rpm/selinux-policy
SHA256
1
0
Fork 0
forked from pool/selinux-policy
Code Pull Requests Activity

Accepting request 839873 from security:SELinux

Browse Source 
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/839873
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=2
This commit is contained in:
Dominique Leuenberger 2020-10-07 12:18:21 +00:00 committed by Git OBS Bridge
commit 4b6a0b8466
16 changed files with 549 additions and 123 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
booleans-minimum.conf
View File

@ -4,19 +4,19 @@ allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
allow_execmod = false
selinuxuser_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
allow_execstack = true
selinuxuser_execstack = false
# Allow ftpd to read cifs directories.
#
allow_ftpd_use_cifs = false
ftpd_use_cifs = false
# Allow ftpd to read nfs directories.
#
allow_ftpd_use_nfs = false
ftpd_use_nfs = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
@ -24,7 +24,7 @@ allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
allow_gssd_read_tmp = true
gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
@ -32,7 +32,7 @@ allow_httpd_anon_write = false
# Allow Apache to use mod_auth_pam module
#
allow_httpd_mod_auth_pam = false
httpd_mod_auth_pam = false
# Allow system to run with kerberos
#
@ -44,7 +44,7 @@ allow_rsync_anon_write = false
# Allow sasl to read shadow
#
allow_saslauthd_read_shadow = false
saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
@ -56,7 +56,7 @@ allow_ypbind = false
# Allow zebra to write it own configuration files
#
allow_zebra_write_config = false
zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
@ -148,55 +148,35 @@ user_ping = false
# allow host key based authentication
#
allow_ssh_keysign = false
ssh_keysign = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted
#
read_untrusted_content = false
# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false
# Allow regular users direct mouse access
#
user_direct_mouse = false
# Allow users to read system messages.
#
user_dmesg = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = false
user_rw_noexattrfile = true
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow w to display everyone
#
user_ttyfile_stat = false
# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored.
#
write_untrusted_content = false
# Allow all domains to talk to ttys
#
allow_daemons_use_tty = false
daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
allow_polyinstantiation = false
polyinstantiation_enabled = false
# Allow all domains to dump core
#
allow_daemons_dump_core = true
daemons_dump_core = true
# Allow samba to act as the domain controller
#
@ -208,36 +188,24 @@ samba_run_unconfined = false
# Allows XServer to execute writable memory
#
allow_xserver_execmem = false
xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
allow_guest_exec_content = false
allow_xguest_exec_content = false
# Only allow browser to use the web
#
browser_confine_xguest=false
guest_exec_content = false
xguest_exec_content = false
# Allow postfix locat to write to mail spool
#
allow_postfix_local_write_mail_spool=false
postfix_local_write_mail_spool = false
# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile=true
user_rw_noexattrfile = true
# Allow qemu to connect fully to the network
#
qemu_full_network=true
# Allow nsplugin execmem/execstack for bad plugins
#
allow_nsplugin_execmem=true
# Allow unconfined domain to transition to confined domain
#
allow_unconfined_nsplugin_transition=true
qemu_full_network = true
# System uses init upstart program
#
@ -245,9 +213,20 @@ init_upstart = true
# Allow mount to mount any file/dir
#
allow_mount_anyfile = true
mount_anyfile = true
# Allow all domains to mmap files
#
domain_can_mmap_files = true
# Allow confined applications to use nscd shared memory
#
nscd_use_shm = true
# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
#
unconfined_chrome_sandbox_transition = true
# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
#
unconfined_mozilla_plugin_transition = true

