diff --git a/fix_libraries.patch b/fix_libraries.patch
new file mode 100644
index 0000000..a6a228f
--- /dev/null
+++ b/fix_libraries.patch
@@ -0,0 +1,13 @@
+Index: fedora-policy-20210419/policy/modules/system/libraries.fc
+===================================================================
+--- fedora-policy-20210419.orig/policy/modules/system/libraries.fc
++++ fedora-policy-20210419/policy/modules/system/libraries.fc
+@@ -124,6 +124,8 @@ ifdef(`distro_redhat',`
+
+ /usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
+
++/usr/lib/libreoffice/program/resource.* -- gen_context(system_u:object_r:lib_t,s0)
++
+ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch
index 2ab2e84..55b9dda 100644
--- a/fix_unconfineduser.patch
+++ b/fix_unconfineduser.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20210309/policy/modules/roles/unconfineduser.te
+Index: fedora-policy-20210419/policy/modules/roles/unconfineduser.te
 ===================================================================
---- fedora-policy-20210309.orig/policy/modules/roles/unconfineduser.te
-+++ fedora-policy-20210309/policy/modules/roles/unconfineduser.te
+--- fedora-policy-20210419.orig/policy/modules/roles/unconfineduser.te
++++ fedora-policy-20210419/policy/modules/roles/unconfineduser.te
 @@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all'
 domain_dyntrans(unconfined_t)
 ')
@@ -44,3 +44,14 @@ Index: fedora-policy-20210309/policy/modules/roles/unconfineduser.te
 bluetooth_dbus_chat(unconfined_t)
 ')
+@@ -311,6 +332,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ libs_run_ldconfig(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
+ firstboot_run(unconfined_t, unconfined_r)
+ ')
+
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 248ee11..ea9b543 100644
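Review bot: The added entry `/usr/lib/libreoffice/program/resource.*` ends in an open `.*`, so it assigns `lib_t` to every regular file whose path merely begins with `.../program/resource`, meaning sibling files sharing that prefix as well as everything below a `resource/` directory. If only the directory tree is meant, `/usr/lib/libreoffice/program/resource(/.*)? -- gen_context(system_u:object_r:lib_t,s0)` states that precisely and keeps the label from spreading to unrelated names. The new patch file also carries no header or comment saying which competing rule made the type flip on relabel; a line such as `# keep libreoffice resource files at lib_t across relabels (bsc#1185265)` above the entry would let a later reviewer check that this rule still wins after the next policy rebase.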
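Review bot: The new `libs_run_ldconfig(unconfined_t, unconfined_r)` block in the second hunk of fix_unconfineduser.patch changes confinement but is added without any comment. ldconfig started by an unconfined user will now transition into the ldconfig domain instead of staying in `unconfined_t`. A comment such as `# run ldconfig in its own domain for unconfined users (bsc#1183121)` above the `optional_policy` would record the reason next to the rule. Because the ldconfig domain is presumably narrower than `unconfined_t`, invocations against non-default paths may now be denied, so it is worth checking the audit log for AVC denials carrying the ldconfig type after the update.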
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Mon Apr 26 07:16:10 UTC 2021 - Johannes Segitz
+
+- Added Recommends for selinux-autorelabel (bsc#1181837)
+- Prevent libreoffice fonts from changing types on every relabel
+ (bsc#1185265). Added fix_libraries.patch
+
+-------------------------------------------------------------------
+Fri Apr 23 10:50:24 UTC 2021 - Johannes Segitz
+
+- Transition unconfined users to ldconfig type (bsc#1183121).
+ Extended fix_unconfineduser.patch
+
 -------------------------------------------------------------------
 Mon Apr 19 11:37:49 UTC 2021 - Johannes Segitz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ec2eeb2..7dcde59 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -128,6 +128,7 @@ Patch046: fix_unprivuser.patch
 Patch047: fix_rpm.patch
 Patch048: fix_apache.patch
 Patch049: fix_nis.patch
+Patch050: fix_libraries.patch
 Patch100: sedoctool.patch
@@ -154,6 +155,7 @@ Recommends: selinux-tools
 Recommends: python3-policycoreutils
 Recommends: policycoreutils-python-utils
 Recommends: container-selinux
+Recommends: selinux-autorelabel
 %define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
@@ -432,6 +434,7 @@ exit 0
 %patch047 -p1
 %patch048 -p1
 %patch049 -p1
+%patch050 -p1
 %patch100 -p1
 find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \;
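Review bot: `Recommends: selinux-autorelabel` in the second selinux-policy.spec hunk is a weak dependency, so installations that disable recommended packages receive the new policy without it. The same update adds a file-context rule (fix_libraries.patch) that only affects files once they are relabelled, so systems without the helper presumably keep the old labels until someone relabels by hand. A short comment above the line, for example `# weak dependency on purpose, see bsc#1181837`, would make clear that `Requires:` was considered and rejected rather than overlooked.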