Accepting request 888543 from security:SELinux

- Added Recommends for selinux-autorelabel (bsc#1181837) - Prevent libreoffice fonts from changing types on every relabel (bsc#1185265). Added fix_libraries.patch - Transition unconfined users to ldconfig type (bsc#1183121). Extended fix_unconfineduser.patch OBS-URL: https://build.opensuse.org/request/show/888543 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=10
2021-04-29 20:44:23 +00:00 · 2021-04-29 20:44:23 +00:00 · 9770640975
commit 9770640975
parent 46cba05af6
4 changed files with 43 additions and 3 deletions
--- a/fix_libraries.patch
+++ b/fix_libraries.patch
@ -0,0 +1,13 @@
+Index: fedora-policy-20210419/policy/modules/system/libraries.fc
+===================================================================
+--- fedora-policy-20210419.orig/policy/modules/system/libraries.fc
+++ fedora-policy-20210419/policy/modules/system/libraries.fc
+@@ -124,6 +124,8 @@ ifdef(`distro_redhat',`
+ 
+ /usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
+ 
+/usr/lib/libreoffice/program/resource.* --	gen_context(system_u:object_r:lib_t,s0)
+
+ /usr/(.*/)?nvidia/.+\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ /usr/lib/(sse2/)?libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
--- a/fix_unconfineduser.patch
+++ b/fix_unconfineduser.patch
@ -1,7 +1,7 @@
-Index: fedora-policy-20210309/policy/modules/roles/unconfineduser.te
+Index: fedora-policy-20210419/policy/modules/roles/unconfineduser.te
 ===================================================================
--- fedora-policy-20210309.orig/policy/modules/roles/unconfineduser.te
-+++ fedora-policy-20210309/policy/modules/roles/unconfineduser.te
+--- fedora-policy-20210419.orig/policy/modules/roles/unconfineduser.te
+++ fedora-policy-20210419/policy/modules/roles/unconfineduser.te
@@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all'
     domain_dyntrans(unconfined_t)
 ')
@ -44,3 +44,14 @@ Index: fedora-policy-20210309/policy/modules/roles/unconfineduser.te
 		bluetooth_dbus_chat(unconfined_t)
 	')
 
+@@ -311,6 +332,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+	libs_run_ldconfig(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
+ 	firstboot_run(unconfined_t, unconfined_r)
+ ')
+ 
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Mon Apr 26 07:16:10 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added Recommends for selinux-autorelabel (bsc#1181837)
+- Prevent libreoffice fonts from changing types on every relabel 
+  (bsc#1185265). Added fix_libraries.patch
+
+-------------------------------------------------------------------
+Fri Apr 23 10:50:24 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Transition unconfined users to ldconfig type (bsc#1183121).
+  Extended fix_unconfineduser.patch
+
 -------------------------------------------------------------------
 Mon Apr 19 11:37:49 UTC 2021 - Johannes Segitz <jsegitz@suse.com>

--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -128,6 +128,7 @@ Patch046:       fix_unprivuser.patch
 Patch047:       fix_rpm.patch
 Patch048:       fix_apache.patch
 Patch049:       fix_nis.patch
+Patch050:       fix_libraries.patch

 Patch100:       sedoctool.patch

@ -154,6 +155,7 @@ Recommends:     selinux-tools
 Recommends:     python3-policycoreutils
 Recommends:     policycoreutils-python-utils
 Recommends:     container-selinux
+Recommends:     selinux-autorelabel

 %define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024

@ -432,6 +434,7 @@ exit 0
 %patch047 -p1
 %patch048 -p1
 %patch049 -p1
+%patch050 -p1

 %patch100 -p1
 find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \;