diff --git a/fix_postfix.patch b/fix_postfix.patch
index 3f9b14f..e068681 100644
--- a/fix_postfix.patch
+++ b/fix_postfix.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy/policy/modules/contrib/postfix.fc
+Index: fedora-policy-20220624/policy/modules/contrib/postfix.fc
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/postfix.fc
-+++ fedora-policy/policy/modules/contrib/postfix.fc
-@@ -1,37 +1,20 @@
+--- fedora-policy-20220624.orig/policy/modules/contrib/postfix.fc
++++ fedora-policy-20220624/policy/modules/contrib/postfix.fc
+@@ -1,37 +1,21 @@
 # postfix
 -/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
 -/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
@@ -41,6 +41,7 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc
 +/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
 +/etc/postfix/chroot-update -- gen_context(system_u:object_r:postfix_exec_t,s0)
 +/usr/lib/postfix/bin/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
++/usr/lib/postfix/systemd/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
 +/usr/lib/postfix/bin/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
 +/usr/lib/postfix/bin/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
 +/usr/lib/postfix/bin/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
@@ -56,7 +57,7 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc
 /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
 /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
 /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-@@ -45,6 +28,9 @@ ifdef(`distro_redhat', `
+@@ -45,13 +29,16 @@ ifdef(`distro_redhat', `
 /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
 /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
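Review bot: The new entry `/usr/lib/postfix/systemd/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)` in the `@@ -41,6 +41,7 @@` hunk labels every regular file under that directory as a postfix entrypoint, not only the helpers the change is meant for, so any file that later lands there becomes a valid transition point into the postfix domains. The same hunk already shows the narrower per-file style for `bin/cleanup`, `bin/local` and `bin/master`; listing the known helper scripts (presumably the ones the postfix unit invokes, which cannot be confirmed from this hunk) would keep the entrypoint set explicit. The patch itself records no rationale, the bsc reference only appears in the changelog, so a comment such as `# helper scripts run from the systemd unit (bsc#1197242)` above the line would help the next reviewer.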
@@ -66,10 +67,18 @@ Index: fedora-policy/policy/modules/contrib/postfix.fc
 /var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
 /var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
-Index: fedora-policy/policy/modules/contrib/postfix.te
+ /var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+ /var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+ /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+-/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
++/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
+ /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
+ /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
+ /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
+Index: fedora-policy-20220624/policy/modules/contrib/postfix.te
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/postfix.te
-+++ fedora-policy/policy/modules/contrib/postfix.te
+--- fedora-policy-20220624.orig/policy/modules/contrib/postfix.te
++++ fedora-policy-20220624/policy/modules/contrib/postfix.te
 @@ -447,6 +447,14 @@ logging_send_syslog_msg(postfix_map_t)
 userdom_use_inherited_user_ptys(postfix_map_t)
diff --git a/fix_systemd.patch b/fix_systemd.patch
index 7b60e25..81eadcc 100644
--- a/fix_systemd.patch
+++ b/fix_systemd.patch
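Review bot: Widening `/var/spool/postfix/pid/.*` to `/var/spool/postfix/pid(/.*)?` gives the `pid` directory itself `postfix_var_run_t`, but a file-context entry only takes effect on relabel; if that directory is created at runtime (for example by the chroot setup) it will inherit the parent's `postfix_spool_t` unless a matching file-transition rule exists. The postfix.te change referenced at `@@ -447,6 +447,14 @@` appears here only as a header line, so whether such a rule accompanies this relabel cannot be seen in this hunk. A short comment on the pid line stating which side creates the directory, and a `restorecon -nv /var/spool/postfix/pid` check after install, would confirm the intended label actually lands on running systems.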
@@ -1,7 +1,7 @@
-Index: fedora-policy-20220428/policy/modules/system/systemd.te
+Index: fedora-policy-20220624/policy/modules/system/systemd.te
 ===================================================================
---- fedora-policy-20220428.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20220428/policy/modules/system/systemd.te
+--- fedora-policy-20220624.orig/policy/modules/system/systemd.te
++++ fedora-policy-20220624/policy/modules/system/systemd.te
 @@ -355,6 +355,10 @@ userdom_manage_user_tmp_chr_files(system
 xserver_dbus_chat(systemd_logind_t)
@@ -24,3 +24,12 @@ Index: fedora-policy-20220428/policy/modules/system/systemd.te
 #######################################
 #
 # rfkill policy
+@@ -1105,7 +1113,7 @@ systemd_read_efivarfs(systemd_hwdb_t)
+ # systemd_gpt_generator domain
+ #
+
+-allow systemd_gpt_generator_t self:capability sys_rawio;
++allow systemd_gpt_generator_t self:capability { sys_rawio sys_admin};
+ allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ dev_read_sysfs(systemd_gpt_generator_t)
diff --git a/fix_userdomain.patch b/fix_userdomain.patch
new file mode 100644
index 0000000..6691ad8
--- /dev/null
+++ b/fix_userdomain.patch
@@ -0,0 +1,12 @@
+Index: fedora-policy-20220624/policy/modules/system/userdomain.if
+===================================================================
+--- fedora-policy-20220624.orig/policy/modules/system/userdomain.if
++++ fedora-policy-20220624/policy/modules/system/userdomain.if
+@@ -1497,6 +1497,7 @@ tunable_policy(`deny_bluetooth',`',`
+
+ # port access is audited even if dac would not have allowed it, so dontaudit it here
+ # corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
++ corenet_dontaudit_udp_bind_all_rpc_ports($1_t)
+ # Need the following rule to allow users to run vpnc
+ corenet_tcp_bind_xserver_port($1_t)
+ corenet_tcp_bind_generic_node($1_usertype)
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 170fbc2..8663b1d 100644
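Review bot: `allow systemd_gpt_generator_t self:capability { sys_rawio sys_admin};` in the `@@ -24,3 +24,12 @@` hunk grants `sys_admin`, the broadest capability in the policy, to a domain whose other visible rules are specific (`sys_rawio`, a `netlink_kobject_uevent_socket`, `dev_read_sysfs`); the patch records no reason, only the changelog's bsc#1200911. Please add a comment above the rule naming the operation that was denied so the grant can be revisited later, and if that access is harmless for the generator's job the `dontaudit` form would silence the denial without widening the domain. Style: refpolicy writes permission sets with spaces on both sides, `{ sys_rawio sys_admin }`. The `systemd_gpt_generator` policy section this rule belongs to continues outside the hunk.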
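Review bot: `corenet_dontaudit_udp_bind_all_rpc_ports($1_t)` in the new fix_userdomain.patch silences, for every user domain built through this interface, the audit record of a bind to any RPC UDP port; the comment two lines above explains the rationale only for the commented-out TCP variant, and the motivation for the UDP case lives solely in the changelog (bsc#1193984). A dontaudit removes exactly the evidence a defender would use to notice an unprivileged session squatting an RPC port, so add a one-line comment such as `# silence RPC UDP bind denials from user sessions (bsc#1193984)` stating what produced the noise, or, if the denial comes from one known client, scope the rule to that domain rather than `$1_t`. The interface this line sits in starts and ends outside the hunk.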
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Jul 13 07:48:41 UTC 2022 - Johannes Segitz
+
+- Update fix_systemd.patch to add sys_admin systemd_gpt_generator_t
+ (bsc#1200911)
+
+-------------------------------------------------------------------
+Mon Jul 11 13:45:04 UTC 2022 - Johannes Segitz
+
+- postfix: Label PID files and some helpers correctly (bsc#1197242)
+
+-------------------------------------------------------------------
+Fri Jun 24 12:51:40 UTC 2022 - Johannes Segitz
+
+- Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)
+
 -------------------------------------------------------------------
 Fri Jun 24 06:32:55 UTC 2022 - Johannes Segitz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0280976..5d3dfa9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -141,6 +141,7 @@ Patch057: fix_hypervkvp.patch
 Patch058: fix_bitlbee.patch
 Patch059: systemd_domain_dyntrans_type.patch
 Patch060: fix_dnsmasq.patch
+Patch061: fix_userdomain.patch
 Patch100: sedoctool.patch