Accepting request 821528 from home:jsegitz:branches:security:SELinux

- Update to version 20200717. Refreshed
  * fix_fwupd.patch
  * fix_hadoop.patch
  * fix_init.patch
  * fix_irqbalance.patch
  * fix_logrotate.patch
  * fix_nagios.patch
  * fix_networkmanager.patch
  * fix_postfix.patch
  * fix_sysnetwork.patch
  * fix_systemd.patch
  * fix_thunderbird.patch
  * fix_unconfined.patch
  * fix_unprivuser.patch
  * selinux-policy.spec
- Added update.sh to make updating easier

- Updated fix_unconfineduser.patch to allow unconfined_dbusd_t access
  to accountsd dbus
- New patch:
  * fix_nis.patch
- Updated patches:
  * fix_postfix.patch: Transition is done in distribution specific script

OBS-URL: https://build.opensuse.org/request/show/821528
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=77

fedora-policy.20200219.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:62cd90fa977ee00fd42a249690e13ad8fb87de95d06a1f12e86d05695544844d
-size 735114

fedora-policy.20200717.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9cce9137b42c72c260c989e8a35153681b4fda9c9bcabda80816393683cd0304
+size 752394

fix_fwupd.patch

@@ -1,7 +1,7 @@
 Index: fedora-policy/policy/modules/contrib/fwupd.fc
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/fwupd.fc	2020-02-19 09:36:31.784283432 +0000
-+++ fedora-policy/policy/modules/contrib/fwupd.fc	2020-02-21 14:24:21.739179426 +0000
+--- fedora-policy.orig/policy/modules/contrib/fwupd.fc
++++ fedora-policy/policy/modules/contrib/fwupd.fc
 @@ -4,6 +4,7 @@
  /etc/pki/(fwupd|fwupd-metadata)(/.*)?		gen_context(system_u:object_r:fwupd_cert_t,s0)
  
@@ -9,4 +9,4 @@ Index: fedora-policy/policy/modules/contrib/fwupd.fc
 +/usr/lib/fwupd/fwupd			--	gen_context(system_u:object_r:fwupd_exec_t,s0)
  
  /var/cache/app-info(/.*)?		gen_context(system_u:object_r:fwupd_cache_t,s0)
- 
+ /var/cache/fwupd(/.*)?			gen_context(system_u:object_r:fwupd_cache_t,s0)

fix_hadoop.patch

@@ -1,8 +1,8 @@
 Index: fedora-policy/policy/modules/roles/sysadm.te
 ===================================================================
---- fedora-policy.orig/policy/modules/roles/sysadm.te	2020-02-19 09:08:50.433854051 +0000
-+++ fedora-policy/policy/modules/roles/sysadm.te	2020-02-19 09:17:47.026397710 +0000
-@@ -289,10 +289,6 @@ optional_policy(`
+--- fedora-policy.orig/policy/modules/roles/sysadm.te
++++ fedora-policy/policy/modules/roles/sysadm.te
+@@ -293,10 +293,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15,9 +15,9 @@ Index: fedora-policy/policy/modules/roles/sysadm.te
  
 Index: fedora-policy/policy/modules/roles/unprivuser.te
 ===================================================================
---- fedora-policy.orig/policy/modules/roles/unprivuser.te	2020-02-19 09:08:50.433854051 +0000
-+++ fedora-policy/policy/modules/roles/unprivuser.te	2020-02-19 09:17:47.030397773 +0000
-@@ -197,10 +197,6 @@ ifndef(`distro_redhat',`
+--- fedora-policy.orig/policy/modules/roles/unprivuser.te
++++ fedora-policy/policy/modules/roles/unprivuser.te
+@@ -200,10 +200,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`

fix_init.patch

@@ -2,7 +2,7 @@ Index: fedora-policy/policy/modules/system/init.te
 ===================================================================
 --- fedora-policy.orig/policy/modules/system/init.te
 +++ fedora-policy/policy/modules/system/init.te
-@@ -250,6 +250,7 @@ corecmd_exec_bin(init_t)
+@@ -257,6 +257,7 @@ corecmd_exec_bin(init_t)
  corenet_all_recvfrom_netlabel(init_t)
  corenet_tcp_bind_all_ports(init_t)
  corenet_udp_bind_all_ports(init_t)
@@ -10,7 +10,7 @@ Index: fedora-policy/policy/modules/system/init.te
  
