Accepting request 1063441 from home:jsegitz:branches:security:SELinux
- Update to version 20230206. Refreshed: * fix_entropyd.patch * fix_networkmanager.patch * fix_systemd_watch.patch * fix_unconfineduser.patch - Updated fix_kernel.patch to allow kernel_t access to xdm state. This is necessary as plymouth doesn't run in its own domain in early boot OBS-URL: https://build.opensuse.org/request/show/1063441 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=172
parent
c4556003bf
commit
2c0c138859
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:4653c59f1e4df7872bf6f0186e1d75819b2b0580e750cad1b32bcb8ae71146ee
|
||||
size 736028
|
3
fedora-policy-20230206.tar.bz2
Normal file
3
fedora-policy-20230206.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:5cf93823fbb8094a509b23be28f1328e7d61a6d564c6265ecbb295c63c188979
|
||||
size 736493
|
@ -1,7 +1,7 @@
|
||||
Index: fedora-policy-20230125/policy/modules/contrib/entropyd.te
|
||||
Index: fedora-policy-20230206/policy/modules/contrib/entropyd.te
|
||||
===================================================================
|
||||
--- fedora-policy-20230125.orig/policy/modules/contrib/entropyd.te
|
||||
+++ fedora-policy-20230125/policy/modules/contrib/entropyd.te
|
||||
--- fedora-policy-20230206.orig/policy/modules/contrib/entropyd.te
|
||||
+++ fedora-policy-20230206/policy/modules/contrib/entropyd.te
|
||||
@@ -24,6 +24,9 @@ init_script_file(entropyd_initrc_exec_t)
|
||||
type entropyd_var_run_t;
|
||||
files_pid_file(entropyd_var_run_t)
|
||||
@ -32,10 +32,10 @@ Index: fedora-policy-20230125/policy/modules/contrib/entropyd.te
|
||||
|
||||
domain_use_interactive_fds(entropyd_t)
|
||||
|
||||
Index: fedora-policy-20230125/policy/modules/contrib/entropyd.if
|
||||
Index: fedora-policy-20230206/policy/modules/contrib/entropyd.if
|
||||
===================================================================
|
||||
--- fedora-policy-20230125.orig/policy/modules/contrib/entropyd.if
|
||||
+++ fedora-policy-20230125/policy/modules/contrib/entropyd.if
|
||||
--- fedora-policy-20230206.orig/policy/modules/contrib/entropyd.if
|
||||
+++ fedora-policy-20230206/policy/modules/contrib/entropyd.if
|
||||
@@ -33,3 +33,22 @@ interface(`entropyd_admin',`
|
||||
files_search_pids($1)
|
||||
admin_pattern($1, entropyd_var_run_t)
|
||||
@ -59,11 +59,11 @@ Index: fedora-policy-20230125/policy/modules/contrib/entropyd.if
|
||||
+
|
||||
+ fs_tmpfs_filetrans($1, entropyd_tmpfs_t, file, "sem.haveged_sem")
|
||||
+')
|
||||
Index: fedora-policy-20230125/policy/modules/kernel/kernel.te
|
||||
Index: fedora-policy-20230206/policy/modules/kernel/kernel.te
|
||||
===================================================================
|
||||
--- fedora-policy-20230125.orig/policy/modules/kernel/kernel.te
|
||||
+++ fedora-policy-20230125/policy/modules/kernel/kernel.te
|
||||
@@ -397,6 +397,10 @@ optional_policy(`
|
||||
--- fedora-policy-20230206.orig/policy/modules/kernel/kernel.te
|
||||
+++ fedora-policy-20230206/policy/modules/kernel/kernel.te
|
||||
@@ -401,6 +401,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -1,8 +1,8 @@
|
||||
Index: fedora-policy-20230125/policy/modules/kernel/kernel.te
|
||||
Index: fedora-policy-20230206/policy/modules/kernel/kernel.te
|
||||
===================================================================
|
||||
--- fedora-policy-20230125.orig/policy/modules/kernel/kernel.te
|
||||
+++ fedora-policy-20230125/policy/modules/kernel/kernel.te
|
||||
@@ -389,6 +389,13 @@ ifdef(`distro_redhat',`
|
||||
--- fedora-policy-20230206.orig/policy/modules/kernel/kernel.te
|
||||
+++ fedora-policy-20230206/policy/modules/kernel/kernel.te
|
||||
@@ -393,6 +393,13 @@ ifdef(`distro_redhat',`
|
||||
fs_rw_tmpfs_chr_files(kernel_t)
|
||||
')
|
||||
|
||||
@ -16,7 +16,7 @@ Index: fedora-policy-20230125/policy/modules/kernel/kernel.te
|
||||
optional_policy(`
|
||||
abrt_filetrans_named_content(kernel_t)
|
||||
abrt_dump_oops_domtrans(kernel_t)
|
||||
@@ -410,6 +417,7 @@ optional_policy(`
|
||||
@@ -418,6 +425,7 @@ optional_policy(`
|
||||
init_dbus_chat(kernel_t)
|
||||
init_sigchld(kernel_t)
|
||||
init_dyntrans(kernel_t)
|
||||
@ -24,10 +24,18 @@ Index: fedora-policy-20230125/policy/modules/kernel/kernel.te
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
Index: fedora-policy-20230125/policy/modules/system/modutils.if
|
||||
@@ -519,6 +527,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ xserver_read_xdm_state(kernel_t)
|
||||
xserver_xdm_manage_spool(kernel_t)
|
||||
xserver_filetrans_home_content(kernel_t)
|
||||
')
|
||||
Index: fedora-policy-20230206/policy/modules/system/modutils.if
|
||||
===================================================================
|
||||
--- fedora-policy-20230125.orig/policy/modules/system/modutils.if
|
||||
+++ fedora-policy-20230125/policy/modules/system/modutils.if
|
||||
--- fedora-policy-20230206.orig/policy/modules/system/modutils.if
|
||||
+++ fedora-policy-20230206/policy/modules/system/modutils.if
|
||||
@@ -525,3 +525,21 @@ interface(`modutils_dontaudit_kmod_tmpfs
|
||||
|
||||
dontaudit $1 kmod_tmpfs_t:file { getattr };
|
||||
|
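Review bot: The added `xserver_read_xdm_state(kernel_t)` in the final `optional_policy` block of the kernel.te patch has no comment explaining why kernel_t needs it; the reason (plymouth does not run in its own domain in early boot) is recorded only in the changelog. The rule applies to everything running as kernel_t, not just plymouth, so the rationale should sit next to the grant, e.g. `# plymouth runs as kernel_t in early boot and needs xdm state; remove once plymouth has its own domain`. That gives a later policy refresh a clear condition for dropping the access rather than carrying it forward silently. The outer diff's +/- column is lost on this page, so I am inferring from the changelog and the `@@ -519,6 +527,7 @@` header that this is the one newly added rule.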
@ -1,7 +1,7 @@
|
||||
Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.te
|
||||
Index: fedora-policy-20230206/policy/modules/contrib/networkmanager.te
|
||||
===================================================================
|
||||
--- fedora-policy-20230125.orig/policy/modules/contrib/networkmanager.te
|
||||
+++ fedora-policy-20230125/policy/modules/contrib/networkmanager.te
|
||||
--- fedora-policy-20230206.orig/policy/modules/contrib/networkmanager.te
|
||||
+++ fedora-policy-20230206/policy/modules/contrib/networkmanager.te
|
||||
@@ -260,6 +260,7 @@ sysnet_search_dhcp_state(NetworkManager_
|
||||
sysnet_manage_config(NetworkManager_t)
|
||||
sysnet_filetrans_named_content(NetworkManager_t)
|
||||
@ -59,7 +59,7 @@ Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.te
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -607,6 +629,7 @@ files_manage_etc_files(NetworkManager_di
|
||||
@@ -608,6 +630,7 @@ files_manage_etc_files(NetworkManager_di
|
||||
|
||||
init_status(NetworkManager_dispatcher_cloud_t)
|
||||
init_status(NetworkManager_dispatcher_ddclient_t)
|
||||
@ -67,7 +67,7 @@ Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.te
|
||||
init_append_stream_sockets(networkmanager_dispatcher_plugin)
|
||||
init_ioctl_stream_sockets(networkmanager_dispatcher_plugin)
|
||||
init_stream_connect(networkmanager_dispatcher_plugin)
|
||||
@@ -622,6 +645,10 @@ optional_policy(`
|
||||
@@ -623,6 +646,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -78,10 +78,10 @@ Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.te
|
||||
cloudform_init_domtrans(NetworkManager_dispatcher_cloud_t)
|
||||
')
|
||||
|
||||
Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.if
|
||||
Index: fedora-policy-20230206/policy/modules/contrib/networkmanager.if
|
||||
===================================================================
|
||||
--- fedora-policy-20230125.orig/policy/modules/contrib/networkmanager.if
|
||||
+++ fedora-policy-20230125/policy/modules/contrib/networkmanager.if
|
||||
--- fedora-policy-20230206.orig/policy/modules/contrib/networkmanager.if
|
||||
+++ fedora-policy-20230206/policy/modules/contrib/networkmanager.if
|
||||
@@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran
|
||||
init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
|
||||
')
|
||||
@ -107,10 +107,10 @@ Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.if
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute NetworkManager server in the NetworkManager domain.
|
||||
Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.fc
|
||||
Index: fedora-policy-20230206/policy/modules/contrib/networkmanager.fc
|
||||
===================================================================
|
||||
--- fedora-policy-20230125.orig/policy/modules/contrib/networkmanager.fc
|
||||
+++ fedora-policy-20230125/policy/modules/contrib/networkmanager.fc
|
||||
--- fedora-policy-20230206.orig/policy/modules/contrib/networkmanager.fc
|
||||
+++ fedora-policy-20230206/policy/modules/contrib/networkmanager.fc
|
||||
@@ -24,6 +24,7 @@
|
||||
/usr/lib/NetworkManager/dispatcher\.d/04-iscsi -- gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0)
|
||||
/usr/lib/NetworkManager/dispatcher\.d/10-sendmail -- gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0)
|
||||
|
@ -1,8 +1,8 @@
|
||||
Index: fedora-policy-20230116/policy/modules/system/systemd.te
|
||||
Index: fedora-policy-20230206/policy/modules/system/systemd.te
|
||||
===================================================================
|
||||
--- fedora-policy-20230116.orig/policy/modules/system/systemd.te
|
||||
+++ fedora-policy-20230116/policy/modules/system/systemd.te
|
||||
@@ -1520,6 +1520,12 @@ fstools_rw_swap_files(systemd_sleep_t)
|
||||
--- fedora-policy-20230206.orig/policy/modules/system/systemd.te
|
||||
+++ fedora-policy-20230206/policy/modules/system/systemd.te
|
||||
@@ -1524,6 +1524,12 @@ fstools_rw_swap_files(systemd_sleep_t)
|
||||
storage_getattr_fixed_disk_dev(systemd_sleep_t)
|
||||
storage_getattr_removable_dev(systemd_sleep_t)
|
||||
|
||||
|
@ -1,8 +1,8 @@
|
||||
Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te
|
||||
Index: fedora-policy-20230206/policy/modules/roles/unconfineduser.te
|
||||
===================================================================
|
||||
--- fedora-policy-20221019.orig/policy/modules/roles/unconfineduser.te
|
||||
+++ fedora-policy-20221019/policy/modules/roles/unconfineduser.te
|
||||
@@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all'
|
||||
--- fedora-policy-20230206.orig/policy/modules/roles/unconfineduser.te
|
||||
+++ fedora-policy-20230206/policy/modules/roles/unconfineduser.te
|
||||
@@ -126,6 +126,11 @@ tunable_policy(`unconfined_dyntrans_all'
|
||||
domain_dyntrans(unconfined_t)
|
||||
')
|
||||
|
||||
@ -14,7 +14,7 @@ Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type unconfined_t;
|
||||
@@ -214,6 +219,10 @@ optional_policy(`
|
||||
@@ -216,6 +221,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -25,7 +25,7 @@ Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te
|
||||
chrome_role_notrans(unconfined_r, unconfined_t)
|
||||
|
||||
tunable_policy(`unconfined_chrome_sandbox_transition',`
|
||||
@@ -248,6 +257,18 @@ optional_policy(`
|
||||
@@ -250,6 +259,18 @@ optional_policy(`
|
||||
dbus_stub(unconfined_t)
|
||||
|
||||
optional_policy(`
|
||||
|
@ -1,3 +1,14 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Feb 6 08:36:32 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
- Update to version 20230206. Refreshed:
|
||||
* fix_entropyd.patch
|
||||
* fix_networkmanager.patch
|
||||
* fix_systemd_watch.patch
|
||||
* fix_unconfineduser.patch
|
||||
- Updated fix_kernel.patch to allow kernel_t access to xdm state. This is
|
||||
necessary as plymouth doesn't run in it's own domain in early boot
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 16 08:42:09 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
|
@ -33,7 +33,7 @@ Summary: SELinux policy configuration
|
||||
License: GPL-2.0-or-later
|
||||
Group: System/Management
|
||||
Name: selinux-policy
|
||||
Version: 20230125
|
||||
Version: 20230206
|
||||
Release: 0
|
||||
Source: fedora-policy-%{version}.tar.bz2
|
||||
Source1: selinux-policy-rpmlintrc
|
||||
|