pool/selinux-policy
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
b66c2b8ce6
selinux-policy/fix_init.patch
Johannes Segitz b66c2b8ce6 Accepting request 1035580 from home:jsegitz:branches:security:SELinux 
- Update to version 20221019. Refreshed:
  * distro_suse_to_distro_redhat.patch
  * fix_apache.patch
  * fix_chronyd.patch
  * fix_cron.patch
  * fix_init.patch
  * fix_kernel_sysctl.patch
  * fix_networkmanager.patch
  * fix_rpm.patch
  * fix_sysnetwork.patch
  * fix_systemd.patch
  * fix_systemd_watch.patch
  * fix_unconfined.patch
  * fix_unconfineduser.patch
  * fix_unprivuser.patch
  * fix_xserver.patch
- Dropped fix_cockpit.patch as this is now packaged with cockpit itself
- Remove the ipa module, freeip ships their own module
- Added fix_alsa.patch to allow reading of config files in home directories
- Extended fix_networkmanager.patch and fix_postfix.patch to account
  for SUSE systems
- Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc
  queries the running processes
- Updated fix_snapper.patch to allow snapper to talk to rpm via dbus

OBS-URL: https://build.opensuse.org/request/show/1035580
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=155
2022-11-14 08:27:42 +00:00

89 lines
3.1 KiB
Diff
Raw Blame History

Index: fedora-policy-20221019/policy/modules/system/init.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/init.te
+++ fedora-policy-20221019/policy/modules/system/init.te
@@ -269,6 +269,8 @@ corecmd_exec_bin(init_t)
corenet_all_recvfrom_netlabel(init_t)
corenet_tcp_bind_all_ports(init_t)
corenet_udp_bind_all_ports(init_t)
+corenet_udp_bind_generic_node(init_t)
+corenet_tcp_bind_generic_node(init_t)
dev_create_all_files(init_t)
dev_create_all_chr_files(init_t)
@@ -398,6 +400,7 @@ logging_manage_audit_config(init_t)
logging_create_syslog_netlink_audit_socket(init_t)
logging_write_var_log_dirs(init_t)
logging_manage_var_log_symlinks(init_t)
+logging_dgram_accept(init_t)
seutil_read_config(init_t)
seutil_read_login_config(init_t)
@@ -450,9 +453,19 @@ ifdef(`distro_redhat',`
corecmd_shell_domtrans(init_t, initrc_t)
storage_raw_rw_fixed_disk(init_t)
+storage_raw_read_removable_device(init_t)
sysnet_read_dhcpc_state(init_t)
+# bsc#1197610, find a better, generic solution
+optional_policy(`
+ mta_getattr_spool(init_t)
+')
+
+optional_policy(`
+ networkmanager_initrc_read_lnk_files(init_t)
+')
+
optional_policy(`
anaconda_stream_connect(init_t)
anaconda_create_unix_stream_sockets(init_t)
@@ -584,10 +597,10 @@ tunable_policy(`init_audit_control',`
allow init_t self:system all_system_perms;
allow init_t self:system module_load;
allow init_t self:unix_dgram_socket { create_socket_perms sendto };
-allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec };
+allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec execmem };
allow init_t self:process { getcap setcap };
allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom };
-allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
allow init_t self:netlink_selinux_socket create_socket_perms;
allow init_t self:unix_dgram_socket lock;
# Until systemd is fixed
@@ -647,6 +660,7 @@ files_delete_all_spool_sockets(init_t)
files_create_var_lib_dirs(init_t)
files_create_var_lib_symlinks(init_t)
files_read_var_lib_symlinks(init_t)
+files_read_var_files(init_t)
files_manage_urandom_seed(init_t)
files_list_locks(init_t)
files_list_spool(init_t)
@@ -684,7 +698,7 @@ fs_list_all(init_t)
fs_list_auto_mountpoints(init_t)
fs_register_binary_executable_type(init_t)
fs_relabel_tmpfs_sock_file(init_t)
-fs_rw_tmpfs_files(init_t)
+fs_rw_tmpfs_files(init_t)
fs_relabel_cgroup_dirs(init_t)
fs_search_cgroup_dirs(init_t)
# for network namespaces
@@ -740,6 +754,7 @@ systemd_write_inherited_logind_sessions_
create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
create_dirs_pattern(init_t, var_log_t, var_log_t)
+files_manage_var_files(init_t)
auth_use_nsswitch(init_t)
auth_rw_login_records(init_t)
@@ -1596,6 +1611,8 @@ optional_policy(`
optional_policy(`
postfix_list_spool(initrc_t)
+ #allow init_t postfix_map_exec_t:file { open read execute execute_no_trans ioctl };
+ postfix_domtrans_map(init_t)
')
optional_policy(`
Reference in New Issue View Git Blame Copy Permalink