From aea4a827c00f7441728f58fa8ff96aa4b8a32477bd2e1538093e40372891ef1d Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Sun, 23 May 2021 21:30:29 +0000
Subject: [PATCH] Accepting request 894727 from security:SELinux

- allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units
 that trigger on changes in those.
 Added fix_systemd_watch.patch
- own /usr/share/selinux/packages/$SELINUXTYPE/ and
 /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install
 files there

OBS-URL: https://build.opensuse.org/request/show/894727
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=13
---
 fix_systemd_watch.patch | 38 ++++++++++++++++++++++++++++++++++++++
 selinux-policy.changes | 10 ++++++++++
 selinux-policy.spec | 7 ++++++-
 3 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 fix_systemd_watch.patch

diff --git a/fix_systemd_watch.patch b/fix_systemd_watch.patch
new file mode 100644
index 0000000..fb52641
--- /dev/null
+++ b/fix_systemd_watch.patch
@@ -0,0 +1,38 @@
+Index: fedora-policy-20210419/policy/modules/system/systemd.te
+===================================================================
+--- fedora-policy-20210419.orig/policy/modules/system/systemd.te
++++ fedora-policy-20210419/policy/modules/system/systemd.te
+@@ -1357,3 +1357,10 @@ fstools_rw_swap_files(systemd_sleep_t)
+ 
+ # systemd-sleep needs to getattr swap partitions
+ storage_getattr_fixed_disk_dev(systemd_sleep_t)
++
++
++#######################################
++#
++# Allow systemd to watch certificate dir for ca-certificates
++#
++watch_dirs_pattern(init_t,cert_t,cert_t)
+Index: fedora-policy-20210419/policy/modules/system/init.te
+===================================================================
+--- fedora-policy-20210419.orig/policy/modules/system/init.te
++++ fedora-policy-20210419/policy/modules/system/init.te
+@@ -317,7 +317,10 @@ files_etc_filetrans_etc_runtime(init_t,
+ # Run /etc/X11/prefdm:
+ files_exec_etc_files(init_t)
+ files_watch_etc_dirs(init_t)
++files_watch_etc_files(init_t)
+ files_read_usr_files(init_t)
++files_watch_usr_dirs(init_t)
++files_watch_usr_files(init_t)
+ files_watch_root_dirs(init_t)
+ files_write_root_dirs(init_t)
+ files_watch_var_dirs(init_t)
+@@ -334,6 +337,7 @@ files_remount_rootfs(init_t)
+ files_create_var_dirs(init_t)
+ files_watch_home(init_t)
+ files_watch_all_pid(init_t)
++watch_dirs_pattern(init_t,lib_t,lib_t)
+ 
+ fs_list_inotifyfs(init_t)
+ # cjp: this may be related to /dev/log
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 06eeea7..bdbda71 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
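Review bot: `watch_dirs_pattern(init_t,cert_t,cert_t)` in systemd.te and `watch_dirs_pattern(init_t,lib_t,lib_t)` in init.te use types that belong to other modules (cert_t is declared by miscfiles, lib_t by libraries) directly instead of through an interface, and the first one is filed under the systemd_sleep rules with its own comment header although it grants to init_t. The refpolicy convention would be an interface added to the owning module's .if file and called from init.te next to the other `files_watch_*` lines, which also keeps all init_t watch grants in one place. Separately, `files_watch_usr_files(init_t)` grants watch on every usr_t file, which is wider than the directories (/usr, /usr/lib, /etc, /etc/pki) named in the change description; if the path units only watch directories, `files_watch_usr_dirs` plus the lib_t directory pattern should be sufficient and the file-level grant could be dropped, so it is worth confirming which unit actually needs it. The same question applies to `files_watch_etc_files(init_t)`.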
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue May 18 11:10:59 UTC 2021 - Ludwig Nussel
+
+- allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units
+ that trigger on changes in those.
+ Added fix_systemd_watch.patch
+- own /usr/share/selinux/packages/$SELINUXTYPE/ and
+ /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install
+ files there
+
 -------------------------------------------------------------------
 Wed Apr 28 15:18:37 UTC 2021 - Ludwig Nussel
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cab891b..f3168b3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -131,6 +131,7 @@ Patch050: fix_libraries.patch
 Patch051: fix_dovecot.patch
 # https://github.com/cockpit-project/cockpit/pull/15758
 Patch052: fix_cockpit.patch
+Patch053: fix_systemd_watch.patch
 Patch100: sedoctool.patch
@@ -183,6 +184,7 @@ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \
 make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \
 make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \
 %{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
+%{__mkdir} -p %{buildroot}%{_sharedstatedir}/selinux/%1/active/modules/{1,2,4}00 \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
 install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
 install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
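Review bot: Patch053 is declared in the `@@ -131,6 +131,7 @@` hunk but nothing in that hunk applies it; whether the new policy rules take effect depends on the %prep section outside the hunk (an `%autosetup`/`%autopatch` call, or an explicit `%patch53 -p1` line matching however Patch050 through Patch052 are applied), so that should be confirmed before merging. The surrounding Patch list continues outside the hunk.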
@@ -210,6 +212,8 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
 %dir %attr(700,root,root) %{_sharedstatedir}/selinux/%1/active/modules \
 %dir %{_sharedstatedir}/selinux/%1/active/modules/100 \
+%dir %{_sharedstatedir}/selinux/%1/active/modules/200 \
+%dir %{_sharedstatedir}/selinux/%1/active/modules/400 \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
 %dir %{_sysconfdir}/selinux/%1/policy/ \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.* \
@@ -250,6 +254,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
 %dir %{_datadir}/selinux/%1 \
+%dir %{_datadir}/selinux/packages/%1 \
 %{_datadir}/selinux/%1/base.lst \
 %{_datadir}/selinux/%1/modules-base.lst \
 %{_datadir}/selinux/%1/modules-contrib.lst \
@@ -409,7 +414,7 @@ sed -i 's|SELINUXSTOREPATH|%{_sharedstatedir}/selinux|' %{buildroot}%{_rpmconfig
 mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
 mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
-mkdir -p %{buildroot}%{_datadir}/selinux/packages
+mkdir -p %{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/
 mkdir selinux_config
 for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do