236
booleans-mls.conf
View File

@ -1,6 +1,232 @@
kerberos_enabled = true
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
selinuxuser_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
selinuxuser_execstack = false
# Allow ftpd to read cifs directories.
#
ftpd_use_cifs = false
# Allow ftpd to read nfs directories.
#
ftpd_use_nfs = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false
# Allow Apache to use mod_auth_pam module
#
httpd_mod_auth_pam = false
# Allow system to run with kerberos
#
allow_kerberos = true
# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false
# Allow sasl to read shadow
#
saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false
# Allow system to run with NIS
#
allow_ypbind = false
# Allow zebra to write it own configuration files
#
zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false
#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false
#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true
#
# allow httpd to network relay
httpd_can_network_relay = false
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true
# Allow http daemon to tcp connect
#
httpd_can_network_connect = false
# Allow httpd cgi support
#
httpd_enable_cgi = true
# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false
# Allow httpd to read home directories
#
httpd_enable_homedirs = false
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false
# Run CGI in the main httpd domain
#
httpd_unified = false
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = false
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true
# Allow nfs to be exported read only
#
nfs_export_all_ro = true
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
# Allow reading of default_t files.
#
read_default_t = false
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false
# Support NFS home directories
#
use_nfs_home_dirs = true
# Support SAMBA home directories
#
use_samba_home_dirs = false
# Control users use of ping and traceroute
#
user_ping = false
# allow host key based authentication
#
ssh_keysign = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = true
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow all domains to talk to ttys
#
daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
polyinstantiation_enabled = false
# Allow all domains to dump core
#
daemons_dump_core = true
# Allow samba to act as the domain controller
#
samba_domain_controller = false
# Allow samba to export user home directories.
#
samba_run_unconfined = false
# Allows XServer to execute writable memory
#
xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
guest_exec_content = false
xguest_exec_content = false
# Allow postfix locat to write to mail spool
#
postfix_local_write_mail_spool = false
# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile = true
# Allow qemu to connect fully to the network
#
qemu_full_network = true
# System uses init upstart program
#
init_upstart = true
# Allow mount to mount any file/dir
#
mount_anyfile = true
polyinstantiation_enabled = true
ftpd_is_daemon = true
selinuxuser_ping = true
xserver_object_manager = true
# Allow all domains to mmap files
#
domain_can_mmap_files = true
# Allow confined applications to use nscd shared memory
#
nscd_use_shm = true
# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
#
unconfined_chrome_sandbox_transition = false
# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
#
unconfined_mozilla_plugin_transition = false