  dev_create_all_files(init_t)
  dev_create_all_chr_files(init_t)
-@@ -370,6 +371,7 @@ logging_manage_audit_config(init_t)
+@@ -378,6 +379,7 @@ logging_manage_audit_config(init_t)
  logging_create_syslog_netlink_audit_socket(init_t)
  logging_write_var_log_dirs(init_t)
  logging_manage_var_log_symlinks(init_t)
@@ -18,7 +18,7 @@ Index: fedora-policy/policy/modules/system/init.te
  
  seutil_read_config(init_t)
  seutil_read_login_config(init_t)
-@@ -419,10 +421,15 @@ ifdef(`distro_redhat',`
+@@ -427,10 +429,15 @@ ifdef(`distro_redhat',`
  corecmd_shell_domtrans(init_t, initrc_t)
  
  storage_raw_rw_fixed_disk(init_t)
@@ -34,7 +34,7 @@ Index: fedora-policy/policy/modules/system/init.te
      bootloader_domtrans(init_t)
  ')
  
-@@ -536,7 +543,7 @@ tunable_policy(`init_create_dirs',`
+@@ -544,7 +551,7 @@ tunable_policy(`init_create_dirs',`
  allow init_t self:system all_system_perms;
  allow init_t self:system module_load;
  allow init_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -43,7 +43,7 @@ Index: fedora-policy/policy/modules/system/init.te
  allow init_t self:process { getcap setcap };
  allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom };
  allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
-@@ -598,6 +605,7 @@ files_delete_all_spool_sockets(init_t)
+@@ -606,6 +613,7 @@ files_delete_all_spool_sockets(init_t)
  files_create_var_lib_dirs(init_t)
  files_create_var_lib_symlinks(init_t)
  files_read_var_lib_symlinks(init_t)
@@ -51,7 +51,7 @@ Index: fedora-policy/policy/modules/system/init.te
  files_manage_urandom_seed(init_t)
  files_list_locks(init_t)
  files_list_spool(init_t)
-@@ -689,6 +697,7 @@ systemd_userdbd_runtime_manage_symlinks(
+@@ -698,6 +706,7 @@ systemd_write_inherited_logind_sessions_
  create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
  
  create_dirs_pattern(init_t, var_log_t, var_log_t)
@@ -59,7 +59,7 @@ Index: fedora-policy/policy/modules/system/init.te
  
  auth_use_nsswitch(init_t)
  auth_rw_login_records(init_t)
-@@ -1525,6 +1534,8 @@ optional_policy(`
+@@ -1543,6 +1552,8 @@ optional_policy(`
  
  optional_policy(`
  	postfix_list_spool(initrc_t)

fix_irqbalance.patch

@@ -2,17 +2,15 @@ Index: fedora-policy/policy/modules/contrib/irqbalance.te
 ===================================================================
 --- fedora-policy.orig/policy/modules/contrib/irqbalance.te
 +++ fedora-policy/policy/modules/contrib/irqbalance.te
-@@ -25,8 +25,12 @@ dontaudit irqbalance_t self:capability s
- allow irqbalance_t self:process { getcap getsched setcap signal_perms };
- allow irqbalance_t self:udp_socket create_socket_perms;
- 
-+manage_dirs_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
+@@ -29,8 +29,11 @@ allow irqbalance_t self:udp_socket creat
+ manage_dirs_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
  manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
--files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, file)
+ manage_sock_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
 +manage_sock_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
-+files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, { dir file sock_file })
-+
-+init_nnp_daemon_domain(irqbalance_t)
+ files_pid_filetrans(irqbalance_t, irqbalance_var_run_t, { dir file sock_file })
  
