From 0bda3469f423e014d457502fd8e686417efbd6cd37bfb62b0d17038553474452 Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Fri, 23 Apr 2021 11:50:03 +0000
Subject: [PATCH 1/3] Accepting request 888009 from home:jsegitz:branches:security:SELinux - Transition unconfined users to ldconfig type (bsc#1183121). Extended fix_unconfineduser.patch
OBS-URL: https://build.opensuse.org/request/show/888009
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=101
---
 fix_unconfineduser.patch | 17 ++++++++++++++---
 selinux-policy.changes | 6 ++++++
 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch
index 2ab2e84..55b9dda 100644
--- a/fix_unconfineduser.patch
+++ b/fix_unconfineduser.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20210309/policy/modules/roles/unconfineduser.te
+Index: fedora-policy-20210419/policy/modules/roles/unconfineduser.te
 ===================================================================
---- fedora-policy-20210309.orig/policy/modules/roles/unconfineduser.te
-+++ fedora-policy-20210309/policy/modules/roles/unconfineduser.te
+--- fedora-policy-20210419.orig/policy/modules/roles/unconfineduser.te
++++ fedora-policy-20210419/policy/modules/roles/unconfineduser.te
 @@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all'
 domain_dyntrans(unconfined_t)
 ')
@@ -44,3 +44,14 @@ Index: fedora-policy-20210309/policy/modules/roles/unconfineduser.te
 bluetooth_dbus_chat(unconfined_t)
 ')
+@@ -311,6 +332,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ libs_run_ldconfig(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
+ firstboot_run(unconfined_t, unconfined_r)
+ ')
+
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 248ee11..29065f1 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
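Review bot: The `optional_policy` block added by the inner hunk `@@ -311,6 +332,10 @@` (second hunk of fix_unconfineduser.patch) has no comment saying why `unconfined_t` should leave its domain when it runs ldconfig, so the reason is recorded only in the changelog. I would put a line above the call, for example `# bsc#1183121: transition to the ldconfig domain when unconfined users run ldconfig`. Assuming `libs_run_ldconfig` is the usual run interface (domain transition plus role authorisation), ldconfig started by an unconfined admin is now bound by the ldconfig domain's rules, so invocations that use a non-default cache or configuration path may begin to log AVC denials; the audit log is worth checking after the update. Only the tail of the quilt patch is visible in this hunk, so the neighbouring `optional_policy` blocks are not reviewed here.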
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Apr 23 10:50:24 UTC 2021 - Johannes Segitz
+
+- Transition unconfined users to ldconfig type (bsc#1183121).
+ Extended fix_unconfineduser.patch
+
 -------------------------------------------------------------------
 Mon Apr 19 11:37:49 UTC 2021 - Johannes Segitz
From 5a087ac379bc0b4e50ef1246c98c1e747110ff9abde79c6727cf50413d1b22ba Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Mon, 26 Apr 2021 12:07:40 +0000
Subject: [PATCH 2/3] Accepting request 888474 from home:jsegitz:branches:security:SELinux - Added Recommends for selinux-autorelabel (bsc#1181837) - Prevent libreoffice fonts from changing types on every relabel (bsc#1185265)
OBS-URL: https://build.opensuse.org/request/show/888474
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=102
---
 fix_libraries.patch | 13 +++++++++++++
 selinux-policy.changes | 7 +++++++
 selinux-policy.spec | 3 +++
 3 files changed, 23 insertions(+)
 create mode 100644 fix_libraries.patch
diff --git a/fix_libraries.patch b/fix_libraries.patch
new file mode 100644
index 0000000..a6a228f
--- /dev/null
+++ b/fix_libraries.patch
@@ -0,0 +1,13 @@
+Index: fedora-policy-20210419/policy/modules/system/libraries.fc
+===================================================================
+--- fedora-policy-20210419.orig/policy/modules/system/libraries.fc
++++ fedora-policy-20210419/policy/modules/system/libraries.fc
+@@ -124,6 +124,8 @@ ifdef(`distro_redhat',`
+
+ /usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
+
++/usr/lib/libreoffice/program/resource.* -- gen_context(system_u:object_r:lib_t,s0)
++
+ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 29065f1..98db17c 100644
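Review bot: The new file-context pattern `/usr/lib/libreoffice/program/resource.*` in fix_libraries.patch is looser than its stated purpose: the unanchored `.*` matches any sibling whose name merely starts with `resource` and, because `.*` also crosses `/`, every regular file below it. If the target is the contents of the `resource` directory, `/usr/lib/libreoffice/program/resource/.* -- gen_context(system_u:object_r:lib_t,s0)` states that and labels nothing else as `lib_t`. The entry also has no comment, and which spec wins between overlapping file contexts is not obvious from the file alone, so a line such as `# bsc#1185265: pin to lib_t so the label stays stable across relabels` above it would save the next maintainer from removing it as redundant. The competing spec that caused the flip is not visible in this hunk.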
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Apr 26 07:16:10 UTC 2021 - Johannes Segitz
+
+- Added Recommends for selinux-autorelabel (bsc#1181837)
+- Prevent libreoffice fonts from changing types on every relabel
+ (bsc#1185265)
+
 -------------------------------------------------------------------
 Fri Apr 23 10:50:24 UTC 2021 - Johannes Segitz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ec2eeb2..7dcde59 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -128,6 +128,7 @@ Patch046: fix_unprivuser.patch
 Patch047: fix_rpm.patch
 Patch048: fix_apache.patch
 Patch049: fix_nis.patch
+Patch050: fix_libraries.patch
 Patch100: sedoctool.patch
@@ -154,6 +155,7 @@ Recommends: selinux-tools
 Recommends: python3-policycoreutils
 Recommends: policycoreutils-python-utils
 Recommends: container-selinux
+Recommends: selinux-autorelabel
 %define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
@@ -432,6 +434,7 @@ exit 0
 %patch047 -p1
 %patch048 -p1
 %patch049 -p1
+%patch050 -p1
 %patch100 -p1
 find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \;
From 81f34f7fcab50383421787f08c152f516c940164c863964d7122170667c04762 Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Mon, 26 Apr 2021 16:08:25 +0000
Subject: [PATCH 3/3] (bsc#1185265). Added fix_libraries.patch
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=103
---
 selinux-policy.changes | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 98db17c..ea9b543 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
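Review bot: The `Recommends: selinux-autorelabel` line added in the second selinux-policy.spec hunk is a weak dependency, so installations that skip recommended packages will not receive it and, presumably, will not get the relabel behaviour that the bsc#1181837 fix relies on. If keeping it optional is deliberate, a spec comment next to the tag would record that, for example `# Recommends rather than Requires: the autorelabel helper is optional on minimal installs (bsc#1181837)`. The other two hunks in this file only register and apply `fix_libraries.patch` and need no change.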
@@ -3,7 +3,7 @@ Mon Apr 26 07:16:10 UTC 2021 - Johannes Segitz
 - Added Recommends for selinux-autorelabel (bsc#1181837)
 - Prevent libreoffice fonts from changing types on every relabel
- (bsc#1185265)
+ (bsc#1185265). Added fix_libraries.patch
 -------------------------------------------------------------------
 Fri Apr 23 10:50:24 UTC 2021 - Johannes Segitz