241
booleans-targeted.conf
View File

@ -1,23 +1,232 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
#
selinuxuser_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
selinuxuser_execstack = false
# Allow ftpd to read cifs directories.
#
ftpd_use_cifs = false
# Allow ftpd to read nfs directories.
#
ftpd_use_nfs = false
# Allow ftp servers to modify public filesused for public file transfer services.
#
allow_ftpd_anon_write = false
# Allow gssd to read temp directory.
#
gssd_read_tmp = true
# Allow Apache to modify public filesused for public file transfer services.
#
allow_httpd_anon_write = false
# Allow Apache to use mod_auth_pam module
#
httpd_mod_auth_pam = false
# Allow system to run with kerberos
#
allow_kerberos = true
# Allow rsync to modify public filesused for public file transfer services.
#
allow_rsync_anon_write = false
# Allow sasl to read shadow
#
saslauthd_read_shadow = false
# Allow samba to modify public filesused for public file transfer services.
#
allow_smbd_anon_write = false
# Allow system to run with NIS
#
allow_ypbind = false
# Allow zebra to write it own configuration files
#
zebra_write_config = false
# Enable extra rules in the cron domainto support fcron.
#
fcron_crond = false
#
# allow httpd to connect to mysql/posgresql
httpd_can_network_connect_db = false
#
# allow httpd to send dbus messages to avahi
httpd_dbus_avahi = true
#
# allow httpd to network relay
httpd_can_network_relay = false
# Allow httpd to use built in scripting (usually php)
#
httpd_builtin_scripting = true
# Allow http daemon to tcp connect
#
httpd_can_network_connect = false
# Allow httpd cgi support
#
httpd_enable_cgi = true
kerberos_enabled = true
mount_anyfile = true
nfs_export_all_ro = true
# Allow httpd to act as a FTP server bylistening on the ftp port.
#
httpd_enable_ftp_server = false
# Allow httpd to read home directories
#
httpd_enable_homedirs = false
# Run SSI execs in system CGI script domain.
#
httpd_ssi_exec = false
# Allow http daemon to communicate with the TTY
#
httpd_tty_comm = false
# Run CGI in the main httpd domain
#
httpd_unified = false
# Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
#
named_write_master_zones = false
# Allow nfs to be exported read/write.
#
nfs_export_all_rw = true
nscd_use_shm = true
openvpn_enable_homedirs = true
postfix_local_write_mail_spool= true
# Allow nfs to be exported read only
#
nfs_export_all_ro = true
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
privoxy_connect_any = true
selinuxuser_direct_dri_enabled = true
selinuxuser_rw_noexattrfile = true
selinuxuser_ping = true
squid_connect_any = true
telepathy_tcp_connect_generic_network_ports=true
unconfined_chrome_sandbox_transition=true
unconfined_mozilla_plugin_transition=true
xguest_exec_content = true
mozilla_plugin_can_network_connect = true
# Allow reading of default_t files.
#
read_default_t = false
# Allow samba to export user home directories.
#
samba_enable_home_dirs = false
# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports.
#
squid_connect_any = false
# Support NFS home directories
#
use_nfs_home_dirs = true
# Support SAMBA home directories
#
use_samba_home_dirs = false
# Control users use of ping and traceroute
#
user_ping = false
# allow host key based authentication
#
ssh_keysign = false
# Allow pppd to be run for a regular user
#
pppd_for_user = false
# Allow spamd to write to users homedirs
#
spamd_enable_home_dirs = false
# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY)
#
user_rw_noexattrfile = true
# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols.
#
user_tcp_server = false
# Allow all domains to talk to ttys
#
daemons_use_tty = false
# Allow login domains to polyinstatiate directories
#
polyinstantiation_enabled = false
# Allow all domains to dump core
#
daemons_dump_core = true
# Allow samba to act as the domain controller
#
samba_domain_controller = false
# Allow samba to export user home directories.
#
samba_run_unconfined = false
# Allows XServer to execute writable memory
#
xserver_execmem = false
# disallow guest accounts to execute files that they can create
#
guest_exec_content = false
xguest_exec_content = false
# Allow postfix locat to write to mail spool
#
postfix_local_write_mail_spool = false
# Allow common users to read/write noexattrfile systems
#
user_rw_noexattrfile = true
# Allow qemu to connect fully to the network
#
qemu_full_network = true
# System uses init upstart program
#
init_upstart = true
# Allow mount to mount any file/dir
#
mount_anyfile = true
# Allow all domains to mmap files
#
domain_can_mmap_files = true
# Allow confined applications to use nscd shared memory
#
nscd_use_shm = true
# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
#
unconfined_chrome_sandbox_transition = true
# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
#
unconfined_mozilla_plugin_transition = true

3
fedora-policy.20200717.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9cce9137b42c72c260c989e8a35153681b4fda9c9bcabda80816393683cd0304
size 752394

3
fedora-policy.20200910.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7e8acb185a5abf179037ca0531d312d327df52c0b201128e84d22afe730c8b96
size 738509

2
fix_authlogin.patch
View File

@ -2,7 +2,7 @@ Index: fedora-policy/policy/modules/system/authlogin.fc
===================================================================
--- fedora-policy.orig/policy/modules/system/authlogin.fc
+++ fedora-policy/policy/modules/system/authlogin.fc
@@ -47,6 +47,7 @@ ifdef(`distro_gentoo', `
@@ -49,6 +49,7 @@ ifdef(`distro_gentoo', `
/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
/usr/libexec/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)

2
fix_nagios.patch
View File

@ -14,7 +14,7 @@ Index: fedora-policy/policy/modules/contrib/nagios.te
===================================================================
--- fedora-policy.orig/policy/modules/contrib/nagios.te
+++ fedora-policy/policy/modules/contrib/nagios.te
@@ -157,6 +157,7 @@ allow nagios_t nagios_spool_t:file map;
@@ -161,6 +161,7 @@ allow nagios_t nagios_spool_t:file map;
manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)