++init_nnp_daemon_domain(irqbalance_t)
++
  kernel_read_network_state(irqbalance_t)
  kernel_read_system_state(irqbalance_t)
+ kernel_read_kernel_sysctls(irqbalance_t)

fix_logrotate.patch

@@ -1,8 +1,8 @@
 Index: fedora-policy/policy/modules/contrib/logrotate.te
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/logrotate.te	2020-02-19 09:36:31.796283623 +0000
-+++ fedora-policy/policy/modules/contrib/logrotate.te	2020-02-24 07:54:50.138294492 +0000
-@@ -100,6 +100,7 @@ files_var_lib_filetrans(logrotate_t, log
+--- fedora-policy.orig/policy/modules/contrib/logrotate.te
++++ fedora-policy/policy/modules/contrib/logrotate.te
+@@ -107,6 +107,7 @@ files_var_lib_filetrans(logrotate_t, log
  
  kernel_read_system_state(logrotate_t)
  kernel_read_kernel_sysctls(logrotate_t)

fix_nagios.patch

@@ -14,7 +14,7 @@ Index: fedora-policy/policy/modules/contrib/nagios.te
 ===================================================================
 --- fedora-policy.orig/policy/modules/contrib/nagios.te
 +++ fedora-policy/policy/modules/contrib/nagios.te
-@@ -155,6 +155,7 @@ allow nagios_t nagios_spool_t:file map;
+@@ -157,6 +157,7 @@ allow nagios_t nagios_spool_t:file map;
  manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
  manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
  manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)

fix_networkmanager.patch

@@ -2,7 +2,7 @@ Index: fedora-policy/policy/modules/contrib/networkmanager.te
 ===================================================================
 --- fedora-policy.orig/policy/modules/contrib/networkmanager.te
 +++ fedora-policy/policy/modules/contrib/networkmanager.te
-@@ -233,6 +233,9 @@ userdom_read_home_certs(NetworkManager_t
+@@ -236,6 +236,9 @@ userdom_read_home_certs(NetworkManager_t
  userdom_read_user_home_content_files(NetworkManager_t)
  userdom_dgram_send(NetworkManager_t)
  
@@ -12,7 +12,7 @@ Index: fedora-policy/policy/modules/contrib/networkmanager.te
  tunable_policy(`use_nfs_home_dirs',`
      fs_read_nfs_files(NetworkManager_t)
  ')
-@@ -250,6 +253,14 @@ optional_policy(`
+@@ -253,6 +256,14 @@ optional_policy(`
  ')
  
  optional_policy(`

fix_nis.patch

@@ -0,0 +1,12 @@
+Index: fedora-policy/policy/modules/contrib/nis.te
+===================================================================
+--- fedora-policy.orig/policy/modules/contrib/nis.te
++++ fedora-policy/policy/modules/contrib/nis.te
+@@ -78,6 +78,7 @@ manage_files_pattern(ypbind_t, ypbind_va
+ files_pid_filetrans(ypbind_t, ypbind_var_run_t, file)
+ 
+ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
++manage_dirs_pattern(ypbind_t, var_yp_t, var_yp_t)
+ 
+ kernel_read_system_state(ypbind_t)
+ kernel_read_kernel_sysctls(ypbind_t)

fix_postfix.patch

@@ -70,11 +70,12 @@ Index: fedora-policy/policy/modules/contrib/postfix.te
 ===================================================================
 --- fedora-policy.orig/policy/modules/contrib/postfix.te
 +++ fedora-policy/policy/modules/contrib/postfix.te
-@@ -447,6 +447,13 @@ logging_send_syslog_msg(postfix_map_t)
+@@ -447,6 +447,14 @@ logging_send_syslog_msg(postfix_map_t)
  
  userdom_use_inherited_user_ptys(postfix_map_t)
  
