rpm/selinux-policy
SHA256
1
0
Fork 0
forked from pool/selinux-policy
Code Pull Requests Activity

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=69

Browse Source
This commit is contained in:
Johannes Segitz 2018-11-28 08:55:02 +00:00 committed by Git OBS Bridge
parent 50b70e6d39
commit 5791105ca8
57 changed files with 11171 additions and 168858 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
add-overlayfs-as-xattr-capable.patch
View File

@ -1,22 +0,0 @@
commit b3a95b4aeb4ecc3ce5125aac2f114224fcead5b9
Author: Jason Zaman <jason@perfinion.com>
Date: Sun Oct 11 18:35:20 2015 +0800
Add overlayfs as an XATTR capable fs
The module is called "overlay" in the kernel
---
policy/modules/kernel/filesystem.te | 1 +
1 file changed, 1 insertion(+)
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -33,6 +33,7 @@ fs_use_xattr gpfs gen_context(system_u:o
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);

12
allow-local_login_t-read-shadow.patch
View File

@ -1,12 +0,0 @@
Index: serefpolicy-3.12.1/policy/modules/system/locallogin.te
===================================================================
--- serefpolicy-3.12.1.orig/policy/modules/system/locallogin.te 2013-10-23 11:44:16.815098321 +0200
+++ serefpolicy-3.12.1/policy/modules/system/locallogin.te 2013-10-23 11:44:16.848098676 +0200
@@ -126,6 +126,7 @@ term_setattr_unallocated_ttys(local_logi
term_relabel_all_ptys(local_login_t)
term_setattr_generic_ptys(local_login_t)
+auth_read_shadow(local_login_t)
auth_rw_login_records(local_login_t)
auth_rw_faillog(local_login_t)
auth_manage_pam_console_data(local_login_t)

1930
booleans-minimum.conf
View File

File diff suppressed because it is too large Load Diff

1854
booleans-mls.conf
View File

File diff suppressed because it is too large Load Diff

1870
booleans-targeted.conf
View File

File diff suppressed because it is too large Load Diff

49
booleans.subs_dist
View File

@ -1,49 +0,0 @@
allow_auditadm_exec_content auditadm_exec_content
allow_console_login login_console_enabled
allow_cvs_read_shadow cvs_read_shadow
allow_daemons_dump_core daemons_dump_core
allow_daemons_use_tcp_wrapper daemons_use_tcp_wrapper
allow_daemons_use_tty daemons_use_tty
allow_domain_fd_use domain_fd_use
allow_execheap selinuxuser_execheap
allow_execmod selinuxuser_execmod
allow_execstack selinuxuser_execstack
allow_ftpd_anon_write ftpd_anon_write
allow_ftpd_full_access ftpd_full_access
allow_ftpd_use_cifs ftpd_use_cifs
allow_ftpd_use_nfs ftpd_use_nfs
allow_gssd_read_tmp gssd_read_tmp
allow_guest_exec_content guest_exec_content
allow_httpd_anon_write httpd_anon_write
allow_httpd_mod_auth_ntlm_winbind httpd_mod_auth_ntlm_winbind
allow_httpd_mod_auth_pam httpd_mod_auth_pam
allow_httpd_sys_script_anon_write httpd_sys_script_anon_write
allow_kerberos kerberos_enabled
allow_mplayer_execstack mplayer_execstack
allow_mount_anyfile mount_anyfile
allow_nfsd_anon_write nfsd_anon_write
allow_polyinstantiation polyinstantiation_enabled
allow_postfix_local_write_mail_spool postfix_local_write_mail_spool
allow_rsync_anon_write rsync_anon_write
allow_saslauthd_read_shadow saslauthd_read_shadow
allow_secadm_exec_content secadm_exec_content
allow_smbd_anon_write smbd_anon_write
allow_ssh_keysign ssh_keysign
allow_staff_exec_content staff_exec_content
allow_sysadm_exec_content sysadm_exec_content
allow_user_exec_content user_exec_content
allow_user_mysql_connect selinuxuser_mysql_connect_enabled
allow_user_postgresql_connect selinuxuser_postgresql_connect_enabled
allow_write_xshm xserver_clients_write_xshm
allow_xguest_exec_content xguest_exec_content
allow_xserver_execmem xserver_execmem
allow_ypbind nis_enabled
allow_zebra_write_config zebra_write_config
user_direct_dri selinuxuser_direct_dri_enabled
user_ping selinuxuser_ping
user_share_music selinuxuser_share_music
user_tcp_server selinuxuser_tcp_server
sepgsql_enable_pitr_implementation postgresql_can_rsync
sepgsql_enable_users_ddl postgresql_selinux_users_ddl
sepgsql_transmit_client_label postgresql_selinux_transmit_client_label
sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm

14
dont_use_xmllint_in_make_conf.patch
View File

@ -1,14 +0,0 @@
Index: serefpolicy-20140730/Makefile
===================================================================
--- serefpolicy-20140730.orig/Makefile 2014-07-30 16:48:48.379896000 +0200
+++ serefpolicy-20140730/Makefile 2015-02-25 12:37:11.262844720 +0100
@@ -431,9 +431,6 @@ $(polxml): $(layerxml) $(tunxml) $(boolx
$(verbose) for i in $(basename $(notdir $(layerxml))); do echo "<layer name=\"$$i\">" >> $@; cat $(tmpdir)/$$i.xml >> $@; echo "</layer>" >> $@; done
$(verbose) cat $(tunxml) $(boolxml) >> $@
$(verbose) echo '</policy>' >> $@
- $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \
- $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\
- fi
xml: $(polxml)

12
label_sysconfig.selinux-policy.patch
View File

@ -1,12 +0,0 @@
Index: serefpolicy-3.12.1/policy/modules/system/selinuxutil.fc
===================================================================
--- serefpolicy-3.12.1.orig/policy/modules/system/selinuxutil.fc 2013-10-23 11:44:16.817098343 +0200
+++ serefpolicy-3.12.1/policy/modules/system/selinuxutil.fc 2013-10-23 11:44:16.836098547 +0200
@@ -4,6 +4,7 @@
# /etc
#
/etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0)
+/etc/sysconfig/selinux-policy gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0)
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
/etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0)

12
label_sysconfig.selinux.patch Normal file
View File

@ -0,0 +1,12 @@
Index: refpolicy/policy/modules/system/selinuxutil.fc
===================================================================
--- refpolicy.orig/policy/modules/system/selinuxutil.fc 2018-11-27 11:44:18.621994420 +0100
+++ refpolicy/policy/modules/system/selinuxutil.fc 2018-11-27 11:45:11.406831098 +0100
@@ -13,6 +13,7 @@
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
/etc/selinux/([^/]*/)?users(/.*)? -- gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/sysconfig/selinux-policy -- gen_context(system_u:object_r:selinux_config_t,s0)
#
# /root

31
label_var_run_rsyslog.patch
View File

@ -1,23 +1,12 @@
Index: serefpolicy-20140730/policy/modules/system/logging.fc
Index: refpolicy/policy/modules/system/logging.fc
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/logging.fc
+++ serefpolicy-20140730/policy/modules/system/logging.fc
@@ -83,6 +83,7 @@ ifdef(`distro_redhat',`
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/rsyslog(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
--- refpolicy.orig/policy/modules/system/logging.fc 2018-11-27 11:50:10.755599120 +0100
+++ refpolicy/policy/modules/system/logging.fc 2018-11-27 11:50:32.611949480 +0100
@@ -60,6 +60,7 @@ ifdef(`distro_suse', `
/var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/log/syslog(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
Index: serefpolicy-20140730/policy/modules/system/init.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/init.te
+++ serefpolicy-20140730/policy/modules/system/init.te
@@ -1676,3 +1676,6 @@ optional_policy(`
ccs_read_config(daemon)
')
')
+
+# relabel /var/run/rsyslog
+filetrans_pattern(init_t, var_run_t, syslogd_var_run_t, dir, "rsyslog")
ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)

