selinux-policy/systemd-tmpfiles.patch

Index: serefpolicy-20140730/policy/modules/system/systemd.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/systemd.te
+++ serefpolicy-20140730/policy/modules/system/systemd.te
@@ -320,6 +320,11 @@ dev_read_cpu_online(systemd_tmpfiles_t)
 dev_manage_all_dev_nodes(systemd_tmpfiles_t)
 dev_relabel_all_dev_nodes(systemd_tmpfiles_t)
 
+# allow tmpfiles to create files/dirs in /dev
+systemd_tmpfiles_xconsole_create(systemd_tmpfiles_t)
+dev_getattr_autofs_dev(systemd_tmpfiles_t);
+dev_getattr_lvm_control(systemd_tmpfiles_t);
+dev_create_generic_dirs(systemd_tmpfiles_t);
 domain_obj_id_change_exemption(systemd_tmpfiles_t)
 
 # systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
Index: serefpolicy-20140730/policy/modules/system/systemd.if
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/systemd.if
+++ serefpolicy-20140730/policy/modules/system/systemd.if
@@ -1458,3 +1458,22 @@ interface(`systemd_dontaudit_dbus_chat',
 
 	dontaudit $1 systemd_domain:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	Allow systemd-tmpfiles to create xconsole_device_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`systemd_tmpfiles_xconsole_create',`
+	gen_require(`
+		type device_t, xconsole_device_t;
+	')
+
+	create_fifo_files_pattern($1, device_t, xconsole_device_t);
+')
+
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=68 2018-11-27 09:16:35 +00:00			`Index: serefpolicy-20140730/policy/modules/system/systemd.te`
			`===================================================================`
			`--- serefpolicy-20140730.orig/policy/modules/system/systemd.te`
			`+++ serefpolicy-20140730/policy/modules/system/systemd.te`
			`@@ -320,6 +320,11 @@ dev_read_cpu_online(systemd_tmpfiles_t)`
			`dev_manage_all_dev_nodes(systemd_tmpfiles_t)`
			`dev_relabel_all_dev_nodes(systemd_tmpfiles_t)`

			`+# allow tmpfiles to create files/dirs in /dev`
			`+systemd_tmpfiles_xconsole_create(systemd_tmpfiles_t)`
			`+dev_getattr_autofs_dev(systemd_tmpfiles_t);`
			`+dev_getattr_lvm_control(systemd_tmpfiles_t);`
			`+dev_create_generic_dirs(systemd_tmpfiles_t);`
			`domain_obj_id_change_exemption(systemd_tmpfiles_t)`

			`# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev`
			`Index: serefpolicy-20140730/policy/modules/system/systemd.if`
			`===================================================================`
			`--- serefpolicy-20140730.orig/policy/modules/system/systemd.if`
			`+++ serefpolicy-20140730/policy/modules/system/systemd.if`
			@@ -1458,3 +1458,22 @@ interface(`systemd_dontaudit_dbus_chat',

			`dontaudit $1 systemd_domain:dbus send_msg;`
			`')`
			`+`
			`+########################################`
			`+## <summary>`
			`+## Allow systemd-tmpfiles to create xconsole_device_t`
			`+## </summary>`
			`+## <param name="domain">`
			`+## <summary>`
			`+## Domain to not audit.`
			`+## </summary>`
			`+## </param>`
			`+#`
			+interface(`systemd_tmpfiles_xconsole_create',`
			+ gen_require(`
			`+ type device_t, xconsole_device_t;`
			`+ ')`
			`+`
			`+ create_fifo_files_pattern($1, device_t, xconsole_device_t);`
			`+')`
			`+`