rpm/selinux-policy
SHA256
1
0
Fork 0
forked from pool/selinux-policy
Code Pull Requests Activity

Accepting request 1063441 from home:jsegitz:branches:security:SELinux

Browse Source 
- Update to version 20230206. Refreshed:
  * fix_entropyd.patch
  * fix_networkmanager.patch
  * fix_systemd_watch.patch
  * fix_unconfineduser.patch
- Updated fix_kernel.patch to allow kernel_t access to xdm state. This is
  necessary as plymouth doesn't run in it's own domain in early boot

OBS-URL: https://build.opensuse.org/request/show/1063441
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=172
This commit is contained in:
Johannes Segitz 2023-02-06 15:32:26 +00:00 committed by Git OBS Bridge
parent c4556003bf
commit 2c0c138859
9 changed files with 62 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
fedora-policy-20230125.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4653c59f1e4df7872bf6f0186e1d75819b2b0580e750cad1b32bcb8ae71146ee
size 736028

3
fedora-policy-20230206.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5cf93823fbb8094a509b23be28f1328e7d61a6d564c6265ecbb295c63c188979
size 736493

20
fix_entropyd.patch
View File

@ -1,7 +1,7 @@
Index: fedora-policy-20230125/policy/modules/contrib/entropyd.te Index: fedora-policy-20230206/policy/modules/contrib/entropyd.te
=================================================================== ===================================================================
--- fedora-policy-20230125.orig/policy/modules/contrib/entropyd.te --- fedora-policy-20230206.orig/policy/modules/contrib/entropyd.te
+++ fedora-policy-20230125/policy/modules/contrib/entropyd.te +++ fedora-policy-20230206/policy/modules/contrib/entropyd.te
@@ -24,6 +24,9 @@ init_script_file(entropyd_initrc_exec_t) @@ -24,6 +24,9 @@ init_script_file(entropyd_initrc_exec_t)
type entropyd_var_run_t; type entropyd_var_run_t;
files_pid_file(entropyd_var_run_t) files_pid_file(entropyd_var_run_t)
@ -32,10 +32,10 @@ Index: fedora-policy-20230125/policy/modules/contrib/entropyd.te
domain_use_interactive_fds(entropyd_t) domain_use_interactive_fds(entropyd_t)
Index: fedora-policy-20230125/policy/modules/contrib/entropyd.if Index: fedora-policy-20230206/policy/modules/contrib/entropyd.if
=================================================================== ===================================================================
--- fedora-policy-20230125.orig/policy/modules/contrib/entropyd.if --- fedora-policy-20230206.orig/policy/modules/contrib/entropyd.if
+++ fedora-policy-20230125/policy/modules/contrib/entropyd.if +++ fedora-policy-20230206/policy/modules/contrib/entropyd.if
@@ -33,3 +33,22 @@ interface(`entropyd_admin',` @@ -33,3 +33,22 @@ interface(`entropyd_admin',`
files_search_pids($1) files_search_pids($1)
admin_pattern($1, entropyd_var_run_t) admin_pattern($1, entropyd_var_run_t)
@ -59,11 +59,11 @@ Index: fedora-policy-20230125/policy/modules/contrib/entropyd.if
+ +
+ fs_tmpfs_filetrans($1, entropyd_tmpfs_t, file, "sem.haveged_sem") + fs_tmpfs_filetrans($1, entropyd_tmpfs_t, file, "sem.haveged_sem")
+') +')
Index: fedora-policy-20230125/policy/modules/kernel/kernel.te Index: fedora-policy-20230206/policy/modules/kernel/kernel.te
=================================================================== ===================================================================
--- fedora-policy-20230125.orig/policy/modules/kernel/kernel.te --- fedora-policy-20230206.orig/policy/modules/kernel/kernel.te
+++ fedora-policy-20230125/policy/modules/kernel/kernel.te +++ fedora-policy-20230206/policy/modules/kernel/kernel.te
@@ -397,6 +397,10 @@ optional_policy(` @@ -401,6 +401,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`