1
modules-minimum-disable.lst Normal file
View File

@ -0,0 +1 @@
abrt accountsd acct afs aiccu aide ajaxterm alsa amanda amtu anaconda antivirus apache apcupsd apm arpwatch asterisk authconfig automount avahi awstats bcfg2 bind rpcbind rngd bitlbee blueman bluetooth boinc brctl bugzilla cachefilesd calamaris callweaver canna ccs cdrecord certmaster certmonger certwatch cfengine cgroup chrome chronyd cipe clogd cloudform cmirrord cobbler collectd colord comsat condor consolekit couchdb courier cpucontrol cpufreqselector cron ctdb cups cvs cyphesis cyrus daemontools dbadm dbskk dbus dcc ddclient denyhosts devicekit dhcp dictd dirsrv-admin dirsrv dmidecode dnsmasq dnssec dovecot drbd dspam entropyd exim fail2ban fcoe fetchmail finger firewalld firewallgui firstboot fprintd ftp tftp games gitosis git glance glusterd gnome gpg gpg gpm gpsd guest xguest hddtemp icecast inetd inn lircd irc irqbalance iscsi isns jabber jetty jockey kdumpgui kdump kerberos keyboardd keystone kismet ksmtuned ktalk l2tp ldap likewise lircd livecd lldpad loadkeys lockdev logrotate logwatch lpd slpd mailman mailscanner man2html mcelog mediawiki memcached milter mock modemmanager mojomojo mozilla mpd mplayer mrtg mta munin mysql mythtv nagios namespace ncftool ncftool networkmanager nis nova nscd nslcd ntop ntp numad nut nx obex oddjob openct openshift-origin openshift openvpn openvswitch prelude pads passenger pcmcia pcscd pegasus pingd piranha plymouthd podsleuth policykit polipo portmap portreserve postfix postgrey ppp prelink unprivuser prelude privoxy procmail psad ptchown publicfile pulseaudio puppet pwauth qmail qpid quantum quota rabbitmq radius radvd raid rdisc readahead realmd remotelogin rhcs rhev rhgb rhsmcertd ricci rlogin roundup rpcbind rpc rpm rshd rssh rsync rtkit rwho sambagui samba sandbox sandboxX sanlock sasl sblim screen sectoolm sendmail sensord setroubleshoot sge shorewall slocate slpd smartmon smokeping smoltclient snmp snort sosreport soundserver spamassassin squid sssd stapserver stunnel svnserve swift sysstat tcpd tcsd telepathy telnet tftp tgtd thumb tmpreaper tomcat cpufreqselector tor ksmtuned tuned tvtime ulogd uml updfstab usbmodules usbmuxd userhelper usernetctl uucp uuidd varnishd vbetool vbetool vdagent vhostmd virt vlock vmware vnstatd openvpn vpn w3c wdmd webadm webalizer wine wireshark xen xguest zabbix zarafa zebra zoneminder zosremote thin mandb pki smsd sslh obs

2863
modules-mls-base.conf
View File

File diff suppressed because it is too large Load Diff

1644
modules-mls-contrib.conf
View File

File diff suppressed because it is too large Load Diff

2851
modules-targeted-base.conf
View File

File diff suppressed because it is too large Load Diff

2238
modules-targeted-contrib.conf
View File

File diff suppressed because it is too large Load Diff

52618
policy-rawhide-base.patch
View File

File diff suppressed because it is too large Load Diff

110647
policy-rawhide-contrib.patch
View File

File diff suppressed because it is too large Load Diff

3
refpolicy-2.20180701.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:dca99ee829b41f216474170c0e38aae99b01a0406a841bdc7347b49aa24f6c7d
size 753050

2
rpmlintrc Normal file
View File

@ -0,0 +1,2 @@
# this is intentional
addFilter("W: files-duplicate")

10
segenxml_interpreter.patch Normal file
View File

@ -0,0 +1,10 @@
Index: refpolicy/support/segenxml.py
===================================================================
--- refpolicy.orig/support/segenxml.py 2018-06-10 19:32:41.000000000 +0200
+++ refpolicy/support/segenxml.py 2018-11-27 16:52:00.196329793 +0100
@@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#! /usr/bin/python3
# Author(s): Donald Miner <dminer@tresys.com>
# Dave Sugar <dsugar@tresys.com>

36
selinux-policy.changes
View File

@ -1,10 +1,44 @@
-------------------------------------------------------------------
Tue Nov 27 15:20:03 UTC 2018 - jsegitz@suse.com
- Use refpolicy 20180701 as a base
- Dropped patches
* allow-local_login_t-read-shadow.patch
* dont_use_xmllint_in_make_conf.patch
* label_sysconfig.selinux-policy.patch
* policy-rawhide-base.patch
* policy-rawhide-contrib.patch
* suse_modifications_authlogin.patch
* suse_modifications_dbus.patch
* suse_modifications_glusterfs.patch
* suse_modifications_ipsec.patch
* suse_modifications_passenger.patch
* suse_modifications_policykit.patch
* suse_modifications_postfix.patch
* suse_modifications_rtkit.patch
* suse_modifications_selinuxutil.patch
* suse_modifications_ssh.patch
* suse_modifications_staff.patch
* suse_modifications_stapserver.patch
* suse_modifications_systemd.patch
* suse_modifications_unconfined.patch
* suse_modifications_unconfineduser.patch
* suse_modifications_unprivuser.patch
* systemd-tmpfiles.patch
* type_transition_contrib.patch
* type_transition_file_class.patch
* useradd-netlink_selinux_socket.patch
* xconsole.patch
Rebased the other patches to apply to refpolicy
- Added segenxml_interpreter.patch to not use env in shebang
- Added rpmlintrc to surpress duplicate file warnings
-------------------------------------------------------------------
Mon Mar 26 13:18:34 UTC 2018 - rgoldwyn@suse.com
- Add overlayfs as xattr capable (bsc#1073741)
* add-overlayfs-as-xattr-capable.patch
-------------------------------------------------------------------
Tue Dec 12 09:07:31 UTC 2017 - jsegitz@suse.com

