diff --git a/fedora-policy-20220124.tar.bz2 b/fedora-policy-20220124.tar.bz2
deleted file mode 100644
index 91d9636..0000000
--- a/fedora-policy-20220124.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ebec268024dfd05d9563991a424d12892b0eb210d1eab2c484ae424f8fb757c5
-size 725506
diff --git a/fedora-policy-20220520.tar.bz2 b/fedora-policy-20220520.tar.bz2
new file mode 100644
index 0000000..8523e23
--- /dev/null
+++ b/fedora-policy-20220520.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:90d1df3189f84ff576e2bd3cf5bc504bac06037d3475ea1904d2b9eda9d164e7
+size 730405
diff --git a/fix_apache.patch b/fix_apache.patch
index e097a03..74a1c76 100644
--- a/fix_apache.patch
+++ b/fix_apache.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy/policy/modules/contrib/apache.if
+Index: fedora-policy-20220428/policy/modules/contrib/apache.if
===================================================================
---- fedora-policy.orig/policy/modules/contrib/apache.if
-+++ fedora-policy/policy/modules/contrib/apache.if
-@@ -1967,3 +1967,25 @@ interface(`apache_ioctl_stream_sockets',
+--- fedora-policy-20220428.orig/policy/modules/contrib/apache.if
++++ fedora-policy-20220428/policy/modules/contrib/apache.if
+@@ -1989,3 +1989,25 @@ interface(`apache_ioctl_stream_sockets',
allow $1 httpd_t:unix_stream_socket ioctl;
')
diff --git a/fix_dnsmasq.patch b/fix_dnsmasq.patch
new file mode 100644
index 0000000..0471529
--- /dev/null
+++ b/fix_dnsmasq.patch
@@ -0,0 +1,12 @@
+Index: fedora-policy-20220519/policy/modules/contrib/dnsmasq.te
+===================================================================
+--- fedora-policy-20220519.orig/policy/modules/contrib/dnsmasq.te
++++ fedora-policy-20220519/policy/modules/contrib/dnsmasq.te
+@@ -115,6 +115,7 @@ libs_exec_ldconfig(dnsmasq_t)
+ logging_send_syslog_msg(dnsmasq_t)
+
+ miscfiles_read_public_files(dnsmasq_t)
++sysnet_manage_config_dirs(dnsmasq_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
+ userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
diff --git a/fix_hadoop.patch b/fix_hadoop.patch
index 4c24161..708fcb9 100644
--- a/fix_hadoop.patch
+++ b/fix_hadoop.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20220124/policy/modules/roles/sysadm.te
+Index: fedora-policy-20220428/policy/modules/roles/sysadm.te
===================================================================
---- fedora-policy-20220124.orig/policy/modules/roles/sysadm.te
-+++ fedora-policy-20220124/policy/modules/roles/sysadm.te
+--- fedora-policy-20220428.orig/policy/modules/roles/sysadm.te
++++ fedora-policy-20220428/policy/modules/roles/sysadm.te
@@ -315,10 +315,6 @@ optional_policy(`
')
@@ -13,11 +13,11 @@ Index: fedora-policy-20220124/policy/modules/roles/sysadm.te
iotop_run(sysadm_t, sysadm_r)
')
-Index: fedora-policy-20220124/policy/modules/roles/unprivuser.te
+Index: fedora-policy-20220428/policy/modules/roles/unprivuser.te
===================================================================
---- fedora-policy-20220124.orig/policy/modules/roles/unprivuser.te
-+++ fedora-policy-20220124/policy/modules/roles/unprivuser.te
+--- fedora-policy-20220428.orig/policy/modules/roles/unprivuser.te
++++ fedora-policy-20220428/policy/modules/roles/unprivuser.te
-@@ -205,10 +205,6 @@ ifndef(`distro_redhat',`
+@@ -210,10 +210,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
diff --git a/fix_init.patch b/fix_init.patch
index 18063b1..f209bdb 100644
--- a/fix_init.patch
+++ b/fix_init.patch
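Review bot: The added `sysnet_manage_config_dirs(dnsmasq_t)` in fix_dnsmasq.patch carries no comment saying why a DNS/DHCP forwarder needs the full manage permission set (create, remove, rename included) on the network-config directories rather than read access, so the next policy refresh cannot judge whether the rule is still needed or could be narrowed to a read-only sysnet interface. The changelog hunk later in this commit ties it to bsc#1199518, and that belongs next to the rule, as fix_init.patch does for its additions: `# bsc#1199518: virtualization on MicroOS`. The Index header also names fedora-policy-20220519 while the refreshed patches use 20220428 and the new tarball is 20220520; harmless as long as the path prefix is stripped on application, but the same drift appears in fix_unconfineduser.patch (20220509) and systemd_domain_dyntrans_type.patch (20220124), and regenerating all of them against 20220520 would keep the set consistent.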
@@ -1,8 +1,17 @@
-Index: fedora-policy-20220124/policy/modules/system/init.te
+Index: fedora-policy-20220428/policy/modules/system/init.te
===================================================================
---- fedora-policy-20220124.orig/policy/modules/system/init.te
-+++ fedora-policy-20220124/policy/modules/system/init.te
-@@ -267,6 +267,8 @@ corecmd_exec_bin(init_t)
+--- fedora-policy-20220428.orig/policy/modules/system/init.te
++++ fedora-policy-20220428/policy/modules/system/init.te
+@@ -187,6 +187,8 @@ allow init_t self:bpf { map_create map_r
+ # setuid (from /sbin/shutdown)
+ # sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
+
++# bsc#1197610, find a better, generic solution
++allow init_t self:file mounton;
+ allow init_t self:fifo_file rw_fifo_file_perms;
+
+ allow init_t self:service manage_service_perms;
+@@ -267,6 +269,8 @@ corecmd_exec_bin(init_t)
corenet_all_recvfrom_netlabel(init_t)
corenet_tcp_bind_all_ports(init_t)
corenet_udp_bind_all_ports(init_t)
@@ -11,7 +20,7 @@ Index: fedora-policy-20220124/policy/modules/system/init.te
dev_create_all_files(init_t)
dev_create_all_chr_files(init_t)
-@@ -394,6 +396,7 @@ logging_manage_audit_config(init_t)
+@@ -396,6 +400,7 @@ logging_manage_audit_config(init_t)
logging_create_syslog_netlink_audit_socket(init_t)
logging_write_var_log_dirs(init_t)
logging_manage_var_log_symlinks(init_t)
@@ -19,7 +28,7 @@ Index: fedora-policy-20220124/policy/modules/system/init.te
seutil_read_config(init_t)
seutil_read_login_config(init_t)
-@@ -444,10 +447,15 @@ ifdef(`distro_redhat',`
+@@ -446,9 +451,19 @@ ifdef(`distro_redhat',`
corecmd_shell_domtrans(init_t, initrc_t)
storage_raw_rw_fixed_disk(init_t)
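Review bot: The new `allow init_t self:file mounton;` in the first hunk of fix_init.patch is tagged only with `# bsc#1197610, find a better, generic solution`, which records that the rule is a stopgap but not what it is for; the changelog hunk in this commit says init needs it to set up the constrained environment for accountsservice, and that belongs next to the rule so whoever revisits the TODO knows what to test. I would extend the comment to `# bsc#1197610: init sets up the constrained environment for accountsservice; find a better, generic solution`, and use the same wording for the `mta_getattr_spool(init_t)` block added under the same bug in the `@@ -27,15 +36,19 @@` hunk on the next line. Since the rule is against self it presumably only covers file objects labelled init_t, but it is exactly the kind of grant that silently outlives its reason, so the stated purpose matters more than usual here.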
@@ -27,15 +36,19 @@ Index: fedora-policy-20220124/policy/modules/system/init.te
sysnet_read_dhcpc_state(init_t)
- optional_policy(`
-+ networkmanager_initrc_read_lnk_files(init_t)
++# bsc#1197610, find a better, generic solution
++optional_policy(`
++ mta_getattr_spool(init_t)
+')
+
+optional_policy(`
++ networkmanager_initrc_read_lnk_files(init_t)
++')
++
+ optional_policy(`
bootloader_domtrans(init_t)
')
-
-@@ -571,10 +579,10 @@ tunable_policy(`init_audit_control',`
+@@ -573,10 +588,10 @@ tunable_policy(`init_audit_control',`
allow init_t self:system all_system_perms;
allow init_t self:system module_load;
allow init_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -48,7 +61,7 @@ Index: fedora-policy-20220124/policy/modules/system/init.te
allow init_t self:netlink_selinux_socket create_socket_perms;
allow init_t self:unix_dgram_socket lock;
# Until systemd is fixed
-@@ -633,6 +641,7 @@ files_delete_all_spool_sockets(init_t)
+@@ -635,6 +650,7 @@ files_delete_all_spool_sockets(init_t)
files_create_var_lib_dirs(init_t)
files_create_var_lib_symlinks(init_t)
files_read_var_lib_symlinks(init_t)
@@ -56,7 +69,7 @@ Index: fedora-policy-20220124/policy/modules/system/init.te
files_manage_urandom_seed(init_t)
files_list_locks(init_t)
files_list_spool(init_t)
-@@ -669,7 +678,7 @@ fs_list_all(init_t)
+@@ -672,7 +688,7 @@ fs_list_all(init_t)
fs_list_auto_mountpoints(init_t)
fs_register_binary_executable_type(init_t)
fs_relabel_tmpfs_sock_file(init_t)
@@ -65,7 +78,7 @@ Index: fedora-policy-20220124/policy/modules/system/init.te
fs_relabel_cgroup_dirs(init_t)
fs_search_cgroup_dirs(init_t)
# for network namespaces
-@@ -725,6 +734,7 @@ systemd_write_inherited_logind_sessions_
+@@ -728,6 +744,7 @@ systemd_write_inherited_logind_sessions_
create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
create_dirs_pattern(init_t, var_log_t, var_log_t)
@@ -73,7 +86,7 @@ Index: fedora-policy-20220124/policy/modules/system/init.te
auth_use_nsswitch(init_t)
auth_rw_login_records(init_t)
-@@ -1571,6 +1581,8 @@ optional_policy(`
+@@ -1578,6 +1595,8 @@ optional_policy(`
optional_policy(`
postfix_list_spool(initrc_t)
diff --git a/fix_iptables.patch b/fix_iptables.patch
index 6c71cb9..bb149fd 100644
--- a/fix_iptables.patch
+++ b/fix_iptables.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy-20210309/policy/modules/system/iptables.te
+Index: fedora-policy-20220428/policy/modules/system/iptables.te
===================================================================
---- fedora-policy-20210309.orig/policy/modules/system/iptables.te
-+++ fedora-policy-20210309/policy/modules/system/iptables.te
-@@ -74,6 +74,7 @@ kernel_read_network_state(iptables_t)
+--- fedora-policy-20220428.orig/policy/modules/system/iptables.te
++++ fedora-policy-20220428/policy/modules/system/iptables.te
+@@ -76,6 +76,7 @@ kernel_read_network_state(iptables_t)
kernel_read_kernel_sysctls(iptables_t)
kernel_use_fds(iptables_t)
kernel_rw_net_sysctls(iptables_t)
diff --git a/fix_kernel_sysctl.patch b/fix_kernel_sysctl.patch
index 7fb1b7e..b32448e 100644
--- a/fix_kernel_sysctl.patch
+++ b/fix_kernel_sysctl.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20220124/policy/modules/kernel/files.fc
+Index: fedora-policy-20220428/policy/modules/kernel/files.fc
===================================================================
---- fedora-policy-20220124.orig/policy/modules/kernel/files.fc
-+++ fedora-policy-20220124/policy/modules/kernel/files.fc
+--- fedora-policy-20220428.orig/policy/modules/kernel/files.fc
++++ fedora-policy-20220428/policy/modules/kernel/files.fc
@@ -236,6 +236,8 @@ ifdef(`distro_redhat',`
/usr/lib/ostree-boot(/.*)? gen_context(system_u:object_r:usr_t,s0)
/usr/lib/modules(/.*)/vmlinuz -- gen_context(system_u:object_r:usr_t,s0)
@@ -11,11 +11,11 @@ Index: fedora-policy-20220124/policy/modules/kernel/files.fc
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-Index: fedora-policy-20220124/policy/modules/system/systemd.te
+Index: fedora-policy-20220428/policy/modules/system/systemd.te
===================================================================
---- fedora-policy-20220124.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20220124/policy/modules/system/systemd.te
-@@ -1037,6 +1037,8 @@ init_stream_connect(systemd_sysctl_t)
+--- fedora-policy-20220428.orig/policy/modules/system/systemd.te
++++ fedora-policy-20220428/policy/modules/system/systemd.te
+@@ -1052,6 +1052,8 @@ init_stream_connect(systemd_sysctl_t)
logging_send_syslog_msg(systemd_sysctl_t)
systemd_read_efivarfs(systemd_sysctl_t)
diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch
index 6dcab29..58e611c 100644
--- a/fix_networkmanager.patch
+++ b/fix_networkmanager.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy-20211111/policy/modules/contrib/networkmanager.te
+Index: fedora-policy-20220428/policy/modules/contrib/networkmanager.te
===================================================================
---- fedora-policy-20211111.orig/policy/modules/contrib/networkmanager.te
-+++ fedora-policy-20211111/policy/modules/contrib/networkmanager.te
-@@ -243,6 +243,9 @@ userdom_read_home_certs(NetworkManager_t
+--- fedora-policy-20220428.orig/policy/modules/contrib/networkmanager.te
++++ fedora-policy-20220428/policy/modules/contrib/networkmanager.te
+@@ -271,6 +271,9 @@ userdom_read_home_certs(NetworkManager_t
userdom_read_user_home_content_files(NetworkManager_t)
userdom_dgram_send(NetworkManager_t)
@@ -12,7 +12,7 @@ Index: fedora-policy-20211111/policy/modules/contrib/networkmanager.te
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(NetworkManager_t)
')
-@@ -260,6 +263,14 @@ optional_policy(`
+@@ -288,6 +291,14 @@ optional_policy(`
')
optional_policy(`
@@ -27,10 +27,10 @@ Index: fedora-policy-20211111/policy/modules/contrib/networkmanager.te
bind_domtrans(NetworkManager_t)
bind_manage_cache(NetworkManager_t)
bind_kill(NetworkManager_t)
-Index: fedora-policy-20211111/policy/modules/contrib/networkmanager.if
+Index: fedora-policy-20220428/policy/modules/contrib/networkmanager.if
===================================================================
---- fedora-policy-20211111.orig/policy/modules/contrib/networkmanager.if
-+++ fedora-policy-20211111/policy/modules/contrib/networkmanager.if
+--- fedora-policy-20220428.orig/policy/modules/contrib/networkmanager.if
++++ fedora-policy-20220428/policy/modules/contrib/networkmanager.if
@@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran
init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
')
diff --git a/fix_systemd.patch b/fix_systemd.patch
index f923439..7b60e25 100644
--- a/fix_systemd.patch
+++ b/fix_systemd.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy-20220124/policy/modules/system/systemd.te
+Index: fedora-policy-20220428/policy/modules/system/systemd.te
===================================================================
---- fedora-policy-20220124.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20220124/policy/modules/system/systemd.te
-@@ -353,6 +353,10 @@ userdom_manage_user_tmp_chr_files(system
+--- fedora-policy-20220428.orig/policy/modules/system/systemd.te
++++ fedora-policy-20220428/policy/modules/system/systemd.te
+@@ -355,6 +355,10 @@ userdom_manage_user_tmp_chr_files(system
xserver_dbus_chat(systemd_logind_t)
optional_policy(`
@@ -13,7 +13,7 @@ Index: fedora-policy-20220124/policy/modules/system/systemd.te
apache_read_tmp_files(systemd_logind_t)
')
-@@ -868,6 +872,10 @@ optional_policy(`
+@@ -882,6 +886,10 @@ optional_policy(`
udev_read_pid_files(systemd_hostnamed_t)
')
@@ -24,12 +24,3 @@ Index: fedora-policy-20220124/policy/modules/system/systemd.te
#######################################
#
# rfkill policy
-@@ -1115,6 +1123,8 @@ optional_policy(`
- udev_read_pid_files(systemd_gpt_generator_t)
- ')
-
-+udev_read_pid_files(systemd_gpt_generator_t)
-+
- #######################################
- #
- # systemd_resolved domain
diff --git a/fix_systemd_watch.patch b/fix_systemd_watch.patch
index 8f6061d..75af5b6 100644
--- a/fix_systemd_watch.patch
+++ b/fix_systemd_watch.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy-20220124/policy/modules/system/systemd.te
+Index: fedora-policy-20220428/policy/modules/system/systemd.te
===================================================================
---- fedora-policy-20220124.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20220124/policy/modules/system/systemd.te
-@@ -1421,6 +1421,12 @@ fstools_rw_swap_files(systemd_sleep_t)
+--- fedora-policy-20220428.orig/policy/modules/system/systemd.te
++++ fedora-policy-20220428/policy/modules/system/systemd.te
+@@ -1445,6 +1445,12 @@ fstools_rw_swap_files(systemd_sleep_t)
storage_getattr_fixed_disk_dev(systemd_sleep_t)
storage_getattr_removable_dev(systemd_sleep_t)
diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch
index 54458d4..82632fe 100644
--- a/fix_unconfineduser.patch
+++ b/fix_unconfineduser.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy-20211111/policy/modules/roles/unconfineduser.te
+Index: fedora-policy-20220509/policy/modules/roles/unconfineduser.te
===================================================================
---- fedora-policy-20211111.orig/policy/modules/roles/unconfineduser.te
-+++ fedora-policy-20211111/policy/modules/roles/unconfineduser.te
-@@ -122,6 +122,11 @@ tunable_policy(`unconfined_dyntrans_all'
+--- fedora-policy-20220509.orig/policy/modules/roles/unconfineduser.te
++++ fedora-policy-20220509/policy/modules/roles/unconfineduser.te
+@@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all'
domain_dyntrans(unconfined_t)
')
@@ -14,7 +14,7 @@ Index: fedora-policy-20211111/policy/modules/roles/unconfineduser.te
optional_policy(`
gen_require(`
type unconfined_t;
-@@ -208,6 +213,10 @@ optional_policy(`
+@@ -210,6 +215,10 @@ optional_policy(`
')
optional_policy(`
@@ -25,7 +25,7 @@ Index: fedora-policy-20211111/policy/modules/roles/unconfineduser.te
chrome_role_notrans(unconfined_r, unconfined_t)
tunable_policy(`unconfined_chrome_sandbox_transition',`
-@@ -242,6 +251,18 @@ optional_policy(`
+@@ -244,6 +253,18 @@ optional_policy(`
dbus_stub(unconfined_t)
optional_policy(`
@@ -44,14 +44,3 @@ Index: fedora-policy-20211111/policy/modules/roles/unconfineduser.te
bluetooth_dbus_chat(unconfined_t)
')
-@@ -305,6 +326,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ libs_run_ldconfig(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
- firstboot_run(unconfined_t, unconfined_r)
- ')
-
diff --git a/fix_unprivuser.patch b/fix_unprivuser.patch
index f23ba18..639da39 100644
--- a/fix_unprivuser.patch
+++ b/fix_unprivuser.patch
@@ -1,8 +1,8 @@
-Index: fedora-policy-20210628/policy/modules/roles/unprivuser.te
+Index: fedora-policy-20220428/policy/modules/roles/unprivuser.te
===================================================================
---- fedora-policy-20210628.orig/policy/modules/roles/unprivuser.te
-+++ fedora-policy-20210628/policy/modules/roles/unprivuser.te
-@@ -287,6 +287,13 @@ ifndef(`distro_redhat',`
+--- fedora-policy-20220428.orig/policy/modules/roles/unprivuser.te
++++ fedora-policy-20220428/policy/modules/roles/unprivuser.te
+@@ -292,6 +292,13 @@ ifndef(`distro_redhat',`
')
optional_policy(`
diff --git a/fix_usermanage.patch b/fix_usermanage.patch
index 391cc2f..a7d1bee 100644
--- a/fix_usermanage.patch
+++ b/fix_usermanage.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20210309/policy/modules/admin/usermanage.te
+Index: fedora-policy-20220428/policy/modules/admin/usermanage.te
===================================================================
---- fedora-policy-20210309.orig/policy/modules/admin/usermanage.te
-+++ fedora-policy-20210309/policy/modules/admin/usermanage.te
+--- fedora-policy-20220428.orig/policy/modules/admin/usermanage.te
++++ fedora-policy-20220428/policy/modules/admin/usermanage.te
@@ -226,6 +226,7 @@ allow groupadd_t self:unix_dgram_socket
allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
allow groupadd_t self:unix_dgram_socket sendto;
@@ -10,7 +10,7 @@ Index: fedora-policy-20210309/policy/modules/admin/usermanage.te
fs_getattr_xattr_fs(groupadd_t)
fs_search_auto_mountpoints(groupadd_t)
-@@ -529,6 +530,7 @@ allow useradd_t self:unix_dgram_socket c
+@@ -538,6 +539,7 @@ allow useradd_t self:unix_dgram_socket c
allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
@@ -18,7 +18,7 @@ Index: fedora-policy-20210309/policy/modules/admin/usermanage.te
manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
-@@ -537,6 +539,8 @@ files_pid_filetrans(useradd_t, useradd_v
+@@ -546,6 +548,8 @@ files_pid_filetrans(useradd_t, useradd_v
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
diff --git a/fix_wine.patch b/fix_wine.patch
index 0a5f9d1..17698f2 100644
--- a/fix_wine.patch
+++ b/fix_wine.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20210716/policy/modules/system/libraries.fc
+Index: fedora-policy-20220428/policy/modules/system/libraries.fc
===================================================================
---- fedora-policy-20210716.orig/policy/modules/system/libraries.fc
-+++ fedora-policy-20210716/policy/modules/system/libraries.fc
+--- fedora-policy-20220428.orig/policy/modules/system/libraries.fc
++++ fedora-policy-20220428/policy/modules/system/libraries.fc
@@ -90,7 +90,7 @@ ifdef(`distro_redhat',`
/opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
@@ -12,7 +12,7 @@ Index: fedora-policy-20210716/policy/modules/system/libraries.fc
/opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -173,7 +173,8 @@ ifdef(`distro_redhat',`
- /usr/lib/systemd/libsystemd-shared-[0-9]+\.so.* -- gen_context(system_u:object_r:lib_t,s0)
+ /usr/lib/systemd/libsystemd-.+\.so.* -- gen_context(system_u:object_r:lib_t,s0)
/usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
-/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 709306f..dea6cfe 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,4 +1,44 @@
-------------------------------------------------------------------
+Fri May 20 13:46:47 UTC 2022 - Johannes Segitz
+
+- Update to version 20220520 to pass stricter 3.4 toolchain checks
+
+-------------------------------------------------------------------
+Fri May 20 09:14:58 UTC 2022 - Johannes Segitz
+
+- Update to version 20220428. Refreshed:
+ * fix_apache.patch
+ * fix_hadoop.patch
+ * fix_init.patch
+ * fix_iptables.patch
+ * fix_kernel_sysctl.patch
+ * fix_networkmanager.patch
+ * fix_systemd.patch
+ * fix_systemd_watch.patch
+ * fix_unprivuser.patch
+ * fix_usermanage.patch
+ * fix_wine.patch
+
+-------------------------------------------------------------------
+Thu May 19 12:25:31 UTC 2022 - Johannes Segitz
+- Add fix_dnsmasq.patch to fix problems with virtualization on Microos
+ (bsc#1199518)
+
+-------------------------------------------------------------------
+Tue May 3 13:18:38 UTC 2022 - Johannes Segitz
+
+- Modified fix_init.patch to allow init to setup contrained environment
+ for accountsservice. This needs a better, more general solution
+ (bsc#1197610)
+
+-------------------------------------------------------------------
+Mon May 2 11:27:49 UTC 2022 - Johannes Segitz
+
+- Add systemd_domain_dyntrans_type.patch to allow systemd to dyntransition.
+ This happens in certain boot conditions (bsc#1182500)
+- Changed fix_unconfineduser.patch to not transition into ldconfig_t
+ from unconfined_t (bsc#1197169)
+-------------------------------------------------------------------
Thu Feb 17 12:24:13 UTC 2022 - Klaus Kämpf
- use %license tag for COPYING file
diff --git a/selinux-policy.spec b/selinux-policy.spec
index de4fa04..dc83c18 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -33,7 +33,7 @@ Summary: SELinux policy configuration
License: GPL-2.0-or-later
Group: System/Management
Name: selinux-policy
-Version: 20220124
+Version: 20220520
Release: 0
Source: fedora-policy-%{version}.tar.bz2
Source1: selinux-policy-rpmlintrc
@@ -140,6 +140,8 @@ Patch055: fix_auditd.patch
Patch056: fix_wine.patch
Patch057: fix_hypervkvp.patch
Patch058: fix_bitlbee.patch
+Patch059: systemd_domain_dyntrans_type.patch
+Patch060: fix_dnsmasq.patch
Patch100: sedoctool.patch
@@ -274,6 +276,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
%{_sharedstatedir}/selinux/%1/active/seusers \
%{_sharedstatedir}/selinux/%1/active/file_contexts \
%{_sharedstatedir}/selinux/%1/active/policy.kern \
+%{_sharedstatedir}/selinux/%1/active/modules_checksum \
%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
diff --git a/systemd_domain_dyntrans_type.patch b/systemd_domain_dyntrans_type.patch
new file mode 100644
index 0000000..8376c95
--- /dev/null
+++ b/systemd_domain_dyntrans_type.patch
@@ -0,0 +1,13 @@
+Index: fedora-policy-20220124/policy/modules/system/init.te
+===================================================================
+--- fedora-policy-20220124.orig/policy/modules/system/init.te
++++ fedora-policy-20220124/policy/modules/system/init.te
+@@ -179,6 +179,8 @@ allow init_t self:tcp_socket { listen ac
+ allow init_t self:packet_socket create_socket_perms;
+ allow init_t self:key manage_key_perms;
+ allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
++domain_dyntrans_type(init_t)
++allow init_t self:process { dyntransition setcurrent };
+
+ # is ~sys_module really needed? observed:
+ # sys_boot
diff --git a/users-minimum b/users-minimum
index e49103c..8ccacae 100644
--- a/users-minimum
+++ b/users-minimum
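Review bot: The two rules systemd_domain_dyntrans_type.patch adds, `domain_dyntrans_type(init_t)` and `allow init_t self:process { dyntransition setcurrent };`, come with no comment, and the only explanation, "certain boot conditions (bsc#1182500)", lives in the changelog hunk of this commit. setcurrent/dyntransition on init_t is the kind of grant a later reviewer will want the rationale for in place, so I would add `# bsc#1182500: systemd dyntransitions in certain boot conditions` directly above the two lines, with the concrete boot path once it is known. The self-only rule reads as narrow (a transition from init_t to init_t), but domain_dyntrans_type() presumably attaches init_t to an attribute whose rules live outside this hunk, so confirm it does not widen the set of domains init_t can transition into. Unlike the other patches in this commit, this one is still generated against fedora-policy-20220124.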
@@ -36,3 +36,4 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# not in the sysadm_r.
# gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/users-mls b/users-mls
index 4de9d57..167ba7c 100644
--- a/users-mls
+++ b/users-mls
@@ -36,3 +36,5 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# not in the sysadm_r.
# gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/users-targeted b/users-targeted
index e49103c..e943336 100644
--- a/users-targeted
+++ b/users-targeted
@@ -36,3 +36,6 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# not in the sysadm_r.
# gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
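Review bot: The new gen_user() entries name roles (unconfined_r, guest_r, xguest_r) that are declared by separate policy modules, and which users file receives which entry differs: users-minimum gets only unconfined_u, users-mls only guest_u and xguest_u, users-targeted all three. That split is probably deliberate (no unconfined domain in the MLS store, no guest roles in the minimum store), but nothing in the files records it, and as far as I can tell a gen_user() that names a role absent from that store's built policy is a build-time error, so the dependency should be visible where the entry is. A one-line comment per added entry, such as `# guest_u/xguest_u: roles provided by the guest and xguest modules`, in the style of the existing `# not in the sysadm_r.` remark, would carry that the next time the module lists change.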