24
fix_kernel.patch
View File

@ -1,8 +1,8 @@
Index: fedora-policy-20230125/policy/modules/kernel/kernel.te Index: fedora-policy-20230206/policy/modules/kernel/kernel.te
=================================================================== ===================================================================
--- fedora-policy-20230125.orig/policy/modules/kernel/kernel.te --- fedora-policy-20230206.orig/policy/modules/kernel/kernel.te
+++ fedora-policy-20230125/policy/modules/kernel/kernel.te +++ fedora-policy-20230206/policy/modules/kernel/kernel.te
@@ -389,6 +389,13 @@ ifdef(`distro_redhat',` @@ -393,6 +393,13 @@ ifdef(`distro_redhat',`
fs_rw_tmpfs_chr_files(kernel_t) fs_rw_tmpfs_chr_files(kernel_t)
') ')
@ -16,7 +16,7 @@ Index: fedora-policy-20230125/policy/modules/kernel/kernel.te
optional_policy(` optional_policy(`
abrt_filetrans_named_content(kernel_t) abrt_filetrans_named_content(kernel_t)
abrt_dump_oops_domtrans(kernel_t) abrt_dump_oops_domtrans(kernel_t)
@@ -410,6 +417,7 @@ optional_policy(` @@ -418,6 +425,7 @@ optional_policy(`
init_dbus_chat(kernel_t) init_dbus_chat(kernel_t)
init_sigchld(kernel_t) init_sigchld(kernel_t)
init_dyntrans(kernel_t) init_dyntrans(kernel_t)
@ -24,10 +24,18 @@ Index: fedora-policy-20230125/policy/modules/kernel/kernel.te
') ')
optional_policy(` optional_policy(`
Index: fedora-policy-20230125/policy/modules/system/modutils.if @@ -519,6 +527,7 @@ optional_policy(`
')
optional_policy(`
+ xserver_read_xdm_state(kernel_t)
xserver_xdm_manage_spool(kernel_t)
xserver_filetrans_home_content(kernel_t)
')
Index: fedora-policy-20230206/policy/modules/system/modutils.if
=================================================================== ===================================================================
--- fedora-policy-20230125.orig/policy/modules/system/modutils.if --- fedora-policy-20230206.orig/policy/modules/system/modutils.if
+++ fedora-policy-20230125/policy/modules/system/modutils.if +++ fedora-policy-20230206/policy/modules/system/modutils.if
@@ -525,3 +525,21 @@ interface(`modutils_dontaudit_kmod_tmpfs @@ -525,3 +525,21 @@ interface(`modutils_dontaudit_kmod_tmpfs
dontaudit $1 kmod_tmpfs_t:file { getattr }; dontaudit $1 kmod_tmpfs_t:file { getattr };

22
fix_networkmanager.patch
View File

@ -1,7 +1,7 @@
Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.te Index: fedora-policy-20230206/policy/modules/contrib/networkmanager.te
=================================================================== ===================================================================
--- fedora-policy-20230125.orig/policy/modules/contrib/networkmanager.te --- fedora-policy-20230206.orig/policy/modules/contrib/networkmanager.te
+++ fedora-policy-20230125/policy/modules/contrib/networkmanager.te +++ fedora-policy-20230206/policy/modules/contrib/networkmanager.te
@@ -260,6 +260,7 @@ sysnet_search_dhcp_state(NetworkManager_ @@ -260,6 +260,7 @@ sysnet_search_dhcp_state(NetworkManager_
sysnet_manage_config(NetworkManager_t) sysnet_manage_config(NetworkManager_t)
sysnet_filetrans_named_content(NetworkManager_t) sysnet_filetrans_named_content(NetworkManager_t)
@ -59,7 +59,7 @@ Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.te
') ')
optional_policy(` optional_policy(`
@@ -607,6 +629,7 @@ files_manage_etc_files(NetworkManager_di @@ -608,6 +630,7 @@ files_manage_etc_files(NetworkManager_di
init_status(NetworkManager_dispatcher_cloud_t) init_status(NetworkManager_dispatcher_cloud_t)
init_status(NetworkManager_dispatcher_ddclient_t) init_status(NetworkManager_dispatcher_ddclient_t)
@ -67,7 +67,7 @@ Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.te
init_append_stream_sockets(networkmanager_dispatcher_plugin) init_append_stream_sockets(networkmanager_dispatcher_plugin)
init_ioctl_stream_sockets(networkmanager_dispatcher_plugin) init_ioctl_stream_sockets(networkmanager_dispatcher_plugin)
init_stream_connect(networkmanager_dispatcher_plugin) init_stream_connect(networkmanager_dispatcher_plugin)
@@ -622,6 +645,10 @@ optional_policy(` @@ -623,6 +646,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -78,10 +78,10 @@ Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.te
cloudform_init_domtrans(NetworkManager_dispatcher_cloud_t) cloudform_init_domtrans(NetworkManager_dispatcher_cloud_t)
') ')
Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.if Index: fedora-policy-20230206/policy/modules/contrib/networkmanager.if
=================================================================== ===================================================================
--- fedora-policy-20230125.orig/policy/modules/contrib/networkmanager.if --- fedora-policy-20230206.orig/policy/modules/contrib/networkmanager.if
+++ fedora-policy-20230125/policy/modules/contrib/networkmanager.if +++ fedora-policy-20230206/policy/modules/contrib/networkmanager.if
@@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran @@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran
init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
') ')
@ -107,10 +107,10 @@ Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.if
######################################## ########################################
## <summary> ## <summary>
## Execute NetworkManager server in the NetworkManager domain. ## Execute NetworkManager server in the NetworkManager domain.
Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.fc Index: fedora-policy-20230206/policy/modules/contrib/networkmanager.fc
=================================================================== ===================================================================
--- fedora-policy-20230125.orig/policy/modules/contrib/networkmanager.fc --- fedora-policy-20230206.orig/policy/modules/contrib/networkmanager.fc
+++ fedora-policy-20230125/policy/modules/contrib/networkmanager.fc +++ fedora-policy-20230206/policy/modules/contrib/networkmanager.fc
@@ -24,6 +24,7 @@ @@ -24,6 +24,7 @@
/usr/lib/NetworkManager/dispatcher\.d/04-iscsi -- gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0) /usr/lib/NetworkManager/dispatcher\.d/04-iscsi -- gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0)
/usr/lib/NetworkManager/dispatcher\.d/10-sendmail -- gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0) /usr/lib/NetworkManager/dispatcher\.d/10-sendmail -- gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0)

