapper.te -+++ fedora-policy-20221019/policy/modules/contrib/snapper.te +--- fedora-policy.orig/policy/modules/contrib/snapper.te ++++ fedora-policy/policy/modules/contrib/snapper.te @@ -18,6 +18,9 @@ files_config_file(snapperd_conf_t) type snapperd_data_t; files_type(snapperd_data_t) 
@@ -23,25 +23,21 @@ Index: fedora-policy-20221019/policy/modules/contrib/snapper.te kernel_setsched(snapperd_t) domain_read_all_domains_state(snapperd_t) -@@ -73,6 +80,14 @@ storage_raw_read_fixed_disk(snapperd_t) +@@ -73,6 +80,10 @@ storage_raw_read_fixed_disk(snapperd_t) auth_use_nsswitch(snapperd_t) optional_policy(` + packagekit_dbus_chat(snapperd_t) +') + -+optional_policy(` -+ rpm_dbus_chat(snapperd_t) -+') -+ +optional_policy(` cron_system_entry(snapperd_t, snapperd_exec_t) ') -Index: fedora-policy-20221019/policy/modules/contrib/snapper.fc +Index: fedora-policy/policy/modules/contrib/snapper.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/snapper.fc -+++ fedora-policy-20221019/policy/modules/contrib/snapper.fc +--- fedora-policy.orig/policy/modules/contrib/snapper.fc ++++ fedora-policy/policy/modules/contrib/snapper.fc @@ -7,9 +7,17 @@ /var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0) diff --git a/fix_sysnetwork.patch b/fix_sysnetwork.patch index b7f0b13..844d87f 100644 --- a/fix_sysnetwork.patch +++ b/fix_sysnetwork.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20221019/policy/modules/system/sysnetwork.fc +Index: fedora-policy/policy/modules/system/sysnetwork.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/sysnetwork.fc -+++ fedora-policy-20221019/policy/modules/system/sysnetwork.fc -@@ -103,6 +103,8 @@ ifdef(`distro_debian',` +--- fedora-policy.orig/policy/modules/system/sysnetwork.fc ++++ fedora-policy/policy/modules/system/sysnetwork.fc +@@ -102,6 +102,8 @@ ifdef(`distro_debian',` /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ') diff --git a/fix_systemd.patch b/fix_systemd.patch index 1576754..867f7e0 100644 --- a/fix_systemd.patch +++ b/fix_systemd.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20221019/policy/modules/system/systemd.te +Index: fedora-policy-20220624/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/systemd.te -+++ fedora-policy-20221019/policy/modules/system/systemd.te -@@ -381,6 +381,10 @@ userdom_manage_user_tmp_chr_files(system +--- fedora-policy-20220624.orig/policy/modules/system/systemd.te ++++ fedora-policy-20220624/policy/modules/system/systemd.te +@@ -355,6 +355,10 @@ userdom_manage_user_tmp_chr_files(system xserver_dbus_chat(systemd_logind_t) optional_policy(` @@ -13,8 +13,8 @@ Index: fedora-policy-20221019/policy/modules/system/systemd.te apache_read_tmp_files(systemd_logind_t) ') -@@ -863,6 +867,10 @@ optional_policy(` - dbus_system_bus_client(systemd_localed_t) +@@ -882,6 +886,10 @@ optional_policy(` + udev_read_pid_files(systemd_hostnamed_t) ') +optional_policy(` @@ -23,8 +23,8 @@ Index: fedora-policy-20221019/policy/modules/system/systemd.te + ####################################### # - # Hostnamed policy -@@ -1158,7 +1166,7 @@ systemd_read_efivarfs(systemd_hwdb_t) + # rfkill policy +@@ -1105,7 +1113,7 @@ systemd_read_efivarfs(systemd_hwdb_t) # systemd_gpt_generator domain # @@ -33,7 +33,7 @@ Index: fedora-policy-20221019/policy/modules/system/systemd.te allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms; dev_read_sysfs(systemd_gpt_generator_t) -@@ -1185,6 +1193,8 @@ systemd_unit_file_filetrans(systemd_gpt_ +@@ -1127,6 +1135,8 @@ systemd_unit_file_filetrans(systemd_gpt_ systemd_create_unit_file_dirs(systemd_gpt_generator_t) systemd_create_unit_file_lnk(systemd_gpt_generator_t) diff --git a/fix_systemd_watch.patch b/fix_systemd_watch.patch index 530f381..9c5f4ad 100644 --- a/fix_systemd_watch.patch +++ b/fix_systemd_watch.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20221019/policy/modules/system/systemd.te +Index: fedora-policy-20220714/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/systemd.te -+++ fedora-policy-20221019/policy/modules/system/systemd.te -@@ -1508,6 +1508,12 @@ fstools_rw_swap_files(systemd_sleep_t) +--- fedora-policy-20220714.orig/policy/modules/system/systemd.te ++++ fedora-policy-20220714/policy/modules/system/systemd.te +@@ -1447,6 +1447,12 @@ fstools_rw_swap_files(systemd_sleep_t) storage_getattr_fixed_disk_dev(systemd_sleep_t) storage_getattr_removable_dev(systemd_sleep_t) diff --git a/fix_unconfined.patch b/fix_unconfined.patch index 815055b..a9b5b32 100644 --- a/fix_unconfined.patch +++ b/fix_unconfined.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20221019/policy/modules/system/unconfined.te +Index: fedora-policy-20211111/policy/modules/system/unconfined.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/unconfined.te -+++ fedora-policy-20221019/policy/modules/system/unconfined.te +--- fedora-policy-20211111.orig/policy/modules/system/unconfined.te ++++ fedora-policy-20211111/policy/modules/system/unconfined.te @@ -1,5 +1,10 @@ policy_module(unconfined, 3.5.0) @@ -13,7 +13,7 @@ Index: fedora-policy-20221019/policy/modules/system/unconfined.te ######################################## # # Declarations -@@ -45,3 +50,6 @@ optional_policy(` +@@ -39,3 +44,6 @@ optional_policy(` optional_policy(` container_runtime_domtrans(unconfined_service_t) ') diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch index 017c8f7..82632fe 100644 --- a/fix_unconfineduser.patch +++ b/fix_unconfineduser.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te +Index: fedora-policy-20220509/policy/modules/roles/unconfineduser.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/roles/unconfineduser.te -+++ fedora-policy-20221019/policy/modules/roles/unconfineduser.te +--- fedora-policy-20220509.orig/policy/modules/roles/unconfineduser.te ++++ fedora-policy-20220509/policy/modules/roles/unconfineduser.te @@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all' domain_dyntrans(unconfined_t) ') @@ -14,7 +14,7 @@ Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te optional_policy(` gen_require(` type unconfined_t; -@@ -214,6 +219,10 @@ optional_policy(` +@@ -210,6 +215,10 @@ optional_policy(` ') optional_policy(` @@ -25,7 +25,7 @@ Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te chrome_role_notrans(unconfined_r, unconfined_t) tunable_policy(`unconfined_chrome_sandbox_transition',` -@@ -248,6 +257,18 @@ optional_policy(` +@@ -244,6 +253,18 @@ optional_policy(` dbus_stub(unconfined_t) optional_policy(` diff --git a/fix_unprivuser.patch b/fix_unprivuser.patch index 70fe21e..646fcde 100644 --- a/fix_unprivuser.patch +++ b/fix_unprivuser.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20221019/policy/modules/roles/unprivuser.te +Index: fedora-policy-20220624/policy/modules/roles/unprivuser.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/roles/unprivuser.te -+++ fedora-policy-20221019/policy/modules/roles/unprivuser.te -@@ -300,6 +300,13 @@ ifndef(`distro_redhat',` +--- fedora-policy-20220624.orig/policy/modules/roles/unprivuser.te ++++ fedora-policy-20220624/policy/modules/roles/unprivuser.te +@@ -296,6 +296,13 @@ ifndef(`distro_redhat',` ') optional_policy(` diff --git a/fix_xserver.patch b/fix_xserver.patch index a8fd6e8..f969707 100644 --- a/fix_xserver.patch 
+++ b/fix_xserver.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20221019/policy/modules/services/xserver.fc +Index: fedora-policy-20220714/policy/modules/services/xserver.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/services/xserver.fc -+++ fedora-policy-20221019/policy/modules/services/xserver.fc +--- fedora-policy-20220714.orig/policy/modules/services/xserver.fc ++++ fedora-policy-20220714/policy/modules/services/xserver.fc @@ -71,6 +71,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) @@ -51,13 +51,13 @@ Index: fedora-policy-20221019/policy/modules/services/xserver.fc /var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) -Index: fedora-policy-20221019/policy/modules/services/xserver.te +Index: fedora-policy-20220714/policy/modules/services/xserver.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/services/xserver.te -+++ fedora-policy-20221019/policy/modules/services/xserver.te -@@ -475,6 +475,10 @@ userdom_dontaudit_read_admin_home_lnk_fi - - kernel_read_vm_sysctls(xdm_t) +--- fedora-policy-20220714.orig/policy/modules/services/xserver.te ++++ fedora-policy-20220714/policy/modules/services/xserver.te +@@ -473,6 +473,10 @@ userdom_delete_user_home_content_files(x + userdom_signull_unpriv_users(xdm_t) + userdom_dontaudit_read_admin_home_lnk_files(xdm_t) +files_manage_generic_pids_symlinks(xdm_t) +userdom_manage_user_home_content_dirs(xdm_t) diff --git a/modules-minimum-contrib.conf b/modules-minimum-contrib.conf index cde391b..1be2194 100644 --- a/modules-minimum-contrib.conf +++ b/modules-minimum-contrib.conf 
@@ -342,6 +342,13 @@ cmirrord = module
 #
 cobbler = module
 
+# Layer: contrib
+# Module: cockpit
+#
+# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines.
+#
+cockpit = module
+
 # Layer: services
 # Module: collectd
 #
@@ -2360,6 +2367,13 @@ minissdpd = module
 #
 freeipmi = module
 
+# Layer: contrib
+# Module: freeipmi
+#
+# ipa policy module contain SELinux policies for IPA services
+#
+ipa = module
+
 # Layer: contrib
 # Module: mirrormanager
 #
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 54a2b38..9182671 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -342,6 +342,13 @@ cmirrord = module
 #
 cobbler = module
 
+# Layer: contrib
+# Module: cockpit
+#
+# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines.
+#
+cockpit = module
+
 # Layer: services
 # Module: collectd
 #
@@ -2374,6 +2381,13 @@ minissdpd = module
 #
 freeipmi = module
 
+# Layer: contrib
+# Module: freeipmi
+#
+# ipa policy module contain SELinux policies for IPA services
+#
+ipa = module
+
 # Layer: contrib
 # Module: mirrormanager
 #
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 66c1d72..adcc217 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
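Review bot: The new `ipa = module` stanza is headed `# Module: freeipmi` in both modules-minimum-contrib.conf and modules-targeted-contrib.conf, a leftover from copying the preceding freeipmi stanza; the header should read `# Module: ipa` and the description `# ipa policy module contains SELinux policies for IPA services`. The changelog entry removed elsewhere in this commit ("Remove the ipa module, freeip ships their own module") indicates that FreeIPA ships its own policy module, so re-enabling a module of the same name in the base policy risks two packages providing `ipa` and should be justified, or guarded by a conflict, in the spec. The same applies to the re-added `cockpit = module` stanza, which the spec's own comment above `Patch052` says is now packaged with cockpit.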
@@ -1,31 +1,3 @@
--------------------------------------------------------------------
-Wed Oct 19 11:45:57 UTC 2022 - Johannes Segitz
-
-- Update to version 20221019. Refreshed:
- * distro_suse_to_distro_redhat.patch
- * fix_apache.patch
- * fix_chronyd.patch
- * fix_cron.patch
- * fix_init.patch
- * fix_kernel_sysctl.patch
- * fix_networkmanager.patch
- * fix_rpm.patch
- * fix_sysnetwork.patch
- * fix_systemd.patch
- * fix_systemd_watch.patch
- * fix_unconfined.patch
- * fix_unconfineduser.patch
- * fix_unprivuser.patch
- * fix_xserver.patch
-- Dropped fix_cockpit.patch as this is now packaged with cockpit itself
-- Remove the ipa module, freeip ships their own module
-- Added fix_alsa.patch to allow reading of config files in home directories
-- Extended fix_networkmanager.patch and fix_postfix.patch to account
- for SUSE systems
-- Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc
- queries the running processes
-- Updated fix_snapper.patch to allow snapper to talk to rpm via dbus
-
 -------------------------------------------------------------------
 Fri Sep 30 07:14:49 UTC 2022 - Johannes Segitz
 
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5da319d..eb4bf37 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -33,7 +33,7 @@ Summary: SELinux policy configuration
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20221019
+Version: 20220714
 Release: 0
 Source: fedora-policy-%{version}.tar.bz2
 Source1: selinux-policy-rpmlintrc
@@ -132,7 +132,7 @@ Patch049: fix_nis.patch
 Patch050: fix_libraries.patch
 Patch051: fix_dovecot.patch
 # https://github.com/cockpit-project/cockpit/pull/15758
-#Patch052: fix_cockpit.patch
+Patch052: fix_cockpit.patch
 Patch053: fix_systemd_watch.patch
 # kernel specific sysctl.conf (boo#1184804)
 Patch054: fix_kernel_sysctl.patch
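Review bot: `Patch052: fix_cockpit.patch` is re-enabled directly beneath `# https://github.com/cockpit-project/cockpit/pull/15758`, the comment that (per the changelog entry this commit removes) explained why the patch was dropped, so the comment now contradicts the line below it. Either extend it, e.g. `# https://github.com/cockpit-project/cockpit/pull/15758 - upstream copy not usable with fedora-policy-20220714, in-tree patch still needed`, or remove it. Together with `Version` moving from 20221019 to 20220714, the deleted 20221019 tarball and the dropped changelog block, this appears to be a downgrade of the policy snapshot; the .changes file should carry an entry that says so and names the patches that were dropped (fix_alsa.patch, dontaudit_interface_kmod_tmpfs.patch) instead of silently losing the 20221019 entry.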
@@ -144,8 +144,6 @@ Patch059: systemd_domain_dyntrans_type.patch Patch060: fix_dnsmasq.patch Patch061: fix_userdomain.patch Patch062: fix_cloudform.patch -Patch063: fix_alsa.patch -Patch064: dontaudit_interface_kmod_tmpfs.patch Patch100: sedoctool.patch