forked from pool/selinux-policy
Accepting request 1080824 from security:SELinux
- Update to version 20230420: * libzypp creates temporary files in /var/adm/mount. Label it with rpm_var_cache_t to prevent wrong labels in /var/cache/zypp * only use rsync_exec_t for the rsync server, not for the client (bsc#1209890) * properly label sshd-gen-keys-start to ensure ssh host keys have proper labels after creation * Allow dovecot-deliver write to the main process runtime fifo files * Allow dmidecode write to cloud-init tmp files * Allow chronyd send a message to cloud-init over a datagram socket * Allow cloud-init domain transition to insights-client domain * Allow mongodb read filesystem sysctls * Allow mongodb read network sysctls * Allow accounts-daemon read generic systemd unit lnk files * Allow blueman watch generic device dirs * Allow nm-dispatcher tlp plugin create tlp dirs * Allow systemd-coredump mounton /usr * Allow rabbitmq to read network sysctls * Allow certmonger dbus chat with the cron system domain * Allow geoclue read network sysctls * Allow geoclue watch the /etc directory * Allow logwatch_mail_t read network sysctls * allow systemd_resolved_t to bind to all nodes (bsc#1200182) * Allow insights-client read all sysctls * Allow passt manage qemu pid sock files * Allow sssd read accountsd fifo files * Add support for the passt_t domain * Allow virtd_t and svirt_t work with passt * Add new interfaces in the virt module * Add passt interfaces defined conditionally OBS-URL: https://build.opensuse.org/request/show/1080824 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=45
commit
ae7e61e582
@ -1,6 +1,6 @@
|
|||||||
<servicedata>
|
<servicedata>
|
||||||
<service name="tar_scm">
|
<service name="tar_scm">
|
||||||
<param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
|
<param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param>
|
||||||
<param name="changesrevision">0140f0a3f8dbf17ddbd0adb6c8fc7eb23511ba2f</param></service><service name="tar_scm">
|
<param name="changesrevision">ca88adc84584e150ecb8f67ec2c1dc5a29618ab9</param></service><service name="tar_scm">
|
||||||
<param name="url">https://github.com/containers/container-selinux.git</param>
|
<param name="url">https://github.com/containers/container-selinux.git</param>
|
||||||
<param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service></servicedata>
|
<param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service></servicedata>
|
29
container.te
29
container.te
@ -1,4 +1,4 @@
|
|||||||
policy_module(container, 2.205.0)
|
policy_module(container, 2.210.0)
|
||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
class passwd rootok;
|
class passwd rootok;
|
||||||
@ -17,6 +17,13 @@ gen_require(`
|
|||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(container_connect_any, false)
|
gen_tunable(container_connect_any, false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Determine whether sshd can launch container engines
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(sshd_launch_containers, false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow containers to use any device volume mounted into container
|
## Allow containers to use any device volume mounted into container
|
||||||
@ -77,7 +84,6 @@ ifdef(`enable_mls',`
|
|||||||
type spc_t, container_domain;
|
type spc_t, container_domain;
|
||||||
domain_type(spc_t)
|
domain_type(spc_t)
|
||||||
role system_r types spc_t;
|
role system_r types spc_t;
|
||||||
init_initrc_domain(spc_t)
|
|
||||||
|
|
||||||
type container_auth_t alias docker_auth_t;
|
type container_auth_t alias docker_auth_t;
|
||||||
type container_auth_exec_t alias docker_auth_exec_t;
|
type container_auth_exec_t alias docker_auth_exec_t;
|
||||||
@ -124,6 +130,7 @@ term_pty(container_devpts_t)
|
|||||||
|
|
||||||
typealias container_ro_file_t alias { container_share_t docker_share_t };
|
typealias container_ro_file_t alias { container_share_t docker_share_t };
|
||||||
files_mountpoint(container_ro_file_t)
|
files_mountpoint(container_ro_file_t)
|
||||||
|
userdom_user_home_content(container_ro_file_t)
|
||||||
|
|
||||||
type container_port_t alias docker_port_t;
|
type container_port_t alias docker_port_t;
|
||||||
corenet_port(container_port_t)
|
corenet_port(container_port_t)
|
||||||
@ -287,6 +294,8 @@ domain_getattr_all_domains(container_runtime_domain)
|
|||||||
|
|
||||||
userdom_map_tmp_files(container_runtime_domain)
|
userdom_map_tmp_files(container_runtime_domain)
|
||||||
|
|
||||||
|
anaconda_domtrans_install(container_runtime_domain)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
gnome_map_generic_data_home_files(container_runtime_domain)
|
gnome_map_generic_data_home_files(container_runtime_domain)
|
||||||
allow container_runtime_domain data_home_t:dir { relabelfrom relabelto };
|
allow container_runtime_domain data_home_t:dir { relabelfrom relabelto };
|
||||||
@ -575,7 +584,6 @@ fs_unmount_fusefs(container_runtime_domain)
|
|||||||
fs_exec_fusefs_files(container_runtime_domain)
|
fs_exec_fusefs_files(container_runtime_domain)
|
||||||
storage_rw_fuse(container_runtime_domain)
|
storage_rw_fuse(container_runtime_domain)
|
||||||
|
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
files_search_all(container_domain)
|
files_search_all(container_domain)
|
||||||
container_read_share_files(container_domain)
|
container_read_share_files(container_domain)
|
||||||
@ -806,7 +814,7 @@ gen_require(`
|
|||||||
')
|
')
|
||||||
container_manage_files_template(container, container)
|
container_manage_files_template(container, container)
|
||||||
|
|
||||||
typeattribute container_file_t container_file_type;
|
typeattribute container_file_t container_file_type, user_home_type;
|
||||||
typeattribute container_t container_domain, container_net_domain, container_user_domain;
|
typeattribute container_t container_domain, container_net_domain, container_user_domain;
|
||||||
allow container_user_domain self:process getattr;
|
allow container_user_domain self:process getattr;
|
||||||
allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
|
allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
|
||||||
@ -1411,7 +1419,7 @@ optional_policy(`
|
|||||||
type syslogd_t;
|
type syslogd_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
allow syslogd_t container_runtime_tmpfs_t:file { read write };
|
allow syslogd_t container_runtime_tmpfs_t:file rw_inherited_file_perms;
|
||||||
logging_send_syslog_msg(container_runtime_t)
|
logging_send_syslog_msg(container_runtime_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
@ -1422,3 +1430,14 @@ manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_
|
|||||||
manage_chr_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
|
manage_chr_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
|
||||||
manage_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
|
manage_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
|
||||||
manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
|
manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
|
||||||
|
|
||||||
|
tunable_policy(`sshd_launch_containers',`
|
||||||
|
gen_require(`
|
||||||
|
type sshd_t;
|
||||||
|
type systemd_logind_t;
|
||||||
|
type iptables_var_run_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
container_runtime_domtrans(sshd_t)
|
||||||
|
dontaudit systemd_logind_t iptables_var_run_t:dir read;
|
||||||
|
')
|
||||||
|
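Review bot: The `dontaudit systemd_logind_t iptables_var_run_t:dir read;` line inside the new `tunable_policy(`sshd_launch_containers',` block (last hunk) is unrelated to sshd launching a container engine, yet it is now only in effect while that boolean is on, so logind's iptables-runtime denials are silenced or surfaced depending on an unrelated setting. Move that dontaudit out of the tunable block (into the logind or iptables policy, or at least to module scope) and keep the block to `container_runtime_domtrans(sshd_t)` so the boolean's own description, "Determine whether sshd can launch container engines", stays accurate. A comment above the block would also help reviewers: the rule lets the sshd_t domain itself transition into container_runtime_t when it executes the runtime binary, which is why the tunable defaults to false. Separately, `typeattribute container_file_t container_file_type, user_home_type;` (hunk at line 814) and `userdom_user_home_content(container_ro_file_t)` (hunk at line 130) extend both types to every domain granted user-home-content access through the attribute; a one-line comment stating the intent (presumably rootless containers under $HOME) would make that widening deliberate rather than incidental.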
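--- a/debug-build.sh
+++ b/debug-build.sh
@@ -0,0 +1,34 @@
+# This script creates a debugging and testing environment when working on the policy
+# Basically a fancy wrapper for "tar --exclude-vcs -cJf selinux-policy-20230321.tar.xz --transform 's,^,selinux-policy-20230321/,' -C selinux-policy ."
+#
+# 1. Get the git repository with 'osc service manualrun' or './update.sh'
+# 2. Do your changes in the selinux-policy repository, test around
+# 1. When you want to build locally to debug, call this script. It will create a .tar.xz with your current selinux-policy working directory.
+# 2. Build locally: e.g. with osc build
+# 3. Test your rpms that contain your changes and repeat
+# 3. When finished, commit your changes in the selinux-policy repository and push to git
+# 4. Run './update.sh' and checkin the changes to OBS
+
+REPO_NAME=selinux-policy
+
+# Check if git repository exists, if not ask the user to fetch the latest version
+if ! test -d "$REPO_NAME"; then
+echo "-$REPO_NAME does not exist. Please run 'osc service manualrun' or './update.sh' first."
+exit 1;
+fi
+
+# Get current version: Parse "Version: <current-version>" from specfile
+VERSION=$(grep -Po '^Version:\s*\K.*?(?=$)' $REPO_NAME.spec)
+
+# Create tar file with name like selinux-policy-<current-version>.tar.xz
+TAR_NAME=$REPO_NAME-$VERSION.tar.xz
+echo "Creating tar file: $TAR_NAME"
+tar --exclude-vcs -cJf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C $REPO_NAME .
+
+# Some helpful prompts
+if test $? -eq 0; then
+echo "Success! Now you can run your local build command, e.g. 'osc build'. It will take the archive that contains your changes."
+echo "You can also inspect the created archive with: 'tar tvf $REPO_NAME-$VERSION.tar.xz'"
+else
+echo "Error, creating archive failed"
+fi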
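Review bot: The script has no interpreter line — its first line is the comment `# This script creates a debugging and testing environment when working on the policy` — so it runs under whatever shell the caller happens to use; add `#!/bin/bash` as line 1. `VERSION` is also never checked: if `grep -Po '^Version:\s*\K.*?(?=$)' $REPO_NAME.spec` matches nothing, `TAR_NAME` becomes `selinux-policy-.tar.xz` and the archive is still built under that name, so add `test -n "$VERSION" || { echo "Could not read Version: from $REPO_NAME.spec"; exit 1; }` directly after the assignment. The message `echo "-$REPO_NAME does not exist. ..."` carries a stray leading `-`. The numbered steps in the header comment run 1, 2, 1, 2, 3, 3, 4 and would read better as one sequence.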
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:aca29203873cc2fdec23e233e89e56471f06c7b7fa02ed29fa3978e85b994e04
|
|
||||||
size 752588
|
|
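--- a/selinux-policy-20230420.tar.xz
+++ b/selinux-policy-20230420.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fc623df379efb3571e2da1798099459b353d4a02bc6b6d9045cf8545ef15086e
+size 754612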
@ -1,3 +1,71 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 20 10:47:16 UTC 2023 - jsegitz@suse.com
|
||||||
|
|
||||||
|
- Update to version 20230420:
|
||||||
|
* libzypp creates temporary files in /var/adm/mount. Label it with
|
||||||
|
rpm_var_cache_t to prevent wrong labels in /var/cache/zypp
|
||||||
|
* only use rsync_exec_t for the rsync server, not for the client
|
||||||
|
(bsc#1209890)
|
||||||
|
* properly label sshd-gen-keys-start to ensure ssh host keys have proper
|
||||||
|
labels after creation
|
||||||
|
* Allow dovecot-deliver write to the main process runtime fifo files
|
||||||
|
* Allow dmidecode write to cloud-init tmp files
|
||||||
|
* Allow chronyd send a message to cloud-init over a datagram socket
|
||||||
|
* Allow cloud-init domain transition to insights-client domain
|
||||||
|
* Allow mongodb read filesystem sysctls
|
||||||
|
* Allow mongodb read network sysctls
|
||||||
|
* Allow accounts-daemon read generic systemd unit lnk files
|
||||||
|
* Allow blueman watch generic device dirs
|
||||||
|
* Allow nm-dispatcher tlp plugin create tlp dirs
|
||||||
|
* Allow systemd-coredump mounton /usr
|
||||||
|
* Allow rabbitmq to read network sysctls
|
||||||
|
* Allow certmonger dbus chat with the cron system domain
|
||||||
|
* Allow geoclue read network sysctls
|
||||||
|
* Allow geoclue watch the /etc directory
|
||||||
|
* Allow logwatch_mail_t read network sysctls
|
||||||
|
* allow systemd_resolved_t to bind to all nodes (bsc#1200182)
|
||||||
|
* Allow insights-client read all sysctls
|
||||||
|
* Allow passt manage qemu pid sock files
|
||||||
|
* Allow sssd read accountsd fifo files
|
||||||
|
* Add support for the passt_t domain
|
||||||
|
* Allow virtd_t and svirt_t work with passt
|
||||||
|
* Add new interfaces in the virt module
|
||||||
|
* Add passt interfaces defined conditionally
|
||||||
|
* Allow tshark the setsched capability
|
||||||
|
* Allow poweroff create connections to system dbus
|
||||||
|
* Allow wg load kernel modules, search debugfs dir
|
||||||
|
* Boolean: allow qemu-ga manage ssh home directory
|
||||||
|
* Label smtpd with sendmail_exec_t
|
||||||
|
* Label msmtp and msmtpd with sendmail_exec_t
|
||||||
|
* Allow dovecot to map files in /var/spool/dovecot
|
||||||
|
* Confine gnome-initial-setup
|
||||||
|
* Allow qemu-guest-agent create and use vsock socket
|
||||||
|
* Allow login_pgm setcap permission
|
||||||
|
* Allow chronyc read network sysctls
|
||||||
|
* Enhancement of the /usr/sbin/request-key helper policy
|
||||||
|
* Fix opencryptoki file names in /dev/shm
|
||||||
|
* Allow system_cronjob_t transition to rpm_script_t
|
||||||
|
* Revert "Allow system_cronjob_t domtrans to rpm_script_t"
|
||||||
|
* Add tunable to allow squid bind snmp port
|
||||||
|
* Allow staff_t getattr init pid chr & blk files and read krb5
|
||||||
|
* Allow firewalld to rw z90crypt device
|
||||||
|
* Allow httpd work with tokens in /dev/shm
|
||||||
|
* Allow svirt to map svirt_image_t char files
|
||||||
|
* Allow sysadm_t run initrc_t script and sysadm_r role access
|
||||||
|
* Allow insights-client manage fsadm pid files
|
||||||
|
* Allowing snapper to create snapshots of /home/ subvolume/partition
|
||||||
|
* Add boolean qemu-ga to run unconfined script
|
||||||
|
* Label systemd-journald feature LogNamespace
|
||||||
|
* Add none file context for polyinstantiated tmp dirs
|
||||||
|
* Allow certmonger read the contents of the sysfs filesystem
|
||||||
|
* Add journalctl the sys_resource capability
|
||||||
|
* Allow nm-dispatcher plugins read generic files in /proc
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Mar 28 12:27:47 UTC 2023 - Hu <cathy.hu@suse.com>
|
||||||
|
|
||||||
|
- Add debug-build.sh script to make debugging without committing easier
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Mar 21 15:37:23 UTC 2023 - jsegitz@suse.com
|
Tue Mar 21 15:37:23 UTC 2023 - jsegitz@suse.com
|
||||||
|
|
||||||
|
@ -33,7 +33,7 @@ Summary: SELinux policy configuration
|
|||||||
License: GPL-2.0-or-later
|
License: GPL-2.0-or-later
|
||||||
Group: System/Management
|
Group: System/Management
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 20230321
|
Version: 20230420
|
||||||
Release: 0
|
Release: 0
|
||||||
Source0: %{name}-%{version}.tar.xz
|
Source0: %{name}-%{version}.tar.xz
|
||||||
Source1: container.fc
|
Source1: container.fc
|
||||||
@ -42,6 +42,7 @@ Source3: container.if
|
|||||||
Source4: selinux-policy-rpmlintrc
|
Source4: selinux-policy-rpmlintrc
|
||||||
Source5: README.Update
|
Source5: README.Update
|
||||||
Source6: update.sh
|
Source6: update.sh
|
||||||
|
Source7: debug-build.sh
|
||||||
|
|
||||||
Source10: modules-targeted-base.conf
|
Source10: modules-targeted-base.conf
|
||||||
Source11: modules-targeted-contrib.conf
|
Source11: modules-targeted-contrib.conf
|
||||||
|