Accepting request 1080824 from security:SELinux
- Update to version 20230420: * libzypp creates temporary files in /var/adm/mount. Label it with rpm_var_cache_t to prevent wrong labels in /var/cache/zypp * only use rsync_exec_t for the rsync server, not for the client (bsc#1209890) * properly label sshd-gen-keys-start to ensure ssh host keys have proper labels after creation * Allow dovecot-deliver write to the main process runtime fifo files * Allow dmidecode write to cloud-init tmp files * Allow chronyd send a message to cloud-init over a datagram socket * Allow cloud-init domain transition to insights-client domain * Allow mongodb read filesystem sysctls * Allow mongodb read network sysctls * Allow accounts-daemon read generic systemd unit lnk files * Allow blueman watch generic device dirs * Allow nm-dispatcher tlp plugin create tlp dirs * Allow systemd-coredump mounton /usr * Allow rabbitmq to read network sysctls * Allow certmonger dbus chat with the cron system domain * Allow geoclue read network sysctls * Allow geoclue watch the /etc directory * Allow logwatch_mail_t read network sysctls * allow systemd_resolved_t to bind to all nodes (bsc#1200182) * Allow insights-client read all sysctls * Allow passt manage qemu pid sock files * Allow sssd read accountsd fifo files * Add support for the passt_t domain * Allow virtd_t and svirt_t work with passt * Add new interfaces in the virt module * Add passt interfaces defined conditionally OBS-URL: https://build.opensuse.org/request/show/1080824 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=45
This commit is contained in:
commit
ae7e61e582
@ -1,6 +1,6 @@
|
||||
<servicedata>
|
||||
<service name="tar_scm">
|
||||
<param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
|
||||
<param name="changesrevision">0140f0a3f8dbf17ddbd0adb6c8fc7eb23511ba2f</param></service><service name="tar_scm">
|
||||
<param name="changesrevision">ca88adc84584e150ecb8f67ec2c1dc5a29618ab9</param></service><service name="tar_scm">
|
||||
<param name="url">https://github.com/containers/container-selinux.git</param>
|
||||
<param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service></servicedata>
|
29
container.te
29
container.te
@ -1,4 +1,4 @@
|
||||
policy_module(container, 2.205.0)
|
||||
policy_module(container, 2.210.0)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
@ -17,6 +17,13 @@ gen_require(`
|
||||
## </desc>
|
||||
gen_tunable(container_connect_any, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Determine whether sshd can launch container engines
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(sshd_launch_containers, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow containers to use any device volume mounted into container
|
||||
@ -77,7 +84,6 @@ ifdef(`enable_mls',`
|
||||
type spc_t, container_domain;
|
||||
domain_type(spc_t)
|
||||
role system_r types spc_t;
|
||||
init_initrc_domain(spc_t)
|
||||
|
||||
type container_auth_t alias docker_auth_t;
|
||||
type container_auth_exec_t alias docker_auth_exec_t;
|
||||
@ -124,6 +130,7 @@ term_pty(container_devpts_t)
|
||||
|
||||
typealias container_ro_file_t alias { container_share_t docker_share_t };
|
||||
files_mountpoint(container_ro_file_t)
|
||||
userdom_user_home_content(container_ro_file_t)
|
||||
|
||||
type container_port_t alias docker_port_t;
|
||||
corenet_port(container_port_t)
|
||||
@ -287,6 +294,8 @@ domain_getattr_all_domains(container_runtime_domain)
|
||||
|
||||
userdom_map_tmp_files(container_runtime_domain)
|
||||
|
||||
anaconda_domtrans_install(container_runtime_domain)
|
||||
|
||||
optional_policy(`
|
||||
gnome_map_generic_data_home_files(container_runtime_domain)
|
||||
allow container_runtime_domain data_home_t:dir { relabelfrom relabelto };
|
||||
@ -575,7 +584,6 @@ fs_unmount_fusefs(container_runtime_domain)
|
||||
fs_exec_fusefs_files(container_runtime_domain)
|
||||
storage_rw_fuse(container_runtime_domain)
|
||||
|
||||
|
||||
optional_policy(`
|
||||
files_search_all(container_domain)
|
||||
container_read_share_files(container_domain)
|
||||
@ -806,7 +814,7 @@ gen_require(`
|
||||
')
|
||||
container_manage_files_template(container, container)
|
||||
|
||||
typeattribute container_file_t container_file_type;
|
||||
typeattribute container_file_t container_file_type, user_home_type;
|
||||
typeattribute container_t container_domain, container_net_domain, container_user_domain;
|
||||
allow container_user_domain self:process getattr;
|
||||
allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
|
||||
@ -1411,7 +1419,7 @@ optional_policy(`
|
||||
type syslogd_t;
|
||||
')
|
||||
|
||||
allow syslogd_t container_runtime_tmpfs_t:file { read write };
|
||||
allow syslogd_t container_runtime_tmpfs_t:file rw_inherited_file_perms;
|
||||
logging_send_syslog_msg(container_runtime_t)
|
||||
')
|
||||
|
||||
@ -1422,3 +1430,14 @@ manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_
|
||||
manage_chr_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
|
||||
manage_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
|
||||
manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
|
||||
|
||||
tunable_policy(`sshd_launch_containers',`
|
||||
gen_require(`
|
||||
type sshd_t;
|
||||
type systemd_logind_t;
|
||||
type iptables_var_run_t;
|
||||
')
|
||||
|
||||
container_runtime_domtrans(sshd_t)
|
||||
dontaudit systemd_logind_t iptables_var_run_t:dir read;
|
||||
')
|
||||
|
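Review bot: The `## <desc>` text for the new `sshd_launch_containers` tunable ("Determine whether sshd can launch container engines") does not say what enabling it grants, while the `tunable_policy` block at the end of the file shows it makes `sshd_t` domain-transition into the container runtime domain via `container_runtime_domtrans(sshd_t)`, a large privilege expansion for the SSH daemon that an administrator flipping the boolean should see in `semanage boolean -l` output. I would write the desc as `## Determine whether sshd can launch container engines (lets sshd_t domain-transition into the container runtime domain; default off)`. The same block also carries `dontaudit systemd_logind_t iptables_var_run_t:dir read`, which has nothing to do with sshd and will hide logind denials whenever the boolean is on; it belongs outside the tunable or needs a comment explaining the coupling. The hunk that changes `typeattribute container_file_t container_file_type;` to add `user_home_type` appears to make container content reachable by every rule granting access to user home types, which is worth confirming as intended for this policy; old and new sides of that line are not marked on this page, so I am reading the second copy as the new one.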
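--- /dev/null
+++ b/debug-build.sh
@@ -0,0 +1,34 @@
+# This script creates a debugging and testing environment when working on the policy
+# Basically a fancy wrapper for "tar --exclude-vcs -cJf selinux-policy-20230321.tar.xz --transform 's,^,selinux-policy-20230321/,' -C selinux-policy ."
+#
+# 1. Get the git repository with 'osc service manualrun' or './update.sh'
+# 2. Do your changes in the selinux-policy repository, test around
+# 1. When you want to build locally to debug, call this script. It will create a .tar.xz with your current selinux-policy working directory.
+# 2. Build locally: e.g. with osc build
+# 3. Test your rpms that contain your changes and repeat
+# 3. When finished, commit your changes in the selinux-policy repository and push to git
+# 4. Run './update.sh' and checkin the changes to OBS
+
+REPO_NAME=selinux-policy
+
+# Check if git repository exists, if not ask the user to fetch the latest version
+if ! test -d "$REPO_NAME"; then
+echo "-$REPO_NAME does not exist. Please run 'osc service manualrun' or './update.sh' first."
+exit 1;
+fi
+
+# Get current version: Parse "Version: <current-version>" from specfile
+VERSION=$(grep -Po '^Version:\s*\K.*?(?=$)' $REPO_NAME.spec)
+
+# Create tar file with name like selinux-policy-<current-version>.tar.xz
+TAR_NAME=$REPO_NAME-$VERSION.tar.xz
+echo "Creating tar file: $TAR_NAME"
+tar --exclude-vcs -cJf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C $REPO_NAME .
+
+# Some helpful prompts
+if test $? -eq 0; then
+echo "Success! Now you can run your local build command, e.g. 'osc build'. It will take the archive that contains your changes."
+echo "You can also inspect the created archive with: 'tar tvf $REPO_NAME-$VERSION.tar.xz'"
+else
+echo "Error, creating archive failed"
+fi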
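Review bot: `VERSION` is never checked after the `grep -Po` line that parses the spec, so if the pattern does not match or `$REPO_NAME.spec` is missing the script silently packs `selinux-policy-.tar.xz` and then prints the success prompt; the same line and the `tar` invocation also leave `$REPO_NAME.spec`, `$TAR_NAME` and `-C $REPO_NAME` unquoted, and the file carries no shebang, so it runs under whatever shell the caller happens to use. I would add `#!/bin/bash` and `set -u` at the top, quote the expansions, and fail early when the version cannot be parsed, as sketched below (`set -e` is deliberately left out because the later `if test $? -eq 0` relies on `tar` failing without aborting). `grep -P` needs GNU grep built with PCRE, which holds on openSUSE but deserves a one-line comment for people running this from other systems.
```shell
#!/bin/bash
set -u
# … unchanged: usage comments, REPO_NAME and the repository existence check …

# Get current version: Parse "Version: <current-version>" from specfile (needs GNU grep with PCRE)
VERSION=$(grep -Po '^Version:\s*\K.*?(?=$)' "$REPO_NAME.spec")
if test -z "$VERSION"; then
    echo "Could not parse 'Version:' from $REPO_NAME.spec"
    exit 1
fi

TAR_NAME="$REPO_NAME-$VERSION.tar.xz"
echo "Creating tar file: $TAR_NAME"
tar --exclude-vcs -cJf "$TAR_NAME" --transform "s,^,$REPO_NAME-$VERSION/," -C "$REPO_NAME" .
# … unchanged: success / failure prompts …
```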
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:aca29203873cc2fdec23e233e89e56471f06c7b7fa02ed29fa3978e85b994e04
|
||||
size 752588
|
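--- /dev/null
+++ b/selinux-policy-20230420.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fc623df379efb3571e2da1798099459b353d4a02bc6b6d9045cf8545ef15086e
+size 754612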
@ -1,3 +1,71 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 20 10:47:16 UTC 2023 - jsegitz@suse.com
|
||||
|
||||
- Update to version 20230420:
|
||||
* libzypp creates temporary files in /var/adm/mount. Label it with
|
||||
rpm_var_cache_t to prevent wrong labels in /var/cache/zypp
|
||||
* only use rsync_exec_t for the rsync server, not for the client
|
||||
(bsc#1209890)
|
||||
* properly label sshd-gen-keys-start to ensure ssh host keys have proper
|
||||
labels after creation
|
||||
* Allow dovecot-deliver write to the main process runtime fifo files
|
||||
* Allow dmidecode write to cloud-init tmp files
|
||||
* Allow chronyd send a message to cloud-init over a datagram socket
|
||||
* Allow cloud-init domain transition to insights-client domain
|
||||
* Allow mongodb read filesystem sysctls
|
||||
* Allow mongodb read network sysctls
|
||||
* Allow accounts-daemon read generic systemd unit lnk files
|
||||
* Allow blueman watch generic device dirs
|
||||
* Allow nm-dispatcher tlp plugin create tlp dirs
|
||||
* Allow systemd-coredump mounton /usr
|
||||
* Allow rabbitmq to read network sysctls
|
||||
* Allow certmonger dbus chat with the cron system domain
|
||||
* Allow geoclue read network sysctls
|
||||
* Allow geoclue watch the /etc directory
|
||||
* Allow logwatch_mail_t read network sysctls
|
||||
* allow systemd_resolved_t to bind to all nodes (bsc#1200182)
|
||||
* Allow insights-client read all sysctls
|
||||
* Allow passt manage qemu pid sock files
|
||||
* Allow sssd read accountsd fifo files
|
||||
* Add support for the passt_t domain
|
||||
* Allow virtd_t and svirt_t work with passt
|
||||
* Add new interfaces in the virt module
|
||||
* Add passt interfaces defined conditionally
|
||||
* Allow tshark the setsched capability
|
||||
* Allow poweroff create connections to system dbus
|
||||
* Allow wg load kernel modules, search debugfs dir
|
||||
* Boolean: allow qemu-ga manage ssh home directory
|
||||
* Label smtpd with sendmail_exec_t
|
||||
* Label msmtp and msmtpd with sendmail_exec_t
|
||||
* Allow dovecot to map files in /var/spool/dovecot
|
||||
* Confine gnome-initial-setup
|
||||
* Allow qemu-guest-agent create and use vsock socket
|
||||
* Allow login_pgm setcap permission
|
||||
* Allow chronyc read network sysctls
|
||||
* Enhancement of the /usr/sbin/request-key helper policy
|
||||
* Fix opencryptoki file names in /dev/shm
|
||||
* Allow system_cronjob_t transition to rpm_script_t
|
||||
* Revert "Allow system_cronjob_t domtrans to rpm_script_t"
|
||||
* Add tunable to allow squid bind snmp port
|
||||
* Allow staff_t getattr init pid chr & blk files and read krb5
|
||||
* Allow firewalld to rw z90crypt device
|
||||
* Allow httpd work with tokens in /dev/shm
|
||||
* Allow svirt to map svirt_image_t char files
|
||||
* Allow sysadm_t run initrc_t script and sysadm_r role access
|
||||
* Allow insights-client manage fsadm pid files
|
||||
* Allowing snapper to create snapshots of /home/ subvolume/partition
|
||||
* Add boolean qemu-ga to run unconfined script
|
||||
* Label systemd-journald feature LogNamespace
|
||||
* Add none file context for polyinstantiated tmp dirs
|
||||
* Allow certmonger read the contents of the sysfs filesystem
|
||||
* Add journalctl the sys_resource capability
|
||||
* Allow nm-dispatcher plugins read generic files in /proc
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 28 12:27:47 UTC 2023 - Hu <cathy.hu@suse.com>
|
||||
|
||||
- Add debug-build.sh script to make debugging without committing easier
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 21 15:37:23 UTC 2023 - jsegitz@suse.com
|
||||
|
||||
|
@ -33,7 +33,7 @@ Summary: SELinux policy configuration
|
||||
License: GPL-2.0-or-later
|
||||
Group: System/Management
|
||||
Name: selinux-policy
|
||||
Version: 20230321
|
||||
Version: 20230420
|
||||
Release: 0
|
||||
Source0: %{name}-%{version}.tar.xz
|
||||
Source1: container.fc
|
||||
@ -42,6 +42,7 @@ Source3: container.if
|
||||
Source4: selinux-policy-rpmlintrc
|
||||
Source5: README.Update
|
||||
Source6: update.sh
|
||||
Source7: debug-build.sh
|
||||
|
||||
Source10: modules-targeted-base.conf
|
||||
Source11: modules-targeted-contrib.conf
|
||||
|