 +corecmd_exec_bin(postfix_map_t)
++allow postfix_map_t postfix_map_exec_t:file execute_no_trans;
 +init_ioctl_stream_sockets(postfix_map_t)
 +
 +optional_policy(`
@@ -84,7 +85,7 @@ Index: fedora-policy/policy/modules/contrib/postfix.te
  optional_policy(`
  	locallogin_dontaudit_use_fds(postfix_map_t)
  ')
-@@ -687,6 +694,14 @@ corenet_tcp_connect_spamd_port(postfix_m
+@@ -687,6 +695,14 @@ corenet_tcp_connect_spamd_port(postfix_m
  files_search_all_mountpoints(postfix_smtp_t)
  
  optional_policy(`
@@ -97,5 +98,5 @@ Index: fedora-policy/policy/modules/contrib/postfix.te
 +
 +optional_policy(`
  	cyrus_stream_connect(postfix_smtp_t)
+ 	cyrus_runtime_stream_connect(postfix_smtp_t)
  ')
- 

fix_sysnetwork.patch

@@ -1,13 +1,13 @@
 Index: fedora-policy/policy/modules/system/sysnetwork.fc
 ===================================================================
---- fedora-policy.orig/policy/modules/system/sysnetwork.fc	2019-08-05 09:39:39.121510745 +0200
-+++ fedora-policy/policy/modules/system/sysnetwork.fc	2019-08-21 13:47:17.253328905 +0200
+--- fedora-policy.orig/policy/modules/system/sysnetwork.fc
++++ fedora-policy/policy/modules/system/sysnetwork.fc
 @@ -102,6 +102,8 @@ ifdef(`distro_debian',`
  /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
  ')
  
 +/var/run/netconfig(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
 +
- /var/run/netns(/.*)?		gen_context(system_u:object_r:ifconfig_var_run_t,s0)
- /etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+ /var/run/netns	-d 		gen_context(system_u:object_r:ifconfig_var_run_t,s0)
+ /var/run/netns/[^/]+       	<<none>>
  

fix_systemd.patch

@@ -2,7 +2,7 @@ Index: fedora-policy/policy/modules/system/systemd.te
 ===================================================================
 --- fedora-policy.orig/policy/modules/system/systemd.te
 +++ fedora-policy/policy/modules/system/systemd.te
-@@ -328,6 +328,10 @@ userdom_manage_user_tmp_chr_files(system
+@@ -332,6 +332,10 @@ userdom_manage_user_tmp_chr_files(system
  xserver_dbus_chat(systemd_logind_t)
  
  optional_policy(`
@@ -13,7 +13,7 @@ Index: fedora-policy/policy/modules/system/systemd.te
  	apache_read_tmp_files(systemd_logind_t)
  ')
  
-@@ -817,6 +821,10 @@ optional_policy(`
+@@ -823,6 +827,10 @@ optional_policy(`
          dbus_connect_system_bus(systemd_hostnamed_t)
  ')
  

fix_thunderbird.patch

@@ -1,8 +1,8 @@
 Index: fedora-policy/policy/modules/contrib/thunderbird.te
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/thunderbird.te	2019-08-21 13:42:54.325021721 +0200
-+++ fedora-policy/policy/modules/contrib/thunderbird.te	2019-08-21 13:42:58.249085986 +0200
-@@ -138,7 +138,6 @@ optional_policy(`
+--- fedora-policy.orig/policy/modules/contrib/thunderbird.te
++++ fedora-policy/policy/modules/contrib/thunderbird.te
+@@ -139,7 +139,6 @@ optional_policy(`
  optional_policy(`
  	gnome_stream_connect_gconf(thunderbird_t)
  	gnome_domtrans_gconfd(thunderbird_t)

fix_unconfined.patch

@@ -1,7 +1,7 @@
 Index: fedora-policy/policy/modules/system/unconfined.te
 ===================================================================
---- fedora-policy.orig/policy/modules/system/unconfined.te	2020-02-19 09:36:25.444182470 +0000
-+++ fedora-policy/policy/modules/system/unconfined.te	2020-02-24 15:14:59.222899685 +0000
+--- fedora-policy.orig/policy/modules/system/unconfined.te
++++ fedora-policy/policy/modules/system/unconfined.te
 @@ -1,5 +1,10 @@
  policy_module(unconfined, 3.5.0)
  

