From 330c32dde14f41ac8bc725154cb72264fe7de4305d870da4e58dfb865e8e1d18 Mon Sep 17 00:00:00 2001 
From: Johannes Segitz Date: Thu, 16 Feb 2023 07:31:19 +0000 Subject: [PATCH] Accepting request 1065970 from home:cahu:branches:security:SELinux - Complete packaging rework: Move policy to git repository and only use tar_scm obs service to refresh from there: https://gitlab.suse.de/selinux/selinux-policy Please use `osc service manualrun` to update this OBS package to the newest git version. * Added README.Update describing how to update this package * Added _service file that pulls from selinux-policy and upstream container-selinux and tars them * Adapted selinux-policy.spec to build selinux-policy with container-selinux * Removed update.sh as no longer needed * Removed suse specific modules as they are now covered by git commits * packagekit.te packagekit.if packagekit.fc * rebootmgr.te rebootmgr.if rebootmgr.fc * rtorrent.te rtorrent.if rtorrent.fc * wicked.te wicked.if wicked.fc * Removed *.patch as they are now covered by git commits: * distro_suse_to_distro_redhat.patch * dontaudit_interface_kmod_tmpfs.patch * fix_accountsd.patch * fix_alsa.patch * fix_apache.patch * fix_auditd.patch * fix_authlogin.patch * fix_automount.patch * fix_bitlbee.patch * fix_chronyd.patch * fix_cloudform.patch * fix_colord.patch * fix_corecommand.patch * fix_cron.patch * fix_dbus.patch * fix_djbdns.patch * fix_dnsmasq.patch * fix_dovecot.patch * fix_entropyd.patch * fix_firewalld.patch * fix_fwupd.patch * fix_geoclue.patch * fix_hypervkvp.patch * fix_init.patch * fix_ipsec.patch * fix_iptables.patch * fix_irqbalance.patch * fix_java.patch * fix_kernel.patch * fix_kernel_sysctl.patch * fix_libraries.patch * fix_locallogin.patch * fix_logging.patch * fix_logrotate.patch * fix_mcelog.patch * fix_miscfiles.patch * fix_nagios.patch * fix_networkmanager.patch * fix_nis.patch * fix_nscd.patch * fix_ntp.patch * fix_openvpn.patch * fix_postfix.patch * fix_rpm.patch * fix_rtkit.patch * fix_screen.patch * fix_selinuxutil.patch * fix_sendmail.patch * fix_smartmon.patch * fix_snapper.patch * 
fix_sslh.patch * fix_sysnetwork.patch * fix_systemd.patch * fix_systemd_watch.patch * fix_thunderbird.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_unprivuser.patch * fix_userdomain.patch * fix_usermanage.patch * fix_wine.patch * fix_xserver.patch * sedoctool.patch * systemd_domain_dyntrans_type.patch OBS-URL: https://build.opensuse.org/request/show/1065970 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=173 --- README.Update | 19 + _service | 26 + _servicedata | 6 + container-selinux-20230214.tar.xz | 3 + distro_suse_to_distro_redhat.patch | 209 --------- dontaudit_interface_kmod_tmpfs.patch | 41 -- fedora-policy-20230206.tar.bz2 | 3 - fix_accountsd.patch | 12 - fix_alsa.patch | 15 - fix_apache.patch | 30 -- fix_auditd.patch | 12 - fix_authlogin.patch | 12 - fix_automount.patch | 15 - fix_bitlbee.patch | 12 - fix_chronyd.patch | 60 --- fix_cloudform.patch | 13 - fix_colord.patch | 25 - fix_corecommand.patch | 64 --- fix_cron.patch | 47 -- fix_dbus.patch | 21 - fix_djbdns.patch | 33 -- fix_dnsmasq.patch | 12 - fix_dovecot.patch | 15 - fix_entropyd.patch | 76 --- fix_firewalld.patch | 42 -- fix_fwupd.patch | 17 - fix_geoclue.patch | 10 - fix_hypervkvp.patch | 15 - fix_init.patch | 88 ---- fix_ipsec.patch | 20 - fix_iptables.patch | 12 - fix_irqbalance.patch | 13 - fix_java.patch | 41 -- fix_kernel.patch | 60 --- fix_kernel_sysctl.patch | 26 - fix_libraries.patch | 13 - fix_locallogin.patch | 20 - fix_logging.patch | 48 -- fix_logrotate.patch | 12 - fix_mcelog.patch | 13 - fix_miscfiles.patch | 12 - fix_nagios.patch | 24 - fix_networkmanager.patch | 131 ------ fix_nis.patch | 12 - fix_nscd.patch | 35 -- fix_ntp.patch | 99 ---- fix_openvpn.patch | 41 -- fix_postfix.patch | 120 ----- fix_rpm.patch | 50 -- fix_rtkit.patch | 11 - fix_screen.patch | 22 - fix_selinuxutil.patch | 39 -- fix_sendmail.patch | 32 -- fix_smartmon.patch | 9 - fix_snapper.patch | 68 --- fix_sslh.patch | 33 -- fix_sysnetwork.patch | 25 - 
fix_systemd.patch | 35 -- fix_systemd_watch.patch | 17 - fix_thunderbird.patch | 12 - fix_unconfined.patch | 22 - fix_unconfineduser.patch | 46 -- fix_unprivuser.patch | 18 - fix_userdomain.patch | 12 - fix_usermanage.patch | 29 -- fix_wine.patch | 23 - fix_xserver.patch | 68 --- packagekit.fc | 44 -- packagekit.if | 40 -- packagekit.te | 38 -- rebootmgr.fc | 1 - rebootmgr.if | 61 --- rebootmgr.te | 37 -- rtorrent.fc | 1 - rtorrent.if | 95 ---- rtorrent.te | 101 ---- sedoctool.patch | 22 - selinux-policy-20230214.tar.xz | 3 + selinux-policy.changes | 87 ++++ selinux-policy.spec | 105 +---- systemd_domain_dyntrans_type.patch | 13 - update.sh | 23 - wicked.fc | 50 -- wicked.if | 678 --------------------------- wicked.te | 572 ---------------------- 85 files changed, 158 insertions(+), 4089 deletions(-) create mode 100644 README.Update create mode 100644 _service create mode 100644 _servicedata create mode 100644 container-selinux-20230214.tar.xz delete mode 100644 distro_suse_to_distro_redhat.patch delete mode 100644 dontaudit_interface_kmod_tmpfs.patch delete mode 100644 fedora-policy-20230206.tar.bz2 delete mode 100644 fix_accountsd.patch delete mode 100644 fix_alsa.patch delete mode 100644 fix_apache.patch delete mode 100644 fix_auditd.patch delete mode 100644 fix_authlogin.patch delete mode 100644 fix_automount.patch delete mode 100644 fix_bitlbee.patch delete mode 100644 fix_chronyd.patch delete mode 100644 fix_cloudform.patch delete mode 100644 fix_colord.patch delete mode 100644 fix_corecommand.patch delete mode 100644 fix_cron.patch delete mode 100644 fix_dbus.patch delete mode 100644 fix_djbdns.patch delete mode 100644 fix_dnsmasq.patch delete mode 100644 fix_dovecot.patch delete mode 100644 fix_entropyd.patch delete mode 100644 fix_firewalld.patch delete mode 100644 fix_fwupd.patch delete mode 100644 fix_geoclue.patch delete mode 100644 fix_hypervkvp.patch delete mode 100644 fix_init.patch delete mode 100644 fix_ipsec.patch delete mode 100644 
fix_iptables.patch delete mode 100644 fix_irqbalance.patch delete mode 100644 fix_java.patch delete mode 100644 fix_kernel.patch delete mode 100644 fix_kernel_sysctl.patch delete mode 100644 fix_libraries.patch delete mode 100644 fix_locallogin.patch delete mode 100644 fix_logging.patch delete mode 100644 fix_logrotate.patch delete mode 100644 fix_mcelog.patch delete mode 100644 fix_miscfiles.patch delete mode 100644 fix_nagios.patch delete mode 100644 fix_networkmanager.patch delete mode 100644 fix_nis.patch delete mode 100644 fix_nscd.patch delete mode 100644 fix_ntp.patch delete mode 100644 fix_openvpn.patch delete mode 100644 fix_postfix.patch delete mode 100644 fix_rpm.patch delete mode 100644 fix_rtkit.patch delete mode 100644 fix_screen.patch delete mode 100644 fix_selinuxutil.patch delete mode 100644 fix_sendmail.patch delete mode 100644 fix_smartmon.patch delete mode 100644 fix_snapper.patch delete mode 100644 fix_sslh.patch delete mode 100644 fix_sysnetwork.patch delete mode 100644 fix_systemd.patch delete mode 100644 fix_systemd_watch.patch delete mode 100644 fix_thunderbird.patch delete mode 100644 fix_unconfined.patch delete mode 100644 fix_unconfineduser.patch delete mode 100644 fix_unprivuser.patch delete mode 100644 fix_userdomain.patch delete mode 100644 fix_usermanage.patch delete mode 100644 fix_wine.patch delete mode 100644 fix_xserver.patch delete mode 100644 packagekit.fc delete mode 100644 packagekit.if delete mode 100644 packagekit.te delete mode 100644 rebootmgr.fc delete mode 100644 rebootmgr.if delete mode 100644 rebootmgr.te delete mode 100644 rtorrent.fc delete mode 100644 rtorrent.if delete mode 100644 rtorrent.te delete mode 100644 sedoctool.patch create mode 100644 selinux-policy-20230214.tar.xz delete mode 100644 systemd_domain_dyntrans_type.patch delete mode 100644 update.sh delete mode 100644 wicked.fc delete mode 100644 wicked.if delete mode 100644 wicked.te 
diff --git a/README.Update b/README.Update
new file mode 100644
index 0000000..d0e3b5c
--- /dev/null
+++ b/README.Update
@@ -0,0 +1,19 @@
+# How to update this project
+
+This project is updated using obs services.
+The obs services pull from git repositories, which are specified in the `_service` file.
+Please contribute all changes to the upstream git repositories listed there.
+
+To update this project to the upstream versions, please make sure you installed these obs services locally:
+```
+sudo zypper in obs-service-tar_scm obs-service-recompress obs-service-set_version obs-service-download_files
+```
+
+Then, generate new tarballs, changelog and version number for this repository by running this command:
+```
+osc service manualrun
+```
+
+Afterwards, please check your local project state and remove old tarballs if necessary.
+Then proceed as usual with check-in and build.
+
diff --git a/_service b/_service
new file mode 100644
index 0000000..64a67c0
--- /dev/null
+++ b/_service
@@ -0,0 +1,26 @@
+
+
+ 1
+ %cd
+ https://gitlab.suse.de/selinux/selinux-policy.git
+ git
+ enable
+ factory
+
+
+ 1
+ %cd
+ https://github.com/containers/container-selinux.git
+ git
+ enable
+ main
+
+
+ xz
+ *.tar
+
+
+ selinux-policy.spec
+
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..b50b36f
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,6 @@
+
+
+ https://gitlab.suse.de/selinux/selinux-policy.git
+ 167da331be8238b650e75d629a925576ca5bf70b
+ https://github.com/containers/container-selinux.git
+ 07b3034f6d9625ab84508a2f46515d8ff79b4204
\ No newline at end of file
diff --git a/container-selinux-20230214.tar.xz b/container-selinux-20230214.tar.xz
new file mode 100644
index 0000000..16fd854
--- /dev/null
+++ b/container-selinux-20230214.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:35976ddc019bac7363a4a7eb7f626fc92cf91a19deeca7bb8ff1458dbb0dc936
+size 25128
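Review bot: The second tar_scm block of the new `_service` file tracks the moving `main` branch of the third-party `https://github.com/containers/container-selinux.git` repository (the `main` value is presumably its `revision` parameter; the XML tags did not survive extraction), so every `osc service manualrun` packages whatever that branch holds at that moment, and the commit actually pulled is only recorded afterwards in `_servicedata` (`07b3034f6d9625ab84508a2f46515d8ff79b4204`). Because this content becomes part of the system's security policy, pinning that `revision` to a release tag or commit, e.g. `<param name="revision">UPSTREAM_TAG_PLACEHOLDER</param>`, would let a refresh be reviewed before it lands instead of being reconstructed from `_servicedata` afterwards; the same consideration applies to `factory` in the first block if that branch is not itself gated. Separately, `%cd` as the version format yields the same `-20230214` tarball name for any commit made on one day, so two refreshes on the same day can produce different tarballs with identical names, which deserves a sentence in README.Update next to the advice about removing old tarballs.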
diff --git a/distro_suse_to_distro_redhat.patch b/distro_suse_to_distro_redhat.patch
deleted file mode 100644
index f3832d5..0000000
--- a/distro_suse_to_distro_redhat.patch
+++ /dev/null
@@ -1,209 +0,0 @@ -Index: fedora-policy-20230116/policy/modules/contrib/apache.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/contrib/apache.fc -+++ fedora-policy-20230116/policy/modules/contrib/apache.fc -@@ -74,7 +74,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.* - /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) - /usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) - --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) - ') - -Index: fedora-policy-20230116/policy/modules/contrib/cron.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/contrib/cron.fc -+++ fedora-policy-20230116/policy/modules/contrib/cron.fc -@@ -51,7 +51,7 @@ ifdef(`distro_gentoo',` - /var/spool/cron/lastrun/[^/]* -- <> - ') - --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) - /var/spool/cron/lastrun/[^/]* -- <> - /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -@@ -70,7 +70,7 @@ ifdef(`distro_gentoo',` - /var/spool/cron/lastrun/[^/]* -- <> - ') - --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) - /var/spool/cron/lastrun/[^/]* -- <> - /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -Index: fedora-policy-20230116/policy/modules/contrib/rpm.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/contrib/rpm.fc -+++ fedora-policy-20230116/policy/modules/contrib/rpm.fc -@@ -82,7 +82,7 @@ ifdef(`distro_redhat', ` - /var/run/PackageKit(/.*)? 
gen_context(system_u:object_r:rpm_var_run_t,s0) - - # SuSE --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) - /sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0) - /var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -Index: fedora-policy-20230116/policy/modules/kernel/corecommands.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/kernel/corecommands.fc -+++ fedora-policy-20230116/policy/modules/kernel/corecommands.fc -@@ -462,7 +462,7 @@ ifdef(`distro_redhat', ` - /usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0) - ') - --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/ssh/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -491,7 +491,7 @@ ifdef(`distro_suse', ` - /var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) - /var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0) - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) - ') - -Index: fedora-policy-20230116/policy/modules/kernel/devices.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/kernel/devices.fc -+++ fedora-policy-20230116/policy/modules/kernel/devices.fc -@@ -148,7 +148,7 @@ - /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) - /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) - /dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0) --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) - ') - /dev/vmci -c gen_context(system_u:object_r:vmci_device_t,s0) -Index: 
fedora-policy-20230116/policy/modules/kernel/files.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20230116/policy/modules/kernel/files.fc -@@ -22,7 +22,7 @@ ifdef(`distro_redhat',` - /[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0) - ') - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - /success -- gen_context(system_u:object_r:etc_runtime_t,s0) - ') - -@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', ` - /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0) - ') - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) - ') -Index: fedora-policy-20230116/policy/modules/services/xserver.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/services/xserver.fc -+++ fedora-policy-20230116/policy/modules/services/xserver.fc -@@ -189,7 +189,7 @@ ifndef(`distro_debian',` - /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) - /var/run/systemd/multi-session-x(/.*)? 
gen_context(system_u:object_r:xdm_var_run_t,s0) - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) - ') - -Index: fedora-policy-20230116/policy/modules/system/authlogin.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/system/authlogin.fc -+++ fedora-policy-20230116/policy/modules/system/authlogin.fc -@@ -31,7 +31,7 @@ HOME_DIR/\.google_authenticator~ gen_co - /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) - /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - ') - -Index: fedora-policy-20230116/policy/modules/system/init.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/system/init.fc -+++ fedora-policy-20230116/policy/modules/system/init.fc -@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', ` - /var/run/svscan\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) - ') - --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /var/run/bootsplashctl -p gen_context(system_u:object_r:initrc_var_run_t,s0) - /var/run/keymap -- gen_context(system_u:object_r:initrc_var_run_t,s0) - /var/run/numlock-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) -Index: fedora-policy-20230116/policy/modules/system/init.te -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/system/init.te -+++ fedora-policy-20230116/policy/modules/system/init.te -@@ -1330,7 +1330,7 @@ ifdef(`distro_redhat',` - ') - ') - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - optional_policy(` - # set permissions on /tmp/.X11-unix - xserver_setattr_xdm_tmp_dirs(initrc_t) -Index: 
fedora-policy-20230116/policy/modules/system/libraries.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/system/libraries.fc -+++ fedora-policy-20230116/policy/modules/system/libraries.fc -@@ -329,7 +329,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_ - /var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) - /usr/lib/xfce4/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) - ') - -Index: fedora-policy-20230116/policy/modules/system/locallogin.te -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/system/locallogin.te -+++ fedora-policy-20230116/policy/modules/system/locallogin.te -@@ -274,7 +274,7 @@ ifdef(`enable_mls',` - ') - - # suse and debian do not use pam with sulogin... --ifdef(`distro_suse', `define(`sulogin_no_pam')') -+ifdef(`distro_redhat', `define(`sulogin_no_pam')') - ifdef(`distro_debian', `define(`sulogin_no_pam')') - - allow sulogin_t self:capability sys_tty_config; -Index: fedora-policy-20230116/policy/modules/system/logging.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/system/logging.fc -+++ fedora-policy-20230116/policy/modules/system/logging.fc -@@ -46,7 +46,7 @@ - /var/lib/r?syslog(/.*)? 
gen_context(system_u:object_r:syslogd_var_lib_t,mls_systemhigh) - /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) - --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0) - ') - -Index: fedora-policy-20230116/policy/modules/system/logging.te -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/system/logging.te -+++ fedora-policy-20230116/policy/modules/system/logging.te -@@ -685,7 +685,7 @@ ifdef(`distro_gentoo',` - term_dontaudit_setattr_unallocated_ttys(syslogd_t) - ') - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel - files_var_lib_filetrans(syslogd_t, devlog_t, sock_file) - ') diff --git a/dontaudit_interface_kmod_tmpfs.patch b/dontaudit_interface_kmod_tmpfs.patch deleted file mode 100644 index 031ead4..0000000 --- a/dontaudit_interface_kmod_tmpfs.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -Index: fedora-policy-20221019/policy/modules/services/xserver.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/services/xserver.te -+++ fedora-policy-20221019/policy/modules/services/xserver.te -@@ -764,6 +764,10 @@ userdom_mounton_tmp_sockets(xdm_t) - userdom_nnp_transition_login_userdomain(xdm_t) - userdom_watch_user_home_dirs(xdm_t) - -+# SUSE uses startproc to start the display manager. While checking for running processes -+# it goes over all running instances, triggering AVCs -+modutils_dontaudit_kmod_tmpfs_getattr(xdm_t) -+ - #userdom_home_manager(xdm_t) - tunable_policy(`xdm_write_home',` - userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file }) -Index: fedora-policy-20221019/policy/modules/system/modutils.if -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/modutils.if -+++ fedora-policy-20221019/policy/modules/system/modutils.if -@@ -507,3 +507,21 @@ interface(`modules_filetrans_named_conte - #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols") - #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin") - ') -+ -+####################################### -+## -+## Don't audit accesses to tmp file type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`modutils_dontaudit_kmod_tmpfs_getattr',` -+ gen_require(` -+ type kmod_tmpfs_t; -+ ') -+ -+ dontaudit $1 kmod_tmpfs_t:file { getattr }; -+') diff --git a/fedora-policy-20230206.tar.bz2 b/fedora-policy-20230206.tar.bz2 deleted file mode 100644 index ffdbc93..0000000 --- a/fedora-policy-20230206.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5cf93823fbb8094a509b23be28f1328e7d61a6d564c6265ecbb295c63c188979 -size 736493 diff --git a/fix_accountsd.patch b/fix_accountsd.patch deleted file mode 100644 index 6558c5c..0000000 
--- a/fix_accountsd.patch +++ /dev/null @@ -1,12 +0,0 @@ -Index: fedora-policy/policy/modules/contrib/accountsd.fc -=================================================================== ---- fedora-policy.orig/policy/modules/contrib/accountsd.fc -+++ fedora-policy/policy/modules/contrib/accountsd.fc -@@ -1,6 +1,7 @@ - /usr/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0) - - /usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) -+/usr/lib/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) - - /usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) - diff --git a/fix_alsa.patch b/fix_alsa.patch deleted file mode 100644 index 0e6b04c..0000000 --- a/fix_alsa.patch +++ /dev/null @@ -1,15 +0,0 @@ -Index: fedora-policy-20221019/policy/modules/contrib/alsa.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/alsa.te -+++ fedora-policy-20221019/policy/modules/contrib/alsa.te -@@ -104,6 +104,10 @@ userdom_manage_unpriv_user_semaphores(al - userdom_manage_unpriv_user_shared_mem(alsa_t) - userdom_search_user_home_dirs(alsa_t) - -+optional_policy(` -+ gnome_read_home_config(alsa_t) -+') -+ - ifdef(`distro_debian',` - term_dontaudit_use_unallocated_ttys(alsa_t) - diff --git a/fix_apache.patch b/fix_apache.patch deleted file mode 100644 index 6b24b83..0000000 --- a/fix_apache.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -Index: fedora-policy-20221019/policy/modules/contrib/apache.if -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/apache.if -+++ fedora-policy-20221019/policy/modules/contrib/apache.if -@@ -2007,3 +2007,25 @@ interface(`apache_read_semaphores',` - - allow $1 httpd_t:sem r_sem_perms; - ') -+ -+####################################### -+## -+## Allow the specified domain to execute -+## httpd_sys_content_t and manage httpd_sys_rw_content_t -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`apache_exec_sys_content',` -+ gen_require(` -+ type httpd_sys_content_t; -+ type httpd_sys_rw_content_t; -+ ') -+ -+ apache_manage_sys_content_rw($1) -+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) -+ can_exec($1, httpd_sys_content_t) -+') diff --git a/fix_auditd.patch b/fix_auditd.patch deleted file mode 100644 index d4d94e0..0000000 --- a/fix_auditd.patch +++ /dev/null @@ -1,12 +0,0 @@ -Index: fedora-policy-20211111/policy/modules/system/logging.if -=================================================================== ---- fedora-policy-20211111.orig/policy/modules/system/logging.if -+++ fedora-policy-20211111/policy/modules/system/logging.if -@@ -431,6 +431,7 @@ interface(`logging_manage_audit_config', - - files_search_etc($1) - manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -+ allow $1 auditd_etc_t:dir mounton; - ') - - ######################################## diff --git a/fix_authlogin.patch b/fix_authlogin.patch deleted file mode 100644 index 7220120..0000000 --- a/fix_authlogin.patch +++ /dev/null 
@@ -1,12 +0,0 @@ -Index: fedora-policy-20211111/policy/modules/system/authlogin.fc -=================================================================== ---- fedora-policy-20211111.orig/policy/modules/system/authlogin.fc -+++ fedora-policy-20211111/policy/modules/system/authlogin.fc -@@ -56,6 +56,7 @@ ifdef(`distro_gentoo', ` - /usr/libexec/chkpwd/tcb_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - /usr/libexec/chkpwd/tcb_updpwd -- gen_context(system_u:object_r:updpwd_exec_t,s0) - /usr/libexec/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) -+/usr/lib/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) - - /var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0) - diff --git a/fix_automount.patch b/fix_automount.patch deleted file mode 100644 index a702fc7..0000000 --- a/fix_automount.patch +++ /dev/null @@ -1,15 +0,0 @@ -Index: fedora-policy/policy/modules/contrib/automount.te -=================================================================== ---- fedora-policy.orig/policy/modules/contrib/automount.te -+++ fedora-policy/policy/modules/contrib/automount.te -@@ -154,6 +154,10 @@ optional_policy(` - ') - - optional_policy(` -+ networkmanager_read_pid_files(automount_t) -+') -+ -+optional_policy(` - fstools_domtrans(automount_t) - ') - diff --git a/fix_bitlbee.patch b/fix_bitlbee.patch deleted file mode 100644 index 2ce1749..0000000 --- a/fix_bitlbee.patch +++ /dev/null 
@@ -1,12 +0,0 @@ -Index: fedora-policy-20220124/policy/modules/contrib/bitlbee.fc -=================================================================== ---- fedora-policy-20220124.orig/policy/modules/contrib/bitlbee.fc -+++ fedora-policy-20220124/policy/modules/contrib/bitlbee.fc -@@ -9,6 +9,5 @@ - - /var/log/bip.* gen_context(system_u:object_r:bitlbee_log_t,s0) - --/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0) --/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0) -+/var/run/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0) - /var/run/bip(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0) diff --git a/fix_chronyd.patch b/fix_chronyd.patch deleted file mode 100644 index 1ea9a55..0000000 --- a/fix_chronyd.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -Index: fedora-policy-20221019/policy/modules/contrib/chronyd.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.te -+++ fedora-policy-20221019/policy/modules/contrib/chronyd.te -@@ -144,6 +144,15 @@ systemd_exec_systemctl(chronyd_t) - userdom_dgram_send(chronyd_t) - - optional_policy(` -+ networkmanager_read_pid_files(chronyd_t) -+ networkmanager_dispatcher_custom_dgram_send(chronyd_t) -+') -+ -+optional_policy(` -+ wicked_read_pid_files(chronyd_t) -+') -+ -+optional_policy(` - cron_dgram_send(chronyd_t) - ') - -Index: fedora-policy-20221019/policy/modules/contrib/chronyd.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.fc -+++ fedora-policy-20221019/policy/modules/contrib/chronyd.fc -@@ -6,6 +6,8 @@ - - /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) - /usr/libexec/chrony-helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) -+/usr/lib/chrony/helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) -+/usr/libexec/chrony/helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) - - /usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0) - -Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.if -+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.if -@@ -684,3 +684,22 @@ template(`networkmanager_dispatcher_plug - - domtrans_pattern(NetworkManager_dispatcher_t, NetworkManager_dispatcher_$1_script_t, NetworkManager_dispatcher_$1_t) - ') -+ -+######################################## -+## -+## Send a message to NetworkManager_dispatcher_custom -+## over a unix domain datagram socket. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`networkmanager_dispatcher_custom_dgram_send',` -+ gen_require(` -+ type NetworkManager_dispatcher_custom_t; -+ ') -+ -+ allow $1 NetworkManager_dispatcher_custom_t:unix_dgram_socket sendto; -+') diff --git a/fix_cloudform.patch b/fix_cloudform.patch deleted file mode 100644 index cac7161..0000000 --- a/fix_cloudform.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: fedora-policy/policy/modules/contrib/cloudform.te -=================================================================== ---- cloudform.te 2022-07-18 14:06:56.735383426 +0200 -+++ cloudform.te.new 2022-07-18 14:07:36.003069544 +0200 -@@ -81,6 +81,8 @@ - - init_dbus_chat(cloud_init_t) - -+snapper_dbus_chat(cloud_init_t) -+ - kernel_read_network_state(cloud_init_t) - - corenet_tcp_connect_http_port(cloud_init_t) diff --git a/fix_colord.patch b/fix_colord.patch deleted file mode 100644 index 763641f..0000000 --- a/fix_colord.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -Index: fedora-policy-20211111/policy/modules/contrib/colord.fc -=================================================================== ---- fedora-policy-20211111.orig/policy/modules/contrib/colord.fc -+++ fedora-policy-20211111/policy/modules/contrib/colord.fc -@@ -6,6 +6,8 @@ - - /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0) - /usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0) -+/usr/lib/colord -- gen_context(system_u:object_r:colord_exec_t,s0) -+/usr/lib/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0) - - /usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0) - -Index: fedora-policy-20211111/policy/modules/contrib/colord.te -=================================================================== ---- fedora-policy-20211111.orig/policy/modules/contrib/colord.te -+++ fedora-policy-20211111/policy/modules/contrib/colord.te -@@ -17,6 +17,7 @@ type colord_t; - type colord_exec_t; - dbus_system_domain(colord_t, colord_exec_t) - init_daemon_domain(colord_t, colord_exec_t) -+init_nnp_daemon_domain(colord_t) - - type colord_tmp_t; - files_tmp_file(colord_tmp_t) diff --git a/fix_corecommand.patch b/fix_corecommand.patch deleted file mode 100644 index 60362f2..0000000 --- a/fix_corecommand.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -Index: fedora-policy/policy/modules/kernel/corecommands.fc -=================================================================== ---- fedora-policy.orig/policy/modules/kernel/corecommands.fc -+++ fedora-policy/policy/modules/kernel/corecommands.fc -@@ -86,7 +86,10 @@ ifdef(`distro_redhat',` - - /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) - --/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0) -+ -+/etc/netconfig.d/.* -- gen_context(system_u:object_r:bin_t,s0) -+ -+/etc/mcelog/.*-error.*-trigger -- gen_context(system_u:object_r:bin_t,s0) - /etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0) - /etc/mcelog/.*\.setup -- gen_context(system_u:object_r:bin_t,s0) - -@@ -251,6 +254,21 @@ ifdef(`distro_gentoo',` - /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0) - /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/lib/gnome-settings-daemon/.* -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/gnome-settings-daemon-3.0/.* -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/gnome-calculator-search-provider -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/gnome-control-center-search-provider -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/gnome-photos-thumbnailer -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/gnome-rr-debug -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/gnome-session-binary -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/gnome-session-check-accelerated -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/gnome-session-check-accelerated-gles-helper -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/gnome-session-check-accelerated-gl-helper -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/gnome-session-failed -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/gnome-software-cmd -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/gnome-software-restarter -- gen_context(system_u:object_r:bin_t,s0) 
-+/usr/lib/gnome-terminal-migration -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/gnome-terminal-server -- gen_context(system_u:object_r:bin_t,s0) -+/usr/lib/gnome-tweak-tool-lid-inhibitor -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/gvfs/.* -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -313,6 +331,8 @@ ifdef(`distro_gentoo',` - - /usr/lib/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) -+# also covers /usr/lib64/libexec due to equivalency rule '/usr/lib64 /usr/lib' -+/usr/lib/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0) - - /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) - /usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -324,6 +344,8 @@ ifdef(`distro_gentoo',` - - /usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0) - -+/usr/lib/build/.* -- gen_context(system_u:object_r:bin_t,s0) -+ - /usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0) -@@ -391,6 +413,7 @@ ifdef(`distro_debian',` - /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0) - ') -+/usr/lib/gdm/.* -- gen_context(system_u:object_r:bin_t,s0) - - ifdef(`distro_gentoo', ` - /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --git a/fix_cron.patch b/fix_cron.patch deleted file mode 100644 index 203162a..0000000 --- a/fix_cron.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -Index: fedora-policy-20221019/policy/modules/contrib/cron.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc -+++ fedora-policy-20221019/policy/modules/contrib/cron.fc -@@ -34,7 +34,7 @@ - - /var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0) - #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) --/var/spool/cron/USER -- gen_context(system_u:object_r:user_cron_spool_t,s0) -+/var/spool/cron/tabs/USER -- gen_context(system_u:object_r:user_cron_spool_t,s0) - - /var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0) - /var/spool/cron/crontabs/.* -- <> -@@ -55,6 +55,10 @@ ifdef(`distro_redhat', ` - /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) - /var/spool/cron/lastrun/[^/]* -- <> - /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -+ -+/var/spool/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0) -+/var/spool/atjobs/.SEQ -- gen_context(system_u:object_r:user_cron_spool_t,s0) -+/var/spool/atjobs/[^/]* -- <> - ') - - ifdef(`distro_debian',` -@@ -69,9 +73,3 @@ ifdef(`distro_gentoo',` - /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) - /var/spool/cron/lastrun/[^/]* -- <> - ') -- --ifdef(`distro_redhat', ` --/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) --/var/spool/cron/lastrun/[^/]* -- <> --/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) --') -Index: fedora-policy-20221019/policy/modules/contrib/cron.if -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/cron.if -+++ fedora-policy-20221019/policy/modules/contrib/cron.if -@@ -1075,7 +1075,7 @@ interface(`cron_generic_log_filetrans_lo - # - interface(`cron_system_spool_entrypoint',` - gen_require(` -- attribute system_cron_spool_t; -+ type system_cron_spool_t; 
- ') - allow $1 system_cron_spool_t:file entrypoint; - ') diff --git a/fix_dbus.patch b/fix_dbus.patch deleted file mode 100644 index 00440bd..0000000 --- a/fix_dbus.patch +++ /dev/null @@ -1,21 +0,0 @@ -Index: fedora-policy-20221019/policy/modules/contrib/dbus.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/dbus.te -+++ fedora-policy-20221019/policy/modules/contrib/dbus.te -@@ -81,6 +81,7 @@ manage_dirs_pattern(system_dbusd_t, syst - manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) - manage_sock_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) - files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file sock_file }) -+allow system_dbusd_t system_dbusd_tmp_t:file execute; - - manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t) - manage_dirs_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t) -@@ -109,6 +110,8 @@ files_read_var_lib_symlinks(system_dbusd - files_rw_inherited_non_security_files(system_dbusd_t) - files_watch_usr_dirs(system_dbusd_t) - files_watch_var_lib_dirs(system_dbusd_t) -+# bsc#1205895 -+files_watch_lib_dirs(system_dbusd_t) - - fs_getattr_all_fs(system_dbusd_t) - fs_search_auto_mountpoints(system_dbusd_t) diff --git a/fix_djbdns.patch b/fix_djbdns.patch deleted file mode 100644 index c3015b7..0000000 --- a/fix_djbdns.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -Index: fedora-policy/policy/modules/contrib/djbdns.te -=================================================================== ---- fedora-policy.orig/policy/modules/contrib/djbdns.te 2019-08-05 09:39:48.641670181 +0200 -+++ fedora-policy/policy/modules/contrib/djbdns.te 2019-08-05 09:53:08.383084236 +0200 -@@ -24,28 +24,6 @@ allow djbdns_domain self:fifo_file rw_fi - allow djbdns_domain self:tcp_socket create_stream_socket_perms; - allow djbdns_domain self:udp_socket create_socket_perms; - --corenet_all_recvfrom_unlabeled(djbdns_domain) --corenet_all_recvfrom_netlabel(djbdns_domain) --corenet_tcp_sendrecv_generic_if(djbdns_domain) --corenet_udp_sendrecv_generic_if(djbdns_domain) --corenet_tcp_sendrecv_generic_node(djbdns_domain) --corenet_udp_sendrecv_generic_node(djbdns_domain) --corenet_tcp_sendrecv_all_ports(djbdns_domain) --corenet_udp_sendrecv_all_ports(djbdns_domain) --corenet_tcp_bind_generic_node(djbdns_domain) --corenet_udp_bind_generic_node(djbdns_domain) -- --corenet_sendrecv_dns_server_packets(djbdns_domain) --corenet_tcp_bind_dns_port(djbdns_domain) --corenet_udp_bind_dns_port(djbdns_domain) -- --corenet_sendrecv_dns_client_packets(djbdns_domain) --corenet_tcp_connect_dns_port(djbdns_domain) -- --corenet_sendrecv_generic_server_packets(djbdns_domain) --corenet_tcp_bind_generic_port(djbdns_domain) --corenet_udp_bind_generic_port(djbdns_domain) -- - files_search_var(djbdns_domain) - - daemontools_ipc_domain(djbdns_axfrdns_t) diff --git a/fix_dnsmasq.patch b/fix_dnsmasq.patch deleted file mode 100644 index d9f6e29..0000000 --- a/fix_dnsmasq.patch +++ /dev/null 
@@ -1,12 +0,0 @@ -Index: fedora-policy-20230116/policy/modules/contrib/dnsmasq.te -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/contrib/dnsmasq.te -+++ fedora-policy-20230116/policy/modules/contrib/dnsmasq.te -@@ -116,6 +116,7 @@ libs_exec_ldconfig(dnsmasq_t) - logging_send_syslog_msg(dnsmasq_t) - - miscfiles_read_public_files(dnsmasq_t) -+sysnet_manage_config_dirs(dnsmasq_t) - - userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) - userdom_dontaudit_search_user_home_dirs(dnsmasq_t) diff --git a/fix_dovecot.patch b/fix_dovecot.patch deleted file mode 100644 index f88cff1..0000000 --- a/fix_dovecot.patch +++ /dev/null @@ -1,15 +0,0 @@ -Index: fedora-policy-20210419/policy/modules/contrib/dovecot.fc -=================================================================== ---- fedora-policy-20210419.orig/policy/modules/contrib/dovecot.fc -+++ fedora-policy-20210419/policy/modules/contrib/dovecot.fc -@@ -34,6 +34,10 @@ ifdef(`distro_redhat', ` - /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) - ') - -+/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) -+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -+/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) -+ - # - # /var - # diff --git a/fix_entropyd.patch b/fix_entropyd.patch deleted file mode 100644 index 33cf71a..0000000 --- a/fix_entropyd.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -Index: fedora-policy-20230206/policy/modules/contrib/entropyd.te -=================================================================== ---- fedora-policy-20230206.orig/policy/modules/contrib/entropyd.te -+++ fedora-policy-20230206/policy/modules/contrib/entropyd.te -@@ -24,6 +24,9 @@ init_script_file(entropyd_initrc_exec_t) - type entropyd_var_run_t; - files_pid_file(entropyd_var_run_t) - -+type entropyd_tmpfs_t; -+files_tmpfs_file(entropyd_tmpfs_t) -+ - ######################################## - # - # Local policy -@@ -36,6 +39,10 @@ allow entropyd_t self:process signal_per - manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t) - files_pid_filetrans(entropyd_t, entropyd_var_run_t, file) - -+manage_dirs_pattern(entropyd_t, entropyd_tmpfs_t, entropyd_tmpfs_t) -+manage_files_pattern(entropyd_t, entropyd_tmpfs_t, entropyd_tmpfs_t) -+fs_tmpfs_filetrans(entropyd_t, entropyd_tmpfs_t, { file }) -+ - kernel_read_system_state(entropyd_t) - kernel_rw_kernel_sysctl(entropyd_t) - -@@ -47,6 +54,8 @@ dev_write_rand(entropyd_t) - - fs_getattr_all_fs(entropyd_t) - fs_search_auto_mountpoints(entropyd_t) -+# not great, but necessary for now since I can't get sem.haveged_sem to have a proper label -+fs_rw_tmpfs_files(entropyd_t) - - domain_use_interactive_fds(entropyd_t) - -Index: fedora-policy-20230206/policy/modules/contrib/entropyd.if -=================================================================== ---- fedora-policy-20230206.orig/policy/modules/contrib/entropyd.if -+++ fedora-policy-20230206/policy/modules/contrib/entropyd.if -@@ -33,3 +33,22 @@ interface(`entropyd_admin',` - files_search_pids($1) - admin_pattern($1, entropyd_var_run_t) - ') -+ -+######################################## -+## -+## Transition kernel created semaphore to correct type -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+## -+# -+interface(`entropyd_semaphore_filetrans',` -+ gen_require(` -+ type entropyd_tmpfs_t; -+ ') -+ -+ fs_tmpfs_filetrans($1, entropyd_tmpfs_t, file, "sem.haveged_sem") -+') -Index: fedora-policy-20230206/policy/modules/kernel/kernel.te -=================================================================== ---- fedora-policy-20230206.orig/policy/modules/kernel/kernel.te -+++ fedora-policy-20230206/policy/modules/kernel/kernel.te -@@ -401,6 +401,10 @@ optional_policy(` - ') - - optional_policy(` -+ entropyd_semaphore_filetrans(kernel_t) -+') -+ -+optional_policy(` - abrt_filetrans_named_content(kernel_t) - abrt_dump_oops_domtrans(kernel_t) - ') diff --git a/fix_firewalld.patch b/fix_firewalld.patch deleted file mode 100644 index 1e455b7..0000000 --- a/fix_firewalld.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -Index: fedora-policy-20211111/policy/modules/contrib/firewalld.te -=================================================================== ---- fedora-policy-20211111.orig/policy/modules/contrib/firewalld.te -+++ fedora-policy-20211111/policy/modules/contrib/firewalld.te -@@ -131,6 +131,7 @@ optional_policy(` - ') - - optional_policy(` -+ iptables_manage_var_lib_files(firewalld_t) - iptables_domtrans(firewalld_t) - iptables_read_var_run(firewalld_t) - ') -Index: fedora-policy-20211111/policy/modules/system/iptables.if -=================================================================== ---- fedora-policy-20211111.orig/policy/modules/system/iptables.if -+++ fedora-policy-20211111/policy/modules/system/iptables.if -@@ -2,6 +2,25 @@ - - ######################################## - ## -+## Allow management of iptables_var_lib_t files -+## -+## -+## -+## Domain allowed to mange files -+## -+## -+# -+interface(`iptables_manage_var_lib_files',` -+ gen_require(` -+ type iptables_var_lib_t; -+ ') -+ -+ manage_dirs_pattern($1, iptables_var_lib_t, iptables_var_lib_t) -+ manage_files_pattern($1, iptables_var_lib_t, iptables_var_lib_t) -+') -+ -+######################################## -+## - ## Execute iptables in the iptables domain. - ## - ## diff --git a/fix_fwupd.patch b/fix_fwupd.patch deleted file mode 100644 index 2c970f5..0000000 --- a/fix_fwupd.patch +++ /dev/null 
@@ -1,17 +0,0 @@ -Index: fedora-policy-20230116/policy/modules/contrib/fwupd.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/contrib/fwupd.fc -+++ fedora-policy-20230116/policy/modules/contrib/fwupd.fc -@@ -2,9 +2,9 @@ - - /etc/pki/(fwupd|fwupd-metadata)(/.*)? gen_context(system_u:object_r:fwupd_cert_t,s0) - --/usr/libexec/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0) --/usr/libexec/fwupd/fwupdoffline -- gen_context(system_u:object_r:fwupd_exec_t,s0) --/usr/libexec/fwupd/fwupd-detect-cet -- gen_context(system_u:object_r:fwupd_exec_t,s0) -+/usr/lib(exec)?/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0) -+/usr/lib(exec)?/fwupd/fwupdoffline -- gen_context(system_u:object_r:fwupd_exec_t,s0) -+/usr/lib(exec)?/fwupd/fwupd-detect-cet -- gen_context(system_u:object_r:fwupd_exec_t,s0) - - /var/cache/app-info(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0) - /var/cache/fwupd(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0) diff --git a/fix_geoclue.patch b/fix_geoclue.patch deleted file mode 100644 index 0d05684..0000000 --- a/fix_geoclue.patch +++ /dev/null @@ -1,10 +0,0 @@ -Index: fedora-policy/policy/modules/contrib/geoclue.fc -=================================================================== ---- fedora-policy.orig/policy/modules/contrib/geoclue.fc -+++ fedora-policy/policy/modules/contrib/geoclue.fc -@@ -1,4 +1,4 @@ -- -+/usr/lib/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0) - /usr/libexec/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0) - - /var/lib/geoclue(/.*)? gen_context(system_u:object_r:geoclue_var_lib_t,s0) diff --git a/fix_hypervkvp.patch b/fix_hypervkvp.patch deleted file mode 100644 index 3cac649..0000000 --- a/fix_hypervkvp.patch +++ /dev/null 
@@ -1,15 +0,0 @@ -Index: fedora-policy-20220124/policy/modules/contrib/hypervkvp.fc -=================================================================== ---- fedora-policy-20220124.orig/policy/modules/contrib/hypervkvp.fc -+++ fedora-policy-20220124/policy/modules/contrib/hypervkvp.fc -@@ -3,8 +3,10 @@ - /usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_file_t,s0) - - /usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0) -+/usr/lib/hyper-v/bin/.*kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0) - /usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_exec_t,s0) - - /usr/sbin/hypervvssd -- gen_context(system_u:object_r:hypervvssd_exec_t,s0) -+/usr/lib/hyper-v/bin/.*vss_daemon -- gen_context(system_u:object_r:hypervvssd_exec_t,s0) - - /var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0) diff --git a/fix_init.patch b/fix_init.patch deleted file mode 100644 index e33e0e5..0000000 --- a/fix_init.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -Index: fedora-policy-20230116/policy/modules/system/init.te -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/system/init.te -+++ fedora-policy-20230116/policy/modules/system/init.te -@@ -270,6 +270,8 @@ corecmd_exec_bin(init_t) - corenet_all_recvfrom_netlabel(init_t) - corenet_tcp_bind_all_ports(init_t) - corenet_udp_bind_all_ports(init_t) -+corenet_udp_bind_generic_node(init_t) -+corenet_tcp_bind_generic_node(init_t) - - dev_create_all_files(init_t) - dev_create_all_chr_files(init_t) -@@ -396,6 +398,7 @@ logging_manage_audit_config(init_t) - logging_create_syslog_netlink_audit_socket(init_t) - logging_write_var_log_dirs(init_t) - logging_manage_var_log_symlinks(init_t) -+logging_dgram_accept(init_t) - - seutil_read_config(init_t) - seutil_read_login_config(init_t) -@@ -448,9 +451,19 @@ ifdef(`distro_redhat',` - corecmd_shell_domtrans(init_t, initrc_t) - - storage_raw_rw_fixed_disk(init_t) -+storage_raw_read_removable_device(init_t) - - sysnet_read_dhcpc_state(init_t) - -+# bsc#1197610, find a better, generic solution -+optional_policy(` -+ mta_getattr_spool(init_t) -+') -+ -+optional_policy(` -+ networkmanager_initrc_read_lnk_files(init_t) -+') -+ - optional_policy(` - anaconda_stream_connect(init_t) - anaconda_create_unix_stream_sockets(init_t) -@@ -582,10 +595,10 @@ tunable_policy(`init_audit_control',` - allow init_t self:system all_system_perms; - allow init_t self:system module_load; - allow init_t self:unix_dgram_socket { create_socket_perms sendto }; --allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec }; -+allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec execmem }; - allow init_t self:process { getcap setcap }; - allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom }; --allow init_t self:netlink_kobject_uevent_socket create_socket_perms; -+allow init_t 
self:netlink_kobject_uevent_socket create_socket_perms; - allow init_t self:netlink_selinux_socket create_socket_perms; - allow init_t self:unix_dgram_socket lock; - # Until systemd is fixed -@@ -645,6 +658,7 @@ files_delete_all_spool_sockets(init_t) - files_create_var_lib_dirs(init_t) - files_create_var_lib_symlinks(init_t) - files_read_var_lib_symlinks(init_t) -+files_read_var_files(init_t) - files_manage_urandom_seed(init_t) - files_list_locks(init_t) - files_list_spool(init_t) -@@ -682,7 +696,7 @@ fs_list_all(init_t) - fs_list_auto_mountpoints(init_t) - fs_register_binary_executable_type(init_t) - fs_relabel_tmpfs_sock_file(init_t) --fs_rw_tmpfs_files(init_t) -+fs_rw_tmpfs_files(init_t) - fs_relabel_cgroup_dirs(init_t) - fs_search_cgroup_dirs(init_t) - # for network namespaces -@@ -738,6 +752,7 @@ systemd_write_inherited_logind_sessions_ - create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) - - create_dirs_pattern(init_t, var_log_t, var_log_t) -+files_manage_var_files(init_t) - - auth_use_nsswitch(init_t) - auth_rw_login_records(init_t) -@@ -1592,6 +1607,8 @@ optional_policy(` - - optional_policy(` - postfix_list_spool(initrc_t) -+ #allow init_t postfix_map_exec_t:file { open read execute execute_no_trans ioctl }; -+ postfix_domtrans_map(init_t) - ') - - optional_policy(` diff --git a/fix_ipsec.patch b/fix_ipsec.patch deleted file mode 100644 index f303a0a..0000000 --- a/fix_ipsec.patch +++ /dev/null 
@@ -1,20 +0,0 @@ -Index: fedora-policy-20230116/policy/modules/system/ipsec.te -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/system/ipsec.te -+++ fedora-policy-20230116/policy/modules/system/ipsec.te -@@ -88,6 +88,7 @@ allow ipsec_t self:tcp_socket create_str - allow ipsec_t self:udp_socket create_socket_perms; - allow ipsec_t self:packet_socket create_socket_perms; - allow ipsec_t self:key_socket create_socket_perms; -+allow ipsec_t self:alg_socket create_socket_perms; - allow ipsec_t self:fifo_file read_fifo_file_perms; - allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; - allow ipsec_t self:netlink_selinux_socket create_socket_perms; -@@ -270,6 +271,7 @@ allow ipsec_mgmt_t self:unix_stream_sock - allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; - allow ipsec_mgmt_t self:udp_socket create_socket_perms; - allow ipsec_mgmt_t self:key_socket create_socket_perms; -+allow ipsec_mgmt_t self:alg_socket create_socket_perms; - allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms; - allow ipsec_mgmt_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; - allow ipsec_mgmt_t self:netlink_route_socket { create_netlink_socket_perms }; diff --git a/fix_iptables.patch b/fix_iptables.patch deleted file mode 100644 index bb149fd..0000000 --- a/fix_iptables.patch +++ /dev/null @@ -1,12 +0,0 @@ -Index: fedora-policy-20220428/policy/modules/system/iptables.te -=================================================================== ---- fedora-policy-20220428.orig/policy/modules/system/iptables.te -+++ fedora-policy-20220428/policy/modules/system/iptables.te -@@ -76,6 +76,7 @@ kernel_read_network_state(iptables_t) - kernel_read_kernel_sysctls(iptables_t) - kernel_use_fds(iptables_t) - kernel_rw_net_sysctls(iptables_t) -+kernel_rw_pipes(iptables_t) - kernel_search_network_sysctl(iptables_t) - - 
diff --git a/fix_irqbalance.patch b/fix_irqbalance.patch deleted file mode 100644 index 3760aa3..0000000 --- a/fix_irqbalance.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: fedora-policy-20221019/policy/modules/contrib/irqbalance.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/irqbalance.te -+++ fedora-policy-20221019/policy/modules/contrib/irqbalance.te -@@ -24,7 +24,7 @@ files_pid_file(irqbalance_var_run_t) - allow irqbalance_t self:capability { setpcap net_admin }; - dontaudit irqbalance_t self:capability sys_tty_config; - allow irqbalance_t self:process { getcap getsched setcap signal_perms }; --allow irqbalance_t self:udp_socket create_socket_perms; -+allow irqbalance_t self:{udp_socket netlink_generic_socket} create_socket_perms; - - manage_dirs_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t) - manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t) diff --git a/fix_java.patch b/fix_java.patch deleted file mode 100644 index f1f2358..0000000 --- a/fix_java.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -Index: fedora-policy/policy/modules/contrib/java.te -=================================================================== ---- fedora-policy.orig/policy/modules/contrib/java.te 2019-08-05 13:50:32.925673660 +0200 -+++ fedora-policy/policy/modules/contrib/java.te 2019-08-05 14:06:51.896425229 +0200 -@@ -21,6 +21,7 @@ roleattribute system_r java_roles; - attribute_role unconfined_java_roles; - - type java_t, java_domain; -+typealias java_t alias java_domain_t; - type java_exec_t; - userdom_user_application_domain(java_t, java_exec_t) - typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t }; -@@ -71,19 +72,9 @@ can_exec(java_domain, { java_exec_t java - kernel_read_all_sysctls(java_domain) - kernel_search_vm_sysctl(java_domain) - kernel_read_network_state(java_domain) --kernel_read_system_state(java_domain) - - corecmd_search_bin(java_domain) - --corenet_all_recvfrom_unlabeled(java_domain) --corenet_all_recvfrom_netlabel(java_domain) --corenet_tcp_sendrecv_generic_if(java_domain) --corenet_tcp_sendrecv_generic_node(java_domain) -- --corenet_sendrecv_all_client_packets(java_domain) --corenet_tcp_connect_all_ports(java_domain) --corenet_tcp_sendrecv_all_ports(java_domain) -- - dev_read_sound(java_domain) - dev_write_sound(java_domain) - dev_read_urand(java_domain) -@@ -95,8 +86,6 @@ files_read_etc_runtime_files(java_domain - fs_getattr_all_fs(java_domain) - fs_dontaudit_rw_tmpfs_files(java_domain) - --logging_send_syslog_msg(java_domain) -- - miscfiles_read_localization(java_domain) - miscfiles_read_fonts(java_domain) - diff --git a/fix_kernel.patch b/fix_kernel.patch deleted file mode 100644 index 710e788..0000000 --- a/fix_kernel.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -Index: fedora-policy-20230206/policy/modules/kernel/kernel.te -=================================================================== ---- fedora-policy-20230206.orig/policy/modules/kernel/kernel.te -+++ fedora-policy-20230206/policy/modules/kernel/kernel.te -@@ -393,6 +393,13 @@ ifdef(`distro_redhat',` - fs_rw_tmpfs_chr_files(kernel_t) - ') - -+# this is a temporary fix. This permission doesn't make a lot of sense, but -+# without a kernel change there's not much we can do about it. I don't want to -+# audit it due to the unknown impact (happens e.g. during firewall changes) -+optional_policy(` -+ modutils_execute_kmod_tmpfs_files(kernel_t) -+') -+ - optional_policy(` - abrt_filetrans_named_content(kernel_t) - abrt_dump_oops_domtrans(kernel_t) -@@ -418,6 +425,7 @@ optional_policy(` - init_dbus_chat(kernel_t) - init_sigchld(kernel_t) - init_dyntrans(kernel_t) -+ init_read_state(kernel_t) - ') - - optional_policy(` -@@ -519,6 +527,7 @@ optional_policy(` - ') - - optional_policy(` -+ xserver_read_xdm_state(kernel_t) - xserver_xdm_manage_spool(kernel_t) - xserver_filetrans_home_content(kernel_t) - ') -Index: fedora-policy-20230206/policy/modules/system/modutils.if -=================================================================== ---- fedora-policy-20230206.orig/policy/modules/system/modutils.if -+++ fedora-policy-20230206/policy/modules/system/modutils.if -@@ -525,3 +525,21 @@ interface(`modutils_dontaudit_kmod_tmpfs - - dontaudit $1 kmod_tmpfs_t:file { getattr }; - ') -+ -+####################################### -+## -+## Execute accesses to tmp file type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`modutils_execute_kmod_tmpfs_files',` -+ gen_require(` -+ type kmod_tmpfs_t; -+ ') -+ -+ allow $1 kmod_tmpfs_t:file { execute execute_no_trans }; -+') diff --git a/fix_kernel_sysctl.patch b/fix_kernel_sysctl.patch deleted file mode 100644 index fb5a8bd..0000000 --- a/fix_kernel_sysctl.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -Index: fedora-policy-20230116/policy/modules/kernel/files.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20230116/policy/modules/kernel/files.fc -@@ -242,6 +242,8 @@ ifdef(`distro_redhat',` - /usr/lib/ostree-boot(/.*)? gen_context(system_u:object_r:usr_t,s0) - /usr/lib/modules(/.*)/vmlinuz -- gen_context(system_u:object_r:usr_t,s0) - /usr/lib/modules(/.*)/initramfs.img -- gen_context(system_u:object_r:usr_t,s0) -+/usr/lib/modules(/.*)/sysctl.conf -- gen_context(system_u:object_r:usr_t,s0) -+/usr/lib/modules(/.*)/System.map -- gen_context(system_u:object_r:system_map_t,s0) - - /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) - -Index: fedora-policy-20230116/policy/modules/system/systemd.te -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/system/systemd.te -+++ fedora-policy-20230116/policy/modules/system/systemd.te -@@ -1113,6 +1113,8 @@ init_stream_connect(systemd_sysctl_t) - logging_send_syslog_msg(systemd_sysctl_t) - - systemd_read_efivarfs(systemd_sysctl_t) -+# kernel specific sysctl.conf may be in modules dir -+allow systemd_sysctl_t modules_object_t:dir search; - - ####################################### - # diff --git a/fix_libraries.patch b/fix_libraries.patch deleted file mode 100644 index a6a228f..0000000 --- a/fix_libraries.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -Index: fedora-policy-20210419/policy/modules/system/libraries.fc -=================================================================== ---- fedora-policy-20210419.orig/policy/modules/system/libraries.fc -+++ fedora-policy-20210419/policy/modules/system/libraries.fc -@@ -124,6 +124,8 @@ ifdef(`distro_redhat',` - - /usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0) - -+/usr/lib/libreoffice/program/resource.* -- gen_context(system_u:object_r:lib_t,s0) -+ - /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) - - /usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --git a/fix_locallogin.patch b/fix_locallogin.patch deleted file mode 100644 index cdee73c..0000000 --- a/fix_locallogin.patch +++ /dev/null @@ -1,20 +0,0 @@ -Index: fedora-policy-20220624/policy/modules/system/locallogin.te -=================================================================== ---- fedora-policy-20220624.orig/policy/modules/system/locallogin.te -+++ fedora-policy-20220624/policy/modules/system/locallogin.te -@@ -63,6 +63,7 @@ kernel_read_system_state(local_login_t) - kernel_read_kernel_sysctls(local_login_t) - kernel_search_key(local_login_t) - kernel_link_key(local_login_t) -+kernel_getattr_proc(local_login_t) - - corecmd_list_bin(local_login_t) - corecmd_read_bin_symlinks(local_login_t) -@@ -137,6 +138,7 @@ auth_rw_faillog(local_login_t) - auth_manage_pam_console_data(local_login_t) - auth_domtrans_pam_console(local_login_t) - auth_use_nsswitch(local_login_t) -+auth_read_shadow(local_login_t) - - init_dontaudit_use_fds(local_login_t) - init_stream_connect(local_login_t) diff --git a/fix_logging.patch b/fix_logging.patch deleted file mode 100644 index 612c515..0000000 --- a/fix_logging.patch +++ /dev/null 
@@ -1,48 +0,0 @@
-Index: fedora-policy-20230116/policy/modules/system/logging.fc
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/system/logging.fc
-+++ fedora-policy-20230116/policy/modules/system/logging.fc
-@@ -3,6 +3,8 @@
- /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
-+/var/run/rsyslog/additional-log-sockets.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
-+/run/rsyslog/additional-log-sockets.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
- /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
-@@ -83,6 +85,7 @@ ifdef(`distro_redhat',`
- /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
- /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
- /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
-+/var/run/rsyslog(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
- /var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
- 
- /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
-Index: fedora-policy-20230116/policy/modules/system/logging.if
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/system/logging.if
-+++ fedora-policy-20230116/policy/modules/system/logging.if
-@@ -1806,3 +1806,22 @@ interface(`logging_dgram_send',`
- 
- allow $1 syslogd_t:unix_dgram_socket sendto;
- ')
-+
-+########################################
-+##
-+## Accept a message to syslogd over a unix domain
-+## datagram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_dgram_accept',`
-+ gen_require(`
-+ type syslogd_t;
-+ ')
-+
-+ allow $1 syslogd_t:unix_dgram_socket accept;
-+')
diff --git a/fix_logrotate.patch b/fix_logrotate.patch
deleted file mode 100644
index 7cb2f23..0000000
--- a/fix_logrotate.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20210628/policy/modules/contrib/logrotate.te
-===================================================================
---- fedora-policy-20210628.orig/policy/modules/contrib/logrotate.te
-+++ fedora-policy-20210628/policy/modules/contrib/logrotate.te
-@@ -104,6 +104,7 @@ files_var_lib_filetrans(logrotate_t, log
- 
- kernel_read_system_state(logrotate_t)
- kernel_read_kernel_sysctls(logrotate_t)
-+files_manage_mounttab(logrotate_t)
- 
- dev_read_urand(logrotate_t)
- dev_read_sysfs(logrotate_t)
diff --git a/fix_mcelog.patch b/fix_mcelog.patch
deleted file mode 100644
index 66c37cf..0000000
--- a/fix_mcelog.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/mcelog.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/mcelog.te
-+++ fedora-policy/policy/modules/contrib/mcelog.te
-@@ -58,7 +58,7 @@ files_pid_file(mcelog_var_run_t)
- # Local policy
- #
- 
--allow mcelog_t self:capability sys_admin;
-+allow mcelog_t self:capability { sys_admin setgid };
- allow mcelog_t self:unix_stream_socket connected_socket_perms;
- 
- allow mcelog_t mcelog_etc_t:dir list_dir_perms;
diff --git a/fix_miscfiles.patch b/fix_miscfiles.patch
deleted file mode 100644
index 9a954e0..0000000
--- a/fix_miscfiles.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy/policy/modules/system/miscfiles.fc
-===================================================================
---- fedora-policy.orig/policy/modules/system/miscfiles.fc 2019-08-05 09:39:39.117510678 +0200
-+++ fedora-policy/policy/modules/system/miscfiles.fc 2019-08-22 12:44:01.678484113 +0200
-@@ -46,6 +46,7 @@ ifdef(`distro_redhat',`
- /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
- 
- /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
-+/var/lib/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
- /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
- /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
- /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
diff --git a/fix_nagios.patch b/fix_nagios.patch
deleted file mode 100644
index 08fdbf0..0000000
--- a/fix_nagios.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/nagios.fc
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/nagios.fc
-+++ fedora-policy/policy/modules/contrib/nagios.fc
-@@ -24,6 +24,7 @@
- /var/log/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
- 
- /var/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
-+/var/lib/nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
- 
- /var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
- 
-Index: fedora-policy/policy/modules/contrib/nagios.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/nagios.te
-+++ fedora-policy/policy/modules/contrib/nagios.te
-@@ -161,6 +161,7 @@ allow nagios_t nagios_spool_t:file map;
- manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
- manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
- manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
-+manage_sock_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
- files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { dir file fifo_file })
- 
- kernel_read_system_state(nagios_t)
diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch
deleted file mode 100644
index f76012a..0000000
--- a/fix_networkmanager.patch
+++ /dev/null
@@ -1,131 +0,0 @@ -Index: fedora-policy-20230206/policy/modules/contrib/networkmanager.te -=================================================================== ---- fedora-policy-20230206.orig/policy/modules/contrib/networkmanager.te -+++ fedora-policy-20230206/policy/modules/contrib/networkmanager.te -@@ -260,6 +260,7 @@ sysnet_search_dhcp_state(NetworkManager_ - sysnet_manage_config(NetworkManager_t) - sysnet_filetrans_named_content(NetworkManager_t) - sysnet_filetrans_net_conf(NetworkManager_t) -+sysnet_watch_config(NetworkManager_t) - - systemd_login_watch_pid_dirs(NetworkManager_t) - systemd_login_watch_session_dirs(NetworkManager_t) -@@ -276,6 +277,9 @@ userdom_read_home_certs(NetworkManager_t - userdom_read_user_home_content_files(NetworkManager_t) - userdom_dgram_send(NetworkManager_t) - -+hostname_exec(NetworkManager_t) -+networkmanager_systemctl(NetworkManager_t) -+ - tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(NetworkManager_t) - ') -@@ -285,6 +289,14 @@ tunable_policy(`use_samba_home_dirs',` - ') - - optional_policy(` -+ ntp_manage_pid_files(NetworkManager_t) -+') -+ -+optional_policy(` -+ nis_systemctl_ypbind(NetworkManager_t) -+') -+ -+optional_policy(` - avahi_domtrans(NetworkManager_t) - avahi_kill(NetworkManager_t) - avahi_signal(NetworkManager_t) -@@ -293,6 +305,14 @@ optional_policy(` - ') - - optional_policy(` -+ packagekit_dbus_chat(NetworkManager_t) -+') -+ -+optional_policy(` -+ networkmanager_dbus_chat(NetworkManager_t) -+') -+ -+optional_policy(` - bind_domtrans(NetworkManager_t) - bind_manage_cache(NetworkManager_t) - bind_kill(NetworkManager_t) -@@ -420,6 +440,8 @@ optional_policy(` - nscd_kill(NetworkManager_t) - nscd_initrc_domtrans(NetworkManager_t) - nscd_systemctl(NetworkManager_t) -+ nscd_socket_use(NetworkManager_dispatcher_tlp_t) -+ nscd_socket_use(NetworkManager_dispatcher_custom_t) - ') - - optional_policy(` -@@ -608,6 +630,7 @@ files_manage_etc_files(NetworkManager_di - - 
init_status(NetworkManager_dispatcher_cloud_t) - init_status(NetworkManager_dispatcher_ddclient_t) -+init_status(NetworkManager_dispatcher_custom_t) - init_append_stream_sockets(networkmanager_dispatcher_plugin) - init_ioctl_stream_sockets(networkmanager_dispatcher_plugin) - init_stream_connect(networkmanager_dispatcher_plugin) -@@ -623,6 +646,10 @@ optional_policy(` - ') - - optional_policy(` -+ nscd_shm_use(NetworkManager_dispatcher_chronyc_t) -+') -+ -+optional_policy(` - cloudform_init_domtrans(NetworkManager_dispatcher_cloud_t) - ') - -Index: fedora-policy-20230206/policy/modules/contrib/networkmanager.if -=================================================================== ---- fedora-policy-20230206.orig/policy/modules/contrib/networkmanager.if -+++ fedora-policy-20230206/policy/modules/contrib/networkmanager.if -@@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran - init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) - ') - -+####################################### -+## -+## Allow reading of NetworkManager link files -+## -+## -+## -+## Domain allowed to read the links -+## -+## -+# -+interface(`networkmanager_initrc_read_lnk_files',` -+ gen_require(` -+ type NetworkManager_initrc_exec_t; -+ ') -+ -+ read_lnk_files_pattern($1, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) -+') -+ - ######################################## - ## - ## Execute NetworkManager server in the NetworkManager domain. 
-Index: fedora-policy-20230206/policy/modules/contrib/networkmanager.fc
-===================================================================
---- fedora-policy-20230206.orig/policy/modules/contrib/networkmanager.fc
-+++ fedora-policy-20230206/policy/modules/contrib/networkmanager.fc
-@@ -24,6 +24,7 @@
- /usr/lib/NetworkManager/dispatcher\.d/04-iscsi -- gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/10-sendmail -- gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/11-dhclient -- gen_context(system_u:object_r:NetworkManager_dispatcher_dhclient_script_t,s0)
-+/usr/lib/NetworkManager/dispatcher\.d/20-chrony -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/20-chrony-dhcp -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/20-chrony-onoffline -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/30-winbind -- gen_context(system_u:object_r:NetworkManager_dispatcher_winbind_script_t,s0)
-@@ -37,6 +38,9 @@
- 
- /usr/libexec/nm-dispatcher -- gen_context(system_u:object_r:NetworkManager_dispatcher_exec_t,s0)
- /usr/libexec/nm-priv-helper -- gen_context(system_u:object_r:NetworkManager_priv_helper_exec_t,s0)
-+# bsc#1206355
-+/usr/lib/nm-dispatcher -- gen_context(system_u:object_r:NetworkManager_dispatcher_exec_t,s0)
-+/usr/lib/nm-priv-helper -- gen_context(system_u:object_r:NetworkManager_priv_helper_exec_t,s0)
- 
- /usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
- /usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
diff --git a/fix_nis.patch b/fix_nis.patch
deleted file mode 100644
index 117562c..0000000
--- a/fix_nis.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/nis.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/nis.te
-+++ fedora-policy/policy/modules/contrib/nis.te
-@@ -78,6 +78,7 @@ manage_files_pattern(ypbind_t, ypbind_va
- files_pid_filetrans(ypbind_t, ypbind_var_run_t, file)
- 
- manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
-+manage_dirs_pattern(ypbind_t, var_yp_t, var_yp_t)
- 
- kernel_read_system_state(ypbind_t)
- kernel_read_kernel_sysctls(ypbind_t)
diff --git a/fix_nscd.patch b/fix_nscd.patch
deleted file mode 100644
index 56a7c50..0000000
--- a/fix_nscd.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-Index: fedora-policy-20210628/policy/modules/contrib/nscd.fc
-===================================================================
---- fedora-policy-20210628.orig/policy/modules/contrib/nscd.fc
-+++ fedora-policy-20210628/policy/modules/contrib/nscd.fc
-@@ -8,8 +8,10 @@
- /var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
- 
- /var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0)
--/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
-+/var/run/nscd/socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
- 
-+/var/lib/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
- /var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
- 
- /usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
-+
-Index: fedora-policy-20210628/policy/modules/contrib/nscd.te
-===================================================================
---- fedora-policy-20210628.orig/policy/modules/contrib/nscd.te
-+++ fedora-policy-20210628/policy/modules/contrib/nscd.te
-@@ -130,6 +130,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns
- userdom_dontaudit_search_user_home_dirs(nscd_t)
- 
- optional_policy(`
-+ networkmanager_read_pid_files(nscd_t)
-+')
-+
-+optional_policy(`
-+ wicked_read_pid_files(nscd_t)
-+')
-+
-+optional_policy(`
- accountsd_dontaudit_rw_fifo_file(nscd_t)
- ')
- 
diff --git a/fix_ntp.patch b/fix_ntp.patch
deleted file mode 100644
index c762c96..0000000
--- a/fix_ntp.patch
+++ /dev/null
@@ -1,99 +0,0 @@ -Index: fedora-policy-20230125/policy/modules/contrib/ntp.fc -=================================================================== ---- fedora-policy-20230125.orig/policy/modules/contrib/ntp.fc -+++ fedora-policy-20230125/policy/modules/contrib/ntp.fc -@@ -9,6 +9,7 @@ - - /etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) - -+/usr/sbin/start-ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) - /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) - /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) - /usr/libexec/ntpdate-wrapper -- gen_context(system_u:object_r:ntpdate_exec_t,s0) -@@ -16,7 +17,6 @@ - - /usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0) - --/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) - /var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) - /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) - -@@ -25,3 +25,26 @@ - /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) - - /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) -+ -+/var/lib/ntp gen_context(system_u:object_r:root_t,s0) -+/var/lib/ntp/kod gen_context(system_u:object_r:etc_runtime_t,s0) -+/var/lib/ntp/dev gen_context(system_u:object_r:device_t,s0) -+/var/lib/ntp/etc gen_context(system_u:object_r:etc_t,s0) -+/var/lib/ntp/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0) -+/var/lib/ntp/etc/ntp/crypto(/.*)? -- gen_context(system_u:object_r:ntpd_key_t,s0) -+/var/lib/ntp/etc/ntp/data(/.*)? -- gen_context(system_u:object_r:ntp_drift_t,s0) -+/var/lib/ntp/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) -+/var/lib/ntp/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0) -+/var/lib/ntp/etc/ntp.conf.iburst -- gen_context(system_u:object_r:ntp_conf_t,s0) -+/var/lib/ntp/var(/.*)? gen_context(system_u:object_r:var_t,s0) -+/var/lib/ntp/var/lib(/.*)? 
gen_context(system_u:object_r:var_lib_t,s0) -+/var/lib/ntp/var/run(/.*)? gen_context(system_u:object_r:var_run_t,s0) -+/var/lib/ntp/var/run/ntp(/.*)? gen_context(system_u:object_r:ntpd_var_run_t,s0) -+/var/lib/ntp/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) -+/var/lib/ntp/var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) -+/var/lib/ntp/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) -+/var/lib/ntp/drift gen_context(system_u:object_r:ntp_drift_t,s0) -+/var/lib/ntp/drift/ntp.drift -- gen_context(system_u:object_r:ntp_drift_t,s0) -+/var/lib/ntp/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) -+/var/lib/ntp/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0) -+/var/lib/ntp/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) -Index: fedora-policy-20230125/policy/modules/contrib/ntp.te -=================================================================== ---- fedora-policy-20230125.orig/policy/modules/contrib/ntp.te -+++ fedora-policy-20230125/policy/modules/contrib/ntp.te -@@ -49,6 +49,9 @@ init_system_domain(ntpd_t, ntpdate_exec_ - - allow ntpd_t self:capability { chown dac_read_search kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; - dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; -+# remove once 1207577 is done -+allow ntpd_t self:capability dac_override; -+ - allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; - allow ntpd_t self:fifo_file rw_fifo_file_perms; - allow ntpd_t self:shm create_shm_perms; -@@ -78,7 +81,8 @@ manage_files_pattern(ntpd_t, ntpd_tmpfs_ - fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file }) - - manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t) --files_pid_filetrans(ntpd_t, ntpd_var_run_t, file) -+manage_lnk_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t) -+files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file dir lnk_file }) - - 
can_exec(ntpd_t, ntpd_exec_t) - can_exec(ntpd_t, ntpdate_exec_t) -Index: fedora-policy-20230125/policy/modules/contrib/ntp.if -=================================================================== ---- fedora-policy-20230125.orig/policy/modules/contrib/ntp.if -+++ fedora-policy-20230125/policy/modules/contrib/ntp.if -@@ -339,3 +339,23 @@ interface(`ntp_manage_log',` - manage_lnk_files_pattern($1, ntpd_log_t, ntpd_log_t) - ') - -+######################################## -+## -+## Create, read, write, and delete -+## ntp pid (lnk) files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`ntp_manage_pid_files',` -+ gen_require(` -+ type ntpd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ manage_files_pattern($1, ntpd_var_run_t, ntpd_var_run_t) -+ manage_lnk_files_pattern($1, ntpd_var_run_t, ntpd_var_run_t) -+') diff --git a/fix_openvpn.patch b/fix_openvpn.patch deleted file mode 100644 index 3acf3e5..0000000 --- a/fix_openvpn.patch +++ /dev/null @@ -1,41 +0,0 @@ -Index: fedora-policy/policy/modules/contrib/openvpn.te -=================================================================== ---- fedora-policy.orig/policy/modules/contrib/openvpn.te -+++ fedora-policy/policy/modules/contrib/openvpn.te -@@ -28,6 +28,14 @@ gen_tunable(openvpn_enable_homedirs, fal - ## - gen_tunable(openvpn_can_network_connect, true) - -+## -+##

-+## Determine whether openvpn can -+## change sysctl values (e.g. rp_filter) -+##

-+##
-+gen_tunable(openvpn_allow_changing_sysctls, false) -+ - attribute_role openvpn_roles; - - type openvpn_t; -@@ -176,6 +184,10 @@ userdom_attach_admin_tun_iface(openvpn_t - userdom_read_inherited_user_tmp_files(openvpn_t) - userdom_read_inherited_user_home_content_files(openvpn_t) - -+tunable_policy(`openvpn_allow_changing_sysctls',` -+ kernel_rw_net_sysctls(openvpn_t) -+') -+ - tunable_policy(`openvpn_enable_homedirs',` - userdom_search_user_home_dirs(openvpn_t) - ') -@@ -195,6 +207,10 @@ tunable_policy(`openvpn_can_network_conn - ') - - optional_policy(` -+ firewalld_dbus_chat(openvpn_t) -+') -+ -+optional_policy(` - brctl_domtrans(openvpn_t) - ') - diff --git a/fix_postfix.patch b/fix_postfix.patch deleted file mode 100644 index 9b7fb86..0000000 --- a/fix_postfix.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/postfix.fc -+++ fedora-policy-20221019/policy/modules/contrib/postfix.fc -@@ -1,37 +1,21 @@ - # postfix --/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) --/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0) --/etc/postfix/chroot-update -- gen_context(system_u:object_r:postfix_exec_t,s0) --ifdef(`distro_redhat', ` --/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) --/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) --/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) --/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) --/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) --/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) --/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) --/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) --/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) --/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) --/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) --/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) --/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) --/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0) --', ` --/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) --/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) --/usr/lib/postfix/local -- 
gen_context(system_u:object_r:postfix_local_exec_t,s0) --/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) --/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) --/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) --/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) --/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) --/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) --/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) --/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) --/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) --/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) --') -+/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0) -+/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0) -+/etc/postfix/chroot-update -- gen_context(system_u:object_r:postfix_exec_t,s0) -+/usr/lib/postfix/bin/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -+/usr/lib/postfix/systemd/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -+/usr/lib/postfix/bin/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0) -+/usr/lib/postfix/bin/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0) -+/usr/lib/postfix/bin/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -+/usr/lib/postfix/bin/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0) -+/usr/lib/postfix/bin/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0) -+/usr/lib/postfix/bin/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0) -+/usr/lib/postfix/bin/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -+/usr/lib/postfix/bin/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) 
-+/usr/lib/postfix/bin/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0) -+/usr/lib/postfix/bin/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0) -+/usr/lib/postfix/bin/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0) -+/usr/lib/postfix/bin/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0) - /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) - /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) - /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) -@@ -45,13 +29,16 @@ ifdef(`distro_redhat', ` - /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0) - /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0) - -+/etc/postfix/system/.* -- gen_context(system_u:object_r:postfix_exec_t,s0) -+/etc/postfix/system/update_postmaps -- gen_context(system_u:object_r:postfix_map_exec_t,s0) -+ - /var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0) - - /var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0) - /var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) - /var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) - /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0) --/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) -+/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0) - /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) - /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0) - /var/spool/postfix/bounce(/.*)? 
gen_context(system_u:object_r:postfix_spool_bounce_t,s0) -Index: fedora-policy-20221019/policy/modules/contrib/postfix.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/postfix.te -+++ fedora-policy-20221019/policy/modules/contrib/postfix.te -@@ -121,6 +121,8 @@ allow postfix_master_t self:udp_socket c - allow postfix_master_t postfix_etc_t:dir rw_dir_perms; - allow postfix_master_t postfix_etc_t:file rw_file_perms; - mta_filetrans_aliases(postfix_master_t, postfix_etc_t) -+# SUSE also runs this on /etc/alias -+mta_filetrans_aliases(postfix_master_t, etc_t) - - can_exec(postfix_master_t, postfix_exec_t) - -@@ -447,6 +449,14 @@ logging_send_syslog_msg(postfix_map_t) - - userdom_use_inherited_user_ptys(postfix_map_t) - -+corecmd_exec_bin(postfix_map_t) -+allow postfix_map_t postfix_map_exec_t:file execute_no_trans; -+init_ioctl_stream_sockets(postfix_map_t) -+ -+optional_policy(` -+ mta_read_aliases(postfix_map_t) -+') -+ - optional_policy(` - locallogin_dontaudit_use_fds(postfix_map_t) - ') -@@ -687,6 +697,14 @@ corenet_tcp_connect_spamd_port(postfix_m - files_search_all_mountpoints(postfix_smtp_t) - - optional_policy(` -+ networkmanager_read_pid_files(postfix_smtp_t) -+') -+ -+optional_policy(` -+ wicked_read_pid_files(postfix_smtp_t) -+') -+ -+optional_policy(` - cyrus_stream_connect(postfix_smtp_t) - cyrus_runtime_stream_connect(postfix_smtp_t) - ') diff --git a/fix_rpm.patch b/fix_rpm.patch deleted file mode 100644 index 77ca8ac..0000000 --- a/fix_rpm.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -Index: fedora-policy-20230116/policy/modules/contrib/rpm.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/contrib/rpm.fc -+++ fedora-policy-20230116/policy/modules/contrib/rpm.fc -@@ -23,6 +23,9 @@ - # This is in /usr, but is expected to be variable content from a policy perspective (#2042149) - /usr/lib/sysimage/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) - -+/usr/sbin/zypp-refresh -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/zypper -- gen_context(system_u:object_r:rpm_exec_t,s0) -+ - /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) - /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) - /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0) -@@ -61,6 +64,8 @@ ifdef(`distro_redhat', ` - /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) - /var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) - -+/var/cache/zypp(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) -+ - /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) - /var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) - /var/lib/rpm(/.*)? 
gen_context(system_u:object_r:rpm_var_lib_t,s0) -Index: fedora-policy-20230116/policy/modules/contrib/rpm.if -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/contrib/rpm.if -+++ fedora-policy-20230116/policy/modules/contrib/rpm.if -@@ -515,8 +515,10 @@ interface(`rpm_named_filetrans',` - logging_log_named_filetrans($1, rpm_log_t, file, "yum.log") - logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log") - logging_log_named_filetrans($1, rpm_log_t, file, "up2date") -+ logging_log_named_filetrans($1, rpm_log_t, file, "zypper.log") - files_var_filetrans($1, rpm_var_cache_t, dir, "dnf") - files_var_filetrans($1, rpm_var_cache_t, dir, "yum") -+ files_var_filetrans($1, rpm_var_cache_t, dir, "zypp") - files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf") - files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum") - files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm") -Index: fedora-policy-20230116/policy/modules/kernel/files.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20230116/policy/modules/kernel/files.fc -@@ -67,6 +67,7 @@ ifdef(`distro_redhat',` - /etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) - /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) - /etc/yum\.repos\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0) -+/etc/zypp(/.*)? gen_context(system_u:object_r:system_conf_t,s0) - /etc/ostree/remotes.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0) - - /ostree/repo(/.*)? gen_context(system_u:object_r:system_conf_t,s0) diff --git a/fix_rtkit.patch b/fix_rtkit.patch deleted file mode 100644 index 0f6a9ab..0000000 --- a/fix_rtkit.patch +++ /dev/null 
@@ -1,11 +0,0 @@
-Index: fedora-policy-20230116/policy/modules/contrib/rtkit.fc
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/contrib/rtkit.fc
-+++ fedora-policy-20230116/policy/modules/contrib/rtkit.fc
-@@ -1,5 +1,6 @@
- /etc/rc\.d/init\.d/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_initrc_exec_t,s0)
- 
- /usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
-+/usr/libexec/rtkit/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
- 
- /usr/lib/rtkit/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
diff --git a/fix_screen.patch b/fix_screen.patch
deleted file mode 100644
index efc3cdb..0000000
--- a/fix_screen.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/screen.if
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/screen.if
-+++ fedora-policy/policy/modules/contrib/screen.if
-@@ -45,6 +45,7 @@ template(`screen_role_template',`
- 
- userdom_list_user_home_dirs($1_screen_t)
- userdom_home_reader($1_screen_t)
-+ userdom_read_user_home_content_symlinks($1_screen_t)
- 
- domtrans_pattern($3, screen_exec_t, $1_screen_t)
- allow $3 $1_screen_t:process { signal sigchld };
-Index: fedora-policy/policy/modules/contrib/screen.fc
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/screen.fc
-+++ fedora-policy/policy/modules/contrib/screen.fc
-@@ -8,4 +8,5 @@ HOME_DIR/\.tmux\.conf -- gen_context(sys
- /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
- 
- /var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
-+/var/run/uscreens(/.*)?' gen_context(system_u:object_r:screen_var_run_t,s0)
- /var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
diff --git a/fix_selinuxutil.patch b/fix_selinuxutil.patch
deleted file mode 100644
index 3cc047a..0000000
--- a/fix_selinuxutil.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Index: fedora-policy-20230116/policy/modules/system/selinuxutil.te
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/system/selinuxutil.te
-+++ fedora-policy-20230116/policy/modules/system/selinuxutil.te
-@@ -239,6 +239,10 @@ ifdef(`hide_broken_symptoms',`
- ')
- 
- optional_policy(`
-+ packagekit_read_write_fifo(load_policy_t)
-+')
-+
-+optional_policy(`
- portage_dontaudit_use_fds(load_policy_t)
- ')
- 
-@@ -619,6 +623,10 @@ logging_send_audit_msgs(setfiles_t)
- logging_send_syslog_msg(setfiles_t)
- 
- optional_policy(`
-+ packagekit_read_write_fifo(setfiles_t)
-+')
-+
-+optional_policy(`
- cloudform_dontaudit_write_cloud_log(setfiles_t)
- ')
- 
-Index: fedora-policy-20230116/policy/modules/system/selinuxutil.if
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/system/selinuxutil.if
-+++ fedora-policy-20230116/policy/modules/system/selinuxutil.if
-@@ -795,6 +795,8 @@ interface(`seutil_dontaudit_read_config'
- 
- dontaudit $1 selinux_config_t:dir search_dir_perms;
- dontaudit $1 selinux_config_t:file read_file_perms;
-+ # /etc/selinux/config was a link to /etc/sysconfig/selinux-policy, ignore read attemps
-+ dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
diff --git a/fix_sendmail.patch b/fix_sendmail.patch
deleted file mode 100644
index c3fbc09..0000000
--- a/fix_sendmail.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/sendmail.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/sendmail.fc
-+++ fedora-policy-20221019/policy/modules/contrib/sendmail.fc
-@@ -1,8 +1,9 @@
- 
- /etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
-+/etc/mail/system/sm-client.pre -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
- 
- /var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0)
- /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
- 
--/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
-+/var/run/sendmail(/.*)? gen_context(system_u:object_r:sendmail_var_run_t,s0)
- /var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
-Index: fedora-policy-20221019/policy/modules/contrib/sendmail.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/sendmail.te
-+++ fedora-policy-20221019/policy/modules/contrib/sendmail.te
-@@ -60,8 +60,10 @@ manage_dirs_pattern(sendmail_t, sendmail
- manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
- files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
- 
--allow sendmail_t sendmail_var_run_t:file manage_file_perms;
--files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
-+manage_dirs_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
-+manage_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
-+manage_sock_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
-+files_pid_filetrans(sendmail_t, sendmail_var_run_t, { file dir })
- 
- kernel_read_network_state(sendmail_t)
- kernel_read_kernel_sysctls(sendmail_t)
diff --git a/fix_smartmon.patch b/fix_smartmon.patch
deleted file mode 100644
index 3d965d9..0000000
--- a/fix_smartmon.patch
+++ /dev/null
@@ -1,9 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/smartmon.fc
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/smartmon.fc
-+++ fedora-policy/policy/modules/contrib/smartmon.fc
-@@ -5,3 +5,4 @@
- /var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
- 
- /var/lib/smartmontools(/.*)? gen_context(system_u:object_r:fsdaemon_var_lib_t,s0)
-+/var/lib/smartmontools/smartd_opts -- gen_context(system_u:object_r:etc_t,s0)
diff --git a/fix_snapper.patch b/fix_snapper.patch
deleted file mode 100644
index 045bc12..0000000
--- a/fix_snapper.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/snapper.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/snapper.te
-+++ fedora-policy-20221019/policy/modules/contrib/snapper.te
-@@ -18,6 +18,9 @@ files_config_file(snapperd_conf_t)
- type snapperd_data_t;
- files_type(snapperd_data_t)
- 
-+type snapperd_tmp_t;
-+files_tmp_file(snapperd_tmp_t)
-+
- ########################################
- #
- # snapperd local policy
-@@ -43,6 +46,10 @@ allow snapperd_t snapperd_data_t:dir { r
- allow snapperd_t snapperd_data_t:file relabelfrom;
- snapper_filetrans_named_content(snapperd_t)
- 
-+allow snapperd_t snapperd_tmp_t:file manage_file_perms;
-+allow snapperd_t snapperd_tmp_t:dir manage_dir_perms;
-+files_tmp_filetrans(snapperd_t, snapperd_tmp_t, { file dir })
-+
- kernel_setsched(snapperd_t)
- 
- domain_read_all_domains_state(snapperd_t)
-@@ -73,6 +80,14 @@ storage_raw_read_fixed_disk(snapperd_t)
- auth_use_nsswitch(snapperd_t)
- 
- optional_policy(`
-+ packagekit_dbus_chat(snapperd_t)
-+')
-+
-+optional_policy(`
-+ rpm_dbus_chat(snapperd_t)
-+')
-+
-+optional_policy(`
- cron_system_entry(snapperd_t, snapperd_exec_t)
- ')
- 
-Index: fedora-policy-20221019/policy/modules/contrib/snapper.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/snapper.fc
-+++ fedora-policy-20221019/policy/modules/contrib/snapper.fc
-@@ -7,9 +7,17 @@
- 
- /var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0)
- 
--/mnt/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
--/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
--/usr/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
--/var/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
--/etc/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
--HOME_ROOT/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+/mnt/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+/usr/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+/var/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+/etc/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+HOME_ROOT/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+
-+# ensure that the snapshots itself aren't relabled
-+/mnt/(.*/)?\.snapshots/[^/]*/snapshot(/.*)? <>
-+/\.snapshots/[^/]*/snapshot(/.*)? <>
-+/usr/\.snapshots/[^/]*/snapshot(/.*)? <>
-+/var/\.snapshots/[^/]*/snapshot(/.*)? <>
-+/etc/\.snapshots/[^/]*/snapshot(/.*)? <>
-+HOME_ROOT/(.*/)?\.snapshots/[^/]*/snapshot(/.*)? <>
diff --git a/fix_sslh.patch b/fix_sslh.patch
deleted file mode 100644
index 5a6e49a..0000000
--- a/fix_sslh.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/sslh.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/sslh.te
-+++ fedora-policy/policy/modules/contrib/sslh.te
-@@ -28,6 +28,7 @@ gen_tunable(sslh_can_bind_any_port, fals
- type sslh_t;
- type sslh_exec_t;
- init_daemon_domain(sslh_t, sslh_exec_t)
-+init_nnp_daemon_domain(sslh_t)
- 
- type sslh_config_t;
- files_config_file(sslh_config_t)
-@@ -90,6 +91,7 @@ tunable_policy(`sslh_can_connect_any_por
- # allow sslh to connect to any port
- corenet_tcp_sendrecv_all_ports(sslh_t)
- corenet_tcp_connect_all_ports(sslh_t)
-+ corenet_tcp_connect_all_ports(sslh_t)
- ')
- 
- tunable_policy(`sslh_can_bind_any_port',`
-Index: fedora-policy/policy/modules/contrib/sslh.fc
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/sslh.fc
-+++ fedora-policy/policy/modules/contrib/sslh.fc
-@@ -4,6 +4,8 @@
- /etc/rc\.d/init\.d/sslh -- gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
- /etc/sslh(/.*)? gen_context(system_u:object_r:sslh_config_t,s0)
- /etc/sslh\.cfg -- gen_context(system_u:object_r:sslh_config_t,s0)
-+/etc/conf\.d/sslh -- gen_context(system_u:object_r:sslh_config_t,s0)
-+/etc/default/sslh -- gen_context(system_u:object_r:sslh_config_t,s0)
- /etc/sysconfig/sslh -- gen_context(system_u:object_r:sslh_config_t,s0)
- /usr/lib/systemd/system/sslh.* -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
- /var/run/sslh.* gen_context(system_u:object_r:sslh_var_run_t,s0)
diff --git a/fix_sysnetwork.patch b/fix_sysnetwork.patch
deleted file mode 100644
index 81fb138..0000000
--- a/fix_sysnetwork.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/system/sysnetwork.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/sysnetwork.fc
-+++ fedora-policy-20221019/policy/modules/system/sysnetwork.fc
-@@ -33,9 +33,9 @@ ifdef(`distro_debian',`
- /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
- 
- ifdef(`distro_redhat',`
--/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/sysconfig/network/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
--/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- /var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- /var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
- /var/run/systemd/resolve/stub-resolv\.conf gen_context(system_u:object_r:net_conf_t,s0)
-@@ -103,6 +103,8 @@ ifdef(`distro_debian',`
- /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- ')
- 
-+/var/run/netconfig(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
-+
- /var/run/netns -d gen_context(system_u:object_r:ifconfig_var_run_t,s0)
- /var/run/netns/[^/]+ <>
- 
diff --git a/fix_systemd.patch b/fix_systemd.patch
deleted file mode 100644
index 11c069c..0000000
--- a/fix_systemd.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-Index: fedora-policy-20230116/policy/modules/system/systemd.te
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20230116/policy/modules/system/systemd.te
-@@ -381,6 +381,10 @@ userdom_manage_user_tmp_chr_files(system
- xserver_dbus_chat(systemd_logind_t)
- 
- optional_policy(`
-+ packagekit_dbus_chat(systemd_logind_t)
-+')
-+
-+optional_policy(`
- apache_read_tmp_files(systemd_logind_t)
- ')
- 
-@@ -863,6 +867,10 @@ optional_policy(`
- dbus_system_bus_client(systemd_localed_t)
- ')
- 
-+optional_policy(`
-+ nscd_unconfined(systemd_hostnamed_t)
-+')
-+
- #######################################
- #
- # Hostnamed policy
-@@ -1195,6 +1203,8 @@ systemd_unit_file_filetrans(systemd_gpt_
- systemd_create_unit_file_dirs(systemd_gpt_generator_t)
- systemd_create_unit_file_lnk(systemd_gpt_generator_t)
- 
-+kernel_dgram_send(systemd_gpt_generator_t)
-+
- optional_policy(`
- udev_read_pid_files(systemd_gpt_generator_t)
- ')
diff --git a/fix_systemd_watch.patch b/fix_systemd_watch.patch
deleted file mode 100644
index 72073ab..0000000
--- a/fix_systemd_watch.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Index: fedora-policy-20230206/policy/modules/system/systemd.te
-===================================================================
---- fedora-policy-20230206.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20230206/policy/modules/system/systemd.te
-@@ -1524,6 +1524,12 @@ fstools_rw_swap_files(systemd_sleep_t)
- storage_getattr_fixed_disk_dev(systemd_sleep_t)
- storage_getattr_removable_dev(systemd_sleep_t)
- 
-+#######################################
-+#
-+# Allow systemd to watch certificate dir for ca-certificates
-+#
-+watch_dirs_pattern(init_t,cert_t,cert_t)
-+
- optional_policy(`
- sysstat_domtrans(systemd_sleep_t)
- ')
diff --git a/fix_thunderbird.patch b/fix_thunderbird.patch
deleted file mode 100644
index 159afc4..0000000
--- a/fix_thunderbird.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20210628/policy/modules/contrib/thunderbird.te
-===================================================================
---- fedora-policy-20210628.orig/policy/modules/contrib/thunderbird.te
-+++ fedora-policy-20210628/policy/modules/contrib/thunderbird.te
-@@ -138,7 +138,6 @@ optional_policy(`
- optional_policy(`
- gnome_stream_connect_gconf(thunderbird_t)
- gnome_domtrans_gconfd(thunderbird_t)
-- gnome_manage_generic_home_content(thunderbird_t)
- ')
- 
- optional_policy(`
diff --git a/fix_unconfined.patch b/fix_unconfined.patch
deleted file mode 100644
index 815055b..0000000
--- a/fix_unconfined.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/system/unconfined.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/unconfined.te
-+++ fedora-policy-20221019/policy/modules/system/unconfined.te
-@@ -1,5 +1,10 @@
- policy_module(unconfined, 3.5.0)
- 
-+require {
-+ type var_run_t;
-+ type net_conf_t;
-+}
-+
- ########################################
- #
- # Declarations
-@@ -45,3 +50,6 @@ optional_policy(`
- optional_policy(`
- container_runtime_domtrans(unconfined_service_t)
- ')
-+
-+filetrans_pattern(unconfined_service_t, var_run_t, net_conf_t, dir)
-+
diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch
deleted file mode 100644
index bad300f..0000000
--- a/fix_unconfineduser.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-Index: fedora-policy-20230206/policy/modules/roles/unconfineduser.te
-===================================================================
---- fedora-policy-20230206.orig/policy/modules/roles/unconfineduser.te
-+++ fedora-policy-20230206/policy/modules/roles/unconfineduser.te
-@@ -126,6 +126,11 @@ tunable_policy(`unconfined_dyntrans_all'
- domain_dyntrans(unconfined_t)
- ')
- 
-+# FIXME this is probably caused by some wierd PAM interaction
-+corecmd_entrypoint_all_executables(unconfined_t)
-+# FIXME sddm JITs some code, requiring execmod on user_tmp_t. Check how to disable this behaviour in sddm/qtdeclarative
-+files_execmod_tmp(unconfined_t)
-+
- optional_policy(`
- gen_require(`
- type unconfined_t;
-@@ -216,6 +221,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ cron_system_spool_entrypoint(unconfined_t)
-+')
-+
-+optional_policy(`
- chrome_role_notrans(unconfined_r, unconfined_t)
- 
- tunable_policy(`unconfined_chrome_sandbox_transition',`
-@@ -250,6 +259,18 @@ optional_policy(`
- dbus_stub(unconfined_t)
- 
- optional_policy(`
-+ accountsd_dbus_chat(unconfined_dbusd_t)
-+ ')
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(unconfined_dbusd_t)
-+ ')
-+
-+ optional_policy(`
-+ systemd_dbus_chat_logind(unconfined_dbusd_t)
-+ ')
-+
-+ optional_policy(`
- bluetooth_dbus_chat(unconfined_t)
- ')
- 
diff --git a/fix_unprivuser.patch b/fix_unprivuser.patch
deleted file mode 100644
index 70fe21e..0000000
--- a/fix_unprivuser.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/roles/unprivuser.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/roles/unprivuser.te
-+++ fedora-policy-20221019/policy/modules/roles/unprivuser.te
-@@ -300,6 +300,13 @@ ifndef(`distro_redhat',`
- ')
- 
- optional_policy(`
-+ rtorrent_role(user_r, user_t)
-+ # needed for tunable rtorrent_send_mails
-+ mta_role_access_system_mail(user_r)
-+')
-+
-+
-+optional_policy(`
- vmtools_run_helper(user_t, user_r)
- ')
- 
diff --git a/fix_userdomain.patch b/fix_userdomain.patch
deleted file mode 100644
index a2ea637..0000000
--- a/fix_userdomain.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20230116/policy/modules/system/userdomain.if
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/system/userdomain.if
-+++ fedora-policy-20230116/policy/modules/system/userdomain.if
-@@ -1515,6 +1515,7 @@ tunable_policy(`deny_bluetooth',`',`
- 
- # port access is audited even if dac would not have allowed it, so dontaudit it here
- # corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-+ corenet_dontaudit_udp_bind_all_rpc_ports($1_t)
- # Need the following rule to allow users to run vpnc
- corenet_tcp_bind_xserver_port($1_t)
- corenet_tcp_bind_generic_node($1_usertype)
diff --git a/fix_usermanage.patch b/fix_usermanage.patch
deleted file mode 100644
index a7d1bee..0000000
--- a/fix_usermanage.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Index: fedora-policy-20220428/policy/modules/admin/usermanage.te
-===================================================================
---- fedora-policy-20220428.orig/policy/modules/admin/usermanage.te
-+++ fedora-policy-20220428/policy/modules/admin/usermanage.te
-@@ -226,6 +226,7 @@ allow groupadd_t self:unix_dgram_socket
- allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
- allow groupadd_t self:unix_dgram_socket sendto;
- allow groupadd_t self:unix_stream_socket connectto;
-+allow groupadd_t self:netlink_selinux_socket create_socket_perms;
- 
- fs_getattr_xattr_fs(groupadd_t)
- fs_search_auto_mountpoints(groupadd_t)
-@@ -538,6 +539,7 @@ allow useradd_t self:unix_dgram_socket c
- allow useradd_t self:unix_stream_socket create_stream_socket_perms;
- allow useradd_t self:unix_dgram_socket sendto;
- allow useradd_t self:unix_stream_socket connectto;
-+allow useradd_t self:netlink_selinux_socket create_socket_perms;
- 
- manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
- manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
-@@ -546,6 +548,8 @@ files_pid_filetrans(useradd_t, useradd_v
- # for getting the number of groups
- kernel_read_kernel_sysctls(useradd_t)
- 
-+selinux_compute_access_vector(useradd_t)
-+
- corecmd_exec_shell(useradd_t)
- # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
- corecmd_exec_bin(useradd_t)
diff --git a/fix_wine.patch b/fix_wine.patch
deleted file mode 100644
index 17698f2..0000000
--- a/fix_wine.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Index: fedora-policy-20220428/policy/modules/system/libraries.fc
-===================================================================
---- fedora-policy-20220428.orig/policy/modules/system/libraries.fc
-+++ fedora-policy-20220428/policy/modules/system/libraries.fc
-@@ -90,7 +90,7 @@ ifdef(`distro_redhat',`
- /opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
- /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/opt/cx.*/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/cx.*/lib/wine/.+\.(so|dll) -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
- /opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -173,7 +173,8 @@ ifdef(`distro_redhat',`
- /usr/lib/systemd/libsystemd-.+\.so.* -- gen_context(system_u:object_r:lib_t,s0)
- 
- /usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
--/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/wine/*-windows/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- 
diff --git a/fix_xserver.patch b/fix_xserver.patch
deleted file mode 100644
index a8fd6e8..0000000
--- a/fix_xserver.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/services/xserver.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/services/xserver.fc
-+++ fedora-policy-20221019/policy/modules/services/xserver.fc
-@@ -71,6 +71,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
- /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
- /etc/X11/wdm/Xsetup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-+/etc/X11/xdm/Xsetup -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
- 
-@@ -102,6 +103,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
- 
- /usr/bin/sddm -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/sddm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/lib/sddm/sddm-helper -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
- /usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0)
-@@ -114,6 +116,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
- /usr/bin/Xwayland -- gen_context(system_u:object_r:xserver_exec_t,s0)
- /usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
- /usr/bin/nvidia.* -- gen_context(system_u:object_r:xserver_exec_t,s0)
-+/usr/bin/greetd -- gen_context(system_u:object_r:xdm_exec_t,s0)
- 
- /usr/libexec/Xorg\.bin -- gen_context(system_u:object_r:xserver_exec_t,s0)
- /usr/libexec/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0)
-@@ -137,6 +140,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
- /usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0)
- /usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0)
- 
-+/usr/lib/X11/display-manager -- gen_context(system_u:object_r:xdm_exec_t,s0)
- ifndef(`distro_debian',`
- /usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
- ')
-@@ -155,6 +159,7 @@ ifndef(`distro_debian',`
- /var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
- /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
- /var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
-+/var/lib/greetd(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
- 
- /var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
- /var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-@@ -184,6 +189,8 @@ ifndef(`distro_debian',`
- /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/sddm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/greetd[^/]*\.sock -s gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/greetd\.run -- gen_context(system_u:object_r:xdm_var_run_t,s0)
- 
- /var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
- /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
-Index: fedora-policy-20221019/policy/modules/services/xserver.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/services/xserver.te
-+++ fedora-policy-20221019/policy/modules/services/xserver.te
-@@ -475,6 +475,10 @@ userdom_dontaudit_read_admin_home_lnk_fi
- 
- kernel_read_vm_sysctls(xdm_t)
- 
-+files_manage_generic_pids_symlinks(xdm_t)
-+userdom_manage_user_home_content_dirs(xdm_t)
-+userdom_manage_user_home_content_files(xdm_t)
-+
- # Allow gdm to run gdm-binary
- can_exec(xdm_t, xdm_exec_t)
- can_exec(xdm_t, xsession_exec_t)
diff --git a/packagekit.fc b/packagekit.fc
deleted file mode 100644
index b004ae0..0000000
--- a/packagekit.fc
+++ /dev/null
@@ -1,44 +0,0 @@
-/usr/lib/systemd/system/packagekit.* -- gen_context(system_u:object_r:packagekit_unit_file_t,s0)
-
-/usr/bin/packagekit -- gen_context(system_u:object_r:packagekit_exec_t,s0)
-
-#/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:packagekit_var_lib_t,s0)
-
-/usr/bin/pkcon -- gen_context(system_u:object_r:packagekit_exec_t,s0)
-/usr/bin/pkmon -- gen_context(system_u:object_r:packagekit_exec_t,s0)
-/usr/lib/packagekit-direct -- gen_context(system_u:object_r:packagekit_exec_t,s0)
-/usr/lib/packagekitd -- gen_context(system_u:object_r:packagekit_exec_t,s0)
-/usr/lib/pk-offline-update -- gen_context(system_u:object_r:packagekit_exec_t,s0)
-
-#/etc/PackageKit
-#/etc/dbus-1/system.d/org.freedesktop.PackageKit.conf
-#/usr/lib/tmpfiles.d
-#/usr/lib/tmpfiles.d/PackageKit.conf
-#/usr/lib64/packagekit-backend
-#/usr/lib64/packagekit-backend/libpk_backend_dummy.so
-#/usr/sbin/rcpackagekit
-#/usr/sbin/rcpackagekit-offline-update
-#/usr/share/PackageKit
-#/usr/share/PackageKit/helpers
-#/usr/share/PackageKit/helpers/test_spawn
-#/usr/share/PackageKit/helpers/test_spawn/search-name.sh
-#/usr/share/PackageKit/packagekit-background.sh
-#/usr/share/PackageKit/pk-upgrade-distro.sh
-#/usr/share/PackageKit/transactions.db
-#/usr/share/bash-completion/completions/pkcon
-#/usr/share/dbus-1/interfaces/org.freedesktop.PackageKit.Transaction.xml
-#/usr/share/dbus-1/interfaces/org.freedesktop.PackageKit.xml
-#/usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service
-#/usr/share/doc/packages/PackageKit
-#/usr/share/doc/packages/PackageKit/AUTHORS
-#/usr/share/doc/packages/PackageKit/HACKING
-#/usr/share/doc/packages/PackageKit/NEWS
-#/usr/share/doc/packages/PackageKit/README
-#/usr/share/doc/packages/PackageKit/org.freedesktop.packagekit.rules
-#/usr/share/licenses/PackageKit
-#/usr/share/licenses/PackageKit/COPYING
-#/usr/share/man/man1/pkcon.1.gz
-#/usr/share/man/man1/pkmon.1.gz
-#/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
-#/var/cache/PackageKit
-
diff --git a/packagekit.if b/packagekit.if
deleted file mode 100644
index a9d1918..0000000
--- a/packagekit.if
+++ /dev/null
@@ -1,40 +0,0 @@
-## A temporary policy for packagekit.
-
-########################################
-##
-## Allow reading of fifo files
-##
-##
-##
-## Domain allowed to mange files
-##
-##
-#
-interface(`packagekit_read_write_fifo',`
- gen_require(`
- type packagekit_t;
- ')
-
- allow $1 packagekit_t:fifo_file rw_inherited_fifo_file_perms;
-')
-
-########################################
-##
-## Send and receive messages from
-## packagekit over dbus.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`packagekit_dbus_chat',`
- gen_require(`
- type packagekit_t;
- class dbus send_msg;
- ')
-
- allow $1 packagekit_t:dbus send_msg;
- allow packagekit_t $1:dbus send_msg;
-')
diff --git a/packagekit.te b/packagekit.te
deleted file mode 100644
index 090ccb7..0000000
--- a/packagekit.te
+++ /dev/null
@@ -1,38 +0,0 @@
-policy_module(packagekit,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type packagekit_t;
-type packagekit_exec_t;
-init_daemon_domain(packagekit_t,packagekit_exec_t)
-
-type packagekit_unit_file_t;
-systemd_unit_file(packagekit_unit_file_t)
-
-type packagekit_var_lib_t;
-files_type(packagekit_var_lib_t)
-
-unconfined_dbus_chat(packagekit_t)
-init_dbus_chat(packagekit_t)
-optional_policy(`
- policykit_dbus_chat(packagekit_t)
-')
-
-optional_policy(`
- unconfined_domain(packagekit_t)
-')
-
-optional_policy(`
- snapper_dbus_chat(packagekit_t)
-')
-
-optional_policy(`
- systemd_dbus_chat_logind(packagekit_t)
-')
-
-optional_policy(`
- rpm_transition_script(packagekit_t,system_r)
-')
diff --git a/rebootmgr.fc b/rebootmgr.fc
deleted file mode 100644
index 156f78f..0000000
--- a/rebootmgr.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/rebootmgrd -- gen_context(system_u:object_r:rebootmgr_exec_t,s0)
diff --git a/rebootmgr.if b/rebootmgr.if
deleted file mode 100644
index bb42f80..0000000
--- a/rebootmgr.if
+++ /dev/null
@@ -1,61 +0,0 @@
-
-## policy for rebootmgr
-
-########################################
-##
-## Execute rebootmgr_exec_t in the rebootmgr domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`rebootmgr_domtrans',`
- gen_require(`
- type rebootmgr_t, rebootmgr_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, rebootmgr_exec_t, rebootmgr_t)
-')
-
-######################################
-##
-## Execute rebootmgr in the caller domain.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`rebootmgr_exec',`
- gen_require(`
- type rebootmgr_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, rebootmgr_exec_t)
-')
-
-########################################
-##
-## Send and receive messages from
-## rebootmgr over dbus.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`rebootmgr_dbus_chat',`
- gen_require(`
- type rebootmgr_t;
- class dbus send_msg;
- ')
-
- allow $1 rebootmgr_t:dbus send_msg;
- allow rebootmgr_t $1:dbus send_msg;
-')
diff --git a/rebootmgr.te b/rebootmgr.te
deleted file mode 100644
index 4b4e6ab..0000000
--- a/rebootmgr.te
+++ /dev/null
@@ -1,37 +0,0 @@
-policy_module(rebootmgr, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type rebootmgr_t;
-type rebootmgr_exec_t;
-init_daemon_domain(rebootmgr_t, rebootmgr_exec_t)
-
-########################################
-#
-# rebootmgr local policy
-#
-allow rebootmgr_t self:process { fork };
-allow rebootmgr_t self:fifo_file rw_fifo_file_perms;
-allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms;
-
-domain_use_interactive_fds(rebootmgr_t)
-
-files_manage_etc_files(rebootmgr_t)
-
-logging_send_syslog_msg(rebootmgr_t)
-
-miscfiles_read_localization(rebootmgr_t)
-
-systemd_start_power_services(rebootmgr_t)
-
-systemd_dbus_chat_logind(rebootmgr_t)
-
-unconfined_dbus_chat(rebootmgr_t)
-
-optional_policy(`
- dbus_system_bus_client(rebootmgr_t)
- dbus_connect_system_bus(rebootmgr_t)
-')
diff --git a/rtorrent.fc b/rtorrent.fc
deleted file mode 100644
index 562f8ad..0000000
--- a/rtorrent.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0)
diff --git a/rtorrent.if b/rtorrent.if
deleted file mode 100644
index 9ea4193..0000000
--- a/rtorrent.if
+++ /dev/null
@@ -1,95 +0,0 @@ - -## policy for rtorrent - -######################################## -## -## Execute rtorrent_exec_t in the rtorrent domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`rtorrent_domtrans',` - gen_require(` - type rtorrent_t, rtorrent_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, rtorrent_exec_t, rtorrent_t) -') - -###################################### -## -## Execute rtorrent in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`rtorrent_exec',` - gen_require(` - type rtorrent_exec_t; - ') - - corecmd_search_bin($1) - can_exec($1, rtorrent_exec_t) -') - -######################################## -## -## Execute rtorrent in the rtorrent domain, and -## allow the specified role the rtorrent domain. -## -## -## -## Domain allowed to transition -## -## -## -## -## The role to be allowed the rtorrent domain. -## -## -# -interface(`rtorrent_run',` - gen_require(` - type rtorrent_t; - attribute_role rtorrent_roles; - ') - - rtorrent_domtrans($1) - roleattribute $2 rtorrent_roles; -') - -######################################## -## -## Role access for rtorrent -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`rtorrent_role',` - gen_require(` - type rtorrent_t; - attribute_role rtorrent_roles; - ') - - roleattribute $1 rtorrent_roles; - - rtorrent_domtrans($2) - - ps_process_pattern($2, rtorrent_t) - allow $2 rtorrent_t:process { signull signal sigkill }; -') diff --git a/rtorrent.te b/rtorrent.te deleted file mode 100644 index 996f7a7..0000000 --- a/rtorrent.te +++ /dev/null @@ -1,101 +0,0 @@ -policy_module(rtorrent, 1.0.0) - -######################################## -# -# Declarations -# -## -##

-## Allow rtorrent to use send mails -##

-##
-gen_tunable(rtorrent_send_mails, false) - -## -##

-## Enable necessary permissions for rutorrent -##

-##
-gen_tunable(rtorrent_enable_rutorrent, false) - -## -##

-## Allow rtorrent to execute helper scripts in home directories -##

-##
-gen_tunable(rtorrent_exec_scripts, false) - -attribute_role rtorrent_roles; -roleattribute system_r rtorrent_roles; - -type rtorrent_t; -type rtorrent_exec_t; -application_domain(rtorrent_t, rtorrent_exec_t) -role rtorrent_roles types rtorrent_t; - -######################################## -# -# rtorrent local policy -# -allow rtorrent_t self:process { fork signal_perms }; - -allow rtorrent_t self:fifo_file manage_fifo_file_perms; -allow rtorrent_t self:unix_stream_socket create_stream_socket_perms; - -domain_use_interactive_fds(rtorrent_t) - -files_read_etc_files(rtorrent_t) - -miscfiles_read_localization(rtorrent_t) - -sysnet_dns_name_resolve(rtorrent_t) - -optional_policy(` - gen_require(` - type staff_t; - role staff_r; - ') - - rtorrent_run(staff_t, staff_r) -') - -type rtorrent_port_t; -corenet_port(rtorrent_port_t) -allow rtorrent_t rtorrent_port_t:tcp_socket name_bind; - -userdom_read_user_home_content_symlinks(rtorrent_t) -userdom_manage_user_home_content_files(rtorrent_t) -userdom_manage_user_home_content_dirs(rtorrent_t) - -allow rtorrent_t self:tcp_socket { accept listen }; - -corenet_tcp_connect_all_ports(rtorrent_t) - -fs_getattr_xattr_fs(rtorrent_t) - -userdom_use_inherited_user_terminals(rtorrent_t) -# this might be to much -userdom_home_manager(rtorrent_t) -userdom_filetrans_home_content(rtorrent_t) - -optional_policy(` - tunable_policy(`rtorrent_send_mails',` - userdom_exec_user_bin_files(rtorrent_t) - userdom_exec_user_home_content_files(rtorrent_t) - files_manage_generic_tmp_files(rtorrent_t) - mta_send_mail(rtorrent_t) - ') -') - -optional_policy(` - tunable_policy(`rtorrent_enable_rutorrent',` - apache_manage_sys_content(rtorrent_t) - apache_exec_sys_content(rtorrent_t) - ') -') - -tunable_policy(`rtorrent_exec_scripts',` - # execute helper scripts - corecmd_exec_bin(rtorrent_t) - userdom_exec_user_bin_files(rtorrent_t) -') diff --git a/sedoctool.patch b/sedoctool.patch deleted file mode 100644 index 82b2eee..0000000 
--- a/sedoctool.patch +++ /dev/null @@ -1,22 +0,0 @@ -Index: fedora-policy/support/sedoctool.py -=================================================================== ---- fedora-policy.orig/support/sedoctool.py -+++ fedora-policy/support/sedoctool.py -@@ -810,7 +810,7 @@ if booleans: - namevalue_list = [] - if os.path.exists(booleans): - try: -- conf = open(booleans, 'r') -+ conf = open(booleans, 'r', errors='replace') - except: - error("Could not open booleans file for reading") - -@@ -831,7 +831,7 @@ if modules: - namevalue_list = [] - if os.path.exists(modules): - try: -- conf = open(modules, 'r') -+ conf = open(modules, 'r', errors='replace') - except: - error("Could not open modules file for reading") - namevalue_list = get_conf(conf) diff --git a/selinux-policy-20230214.tar.xz b/selinux-policy-20230214.tar.xz new file mode 100644 index 0000000..a99d60c --- /dev/null +++ b/selinux-policy-20230214.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9693ed2c5547a04fe58227ee5f6db761b68cc2f4c7267492220e33678788a83f +size 752564 diff --git a/selinux-policy.changes b/selinux-policy.changes index c83b5af..2656fda 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
@@ -1,3 +1,90 @@ +------------------------------------------------------------------- +Tue Feb 14 21:41:54 UTC 2023 - Hu + +- Complete packaging rework: Move policy to git repository and + only use tar_scm obs service to refresh from there: + https://gitlab.suse.de/selinux/selinux-policy + + Please use `osc service manualrun` to update this OBS package to the + newest git version. + + * Added README.Update describing how to update this package + * Added _service file that pulls from selinux-policy and + upstream container-selinux and tars them + * Adapted selinux-policy.spec to build selinux-policy with + container-selinux + * Removed update.sh as no longer needed + * Removed suse specific modules as they are now covered by git commits + * packagekit.te packagekit.if packagekit.fc + * rebootmgr.te rebootmgr.if rebootmgr.fc + * rtorrent.te rtorrent.if rtorrent.fc + * wicked.te wicked.if wicked.fc + * Removed *.patch as they are now covered by git commits: + * distro_suse_to_distro_redhat.patch + * dontaudit_interface_kmod_tmpfs.patch + * fix_accountsd.patch + * fix_alsa.patch + * fix_apache.patch + * fix_auditd.patch + * fix_authlogin.patch + * fix_automount.patch + * fix_bitlbee.patch + * fix_chronyd.patch + * fix_cloudform.patch + * fix_colord.patch + * fix_corecommand.patch + * fix_cron.patch + * fix_dbus.patch + * fix_djbdns.patch + * fix_dnsmasq.patch + * fix_dovecot.patch + * fix_entropyd.patch + * fix_firewalld.patch + * fix_fwupd.patch + * fix_geoclue.patch + * fix_hypervkvp.patch + * fix_init.patch + * fix_ipsec.patch + * fix_iptables.patch + * fix_irqbalance.patch + * fix_java.patch + * fix_kernel.patch + * fix_kernel_sysctl.patch + * fix_libraries.patch + * fix_locallogin.patch + * fix_logging.patch + * fix_logrotate.patch + * fix_mcelog.patch + * fix_miscfiles.patch + * fix_nagios.patch + * fix_networkmanager.patch + * fix_nis.patch + * fix_nscd.patch + * fix_ntp.patch + * fix_openvpn.patch + * fix_postfix.patch + * fix_rpm.patch + * fix_rtkit.patch + * 
fix_screen.patch + * fix_selinuxutil.patch + * fix_sendmail.patch + * fix_smartmon.patch + * fix_snapper.patch + * fix_sslh.patch + * fix_sysnetwork.patch + * fix_systemd.patch + * fix_systemd_watch.patch + * fix_thunderbird.patch + * fix_unconfined.patch + * fix_unconfineduser.patch + * fix_unprivuser.patch + * fix_userdomain.patch + * fix_usermanage.patch + * fix_wine.patch + * fix_xserver.patch + * sedoctool.patch + * systemd_domain_dyntrans_type.patch + ------------------------------------------------------------------- Mon Feb 6 08:36:32 UTC 2023 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index 11acb6d..80d04ff 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -33,10 +33,11 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20230206 +Version: 20230214 Release: 0 -Source: fedora-policy-%{version}.tar.bz2 -Source1: selinux-policy-rpmlintrc +Source0: %{name}-%{version}.tar.xz +Source1: container-selinux-%{version}.tar.xz +Source2: selinux-policy-rpmlintrc Source10: modules-targeted-base.conf Source11: modules-targeted-contrib.conf 
@@ -70,89 +71,6 @@ Source92: customizable_types #Source93: config.tgz Source94: file_contexts.subs_dist Source95: macros.selinux-policy -Source96: update.sh - -Source120: packagekit.te -Source121: packagekit.if -Source122: packagekit.fc -Source123: rtorrent.te -Source124: rtorrent.if -Source125: rtorrent.fc -Source126: wicked.te -Source127: wicked.if -Source128: wicked.fc -Source129: rebootmgr.te -Source130: rebootmgr.if -Source131: rebootmgr.fc - -Patch000: distro_suse_to_distro_redhat.patch -Patch001: fix_djbdns.patch -Patch002: fix_dbus.patch -Patch004: fix_java.patch -Patch006: fix_thunderbird.patch -Patch007: fix_postfix.patch -Patch008: fix_nscd.patch -Patch009: fix_sysnetwork.patch -Patch010: fix_logging.patch -Patch011: fix_xserver.patch -Patch012: fix_miscfiles.patch -Patch013: fix_init.patch -Patch014: fix_locallogin.patch -Patch016: fix_iptables.patch -Patch017: fix_irqbalance.patch -Patch018: fix_ntp.patch -Patch019: fix_fwupd.patch -Patch020: fix_firewalld.patch -Patch021: fix_logrotate.patch -Patch022: fix_selinuxutil.patch -Patch024: fix_corecommand.patch -Patch025: fix_snapper.patch -Patch026: fix_systemd.patch -Patch027: fix_unconfined.patch -Patch028: fix_unconfineduser.patch -Patch029: fix_chronyd.patch -Patch030: fix_networkmanager.patch -Patch032: fix_accountsd.patch -Patch033: fix_automount.patch -Patch034: fix_colord.patch -Patch035: fix_mcelog.patch -Patch036: fix_sslh.patch -Patch037: fix_nagios.patch -Patch038: fix_openvpn.patch -Patch039: fix_cron.patch -Patch040: fix_usermanage.patch -Patch041: fix_smartmon.patch -Patch042: fix_geoclue.patch -Patch044: fix_authlogin.patch -Patch045: fix_screen.patch -Patch046: fix_unprivuser.patch -Patch047: fix_rpm.patch -Patch048: fix_apache.patch -Patch049: fix_nis.patch -Patch050: fix_libraries.patch -Patch051: fix_dovecot.patch -# https://github.com/cockpit-project/cockpit/pull/15758 -#Patch052: fix_cockpit.patch -Patch053: fix_systemd_watch.patch -# kernel specific sysctl.conf (boo#1184804) 
-Patch054: fix_kernel_sysctl.patch -Patch055: fix_auditd.patch -Patch056: fix_wine.patch -Patch057: fix_hypervkvp.patch -Patch058: fix_bitlbee.patch -Patch059: systemd_domain_dyntrans_type.patch -Patch060: fix_dnsmasq.patch -Patch061: fix_userdomain.patch -Patch062: fix_cloudform.patch -Patch063: fix_alsa.patch -Patch064: dontaudit_interface_kmod_tmpfs.patch -Patch065: fix_sendmail.patch -Patch066: fix_ipsec.patch -Patch067: fix_kernel.patch -Patch068: fix_entropyd.patch -Patch069: fix_rtkit.patch - -Patch100: sedoctool.patch URL: https://github.com/fedora-selinux/selinux-policy.git BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -413,7 +331,16 @@ fi; exit 0 %prep -%autosetup -n fedora-policy-%{version} -p1 + +# set up selinux-policy +%autosetup -n %{name}-%{version} -p1 + +# dirty hack for container-selinux, because selinux-policy won't build without it +# upstream does not want to include it in main policy tree: +# see discussion in https://github.com/containers/container-selinux/issues/186 +%setup -T -D -b 1 +cp ../container-selinux-%{version}/container.* policy/modules/services/ +rm -rf ../container-selinux-%{version} %build @@ -440,10 +367,6 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} cp $i selinux_config done -for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do - cp $i policy/modules/contrib -done - make clean %if %{BUILD_TARGETED} %makeCmds targeted mcs allow diff --git a/systemd_domain_dyntrans_type.patch b/systemd_domain_dyntrans_type.patch deleted file mode 100644 index 8376c95..0000000 --- a/systemd_domain_dyntrans_type.patch +++ /dev/null 
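Review bot: The new `%setup -T -D -b 1` and `cp ../container-selinux-%{version}/container.* policy/modules/services/` lines in %prep splice the Source1 snapshot into the policy tree only after `%autosetup -p1` has already run, so any Patch: entry added later can never touch container.{fc,if,te}, and as far as the visible spec shows nothing records which upstream container-selinux revision that tarball was cut from (the _service file presumably does, but it is not in this hunk). Since this copy decides what gets compiled into the shipped policy, the step should be self-describing: a comment such as `# container.* is imported from Source1 (container-selinux snapshot <UPSTREAM-REVISION-PLACEHOLDER>); it is copied after %autosetup, so Patch: entries cannot modify it` above the `cp`, and `cp -v ../container-selinux-%{version}/container.* policy/modules/services/` so the build log lists exactly which files were imported. Note also that with every Patch: line removed in the hunk above, the `-p1` on `%autosetup -n %{name}-%{version} -p1` no longer has anything to apply; harmless, but worth a one-line comment if it is kept on purpose for future patches.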
@@ -1,13 +0,0 @@ -Index: fedora-policy-20220124/policy/modules/system/init.te -=================================================================== ---- fedora-policy-20220124.orig/policy/modules/system/init.te -+++ fedora-policy-20220124/policy/modules/system/init.te -@@ -179,6 +179,8 @@ allow init_t self:tcp_socket { listen ac - allow init_t self:packet_socket create_socket_perms; - allow init_t self:key manage_key_perms; - allow init_t self:bpf { map_create map_read map_write prog_load prog_run }; -+domain_dyntrans_type(init_t) -+allow init_t self:process { dyntransition setcurrent }; - - # is ~sys_module really needed? observed: - # sys_boot diff --git a/update.sh b/update.sh deleted file mode 100644 index 92f709c..0000000 --- a/update.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/sh - -date=$(date '+%Y%m%d') - -echo Update to $date - -rm -rf fedora-policy container-selinux - -git clone --depth 1 https://github.com/fedora-selinux/selinux-policy.git -git clone --depth 1 https://github.com/containers/container-selinux.git - -mv selinux-policy fedora-policy-$date -rm -rf fedora-policy-$date/.git* -mv container-selinux/container.* fedora-policy-$date/policy/modules/services/ - -rm -f fedora-policy?$date.tar* -tar cf fedora-policy-$date.tar fedora-policy-$date -bzip2 fedora-policy-$date.tar -rm -rf fedora-policy-$date container-selinux - -sed -i -e "s/^Version:.*/Version: $date/" selinux-policy.spec - -echo "remove old tar file, then osc addremove" diff --git a/wicked.fc b/wicked.fc deleted file mode 100644 index 8b84838..0000000 --- a/wicked.fc +++ /dev/null 
@@ -1,50 +0,0 @@ -# not used -#/etc/wicked/dispatcher\.d(/.*)? gen_context(system_u:object_r:wicked_initrc_exec_t,s0) -#/usr/lib/wicked/dispatcher\.d(/.*)? gen_context(system_u:object_r:wicked_initrc_exec_t,s0) - -/etc/wicked(/.*)? gen_context(system_u:object_r:wicked_etc_t,s0) -/etc/wicked/extensions/.* -- gen_context(system_u:object_r:wicked_exec_t,s0) - -#/etc/wicked/wicked\.conf gen_context(system_u:object_r:wicked_etc_rw_t,s0) -#/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:wicked_var_lib_t, s0) - -/usr/lib/systemd/system/wicked.* -- gen_context(system_u:object_r:wicked_unit_file_t,s0) - -/sbin/ifdown -- gen_context(system_u:object_r:wicked_exec_t,s0) -/sbin/ifprobe -- gen_context(system_u:object_r:wicked_exec_t,s0) -/sbin/ifstatus -- gen_context(system_u:object_r:wicked_exec_t,s0) -/sbin/ifup -- gen_context(system_u:object_r:wicked_exec_t,s0) -/usr/sbin/ifup -- gen_context(system_u:object_r:wicked_exec_t,s0) - -/usr/sbin/rcwicked.* -- gen_context(system_u:object_r:wicked_initrc_exec_t,s0) - -/usr/lib/wicked/bin(/.*)? gen_context(system_u:object_r:wicked_exec_t,s0) -/usr/libexec/wicked/bin(/.*)? gen_context(system_u:object_r:wicked_exec_t,s0) - -#/usr/lib64/libwicked-0.6.63.so - -/usr/sbin/wicked -- gen_context(system_u:object_r:wicked_exec_t,s0) -/usr/sbin/wickedd -- gen_context(system_u:object_r:wicked_exec_t,s0) -/usr/sbin/wickedd-nanny -- gen_context(system_u:object_r:wicked_exec_t,s0) -#/usr/share/wicked/schema/wireless.xml -/var/lib/wicked(/.*)? gen_context(system_u:object_r:wicked_var_lib_t,s0) -#/etc/sysconfig/network/ifcfg-lo - -#/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) -#/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:wicked_exec_t,s0) -#/var/lib/wicd(/.*)? gen_context(system_u:object_r:wicked_var_lib_t,s0) -#/var/log/wicd.* -- gen_context(system_u:object_r:wicked_log_t,s0) - -/var/run/wicked(/.*)? 
gen_context(system_u:object_r:wicked_var_run_t,s0) - -#/etc/dbus-1 -#/etc/dbus-1/system.d -#/etc/dbus-1/system.d/org.opensuse.Network.AUTO4.conf -#/etc/dbus-1/system.d/org.opensuse.Network.DHCP4.conf -#/etc/dbus-1/system.d/org.opensuse.Network.DHCP6.conf -#/etc/dbus-1/system.d/org.opensuse.Network.Nanny.conf -#/etc/dbus-1/system.d/org.opensuse.Network.conf - -/etc/sysconfig/network/scripts(/.*)? gen_context(system_u:object_r:wicked_script_t,s0) -/etc/sysconfig/network/scripts/samba-winbindd -- gen_context(system_u:object_r:wicked_winbind_script_t,s0) -/etc/sysconfig/network/scripts/dhcpd-restart-hook -- gen_context(system_u:object_r:wicked_dhcp_script_t,s0) diff --git a/wicked.if b/wicked.if deleted file mode 100644 index 0246cda..0000000 --- a/wicked.if +++ /dev/null 
@@ -1,678 +0,0 @@ -## Manager for dynamically switching between networks. - -######################################## -## -## Read and write wicked UDP sockets. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for named. -interface(`wicked_rw_udp_sockets',` - gen_require(` - type wicked_t; - ') - - allow $1 wicked_t:udp_socket { read write }; -') - -######################################## -## -## Read and write wicked packet sockets. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for named. -interface(`wicked_rw_packet_sockets',` - gen_require(` - type wicked_t; - ') - - allow $1 wicked_t:packet_socket { read write }; -') - -####################################### -## -## Allow caller to relabel tun_socket -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_attach_tun_iface',` - gen_require(` - type wicked_t; - ') - - allow $1 wicked_t:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; -') - -######################################## -## -## Read and write wicked netlink -## routing sockets. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for named. -interface(`wicked_rw_routing_sockets',` - gen_require(` - type wicked_t; - ') - - allow $1 wicked_t:netlink_route_socket { read write }; -') - -######################################## -## -## Execute wicked with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`wicked_domtrans',` - gen_require(` - type wicked_t, wicked_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, wicked_exec_t, wicked_t) -') - -####################################### -## -## Execute wicked scripts with an automatic domain transition to initrc. -## -## -## -## Domain allowed to transition. 
-## -## -# -interface(`wicked_initrc_domtrans',` - gen_require(` - type wicked_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, wicked_initrc_exec_t) -') - -####################################### -## -## Allow reading of wicked link files -## -## -## -## Domain allowed to read the links -## -## -# -interface(`wicked_initrc_read_lnk_files',` - gen_require(` - type wicked_initrc_exec_t; - ') - - read_lnk_files_pattern($1, wicked_initrc_exec_t, wicked_initrc_exec_t) -') - -######################################## -## -## Execute wicked server in the wicked domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`wicked_systemctl',` - gen_require(` - type wicked_unit_file_t; - type wicked_t; - ') - - systemd_exec_systemctl($1) - init_reload_services($1) - allow $1 wicked_unit_file_t:file read_file_perms; - allow $1 wicked_unit_file_t:service manage_service_perms; - - ps_process_pattern($1, wicked_t) -') - -######################################## -## -## Send and receive messages from -## wicked over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_dbus_chat',` - gen_require(` - type wicked_t; - class dbus send_msg; - ') - - allow $1 wicked_t:dbus send_msg; - allow wicked_t $1:dbus send_msg; -') - -####################################### -## -## Read metworkmanager process state files. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_read_state',` - gen_require(` - type wicked_t; - ') - - allow $1 wicked_t:dir search_dir_perms; - allow $1 wicked_t:file read_file_perms; - allow $1 wicked_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Do not audit attempts to send and -## receive messages from wicked -## over dbus. -## -## -## -## Domain to not audit. 
-## -## -# -interface(`wicked_dontaudit_dbus_chat',` - gen_require(` - type wicked_t; - class dbus send_msg; - ') - - dontaudit $1 wicked_t:dbus send_msg; - dontaudit wicked_t $1:dbus send_msg; -') - -######################################## -## -## Send a generic signal to wicked -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_signal',` - gen_require(` - type wicked_t; - ') - - allow $1 wicked_t:process signal; -') - -######################################## -## -## Create, read, and write -## wicked library files. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_manage_lib_files',` - gen_require(` - type wicked_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t) - allow $1 wicked_var_lib_t:file map; -') - -######################################## -## -## Read wicked lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_read_lib_files',` - gen_require(` - type wicked_var_lib_t; - ') - - files_search_var_lib($1) - list_dirs_pattern($1, wicked_var_lib_t, wicked_var_lib_t) - read_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t) - allow $1 wicked_var_lib_t:file map; -') - -####################################### -## -## Read wicked conf files. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_read_conf',` - gen_require(` - type wicked_etc_t; - type wicked_etc_rw_t; - ') - - allow $1 wicked_etc_t:dir list_dir_perms; - read_files_pattern($1,wicked_etc_t,wicked_etc_t) - read_files_pattern($1,wicked_etc_rw_t,wicked_etc_rw_t) -') - -######################################## -## -## Read wicked PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_read_pid_files',` - gen_require(` - type wicked_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, wicked_var_run_t, wicked_var_run_t) -') - -######################################## -## -## Manage wicked PID files. 
-## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_manage_pid_files',` - gen_require(` - type wicked_var_run_t; - ') - - files_search_pids($1) - manage_dirs_pattern($1, wicked_var_run_t, wicked_var_run_t) - manage_files_pattern($1, wicked_var_run_t, wicked_var_run_t) -') - -######################################## -## -## Manage wicked PID sock files. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_manage_pid_sock_files',` - gen_require(` - type wicked_var_run_t; - ') - - files_search_pids($1) - manage_sock_files_pattern($1, wicked_var_run_t, wicked_var_run_t) -') - -######################################## -## -## Create objects in /etc with a private -## type using a type_transition. -## -## -## -## Domain allowed access. -## -## -## -## -## Private file type. -## -## -## -## -## Object classes to be created. -## -## -## -## -## The name of the object being created. -## -## -# -interface(`wicked_pid_filetrans',` - gen_require(` - type wicked_var_run_t; - ') - - filetrans_pattern($1, wicked_var_run_t, $2, $3, $4) -') - -#################################### -## -## Connect to wicked over -## a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_stream_connect',` - gen_require(` - type wicked_t, wicked_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, wicked_var_run_t, wicked_var_run_t, wicked_t) -') - -######################################## -## -## Delete wicked PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_delete_pid_files',` - gen_require(` - type wicked_var_run_t; - ') - - files_search_pids($1) - delete_files_pattern($1, wicked_var_run_t, wicked_var_run_t) -') - -######################################## -## -## Execute wicked in the wicked domain, and -## allow the specified role the wicked domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# -interface(`wicked_run',` - gen_require(` - type wicked_t, wicked_exec_t; - ') - - wicked_domtrans($1) - role $2 types wicked_t; -') - -######################################## -## -## Allow the specified domain to append -## to Network Manager log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_append_log',` - gen_require(` - type wicked_log_t; - ') - - logging_search_logs($1) - allow $1 wicked_log_t:dir list_dir_perms; - append_files_pattern($1, wicked_log_t, wicked_log_t) - allow $1 wicked_log_t:file map; - -') - -####################################### -## -## Allow the specified domain to manage -## to Network Manager lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_manage_lib',` - gen_require(` - type wicked_var_lib_t; - ') - - manage_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t) - allow $1 wicked_var_lib_t:file map; - -') - -####################################### -## -## Send to wicked with a unix dgram socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_dgram_send',` - gen_require(` - type wicked_t, wicked_var_run_t; - ') - - files_search_pids($1) - dgram_send_pattern($1, wicked_var_run_t, wicked_var_run_t, wicked_t) -') - -######################################## -## -## Send sigchld to wicked. -## -## -## -## Domain allowed access. -## -## -# -# -interface(`wicked_sigchld',` - gen_require(` - type wicked_t; - ') - - allow $1 wicked_t:process sigchld; -') - -######################################## -## -## Send signull to wicked. -## -## -## -## Domain allowed access. -## -## -# -# -interface(`wicked_signull',` - gen_require(` - type wicked_t; - ') - - allow $1 wicked_t:process signull; -') - -######################################## -## -## Send sigkill to wicked. -## -## -## -## Domain allowed access. 
-## -## -# -# -interface(`wicked_sigkill',` - gen_require(` - type wicked_t; - ') - - allow $1 wicked_t:process sigkill; -') - -######################################## -## -## Transition to wicked named content -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_filetrans_named_content',` - gen_require(` - type wicked_var_run_t; - type wicked_var_lib_t; - ') - - - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth0.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth1.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth2.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth3.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth4.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth5.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth6.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth7.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth8.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth9.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth0.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth1.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth2.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth3.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth4.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth5.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth6.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth7.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth8.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth9.dhcp.ipv6") - - files_pid_filetrans($1, wicked_var_run_t, file, 
"leaseinfo.em0.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em1.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em2.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em3.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em4.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em5.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em6.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em7.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em8.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em9.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em0.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em1.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em2.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em3.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em4.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em5.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em6.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em7.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em8.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em9.dhcp.ipv6") - - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.lo.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.lo.dhcp.ipv6") - - files_pid_filetrans($1, wicked_var_run_t, dir, "extension") - files_pid_filetrans($1, wicked_var_run_t, dir, "nanny") - - files_etc_filetrans($1, wicked_var_lib_t, file, "state-1.xml") - files_etc_filetrans($1, wicked_var_lib_t, file, "state-2.xml") - files_etc_filetrans($1, wicked_var_lib_t, file, "state-3.xml") - files_etc_filetrans($1, 
wicked_var_lib_t, file, "state-4.xml") - files_etc_filetrans($1, wicked_var_lib_t, file, "state-5.xml") - files_etc_filetrans($1, wicked_var_lib_t, file, "state-6.xml") - files_etc_filetrans($1, wicked_var_lib_t, file, "state-7.xml") - files_etc_filetrans($1, wicked_var_lib_t, file, "state-8.xml") - files_etc_filetrans($1, wicked_var_lib_t, file, "state-9.xml") -') - -######################################## -## -## Create a set of derived types for various wicked scripts -## -## -## -## The name to be used for deriving type names. -## -## -# -template(`wicked_script_template',` - gen_require(` - attribute wicked_plugin, wicked_script; - type wicked_t; - ') - - type wicked_$1_t, wicked_plugin; - type wicked_$1_script_t, wicked_script; - application_domain(wicked_$1_t, wicked_$1_script_t) - role system_r types wicked_$1_t; - - domtrans_pattern(wicked_t, wicked_$1_script_t, wicked_$1_t) -') diff --git a/wicked.te b/wicked.te deleted file mode 100644 index 8747b97..0000000 --- a/wicked.te +++ /dev/null 
@@ -1,572 +0,0 @@
-policy_module(wicked, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type wicked_t;
-type wicked_exec_t;
-init_daemon_domain(wicked_t, wicked_exec_t)
-
-type wicked_initrc_exec_t;
-init_script_file(wicked_initrc_exec_t)
-
-type wicked_unit_file_t;
-systemd_unit_file(wicked_unit_file_t)
-
-type wicked_etc_t;
-files_config_file(wicked_etc_t)
-
-type wicked_etc_rw_t;
-files_config_file(wicked_etc_rw_t)
-
-#type wicked_log_t;
-#logging_log_file(wicked_log_t)
-
-type wicked_tmp_t;
-files_tmp_file(wicked_tmp_t)
-
-type wicked_var_lib_t;
-files_type(wicked_var_lib_t)
-
-type wicked_var_run_t;
-files_pid_file(wicked_var_run_t)
-
-
-# Wicked scripts
-
-attribute wicked_plugin;
-attribute wicked_script;
-type wicked_script_t, wicked_script;
-type wicked_custom_t, wicked_plugin;
-role system_r types wicked_custom_t;
-application_domain(wicked_custom_t, wicked_script_t)
-domtrans_pattern(wicked_t, wicked_script_t, wicked_custom_t)
-
-wicked_script_template(winbind);
-wicked_script_template(dhcp);
-
-#type wpa_cli_t;
-#type wpa_cli_exec_t;
-#init_system_domain(wpa_cli_t, wpa_cli_exec_t)
-
-########################################
-#
-# Local policy
-#
-
-# wicked will ptrace itself if gdb is installed
-# and it receives a unexpected signal (rh bug #204161)
-allow wicked_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_read_search dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot };
-dontaudit wicked_t self:capability sys_tty_config;
-
-allow wicked_t self:bpf { map_create map_read map_write prog_load prog_run };
-
-ifdef(`hide_broken_symptoms',`
- # caused by some bogus kernel code
- dontaudit wicked_t self:capability sys_module;
-')
-# alternatively allow with
-# kernel_load_module( wicked_t )
-
-allow wicked_t self:process { getcap setcap setpgid getsched setsched signal_perms };
-
-allow wicked_t self:process setfscreate;
-selinux_validate_context(wicked_t)
-
-tunable_policy(`deny_ptrace',`',`
- allow wicked_t self:capability sys_ptrace;
- allow wicked_t self:process ptrace;
-')
-
-allow wicked_t self:fifo_file rw_fifo_file_perms;
-allow wicked_t self:unix_dgram_socket { sendto create_socket_perms };
-allow wicked_t self:unix_stream_socket{ create_stream_socket_perms connectto };
-allow wicked_t self:netlink_generic_socket create_socket_perms;
-allow wicked_t self:netlink_route_socket create_netlink_socket_perms;
-allow wicked_t self:netlink_xfrm_socket create_netlink_socket_perms;
-allow wicked_t self:netlink_socket create_socket_perms;
-allow wicked_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow wicked_t self:tcp_socket create_stream_socket_perms;
-allow wicked_t self:tun_socket { create_socket_perms relabelfrom relabelto };
-allow wicked_t self:udp_socket create_socket_perms;
-allow wicked_t self:packet_socket create_socket_perms;
-allow wicked_t self:rawip_socket create_socket_perms;
-allow wicked_t self:socket create_socket_perms;
-
-tunable_policy(`deny_bluetooth',`',`
- allow wicked_t self:bluetooth_socket create_stream_socket_perms;
-')
-
-#allow wicked_t wpa_cli_t:unix_dgram_socket sendto;
-
-can_exec(wicked_t, wicked_exec_t)
-#wicd
-# can_exec(wicked_t, wpa_cli_exec_t)
-
-list_dirs_pattern(wicked_t, wicked_initrc_exec_t, wicked_initrc_exec_t)
-read_files_pattern(wicked_t, wicked_initrc_exec_t, wicked_initrc_exec_t)
-read_lnk_files_pattern(wicked_t, wicked_initrc_exec_t, wicked_initrc_exec_t)
-
-list_dirs_pattern(wicked_t, wicked_etc_t, wicked_etc_t)
-read_files_pattern(wicked_t, wicked_etc_t, wicked_etc_t)
-read_lnk_files_pattern(wicked_t, wicked_etc_t, wicked_etc_t)
-
-read_lnk_files_pattern(wicked_t, wicked_etc_rw_t, wicked_etc_rw_t)
-manage_dirs_pattern(wicked_t, wicked_etc_rw_t, wicked_etc_rw_t)
-manage_files_pattern(wicked_t, wicked_etc_rw_t, wicked_etc_rw_t)
-filetrans_pattern(wicked_t, wicked_etc_t, wicked_etc_rw_t, { dir file })
-
-#allow wicked_t wicked_log_t:dir setattr_dir_perms;
-#append_files_pattern(wicked_t, wicked_log_t, wicked_log_t)
-#create_files_pattern(wicked_t, wicked_log_t, wicked_log_t)
-#setattr_files_pattern(wicked_t, wicked_log_t, wicked_log_t)
-#logging_log_filetrans(wicked_t, wicked_log_t, file)
-
-can_exec(wicked_t, wicked_tmp_t)
-manage_files_pattern(wicked_t, wicked_tmp_t, wicked_tmp_t)
-manage_sock_files_pattern(wicked_t, wicked_tmp_t, wicked_tmp_t)
-files_tmp_filetrans(wicked_t, wicked_tmp_t, { sock_file file })
-
-manage_dirs_pattern(wicked_t, wicked_var_lib_t, wicked_var_lib_t)
-manage_files_pattern(wicked_t, wicked_var_lib_t, wicked_var_lib_t)
-manage_lnk_files_pattern(wicked_t, wicked_var_lib_t, wicked_var_lib_t)
-files_var_lib_filetrans(wicked_t, wicked_var_lib_t, { dir file lnk_file })
-
-manage_dirs_pattern(wicked_t, wicked_var_run_t, wicked_var_run_t)
-manage_files_pattern(wicked_t, wicked_var_run_t, wicked_var_run_t)
-manage_sock_files_pattern(wicked_t, wicked_var_run_t, wicked_var_run_t)
-files_pid_filetrans(wicked_t, wicked_var_run_t, { dir file sock_file })
-
-kernel_read_system_state(wicked_t)
-kernel_read_network_state(wicked_t)
-kernel_read_kernel_sysctls(wicked_t)
-kernel_request_load_module(wicked_t)
-kernel_read_debugfs(wicked_t)
-kernel_rw_net_sysctls(wicked_t)
-kernel_dontaudit_setsched(wicked_t)
-kernel_signull(wicked_t)
-
-corenet_ib_manage_subnet_unlabeled_endports(wicked_t)
-corenet_ib_access_unlabeled_pkeys(wicked_t)
-corenet_all_recvfrom_netlabel(wicked_t)
-corenet_tcp_sendrecv_generic_if(wicked_t)
-corenet_udp_sendrecv_generic_if(wicked_t)
-corenet_raw_sendrecv_generic_if(wicked_t)
-corenet_tcp_sendrecv_generic_node(wicked_t)
-corenet_udp_sendrecv_generic_node(wicked_t)
-corenet_raw_sendrecv_generic_node(wicked_t)
-corenet_tcp_sendrecv_all_ports(wicked_t)
-corenet_udp_sendrecv_all_ports(wicked_t)
-corenet_udp_bind_generic_node(wicked_t)
-corenet_udp_bind_isakmp_port(wicked_t)
-corenet_udp_bind_dhcpc_port(wicked_t)
-corenet_tcp_connect_all_ports(wicked_t)
-corenet_sendrecv_isakmp_server_packets(wicked_t)
-corenet_sendrecv_dhcpc_server_packets(wicked_t)
-corenet_sendrecv_all_client_packets(wicked_t)
-corenet_rw_tun_tap_dev(wicked_t)
-corenet_getattr_ppp_dev(wicked_t)
-
-dev_access_check_sysfs(wicked_t)
-dev_rw_sysfs(wicked_t)
-dev_write_sysfs_dirs(wicked_t)
-dev_read_rand(wicked_t)
-dev_read_urand(wicked_t)
-dev_dontaudit_getattr_generic_blk_files(wicked_t)
-dev_getattr_all_chr_files(wicked_t)
-dev_rw_wireless(wicked_t)
-
-fs_getattr_all_fs(wicked_t)
-fs_search_auto_mountpoints(wicked_t)
-fs_list_inotifyfs(wicked_t)
-fs_read_nsfs_files(wicked_t)
-
-mls_file_read_all_levels(wicked_t)
-
-selinux_dontaudit_search_fs(wicked_t)
-
-corecmd_exec_shell(wicked_t)
-corecmd_exec_bin(wicked_t)
-
-domain_use_interactive_fds(wicked_t)
-domain_read_all_domains_state(wicked_t)
-
-files_read_etc_runtime_files(wicked_t)
-files_read_system_conf_files(wicked_t)
-files_read_usr_src_files(wicked_t)
-files_read_isid_type_files(wicked_t)
-
-storage_getattr_fixed_disk_dev(wicked_t)
-
-term_open_unallocated_ttys(wicked_t)
-
-init_read_utmp(wicked_t)
-init_dontaudit_write_utmp(wicked_t)
-init_domtrans_script(wicked_t)
-init_signull_script(wicked_t)
-init_signal_script(wicked_t)
-init_sigkill_script(wicked_t)
-
-auth_use_nsswitch(wicked_t)
-
-libs_exec_ldconfig(wicked_t)
-
-logging_send_syslog_msg(wicked_t)
-logging_send_audit_msgs(wicked_t)
-
-miscfiles_read_generic_certs(wicked_t)
-
-seutil_read_config(wicked_t)
-seutil_run_setfiles(wicked_t, system_r)
-
-sysnet_domtrans_ifconfig(wicked_t)
-sysnet_domtrans_dhcpc(wicked_t)
-sysnet_signal_dhcpc(wicked_t)
-sysnet_signull_dhcpc(wicked_t)
-sysnet_read_dhcpc_pid(wicked_t)
-sysnet_read_dhcp_config(wicked_t)
-sysnet_delete_dhcpc_pid(wicked_t)
-sysnet_kill_dhcpc(wicked_t)
-sysnet_read_dhcpc_state(wicked_t)
-sysnet_delete_dhcpc_state(wicked_t)
-sysnet_search_dhcp_state(wicked_t)
-# in /etc created by wicked will be labelled net_conf_t.
-sysnet_manage_config(wicked_t)
-sysnet_filetrans_named_content(wicked_t)
-sysnet_filetrans_net_conf(wicked_t)
-
-systemd_machined_read_pid_files(wicked_t)
-
-term_use_unallocated_ttys(wicked_t)
-
-userdom_stream_connect(wicked_t)
-userdom_dontaudit_use_unpriv_user_fds(wicked_t)
-userdom_dontaudit_use_user_ttys(wicked_t)
-# Read gnome-keyring
-userdom_read_home_certs(wicked_t)
-userdom_read_user_home_content_files(wicked_t)
-userdom_dgram_send(wicked_t)
-
-hostname_exec(wicked_t)
-wicked_systemctl(wicked_t)
-
-sysnet_manage_config_dirs(wicked_t)
-
-
-# Wicked scripts
-
-list_dirs_pattern(wicked_t, wicked_script_t, wicked_script)
-read_files_pattern(wicked_t, wicked_script_t, wicked_script)
-read_lnk_files_pattern(wicked_t, wicked_script_t, wicked_script)
-list_dirs_pattern(wicked_plugin, wicked_script_t, wicked_script_t)
-read_lnk_files_pattern(wicked_plugin, wicked_script_t, wicked_script)
-
-auth_read_passwd(wicked_plugin)
-
-corecmd_exec_bin(wicked_plugin)
-corecmd_exec_shell(wicked_winbind_t)
-
-#tunable_policy(`use_nfs_home_dirs',`
-# fs_read_nfs_files(wicked_t)
-#')
-#
-#tunable_policy(`use_samba_home_dirs',`
-# fs_read_cifs_files(wicked_t)
-#')
-
-optional_policy(`
- avahi_domtrans(wicked_t)
- avahi_kill(wicked_t)
- avahi_signal(wicked_t)
- avahi_signull(wicked_t)
- avahi_dbus_chat(wicked_t)
-')
-
-optional_policy(`
- packagekit_dbus_chat(wicked_t)
-')
-
-optional_policy(`
- firewalld_dbus_chat(wicked_t)
-')
-
-optional_policy(`
- wicked_dbus_chat(wicked_t)
-')
-
-optional_policy(`
- bind_domtrans(wicked_t)
- bind_manage_cache(wicked_t)
- bind_kill(wicked_t)
- bind_signal(wicked_t)
- bind_signull(wicked_t)
-')
-
-optional_policy(`
- bluetooth_dontaudit_read_helper_state(wicked_t)
-')
-
-optional_policy(`
- consoletype_exec(wicked_t)
-')
-
-optional_policy(`
- cron_read_system_job_lib_files(wicked_t)
-')
-
-optional_policy(`
- chronyd_domtrans_chronyc(wicked_t)
- chronyd_domtrans(wicked_t)
-')
-
-optional_policy(`
- dbus_system_domain(wicked_t, wicked_exec_t)
-
- init_dbus_chat(wicked_t)
-
- optional_policy(`
- consolekit_dbus_chat(wicked_t)
- consolekit_read_pid_files(wicked_t)
- ')
-')
-
-optional_policy(`
- dnsmasq_read_pid_files(wicked_t)
- dnsmasq_dbus_chat(wicked_t)
- dnsmasq_delete_pid_files(wicked_t)
- dnsmasq_domtrans(wicked_t)
- dnsmasq_initrc_domtrans(wicked_t)
- dnsmasq_kill(wicked_t)
- dnsmasq_signal(wicked_t)
- dnsmasq_signull(wicked_t)
- dnsmasq_systemctl(wicked_t)
-')
-
-optional_policy(`
- dnssec_trigger_domtrans(wicked_t)
- dnssec_trigger_signull(wicked_t)
- dnssec_trigger_sigkill(wicked_t)
-')
-
-optional_policy(`
- fcoe_dgram_send_fcoemon(wicked_t)
-')
-
-optional_policy(`
- howl_signal(wicked_t)
-')
-
-optional_policy(`
- gnome_dontaudit_search_config(wicked_t)
-')
-
-optional_policy(`
- iscsid_domtrans(wicked_t)
-')
-
-optional_policy(`
- iodined_domtrans(wicked_t)
-')
-
-optional_policy(`
- ipsec_domtrans_mgmt(wicked_t)
- ipsec_kill_mgmt(wicked_t)
- ipsec_signal_mgmt(wicked_t)
- ipsec_signull_mgmt(wicked_t)
- ipsec_domtrans(wicked_t)
- ipsec_kill(wicked_t)
- ipsec_signal(wicked_t)
- ipsec_signull(wicked_t)
-')
-
-optional_policy(`
- iptables_domtrans(wicked_t)
-')
-
-optional_policy(`
- l2tpd_domtrans(wicked_t)
- l2tpd_sigkill(wicked_t)
- l2tpd_signal(wicked_t)
- l2tpd_signull(wicked_t)
-')
-
-optional_policy(`
- lldpad_dgram_send(wicked_t)
-')
-
-optional_policy(`
- kdump_dontaudit_inherited_kdumpctl_tmp_pipes(wicked_t)
-')
-
-optional_policy(`
- netutils_exec_ping(wicked_t)
- netutils_exec(wicked_t)
-')
-
-optional_policy(`
- nscd_domtrans(wicked_t)
- nscd_signal(wicked_t)
- nscd_signull(wicked_t)
- nscd_kill(wicked_t)
- nscd_initrc_domtrans(wicked_t)
- nscd_systemctl(wicked_t)
-')
-
-optional_policy(`
- # Dispatcher starting and stoping ntp
- ntp_initrc_domtrans(wicked_t)
- ntp_systemctl(wicked_t)
-')
-
-optional_policy(`
- modutils_domtrans_kmod(wicked_t)
-')
-
-optional_policy(`
- openvpn_read_config(wicked_t)
- openvpn_domtrans(wicked_t)
- openvpn_kill(wicked_t)
- openvpn_signal(wicked_t)
- openvpn_signull(wicked_t)
- openvpn_stream_connect(wicked_t)
- openvpn_noatsecure(wicked_t)
-')
-
-optional_policy(`
- policykit_dbus_chat(wicked_t)
- policykit_domtrans_auth(wicked_t)
- policykit_read_lib(wicked_t)
- policykit_read_reload(wicked_t)
- userdom_read_all_users_state(wicked_t)
-')
-
-optional_policy(`
- polipo_systemctl(wicked_t)
-')
-
-optional_policy(`
- ppp_initrc_domtrans(wicked_t)
- ppp_domtrans(wicked_t)
- ppp_manage_pid_files(wicked_t)
- ppp_kill(wicked_t)
- ppp_signal(wicked_t)
- ppp_signull(wicked_t)
- ppp_read_config(wicked_t)
- ppp_systemctl(wicked_t)
-')
-
-optional_policy(`
- rpm_exec(wicked_t)
- rpm_read_db(wicked_t)
- rpm_dontaudit_manage_db(wicked_t)
-')
-
-optional_policy(`
- samba_service_status(wicked_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(wicked_t)
-')
-
-optional_policy(`
- sysnet_manage_dhcpc_state(wicked_t)
-')
-
-optional_policy(`
- systemd_write_inhibit_pipes(wicked_t)
- systemd_read_logind_sessions_files(wicked_t)
- systemd_dbus_chat_logind(wicked_t)
- systemd_dbus_chat_hostnamed(wicked_t)
- systemd_hostnamed_manage_config(wicked_t)
-')
-
-optional_policy(`
- ssh_basic_client_template(wicked, wicked_t, system_r)
- term_use_generic_ptys(wicked_ssh_t)
- modutils_domtrans_kmod(wicked_ssh_t)
- dbus_connect_system_bus(wicked_ssh_t)
- dbus_system_bus_client(wicked_ssh_t)
-
- wicked_dbus_chat(wicked_ssh_t)
-')
-
-optional_policy(`
- udev_exec(wicked_t)
- udev_read_db(wicked_t)
- udev_read_pid_files(wicked_t)
-')
-
-optional_policy(`
- vpn_domtrans(wicked_t)
- vpn_kill(wicked_t)
- vpn_signal(wicked_t)
- vpn_signull(wicked_t)
- vpn_relabelfrom_tun_socket(wicked_t)
-')
-
-optional_policy(`
- openfortivpn_domtrans(wicked_t)
- openfortivpn_sigkill(wicked_t)
- openfortivpn_signal(wicked_t)
- openfortivpn_signull(wicked_t)
-')
-
-optional_policy(`
- openvswitch_stream_connect(wicked_t)
-')
-
-optional_policy(`
- virt_dbus_chat(wicked_t)
-')
-
-optional_policy(`
- networkmanager_dbus_chat(wicked_t)
-')
-
-optional_policy(`
- logging_send_syslog_msg(wicked_winbind_t)
-')
-
-optional_policy(`
- sysnet_exec_ifconfig(wicked_plugin)
- sysnet_read_config(wicked_plugin)
-')
-
-optional_policy(`
- systemd_exec_systemctl(wicked_winbind_t)
- systemd_exec_systemctl(wicked_dhcp_t)
-')
-
-optional_policy(`
- samba_domtrans_smbcontrol(wicked_winbind_t)
- samba_read_config(wicked_winbind_t)
- samba_service_status(wicked_winbind_t)
-')
-
-#tunable_policy(`use_ecryptfs_home_dirs',`
-#fs_manage_ecryptfs_files(wicked_t)
-#')
-
-########################################
-#
-# wpa_cli local policy
-#
-
-#allow wpa_cli_t self:capability { dac_read_search };
-#allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
-#
-#allow wpa_cli_t wicked_t:unix_dgram_socket sendto;
-#
-#manage_sock_files_pattern(wpa_cli_t, wicked_tmp_t, wicked_tmp_t)
-#files_tmp_filetrans(wpa_cli_t, wicked_tmp_t, sock_file)
-#
-#list_dirs_pattern(wpa_cli_t, wicked_var_run_t, wicked_var_run_t)
-#rw_sock_files_pattern(wpa_cli_t, wicked_var_run_t, wicked_var_run_t)
-#
-#init_dontaudit_use_fds(wpa_cli_t)
-#init_use_script_ptys(wpa_cli_t)
-#
-#term_dontaudit_use_console(wpa_cli_t)