250
selinux-policy.spec
View File

@ -24,21 +24,14 @@
# TODO: This turns on distro-specific policies.
# There are almost no SUSE specific modifications available in the policy, so we utilize the
# ones used by redhat and include also the SUSE specific ones (see sed statement below)
%define distro redhat
%define distro suse
%define ubac n
%define polyinstatiate n
%define monolithic n
%define BUILD_DOC 1
%define BUILD_TARGETED 1
%define BUILD_MINIMUM 1
%if 0%{suse_version} == 1315 && 0%{is_opensuse} == 0
%define BUILD_MLS 0
%else
%define BUILD_MLS 1
%endif
%if 0%{?suse_version} >= 1330 || ( 0%{?suse_version} == 1315 && 0%{?sle_version} >= 120200 )
%else
%endif
%define POLICYCOREUTILSVER %(rpm -q --qf %%{version} policycoreutils)
%define CHECKPOLICYVER %POLICYCOREUTILSVER
@ -129,21 +122,17 @@ Summary: SELinux policy configuration
License: GPL-2.0-or-later
Group: System/Management
Name: selinux-policy
Version: 20140730
Version: 20180701
Release: 0
Source: serefpolicy-%{version}.tgz
Source1: serefpolicy-contrib-%{version}.tgz
Source: https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_%{version}/refpolicy-2.%{version}.tar.bz2
Source10: modules-targeted-base.conf
Source11: modules-targeted-contrib.conf
Source12: modules-mls-base.conf
Source13: modules-mls-contrib.conf
#Source14: modules-minimum.conf
Source13: modules-minimum-disable.lst
Source20: booleans-targeted.conf
Source21: booleans-mls.conf
Source22: booleans-minimum.conf
Source23: booleans.subs_dist
Source30: setrans-targeted.conf
Source31: setrans-mls.conf
@ -166,49 +155,20 @@ Source92: customizable_types
Source93: config.tgz
Source94: file_contexts.subs_dist
# base policy patches
Patch0001: policy-rawhide-base.patch
# The following two patches are a workaround for 812055
Patch0002: type_transition_file_class.patch
Patch0003: label_sysconfig.selinux-policy.patch
Patch0004: sysconfig_network_scripts.patch
Patch0005: allow-local_login_t-read-shadow.patch
Patch0006: xconsole.patch
Patch0007: useradd-netlink_selinux_socket.patch
Patch0008: systemd-tmpfiles.patch
Patch0009: label_var_run_rsyslog.patch
Patch0010: suse_modifications_unconfined.patch
Patch0011: suse_modifications_systemd.patch
Patch0012: suse_modifications_unconfineduser.patch
Patch0013: suse_modifications_selinuxutil.patch
Patch0014: suse_modifications_logging.patch
Patch0015: suse_modifications_getty.patch
Patch0016: suse_modifications_authlogin.patch
Patch0017: suse_modifications_xserver.patch
Patch0018: suse_modifications_ssh.patch
Patch0019: suse_modifications_usermanage.patch
Patch0020: suse_modifications_unprivuser.patch
Patch0021: dont_use_xmllint_in_make_conf.patch
Patch0022: suse_modifications_staff.patch
Patch0023: suse_modifications_ipsec.patch
Patch0024: add-overlayfs-as-xattr-capable.patch
# contrib patches
Patch1000: policy-rawhide-contrib.patch
Patch1001: type_transition_contrib.patch
Patch1002: suse_modifications_virt.patch
Patch1003: suse_modifications_dbus.patch
Patch1004: suse_modifications_policykit.patch
Patch1005: suse_modifications_postfix.patch
Patch1006: suse_modifications_rtkit.patch
Patch1007: suse_modifications_apache.patch
Patch1008: suse_modifications_ntp.patch
Patch1009: suse_modifications_cron.patch
Patch1010: suse_additions_sslh.patch
Patch1011: suse_additions_obs.patch
Patch1012: suse_modifications_glusterfs.patch
Patch1013: suse_modifications_passenger.patch
Patch1014: suse_modifications_stapserver.patch
Patch001: label_sysconfig.selinux.patch
Patch002: label_var_run_rsyslog.patch
Patch003: suse_additions_obs.patch
Patch004: suse_additions_sslh.patch
Patch005: suse_modifications_apache.patch
Patch007: suse_modifications_cron.patch
Patch009: suse_modifications_getty.patch
Patch012: suse_modifications_logging.patch
Patch013: suse_modifications_ntp.patch
Patch021: suse_modifications_usermanage.patch
Patch022: suse_modifications_virt.patch
Patch023: suse_modifications_xserver.patch
Patch024: sysconfig_network_scripts.patch
Patch025: segenxml_interpreter.patch
Url: http://oss.tresys.com/repos/refpolicy/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -221,7 +181,7 @@ BuildRequires: gawk
BuildRequires: libxml2-tools
BuildRequires: m4
BuildRequires: policycoreutils
BuildRequires: policycoreutils-python
BuildRequires: python3-policycoreutils
BuildRequires: python
BuildRequires: python-xml
#BuildRequires: selinux-policy-devel
@ -232,28 +192,29 @@ Requires(post): /bin/awk /usr/bin/sha512sum
Recommends: audit
Recommends: selinux-tools
# for audit2allow
Recommends: policycoreutils-python
Recommends: python3-policycoreutils
Recommends: policycoreutils
%global makeCmds() \
make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \
make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
cp -f selinux_config/users-%1 ./policy/users \
#cp -f selinux_config/users-%1 ./policy/users \
#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \
%global makeModulesConf() \
cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \
cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \
if [ "%3" = "contrib" ];then \
cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
fi; \
#if [ "%3" = "contrib" ];then \
# cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
# cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
#fi; \
%global installCmds() \
make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" base.pp \
make validate SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" modules \
make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" base.pp \
make %{?_smp_mflags} validate SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" modules \
make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
make %{?_smp_mflags} SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
%{__mkdir} -p %{buildroot}/%{module_store %%{1}}/%{module_dir} \
@ -272,14 +233,11 @@ touch %{buildroot}%{module_store %%{1}}/active/seusers \
touch %{buildroot}%{module_store %%{1}}/active/nodes.local \
touch %{buildroot}%{module_store %%{1}}/active/users_extra.local \
touch %{buildroot}%{module_store %%{1}}/active/users.local \
cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \
%install_pp %%1 \
touch %{buildroot}%{module_disabled %%1 sandbox} \
/usr/sbin/semodule -s %%1 -n -B -p %{buildroot}; \
/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.* | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern \
ln -sf %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{module_store %%{1}}/active/policy.kern \
%nil
%global fileList() \
@ -304,13 +262,14 @@ ln -sf %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{modul
%verify(not md5 size mtime) %{module_store %%{1}}/active/homedir_template \
%{module_store %%{1}}/%{module_dir}/* \
%ghost %{module_store %%{1}}/active/*.local \
%{module_store %%{1}}/active/*.linked \
%{module_store %%{1}}/active/*.homedirs \
%{files_dot_bin %%1} \
%ghost %{module_store %%{1}}/active/seusers \
%dir %{_sysconfdir}/selinux/%1/policy/ \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.* \
%{_sysconfdir}/selinux/%1/.policy.sha512 \
%dir %{_sysconfdir}/selinux/%1/contexts \
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
@ -324,7 +283,8 @@ ln -sf %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{modul
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/customizable_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/openrc_contexts \
%dir %{_sysconfdir}/selinux/%1/contexts/files \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
@ -332,7 +292,6 @@ ln -sf %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{modul
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
%{_sysconfdir}/selinux/%1/booleans.subs_dist \
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
%dir %{_sysconfdir}/selinux/%1/contexts/users \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/*
@ -414,62 +373,27 @@ SELinux Reference Policy. A complete SELinux policy that can be used as the syst
systems and used as the basis for creating other policies.
%prep
# contrib modules
%setup -n serefpolicy-contrib-%{version} -q -b 1
%patch1000 -p1
%patch1001 -p1
%patch1002 -p1
%patch1003 -p1
%patch1004 -p1
%patch1005 -p1
%patch1006 -p1
%patch1007 -p1
%patch1008 -p1
%patch1009 -p1
%patch1010 -p1
%patch1011 -p1
%patch1012 -p1
%patch1013 -p1
%patch1014 -p1
# base policy
contrib_path=`pwd`
%setup -n serefpolicy-%{version} -q
cp COPYING ..
%patch0001 -p1
%patch0002 -p1
%patch0003 -p1
%patch0004 -p1
%patch0005 -p1
%patch0006 -p0
%patch0007 -p1
%patch0008 -p1
%patch0009 -p1
%patch0010 -p1
%patch0011 -p1
%patch0012 -p1
%patch0013 -p1
%patch0014 -p1
%patch0015 -p1
%patch0016 -p1
%patch0017 -p1
%patch0018 -p1
%patch0019 -p1
%patch0020 -p1
%patch0021 -p1
%patch0022 -p1
%patch0023 -p1
%patch0024 -p1
refpolicy_path=`pwd`
cp $contrib_path/* $refpolicy_path/policy/modules/contrib
# we use distro=redhat to get all the redhat modifications but we'll still need everything that is defined for suse
find "$refpolicy_path" -type f -print0 | xargs -0 sed -i -e 's/ifdef(`distro_suse/ifdef(`distro_redhat/g'
%setup -n refpolicy
%patch001 -p1
%patch002 -p1
%patch003 -p1
%patch004 -p1
%patch005 -p1
%patch007 -p1
%patch009 -p1
%patch012 -p1
%patch013 -p1
%patch021 -p1
%patch022 -p1
%patch023 -p1
%patch024 -p1
%patch025 -p1
%build
%install
mkdir selinux_config
for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE93} %{SOURCE94};do
for i in %{SOURCE10} %{SOURCE12} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE91} %{SOURCE92} %{SOURCE93} %{SOURCE94};do
cp $i selinux_config
done
tar zxvf selinux_config/config.tgz
@ -498,6 +422,7 @@ mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
%makeCmds minimum mcs n allow
%makeModulesConf targeted base contrib
%installCmds minimum mcs n allow
install -m0644 %{SOURCE13} %{buildroot}/usr/share/selinux/minimum/modules-minimum-disable.lst \
%modulesList minimum
%endif
@ -513,8 +438,8 @@ mkdir -p %{buildroot}%{_usr}/share/selinux/mls
# Install devel
mkdir -p %{buildroot}%{_mandir}
cp -R man/* %{buildroot}%{_mandir}
make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
mkdir %{buildroot}%{_usr}/share/selinux/devel/
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
chmod +x %{buildroot}%{_usr}/share/selinux/devel/include/support/segenxml.py
@ -565,14 +490,8 @@ SELinux policy development and man page package
%files devel
%defattr(-,root,root,-)
%{_mandir}/ru/man8/ftpd_selinux.8.gz
%{_mandir}/ru/man8/httpd_selinux.8.gz
%{_mandir}/ru/man8/kerberos_selinux.8.gz
%{_mandir}/ru/man8/named_selinux.8.gz
%{_mandir}/ru/man8/nfs_selinux.8.gz
%{_mandir}/ru/man8/rsync_selinux.8.gz
%{_mandir}/ru/man8/samba_selinux.8.gz
%{_mandir}/ru/man8/ypbind_selinux.8.gz
%doc /usr/share/man/ru/man8/*
%doc /usr/share/man/man8/*
%dir %{_usr}/share/selinux/devel
%dir %{_usr}/share/selinux/devel/include
%{_usr}/share/selinux/devel/include/*
@ -617,7 +536,6 @@ exit 0
%defattr(-,root,root,-)
%fileList targeted
%{_usr}/share/selinux/targeted/modules-base.lst
%{_usr}/share/selinux/targeted/modules-contrib.lst
%endif
%if %{BUILD_MINIMUM}
@ -625,7 +543,7 @@ exit 0
Summary: SELinux minimum base policy
Group: System/Management
Provides: selinux-policy-base = %{version}-%{release}
Requires(post): policycoreutils-python = %{POLICYCOREUTILSVER}
Requires(post): python3-policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
@ -641,34 +559,20 @@ if [ $1 -ne 1 ]; then
fi
%post minimum
contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
contribpackages=`cat /usr/share/selinux/minimum/modules-minimum-disable.lst`
if [ $1 -eq 1 ]; then
for p in $contribpackages; do
touch %{module_disabled minimum $p}
done
# this is temporarily needed to make minimum policy work without errors. Will be included
# into the proper places later on
for p in $basepackages plymouthd postfix apache dbus inetd kerberos mta nis nscd cron; do
rm -f %{module_disabled minimum $p}
done
# those are default anyway
# /usr/sbin/semanage -S minimum -i - << __eof
# login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
# login -m -s unconfined_u -r s0-s0:c0.c1023 root
# __eof
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
/usr/sbin/semodule -B -s minimum
for p in $contribpackages djbdns dkim getty geoclue lightsquid openca pyzor portage shibboleth yam portslave qemu xserver evolution thunderbird xscreensaver; do
touch %{module_disabled minimum $p}
done
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
/usr/sbin/semodule -B -s minimum
else
instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
for p in $contribpackages; do
touch %{module_disabled minimum $p}
done
for p in $instpackages apache dbus inetd kerberos mta nis; do
rm -f %{module_disabled minimum $p}
done
/usr/sbin/semodule -B -s minimum
%relabel minimum
instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
for p in $contribpackages djbdns dkim getty geoclue lightsquid openca pyzor portage shibboleth yam portslave qemu xserver evolution thunderbird xscreensaver; do
touch %{module_disabled minimum $p}
done
/usr/sbin/semodule -B -s minimum
%relabel minimum
fi
exit 0
@ -676,7 +580,7 @@ exit 0
%defattr(-,root,root,-)
%fileList minimum
%{_usr}/share/selinux/minimum/modules-base.lst
%{_usr}/share/selinux/minimum/modules-contrib.lst
/usr/share/selinux/minimum/modules-minimum-disable.lst
%endif
%if %{BUILD_MLS}
@ -685,9 +589,9 @@ Summary: SELinux mls base policy
Group: System/Management
Provides: selinux-policy-base = %{version}-%{release}
Obsoletes: selinux-policy-mls-sources < 2
Requires: policycoreutils-newrole = %{POLICYCOREUTILSVER}
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER}
Requires: setransd
Requires(pre): policycoreutils = %{POLICYCOREUTILSVER}
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
@ -704,10 +608,8 @@ SELinux Reference policy mls base module.
%files mls
%defattr(-,root,root,-)
%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
%fileList mls
%{_usr}/share/selinux/mls/modules-base.lst
%{_usr}/share/selinux/mls/modules-contrib.lst
%endif
%changelog

