Hu
9dc19e60e0
- Enable sap module
- Add equivalency in file_contexts.subs_dist
  * /bin /usr/bin
  * /sbin /usr/bin
  * /usr/sbin /usr/bin
- Update to version 20240710:
  * Change fc in rebootmgr module for /sbin -> /usr/bin
  * Change fc in rpm module for /sbin -> /usr/bin
  * Change fc in rsync module for /sbin -> /usr/bin
  * Change fc in wicked module for /sbin -> /usr/bin
  * Confine libvirt-dbus
  * Allow virtqemud the kill capability in user namespace
  * Allow rshim get options of the netlink class for KOBJECT_UEVENT family
  * Allow dhcpcd the kill capability
  * Allow systemd-networkd list /var/lib/systemd/network
  * Allow sysadm_t run systemd-nsresourced bpf programs
  * Update policy for systemd generators interactions
  * Allow create memory.pressure files with cgroup_memory_pressure_t
  * Add support for libvirt hooks
  * Allow certmonger read and write tpm devices
  * Allow all domains to connect to systemd-nsresourced over a unix socket
  * Allow systemd-machined read the vsock device
  * Update policy for systemd generators
  * Allow ptp4l_t request that the kernel load a kernel module
  * Allow sbd to trace processes in user namespace
  * Allow request-key execute scripts
  * Update policy for haproxyd
  * Update policy for systemd-nsresourced
  * Correct sbin-related file context entries
  * Allow login_userdomain execute systemd-tmpfiles in the caller domain
  * Allow virt_driver_domain read files labeled unconfined_t
  * Allow virt_driver_domain dbus chat with policykit
  * Allow virtqemud manage nfs files when virt_use_nfs boolean is on
  * Add rules for interactions between generators
  * Label memory.pressure files with cgroup_memory_pressure_t
  * Revert "Allow some systemd services write to cgroup files"
  * Update policy for systemd-nsresourced
  * Label /usr/bin/ntfsck with fsadm_exec_t
  * Allow systemd_fstab_generator_t read tmpfs files
  * Update policy for systemd-nsresourced
  * Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
  * Remove a few lines duplicated between {dkim,milter}.fc
  * Alias /bin → /usr/bin and remove redundant paths
  * Drop duplicate line for /usr/sbin/unix_chkpwd
  * Drop duplicate paths for /usr/sbin
  * Update systemd-generator policy
  * Remove permissive domain for bootupd_t
  * Remove permissive domain for coreos_installer_t
  * Remove permissive domain for afterburn_t
  * Add the sap module to modules.conf
  * Move unconfined_domain(sap_unconfined_t) to an optional block
  * Create the sap module
  * Allow systemd-coredumpd sys_admin and sys_resource capabilities
  * Allow systemd-coredump read nsfs files
  * Allow generators auto file transition only for plain files
  * Allow systemd-hwdb write to the kernel messages device
  * Escape "interface" as a file name in a virt filetrans pattern
  * Allow gnome-software work for login_userdomain
  * Allow systemd-machined manage runtime sockets
  * Revert "Allow systemd-machined manage runtime sockets"
  * Allow postfix_domain connect to postgresql over a unix socket
  * Dontaudit systemd-coredump sys_admin capability
- Update container-selinux

OBS-URL: https://build.opensuse.org/request/show/1186574
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=233
35 lines
1.7 KiB
Bash
#!/bin/bash
# This script creates a debugging and testing environment when working on the policy
# Basically a fancy wrapper for "tar --exclude-vcs -cJf selinux-policy-20230321.tar.xz --transform 's,^,selinux-policy-20230321/,' -C selinux-policy ."
#
# 1. Get the git repository with 'osc service manualrun' or './update.sh'
# 2. Make your changes in the selinux-policy repository, test around
#    1. When you want to build locally to debug, call this script. It will create a .tar.xz with your current selinux-policy working directory.
#    2. Build locally: e.g. with osc build
#    3. Test your rpms that contain your changes and repeat
# 3. When finished, commit your changes in the selinux-policy repository and push to git
# 4. Run './update.sh' and check in the changes to OBS

REPO_NAME=selinux-policy

# Check if git repository exists, if not ask the user to fetch the latest version
if ! test -d "$REPO_NAME"; then
    echo "-$REPO_NAME does not exist. Please run 'osc service manualrun' or './update.sh' first."
    exit 1
fi

# Get current version: Parse "Version: <current-version>" from specfile
VERSION=$(grep -Po '^Version:\s*\K.*?(?=$)' "$REPO_NAME.spec")

# Stop if no version was parsed, otherwise the archive name and prefix would be malformed
if test -z "$VERSION"; then
    echo "Error, could not parse Version from $REPO_NAME.spec"
    exit 1
fi

# Create tar file with name like selinux-policy-<current-version>.tar.xz
TAR_NAME="$REPO_NAME-$VERSION.tar.xz"
echo "Creating tar file: $TAR_NAME"
tar --exclude-vcs -cJf "$TAR_NAME" --transform "s,^,$REPO_NAME-$VERSION/," -C "$REPO_NAME" .

# Some helpful prompts
if test $? -eq 0; then
    echo "Success! Now you can run your local build command, e.g. 'osc build'. It will take the archive that contains your changes."
    echo "You can also inspect the created archive with: 'tar tvf $REPO_NAME-$VERSION.tar.xz'"
else
    echo "Error, creating archive failed"
    # Report the failure to the caller as well
    exit 1
fi
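
An added check for the archive this script produces (example code, not part of the project's script): it reads a `tar tf` listing and confirms that every member sits under the `selinux-policy-<version>/` prefix set by `--transform`, and that no VCS metadata got past `--exclude-vcs`. The function name `check_archive_listing` is an assumption made for this example.

```shell
#!/bin/bash
# Added example, not from the selinux-policy package.
# Usage: tar tf selinux-policy-<version>.tar.xz | check_archive_listing selinux-policy-<version>
# Returns 0 when every member lies under PREFIX/ and none is VCS metadata or
# contains a '..' component; otherwise prints the offending members and returns 1.
check_archive_listing() {
    local prefix="$1"
    local member rel
    local bad=0
    local count=0
    while IFS= read -r member; do
        count=$((count + 1))
        case "$member" in
            "$prefix"/*) rel=${member#"$prefix"/} ;;
            *) echo "outside prefix: $member"; bad=1; continue ;;
        esac
        # 'tar -C repo .' stores names as './path', so after the transform
        # members read PREFIX/./path; drop the leading './' before matching.
        rel=${rel#./}
        case "/$rel/" in
            */../*) echo "path traversal: $member"; bad=1 ;;
            */.git/*|*/.svn/*|*/.hg/*|*/.bzr/*|*/CVS/*)
                echo "VCS metadata: $member"; bad=1 ;;
        esac
    done
    # An empty listing means tar failed or produced an empty archive.
    [ "$count" -gt 0 ] || { echo "empty listing"; bad=1; }
    return "$bad"
}
```

Running it between the archive step and `osc build` catches a repository checkout whose history would otherwise ship inside the source tarball.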