Accepting request 988924 from home:jsegitz:branches:security:SELinux
- Update fix_systemd.patch to add sys_admin to systemd_gpt_generator_t (bsc#1200911)
- postfix: Label PID files and some helpers correctly (bsc#1197242)
- Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)
OBS-URL: https://build.opensuse.org/request/show/988924
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=134
This commit is contained in:
parent
a7283c99d6
commit
80bdcc2619
@ -1,8 +1,8 @@
|
||||
Index: fedora-policy/policy/modules/contrib/postfix.fc
|
||||
Index: fedora-policy-20220624/policy/modules/contrib/postfix.fc
|
||||
===================================================================
|
||||
--- fedora-policy.orig/policy/modules/contrib/postfix.fc
|
||||
+++ fedora-policy/policy/modules/contrib/postfix.fc
|
||||
@@ -1,37 +1,20 @@
|
||||
--- fedora-policy-20220624.orig/policy/modules/contrib/postfix.fc
|
||||
+++ fedora-policy-20220624/policy/modules/contrib/postfix.fc
|
||||
@@ -1,37 +1,21 @@
|
||||
# postfix
|
||||
-/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
|
||||
-/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
|
||||
@ -41,6 +41,7 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc
|
||||
+/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
|
||||
+/etc/postfix/chroot-update -- gen_context(system_u:object_r:postfix_exec_t,s0)
|
||||
+/usr/lib/postfix/bin/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
|
||||
+/usr/lib/postfix/systemd/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
|
||||
+/usr/lib/postfix/bin/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
|
||||
+/usr/lib/postfix/bin/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
|
||||
+/usr/lib/postfix/bin/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
@ -56,7 +57,7 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc
|
||||
/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
|
||||
/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
|
||||
/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
@@ -45,6 +28,9 @@ ifdef(`distro_redhat', `
|
||||
@@ -45,13 +29,16 @@ ifdef(`distro_redhat', `
|
||||
/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
|
||||
/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
||||
|
||||
@ -66,10 +67,18 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc
|
||||
/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
|
||||
|
||||
/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
|
||||
Index: fedora-policy/policy/modules/contrib/postfix.te
|
||||
/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
|
||||
/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
|
||||
/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
|
||||
-/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
|
||||
+/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
|
||||
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
|
||||
/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
|
||||
/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
|
||||
Index: fedora-policy-20220624/policy/modules/contrib/postfix.te
|
||||
===================================================================
|
||||
--- fedora-policy.orig/policy/modules/contrib/postfix.te
|
||||
+++ fedora-policy/policy/modules/contrib/postfix.te
|
||||
--- fedora-policy-20220624.orig/policy/modules/contrib/postfix.te
|
||||
+++ fedora-policy-20220624/policy/modules/contrib/postfix.te
|
||||
@@ -447,6 +447,14 @@ logging_send_syslog_msg(postfix_map_t)
|
||||
|
||||
userdom_use_inherited_user_ptys(postfix_map_t)
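Review bot: The two catch-all file contexts `/usr/lib/postfix/bin/.* -- postfix_exec_t` and `/usr/lib/postfix/systemd/.* -- postfix_exec_t` make every present and future binary under those directories an entrypoint into the postfix domain, with no comment saying which helpers this was meant to cover; the explicit `cleanup`, `local` and `master` lines only win because more-specific contexts take precedence over the `.*` pattern, which is worth stating so the next edit does not reorder or drop them. A one-line rationale above the catch-alls, e.g. `# bsc#1197242: helpers under bin/ and systemd/ run as postfix_t; per-program domains below must stay more specific than the .* entries`, would document that. The change from `/var/spool/postfix/pid/.*` to `/var/spool/postfix/pid(/.*)?` now also labels the `pid` directory itself as postfix_var_run_t, which appears intended but deserves a mention in the patch header since the directory needs a relabel on upgrade. The postfix.te hunk referenced at `@@ -447,6 +447,14 @@` is cut off here, so the added rules themselves are not reviewable in this view.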
|
||||
|
@ -1,7 +1,7 @@
|
||||
Index: fedora-policy-20220428/policy/modules/system/systemd.te
|
||||
Index: fedora-policy-20220624/policy/modules/system/systemd.te
|
||||
===================================================================
|
||||
--- fedora-policy-20220428.orig/policy/modules/system/systemd.te
|
||||
+++ fedora-policy-20220428/policy/modules/system/systemd.te
|
||||
--- fedora-policy-20220624.orig/policy/modules/system/systemd.te
|
||||
+++ fedora-policy-20220624/policy/modules/system/systemd.te
|
||||
@@ -355,6 +355,10 @@ userdom_manage_user_tmp_chr_files(system
|
||||
xserver_dbus_chat(systemd_logind_t)
|
||||
|
||||
@ -24,3 +24,12 @@ Index: fedora-policy-20220428/policy/modules/system/systemd.te
|
||||
#######################################
|
||||
#
|
||||
# rfkill policy
|
||||
@@ -1105,7 +1113,7 @@ systemd_read_efivarfs(systemd_hwdb_t)
|
||||
# systemd_gpt_generator domain
|
||||
#
|
||||
|
||||
-allow systemd_gpt_generator_t self:capability sys_rawio;
|
||||
+allow systemd_gpt_generator_t self:capability { sys_rawio sys_admin};
|
||||
allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
dev_read_sysfs(systemd_gpt_generator_t)
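Review bot: `allow systemd_gpt_generator_t self:capability { sys_rawio sys_admin};` grants sys_admin, the broadest capability in the policy, and neither the line nor the patch header records which operation of the generator was denied, so a later reviewer cannot tell whether a narrower permission would have sufficed. Please keep the AVC that motivated it next to the rule, e.g. `# bsc#1200911: sys_admin needed by systemd-gpt-auto-generator (see denial in bug)`, and re-check against the target policy version whether the denied operation is one that newer policies express with a finer-grained permission before keeping sys_admin permanently. Style-wise the set is missing its closing space: `{ sys_rawio sys_admin }` matches the rest of systemd.te. The enclosing systemd_gpt_generator block continues outside the hunk.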
|
||||
|
12
fix_userdomain.patch
Normal file
12
fix_userdomain.patch
Normal file
@ -0,0 +1,12 @@
|
||||
Index: fedora-policy-20220624/policy/modules/system/userdomain.if
|
||||
===================================================================
|
||||
--- fedora-policy-20220624.orig/policy/modules/system/userdomain.if
|
||||
+++ fedora-policy-20220624/policy/modules/system/userdomain.if
|
||||
@@ -1497,6 +1497,7 @@ tunable_policy(`deny_bluetooth',`',`
|
||||
|
||||
# port access is audited even if dac would not have allowed it, so dontaudit it here
|
||||
# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
|
||||
+ corenet_dontaudit_udp_bind_all_rpc_ports($1_t)
|
||||
# Need the following rule to allow users to run vpnc
|
||||
corenet_tcp_bind_xserver_port($1_t)
|
||||
corenet_tcp_bind_generic_node($1_usertype)
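Review bot: `corenet_dontaudit_udp_bind_all_rpc_ports($1_t)` is added inside the userdomain template at userdomain.if:1497, so it applies to every user domain generated from it, and unlike the neighbouring `# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)` line it carries no comment on why the audit record is unwanted. A dontaudit does not grant the bind — the access stays denied — but it removes those denials from the audit log for all user sessions, which is a visibility trade-off worth recording with the bug reference, e.g. `# bsc#1193984: user programs hit EACCES binding reserved UDP rpc ports; suppress the audit noise, the bind is still denied`. Operators who need the event back can still disable dontaudit rules at policy build time, which the comment could mention. The enclosing interface starts and ends outside the hunk.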
|
@ -1,3 +1,19 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 13 07:48:41 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
- Update fix_systemd.patch to add sys_admin systemd_gpt_generator_t
|
||||
(bsc#1200911)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 11 13:45:04 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
- postfix: Label PID files and some helpers correctly (bsc#1197242)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jun 24 12:51:40 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
- Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jun 24 06:32:55 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
|
@ -141,6 +141,7 @@ Patch057: fix_hypervkvp.patch
|
||||
Patch058: fix_bitlbee.patch
|
||||
Patch059: systemd_domain_dyntrans_type.patch
|
||||
Patch060: fix_dnsmasq.patch
|
||||
Patch061: fix_userdomain.patch
|
||||
|
||||
Patch100: sedoctool.patch
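Review bot: `Patch061: fix_userdomain.patch` is declared here, but the hunk does not show the corresponding `%patch061 -p1` application in `%prep`; unless the spec applies patches automatically with `%autosetup`/`%autopatch` (not visible in this view), the new patch would be packaged without ever being applied. Please confirm the application line is present elsewhere in the spec, or add it alongside the existing `%patch060` line.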
|
||||
|
||||
|