8
fix_systemd_watch.patch
View File

@ -1,8 +1,8 @@
Index: fedora-policy-20230116/policy/modules/system/systemd.te Index: fedora-policy-20230206/policy/modules/system/systemd.te
=================================================================== ===================================================================
--- fedora-policy-20230116.orig/policy/modules/system/systemd.te --- fedora-policy-20230206.orig/policy/modules/system/systemd.te
+++ fedora-policy-20230116/policy/modules/system/systemd.te +++ fedora-policy-20230206/policy/modules/system/systemd.te
@@ -1520,6 +1520,12 @@ fstools_rw_swap_files(systemd_sleep_t) @@ -1524,6 +1524,12 @@ fstools_rw_swap_files(systemd_sleep_t)
storage_getattr_fixed_disk_dev(systemd_sleep_t) storage_getattr_fixed_disk_dev(systemd_sleep_t)
storage_getattr_removable_dev(systemd_sleep_t) storage_getattr_removable_dev(systemd_sleep_t)

12
fix_unconfineduser.patch
View File

@ -1,8 +1,8 @@
Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te Index: fedora-policy-20230206/policy/modules/roles/unconfineduser.te
=================================================================== ===================================================================
--- fedora-policy-20221019.orig/policy/modules/roles/unconfineduser.te --- fedora-policy-20230206.orig/policy/modules/roles/unconfineduser.te
+++ fedora-policy-20221019/policy/modules/roles/unconfineduser.te +++ fedora-policy-20230206/policy/modules/roles/unconfineduser.te
@@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all' @@ -126,6 +126,11 @@ tunable_policy(`unconfined_dyntrans_all'
domain_dyntrans(unconfined_t) domain_dyntrans(unconfined_t)
') ')
@ -14,7 +14,7 @@ Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te
optional_policy(` optional_policy(`
gen_require(` gen_require(`
type unconfined_t; type unconfined_t;
@@ -214,6 +219,10 @@ optional_policy(` @@ -216,6 +221,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -25,7 +25,7 @@ Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te
chrome_role_notrans(unconfined_r, unconfined_t) chrome_role_notrans(unconfined_r, unconfined_t)
tunable_policy(`unconfined_chrome_sandbox_transition',` tunable_policy(`unconfined_chrome_sandbox_transition',`
@@ -248,6 +257,18 @@ optional_policy(` @@ -250,6 +259,18 @@ optional_policy(`
dbus_stub(unconfined_t) dbus_stub(unconfined_t)
optional_policy(` optional_policy(`

11
selinux-policy.changes
View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Mon Feb 6 08:36:32 UTC 2023 - Johannes Segitz <jsegitz@suse.com>
- Update to version 20230206. Refreshed:
* fix_entropyd.patch
* fix_networkmanager.patch
* fix_systemd_watch.patch
* fix_unconfineduser.patch
- Updated fix_kernel.patch to allow kernel_t access to xdm state. This is
necessary as plymouth doesn't run in it's own domain in early boot
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jan 16 08:42:09 UTC 2023 - Johannes Segitz <jsegitz@suse.com> Mon Jan 16 08:42:09 UTC 2023 - Johannes Segitz <jsegitz@suse.com>

2
selinux-policy.spec
View File

@ -33,7 +33,7 @@ Summary: SELinux policy configuration
License: GPL-2.0-or-later License: GPL-2.0-or-later
Group: System/Management Group: System/Management
Name: selinux-policy Name: selinux-policy
Version: 20230125 Version: 20230206
Release: 0 Release: 0
Source: fedora-policy-%{version}.tar.bz2 Source: fedora-policy-%{version}.tar.bz2
Source1: selinux-policy-rpmlintrc Source1: selinux-policy-rpmlintrc