Accepting request 734854 from home:jsegitz:branches:security:SELinux

- Moved back to fedora policy (20190802)
- Removed spec file conditionals for old SELinux userland
- Removed config.tgz
- Removed patches:
  * label_sysconfig.selinux.patch
  * label_var_run_rsyslog.patch
  * suse_additions_obs.patch
  * suse_additions_sslh.patch
  * suse_modifications_apache.patch
  * suse_modifications_cron.patch
  * suse_modifications_getty.patch
  * suse_modifications_logging.patch
  * suse_modifications_ntp.patch
  * suse_modifications_usermanage.patch
  * suse_modifications_virt.patch
  * suse_modifications_xserver.patch
  * sysconfig_network_scripts.patch
  * segenxml_interpreter.patch
- Added patches:
  * fix_djbdns.patch
  * fix_dbus.patch
  * fix_gift.patch
  * fix_java.patch
  * fix_hadoop.patch
  * fix_thunderbird.patch
  * postfix_paths.patch
  * fix_nscd.patch
  * fix_sysnetwork.patch
  * fix_logging.patch
  * fix_xserver.patch

OBS-URL: https://build.opensuse.org/request/show/734854
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=73
Johannes Segitz 2019-10-04 02:15:03 +00:00 committed by Git OBS Bridge
parent deab87434d
commit cbd186764a
54 changed files with 8543 additions and 11648 deletions




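--- a/booleans.subs_dist
+++ b/booleans.subs_dist
@@ -0,0 +1,54 @@
+allow_auditadm_exec_content auditadm_exec_content
+allow_console_login login_console_enabled
+allow_cvs_read_shadow cvs_read_shadow
+allow_daemons_dump_core daemons_dump_core
+allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
+allow_daemons_use_tty daemons_use_tty
+allow_domain_fd_use domain_fd_use
+allow_execheap selinuxuser_execheap
+allow_execmod selinuxuser_execmod
+allow_execstack selinuxuser_execstack
+allow_ftpd_anon_write ftpd_anon_write
+allow_ftpd_full_access ftpd_full_access
+allow_ftpd_use_cifs ftpd_use_cifs
+allow_ftpd_use_nfs ftpd_use_nfs
+allow_gssd_read_tmp gssd_read_tmp
+allow_guest_exec_content guest_exec_content
+allow_httpd_anon_write httpd_anon_write
+allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
+allow_httpd_mod_auth_pam httpd_mod_auth_pam
+allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
+allow_kerberos kerberos_enabled
+allow_mplayer_execstack mplayer_execstack
+allow_mount_anyfile mount_anyfile
+allow_nfsd_anon_write nfsd_anon_write
+allow_polyinstantiation polyinstantiation_enabled
+allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
+allow_rsync_anon_write rsync_anon_write
+allow_saslauthd_read_shadow saslauthd_read_shadow
+allow_secadm_exec_content secadm_exec_content
+allow_smbd_anon_write smbd_anon_write
+allow_ssh_keysign ssh_keysign
+allow_staff_exec_content staff_exec_content
+allow_sysadm_exec_content sysadm_exec_content
+allow_user_exec_content user_exec_content
+allow_user_mysql_connect selinuxuser_mysql_connect_enabled
+allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
+allow_write_xshm xserver_clients_write_xshm
+allow_xguest_exec_content xguest_exec_content
+allow_xserver_execmem xserver_execmem
+allow_ypbind nis_enabled
+allow_zebra_write_config zebra_write_config
+user_direct_dri selinuxuser_direct_dri_enabled
+user_ping selinuxuser_ping
+user_share_music selinuxuser_share_music
+user_tcp_server selinuxuser_tcp_server
+sepgsql_enable_pitr_implementation postgresql_can_rsync
+sepgsql_enable_users_ddl postgresql_selinux_users_ddl
+sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
+sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
+clamd_use_jit antivirus_use_jit
+amavis_use_jit antivirus_use_jit
+logwatch_can_sendmail logwatch_can_network_connect_mail
+puppet_manage_all_files puppetagent_manage_all_files
+virt_sandbox_use_nfs virt_use_nfs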


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:652101e6cd75232a223d53d498a9190f0c21d513c9587d34956805fd56545ee2
size 3189


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3ff2142bd458599826f79aa85344da39a6ef833e5c644d0da46dfc686baf9bd3
size 730294

35
fix_dbus.patch Normal file

@ -0,0 +1,35 @@
Index: fedora-policy/policy/modules/contrib/evolution.te
===================================================================
--- fedora-policy.orig/policy/modules/contrib/evolution.te 2019-08-05 09:39:48.641670181 +0200
+++ fedora-policy/policy/modules/contrib/evolution.te 2019-08-05 09:57:29.695474175 +0200
@@ -228,7 +228,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(evolution_t)
- dbus_all_session_bus_client(evolution_t)
')
optional_policy(`
@@ -309,10 +308,6 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
- dbus_all_session_bus_client(evolution_alarm_t)
-')
-
-optional_policy(`
gnome_stream_connect_gconf(evolution_alarm_t)
')
Index: fedora-policy/policy/modules/contrib/thunderbird.te
===================================================================
--- fedora-policy.orig/policy/modules/contrib/thunderbird.te 2019-08-05 09:39:48.681670851 +0200
+++ fedora-policy/policy/modules/contrib/thunderbird.te 2019-08-05 09:57:38.503622198 +0200
@@ -121,7 +121,6 @@ ifndef(`enable_mls',`
optional_policy(`
dbus_system_bus_client(thunderbird_t)
- dbus_all_session_bus_client(thunderbird_t)
optional_policy(`
cups_dbus_chat(thunderbird_t)
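Review bot: None of the new fix_*.patch files (this one, fix_djbdns.patch, fix_gift.patch, fix_hadoop.patch, fix_java.patch, fix_thunderbird.patch) carries a description line above its first `Index:` header saying why the rules are dropped, so a later rebase onto a newer fedora-policy cannot tell a build fix from an intentional tightening. If, as the pattern suggests, the `dbus_all_session_bus_client()` callers go because this policy snapshot does not provide that interface, record it, e.g. `# Why: dbus_all_session_bus_client() <reason, e.g. not provided by this fedora-policy snapshot>` as the first line of the patch. Note that the second evolution hunk also takes session-bus client access away from evolution_alarm_t, which is a behaviour change rather than a build fix if the interface was merely renamed. The `optional_policy(` blocks at the end of the first and last hunks close outside the shown lines.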

33
fix_djbdns.patch Normal file

@ -0,0 +1,33 @@
Index: fedora-policy/policy/modules/contrib/djbdns.te
===================================================================
--- fedora-policy.orig/policy/modules/contrib/djbdns.te 2019-08-05 09:39:48.641670181 +0200
+++ fedora-policy/policy/modules/contrib/djbdns.te 2019-08-05 09:53:08.383084236 +0200
@@ -24,28 +24,6 @@ allow djbdns_domain self:fifo_file rw_fi
allow djbdns_domain self:tcp_socket create_stream_socket_perms;
allow djbdns_domain self:udp_socket create_socket_perms;
-corenet_all_recvfrom_unlabeled(djbdns_domain)
-corenet_all_recvfrom_netlabel(djbdns_domain)
-corenet_tcp_sendrecv_generic_if(djbdns_domain)
-corenet_udp_sendrecv_generic_if(djbdns_domain)
-corenet_tcp_sendrecv_generic_node(djbdns_domain)
-corenet_udp_sendrecv_generic_node(djbdns_domain)
-corenet_tcp_sendrecv_all_ports(djbdns_domain)
-corenet_udp_sendrecv_all_ports(djbdns_domain)
-corenet_tcp_bind_generic_node(djbdns_domain)
-corenet_udp_bind_generic_node(djbdns_domain)
-
-corenet_sendrecv_dns_server_packets(djbdns_domain)
-corenet_tcp_bind_dns_port(djbdns_domain)
-corenet_udp_bind_dns_port(djbdns_domain)
-
-corenet_sendrecv_dns_client_packets(djbdns_domain)
-corenet_tcp_connect_dns_port(djbdns_domain)
-
-corenet_sendrecv_generic_server_packets(djbdns_domain)
-corenet_tcp_bind_generic_port(djbdns_domain)
-corenet_udp_bind_generic_port(djbdns_domain)
-
files_search_var(djbdns_domain)
daemontools_ipc_domain(djbdns_axfrdns_t)
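Review bot: The hunk removes every corenet_* rule from djbdns_domain, including `corenet_tcp_bind_dns_port(djbdns_domain)`, `corenet_udp_bind_dns_port(djbdns_domain)` and the generic node bind rules, so in enforcing mode the djbdns daemons would be denied binding port 53 and exchanging DNS packets unless some rule outside this hunk grants it. If the motivation is that only some of these interfaces are absent from this fedora-policy snapshot (deleting the whole block looks like a build error being cleared rather than a hardening decision), limit the deletion to those and keep the DNS port rules, or substitute the interfaces this policy does provide. fix_java.patch has the same shape: besides the network rules it drops `kernel_read_system_state(java_domain)` and `logging_send_syslog_msg(java_domain)`, which would also deny Java its syslog access. The rule list continues past the shown context lines.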

9
fix_gift.patch Normal file

@ -0,0 +1,9 @@
Index: fedora-policy/policy/modules/contrib/gift.te
===================================================================
--- fedora-policy.orig/policy/modules/contrib/gift.te 2019-08-05 09:39:48.645670248 +0200
+++ fedora-policy/policy/modules/contrib/gift.te 2019-08-05 10:05:44.787808191 +0200
@@ -113,4 +113,3 @@ files_read_etc_runtime_files(giftd_t)
sysnet_dns_name_resolve(giftd_t)
userdom_use_inherited_user_terminals(giftd_t)
-userdom_home_manager(gitd_t)
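Review bot: The removed `userdom_home_manager(gitd_t)` names `gitd_t`, which looks like a typo for `giftd_t`; deleting it rather than correcting it leaves giftd_t without home-directory management access, which is the tighter outcome but should be recorded as intended. A header line above `Index:` such as `# gitd_t is undefined (typo for giftd_t); dropped rather than corrected because <reason>` would make that decision reviewable.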

30
fix_hadoop.patch Normal file

@ -0,0 +1,30 @@
Index: fedora-policy/policy/modules/roles/sysadm.te
===================================================================
--- fedora-policy.orig/policy/modules/roles/sysadm.te 2019-08-05 09:39:39.113510611 +0200
+++ fedora-policy/policy/modules/roles/sysadm.te 2019-08-05 14:11:28.416872543 +0200
@@ -282,10 +282,6 @@ optional_policy(`
')
optional_policy(`
- hadoop_role(sysadm_r, sysadm_t)
-')
-
-optional_policy(`
iotop_run(sysadm_t, sysadm_r)
')
Index: fedora-policy/policy/modules/roles/unprivuser.te
===================================================================
--- fedora-policy.orig/policy/modules/roles/unprivuser.te 2019-08-05 09:39:39.113510611 +0200
+++ fedora-policy/policy/modules/roles/unprivuser.te 2019-08-05 14:11:22.908782828 +0200
@@ -192,10 +192,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- hadoop_role(user_r, user_t)
- ')
-
- optional_policy(`
irc_role(user_r, user_t)
')

41
fix_java.patch Normal file

@ -0,0 +1,41 @@
Index: fedora-policy/policy/modules/contrib/java.te
===================================================================
--- fedora-policy.orig/policy/modules/contrib/java.te 2019-08-05 13:50:32.925673660 +0200
+++ fedora-policy/policy/modules/contrib/java.te 2019-08-05 14:06:51.896425229 +0200
@@ -21,6 +21,7 @@ roleattribute system_r java_roles;
attribute_role unconfined_java_roles;
type java_t, java_domain;
+typealias java_t alias java_domain_t;
type java_exec_t;
userdom_user_application_domain(java_t, java_exec_t)
typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
@@ -71,19 +72,9 @@ can_exec(java_domain, { java_exec_t java
kernel_read_all_sysctls(java_domain)
kernel_search_vm_sysctl(java_domain)
kernel_read_network_state(java_domain)
-kernel_read_system_state(java_domain)
corecmd_search_bin(java_domain)
-corenet_all_recvfrom_unlabeled(java_domain)
-corenet_all_recvfrom_netlabel(java_domain)
-corenet_tcp_sendrecv_generic_if(java_domain)
-corenet_tcp_sendrecv_generic_node(java_domain)
-
-corenet_sendrecv_all_client_packets(java_domain)
-corenet_tcp_connect_all_ports(java_domain)
-corenet_tcp_sendrecv_all_ports(java_domain)
-
dev_read_sound(java_domain)
dev_write_sound(java_domain)
dev_read_urand(java_domain)
@@ -95,8 +86,6 @@ files_read_etc_runtime_files(java_domain
fs_getattr_all_fs(java_domain)
fs_dontaudit_rw_tmpfs_files(java_domain)
-logging_send_syslog_msg(java_domain)
-
miscfiles_read_localization(java_domain)
miscfiles_read_fonts(java_domain)

12
fix_logging.patch Normal file

@ -0,0 +1,12 @@
Index: fedora-policy/policy/modules/system/logging.fc
===================================================================
--- fedora-policy.orig/policy/modules/system/logging.fc 2019-08-22 11:28:09.250979768 +0200
+++ fedora-policy/policy/modules/system/logging.fc 2019-08-22 11:45:28.360015899 +0200
@@ -3,6 +3,7 @@
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
+/var//run/rsyslog/additional-log-sockets.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
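Review bot: The added pattern `/var//run/rsyslog/additional-log-sockets.conf` contains a doubled slash, so it can only match a path that literally has two slashes after /var and will never label the real file. It also leaves the `.` in the file name unescaped, unlike the neighbouring entries. Replace the line with `/var/run/rsyslog/additional-log-sockets\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)`.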

12
fix_miscfiles.patch Normal file

@ -0,0 +1,12 @@
Index: fedora-policy/policy/modules/system/miscfiles.fc
===================================================================
--- fedora-policy.orig/policy/modules/system/miscfiles.fc 2019-08-05 09:39:39.117510678 +0200
+++ fedora-policy/policy/modules/system/miscfiles.fc 2019-08-22 12:44:01.678484113 +0200
@@ -46,6 +46,7 @@ ifdef(`distro_redhat',`
/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
+/var/lib/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
/usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)

16
fix_nscd.patch Normal file

@ -0,0 +1,16 @@
Index: fedora-policy/policy/modules/contrib/nscd.fc
===================================================================
--- fedora-policy.orig/policy/modules/contrib/nscd.fc 2019-08-05 09:39:48.661670516 +0200
+++ fedora-policy/policy/modules/contrib/nscd.fc 2019-08-15 14:13:18.681607730 +0200
@@ -8,8 +8,10 @@
/var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
/var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0)
-/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/run/nscd/socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
+/var/lib/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
+
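Review bot: The new `/var/run/nscd/socket -s` entry duplicates what `/var/run/nscd(/.*)?` two lines below already matches with the same type, so it can be dropped; the `-s` restriction adds nothing when both lines map to nscd_var_run_t. The trailing `+` adds an empty last line to nscd.fc. `/var/lib/nscd(/.*)?` receives the runtime type nscd_var_run_t although its contents persist across reboots; if this policy defines a persistent (var_lib) type for nscd that would fit better, and otherwise a short comment saying why the runtime type is reused would help the next reader.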

13
fix_sysnetwork.patch Normal file

@ -0,0 +1,13 @@
Index: fedora-policy/policy/modules/system/sysnetwork.fc
===================================================================
--- fedora-policy.orig/policy/modules/system/sysnetwork.fc 2019-08-05 09:39:39.121510745 +0200
+++ fedora-policy/policy/modules/system/sysnetwork.fc 2019-08-21 13:47:17.253328905 +0200
@@ -102,6 +102,8 @@ ifdef(`distro_debian',`
/var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')
+/var/run/netconfig(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+
/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)

12
fix_thunderbird.patch Normal file

@ -0,0 +1,12 @@
Index: fedora-policy/policy/modules/contrib/thunderbird.te
===================================================================
--- fedora-policy.orig/policy/modules/contrib/thunderbird.te 2019-08-21 13:42:54.325021721 +0200
+++ fedora-policy/policy/modules/contrib/thunderbird.te 2019-08-21 13:42:58.249085986 +0200
@@ -138,7 +138,6 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(thunderbird_t)
gnome_domtrans_gconfd(thunderbird_t)
- gnome_manage_generic_home_content(thunderbird_t)
')
optional_policy(`

12
fix_xserver.patch Normal file

@ -0,0 +1,12 @@
Index: fedora-policy/policy/modules/services/xserver.fc
===================================================================
--- fedora-policy.orig/policy/modules/services/xserver.fc 2019-08-05 09:39:39.113510611 +0200
+++ fedora-policy/policy/modules/services/xserver.fc 2019-08-22 11:44:16.178832073 +0200
@@ -133,6 +133,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
/usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0)
/usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/usr/lib/X11/display-manager -- gen_context(system_u:object_r:xdm_exec_t,s0)
ifndef(`distro_debian',`
/usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
')


@ -1,12 +0,0 @@
Index: refpolicy/policy/modules/system/selinuxutil.fc
===================================================================
--- refpolicy.orig/policy/modules/system/selinuxutil.fc 2018-11-27 11:44:18.621994420 +0100
+++ refpolicy/policy/modules/system/selinuxutil.fc 2018-11-27 11:45:11.406831098 +0100
@@ -13,6 +13,7 @@
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/sysconfig/selinux-policy -- gen_context(system_u:object_r:selinux_config_t,s0)
#
# /root


@ -1,12 +0,0 @@
Index: refpolicy/policy/modules/system/logging.fc
===================================================================
--- refpolicy.orig/policy/modules/system/logging.fc 2019-06-09 20:05:20.000000000 +0200
+++ refpolicy/policy/modules/system/logging.fc 2019-07-11 14:31:20.605624453 +0200
@@ -62,6 +62,7 @@ ifdef(`distro_suse', `
/var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/log/syslog(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)

0
minimum_temp_fixes.fc Normal file

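--- a/minimum_temp_fixes.if
+++ b/minimum_temp_fixes.if
@@ -0,0 +1 @@
+## <summary></summary>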
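Review bot: The interface file's `## <summary></summary>` is empty, and the summary is the text the policy documentation tooling extracts for the module, so it should say what the module is for. Something like `## <summary>Temporary allow rules for the minimum policy; see minimum_temp_fixes.te.</summary>` is enough.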

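--- a/minimum_temp_fixes.te
+++ b/minimum_temp_fixes.te
@@ -0,0 +1,95 @@
+policy_module(minimum_temp_fixes, 1.0)
+require {
+type sshd_t;
+type lib_t;
+type init_t;
+type unconfined_t;
+type systemd_localed_t;
+type systemd_logind_t;
+type unconfined_service_t;
+type chkpwd_t;
+type bin_t;
+type fsadm_t;
+type getty_t;
+type systemd_tmpfiles_t;
+type systemd_systemctl_exec_t;
+type unconfined_dbusd_t;
+type rtkit_daemon_t;
+type system_dbusd_t;
+class dir mounton;
+class dbus { acquire_svc send_msg };
+class nscd { getgrp shmemgrp shmemhost shmempwd getpwd gethost getserv shmemserv };
+class process { execmem transition };
+class file { entrypoint execmod };
+}
+#============= chkpwd_t ==============
+allow chkpwd_t unconfined_service_t:nscd { shmempwd getpwd };
+files_map_var_lib_files(chkpwd_t)
+files_read_var_lib_files(chkpwd_t)
+files_write_generic_pid_sockets(chkpwd_t)
+#============= fsadm_t ==============
+allow fsadm_t unconfined_service_t:nscd { shmemgrp shmempwd };
+#============= getty_t ==============
+allow getty_t unconfined_service_t:nscd shmemgrp;
+files_map_var_lib_files(getty_t)
+files_read_var_lib_files(getty_t)
+files_write_generic_pid_sockets(getty_t)
+#============= init_t ==============
+allow init_t bin_t:dir mounton;
+allow init_t lib_t:dir mounton;
+allow init_t self:process execmem;
+allow init_t unconfined_service_t:dbus { acquire_svc send_msg };
+allow init_t unconfined_service_t:nscd { gethost getserv shmemhost shmemserv shmemgrp shmempwd getpwd };
+files_manage_generic_spool(init_t)
+corenet_udp_bind_generic_node(init_t)
+files_map_var_lib_files(init_t)
+files_read_var_files(init_t)
+files_manage_var_files(init_t)
+storage_raw_read_removable_device(init_t)
+#============= sshd_t ==============
+allow sshd_t unconfined_service_t:nscd { shmemgrp shmemhost shmempwd getgrp getpwd };
+files_exec_generic_pid_files(sshd_t)
+files_map_var_lib_files(sshd_t)
+files_read_var_lib_files(sshd_t)
+files_write_generic_pid_sockets(sshd_t)
+unconfined_server_dbus_chat(sshd_t)
+#============= systemd_localed_t ==============
+allow systemd_localed_t unconfined_service_t:dbus { acquire_svc send_msg };
+files_write_generic_pid_sockets(systemd_localed_t)
+#============= systemd_logind_t ==============
+allow systemd_logind_t unconfined_service_t:dbus { acquire_svc send_msg };
+allow systemd_logind_t unconfined_service_t:nscd { shmempwd getpwd };
+files_map_var_lib_files(systemd_logind_t)
+files_read_var_lib_files(systemd_logind_t)
+files_write_generic_pid_sockets(systemd_logind_t)
+systemd_dbus_chat_logind(systemd_logind_t)
+#============= systemd_tmpfiles_t ==============
+allow systemd_tmpfiles_t unconfined_service_t:nscd { getpwd getgrp shmemgrp shmempwd };
+files_map_var_lib_files(systemd_tmpfiles_t)
+#============= unconfined_service_t ==============
+allow unconfined_service_t unconfined_t:process transition;
+init_dbus_chat(unconfined_service_t)
+unconfined_server_dbus_chat(unconfined_service_t)
+#============= unconfined_t ==============
+allow unconfined_t systemd_systemctl_exec_t:file entrypoint;
+allow unconfined_t unconfined_service_t:nscd { shmemgrp shmempwd getgrp gethost getpwd getserv shmemhost shmemserv };
+#============= unconfined_dbusd_t ==============
+allow unconfined_dbusd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd };
+#============= rtkit_daemon_t ==============
+allow rtkit_daemon_t unconfined_service_t:nscd { getpwd shmempwd };
+#============= system_dbusd_t ==============
+allow system_dbusd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd };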
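Review bot: None of the allow rules records the AVC denial it answers or the condition under which it can go, which matters for a module whose name promises it is temporary; in particular `allow init_t self:process execmem;` lets init run code from writable memory, `allow unconfined_t systemd_systemctl_exec_t:file entrypoint;` turns systemctl into an entrypoint for unconfined_t, and `allow unconfined_service_t unconfined_t:process transition;` opens a transition path between the two unconfined domains, none of which is obviously tied to the nscd and dbus fixes around them. Add a header under `policy_module(minimum_temp_fixes, 1.0)` along the lines of `# Each rule below answers a denial seen on the minimum policy; note the denial and the owning module next to it and remove the rule once that module is in the base set.` The many `unconfined_service_t:nscd` rules look as if they were collected while nscd itself ran unconfined; with `nscd = module` now in modules-minimum-base.conf nscd should run as nscd_t, so those rules presumably become dead and the per-domain `nscd_socket_use()` interface would be the long-term replacement — worth confirming on a relabelled system. Where an interface exists, as with the `init_dbus_chat` call already used here, prefer it over the raw `allow ... :dbus` rules.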

429
modules-minimum-base.conf Normal file

@ -0,0 +1,429 @@
# Layer: kernel
# Module: bootloader
#
# Policy for the kernel modules, kernel image, and bootloader.
#
bootloader = module
# Layer: kernel
# Module: corecommands
# Required in base
#
# Core policy for shells, and generic programs
# in /bin, /sbin, /usr/bin, and /usr/sbin.
#
corecommands = base
# Layer: kernel
# Module: corenetwork
# Required in base
#
# Policy controlling access to network objects
#
corenetwork = base
# Layer: admin
# Module: dmesg
#
# Policy for dmesg.
#
dmesg = module
# Layer: admin
# Module: netutils
#
# Network analysis utilities
#
netutils = module
# Layer: admin
# Module: sudo
#
# Execute a command with a substitute user
#
sudo = module
# Layer: admin
# Module: su
#
# Run shells with substitute user and group
#
su = module
# Layer: admin
# Module: usermanage
#
# Policy for managing user accounts.
#
usermanage = module
# Layer: apps
# Module: seunshare
#
# seunshare executable
#
seunshare = module
# Module: devices
# Required in base
#
# Device nodes and interfaces for many basic system devices.
#
devices = base
# Module: domain
# Required in base
#
# Core policy for domains.
#
domain = base
# Layer: system
# Module: userdomain
#
# Policy for user domains
#
userdomain = module
# Module: files
# Required in base
#
# Basic filesystem types and interfaces.
#
files = base
# Layer: system
# Module: miscfiles
#
# Miscelaneous files.
#
miscfiles = module
# Module: filesystem
# Required in base
#
# Policy for filesystems.
#
filesystem = base
# Module: kernel
# Required in base
#
# Policy for kernel threads, proc filesystem,and unlabeled processes and objects.
#
kernel = base
# Module: mcs
# Required in base
#
# MultiCategory security policy
#
mcs = base
# Module: mls
# Required in base
#
# Multilevel security policy
#
mls = base
# Module: selinux
# Required in base
#
# Policy for kernel security interface, in particular, selinuxfs.
#
selinux = base
# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
#
storage = base
# Module: terminal
# Required in base
#
# Policy for terminals.
#
terminal = base
# Layer: kernel
# Module: ubac
#
#
#
ubac = base
# Layer: kernel
# Module: unconfined
#
# The unlabelednet module.
#
unlabelednet = module
# Layer: role
# Module: auditadm
#
# auditadm account on tty logins
#
auditadm = module
# Layer: role
# Module: logadm
#
# Minimally prived root role for managing logging system
#
logadm = module
# Layer: role
# Module: secadm
#
# secadm account on tty logins
#
secadm = module
# Layer:role
# Module: sysadm_secadm
#
# System Administrator with Security Admin rules
#
sysadm_secadm = module
# Module: staff
#
# admin account
#
staff = module
# Layer:role
# Module: sysadm
#
# System Administrator
#
sysadm = module
# Layer: role
# Module: unconfineduser
#
# The unconfined user domain.
#
unconfineduser = module
# Layer: role
# Module: unprivuser
#
# Minimally privs guest account on tty logins
#
unprivuser = module
# Layer: services
# Module: postgresql
#
# PostgreSQL relational database
#
postgresql = module
# Layer: services
# Module: ssh
#
# Secure shell client and server policy.
#
ssh = module
# Layer: services
# Module: xserver
#
# X windows login display manager
#
xserver = module
# Module: application
# Required in base
#
# Defines attributs and interfaces for all user applications
#
application = module
# Layer: system
# Module: authlogin
#
# Common policy for authentication and user login.
#
authlogin = module
# Layer: system
# Module: clock
#
# Policy for reading and setting the hardware clock.
#
clock = module
# Layer: system
# Module: fstools
#
# Tools for filesystem management, such as mkfs and fsck.
#
fstools = module
# Layer: system
# Module: getty
#
# Policy for getty.
#
getty = module
# Layer: system
# Module: hostname
#
# Policy for changing the system host name.
#
hostname = module
# Layer: system
# Module: init
#
# System initialization programs (init and init scripts).
#
init = module
# Layer: system
# Module: ipsec
#
# TCP/IP encryption
#
ipsec = module
# Layer: system
# Module: iptables
#
# Policy for iptables.
#
iptables = module
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
libraries = module
# Layer: system
# Module: locallogin
#
# Policy for local logins.
#
locallogin = module
# Layer: system
# Module: logging
#
# Policy for the kernel message logger and system logging daemon.
#
logging = module
# Layer: system
# Module: lvm
#
# Policy for logical volume management programs.
#
lvm = module
# Layer: system
# Module: modutils
#
# Policy for kernel module utilities
#
modutils = module
# Layer: system
# Module: mount
#
# Policy for mount.
#
mount = module
# Layer: system
# Module: netlabel
#
# Basic netlabel types and interfaces.
#
netlabel = module
# Layer: system
# Module: selinuxutil
#
# Policy for SELinux policy and userland applications.
#
selinuxutil = module
# Module: setrans
# Required in base
#
# Policy for setrans
#
setrans = module
# Layer: system
# Module: sysnetwork
#
# Policy for network configuration: ifconfig and dhcp client.
#
sysnetwork = module
# Layer: system
# Module: systemd
#
# Policy for systemd components
#
systemd = module
# Layer: system
# Module: udev
#
# Policy for udev.
#
udev = module
# Layer: system
# Module: unconfined
#
# The unconfined domain.
#
unconfined = module
# Layer: system
# Module: kdbus
#
# Policy for kdbus.
#
kdbus = module
# Layer: admin
# Module: rpm
#
# Policy for the RPM package manager.
#
rpm = module
# Layer: contrib
# Module: minimum_temp_fixes
#
# Temporary fixes for the minimum policy.
#
minimum_temp_fixes = module
# Layer: contrib
# Module: packagekit
#
# Temporary permissive module for packagekit
#
packagekit = module
# Layer: services
# Module: nscd
#
# Name service cache daemon
#
nscd = module
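Review bot: Several module headers in the new file disagree with the entry under them: the block reading `# Module: unconfined` / `# The unlabelednet module.` sits above `unlabelednet = module`, and `application` and `setrans` are marked `# Required in base` yet set to `module`, while `devices`, `files` and the other entries carrying that marker are `base`. Which side is right should be checked against the upstream modules.conf this was derived from, since for a module that really is required in base the value is what the build acts on, not the comment. The same pass can fix the typos `Miscelaneous`, `attributs`, `Minimally prived` and the two `Layer:role` headers missing their space.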

2630
modules-minimum-contrib.conf Normal file



@ -1 +1 @@
abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nscd nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown publicfile pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy 
telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs
abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown publicfile pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet 
tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs
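Review bot: The module list repeats several names on both sides (`gpg gpg`, `ncftool ncftool`, `vbetool vbetool`, and `tftp`, `lircd`, `slpd`, `xguest`, `openvpn`, `prelude`, `rpcbind`, `ksmtuned`, `cpufreqselector` each appear twice), which predates this commit but makes the intended one-word change — apparently dropping `nscd` now that it is in the base list — hard to spot in a single-line diff. Deduplicating the list, and putting one name per line if the consumer of this file accepts that, would make future changes reviewable.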


1581
modules-mls-contrib.conf Normal file




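--- a/packagekit.fc
+++ b/packagekit.fc
@@ -0,0 +1,44 @@
+/usr/lib/systemd/system/packagekit.* -- gen_context(system_u:object_r:packagekit_unit_file_t,s0)
+/usr/bin/packagekit -- gen_context(system_u:object_r:packagekit_exec_t,s0)
+#/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:packagekit_var_lib_t,s0)
+/usr/bin/pkcon -- gen_context(system_u:object_r:packagekit_exec_t,s0)
+/usr/bin/pkmon -- gen_context(system_u:object_r:packagekit_exec_t,s0)
+/usr/lib/packagekit-direct -- gen_context(system_u:object_r:packagekit_exec_t,s0)
+/usr/lib/packagekitd -- gen_context(system_u:object_r:packagekit_exec_t,s0)
+/usr/lib/pk-offline-update -- gen_context(system_u:object_r:packagekit_exec_t,s0)
+#/etc/PackageKit
+#/etc/dbus-1/system.d/org.freedesktop.PackageKit.conf
+#/usr/lib/tmpfiles.d
+#/usr/lib/tmpfiles.d/PackageKit.conf
+#/usr/lib64/packagekit-backend
+#/usr/lib64/packagekit-backend/libpk_backend_dummy.so
+#/usr/sbin/rcpackagekit
+#/usr/sbin/rcpackagekit-offline-update
+#/usr/share/PackageKit
+#/usr/share/PackageKit/helpers
+#/usr/share/PackageKit/helpers/test_spawn
+#/usr/share/PackageKit/helpers/test_spawn/search-name.sh
+#/usr/share/PackageKit/packagekit-background.sh
+#/usr/share/PackageKit/pk-upgrade-distro.sh
+#/usr/share/PackageKit/transactions.db
+#/usr/share/bash-completion/completions/pkcon
+#/usr/share/dbus-1/interfaces/org.freedesktop.PackageKit.Transaction.xml
+#/usr/share/dbus-1/interfaces/org.freedesktop.PackageKit.xml
+#/usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service
+#/usr/share/doc/packages/PackageKit
+#/usr/share/doc/packages/PackageKit/AUTHORS
+#/usr/share/doc/packages/PackageKit/HACKING
+#/usr/share/doc/packages/PackageKit/NEWS
+#/usr/share/doc/packages/PackageKit/README
+#/usr/share/doc/packages/PackageKit/org.freedesktop.packagekit.rules
+#/usr/share/licenses/PackageKit
+#/usr/share/licenses/PackageKit/COPYING
+#/usr/share/man/man1/pkcon.1.gz
+#/usr/share/man/man1/pkmon.1.gz
+#/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
+#/var/cache/PackageKit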
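Review bot: `#/var/lib/PackageKit(/.*)?` is commented out, so `packagekit_var_lib_t`, which packagekit.te declares, is never assigned to any path and `/var/lib/PackageKit` is labelled by whatever generic /var/lib pattern matches it; either enable the line together with the commented manage_*_pattern rules in the .te, or drop the type until it is used. The `#/etc/PackageKit` … `#/var/cache/PackageKit` lines are a package file listing rather than context entries; keep the paths that still need a label as one short TODO comment and delete the rest so the file reads as policy.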

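--- a/packagekit.if
+++ b/packagekit.if
@@ -0,0 +1,2 @@
+## <summary>A temporary policy for packagekit.</summary>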

37
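--- a/packagekit.te
+++ b/packagekit.te
@@ -0,0 +1,37 @@
+policy_module(packagekit,1.0.0)
+########################################
+#
+# Declarations
+#
+type packagekit_t;
+type packagekit_exec_t;
+init_daemon_domain(packagekit_t,packagekit_exec_t)
+permissive packagekit_t;
+type packagekit_unit_file_t;
+systemd_unit_file(packagekit_unit_file_t)
+type packagekit_var_lib_t;
+files_type(packagekit_var_lib_t)
+#allow packagekit_t self:tcp_socket create_stream_socket_perms;
+#
+#manage_dirs_pattern(packagekit_t, packagekit_var_lib_t, packagekit_var_lib_t)
+#manage_files_pattern(packagekit_t, packagekit_var_lib_t, packagekit_var_lib_t)
+#manage_lnk_files_pattern(packagekit_t, packagekit_var_lib_t, packagekit_var_lib_t)
+#files_var_lib_filetrans(packagekit_t, packagekit_var_lib_t, dir)
+#
+#kernel_read_unix_sysctls(packagekit_t)
+#kernel_read_net_sysctls(packagekit_t)
+#
+#corenet_tcp_bind_generic_node(packagekit_t)
+#
+#corenet_tcp_bind_kubernetes_port(packagekit_t)
+#corenet_tcp_bind_afs3_callback_port(packagekit_t)
+#
+#fs_getattr_xattr_fs(packagekit_t)
+#
+#logging_send_syslog_msg(packagekit_t)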
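Review bot: `packagekit_var_lib_t` is declared with `files_type(packagekit_var_lib_t)` but nothing ever labels or uses it — the `/var/lib/PackageKit(/.*)?` entry in packagekit.fc is commented out and so are the `manage_*_pattern`/`files_var_lib_filetrans` rules below — so the type is dead weight in the loaded policy; either enable the fc entry together with those rules or drop the declaration until they land. `permissive packagekit_t;` makes the whole domain audit-only, which is reasonable for a bootstrap module but should say so in place, e.g. `# TODO: permissive until the denials seen in enforcing mode are worked through (see changelog)`, so it is not forgotten once the temp_fixes modules are removed. Since packagekit.if ships no interfaces, no other module can be granted access to `packagekit_t` (dbus chat, unit file management); a one-line comment in the Declarations block noting that those come later would help the next person who hits a denial from the client side. The block of commented-out rules at the bottom is dead code in a committed module; keeping it in the tracking issue rather than the .te keeps the policy readable.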

63
postfix_paths.patch Normal file

@ -0,0 +1,63 @@
Index: fedora-policy/policy/modules/contrib/postfix.fc
===================================================================
--- fedora-policy.orig/policy/modules/contrib/postfix.fc 2019-08-05 09:39:48.669670650 +0200
+++ fedora-policy/policy/modules/contrib/postfix.fc 2019-08-14 11:11:26.195163409 +0200
@@ -1,36 +1,19 @@
# postfix
/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
-ifdef(`distro_redhat', `
-/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
-', `
/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-')
+/usr/lib/postfix/bin/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/bin/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/lib/postfix/bin/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/lib/postfix/bin/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/lib/postfix/bin/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/bin/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/lib/postfix/bin/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/bin/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/bin/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/bin/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/lib/postfix/bin/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/lib/postfix/bin/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
@@ -44,6 +27,9 @@ ifdef(`distro_redhat', `
/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/etc/postfix/system/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/etc/postfix/system/update_postmaps -- gen_context(system_u:object_r:postfix_map_exec_t,s0)
+
/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
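Review bot: The new `/etc/postfix/system/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)` line in the second inner hunk makes every regular file under /etc/postfix/system an entrypoint for the postfix_t domain, while the rest of that tree stays `postfix_etc_t` via `/etc/postfix.*`; if only a handful of SUSE helper scripts live there, listing them explicitly (as the patch already does for `update_postmaps`) keeps a stray file dropped into the directory from becoming a domain entrypoint. In the first hunk the catch-all `/usr/lib/postfix/.* -- ... postfix_exec_t` context line already covers the new `/usr/lib/postfix/bin/` paths, so the per-program entries matter only for the more specific exec types; a short header comment in the patch saying that `bin/` is the SUSE layout and why the `distro_redhat` split was dropped would make the next rebase onto fedora-policy less error-prone.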


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:67bd1213e9d014ada15512028bb7f35ef6610c2d209cc5117b8577474aa6147f
size 555882

22
sedoctool.patch Normal file

@ -0,0 +1,22 @@
Index: fedora-policy/support/sedoctool.py
===================================================================
--- fedora-policy.orig/support/sedoctool.py 2019-08-21 13:54:02.175947408 +0200
+++ fedora-policy/support/sedoctool.py 2019-08-21 13:57:57.323782524 +0200
@@ -810,7 +810,7 @@ if booleans:
namevalue_list = []
if os.path.exists(booleans):
try:
- conf = open(booleans, 'r')
+ conf = open(booleans, 'r', errors='replace')
except:
error("Could not open booleans file for reading")
@@ -831,7 +831,7 @@ if modules:
namevalue_list = []
if os.path.exists(modules):
try:
- conf = open(modules, 'r')
+ conf = open(modules, 'r', errors='replace')
except:
error("Could not open modules file for reading")
namevalue_list = get_conf(conf)
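Review bot: `errors='replace'` fixes the symptom but leaves the codec up to the locale: without an explicit `encoding=`, `open()` decodes with whatever the build chroot's locale provides (often ASCII), which is presumably what made the build fail, and any replaced characters now end up silently in the generated documentation. Pinning the codec keeps the output identical across build hosts: `conf = open(booleans, 'r', encoding='utf-8', errors='replace')` in the first hunk and the same for the `modules` open in the second. The bare `except:` and the `conf` handle that is never closed are pre-existing in the context lines, so they are out of scope for this patch, but worth a note in the patch header so the workaround is not mistaken for a complete fix.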


@ -1,3 +1,53 @@
-------------------------------------------------------------------
Mon Aug 9 12:11:28 UTC 2019 - Johannes Segitz <jsegitz@suse.de>
- Moved back to fedora policy (20190802)
- Removed spec file conditionals for old SELinux userland
- Removed config.tgz
- Removed patches:
* label_sysconfig.selinux.patch
* label_var_run_rsyslog.patch
* suse_additions_obs.patch
* suse_additions_sslh.patch
* suse_modifications_apache.patch
* suse_modifications_cron.patch
* suse_modifications_getty.patch
* suse_modifications_logging.patch
* suse_modifications_ntp.patch
* suse_modifications_usermanage.patch
* suse_modifications_virt.patch
* suse_modifications_xserver.patch
* sysconfig_network_scripts.patch
* segenxml_interpreter.patch
- Added patches:
* fix_djbdns.patch
* fix_dbus.patch
* fix_gift.patch
* fix_java.patch
* fix_hadoop.patch
* fix_thunderbird.patch
* postfix_paths.patch
* fix_nscd.patch
* fix_sysnetwork.patch
* fix_logging.patch
* fix_xserver.patch
* fix_miscfiles.patch
to fix problems with the coresponding modules
- Added sedoctool.patch to prevent build failures
- This also adds three modules:
* packagekit.(te|if|fc)
Basic (currently permissive) module for packagekit
* minimum_temp_fixes.(te|if|fc)
and
* targeted_temp_fixes.(te|if|fc)
both are currently necessary to get the systems to boot in
enforcing mode. Most of them obviosly stem from mislabeled
files, so this needs to be worked through and then removed
eventually
Also selinuxuser_execstack, selinuxuser_execmod and
domain_can_mmap_files need to be enabled. Especially the first
two are bad and should be removed ASAP
-------------------------------------------------------------------
Thu Jul 11 12:29:29 UTC 2019 - <jsegitz@suse.com>


@ -24,7 +24,7 @@
# TODO: This turns on distro-specific policies.
# There are almost no SUSE specific modifications available in the policy, so we utilize the
# ones used by redhat and include also the SUSE specific ones (see sed statement below)
%define distro suse
%define distro redhat
%define ubac n
%define polyinstatiate n
%define monolithic n
@ -38,10 +38,6 @@
%define coreutils_ge() %{lua: if (rpm.vercmp(rpm.expand("%POLICYCOREUTILSVER"), rpm.expand("%1")) >= 0) then print "1" else print "0" end }
# conditional stuff depending on policycoreutils version
# See https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration
%if %{coreutils_ge 2.5}
# Policy version, see https://selinuxproject.org/page/NB_PolicyType#Policy_Versions
# It depends on the kernel, but apparently more so on the libsemanage version.
%define POLICYVER 30
@ -69,54 +65,6 @@
%dir %{module_store %%1}/active/modules/disabled \
%{module_disabled %%1 sandbox}
%global files_dot_bin() %nil
%global rm_selinux_mod() rm -rf %%1
%else
# Policy version, see https://selinuxproject.org/page/NB_PolicyType#Policy_Versions
# It depends on the kernel, but apparently more so on the libsemanage version.
%define POLICYVER 29
%global module_store() %{_sysconfdir}/selinux/%%{1}/modules
%global module_dir active/modules
%global module_disabled() %{module_store %%{1}}/active/modules/%%{2}.pp.disabled
# FixMe 170315: Why is bzip2 used here rather than semodule -i?
%global install_pp() \
(cd %{buildroot}/%{_usr}/share/selinux/%%1/ \
bzip2 -c base.pp > %{buildroot}/%{_sysconfdir}/selinux/%%1/modules/active/base.pp \
rm -f base.pp \
for i in *.pp; do \
bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%%1/modules/active/modules/$i \
done \
rm -f *pp* );
# FixMe 170315:
# Why is base.pp installed in a different path than other modules?
# Requirement of policycoreutils 2.3 ??
%global files_base_pp() %verify(not md5 size mtime) %{module_store %%{1}}/active/base.pp
# FixMe 170315: do we really need these?
%global touch_file_contexts() \
touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.local \
touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.homedirs.bin \
touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.bin;
%global mkdir_other() %nil
# FixMe 170315: do we really need these?
%global files_file_contexts() \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/file_contexts.homedirs \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/file_contexts.template
# FixMe 170315: do we really need these?
%global files_other() \
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/seusers.final \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/netfilter_contexts
%global files_dot_bin() %ghost %{module_store %%{1}}/active/*.bin
%global rm_selinux_mod() rm -f %%{1}.pp
%endif
Summary: SELinux policy configuration
License: GPL-2.0-or-later
@ -124,11 +72,15 @@ Group: System/Management
Name: selinux-policy
Version: 20190609
Release: 0
Source: https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_%{version}/refpolicy-2.%{version}.tar.bz2
Source: fedora-policy.20190802.tar.bz2
Source10: modules-targeted-base.conf
Source11: modules-targeted-contrib.conf
Source12: modules-mls-base.conf
Source13: modules-minimum-disable.lst
Source13: modules-mls-contrib.conf
Source14: modules-minimum-base.conf
Source15: modules-minimum-contrib.conf
Source18: modules-minimum-disable.lst
Source20: booleans-targeted.conf
Source21: booleans-mls.conf
@ -152,23 +104,35 @@ Source61: selinux-policy.sysconfig
Source90: selinux-policy-rpmlintrc
Source91: Makefile.devel
Source92: customizable_types
Source93: config.tgz
#Source93: config.tgz
Source94: file_contexts.subs_dist
Patch001: label_sysconfig.selinux.patch
Patch002: label_var_run_rsyslog.patch
Patch003: suse_additions_obs.patch
Patch004: suse_additions_sslh.patch
Patch005: suse_modifications_apache.patch
Patch007: suse_modifications_cron.patch
Patch009: suse_modifications_getty.patch
Patch012: suse_modifications_logging.patch
Patch013: suse_modifications_ntp.patch
Patch021: suse_modifications_usermanage.patch
Patch022: suse_modifications_virt.patch
Patch023: suse_modifications_xserver.patch
Patch024: sysconfig_network_scripts.patch
Patch025: segenxml_interpreter.patch
Source100: minimum_temp_fixes.te
Source101: minimum_temp_fixes.if
Source102: minimum_temp_fixes.fc
Source110: targeted_temp_fixes.te
Source111: targeted_temp_fixes.if
Source112: targeted_temp_fixes.fc
Source120: packagekit.te
Source121: packagekit.if
Source122: packagekit.fc
Patch001: fix_djbdns.patch
Patch002: fix_dbus.patch
Patch003: fix_gift.patch
Patch004: fix_java.patch
Patch005: fix_hadoop.patch
Patch006: fix_thunderbird.patch
Patch007: postfix_paths.patch
Patch008: fix_nscd.patch
Patch009: fix_sysnetwork.patch
Patch010: fix_logging.patch
Patch011: fix_xserver.patch
Patch012: fix_miscfiles.patch
Patch100: sedoctool.patch
Url: http://oss.tresys.com/repos/refpolicy/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -195,26 +159,24 @@ Recommends: selinux-tools
Recommends: python3-policycoreutils
Recommends: policycoreutils
%global makeCmds() \
make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \
%global makeConfig() \
make %{?_smp_mflags} UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
make %{?_smp_mflags} UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
#cp -f selinux_config/users-%1 ./policy/users \
#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \
%global makeModulesConf() \
cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \
cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \
#if [ "%3" = "contrib" ];then \
# cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
# cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
#fi; \
cp -f selinux_config/users-%1 ./policy/users \
cp -f selinux_config/modules-%1-base.conf ./policy/modules-base.conf \
cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \
if [ "%5" = "contrib" ];then \
cp selinux_config/modules-%1-%5.conf ./policy/modules-contrib.conf; \
cat selinux_config/modules-%1-%5.conf >> ./policy/modules.conf; \
fi; \
%global installCmds() \
make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" base.pp \
make %{?_smp_mflags} validate SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" modules \
make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
make %{?_smp_mflags} UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 base.pp \
make %{?_smp_mflags} validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 modules \
make %{?_smp_mflags} UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
mkdir -p %{buildroot}/var/lib/selinux/%1 \
/usr/sbin/semodule -s %%1 -n -B -p %{buildroot}; \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
%{__mkdir} -p %{buildroot}/%{module_store %%{1}}/%{module_dir} \
@ -235,7 +197,6 @@ touch %{buildroot}%{module_store %%{1}}/active/users_extra.local \
touch %{buildroot}%{module_store %%{1}}/active/users.local \
%install_pp %%1 \
touch %{buildroot}%{module_disabled %%1 sandbox} \
/usr/sbin/semodule -s %%1 -n -B -p %{buildroot}; \
/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.* | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
%nil
@ -243,6 +204,7 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
%global fileList() \
%defattr(-,root,root) \
%dir %{_usr}/share/selinux/%1 \
%{_usr}/share/selinux/%1/* \
%dir %{_sysconfdir}/selinux/%1 \
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
@ -278,13 +240,15 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/customizable_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/openrc_contexts \
%dir %{_sysconfdir}/selinux/%1/contexts/files \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
@ -294,10 +258,10 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
%dir %{_sysconfdir}/selinux/%1/contexts/users \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/*
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/*
%define relabel() \
. %{_sysconfdir}/sysconfig/selinux-policy; \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if selinuxenabled; then \
if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
@ -329,7 +293,6 @@ fi;
. %{_sysconfdir}/selinux/config; \
if [ -e %{_sysconfdir}/selinux/%%2/.rebuild ]; then \
rm %{_sysconfdir}/selinux/%%2/.rebuild; \
(cd %{module_store %%2}/%{module_dir}; for _mod in shutdown amavis clamav gnomeclock matahari xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor pki-selinux phpfpm consoletype ctdbd fcoemon isnsd l2tp rgmanager corosync aisexec pacemaker; do %{rm_selinux_mod ${_mod}}; done ) \
/usr/sbin/semodule -B -n -s %%2; \
else \
touch %{module_disabled %%2 sandbox} \
@ -356,7 +319,7 @@ fi;
%define modulesList() \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \
if [ -e ./policy/modules-contrib.conf ];then \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \
fi;
%files
@ -373,31 +336,30 @@ SELinux Reference Policy. A complete SELinux policy that can be used as the syst
systems and used as the basis for creating other policies.
%prep
%setup -n refpolicy
%setup -n fedora-policy
%patch001 -p1
%patch002 -p1
%patch003 -p1
%patch004 -p1
%patch005 -p1
%patch006 -p1
%patch007 -p1
%patch008 -p1
%patch009 -p1
%patch010 -p1
%patch011 -p1
%patch012 -p1
%patch013 -p1
%patch021 -p1
%patch022 -p1
%patch023 -p1
%patch024 -p1
%patch025 -p1
%patch100 -p1
%build
%install
mkdir selinux_config
for i in %{SOURCE10} %{SOURCE12} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE91} %{SOURCE92} %{SOURCE93} %{SOURCE94};do
for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do
cp $i selinux_config
done
tar zxvf selinux_config/config.tgz
# Build targeted policy
#tar zxvf selinux_config/config.tgz
%{__rm} -fR %{buildroot}
mkdir -p %{buildroot}%{_sysconfdir}/selinux
mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
@ -406,40 +368,45 @@ cp %{SOURCE60} %{buildroot}%{_usr}/lib/tmpfiles.d/
# Always create policy module package directories
mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/
for i in %{SOURCE120} %{SOURCE121} %{SOURCE122}; do
cp $i policy/modules/contrib
done
make clean
%if %{BUILD_TARGETED}
# Build targeted policy
mkdir -p %{buildroot}%{_usr}/share/selinux/targeted
%makeCmds targeted mcs n allow
%makeModulesConf targeted base contrib
for i in %{SOURCE110} %{SOURCE111} %{SOURCE112}; do
cp $i policy/modules/contrib
done
%makeConfig targeted mcs n deny contrib
%installCmds targeted mcs n allow
%modulesList targeted
%endif
%if %{BUILD_MINIMUM}
# Build minimum policy
mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
%makeCmds minimum mcs n allow
%makeModulesConf targeted base contrib
%installCmds minimum mcs n allow
install -m0644 %{SOURCE13} %{buildroot}/usr/share/selinux/minimum/modules-minimum-disable.lst \
%modulesList minimum
%endif
for i in %{SOURCE110} %{SOURCE111} %{SOURCE112}; do
rm policy/modules/contrib/$(basename $i)
done
%if %{BUILD_MLS}
# Build mls policy
mkdir -p %{buildroot}%{_usr}/share/selinux/mls
%makeCmds mls mls n deny
%makeModulesConf mls base contrib
%makeConfig mls mls n deny contrib
%installCmds mls mls n deny
%modulesList mls
%endif
%if %{BUILD_MINIMUM}
for i in %{SOURCE100} %{SOURCE101} %{SOURCE102}; do
cp $i policy/modules/contrib
done
%makeConfig minimum mcs n deny contrib
%installCmds minimum mcs n allow
install -m0644 %{SOURCE18} %{buildroot}/usr/share/selinux/minimum/modules-minimum-disable.lst \
%modulesList minimum
%endif
# Install devel
mkdir -p %{buildroot}%{_mandir}
cp -R man/* %{buildroot}%{_mandir}
make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
mkdir %{buildroot}%{_usr}/share/selinux/devel/
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
chmod +x %{buildroot}%{_usr}/share/selinux/devel/include/support/segenxml.py
@ -466,6 +433,7 @@ else
[ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/booleans.local ] && mv %{_sysconfdir}/selinux/${SELINUXTYPE}/booleans.local %{module_store targeted}/active/
[ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers ] && cp -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers %{module_store ${SELINUXTYPE}}/active/seusers
fi
%tmpfiles_create %_tmpfilesdir/selinux-policy.conf
exit 0
%global post_un() \
@ -495,7 +463,6 @@ SELinux policy development and man page package
%files devel
%defattr(-,root,root,-)
%doc /usr/share/man/ru/man8/*
%doc /usr/share/man/man8/*
%dir %{_usr}/share/selinux/devel
%dir %{_usr}/share/selinux/devel/include
%{_usr}/share/selinux/devel/include/*
@ -539,7 +506,6 @@ exit 0
%files targeted
%defattr(-,root,root,-)
%fileList targeted
%{_usr}/share/selinux/targeted/modules-base.lst
%postun targeted
%post_un $1
@ -566,28 +532,40 @@ if [ $1 -ne 1 ]; then
fi
%post minimum
contribpackages=`cat /usr/share/selinux/minimum/modules-minimum-disable.lst`
contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
if [ ! -d /var/lib/selinux/minimum/active/modules/disabled ]; then
mkdir /var/lib/selinux/minimum/active/modules/disabled
fi
if [ $1 -eq 1 ]; then
for p in $contribpackages djbdns dkim getty geoclue lightsquid openca pyzor portage shibboleth yam portslave qemu xserver evolution thunderbird xscreensaver; do
touch %{module_disabled minimum $p}
done
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
/usr/sbin/semodule -B -s minimum
for p in $contribpackages; do
touch /var/lib/selinux/minimum/active/modules/disabled/$p
done
for p in $basepackages apache dbus inetd kerberos mta nis nscd rpm postfix rtkit; do
rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
done
/usr/sbin/semanage import -S minimum -f - << __eof
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m -s unconfined_u -r s0-s0:c0.c1023 root
__eof
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
/usr/sbin/semodule -B -s minimum
else
instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
for p in $contribpackages djbdns dkim getty geoclue lightsquid openca pyzor portage shibboleth yam portslave qemu xserver evolution thunderbird xscreensaver; do
touch %{module_disabled minimum $p}
done
/usr/sbin/semodule -B -s minimum
%relabel minimum
instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
for p in $contribpackages; do
touch /var/lib/selinux/minimum/active/modules/disabled/$p
done
for p in $instpackages apache dbus inetd kerberos mta nis nscd postfix rtkit; do
rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
done
/usr/sbin/semodule -B -s minimum
%relabel minimum
fi
exit 0
%files minimum
%defattr(-,root,root,-)
%fileList minimum
%{_usr}/share/selinux/minimum/modules-base.lst
/usr/share/selinux/minimum/modules-minimum-disable.lst
%postun minimum
%post_un $1
@ -598,7 +576,6 @@ exit 0
Summary: SELinux mls base policy
Group: System/Management
Provides: selinux-policy-base = %{version}-%{release}
Obsoletes: selinux-policy-mls-sources < 2
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER}
Requires: setransd
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
@ -619,7 +596,6 @@ SELinux Reference policy mls base module.
%files mls
%defattr(-,root,root,-)
%fileList mls
%{_usr}/share/selinux/mls/modules-base.lst
%postun mls
%post_un $1
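Review bot: The two module lists in the new `%post minimum` disagree: the fresh-install loop re-enables `apache dbus inetd kerberos mta nis nscd rpm postfix rtkit` while the upgrade loop uses `apache dbus inetd kerberos mta nis nscd postfix rtkit`, so on an upgrade the rpm module stays under `disabled/` unless it happens to be in instmodules.lst; put the list in one variable so both branches cannot drift. The same loops hard-code `/var/lib/selinux/minimum/active/modules/disabled/$p` where the removed code used `%{module_disabled minimum $p}`, a macro the spec still defines and uses (`touch %{module_disabled %%2 sandbox}`); keeping the macro means a future store-path change is made in one place. `modules-minimum-disable.lst` is still installed (`install -m0644 %{SOURCE18} ...`) and packaged in `%files minimum`, but no scriptlet reads it any more now that `contribpackages` comes from `modules-contrib.lst`, so either drop it or keep honouring it. In `%install`, the `rm policy/modules/contrib/$(basename $i)` loop for the targeted_temp_fixes sources appears to run unconditionally (it sits between the targeted `%endif` and `%if %{BUILD_MLS}`) while the matching `cp` is guarded by `%if %{BUILD_TARGETED}`, so `rm -f` or the same guard is needed to avoid an abort under `sh -e` when targeted is not built.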

View File

@ -1,96 +0,0 @@
Index: serefpolicy-contrib-20140730/obs.fc
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/obs.fc
@@ -0,0 +1,63 @@
+/usr/lib/build/Build(/.*)? -- gen_context(system_u:object_r:lib_t,s0)
+/usr/lib/build/Build.pm -- gen_context(system_u:object_r:lib_t,s0)
+
+/usr/lib/build/configs(/.*)? -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/baselibs_global.conf -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/baselibs_global-deb.conf -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-pkg -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-pkg-arch -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-pkg-deb -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-pkg-rpm -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-recipe -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-recipe-arch -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-recipe-dsc -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-recipe-kiwi -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-recipe-livebuild -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-recipe-mock -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-recipe-preinstallimage -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-recipe-spec -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm-ec2 -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm-emulator -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm-kvm -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm-lxc -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm-openstack -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm-qemu -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm-uml -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm-xen -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/build-vm-zvm -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/lxc.conf -- gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/build/qemu-reg -- gen_context(system_u:object_r:etc_t,s0)
+
+/usr/lib/build/emulator/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/build -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/changelog2spec -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/common_functions -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/computeblocklists -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/createarchdeps -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/createdebdeps -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/createrepomddeps -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/createrpmdeps -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/createyastdeps -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/createzyppdeps -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/debtransform -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/debtransformbz2 -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/debtransformzip -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/download -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/expanddeps -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/extractbuild -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/getbinaryid -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/init_buildsystem -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/killchroot -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/mkbaselibs -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/mkdrpms -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/order -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/queryconfig -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/signdummy -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/spec2changelog -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/spec_add_patch -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/spectool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/substitutedeps -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/unrpm -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/build/vc -- gen_context(system_u:object_r:bin_t,s0)
+
Index: serefpolicy-contrib-20140730/obs.if
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/obs.if
@@ -0,0 +1 @@
+#
Index: serefpolicy-contrib-20140730/obs.te
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/obs.te
@@ -0,0 +1,17 @@
+policy_module(obs, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# work out a real policy later on
+#type obs_t;
+#type obs_exec_t;
+#application_domain(obs_t, obs_exec_t)
+#
+#type obs_conf_t;
+#files_config_file(obs_conf_t)
+#
+#permissive obs_t;
+


@ -1,149 +0,0 @@
Index: serefpolicy-contrib-20140730/sslh.fc
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/sslh.fc
@@ -0,0 +1,9 @@
+/etc/conf.d/sslh -- gen_context(system_u:object_r:sslh_conf_t,s0)
+/etc/default/sslh -- gen_context(system_u:object_r:sslh_conf_t,s0)
+
+/etc/init.d/sslh -- gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
+/usr/lib/systemd/system/sslh.service -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
+
+#/usr/sbin/rcsslh -- gen_context(system_u:object_r:sslh_exec_t,s0)
+/usr/sbin/sslh -- gen_context(system_u:object_r:sslh_exec_t,s0)
+
Index: serefpolicy-contrib-20140730/sslh.if
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/sslh.if
@@ -0,0 +1,77 @@
+## <summary>sslh Applicative Protocol Multiplexer</summary>
+
+#######################################
+## <summary>
+## Allow a domain to getattr on sslh binary.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sslh_getattr_exec',`
+ gen_require(`
+ type sslh_exec_t;
+ ')
+
+ allow $1 sslh_exec_t:file getattr;
+')
+
+#######################################
+## <summary>
+## Read sslh configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sslh_read_config',`
+ gen_require(`
+ type sslh_conf_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, sslh_conf_t, sslh_conf_t)
+ read_files_pattern($1, sslh_conf_t, sslh_conf_t)
+')
+
+######################################
+## <summary>
+## Write sslh configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sslh_write_config',`
+ gen_require(`
+ type sslh_conf_t;
+ ')
+
+ files_search_etc($1)
+ write_files_pattern($1, sslh_conf_t, sslh_conf_t)
+')
+
+####################################
+## <summary>
+## Manage sslh configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sslh_manage_config',`
+ gen_require(`
+ type sslh_conf_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, sslh_conf_t, sslh_conf_t)
+')
Index: serefpolicy-contrib-20140730/sslh.te
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/sslh.te
@@ -0,0 +1,48 @@
+policy_module(sslh, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sslh_t;
+type sslh_exec_t;
+init_daemon_domain(sslh_t, sslh_exec_t)
+
+type sslh_initrc_exec_t;
+init_script_file(sslh_initrc_exec_t)
+
+type sslh_conf_t;
+files_config_file(sslh_conf_t)
+
+type sslh_unit_file_t;
+systemd_unit_file(sslh_unit_file_t)
+
+########################################
+#
+# sslh local policy
+#
+
+allow sslh_t self:capability { setuid net_bind_service setgid };
+allow sslh_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow sslh_t self:process { setcap signal };
+allow sslh_t self:tcp_socket { getattr setopt bind create listen accept connect write read };
+
+corenet_tcp_bind_generic_node(sslh_t)
+corenet_tcp_bind_all_ports(sslh_t)
+corenet_tcp_connect_all_ports(sslh_t)
+
+corenet_udp_bind_all_ports(sslh_t)
+corenet_udp_send_generic_if(sslh_t)
+corenet_udp_receive_generic_if(sslh_t)
+
+read_files_pattern(sslh_t, sslh_conf_t, sslh_conf_t)
+
+nscd_shm_use(sslh_t)
+
+allow sslh_t nscd_var_run_t:file read;
+
+# dontaudit?
+#allow sshd_t chkpwd_t:process { siginh rlimitinh noatsecure };
+#allow sshd_t unconfined_t:process { siginh noatsecure };
+


@ -1,12 +0,0 @@
Index: refpolicy/policy/modules/services/apache.fc
===================================================================
--- refpolicy.orig/policy/modules/services/apache.fc 2018-11-27 13:33:30.059837794 +0100
+++ refpolicy/policy/modules/services/apache.fc 2018-11-27 13:34:07.964446972 +0100
@@ -84,6 +84,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
ifdef(`distro_suse',`
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/start_apache2 -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)


@ -1,60 +0,0 @@
Index: refpolicy/policy/modules/services/cron.fc
===================================================================
--- refpolicy.orig/policy/modules/services/cron.fc 2019-06-09 20:05:20.000000000 +0200
+++ refpolicy/policy/modules/services/cron.fc 2019-07-11 14:31:20.905629406 +0200
@@ -69,7 +69,9 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_suse',`
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <<none>>
-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/tabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+/var/spool/cron/tabs/[^/]* -- gen_context(system_u:object_r:user_cron_spool_t,s0)
')
Index: refpolicy/policy/modules/services/cron.te
===================================================================
--- refpolicy.orig/policy/modules/services/cron.te 2019-06-09 20:05:20.000000000 +0200
+++ refpolicy/policy/modules/services/cron.te 2019-07-11 14:31:20.909629472 +0200
@@ -788,3 +788,9 @@ tunable_policy(`cron_userdomain_transiti
optional_policy(`
unconfined_domain(unconfined_cronjob_t)
')
+
+ifdef(`distro_suse',`
+ files_read_default_symlinks(crontab_t)
+ userdom_manage_user_home_dirs(crontab_t)
+ xserver_non_drawing_client(crontab_t)
+')
Index: refpolicy/policy/modules/services/cron.if
===================================================================
--- refpolicy.orig/policy/modules/services/cron.if 2019-06-09 20:05:20.000000000 +0200
+++ refpolicy/policy/modules/services/cron.if 2019-07-11 14:31:20.909629472 +0200
@@ -139,7 +139,7 @@ interface(`cron_role',`
#
interface(`cron_unconfined_role',`
gen_require(`
- type unconfined_cronjob_t, crontab_t, crontab_exec_t;
+ type unconfined_cronjob_t, admin_crontab_t, crontab_t, crontab_exec_t;
type crond_t, user_cron_spool_t;
bool cron_userdomain_transition;
')
@@ -149,14 +149,14 @@ interface(`cron_unconfined_role',`
# Declarations
#
- role $1 types { unconfined_cronjob_t crontab_t };
+ role $1 types { unconfined_cronjob_t admin_crontab_t crontab_t };
##############################
#
# Local policy
#
- domtrans_pattern($2, crontab_exec_t, crontab_t)
+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
allow $2 crond_t:process sigchld;


@ -1,15 +0,0 @@
Index: refpolicy/policy/modules/system/getty.te
===================================================================
--- refpolicy.orig/policy/modules/system/getty.te 2017-08-07 00:45:21.000000000 +0200
+++ refpolicy/policy/modules/system/getty.te 2018-11-27 14:50:03.798977971 +0100
@@ -91,6 +91,10 @@ logging_send_syslog_msg(getty_t)
miscfiles_read_localization(getty_t)
+allow getty_t var_run_t:sock_file write;
+plymouthd_exec_plymouth(getty_t)
+kernel_stream_connect(getty_t)
+
ifdef(`distro_gentoo',`
# Gentoo default /etc/issue makes agetty
# do a DNS lookup for the hostname


@ -1,14 +0,0 @@
Index: refpolicy/policy/modules/system/logging.te
===================================================================
--- refpolicy.orig/policy/modules/system/logging.te 2019-06-09 20:05:20.000000000 +0200
+++ refpolicy/policy/modules/system/logging.te 2019-07-11 14:31:20.937629934 +0200
@@ -555,6 +555,9 @@ ifdef(`init_systemd',`
udev_read_pid_files(syslogd_t)
')
+allow syslogd_t var_run_t:file { read getattr open };
+allow syslogd_t var_run_t:sock_file write;
+
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
# and high priority messages to /dev/tty12


@ -1,18 +0,0 @@
Index: refpolicy/policy/modules/services/ntp.fc
===================================================================
--- refpolicy.orig/policy/modules/services/ntp.fc 2019-06-09 20:05:20.000000000 +0200
+++ refpolicy/policy/modules/services/ntp.fc 2019-07-11 14:31:20.957630264 +0200
@@ -39,3 +39,13 @@
/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+
+# SUSE chroot
+/var/lib/ntp/etc/ntpd?.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/var/lib/ntp/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/var/lib/ntp/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+/var/lib/ntp/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/var/lib/ntp/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp/var/run/ntp(/.*)? gen_context(system_u:object_r:ntpd_var_run_t,s0)


@ -1,24 +0,0 @@
Index: refpolicy/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy.orig/policy/modules/admin/usermanage.te 2019-06-09 20:05:20.000000000 +0200
+++ refpolicy/policy/modules/admin/usermanage.te 2019-07-11 14:31:20.965630396 +0200
@@ -251,6 +251,9 @@ userdom_use_unpriv_users_fds(groupadd_t)
# for when /root is the cwd
userdom_dontaudit_search_user_home_dirs(groupadd_t)
+allow groupadd_t self:netlink_selinux_socket { create bind };
+allow groupadd_t var_run_t:sock_file write;
+
optional_policy(`
apt_use_fds(groupadd_t)
')
@@ -571,6 +574,9 @@ optional_policy(`
puppet_rw_tmp(useradd_t)
')
+allow useradd_t var_run_t:sock_file write;
+selinux_compute_access_vector(useradd_t)
+
optional_policy(`
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)


@ -1,13 +0,0 @@
Index: refpolicy/policy/modules/services/virt.te
===================================================================
--- refpolicy.orig/policy/modules/services/virt.te 2018-07-01 17:02:32.000000000 +0200
+++ refpolicy/policy/modules/services/virt.te 2018-11-27 15:03:42.792334942 +0100
@@ -1235,6 +1235,8 @@ optional_policy(`
rpm_read_db(svirt_lxc_net_t)
')
+allow svirt_t qemu_exec_t:file execmod;
+
#######################################
#
# Prot exec local policy


@ -1,36 +0,0 @@
Index: refpolicy/policy/modules/services/xserver.fc
===================================================================
--- refpolicy.orig/policy/modules/services/xserver.fc 2019-06-09 20:05:20.000000000 +0200
+++ refpolicy/policy/modules/services/xserver.fc 2019-07-11 14:31:20.989630792 +0200
@@ -77,6 +77,9 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
+#/usr/lib/gdm/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/X11/display-manager -- gen_context(system_u:object_r:xdm_exec_t,s0)
+
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/usr/lib/xorg/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/lib/xorg/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0)
Index: refpolicy/policy/modules/services/xserver.te
===================================================================
--- refpolicy.orig/policy/modules/services/xserver.te 2019-06-09 20:05:20.000000000 +0200
+++ refpolicy/policy/modules/services/xserver.te 2019-07-11 14:31:20.989630792 +0200
@@ -912,6 +912,17 @@ corenet_tcp_bind_vnc_port(xserver_t)
init_use_fds(xserver_t)
+ifndef(`distro_suse',`
+ # this is a neverallow, maybe dontaudit it
+ #allow xdm_t proc_kcore_t:file getattr;
+ allow xdm_t var_run_t:lnk_file create;
+ allow xdm_t var_lib_t:lnk_file read;
+
+ dev_getattr_all_blk_files( xdm_t )
+ dev_getattr_all_chr_files( xdm_t )
+ logging_r_xconsole(xdm_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)


@ -1,70 +0,0 @@
Index: refpolicy/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy.orig/policy/modules/system/sysnetwork.fc 2019-06-09 20:05:20.000000000 +0200
+++ refpolicy/policy/modules/system/sysnetwork.fc 2019-07-11 14:31:20.997630924 +0200
@@ -6,6 +6,15 @@ ifdef(`distro_debian',`
/dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')
+# SUSE
+# sysconfig network files are stored in /dev/.sysconfig
+/dev/.sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+# label netconfig files in /var/adm and /var/lib and /var/run
+/var/adm/netconfig(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/var/lib/ntp/var(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/netconfig(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+
+
#
# /etc
#
@@ -34,6 +43,10 @@ ifdef(`distro_redhat',`
/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')
+/etc/sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/etc/sysconfig/network/scripts/.* gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/scripts/.* gen_context(system_u:object_r:bin_t,s0)
+
#
# /usr
#
Index: refpolicy/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy.orig/policy/modules/system/sysnetwork.te 2019-06-09 20:05:20.000000000 +0200
+++ refpolicy/policy/modules/system/sysnetwork.te 2019-07-11 14:31:21.001630990 +0200
@@ -47,7 +47,8 @@ ifdef(`distro_debian',`
#
# DHCP client local policy
#
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config };
+# need sys_admin to set hostname/domainname
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config sys_admin };
dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
@@ -80,6 +81,12 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_r
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
+# allow relabel of /dev/.sysconfig
+dev_associate(net_conf_t)
+
+# allow mv /etc/resolv.conf.netconfig
+allow dhcpc_t etc_runtime_t:file unlink;
+
# create temp files
manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
Index: refpolicy/policy/modules/kernel/devices.fc
===================================================================
--- refpolicy.orig/policy/modules/kernel/devices.fc 2019-06-09 20:05:20.000000000 +0200
+++ refpolicy/policy/modules/kernel/devices.fc 2019-07-11 14:31:21.001630990 +0200
@@ -2,6 +2,7 @@
/dev -d gen_context(system_u:object_r:device_t,s0)
/dev/.* gen_context(system_u:object_r:device_t,s0)
+/dev/.sysconfig(/.*)? -d gen_context(system_u:object_r:net_conf_t,s0)
/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)

0
targeted_temp_fixes.fc Normal file

1
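--- /dev/null
+++ b/targeted_temp_fixes.if
@@ -0,0 +1 @@
+## <summary></summary>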
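Review bot: The module summary on the only line of this file is empty, and the policy doc tooling reads that element as the module's description, so it should carry text, e.g. `## <summary>Temporary local fixes for the targeted policy</summary>`. The accompanying .te file in this commit declares no interfaces, so nothing beyond the summary is needed here.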
54
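--- /dev/null
+++ b/targeted_temp_fixes.te
@@ -0,0 +1,54 @@
+policy_module(targeted_temp_fixes, 1.0)
+require {
+type iptables_t;
+type nscd_t;
+type lib_t;
+type bin_t;
+type init_t;
+type irqbalance_t;
+type iptables_var_lib_t;
+type postfix_master_t;
+type firewalld_t;
+type postfix_map_exec_t;
+type xdm_t;
+type groupadd_t;
+type useradd_t;
+class netlink_selinux_socket { bind create };
+class dir { add_name mounton write };
+class file { create execute execute_no_trans getattr ioctl lock open read };
+}
+#============= firewalld_t ==============
+allow firewalld_t iptables_var_lib_t:dir { add_name write };
+allow firewalld_t iptables_var_lib_t:file { create lock open read };
+#============= init_t ==============
+allow init_t bin_t:dir mounton;
+allow init_t lib_t:dir mounton;
+allow init_t postfix_map_exec_t:file { execute execute_no_trans getattr ioctl open read };
+files_rw_var_files(init_t)
+fwupd_manage_cache_dirs(init_t)
+ntp_read_drift_files(init_t)
+#============= iptables_t ==============
+kernel_rw_pipes(iptables_t)
+#============= irqbalance_t ==============
+init_nnp_daemon_domain(irqbalance_t)
+#============= nscd_t ==============
+files_exec_generic_pid_files(nscd_t)
+#============= postfix_master_t ==============
+files_read_var_lib_files(postfix_master_t)
+files_read_var_lib_symlinks(postfix_master_t)
+#============= xdm_t ==============
+# KDE write to home directories
+userdom_manage_user_home_content_files(xdm_t)
+#============= groupadd_t ============== allow groupadd_t self:netlink_selinux_socket { bind create };
+allow useradd_t self:netlink_selinux_socket { bind create };
+selinux_compute_access_vector(groupadd_t)
+selinux_compute_access_vector(useradd_t)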
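Review bot: As rendered, the `#============= groupadd_t ==============` header and `allow groupadd_t self:netlink_selinux_socket { bind create };` share one line; if the file really reads that way the groupadd_t rule is inside a comment and only useradd_t receives the socket permissions, so the `allow` must start on its own line (the 54-line count versus the lines shown suggests the rendering may have dropped breaks, so please check the actual file). `userdom_manage_user_home_content_files(xdm_t)` grants the display-manager domain create/write/unlink on every user-home content type, which is far wider than the "KDE write to home directories" comment conveys; a comment naming the specific denial it works around, or a narrower interface if one fits, would let the grant be revisited. `fwupd_manage_cache_dirs(init_t)`, `ntp_read_drift_files(init_t)` and the postfix rules sit outside `optional_policy(...)`, so the module may fail to build or load where those modules are absent — confirm that is acceptable for a fixes module. Since the module is named as temporary, a short comment per section stating the denial or upstream issue each rule addresses would document when it can be dropped.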

@ -27,3 +27,12 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
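Review bot: The new `gen_user(root, ...)` line declares a dedicated SELinux identity for Unix root, but neither the added comment block nor the commit message says why root is a separate user rather than a seusers mapping onto an existing identity; its role set is identical to staff_u's on the line above in each variant, so a comment such as `# root: dedicated SELinux identity for Unix root; role set mirrors staff_u above` would record the intent. The same addition appears in the two later file sections (the secadm_r/auditadm_r variant and the repeat of this block), so the comment belongs in all three. In the secadm_r/auditadm_r variant, root holds sysadm_r, secadm_r and auditadm_r at once; if separation of those roles matters for that configuration, that is the line to reconsider. The enclosing file continues outside the hunk.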


@ -27,3 +27,12 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)


@ -27,3 +27,12 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)