3
serefpolicy-20140730.tgz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ef950250ca524c822fff44677af9d061d77e09b02cba2ce6444fb057d35f0dae
size 318859

3
serefpolicy-contrib-20140730.tgz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a717a82690fc2f10de53241471112944cd99eedb1d4ffd05c7c8d6883cf31d11
size 467521

22
suse_modifications_apache.patch
View File

@ -1,12 +1,12 @@
Index: serefpolicy-contrib-20140730/apache.fc
Index: refpolicy/policy/modules/services/apache.fc
===================================================================
--- serefpolicy-contrib-20140730.orig/apache.fc
+++ serefpolicy-contrib-20140730/apache.fc
@@ -64,6 +64,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/start_apache2 -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/htcacheclean -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
--- refpolicy.orig/policy/modules/services/apache.fc 2018-11-27 13:33:30.059837794 +0100
+++ refpolicy/policy/modules/services/apache.fc 2018-11-27 13:34:07.964446972 +0100
@@ -84,6 +84,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
ifdef(`distro_suse',`
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/start_apache2 -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)

14
suse_modifications_authlogin.patch
View File

@ -1,14 +0,0 @@
Index: serefpolicy-20140730/policy/modules/system/authlogin.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/authlogin.te
+++ serefpolicy-20140730/policy/modules/system/authlogin.te
@@ -152,6 +152,9 @@ seutil_dontaudit_use_newrole_fds(chkpwd_
userdom_dontaudit_use_user_ttys(chkpwd_t)
+allow chkpwd_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(chkpwd_t)
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(chkpwd_t)

65
suse_modifications_cron.patch
View File

@ -1,21 +1,24 @@
Index: serefpolicy-contrib-20140730/cron.fc
Index: refpolicy/policy/modules/services/cron.fc
===================================================================
--- serefpolicy-contrib-20140730.orig/cron.fc 2015-08-13 10:13:01.320203530 +0200
+++ serefpolicy-contrib-20140730/cron.fc 2015-08-13 10:13:01.620208372 +0200
@@ -55,6 +55,8 @@ ifdef(`distro_suse', `
/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
--- refpolicy.orig/policy/modules/services/cron.fc 2018-11-27 13:46:40.344580166 +0100
+++ refpolicy/policy/modules/services/cron.fc 2018-11-27 13:47:44.725617173 +0100
@@ -68,7 +68,9 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_suse',`
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <<none>>
/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/tabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+/var/spool/cron/tabs/[^/]* -- gen_context(system_u:object_r:user_cron_spool_t,s0)
')
ifdef(`distro_debian',`
Index: serefpolicy-contrib-20140730/cron.te
Index: refpolicy/policy/modules/services/cron.te
===================================================================
--- serefpolicy-contrib-20140730.orig/cron.te 2015-08-13 10:13:01.320203530 +0200
+++ serefpolicy-contrib-20140730/cron.te 2015-08-13 10:13:01.620208372 +0200
@@ -841,3 +841,9 @@ tunable_policy(`cron_userdomain_transiti
--- refpolicy.orig/policy/modules/services/cron.te 2018-11-27 13:46:21.396274896 +0100
+++ refpolicy/policy/modules/services/cron.te 2018-11-27 13:46:40.344580166 +0100
@@ -761,3 +761,9 @@ tunable_policy(`cron_userdomain_transiti
optional_policy(`
unconfined_domain(unconfined_cronjob_t)
')
@ -25,33 +28,33 @@ Index: serefpolicy-contrib-20140730/cron.te
+ userdom_manage_user_home_dirs(crontab_t)
+ xserver_non_drawing_client(crontab_t)
+')
Index: serefpolicy-contrib-20140730/cron.if
Index: refpolicy/policy/modules/services/cron.if
===================================================================
--- serefpolicy-contrib-20140730.orig/cron.if 2015-08-13 10:13:01.320203530 +0200
+++ serefpolicy-contrib-20140730/cron.if 2015-08-13 10:14:06.153249993 +0200
@@ -158,7 +158,7 @@ interface(`cron_role',`
--- refpolicy.orig/policy/modules/services/cron.if 2018-11-27 13:46:40.344580166 +0100
+++ refpolicy/policy/modules/services/cron.if 2018-11-27 13:49:17.339129179 +0100
@@ -139,7 +139,7 @@ interface(`cron_role',`
#
interface(`cron_unconfined_role',`
gen_require(`
- type unconfined_cronjob_t, crontab_t, crontab_exec_t;
+ type unconfined_cronjob_t, admin_crontab_t, crontab_t, crontab_exec_t;
type crond_t, user_cron_spool_t;
bool cron_userdomain_transition;
type crond_t, user_cron_spool_t;
bool cron_userdomain_transition;
')
@@ -168,14 +168,14 @@ interface(`cron_unconfined_role',`
# Declarations
#
- role $1 types { unconfined_cronjob_t crontab_t };
+ role $1 types { unconfined_cronjob_t admin_crontab_t crontab_t };
@@ -149,14 +149,14 @@ interface(`cron_unconfined_role',`
# Declarations
#
##############################
#
# Local policy
#
- role $1 types { unconfined_cronjob_t crontab_t };
+ role $1 types { unconfined_cronjob_t admin_crontab_t crontab_t };
- domtrans_pattern($2, crontab_exec_t, crontab_t)
+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
##############################
#
# Local policy
#
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- domtrans_pattern($2, crontab_exec_t, crontab_t)
+ domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
allow $2 crond_t:process sigchld;