13
fix_selinuxutil.patch
View File

@ -24,3 +24,16 @@ Index: fedora-policy/policy/modules/system/selinuxutil.te
cloudform_dontaudit_write_cloud_log(setfiles_t)
')
Index: fedora-policy/policy/modules/system/selinuxutil.if
===================================================================
--- fedora-policy.orig/policy/modules/system/selinuxutil.if
+++ fedora-policy/policy/modules/system/selinuxutil.if
@@ -777,6 +777,8 @@ interface(`seutil_dontaudit_read_config'
dontaudit $1 selinux_config_t:dir search_dir_perms;
dontaudit $1 selinux_config_t:file read_file_perms;
+ # /etc/selinux/config was a link to /etc/sysconfig/selinux-policy, ignore read attemps
+ dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms;
')
########################################

2
fix_systemd.patch
View File

@ -13,7 +13,7 @@ Index: fedora-policy/policy/modules/system/systemd.te
apache_read_tmp_files(systemd_logind_t)
')
@@ -823,6 +827,10 @@ optional_policy(`
@@ -828,6 +832,10 @@ optional_policy(`
dbus_connect_system_bus(systemd_hostnamed_t)
')

4
fix_usermanage.patch
View File

@ -10,7 +10,7 @@ Index: fedora-policy/policy/modules/admin/usermanage.te
fs_getattr_xattr_fs(groupadd_t)
fs_search_auto_mountpoints(groupadd_t)
@@ -529,6 +530,7 @@ allow useradd_t self:unix_dgram_socket c
@@ -530,6 +531,7 @@ allow useradd_t self:unix_dgram_socket c
allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
@ -18,7 +18,7 @@ Index: fedora-policy/policy/modules/admin/usermanage.te
manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
@@ -537,6 +539,8 @@ files_pid_filetrans(useradd_t, useradd_v
@@ -538,6 +540,8 @@ files_pid_filetrans(useradd_t, useradd_v
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)

7
modules-minimum-base.conf
View File

@ -392,13 +392,6 @@ udev = module
#
unconfined = module
# Layer: system
# Module: kdbus
#
# Policy for kdbus.
#
kdbus = module
# Layer: admin
# Module: rpm
#

7
modules-targeted-base.conf
View File

@ -392,13 +392,6 @@ udev = module
#
unconfined = module
# Layer: system
# Module: kdbus
#
# Policy for kdbus.
#
kdbus = module
# Layer: contrib
# Module: packagekit
#

29
selinux-policy.changes
View File

@ -1,3 +1,32 @@
-------------------------------------------------------------------
Tue Sep 10 07:16:50 UTC 2020 - Johannes Segitz <jsegitz@suse.com>
- Update to version 20200910. Refreshed
* fix_authlogin.patch
* fix_nagios.patch
* fix_systemd.patch
* fix_usermanage.patch
- Delete suse_specific.patch, moved content into fix_selinuxutil.patch
- Cleanup of booleans-* presets
* Enabled
user_rw_noexattrfile
unconfined_chrome_sandbox_transition
unconfined_mozilla_plugin_transition
for the minimal policy
* Disabled
xserver_object_manager
for the MLS policy
* Disabled
openvpn_enable_homedirs
privoxy_connect_any
selinuxuser_direct_dri_enabled
selinuxuser_ping (aka user_ping)
squid_connect_any
telepathy_tcp_connect_generic_network_ports
for the targeted policy
Change your local config if you need them
- Build HTML version of manpages for the -devel package
-------------------------------------------------------------------
Thu Sep 3 07:47:52 UTC 2020 - Johannes Segitz <jsegitz@suse.com>