fix_unconfineduser.patch

@@ -25,10 +25,14 @@ Index: fedora-policy/policy/modules/roles/unconfineduser.te
  	chrome_role_notrans(unconfined_r, unconfined_t)
  
  	tunable_policy(`unconfined_chrome_sandbox_transition',`
-@@ -244,6 +253,14 @@ optional_policy(`
+@@ -244,6 +253,18 @@ optional_policy(`
  	dbus_stub(unconfined_t)
  
  	optional_policy(`
++		accountsd_dbus_chat(unconfined_dbusd_t)
++	')
++
++	optional_policy(`
 +		networkmanager_dbus_chat(unconfined_dbusd_t)
 +	')
 +

fix_unprivuser.patch

@@ -2,7 +2,7 @@ Index: fedora-policy/policy/modules/roles/unprivuser.te
 ===================================================================
 --- fedora-policy.orig/policy/modules/roles/unprivuser.te
 +++ fedora-policy/policy/modules/roles/unprivuser.te
-@@ -281,6 +281,13 @@ ifndef(`distro_redhat',`
+@@ -289,6 +289,13 @@ ifndef(`distro_redhat',`
  ')
  
  optional_policy(`

selinux-policy.changes

@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Fri Jul 17 08:30:52 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
+
+- Update to version 20200717. Refreshed
+  * fix_fwupd.patch
+  * fix_hadoop.patch
+  * fix_init.patch
+  * fix_irqbalance.patch
+  * fix_logrotate.patch
+  * fix_nagios.patch
+  * fix_networkmanager.patch
+  * fix_postfix.patch
+  * fix_sysnetwork.patch
+  * fix_systemd.patch
+  * fix_thunderbird.patch
+  * fix_unconfined.patch
+  * fix_unprivuser.patch
+  * selinux-policy.spec
+- Added update.sh to make updating easier
+
+-------------------------------------------------------------------
+Tue Jul 14 13:18:43 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
+
+- Updated fix_unconfineduser.patch to allow unconfined_dbusd_t access
+  to accountsd dbus
+- New patch:
+  * fix_nis.patch
+- Updated patches:
+  * fix_postfix.patch: Transition is done in distribution specific script
+
 -------------------------------------------------------------------
 Tue Jun  2 14:45:37 UTC 2020 - Johannes Segitz <jsegitz@suse.de>
 

selinux-policy.spec

@@ -66,7 +66,7 @@ Summary:        SELinux policy configuration
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20200219
+Version:        20200717
 Release:        0
 Source:         fedora-policy.%{version}.tar.bz2
 
@@ -159,6 +159,7 @@ Patch045:       fix_screen.patch
 Patch046:       fix_unprivuser.patch
 Patch047:       fix_rpm.patch
 Patch048:       fix_apache.patch
+Patch049:       fix_nis.patch
 
 Patch100: 	sedoctool.patch
 
@@ -414,6 +415,7 @@ systems and used as the basis for creating other policies.
 %patch046 -p1
 %patch047 -p1
 %patch048 -p1
+%patch049 -p1
 
 %patch100 -p1
 find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \;

update.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+date=$(date '+%Y%m%d')
+
+echo Update to $date
+
+rm -rf fedora-policy container-selinux selinux-policy-contrib
+
+git clone --depth 1 https://github.com/fedora-selinux/selinux-policy.git
+git clone --depth 1 https://github.com/fedora-selinux/selinux-policy-contrib.git
+git clone --depth 1 https://github.com/containers/container-selinux.git
+
+mv selinux-policy fedora-policy
+rm -rf fedora-policy/.git*
+mv selinux-policy-contrib/* fedora-policy/policy/modules/contrib/
+mv container-selinux/* fedora-policy/policy/modules/contrib/
+
+rm -f fedora-policy.$date.tar*
+tar cf fedora-policy.$date.tar fedora-policy
+bzip2 fedora-policy.$date.tar
+rm -rf fedora-policy container-selinux selinux-policy-contrib
+
+sed -i -e "s/^Version:.*/Version:        $date/" selinux-policy.spec
+
+echo "remove old tar file, then osc addremove"