61
suse_modifications_dbus.patch
View File

@ -1,61 +0,0 @@
Index: serefpolicy-contrib-20140730/dbus.te
===================================================================
--- serefpolicy-contrib-20140730.orig/dbus.te 2015-07-21 16:39:25.588407411 +0200
+++ serefpolicy-contrib-20140730/dbus.te 2015-07-21 16:41:17.738197485 +0200
@@ -55,7 +55,7 @@ ifdef(`enable_mls',`
# dac_override: /var/run/dbus is owned by messagebus on Debian
# cjp: dac_override should probably go in a distro_debian
allow system_dbusd_t self:capability2 block_suspend;
-allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid ipc_lock};
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
@@ -87,6 +87,7 @@ kernel_read_kernel_sysctls(system_dbusd_
kernel_stream_connect(system_dbusd_t)
dev_read_urand(system_dbusd_t)
+dev_read_rand(system_dbusd_t)
dev_read_sysfs(system_dbusd_t)
dev_rw_inherited_input_dev(system_dbusd_t)
@@ -154,6 +155,8 @@ userdom_dontaudit_search_user_home_dirs(
userdom_home_reader(system_dbusd_t)
+allow system_dbusd_t var_run_t:sock_file write;
+
optional_policy(`
bind_domtrans(system_dbusd_t)
')
Index: serefpolicy-contrib-20140730/dbus.if
===================================================================
--- serefpolicy-contrib-20140730.orig/dbus.if 2015-07-21 16:39:25.588407411 +0200
+++ serefpolicy-contrib-20140730/dbus.if 2015-07-21 16:39:28.964461299 +0200
@@ -111,6 +111,26 @@ template(`dbus_role_template',`
logging_send_syslog_msg($1_dbusd_t)
+ ifdef(`distro_suse',`
+ gen_require(`
+ type config_home_t, xdm_var_run_t;
+ ')
+ allow $1_dbusd_t self:unix_stream_socket connectto;
+
+ # is this firefox mislabeled?
+ #allow $1_dbusd_t lib_t:file execute_no_trans;
+ allow $1_dbusd_t config_home_t:file { rename unlink create read write getattr };
+ allow $1_dbusd_t xdm_var_run_t:file { getattr open read };
+
+ allow $1_dbusd_t $1_t:dbus send_msg;
+
+ auth_login_pgm_domain($1_dbusd_t)
+ xserver_non_drawing_client($1_dbusd_t)
+ gnome_manage_home_config_dirs($1_dbusd_t)
+ gnome_delete_home_config_dirs($1_dbusd_t)
+ corenet_tcp_connect_xserver_port($1_dbusd_t)
+ ')
+
optional_policy(`
mozilla_domtrans_spec($1_dbusd_t, $1_t)
')

10
suse_modifications_getty.patch
View File

@ -1,10 +1,10 @@
Index: serefpolicy-20140730/policy/modules/system/getty.te
Index: refpolicy/policy/modules/system/getty.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/getty.te
+++ serefpolicy-20140730/policy/modules/system/getty.te
@@ -109,6 +109,10 @@ locallogin_domtrans(getty_t)
logging_send_syslog_msg(getty_t)
--- refpolicy.orig/policy/modules/system/getty.te 2017-08-07 00:45:21.000000000 +0200
+++ refpolicy/policy/modules/system/getty.te 2018-11-27 14:50:03.798977971 +0100
@@ -91,6 +91,10 @@ logging_send_syslog_msg(getty_t)
miscfiles_read_localization(getty_t)
+allow getty_t var_run_t:sock_file write;
+plymouthd_exec_plymouth(getty_t)

10
suse_modifications_glusterfs.patch
View File

@ -1,10 +0,0 @@
Index: serefpolicy-contrib-20140730/glusterd.te
===================================================================
--- serefpolicy-contrib-20140730.orig/glusterd.te 2017-12-11 17:38:13.448089663 +0100
+++ serefpolicy-contrib-20140730/glusterd.te 2017-12-11 17:38:52.960730655 +0100
@@ -1,4 +1,4 @@
-policy_module(glusterfs, 1.1.2)
+policy_module(glusterd, 1.1.2)
## <desc>
## <p>

65
suse_modifications_ipsec.patch
View File

@ -1,65 +0,0 @@
Index: serefpolicy-20140730/policy/modules/system/ipsec.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/ipsec.te 2015-08-10 12:55:56.098645940 +0200
+++ serefpolicy-20140730/policy/modules/system/ipsec.te 2015-08-10 14:32:28.542764339 +0200
@@ -209,14 +209,18 @@ optional_policy(`
# ipsec_mgmt Local policy
#
-allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace };
+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin net_raw setpcap sys_nice sys_ptrace };
dontaudit ipsec_mgmt_t self:capability sys_tty_config;
-allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
+allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal setcap };
allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket create_socket_perms;
allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
+allow ipsec_mgmt_t self:netlink_route_socket nlmsg_write;
+allow ipsec_mgmt_t self:packet_socket { setopt create read write };
+allow ipsec_mgmt_t self:socket { bind create read write };
+allow ipsec_mgmt_t self:netlink_xfrm_socket { nlmsg_write write read bind create };
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
@@ -231,6 +235,8 @@ logging_log_filetrans(ipsec_mgmt_t, ipse
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
filetrans_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_mgmt_var_run_t, file)
+# temporary fix until the rules above work
+allow ipsec_mgmt_t var_run_t:sock_file { write unlink };
manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
@@ -269,6 +275,7 @@ kernel_read_software_raid_state(ipsec_mg
kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
+kernel_request_load_module(ipsec_mgmt_t)
domain_dontaudit_getattr_all_sockets(ipsec_mgmt_t)
domain_dontaudit_getattr_all_pipes(ipsec_mgmt_t)
@@ -290,6 +297,10 @@ corecmd_exec_bin(ipsec_mgmt_t)
corecmd_exec_shell(ipsec_mgmt_t)
corenet_tcp_connect_rndc_port(ipsec_mgmt_t)
+corenet_udp_bind_dhcpc_port(ipsec_mgmt_t)
+corenet_udp_bind_isakmp_port(ipsec_mgmt_t)
+corenet_udp_bind_generic_node(ipsec_mgmt_t)
+corenet_udp_bind_ipsecnat_port(ipsec_mgmt_t)
dev_read_rand(ipsec_mgmt_t)
dev_read_urand(ipsec_mgmt_t)
@@ -297,10 +308,7 @@ dev_read_urand(ipsec_mgmt_t)
domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
-# suppress audit messages about unnecessary socket access
-# cjp: this seems excessive
-domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
+# domain_dontaudit_rw_all_key_sockets(ipsec_mgmt_t)
files_read_etc_files(ipsec_mgmt_t)
files_exec_etc_files(ipsec_mgmt_t)

12
suse_modifications_logging.patch
View File

@ -1,10 +1,10 @@
Index: serefpolicy-20140730/policy/modules/system/logging.te
Index: refpolicy/policy/modules/system/logging.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/logging.te
+++ serefpolicy-20140730/policy/modules/system/logging.te
@@ -565,6 +565,9 @@ userdom_dontaudit_use_unpriv_user_fds(sy
userdom_search_user_home_dirs(syslogd_t)
userdom_rw_inherited_user_tmp_files(syslogd_t)
--- refpolicy.orig/policy/modules/system/logging.te 2018-07-01 17:02:31.000000000 +0200
+++ refpolicy/policy/modules/system/logging.te 2018-11-27 14:51:58.508861896 +0100
@@ -554,6 +554,9 @@ ifdef(`init_systemd',`
udev_read_pid_files(syslogd_t)
')
+allow syslogd_t var_run_t:file { read getattr open };
+allow syslogd_t var_run_t:sock_file write;

72
suse_modifications_ntp.patch
View File

@ -1,56 +1,11 @@
Index: serefpolicy-contrib-20140730/ntp.fc
Index: refpolicy/policy/modules/services/ntp.fc
===================================================================
--- serefpolicy-contrib-20140730.orig/ntp.fc
+++ serefpolicy-contrib-20140730/ntp.fc
@@ -1,25 +1,36 @@
/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-
-/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
-
-/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-
-/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
-
-/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-
-/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
-/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
-
-/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
+/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
+
+/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+
+/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/start-ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
+
+/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
+
+/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+
+/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
+/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+
+/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
--- refpolicy.orig/policy/modules/services/ntp.fc 2018-11-27 14:54:54.495739330 +0100
+++ refpolicy/policy/modules/services/ntp.fc 2018-11-27 14:55:32.792361276 +0100
@@ -37,3 +37,13 @@
/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
+
+# SUSE chroot
+/var/lib/ntp/etc/ntpd?.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
@ -61,16 +16,3 @@ Index: serefpolicy-contrib-20140730/ntp.fc
+/var/lib/ntp/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntp/var/run/ntp(/.*)? gen_context(system_u:object_r:ntpd_var_run_t,s0)
Index: serefpolicy-contrib-20140730/ntp.te
===================================================================
--- serefpolicy-contrib-20140730.orig/ntp.te
+++ serefpolicy-contrib-20140730/ntp.te
@@ -76,7 +76,7 @@ manage_files_pattern(ntpd_t, ntpd_tmpfs_
fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
+files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file lnk_file } )
can_exec(ntpd_t, ntpd_exec_t)

10
suse_modifications_passenger.patch
View File

@ -1,10 +0,0 @@
Index: serefpolicy-contrib-20140730/passenger.te
===================================================================
--- serefpolicy-contrib-20140730.orig/passenger.te 2017-12-11 17:38:13.276086872 +0100
+++ serefpolicy-contrib-20140730/passenger.te 2017-12-11 17:42:24.592161419 +0100
@@ -1,4 +1,4 @@
-policy_module(passanger, 1.1.1)
+policy_module(passenger, 1.1.1)
########################################
#