25
selinux-policy.spec
View File

@ -15,7 +15,6 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# TODO: This turns on distro-specific policies.
# There are almost no SUSE specific modifications available in the policy, so we utilize the
# ones used by redhat and include also the SUSE specific ones (see sed statement below)
%define distro redhat
@ -33,7 +32,7 @@ Summary: SELinux policy configuration
License: GPL-2.0-or-later
Group: System/Management
Name: selinux-policy
Version: 20200717
Version: 20200910
Release: 0
Source: fedora-policy.%{version}.tar.bz2
Source1: selinux-policy-rpmlintrc
@ -65,7 +64,6 @@ Source52: users-minimum
Source60: selinux-policy.conf
Source90: selinux-policy-rpmlintrc
Source91: Makefile.devel
Source92: customizable_types
#Source93: config.tgz
@ -123,7 +121,7 @@ Patch039: fix_cron.patch
Patch040: fix_usermanage.patch
Patch041: fix_smartmon.patch
Patch042: fix_geoclue.patch
Patch043: suse_specific.patch
#Patch043: suse_specific.patch
Patch044: fix_authlogin.patch
Patch045: fix_screen.patch
Patch046: fix_unprivuser.patch
@ -154,6 +152,7 @@ Recommends: selinux-tools
# for audit2allow
Recommends: python3-policycoreutils
Recommends: policycoreutils-python-utils
Recommends: container-selinux
%define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
@ -351,7 +350,6 @@ creating other policies.
%dir %{_datadir}/selinux/packages
%dir %{_sysconfdir}/selinux
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
#%ghost %{_sysconfdir}/sysconfig/selinux-policy
%{_tmpfilesdir}/selinux-policy.conf
%{_rpmconfigdir}/macros.d/macros.selinux-policy
@ -426,7 +424,7 @@ exit 0
%patch040 -p1
%patch041 -p1
%patch042 -p1
%patch043 -p1
#% patch043 -p1
%patch044 -p1
%patch045 -p1
%patch046 -p1
@ -442,8 +440,6 @@ find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \;
%install
mkdir -p %{buildroot}%{_sysconfdir}/selinux
touch %{buildroot}%{_sysconfdir}/selinux/config
#mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
#touch %{buildroot}%{_sysconfdir}/sysconfig/selinux-policy
mkdir -p %{buildroot}%{_tmpfilesdir}
cp %{SOURCE60} %{buildroot}%{_tmpfilesdir}
@ -512,11 +508,10 @@ mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/seli
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
#XXX what's missing for html?
#%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
#mkdir %{buildroot}%{_datadir}/selinux/devel/html
#mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
#mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
mkdir %{buildroot}%{_datadir}/selinux/devel/html
mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
%post
if [ ! -s %{_sysconfdir}/selinux/config ]; then
@ -525,7 +520,6 @@ if [ ! -s %{_sysconfdir}/selinux/config ]; then
if [ -f %{_sysconfdir}/sysconfig/selinux-policy ]; then
mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config
else
# XXX right default for SELINUXTYPE?
echo "
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
@ -594,7 +588,10 @@ SELinux policy development and man page package
%files devel
%defattr(-,root,root,-)
%doc %{_datadir}/man/ru/man8/*
%doc %{_datadir}/man/man8/*
%dir %{_datadir}/selinux/devel
%dir %{_datadir}/selinux/devel/html/
%doc %{_datadir}/selinux/devel/html/*
%dir %{_datadir}/selinux/devel/include
%{_datadir}/selinux/devel/include/*
%{_datadir}/selinux/devel/Makefile

13
suse_specific.patch
View File

@ -1,13 +0,0 @@
Index: fedora-policy/policy/modules/system/selinuxutil.if
===================================================================
--- fedora-policy.orig/policy/modules/system/selinuxutil.if
+++ fedora-policy/policy/modules/system/selinuxutil.if
@@ -777,6 +777,8 @@ interface(`seutil_dontaudit_read_config'
dontaudit $1 selinux_config_t:dir search_dir_perms;
dontaudit $1 selinux_config_t:file read_file_perms;
+ # /etc/selinux/config is often a link to /etc/sysconfig/selinux-policy
+ dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms;
')
########################################

2
update.sh
View File

@ -13,7 +13,7 @@ git clone --depth 1 https://github.com/containers/container-selinux.git
mv selinux-policy fedora-policy
rm -rf fedora-policy/.git*
mv selinux-policy-contrib/* fedora-policy/policy/modules/contrib/
mv container-selinux/* fedora-policy/policy/modules/contrib/
mv container-selinux/container.* fedora-policy/policy/modules/contrib/
rm -f fedora-policy.$date.tar*
tar cf fedora-policy.$date.tar fedora-policy