14
suse_modifications_policykit.patch
View File

@ -1,14 +0,0 @@
Index: serefpolicy-contrib-20140730/policykit.te
===================================================================
--- serefpolicy-contrib-20140730.orig/policykit.te
+++ serefpolicy-contrib-20140730/policykit.te
@@ -94,6 +94,9 @@ userdom_getattr_all_users(policykit_t)
userdom_read_all_users_state(policykit_t)
userdom_dontaudit_search_admin_dir(policykit_t)
+allow policykit_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(policykit_t)
+
optional_policy(`
dbus_system_domain(policykit_t, policykit_exec_t)

49
suse_modifications_postfix.patch
View File

@ -1,49 +0,0 @@
Index: serefpolicy-contrib-20140730/postfix.te
===================================================================
--- serefpolicy-contrib-20140730.orig/postfix.te
+++ serefpolicy-contrib-20140730/postfix.te
@@ -132,6 +132,9 @@ allow postfix_master_t postfix_map_exec_
allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
+allow postfix_master_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(postfix_master_t)
+
manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
Index: serefpolicy-contrib-20140730/postfix.fc
===================================================================
--- serefpolicy-contrib-20140730.orig/postfix.fc
+++ serefpolicy-contrib-20140730/postfix.fc
@@ -1,22 +1,6 @@
# postfix
/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
-ifdef(`distro_redhat', `
-/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
-', `
/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
@@ -30,7 +14,6 @@ ifdef(`distro_redhat', `
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-')
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)

14
suse_modifications_rtkit.patch
View File

@ -1,14 +0,0 @@
Index: serefpolicy-contrib-20140730/rtkit.te
===================================================================
--- serefpolicy-contrib-20140730.orig/rtkit.te
+++ serefpolicy-contrib-20140730/rtkit.te
@@ -20,6 +20,9 @@ init_script_file(rtkit_daemon_initrc_exe
allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
+allow rtkit_daemon_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(rtkit_daemon_t)
+
kernel_read_system_state(rtkit_daemon_t)
domain_getsched_all_domains(rtkit_daemon_t)

13
suse_modifications_selinuxutil.patch
View File

@ -1,13 +0,0 @@
Index: serefpolicy-20140730/policy/modules/system/selinuxutil.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/selinuxutil.te
+++ serefpolicy-20140730/policy/modules/system/selinuxutil.te
@@ -337,6 +337,8 @@ optional_policy(`
xserver_dontaudit_exec_xauth(newrole_t)
')
+allow restorecond_t var_run_t:sock_file write;
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(newrole_t)

43
suse_modifications_ssh.patch
View File

@ -1,43 +0,0 @@
Index: serefpolicy-20140730/policy/modules/services/ssh.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/services/ssh.te
+++ serefpolicy-20140730/policy/modules/services/ssh.te
@@ -27,6 +27,16 @@ gen_tunable(ssh_sysadm_login, false)
## </desc>
gen_tunable(ssh_chroot_rw_homedirs, false)
+## <desc>
+## <p>
+## Allow sshd to forward port connections. This should work
+## out-of-the-box according to 11b328b4cfa484d55db01a0f127cbc94fa776f48
+## but it doesn't
+## </p>
+## </desc>
+##
+gen_tunable(sshd_forward_ports, false)
+
attribute ssh_dyntransition_domain;
attribute ssh_server;
attribute ssh_agent_type;
@@ -291,6 +301,11 @@ corenet_tcp_bind_xserver_port(sshd_t)
corenet_tcp_bind_vnc_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
+tunable_policy(`sshd_forward_ports',`
+ corenet_tcp_bind_all_unreserved_ports(sshd_t)
+ corenet_tcp_connect_all_ports(sshd_t)
+')
+
auth_exec_login_program(sshd_t)
userdom_read_user_home_content_files(sshd_t)
@@ -300,6 +315,9 @@ userdom_spec_domtrans_unpriv_users(sshd_
userdom_signal_unpriv_users(sshd_t)
userdom_dyntransition_unpriv_users(sshd_t)
+allow sshd_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(sshd_t)
+
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to

23
suse_modifications_staff.patch
View File

@ -1,23 +0,0 @@
Index: serefpolicy-20140730/policy/modules/roles/staff.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/roles/staff.te 2015-05-20 15:15:49.646097573 +0200
+++ serefpolicy-20140730/policy/modules/roles/staff.te 2015-05-20 15:59:47.483684401 +0200
@@ -388,18 +388,3 @@ ifndef(`distro_redhat',`
tunable_policy(`selinuxuser_execmod',`
userdom_execmod_user_home_files(staff_t)
')
-
-optional_policy(`
- virt_transition_svirt(staff_t, staff_r)
- virt_filetrans_home_content(staff_t)
-')
-
-optional_policy(`
- tunable_policy(`staff_use_svirt',`
- allow staff_t self:fifo_file relabelfrom;
- dev_rw_kvm(staff_t)
- virt_manage_images(staff_t)
- virt_stream_connect_svirt(staff_t)
- virt_exec(staff_t)
- ')
-')

10
suse_modifications_stapserver.patch
View File

@ -1,10 +0,0 @@
Index: serefpolicy-contrib-20140730/stapserver.te
===================================================================
--- serefpolicy-contrib-20140730.orig/stapserver.te 2017-12-11 17:38:13.312087456 +0100
+++ serefpolicy-contrib-20140730/stapserver.te 2017-12-11 17:46:03.915729618 +0100
@@ -1,4 +1,4 @@
-policy_module(systemtap, 1.1.0)
+policy_module(stapserver, 1.1.0)
########################################
#

40
suse_modifications_systemd.patch
View File

@ -1,40 +0,0 @@
Index: serefpolicy-20140730/policy/modules/system/systemd.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/systemd.te 2015-06-24 14:42:23.931790867 +0200
+++ serefpolicy-20140730/policy/modules/system/systemd.te 2015-06-24 15:34:50.677937166 +0200
@@ -189,6 +189,9 @@ userdom_manage_tmpfs_role(system_r, syst
xserver_dbus_chat(systemd_logind_t)
+allow systemd_logind_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(systemd_logind_t)
+
optional_policy(`
apache_read_tmp_files(systemd_logind_t)
')
@@ -528,9 +531,14 @@ allow systemd_hostnamed_t self:unix_stre
allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms;
manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
+manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "hostname" )
files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "machine-info" )
+# since we have unpredictable filenames for the link file we can't use a named transition
+create_lnk_files_pattern( systemd_hostnamed_t, etc_t, etc_t )
+delete_lnk_files_pattern( systemd_hostnamed_t, etc_t, etc_t )
+rename_lnk_files_pattern( systemd_hostnamed_t, etc_t, etc_t )
kernel_dgram_send(systemd_hostnamed_t)
@@ -608,6 +616,10 @@ optional_policy(`
')
optional_policy(`
+ unconfined_dbus_send(systemd_timedated_t)
+')
+
+optional_policy(`
gnome_manage_usr_config(systemd_timedated_t)
gnome_manage_home_config(systemd_timedated_t)
gnome_manage_home_config_dirs(systemd_timedated_t)

15
suse_modifications_unconfined.patch
View File

@ -1,15 +0,0 @@
Index: serefpolicy-20140730/policy/modules/system/unconfined.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/unconfined.te
+++ serefpolicy-20140730/policy/modules/system/unconfined.te
@@ -15,6 +15,10 @@ unconfined_domain(unconfined_service_t)
corecmd_bin_entry_type(unconfined_service_t)
corecmd_shell_entry_type(unconfined_service_t)
+systemd_dbus_chat_localed(unconfined_service_t)
+systemd_dbus_chat_logind(unconfined_service_t)
+unconfined_shell_domtrans(unconfined_service_t)
+
optional_policy(`
rpm_transition_script(unconfined_service_t, system_r)
')

16
suse_modifications_unconfineduser.patch
View File

@ -1,16 +0,0 @@
Index: serefpolicy-20140730/policy/modules/roles/unconfineduser.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/roles/unconfineduser.te
+++ serefpolicy-20140730/policy/modules/roles/unconfineduser.te
@@ -79,6 +79,11 @@ domain_transition_all(unconfined_t)
usermanage_run_passwd(unconfined_t, unconfined_r)
+# FIXME SUSE
+#allow unconfined_t systemd_systemctl_exec_t:file entrypoint;
+allow unconfined_t init_exec_t:file entrypoint;
+allow init_t unconfined_t:process transition;
+
tunable_policy(`deny_execmem',`',`
allow unconfined_t self:process execmem;
')

26
suse_modifications_unprivuser.patch
View File

@ -1,26 +0,0 @@
Index: serefpolicy-20140730/policy/modules/roles/unprivuser.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/roles/unprivuser.te 2015-05-20 15:15:49.646097573 +0200
+++ serefpolicy-20140730/policy/modules/roles/unprivuser.te 2015-05-20 16:00:16.212137319 +0200
@@ -259,17 +259,12 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- vmtools_run_helper(user_t, user_r)
+ vmtools_run_helper(user_t, user_r)
')
-optional_policy(`
- virt_transition_svirt(user_t, user_r)
- virt_filetrans_home_content(user_t)
+ifdef(`distro_suse',`
+ xserver_xsession_entry_type(user_t)
+ dbus_system_bus_client(user_t)
')
-optional_policy(`
- tunable_policy(`unprivuser_use_svirt',`
- virt_manage_images(user_t)
- ')
-')

18
suse_modifications_usermanage.patch
View File

@ -1,8 +1,8 @@
Index: serefpolicy-20140730/policy/modules/admin/usermanage.te
Index: refpolicy/policy/modules/admin/usermanage.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/admin/usermanage.te
+++ serefpolicy-20140730/policy/modules/admin/usermanage.te
@@ -274,6 +274,9 @@ userdom_use_unpriv_users_fds(groupadd_t)
--- refpolicy.orig/policy/modules/admin/usermanage.te 2018-02-15 22:52:31.000000000 +0100
+++ refpolicy/policy/modules/admin/usermanage.te 2018-11-27 15:03:05.555740143 +0100
@@ -251,6 +251,9 @@ userdom_use_unpriv_users_fds(groupadd_t)
# for when /root is the cwd
userdom_dontaudit_search_user_home_dirs(groupadd_t)
@ -12,13 +12,13 @@ Index: serefpolicy-20140730/policy/modules/admin/usermanage.te
optional_policy(`
dpkg_use_fds(groupadd_t)
dpkg_rw_pipes(groupadd_t)
@@ -572,6 +575,9 @@ userdom_home_filetrans_user_home_dir(use
userdom_manage_home_role(system_r, useradd_t)
userdom_delete_all_user_home_content(useradd_t)
@@ -550,6 +553,9 @@ optional_policy(`
puppet_rw_tmp(useradd_t)
')
+allow useradd_t var_run_t:sock_file write;
+selinux_compute_access_vector(useradd_t)
+
optional_policy(`
mta_manage_spool(useradd_t)
')
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)

14
suse_modifications_virt.patch
View File

@ -1,13 +1,13 @@
Index: serefpolicy-contrib-20140730/virt.te
Index: refpolicy/policy/modules/services/virt.te
===================================================================
--- serefpolicy-contrib-20140730.orig/virt.te
+++ serefpolicy-contrib-20140730/virt.te
@@ -280,6 +280,8 @@ corenet_udp_bind_all_ports(svirt_t)
corenet_tcp_bind_all_ports(svirt_t)
corenet_tcp_connect_all_ports(svirt_t)
--- refpolicy.orig/policy/modules/services/virt.te 2018-07-01 17:02:32.000000000 +0200
+++ refpolicy/policy/modules/services/virt.te 2018-11-27 15:03:42.792334942 +0100
@@ -1235,6 +1235,8 @@ optional_policy(`
rpm_read_db(svirt_lxc_net_t)
')
+allow svirt_t qemu_exec_t:file execmod;
+
#######################################
#
# svirt_prot_exec local policy
# Prot exec local policy

32
suse_modifications_xserver.patch
View File

@ -1,24 +1,24 @@
Index: serefpolicy-20140730/policy/modules/services/xserver.fc
Index: refpolicy/policy/modules/services/xserver.fc
===================================================================
--- serefpolicy-20140730.orig/policy/modules/services/xserver.fc
+++ serefpolicy-20140730/policy/modules/services/xserver.fc
@@ -97,6 +97,9 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
/usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
--- refpolicy.orig/policy/modules/services/xserver.fc 2018-06-25 01:11:14.000000000 +0200
+++ refpolicy/policy/modules/services/xserver.fc 2018-11-27 15:03:58.228581598 +0100
@@ -76,6 +76,9 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
+#/usr/lib/gdm/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/X11/display-manager -- gen_context(system_u:object_r:xdm_exec_t,s0)
+
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
Index: serefpolicy-20140730/policy/modules/services/xserver.te
/usr/lib/xorg/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
/usr/lib/xorg/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0)
Index: refpolicy/policy/modules/services/xserver.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/services/xserver.te
+++ serefpolicy-20140730/policy/modules/services/xserver.te
@@ -810,6 +810,17 @@ ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
--- refpolicy.orig/policy/modules/services/xserver.te 2018-07-01 17:02:32.000000000 +0200
+++ refpolicy/policy/modules/services/xserver.te 2018-11-27 15:03:58.228581598 +0100
@@ -893,6 +893,17 @@ corenet_tcp_bind_vnc_port(xserver_t)
init_use_fds(xserver_t)
+ifndef(`distro_suse',`
+ # this is a neverallow, maybe dontaudit it
@ -32,5 +32,5 @@ Index: serefpolicy-20140730/policy/modules/services/xserver.te
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_exec_nfs_files(xdm_t)
')
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)

36
sysconfig_network_scripts.patch
View File

@ -1,8 +1,8 @@
Index: serefpolicy-20140730/policy/modules/system/sysnetwork.fc
Index: refpolicy/policy/modules/system/sysnetwork.fc
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/sysnetwork.fc 2015-07-21 16:52:51.913277147 +0200
+++ serefpolicy-20140730/policy/modules/system/sysnetwork.fc 2015-07-21 16:52:55.461333779 +0200
@@ -11,6 +11,15 @@ ifdef(`distro_debian',`
--- refpolicy.orig/policy/modules/system/sysnetwork.fc 2018-11-27 16:09:33.159358187 +0100
+++ refpolicy/policy/modules/system/sysnetwork.fc 2018-11-27 16:09:36.851417892 +0100
@@ -6,6 +6,15 @@ ifdef(`distro_debian',`
/dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')
@ -18,8 +18,8 @@ Index: serefpolicy-20140730/policy/modules/system/sysnetwork.fc
#
# /etc
#
@@ -37,6 +46,10 @@ ifdef(`distro_redhat',`
/var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
@@ -33,6 +42,10 @@ ifdef(`distro_redhat',`
/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')
+/etc/sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
@ -27,23 +27,23 @@ Index: serefpolicy-20140730/policy/modules/system/sysnetwork.fc
+/etc/sysconfig/scripts/.* gen_context(system_u:object_r:bin_t,s0)
+
#
# /sbin
# /usr
#
Index: serefpolicy-20140730/policy/modules/system/sysnetwork.te
Index: refpolicy/policy/modules/system/sysnetwork.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/sysnetwork.te 2015-07-21 16:52:51.913277147 +0200
+++ serefpolicy-20140730/policy/modules/system/sysnetwork.te 2015-07-21 16:54:15.998619244 +0200
@@ -60,7 +60,8 @@ ifdef(`distro_debian',`
--- refpolicy.orig/policy/modules/system/sysnetwork.te 2018-11-27 16:09:33.163358252 +0100
+++ refpolicy/policy/modules/system/sysnetwork.te 2018-11-27 16:10:36.920389270 +0100
@@ -47,7 +47,8 @@ ifdef(`distro_debian',`
#
# DHCP client local policy
#
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config };
+# need sys_admin to set hostname/domainname
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config sys_admin ipc_lock };
dontaudit dhcpc_t self:capability sys_tty_config;
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config sys_admin };
dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
@@ -95,6 +96,12 @@ allow dhcpc_t net_conf_t:file relabel_fi
@@ -79,6 +80,12 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_r
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
@ -56,10 +56,10 @@ Index: serefpolicy-20140730/policy/modules/system/sysnetwork.te
# create temp files
manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
Index: serefpolicy-20140730/policy/modules/kernel/devices.fc
Index: refpolicy/policy/modules/kernel/devices.fc
===================================================================
--- serefpolicy-20140730.orig/policy/modules/kernel/devices.fc 2015-07-21 16:52:51.913277147 +0200
+++ serefpolicy-20140730/policy/modules/kernel/devices.fc 2015-07-21 16:52:55.461333779 +0200
--- refpolicy.orig/policy/modules/kernel/devices.fc 2018-11-27 16:09:33.163358252 +0100
+++ refpolicy/policy/modules/kernel/devices.fc 2018-11-27 16:09:36.851417892 +0100
@@ -2,6 +2,7 @@
/dev -d gen_context(system_u:object_r:device_t,s0)
/dev/.* gen_context(system_u:object_r:device_t,s0)

43
systemd-tmpfiles.patch
View File

@ -1,43 +0,0 @@
Index: serefpolicy-20140730/policy/modules/system/systemd.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/systemd.te
+++ serefpolicy-20140730/policy/modules/system/systemd.te
@@ -320,6 +320,11 @@ dev_read_cpu_online(systemd_tmpfiles_t)
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
dev_relabel_all_dev_nodes(systemd_tmpfiles_t)
+# allow tmpfiles to create files/dirs in /dev
+systemd_tmpfiles_xconsole_create(systemd_tmpfiles_t)
+dev_getattr_autofs_dev(systemd_tmpfiles_t);
+dev_getattr_lvm_control(systemd_tmpfiles_t);
+dev_create_generic_dirs(systemd_tmpfiles_t);
domain_obj_id_change_exemption(systemd_tmpfiles_t)
# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
Index: serefpolicy-20140730/policy/modules/system/systemd.if
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/systemd.if
+++ serefpolicy-20140730/policy/modules/system/systemd.if
@@ -1458,3 +1458,22 @@ interface(`systemd_dontaudit_dbus_chat',
dontaudit $1 systemd_domain:dbus send_msg;
')
+
+########################################
+## <summary>
+## Allow systemd-tmpfiles to create xconsole_device_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_tmpfiles_xconsole_create',`
+ gen_require(`
+ type device_t, xconsole_device_t;
+ ')
+
+ create_fifo_files_pattern($1, device_t, xconsole_device_t);
+')
+

13
type_transition_contrib.patch
View File

@ -1,13 +0,0 @@
Index: serefpolicy-contrib-20140730/glusterd.te
===================================================================
--- serefpolicy-contrib-20140730.orig/glusterd.te
+++ serefpolicy-contrib-20140730/glusterd.te
@@ -68,7 +68,7 @@ allow glusterd_t self:unix_stream_socket
manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
-files_etc_filetrans(glusterd_t, glusterd_conf_t, { dir file }, "glusterfs")
+files_etc_filetrans(glusterd_t, glusterd_conf_t, file, "glusterfs")
manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)

24
type_transition_file_class.patch
View File

@ -1,24 +0,0 @@
Index: serefpolicy-20140730/policy/modules/system/miscfiles.if
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/miscfiles.if
+++ serefpolicy-20140730/policy/modules/system/miscfiles.if
@@ -896,7 +896,8 @@ interface(`miscfiles_etc_filetrans_local
')
files_etc_filetrans($1, locale_t, lnk_file)
- files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )
+ files_etc_filetrans($1, locale_t, file, "localtime" )
+ files_etc_filetrans($1, locale_t, lnk_file, "localtime" )
files_etc_filetrans($1, locale_t, file, "locale.conf" )
files_etc_filetrans($1, locale_t, file, "timezone" )
files_etc_filetrans($1, locale_t, file, "vconsole.conf" )
@@ -938,7 +939,8 @@ interface(`miscfiles_filetrans_locale_na
type locale_t;
')
- files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime")
+ files_etc_filetrans($1, locale_t, file, "localtime")
+ files_etc_filetrans($1, locale_t, lnk_file, "localtime")
files_etc_filetrans($1, locale_t, file, "locale.conf")
files_etc_filetrans($1, locale_t, file, "vconsole.conf")
files_etc_filetrans($1, locale_t, file, "locale.conf.new")

12
useradd-netlink_selinux_socket.patch
View File

@ -1,12 +0,0 @@
Index: serefpolicy-20140730/policy/modules/admin/usermanage.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/admin/usermanage.te
+++ serefpolicy-20140730/policy/modules/admin/usermanage.te
@@ -497,6 +497,7 @@ allow useradd_t self:unix_dgram_socket c
allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
+allow useradd_t self:netlink_selinux_socket create_socket_perms;
manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)

9
users-minimum
View File

@ -27,12 +27,3 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

9
users-mls
View File

@ -27,12 +27,3 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

9
users-targeted
View File

@ -27,12 +27,3 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

231
xconsole.patch
View File

@ -1,231 +0,0 @@
Basically, /dev/xconsole is a FIFO written to by syslog, and often is
present even when there is no X. Therefore, this should go into the
logging policy.
Patch attached.
best regards,
Erich Schubert
--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_
Nothing prevents happiness like the memory of happiness. --- A. Gide //\
Die einzige Hoffnung auf Freude liegt in den menschlichen V_/_
Beziehungen. --- Antoine de Saint-Exupéry
["xconsole" (xconsole)]
Index: policy/modules/services/xserver.te
===================================================================
--- policy/modules/services/xserver.te.orig
+++ policy/modules/services/xserver.te
@@ -189,13 +189,6 @@ typealias xauth_tmp_t alias { xguest_xau
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
userdom_user_tmp_file(xauth_tmp_t)
-# this is not actually a device, its a pipe
-type xconsole_device_t;
-files_type(xconsole_device_t)
-dev_associate(xconsole_device_t)
-fs_associate_tmpfs(xconsole_device_t)
-files_associate_tmp(xconsole_device_t)
-
type xdm_unconfined_exec_t;
application_executable_file(xdm_unconfined_exec_t)
@@ -437,7 +430,6 @@ allow xdm_t self:dbus { send_msg acquire
allow xdm_t xauth_home_t:file manage_file_perms;
-allow xdm_t xconsole_device_t:fifo_file { getattr_fifo_file_perms setattr_fifo_file_perms };
manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
@@ -663,6 +655,10 @@ libs_exec_lib_files(xdm_t)
libs_exec_ldconfig(xdm_t)
logging_read_generic_logs(xdm_t)
+logging_setattr_xconsole_pipes(xdm_t)
+
+# allow relabel of /dev/xconsole
+dev_associate(xconsole_device_t)
miscfiles_search_man_pages(xdm_t)
miscfiles_read_fonts(xdm_t)
Index: policy/modules/services/xserver.fc
===================================================================
--- policy/modules/services/xserver.fc.orig
+++ policy/modules/services/xserver.fc
@@ -33,11 +33,6 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
/root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
#
-# /dev
-#
-/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)
-
-#
# /etc
#
/etc/gdm(3)?/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
Index: policy/modules/system/logging.te
===================================================================
--- policy/modules/system/logging.te.orig
+++ policy/modules/system/logging.te
@@ -110,6 +110,12 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
')
+# this is not actually a device, its a pipe
+type xconsole_device_t;
+files_type(xconsole_device_t)
+fs_associate_tmpfs(xconsole_device_t)
+files_associate_tmp(xconsole_device_t)
+
########################################
#
# Auditctl local policy
@@ -173,6 +179,9 @@ manage_files_pattern(auditd_t, auditd_va
manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
+# log to xconsole
+allow syslogd_t xconsole_device_t:fifo_file rw_file_perms;
+
kernel_read_kernel_sysctls(auditd_t)
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
@@ -631,11 +640,6 @@ optional_policy(`
udev_read_db(syslogd_t)
')
-optional_policy(`
- # log to the xconsole
- xserver_rw_console(syslogd_t)
-')
-
#####################################################
#
# syslog client rules
Index: policy/modules/system/logging.if
===================================================================
--- policy/modules/system/logging.if.orig
+++ policy/modules/system/logging.if
@@ -1431,3 +1431,40 @@ interface(`logging_filetrans_named_conte
logging_log_filetrans($1, var_log_t, dir, "anaconda")
')
+
+########################################
+## <summary>
+## Set the attributes of the xconsole named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_setattr_xconsole_pipes',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file setattr;
+')
+
+########################################
+## <summary>
+## Read the xconsole named pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_r_xconsole',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file { getattr read };
+')
+
Index: policy/modules/system/init.te
===================================================================
--- policy/modules/system/init.te.orig
+++ policy/modules/system/init.te
@@ -797,6 +797,7 @@ logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
+logging_setattr_xconsole_pipes(initrc_t)
# slapd needs to read cert files from its initscript
miscfiles_manage_generic_cert_files(initrc_t)
@@ -1453,9 +1454,6 @@ optional_policy(`
')
optional_policy(`
- # Set device ownerships/modes.
- xserver_setattr_console_pipes(initrc_t)
-
# init script wants to check if it needs to update windowmanagerlist
xserver_read_xdm_rw_config(initrc_t)
')
Index: policy/modules/system/logging.fc
===================================================================
--- policy/modules/system/logging.fc.orig
+++ policy/modules/system/logging.fc
@@ -1,4 +1,5 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
Index: policy/modules/services/xserver.if
===================================================================
--- policy/modules/services/xserver.if.orig
+++ policy/modules/services/xserver.if
@@ -635,42 +635,6 @@ interface(`xserver_manage_user_xauth',`
########################################
## <summary>
-## Set the attributes of the X windows console named pipes.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xserver_setattr_console_pipes',`
- gen_require(`
- type xconsole_device_t;
- ')
-
- allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms;
-')
-
-########################################
-## <summary>
-## Read and write the X windows console named pipe.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`xserver_rw_console',`
- gen_require(`
- type xconsole_device_t;
- ')
-
- allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms;
-')
-
-########################################
-## <summary>
## Read XDM state files.
## </summary>
## <param name="domain">