From c4556003bf91d790ca313ff1a2062f02bf7c00c7fa1e59d1adcd478a2e9df3de Mon Sep 17 00:00:00 2001 
From: Johannes Segitz Date: Fri, 27 Jan 2023 14:51:33 +0000 Subject: [PATCH 1/8] Accepting request 1061575 from home:jsegitz:branches:security:SELinux - Update to version 20230125. Refreshed: * distro_suse_to_distro_redhat.patch * fix_dnsmasq.patch * fix_init.patch * fix_ipsec.patch * fix_kernel_sysctl.patch * fix_logging.patch * fix_rpm.patch * fix_selinuxutil.patch * fix_systemd_watch.patch * fix_userdomain.patch - More flexible lib(exec) matching in fix_fwupd.patch - Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch - Dropped fix_container.patch, is now upstream - Added fix_entropyd.patch * Added new interface entropyd_semaphore_filetrans to properly transfer semaphore created during early boot. That doesn't work yet, so work around with next item * Allow reading tmpfs files - Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interface to allow kmod_tmpfs_t files to be executed. Necessary for firewalld - Added fix_rtkit.patch to fix labeling of binary - Modified fix_ntp.patch: * Proper labeling for start-ntpd * Fixed label rules for chroot path * Temporarily allow dac_override for ntpd_t (bsc#1207577) * Add interface ntp_manage_pid_files to allow management of pid files - Updated fix_networkmanager.patch to allow managing ntp pid files OBS-URL: https://build.opensuse.org/request/show/1061575 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=171 --- distro_suse_to_distro_redhat.patch | 90 +++++++++++++++--------------- fedora-policy-20221019.tar.bz2 | 3 - fedora-policy-20230125.tar.bz2 | 3 + fix_container.patch | 13 ----- fix_dnsmasq.patch | 8 +-- fix_entropyd.patch | 76 +++++++++++++++++++++++++ fix_fwupd.patch | 17 ++++-- fix_init.patch | 22 ++++---- fix_ipsec.patch | 10 ++-- fix_kernel.patch | 52 +++++++++++++++++ fix_kernel_sysctl.patch | 14 ++--- fix_logging.patch | 14 ++--- fix_networkmanager.patch | 36 ++++++------ fix_ntp.patch | 78 +++++++++++++++++++++++--- fix_rpm.patch | 27 
+++++---- fix_rtkit.patch | 11 ++++ fix_selinuxutil.patch | 16 +++--- fix_systemd.patch | 17 ++---- fix_systemd_watch.patch | 8 +-- fix_userdomain.patch | 8 +-- selinux-policy.changes | 33 +++++++++++ selinux-policy.spec | 7 ++- 22 files changed, 391 insertions(+), 172 deletions(-) delete mode 100644 fedora-policy-20221019.tar.bz2 create mode 100644 fedora-policy-20230125.tar.bz2 delete mode 100644 fix_container.patch create mode 100644 fix_entropyd.patch create mode 100644 fix_kernel.patch create mode 100644 fix_rtkit.patch diff --git a/distro_suse_to_distro_redhat.patch b/distro_suse_to_distro_redhat.patch index c11814e..f3832d5 100644 --- a/distro_suse_to_distro_redhat.patch +++ b/distro_suse_to_distro_redhat.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20221019/policy/modules/contrib/apache.fc +Index: fedora-policy-20230116/policy/modules/contrib/apache.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/apache.fc -+++ fedora-policy-20221019/policy/modules/contrib/apache.fc +--- fedora-policy-20230116.orig/policy/modules/contrib/apache.fc ++++ fedora-policy-20230116/policy/modules/contrib/apache.fc @@ -74,7 +74,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.* /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) /usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -11,10 +11,10 @@ Index: fedora-policy-20221019/policy/modules/contrib/apache.fc /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') -Index: fedora-policy-20221019/policy/modules/contrib/cron.fc +Index: fedora-policy-20230116/policy/modules/contrib/cron.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc -+++ fedora-policy-20221019/policy/modules/contrib/cron.fc +--- fedora-policy-20230116.orig/policy/modules/contrib/cron.fc ++++ fedora-policy-20230116/policy/modules/contrib/cron.fc 
@@ -51,7 +51,7 @@ ifdef(`distro_gentoo',` /var/spool/cron/lastrun/[^/]* -- <> ') @@ -33,11 +33,11 @@ Index: fedora-policy-20221019/policy/modules/contrib/cron.fc /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) /var/spool/cron/lastrun/[^/]* -- <> /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc +Index: fedora-policy-20230116/policy/modules/contrib/rpm.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/rpm.fc -+++ fedora-policy-20221019/policy/modules/contrib/rpm.fc -@@ -80,7 +80,7 @@ ifdef(`distro_redhat', ` +--- fedora-policy-20230116.orig/policy/modules/contrib/rpm.fc ++++ fedora-policy-20230116/policy/modules/contrib/rpm.fc +@@ -82,7 +82,7 @@ ifdef(`distro_redhat', ` /var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) # SuSE @@ -46,10 +46,10 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) /sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0) /var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -Index: fedora-policy-20221019/policy/modules/kernel/corecommands.fc +Index: fedora-policy-20230116/policy/modules/kernel/corecommands.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/kernel/corecommands.fc -+++ fedora-policy-20221019/policy/modules/kernel/corecommands.fc +--- fedora-policy-20230116.orig/policy/modules/kernel/corecommands.fc ++++ fedora-policy-20230116/policy/modules/kernel/corecommands.fc @@ -462,7 +462,7 @@ ifdef(`distro_redhat', ` /usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0) ') 
@@ -68,10 +68,10 @@ Index: fedora-policy-20221019/policy/modules/kernel/corecommands.fc /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') -Index: fedora-policy-20221019/policy/modules/kernel/devices.fc +Index: fedora-policy-20230116/policy/modules/kernel/devices.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/kernel/devices.fc -+++ fedora-policy-20221019/policy/modules/kernel/devices.fc +--- fedora-policy-20230116.orig/policy/modules/kernel/devices.fc ++++ fedora-policy-20230116/policy/modules/kernel/devices.fc @@ -148,7 +148,7 @@ /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) @@ -81,10 +81,10 @@ Index: fedora-policy-20221019/policy/modules/kernel/devices.fc /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') /dev/vmci -c gen_context(system_u:object_r:vmci_device_t,s0) -Index: fedora-policy-20221019/policy/modules/kernel/files.fc +Index: fedora-policy-20230116/policy/modules/kernel/files.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20221019/policy/modules/kernel/files.fc +--- fedora-policy-20230116.orig/policy/modules/kernel/files.fc ++++ fedora-policy-20230116/policy/modules/kernel/files.fc @@ -22,7 +22,7 @@ ifdef(`distro_redhat',` /[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0) ') 
@@ -103,10 +103,10 @@ Index: fedora-policy-20221019/policy/modules/kernel/files.fc /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) ') -Index: fedora-policy-20221019/policy/modules/services/xserver.fc +Index: fedora-policy-20230116/policy/modules/services/xserver.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/services/xserver.fc -+++ fedora-policy-20221019/policy/modules/services/xserver.fc +--- fedora-policy-20230116.orig/policy/modules/services/xserver.fc ++++ fedora-policy-20230116/policy/modules/services/xserver.fc @@ -189,7 +189,7 @@ ifndef(`distro_debian',` /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) /var/run/systemd/multi-session-x(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) @@ -116,10 +116,10 @@ Index: fedora-policy-20221019/policy/modules/services/xserver.fc /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) ') -Index: fedora-policy-20221019/policy/modules/system/authlogin.fc +Index: fedora-policy-20230116/policy/modules/system/authlogin.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/authlogin.fc -+++ fedora-policy-20221019/policy/modules/system/authlogin.fc +--- fedora-policy-20230116.orig/policy/modules/system/authlogin.fc ++++ fedora-policy-20230116/policy/modules/system/authlogin.fc @@ -31,7 +31,7 @@ HOME_DIR/\.google_authenticator~ gen_co /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) 
@@ -129,10 +129,10 @@ Index: fedora-policy-20221019/policy/modules/system/authlogin.fc /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') -Index: fedora-policy-20221019/policy/modules/system/init.fc +Index: fedora-policy-20230116/policy/modules/system/init.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/init.fc -+++ fedora-policy-20221019/policy/modules/system/init.fc +--- fedora-policy-20230116.orig/policy/modules/system/init.fc ++++ fedora-policy-20230116/policy/modules/system/init.fc @@ -92,7 +92,7 @@ ifdef(`distro_gentoo', ` /var/run/svscan\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') @@ -142,11 +142,11 @@ Index: fedora-policy-20221019/policy/modules/system/init.fc /var/run/bootsplashctl -p gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/keymap -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/numlock-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) -Index: fedora-policy-20221019/policy/modules/system/init.te +Index: fedora-policy-20230116/policy/modules/system/init.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/init.te -+++ fedora-policy-20221019/policy/modules/system/init.te -@@ -1334,7 +1334,7 @@ ifdef(`distro_redhat',` +--- fedora-policy-20230116.orig/policy/modules/system/init.te ++++ fedora-policy-20230116/policy/modules/system/init.te +@@ -1330,7 +1330,7 @@ ifdef(`distro_redhat',` ') ') 
@@ -155,10 +155,10 @@ Index: fedora-policy-20221019/policy/modules/system/init.te optional_policy(` # set permissions on /tmp/.X11-unix xserver_setattr_xdm_tmp_dirs(initrc_t) -Index: fedora-policy-20221019/policy/modules/system/libraries.fc +Index: fedora-policy-20230116/policy/modules/system/libraries.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/libraries.fc -+++ fedora-policy-20221019/policy/modules/system/libraries.fc +--- fedora-policy-20230116.orig/policy/modules/system/libraries.fc ++++ fedora-policy-20230116/policy/modules/system/libraries.fc @@ -329,7 +329,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_ /var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) /usr/lib/xfce4/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) @@ -168,10 +168,10 @@ Index: fedora-policy-20221019/policy/modules/system/libraries.fc /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) ') -Index: fedora-policy-20221019/policy/modules/system/locallogin.te +Index: fedora-policy-20230116/policy/modules/system/locallogin.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/locallogin.te -+++ fedora-policy-20221019/policy/modules/system/locallogin.te +--- fedora-policy-20230116.orig/policy/modules/system/locallogin.te ++++ fedora-policy-20230116/policy/modules/system/locallogin.te @@ -274,7 +274,7 @@ ifdef(`enable_mls',` ') 
@@ -181,10 +181,10 @@ Index: fedora-policy-20221019/policy/modules/system/locallogin.te ifdef(`distro_debian', `define(`sulogin_no_pam')') allow sulogin_t self:capability sys_tty_config; -Index: fedora-policy-20221019/policy/modules/system/logging.fc +Index: fedora-policy-20230116/policy/modules/system/logging.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/logging.fc -+++ fedora-policy-20221019/policy/modules/system/logging.fc +--- fedora-policy-20230116.orig/policy/modules/system/logging.fc ++++ fedora-policy-20230116/policy/modules/system/logging.fc @@ -46,7 +46,7 @@ /var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,mls_systemhigh) /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) @@ -194,11 +194,11 @@ Index: fedora-policy-20221019/policy/modules/system/logging.fc /var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') -Index: fedora-policy-20221019/policy/modules/system/logging.te +Index: fedora-policy-20230116/policy/modules/system/logging.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/logging.te -+++ fedora-policy-20221019/policy/modules/system/logging.te -@@ -682,7 +682,7 @@ ifdef(`distro_gentoo',` +--- fedora-policy-20230116.orig/policy/modules/system/logging.te ++++ fedora-policy-20230116/policy/modules/system/logging.te +@@ -685,7 +685,7 @@ ifdef(`distro_gentoo',` term_dontaudit_setattr_unallocated_ttys(syslogd_t) ') diff --git a/fedora-policy-20221019.tar.bz2 b/fedora-policy-20221019.tar.bz2 deleted file mode 100644 index 6fb0487..0000000 --- a/fedora-policy-20221019.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e2cfe78d728e0b94dfbdc81413f6ede0a0f0e6064de4f6628fa7328d1f4d2ede -size 733130 
diff --git a/fedora-policy-20230125.tar.bz2 b/fedora-policy-20230125.tar.bz2 new file mode 100644 index 0000000..9b8400e --- /dev/null +++ b/fedora-policy-20230125.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4653c59f1e4df7872bf6f0186e1d75819b2b0580e750cad1b32bcb8ae71146ee +size 736028 diff --git a/fix_container.patch b/fix_container.patch deleted file mode 100644 index f54d046..0000000 --- a/fix_container.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: fedora-policy-20221019/policy/modules/services/container.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/services/container.te -+++ fedora-policy-20221019/policy/modules/services/container.te -@@ -681,6 +681,8 @@ init_dbus_chat(spc_t) - optional_policy(` - systemd_dbus_chat_machined(spc_t) - systemd_dbus_chat_logind(spc_t) -+ systemd_dbus_chat_timedated(spc_t) -+ systemd_dbus_chat_localed(spc_t) - ') - - optional_policy(` diff --git a/fix_dnsmasq.patch b/fix_dnsmasq.patch index 0471529..d9f6e29 100644 --- a/fix_dnsmasq.patch +++ b/fix_dnsmasq.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20220519/policy/modules/contrib/dnsmasq.te +Index: fedora-policy-20230116/policy/modules/contrib/dnsmasq.te =================================================================== ---- fedora-policy-20220519.orig/policy/modules/contrib/dnsmasq.te -+++ fedora-policy-20220519/policy/modules/contrib/dnsmasq.te -@@ -115,6 +115,7 @@ libs_exec_ldconfig(dnsmasq_t) +--- fedora-policy-20230116.orig/policy/modules/contrib/dnsmasq.te ++++ fedora-policy-20230116/policy/modules/contrib/dnsmasq.te +@@ -116,6 +116,7 @@ libs_exec_ldconfig(dnsmasq_t) logging_send_syslog_msg(dnsmasq_t) miscfiles_read_public_files(dnsmasq_t) diff --git a/fix_entropyd.patch b/fix_entropyd.patch new file mode 100644 index 0000000..bf7cd5b --- /dev/null +++ b/fix_entropyd.patch 
@@ -0,0 +1,76 @@
+Index: fedora-policy-20230125/policy/modules/contrib/entropyd.te
+===================================================================
+--- fedora-policy-20230125.orig/policy/modules/contrib/entropyd.te
++++ fedora-policy-20230125/policy/modules/contrib/entropyd.te
+@@ -24,6 +24,9 @@ init_script_file(entropyd_initrc_exec_t)
+ type entropyd_var_run_t;
+ files_pid_file(entropyd_var_run_t)
+ 
++type entropyd_tmpfs_t;
++files_tmpfs_file(entropyd_tmpfs_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -36,6 +39,10 @@ allow entropyd_t self:process signal_per
+ manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
+ files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
+ 
++manage_dirs_pattern(entropyd_t, entropyd_tmpfs_t, entropyd_tmpfs_t)
++manage_files_pattern(entropyd_t, entropyd_tmpfs_t, entropyd_tmpfs_t)
++fs_tmpfs_filetrans(entropyd_t, entropyd_tmpfs_t, { file })
++
+ kernel_read_system_state(entropyd_t)
+ kernel_rw_kernel_sysctl(entropyd_t)
+ 
+@@ -47,6 +54,8 @@ dev_write_rand(entropyd_t)
+ 
+ fs_getattr_all_fs(entropyd_t)
+ fs_search_auto_mountpoints(entropyd_t)
++# not great, but necessary for now since I can't get sem.haveged_sem to have a proper label
++fs_rw_tmpfs_files(entropyd_t)
+ 
+ domain_use_interactive_fds(entropyd_t)
+ 
+Index: fedora-policy-20230125/policy/modules/contrib/entropyd.if
+===================================================================
+--- fedora-policy-20230125.orig/policy/modules/contrib/entropyd.if
++++ fedora-policy-20230125/policy/modules/contrib/entropyd.if
+@@ -33,3 +33,22 @@ interface(`entropyd_admin',`
+ files_search_pids($1)
+ admin_pattern($1, entropyd_var_run_t)
+ ')
++
++########################################
++##
++## Transition kernel created semaphore to correct type
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`entropyd_semaphore_filetrans',`
++ gen_require(`
++ type entropyd_tmpfs_t;
++ ')
++
++ fs_tmpfs_filetrans($1, entropyd_tmpfs_t, file, "sem.haveged_sem")
++')
+Index: fedora-policy-20230125/policy/modules/kernel/kernel.te
+===================================================================
+--- fedora-policy-20230125.orig/policy/modules/kernel/kernel.te
++++ fedora-policy-20230125/policy/modules/kernel/kernel.te
+@@ -397,6 +397,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ entropyd_semaphore_filetrans(kernel_t)
++')
++
++optional_policy(`
+ abrt_filetrans_named_content(kernel_t)
+ abrt_dump_oops_domtrans(kernel_t)
+ ')
diff --git a/fix_fwupd.patch b/fix_fwupd.patch
index 30bc0ae..2c970f5 100644
--- a/fix_fwupd.patch
+++ b/fix_fwupd.patch
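Review bot: `fs_rw_tmpfs_files(entropyd_t)` in the entropyd.te hunk grants read/write on every tmpfs_t file (in practice all of /dev/shm and similar mounts), not only on sem.haveged_sem, while the request text describes it as reading tmpfs files; the comment above it should state the scope and the exit condition, e.g. `# TEMPORARY: rw on all tmpfs_t files until entropyd_semaphore_filetrans(kernel_t) labels sem.haveged_sem as entropyd_tmpfs_t; remove then (tracking: <bug-id>)`. The kernel.te hunk here and the one in fix_kernel.patch both insert an optional_policy block directly before `abrt_filetrans_named_content(kernel_t)`, so whichever patch is applied second will need fuzz or fail to apply; carrying both kernel.te additions in one patch avoids that. With `fs_tmpfs_filetrans(entropyd_t, entropyd_tmpfs_t, { file })` in place, files that entropyd_t itself creates on tmpfs already appear to get the private type, so the broad rule exists only for the kernel-created semaphore, which is worth saying in the comment.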
@@ -1,12 +1,17 @@ -Index: fedora-policy/policy/modules/contrib/fwupd.fc +Index: fedora-policy-20230116/policy/modules/contrib/fwupd.fc =================================================================== ---- fedora-policy.orig/policy/modules/contrib/fwupd.fc -+++ fedora-policy/policy/modules/contrib/fwupd.fc -@@ -4,6 +4,7 @@ +--- fedora-policy-20230116.orig/policy/modules/contrib/fwupd.fc ++++ fedora-policy-20230116/policy/modules/contrib/fwupd.fc +@@ -2,9 +2,9 @@ + /etc/pki/(fwupd|fwupd-metadata)(/.*)? gen_context(system_u:object_r:fwupd_cert_t,s0) - /usr/libexec/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0) -+/usr/lib/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0) +-/usr/libexec/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0) +-/usr/libexec/fwupd/fwupdoffline -- gen_context(system_u:object_r:fwupd_exec_t,s0) +-/usr/libexec/fwupd/fwupd-detect-cet -- gen_context(system_u:object_r:fwupd_exec_t,s0) ++/usr/lib(exec)?/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0) ++/usr/lib(exec)?/fwupd/fwupdoffline -- gen_context(system_u:object_r:fwupd_exec_t,s0) ++/usr/lib(exec)?/fwupd/fwupd-detect-cet -- gen_context(system_u:object_r:fwupd_exec_t,s0) /var/cache/app-info(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0) /var/cache/fwupd(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0) diff --git a/fix_init.patch b/fix_init.patch index 29df1c9..e33e0e5 100644 --- a/fix_init.patch +++ b/fix_init.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20221019/policy/modules/system/init.te +Index: fedora-policy-20230116/policy/modules/system/init.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/init.te -+++ fedora-policy-20221019/policy/modules/system/init.te -@@ -269,6 +269,8 @@ corecmd_exec_bin(init_t) +--- fedora-policy-20230116.orig/policy/modules/system/init.te ++++ fedora-policy-20230116/policy/modules/system/init.te +@@ -270,6 +270,8 @@ corecmd_exec_bin(init_t) corenet_all_recvfrom_netlabel(init_t) corenet_tcp_bind_all_ports(init_t) corenet_udp_bind_all_ports(init_t) @@ -11,7 +11,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te dev_create_all_files(init_t) dev_create_all_chr_files(init_t) -@@ -398,6 +400,7 @@ logging_manage_audit_config(init_t) +@@ -396,6 +398,7 @@ logging_manage_audit_config(init_t) logging_create_syslog_netlink_audit_socket(init_t) logging_write_var_log_dirs(init_t) logging_manage_var_log_symlinks(init_t) @@ -19,7 +19,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te seutil_read_config(init_t) seutil_read_login_config(init_t) -@@ -450,9 +453,19 @@ ifdef(`distro_redhat',` +@@ -448,9 +451,19 @@ ifdef(`distro_redhat',` corecmd_shell_domtrans(init_t, initrc_t) storage_raw_rw_fixed_disk(init_t) @@ -39,7 +39,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te optional_policy(` anaconda_stream_connect(init_t) anaconda_create_unix_stream_sockets(init_t) -@@ -584,10 +597,10 @@ tunable_policy(`init_audit_control',` +@@ -582,10 +595,10 @@ tunable_policy(`init_audit_control',` allow init_t self:system all_system_perms; allow init_t self:system module_load; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; 
@@ -52,7 +52,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te allow init_t self:netlink_selinux_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; # Until systemd is fixed -@@ -647,6 +660,7 @@ files_delete_all_spool_sockets(init_t) +@@ -645,6 +658,7 @@ files_delete_all_spool_sockets(init_t) files_create_var_lib_dirs(init_t) files_create_var_lib_symlinks(init_t) files_read_var_lib_symlinks(init_t) @@ -60,7 +60,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te files_manage_urandom_seed(init_t) files_list_locks(init_t) files_list_spool(init_t) -@@ -684,7 +698,7 @@ fs_list_all(init_t) +@@ -682,7 +696,7 @@ fs_list_all(init_t) fs_list_auto_mountpoints(init_t) fs_register_binary_executable_type(init_t) fs_relabel_tmpfs_sock_file(init_t) @@ -69,7 +69,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te fs_relabel_cgroup_dirs(init_t) fs_search_cgroup_dirs(init_t) # for network namespaces -@@ -740,6 +754,7 @@ systemd_write_inherited_logind_sessions_ +@@ -738,6 +752,7 @@ systemd_write_inherited_logind_sessions_ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) create_dirs_pattern(init_t, var_log_t, var_log_t) @@ -77,7 +77,7 @@ Index: fedora-policy-20221019/policy/modules/system/init.te auth_use_nsswitch(init_t) auth_rw_login_records(init_t) -@@ -1596,6 +1611,8 @@ optional_policy(` +@@ -1592,6 +1607,8 @@ optional_policy(` optional_policy(` postfix_list_spool(initrc_t) diff --git a/fix_ipsec.patch b/fix_ipsec.patch index 42486de..f303a0a 100644 --- a/fix_ipsec.patch +++ b/fix_ipsec.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20221019/policy/modules/system/ipsec.te +Index: fedora-policy-20230116/policy/modules/system/ipsec.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/ipsec.te -+++ fedora-policy-20221019/policy/modules/system/ipsec.te -@@ -87,6 +87,7 @@ allow ipsec_t self:tcp_socket create_str +--- fedora-policy-20230116.orig/policy/modules/system/ipsec.te ++++ fedora-policy-20230116/policy/modules/system/ipsec.te +@@ -88,6 +88,7 @@ allow ipsec_t self:tcp_socket create_str allow ipsec_t self:udp_socket create_socket_perms; allow ipsec_t self:packet_socket create_socket_perms; allow ipsec_t self:key_socket create_socket_perms; @@ -10,7 +10,7 @@ Index: fedora-policy-20221019/policy/modules/system/ipsec.te allow ipsec_t self:fifo_file read_fifo_file_perms; allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write }; allow ipsec_t self:netlink_selinux_socket create_socket_perms; -@@ -269,6 +270,7 @@ allow ipsec_mgmt_t self:unix_stream_sock +@@ -270,6 +271,7 @@ allow ipsec_mgmt_t self:unix_stream_sock allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; diff --git a/fix_kernel.patch b/fix_kernel.patch new file mode 100644 index 0000000..498b057 --- /dev/null +++ b/fix_kernel.patch 
@@ -0,0 +1,52 @@
+Index: fedora-policy-20230125/policy/modules/kernel/kernel.te
+===================================================================
+--- fedora-policy-20230125.orig/policy/modules/kernel/kernel.te
++++ fedora-policy-20230125/policy/modules/kernel/kernel.te
+@@ -389,6 +389,13 @@ ifdef(`distro_redhat',`
+ fs_rw_tmpfs_chr_files(kernel_t)
+ ')
+ 
++# this is a temporary fix. This permission doesn't make a lot of sense, but
++# without a kernel change there's not much we can do about it. I don't want to
++# audit it due to the unknown impact (happens e.g. during firewall changes)
++optional_policy(`
++ modutils_execute_kmod_tmpfs_files(kernel_t)
++')
++
+ optional_policy(`
+ abrt_filetrans_named_content(kernel_t)
+ abrt_dump_oops_domtrans(kernel_t)
+@@ -410,6 +417,7 @@ optional_policy(`
+ init_dbus_chat(kernel_t)
+ init_sigchld(kernel_t)
+ init_dyntrans(kernel_t)
++ init_read_state(kernel_t)
+ ')
+ 
+ optional_policy(`
+Index: fedora-policy-20230125/policy/modules/system/modutils.if
+===================================================================
+--- fedora-policy-20230125.orig/policy/modules/system/modutils.if
++++ fedora-policy-20230125/policy/modules/system/modutils.if
+@@ -525,3 +525,21 @@ interface(`modutils_dontaudit_kmod_tmpfs
+ 
+ dontaudit $1 kmod_tmpfs_t:file { getattr };
+ ')
++
++#######################################
++##
++## Execute accesses to tmp file type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`modutils_execute_kmod_tmpfs_files',`
++ gen_require(`
++ type kmod_tmpfs_t;
++ ')
++
++ allow $1 kmod_tmpfs_t:file { execute execute_no_trans };
++')
diff --git a/fix_kernel_sysctl.patch b/fix_kernel_sysctl.patch
index 4769ca5..fb5a8bd 100644
--- a/fix_kernel_sysctl.patch
+++ b/fix_kernel_sysctl.patch
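Review bot: `modutils_execute_kmod_tmpfs_files(kernel_t)` gives kernel_t `execute execute_no_trans` on kmod_tmpfs_t, i.e. the initial kernel domain runs tmpfs-backed content with no domain transition; the comment calls it temporary but records neither the denial that triggered it nor a tracking reference, so a line such as `# TODO(<bug-id>): remove once the kernel-side cause is fixed` belongs in that comment block. `init_read_state(kernel_t)` in the second kernel.te hunk is unrelated to the kmod case and is mentioned neither in the comment nor in the request description; it needs its own one-line comment naming the access it resolves. The interface summary in modutils.if, `Execute accesses to tmp file type.`, does not name the type or the missing transition; `Execute kmod_tmpfs_t files in the caller's domain (no domain transition).` is precise and matches what the allow rule does.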
@@ -1,7 +1,7 @@ -Index: fedora-policy-20221019/policy/modules/kernel/files.fc +Index: fedora-policy-20230116/policy/modules/kernel/files.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20221019/policy/modules/kernel/files.fc +--- fedora-policy-20230116.orig/policy/modules/kernel/files.fc ++++ fedora-policy-20230116/policy/modules/kernel/files.fc @@ -242,6 +242,8 @@ ifdef(`distro_redhat',` /usr/lib/ostree-boot(/.*)? gen_context(system_u:object_r:usr_t,s0) /usr/lib/modules(/.*)/vmlinuz -- gen_context(system_u:object_r:usr_t,s0) @@ -11,11 +11,11 @@ Index: fedora-policy-20221019/policy/modules/kernel/files.fc /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) -Index: fedora-policy-20221019/policy/modules/system/systemd.te +Index: fedora-policy-20230116/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/systemd.te -+++ fedora-policy-20221019/policy/modules/system/systemd.te -@@ -1105,6 +1105,8 @@ init_stream_connect(systemd_sysctl_t) +--- fedora-policy-20230116.orig/policy/modules/system/systemd.te ++++ fedora-policy-20230116/policy/modules/system/systemd.te +@@ -1113,6 +1113,8 @@ init_stream_connect(systemd_sysctl_t) logging_send_syslog_msg(systemd_sysctl_t) systemd_read_efivarfs(systemd_sysctl_t) diff --git a/fix_logging.patch b/fix_logging.patch index 8a74cb7..612c515 100644 --- a/fix_logging.patch +++ b/fix_logging.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy-20220624/policy/modules/system/logging.fc +Index: fedora-policy-20230116/policy/modules/system/logging.fc =================================================================== ---- fedora-policy-20220624.orig/policy/modules/system/logging.fc -+++ fedora-policy-20220624/policy/modules/system/logging.fc +--- fedora-policy-20230116.orig/policy/modules/system/logging.fc ++++ fedora-policy-20230116/policy/modules/system/logging.fc @@ -3,6 +3,8 @@ /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) @@ -19,11 +19,11 @@ Index: fedora-policy-20220624/policy/modules/system/logging.fc /var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) -Index: fedora-policy-20220624/policy/modules/system/logging.if +Index: fedora-policy-20230116/policy/modules/system/logging.if =================================================================== ---- fedora-policy-20220624.orig/policy/modules/system/logging.if -+++ fedora-policy-20220624/policy/modules/system/logging.if -@@ -1788,3 +1788,22 @@ interface(`logging_dgram_send',` +--- fedora-policy-20230116.orig/policy/modules/system/logging.if ++++ fedora-policy-20230116/policy/modules/system/logging.if +@@ -1806,3 +1806,22 @@ interface(`logging_dgram_send',` allow $1 syslogd_t:unix_dgram_socket sendto; ') diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch index 85dc9f3..de2dfe7 100644 --- a/fix_networkmanager.patch +++ b/fix_networkmanager.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te +Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.te -+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.te -@@ -259,6 +259,7 @@ sysnet_search_dhcp_state(NetworkManager_ +--- fedora-policy-20230125.orig/policy/modules/contrib/networkmanager.te ++++ fedora-policy-20230125/policy/modules/contrib/networkmanager.te +@@ -260,6 +260,7 @@ sysnet_search_dhcp_state(NetworkManager_ sysnet_manage_config(NetworkManager_t) sysnet_filetrans_named_content(NetworkManager_t) sysnet_filetrans_net_conf(NetworkManager_t) @@ -10,7 +10,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te systemd_login_watch_pid_dirs(NetworkManager_t) systemd_login_watch_session_dirs(NetworkManager_t) -@@ -275,6 +276,9 @@ userdom_read_home_certs(NetworkManager_t +@@ -276,6 +277,9 @@ userdom_read_home_certs(NetworkManager_t userdom_read_user_home_content_files(NetworkManager_t) userdom_dgram_send(NetworkManager_t) @@ -20,10 +20,14 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(NetworkManager_t) ') -@@ -284,6 +288,10 @@ tunable_policy(`use_samba_home_dirs',` +@@ -285,6 +289,14 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` ++ ntp_manage_pid_files(NetworkManager_t) ++') ++ ++optional_policy(` + nis_systemctl_ypbind(NetworkManager_t) +') + @@ -31,7 +35,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te avahi_domtrans(NetworkManager_t) avahi_kill(NetworkManager_t) avahi_signal(NetworkManager_t) -@@ -292,6 +300,14 @@ optional_policy(` +@@ -293,6 +305,14 @@ optional_policy(` ') optional_policy(` 
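Review bot: `ntp_manage_pid_files(NetworkManager_t)` in the `@@ -285,6 +289,14 @@` hunk calls an interface that only exists once fix_ntp.patch from this same request has been applied, so this patch now has an apply-order dependency on fix_ntp.patch that the spec's patch sequence presumably has to honour; a comment in the hunk, `# ntp_manage_pid_files is provided by fix_ntp.patch (ntp.if)`, makes that visible to the next refresh. Manage access (create/write/unlink) on ntpd's pid files is broader than the read or signal access a controlling daemon usually needs; if the actual caller is a dispatcher script restarting ntpd, the dispatcher domain rather than NetworkManager_t may be the right subject, which is worth confirming against the original denial. The enclosing networkmanager.te region continues outside this hunk.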
@@ -46,7 +50,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te bind_domtrans(NetworkManager_t) bind_manage_cache(NetworkManager_t) bind_kill(NetworkManager_t) -@@ -419,6 +435,8 @@ optional_policy(` +@@ -420,6 +440,8 @@ optional_policy(` nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) nscd_systemctl(NetworkManager_t) @@ -55,7 +59,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te ') optional_policy(` -@@ -606,6 +624,7 @@ files_manage_etc_files(NetworkManager_di +@@ -607,6 +629,7 @@ files_manage_etc_files(NetworkManager_di init_status(NetworkManager_dispatcher_cloud_t) init_status(NetworkManager_dispatcher_ddclient_t) @@ -63,7 +67,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te init_append_stream_sockets(networkmanager_dispatcher_plugin) init_ioctl_stream_sockets(networkmanager_dispatcher_plugin) init_stream_connect(networkmanager_dispatcher_plugin) -@@ -621,6 +640,10 @@ optional_policy(` +@@ -622,6 +645,10 @@ optional_policy(` ') optional_policy(` @@ -74,10 +78,10 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te cloudform_init_domtrans(NetworkManager_dispatcher_cloud_t) ') -Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if +Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.if =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.if -+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.if +--- fedora-policy-20230125.orig/policy/modules/contrib/networkmanager.if ++++ fedora-policy-20230125/policy/modules/contrib/networkmanager.if @@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ') 
@@ -103,10 +107,10 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if ######################################## ## ## Execute NetworkManager server in the NetworkManager domain. -Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.fc +Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.fc -+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.fc +--- fedora-policy-20230125.orig/policy/modules/contrib/networkmanager.fc ++++ fedora-policy-20230125/policy/modules/contrib/networkmanager.fc @@ -24,6 +24,7 @@ /usr/lib/NetworkManager/dispatcher\.d/04-iscsi -- gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0) /usr/lib/NetworkManager/dispatcher\.d/10-sendmail -- gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0) diff --git a/fix_ntp.patch b/fix_ntp.patch index b444775..c762c96 100644 --- a/fix_ntp.patch +++ b/fix_ntp.patch 
@@ -1,8 +1,16 @@ -Index: fedora-policy/policy/modules/contrib/ntp.fc +Index: fedora-policy-20230125/policy/modules/contrib/ntp.fc =================================================================== ---- fedora-policy.orig/policy/modules/contrib/ntp.fc 2020-02-21 15:59:23.349556504 +0000 -+++ fedora-policy/policy/modules/contrib/ntp.fc 2020-02-21 16:01:41.591761350 +0000 -@@ -16,7 +16,6 @@ +--- fedora-policy-20230125.orig/policy/modules/contrib/ntp.fc ++++ fedora-policy-20230125/policy/modules/contrib/ntp.fc +@@ -9,6 +9,7 @@ + + /etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) + ++/usr/sbin/start-ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) + /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) + /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) + /usr/libexec/ntpdate-wrapper -- gen_context(system_u:object_r:ntpdate_exec_t,s0) +@@ -16,7 +17,6 @@ /usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0) @@ -10,7 +18,7 @@ Index: fedora-policy/policy/modules/contrib/ntp.fc /var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) -@@ -25,3 +24,26 @@ +@@ -25,3 +25,26 @@ /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) 
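Review bot: The new `/usr/sbin/start-ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)` entry shares ntpd_exec_t with the daemon binary, so every domain allowed to transition on ntpd_exec_t now enters ntpd_t by executing start-ntpd as well, and ntpd_t can re-execute it through the existing `can_exec(ntpd_t, ntpd_exec_t)` rule shown later in this patch. If start-ntpd is a shell wrapper (the name suggests it; the file itself is not visible here), ntpd_t will additionally need shell/bin execution permissions, and whatever setup the wrapper performs then runs with the full ntpd_t capability set, including the dac_override added in this same patch. Confirm that is intended, or give the wrapper its own entrypoint type so the pre-daemon setup is not covered by the daemon's privileges.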
@@ -25,9 +33,10 @@ Index: fedora-policy/policy/modules/contrib/ntp.fc +/var/lib/ntp/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) +/var/lib/ntp/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0) +/var/lib/ntp/etc/ntp.conf.iburst -- gen_context(system_u:object_r:ntp_conf_t,s0) -+/var/lib/ntp/var gen_context(system_u:object_r:var_t,s0) -+/var/lib/ntp/var/lib gen_context(system_u:object_r:var_lib_t,s0) -+/var/lib/ntp/var/run gen_context(system_u:object_r:var_run_t,s0) ++/var/lib/ntp/var(/.*)? gen_context(system_u:object_r:var_t,s0) ++/var/lib/ntp/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) ++/var/lib/ntp/var/run(/.*)? gen_context(system_u:object_r:var_run_t,s0) ++/var/lib/ntp/var/run/ntp(/.*)? gen_context(system_u:object_r:ntpd_var_run_t,s0) +/var/lib/ntp/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) +/var/lib/ntp/var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) +/var/lib/ntp/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) 
@@ -36,4 +45,55 @@ Index: fedora-policy/policy/modules/contrib/ntp.fc +/var/lib/ntp/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) +/var/lib/ntp/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0) +/var/lib/ntp/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) -+/var/lib/ntp/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) +Index: fedora-policy-20230125/policy/modules/contrib/ntp.te +=================================================================== +--- fedora-policy-20230125.orig/policy/modules/contrib/ntp.te ++++ fedora-policy-20230125/policy/modules/contrib/ntp.te +@@ -49,6 +49,9 @@ init_system_domain(ntpd_t, ntpdate_exec_ + + allow ntpd_t self:capability { chown dac_read_search kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource }; + dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice }; ++# remove once 1207577 is done ++allow ntpd_t self:capability dac_override; ++ + allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit }; + allow ntpd_t self:fifo_file rw_fifo_file_perms; + allow ntpd_t self:shm create_shm_perms; +@@ -78,7 +81,8 @@ manage_files_pattern(ntpd_t, ntpd_tmpfs_ + fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file }) + + manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t) +-files_pid_filetrans(ntpd_t, ntpd_var_run_t, file) ++manage_lnk_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t) ++files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file dir lnk_file }) + + can_exec(ntpd_t, ntpd_exec_t) + can_exec(ntpd_t, ntpdate_exec_t) +Index: fedora-policy-20230125/policy/modules/contrib/ntp.if +=================================================================== +--- fedora-policy-20230125.orig/policy/modules/contrib/ntp.if ++++ fedora-policy-20230125/policy/modules/contrib/ntp.if +@@ -339,3 +339,23 @@ interface(`ntp_manage_log',` + manage_lnk_files_pattern($1, ntpd_log_t, ntpd_log_t) + ') + 
++######################################## ++## ++## Create, read, write, and delete ++## ntp pid (lnk) files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ntp_manage_pid_files',` ++ gen_require(` ++ type ntpd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, ntpd_var_run_t, ntpd_var_run_t) ++ manage_lnk_files_pattern($1, ntpd_var_run_t, ntpd_var_run_t) ++') diff --git a/fix_rpm.patch b/fix_rpm.patch index 67cf3c4..77ca8ac 100644 --- a/fix_rpm.patch +++ b/fix_rpm.patch @@ -1,19 +1,18 @@ -Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc +Index: fedora-policy-20230116/policy/modules/contrib/rpm.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/rpm.fc -+++ fedora-policy-20221019/policy/modules/contrib/rpm.fc -@@ -18,6 +18,10 @@ - /usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0) - /usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) +--- fedora-policy-20230116.orig/policy/modules/contrib/rpm.fc ++++ fedora-policy-20230116/policy/modules/contrib/rpm.fc +@@ -23,6 +23,9 @@ + # This is in /usr, but is expected to be variable content from a policy perspective (#2042149) + /usr/lib/sysimage/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/usr/sbin/zypp-refresh -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/zypper -- gen_context(system_u:object_r:rpm_exec_t,s0) -+ + /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0) -@@ -56,6 +60,8 @@ ifdef(`distro_redhat', ` +@@ -61,6 +64,8 @@ ifdef(`distro_redhat', ` /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) 
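Review bot: `allow ntpd_t self:capability dac_override;` is the broadest grant in this patch, since it lets ntpd_t bypass every DAC permission check, and the comment `# remove once 1207577 is done` carries only a bare number. Make it `# bsc#1207577: temporary, ntpd_t should not need to bypass DAC; remove together with that fix` so both the tracker and the removal condition are findable from the policy source (the changelog in this commit already cites bsc#1207577). Separately, dropping `/var/lib/ntp/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)` means a relabel of the chroot now gives that path var_run_t through `/var/lib/ntp/var/run(/.*)?`, while files ntpd_t creates at runtime get ntpd_var_run_t through the widened `files_pid_filetrans`; if ntpd still writes ntpd.pid directly under var/run rather than under var/run/ntp, the on-disk label and the runtime label diverge after restorecon.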
@@ -22,10 +21,10 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.fc /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -Index: fedora-policy-20221019/policy/modules/contrib/rpm.if +Index: fedora-policy-20230116/policy/modules/contrib/rpm.if =================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/rpm.if -+++ fedora-policy-20221019/policy/modules/contrib/rpm.if +--- fedora-policy-20230116.orig/policy/modules/contrib/rpm.if ++++ fedora-policy-20230116/policy/modules/contrib/rpm.if @@ -515,8 +515,10 @@ interface(`rpm_named_filetrans',` logging_log_named_filetrans($1, rpm_log_t, file, "yum.log") logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log") @@ -37,10 +36,10 @@ Index: fedora-policy-20221019/policy/modules/contrib/rpm.if files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf") files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum") files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm") -Index: fedora-policy-20221019/policy/modules/kernel/files.fc +Index: fedora-policy-20230116/policy/modules/kernel/files.fc =================================================================== ---- fedora-policy-20221019.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20221019/policy/modules/kernel/files.fc +--- fedora-policy-20230116.orig/policy/modules/kernel/files.fc ++++ fedora-policy-20230116/policy/modules/kernel/files.fc @@ -67,6 +67,7 @@ ifdef(`distro_redhat',` /etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) diff --git a/fix_rtkit.patch b/fix_rtkit.patch new file mode 100644 index 0000000..0f6a9ab --- /dev/null +++ b/fix_rtkit.patch 
@@ -0,0 +1,11 @@ +Index: fedora-policy-20230116/policy/modules/contrib/rtkit.fc +=================================================================== +--- fedora-policy-20230116.orig/policy/modules/contrib/rtkit.fc ++++ fedora-policy-20230116/policy/modules/contrib/rtkit.fc +@@ -1,5 +1,6 @@ + /etc/rc\.d/init\.d/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_initrc_exec_t,s0) + + /usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0) ++/usr/libexec/rtkit/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0) + + /usr/lib/rtkit/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0) diff --git a/fix_selinuxutil.patch b/fix_selinuxutil.patch index 84e87ac..3cc047a 100644 --- a/fix_selinuxutil.patch +++ b/fix_selinuxutil.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20210628/policy/modules/system/selinuxutil.te +Index: fedora-policy-20230116/policy/modules/system/selinuxutil.te =================================================================== ---- fedora-policy-20210628.orig/policy/modules/system/selinuxutil.te -+++ fedora-policy-20210628/policy/modules/system/selinuxutil.te -@@ -238,6 +238,10 @@ ifdef(`hide_broken_symptoms',` +--- fedora-policy-20230116.orig/policy/modules/system/selinuxutil.te ++++ fedora-policy-20230116/policy/modules/system/selinuxutil.te +@@ -239,6 +239,10 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -13,7 +13,7 @@ Index: fedora-policy-20210628/policy/modules/system/selinuxutil.te portage_dontaudit_use_fds(load_policy_t) ') -@@ -618,6 +622,10 @@ logging_send_audit_msgs(setfiles_t) +@@ -619,6 +623,10 @@ logging_send_audit_msgs(setfiles_t) logging_send_syslog_msg(setfiles_t) optional_policy(` 
@@ -24,10 +24,10 @@ Index: fedora-policy-20210628/policy/modules/system/selinuxutil.te cloudform_dontaudit_write_cloud_log(setfiles_t) ') -Index: fedora-policy-20210628/policy/modules/system/selinuxutil.if +Index: fedora-policy-20230116/policy/modules/system/selinuxutil.if =================================================================== ---- fedora-policy-20210628.orig/policy/modules/system/selinuxutil.if -+++ fedora-policy-20210628/policy/modules/system/selinuxutil.if +--- fedora-policy-20230116.orig/policy/modules/system/selinuxutil.if ++++ fedora-policy-20230116/policy/modules/system/selinuxutil.if @@ -795,6 +795,8 @@ interface(`seutil_dontaudit_read_config' dontaudit $1 selinux_config_t:dir search_dir_perms; diff --git a/fix_systemd.patch b/fix_systemd.patch index 1576754..11c069c 100644 --- a/fix_systemd.patch +++ b/fix_systemd.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20221019/policy/modules/system/systemd.te +Index: fedora-policy-20230116/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/systemd.te -+++ fedora-policy-20221019/policy/modules/system/systemd.te +--- fedora-policy-20230116.orig/policy/modules/system/systemd.te ++++ fedora-policy-20230116/policy/modules/system/systemd.te @@ -381,6 +381,10 @@ userdom_manage_user_tmp_chr_files(system xserver_dbus_chat(systemd_logind_t) 
@@ -24,16 +24,7 @@ Index: fedora-policy-20221019/policy/modules/system/systemd.te ####################################### # # Hostnamed policy -@@ -1158,7 +1166,7 @@ systemd_read_efivarfs(systemd_hwdb_t) - # systemd_gpt_generator domain - # - --allow systemd_gpt_generator_t self:capability sys_rawio; -+allow systemd_gpt_generator_t self:capability { sys_rawio sys_admin}; - allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms; - - dev_read_sysfs(systemd_gpt_generator_t) -@@ -1185,6 +1193,8 @@ systemd_unit_file_filetrans(systemd_gpt_ +@@ -1195,6 +1203,8 @@ systemd_unit_file_filetrans(systemd_gpt_ systemd_create_unit_file_dirs(systemd_gpt_generator_t) systemd_create_unit_file_lnk(systemd_gpt_generator_t) diff --git a/fix_systemd_watch.patch b/fix_systemd_watch.patch index 530f381..40a25b7 100644 --- a/fix_systemd_watch.patch +++ b/fix_systemd_watch.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20221019/policy/modules/system/systemd.te +Index: fedora-policy-20230116/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/systemd.te -+++ fedora-policy-20221019/policy/modules/system/systemd.te -@@ -1508,6 +1508,12 @@ fstools_rw_swap_files(systemd_sleep_t) +--- fedora-policy-20230116.orig/policy/modules/system/systemd.te ++++ fedora-policy-20230116/policy/modules/system/systemd.te +@@ -1520,6 +1520,12 @@ fstools_rw_swap_files(systemd_sleep_t) storage_getattr_fixed_disk_dev(systemd_sleep_t) storage_getattr_removable_dev(systemd_sleep_t) diff --git a/fix_userdomain.patch b/fix_userdomain.patch index 6691ad8..a2ea637 100644 --- a/fix_userdomain.patch +++ b/fix_userdomain.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20220624/policy/modules/system/userdomain.if +Index: fedora-policy-20230116/policy/modules/system/userdomain.if =================================================================== ---- fedora-policy-20220624.orig/policy/modules/system/userdomain.if -+++ fedora-policy-20220624/policy/modules/system/userdomain.if -@@ -1497,6 +1497,7 @@ tunable_policy(`deny_bluetooth',`',` +--- fedora-policy-20230116.orig/policy/modules/system/userdomain.if ++++ fedora-policy-20230116/policy/modules/system/userdomain.if +@@ -1515,6 +1515,7 @@ tunable_policy(`deny_bluetooth',`',` # port access is audited even if dac would not have allowed it, so dontaudit it here # corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) diff --git a/selinux-policy.changes b/selinux-policy.changes index 88845c2..e85f955 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
@@ -1,3 +1,36 @@ +------------------------------------------------------------------- +Mon Jan 16 08:42:09 UTC 2023 - Johannes Segitz + +- Update to version 20230125. Refreshed: + * distro_suse_to_distro_redhat.patch + * fix_dnsmasq.patch + * fix_init.patch + * fix_ipsec.patch + * fix_kernel_sysctl.patch + * fix_logging.patch + * fix_rpm.patch + * fix_selinuxutil.patch + * fix_systemd_watch.patch + * fix_userdomain.patch +- More flexible lib(exec) matching in fix_fwupd.patch +- Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch +- Dropped fix_container.patch, is now upstream +- Added fix_entropyd.patch + * Added new interface entropyd_semaphore_filetrans to properly transfer + semaphore created during early boot. That doesn't work yet, so work + around with next item + * Allow reading tempfs files +- Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace + to allow kmod_tmpfs_t files to be executed. Necessary for firewalld +- Added fix_rtkit.patch to fix labeling of binary +- Modified fix_ntp.patch: + * Proper labeling for start-ntpd + * Fixed label rules for chroot path + * Temporarily allow dac_override for ntpd_t (bsc#1207577) + * Add interface ntp_manage_pid_files to allow management of pid + files +- Updated fix_networkmanager.patch to allow managing ntp pid files + ------------------------------------------------------------------- Thu Jan 12 13:01:47 UTC 2023 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index 6d85ed7..72b18f0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -33,7 +33,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20221019 +Version: 20230125 Release: 0 Source: fedora-policy-%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc 
@@ -148,8 +148,9 @@ Patch063: fix_alsa.patch Patch064: dontaudit_interface_kmod_tmpfs.patch Patch065: fix_sendmail.patch Patch066: fix_ipsec.patch -# https://github.com/containers/container-selinux/pull/199, can be dropped once this is included -Patch067: fix_container.patch +Patch067: fix_kernel.patch +Patch068: fix_entropyd.patch +Patch069: fix_rtkit.patch Patch100: sedoctool.patch From 2c0c138859cd84bbf1b2e938dce39dbe343ec21e3d17577648ec547b3aa5aad3 Mon Sep 17 00:00:00 2001 From: Johannes Segitz Date: Mon, 6 Feb 2023 15:32:26 +0000 Subject: [PATCH 2/8] Accepting request 1063441 from home:jsegitz:branches:security:SELinux - Update to version 20230206. Refreshed: * fix_entropyd.patch * fix_networkmanager.patch * fix_systemd_watch.patch * fix_unconfineduser.patch - Updated fix_kernel.patch to allow kernel_t access to xdm state. This is necessary as plymouth doesn't run in it's own domain in early boot OBS-URL: https://build.opensuse.org/request/show/1063441 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=172 --- fedora-policy-20230125.tar.bz2 | 3 --- fedora-policy-20230206.tar.bz2 | 3 +++ fix_entropyd.patch | 20 ++++++++++---------- fix_kernel.patch | 24 ++++++++++++++++-------- fix_networkmanager.patch | 22 +++++++++++----------- fix_systemd_watch.patch | 8 ++++---- fix_unconfineduser.patch | 12 ++++++------ selinux-policy.changes | 11 +++++++++++ selinux-policy.spec | 2 +- 9 files changed, 62 insertions(+), 43 deletions(-) delete mode 100644 fedora-policy-20230125.tar.bz2 create mode 100644 fedora-policy-20230206.tar.bz2 diff --git a/fedora-policy-20230125.tar.bz2 b/fedora-policy-20230125.tar.bz2 deleted file mode 100644 index 9b8400e..0000000 --- a/fedora-policy-20230125.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:4653c59f1e4df7872bf6f0186e1d75819b2b0580e750cad1b32bcb8ae71146ee -size 736028 
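Review bot: The removed line `# https://github.com/containers/container-selinux/pull/199, can be dropped once this is included` was the only place telling a maintainer when a patch could go away, and the new entries `Patch067: fix_kernel.patch`, `Patch068: fix_entropyd.patch` and `Patch069: fix_rtkit.patch` carry no such note, even though this commit's changelog describes fix_entropyd.patch as a workaround ("That doesn't work yet") and the dac_override in fix_ntp.patch as temporary (bsc#1207577). A one-line comment above each temporary patch, e.g. `# fix_entropyd.patch: workaround until entropyd_semaphore_filetrans works in early boot`, keeps the removal condition next to the Patch line instead of only in the changelog. The same applies to the Patch line for fix_ntp.patch, which is outside this hunk.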
diff --git a/fedora-policy-20230206.tar.bz2 b/fedora-policy-20230206.tar.bz2 new file mode 100644 index 0000000..ffdbc93 --- /dev/null +++ b/fedora-policy-20230206.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5cf93823fbb8094a509b23be28f1328e7d61a6d564c6265ecbb295c63c188979 +size 736493 diff --git a/fix_entropyd.patch b/fix_entropyd.patch index bf7cd5b..33cf71a 100644 --- a/fix_entropyd.patch +++ b/fix_entropyd.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20230125/policy/modules/contrib/entropyd.te +Index: fedora-policy-20230206/policy/modules/contrib/entropyd.te =================================================================== ---- fedora-policy-20230125.orig/policy/modules/contrib/entropyd.te -+++ fedora-policy-20230125/policy/modules/contrib/entropyd.te +--- fedora-policy-20230206.orig/policy/modules/contrib/entropyd.te ++++ fedora-policy-20230206/policy/modules/contrib/entropyd.te @@ -24,6 +24,9 @@ init_script_file(entropyd_initrc_exec_t) type entropyd_var_run_t; files_pid_file(entropyd_var_run_t) @@ -32,10 +32,10 @@ Index: fedora-policy-20230125/policy/modules/contrib/entropyd.te domain_use_interactive_fds(entropyd_t) -Index: fedora-policy-20230125/policy/modules/contrib/entropyd.if +Index: fedora-policy-20230206/policy/modules/contrib/entropyd.if =================================================================== ---- fedora-policy-20230125.orig/policy/modules/contrib/entropyd.if -+++ fedora-policy-20230125/policy/modules/contrib/entropyd.if +--- fedora-policy-20230206.orig/policy/modules/contrib/entropyd.if ++++ fedora-policy-20230206/policy/modules/contrib/entropyd.if @@ -33,3 +33,22 @@ interface(`entropyd_admin',` files_search_pids($1) admin_pattern($1, entropyd_var_run_t) 
@@ -59,11 +59,11 @@ Index: fedora-policy-20230125/policy/modules/contrib/entropyd.if + + fs_tmpfs_filetrans($1, entropyd_tmpfs_t, file, "sem.haveged_sem") +') -Index: fedora-policy-20230125/policy/modules/kernel/kernel.te +Index: fedora-policy-20230206/policy/modules/kernel/kernel.te =================================================================== ---- fedora-policy-20230125.orig/policy/modules/kernel/kernel.te -+++ fedora-policy-20230125/policy/modules/kernel/kernel.te -@@ -397,6 +397,10 @@ optional_policy(` +--- fedora-policy-20230206.orig/policy/modules/kernel/kernel.te ++++ fedora-policy-20230206/policy/modules/kernel/kernel.te +@@ -401,6 +401,10 @@ optional_policy(` ') optional_policy(` diff --git a/fix_kernel.patch b/fix_kernel.patch index 498b057..710e788 100644 --- a/fix_kernel.patch +++ b/fix_kernel.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20230125/policy/modules/kernel/kernel.te +Index: fedora-policy-20230206/policy/modules/kernel/kernel.te =================================================================== ---- fedora-policy-20230125.orig/policy/modules/kernel/kernel.te -+++ fedora-policy-20230125/policy/modules/kernel/kernel.te -@@ -389,6 +389,13 @@ ifdef(`distro_redhat',` +--- fedora-policy-20230206.orig/policy/modules/kernel/kernel.te ++++ fedora-policy-20230206/policy/modules/kernel/kernel.te +@@ -393,6 +393,13 @@ ifdef(`distro_redhat',` fs_rw_tmpfs_chr_files(kernel_t) ') @@ -16,7 +16,7 @@ Index: fedora-policy-20230125/policy/modules/kernel/kernel.te optional_policy(` abrt_filetrans_named_content(kernel_t) abrt_dump_oops_domtrans(kernel_t) -@@ -410,6 +417,7 @@ optional_policy(` +@@ -418,6 +425,7 @@ optional_policy(` init_dbus_chat(kernel_t) init_sigchld(kernel_t) init_dyntrans(kernel_t) 
@@ -24,10 +24,18 @@ Index: fedora-policy-20230125/policy/modules/kernel/kernel.te ') optional_policy(` -Index: fedora-policy-20230125/policy/modules/system/modutils.if +@@ -519,6 +527,7 @@ optional_policy(` + ') + + optional_policy(` ++ xserver_read_xdm_state(kernel_t) + xserver_xdm_manage_spool(kernel_t) + xserver_filetrans_home_content(kernel_t) + ') +Index: fedora-policy-20230206/policy/modules/system/modutils.if =================================================================== ---- fedora-policy-20230125.orig/policy/modules/system/modutils.if -+++ fedora-policy-20230125/policy/modules/system/modutils.if +--- fedora-policy-20230206.orig/policy/modules/system/modutils.if ++++ fedora-policy-20230206/policy/modules/system/modutils.if @@ -525,3 +525,21 @@ interface(`modutils_dontaudit_kmod_tmpfs dontaudit $1 kmod_tmpfs_t:file { getattr }; diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch index de2dfe7..f76012a 100644 --- a/fix_networkmanager.patch +++ b/fix_networkmanager.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.te +Index: fedora-policy-20230206/policy/modules/contrib/networkmanager.te =================================================================== ---- fedora-policy-20230125.orig/policy/modules/contrib/networkmanager.te -+++ fedora-policy-20230125/policy/modules/contrib/networkmanager.te +--- fedora-policy-20230206.orig/policy/modules/contrib/networkmanager.te ++++ fedora-policy-20230206/policy/modules/contrib/networkmanager.te @@ -260,6 +260,7 @@ sysnet_search_dhcp_state(NetworkManager_ sysnet_manage_config(NetworkManager_t) sysnet_filetrans_named_content(NetworkManager_t) 
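Review bot: `xserver_read_xdm_state(kernel_t)` widens the initial kernel domain, and nothing in the patch records why; the reason appears only in this commit's changelog (plymouth does not run in its own domain during early boot). Put it next to the rule, `# plymouth runs as kernel_t in early boot and reads xdm state; drop once plymouth gets its own domain`, so the grant is not kept past its purpose when plymouth is confined. The rule sits correctly inside the existing xserver `optional_policy` block, so no extra gen_require is needed.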
@@ -59,7 +59,7 @@ Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.te ') optional_policy(` -@@ -607,6 +629,7 @@ files_manage_etc_files(NetworkManager_di +@@ -608,6 +630,7 @@ files_manage_etc_files(NetworkManager_di init_status(NetworkManager_dispatcher_cloud_t) init_status(NetworkManager_dispatcher_ddclient_t) @@ -67,7 +67,7 @@ Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.te init_append_stream_sockets(networkmanager_dispatcher_plugin) init_ioctl_stream_sockets(networkmanager_dispatcher_plugin) init_stream_connect(networkmanager_dispatcher_plugin) -@@ -622,6 +645,10 @@ optional_policy(` +@@ -623,6 +646,10 @@ optional_policy(` ') optional_policy(` @@ -78,10 +78,10 @@ Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.te cloudform_init_domtrans(NetworkManager_dispatcher_cloud_t) ') -Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.if +Index: fedora-policy-20230206/policy/modules/contrib/networkmanager.if =================================================================== ---- fedora-policy-20230125.orig/policy/modules/contrib/networkmanager.if -+++ fedora-policy-20230125/policy/modules/contrib/networkmanager.if +--- fedora-policy-20230206.orig/policy/modules/contrib/networkmanager.if ++++ fedora-policy-20230206/policy/modules/contrib/networkmanager.if @@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) ') 
@@ -107,10 +107,10 @@ Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.if ######################################## ## ## Execute NetworkManager server in the NetworkManager domain. -Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.fc +Index: fedora-policy-20230206/policy/modules/contrib/networkmanager.fc =================================================================== ---- fedora-policy-20230125.orig/policy/modules/contrib/networkmanager.fc -+++ fedora-policy-20230125/policy/modules/contrib/networkmanager.fc +--- fedora-policy-20230206.orig/policy/modules/contrib/networkmanager.fc ++++ fedora-policy-20230206/policy/modules/contrib/networkmanager.fc @@ -24,6 +24,7 @@ /usr/lib/NetworkManager/dispatcher\.d/04-iscsi -- gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0) /usr/lib/NetworkManager/dispatcher\.d/10-sendmail -- gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0) diff --git a/fix_systemd_watch.patch b/fix_systemd_watch.patch index 40a25b7..72073ab 100644 --- a/fix_systemd_watch.patch +++ b/fix_systemd_watch.patch @@ -1,8 +1,8 @@ -Index: fedora-policy-20230116/policy/modules/system/systemd.te +Index: fedora-policy-20230206/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20230116.orig/policy/modules/system/systemd.te -+++ fedora-policy-20230116/policy/modules/system/systemd.te -@@ -1520,6 +1520,12 @@ fstools_rw_swap_files(systemd_sleep_t) +--- fedora-policy-20230206.orig/policy/modules/system/systemd.te ++++ fedora-policy-20230206/policy/modules/system/systemd.te +@@ -1524,6 +1524,12 @@ fstools_rw_swap_files(systemd_sleep_t) storage_getattr_fixed_disk_dev(systemd_sleep_t) storage_getattr_removable_dev(systemd_sleep_t) diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch index 017c8f7..bad300f 100644 --- a/fix_unconfineduser.patch +++ b/fix_unconfineduser.patch 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te +Index: fedora-policy-20230206/policy/modules/roles/unconfineduser.te =================================================================== ---- fedora-policy-20221019.orig/policy/modules/roles/unconfineduser.te -+++ fedora-policy-20221019/policy/modules/roles/unconfineduser.te -@@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all' +--- fedora-policy-20230206.orig/policy/modules/roles/unconfineduser.te ++++ fedora-policy-20230206/policy/modules/roles/unconfineduser.te +@@ -126,6 +126,11 @@ tunable_policy(`unconfined_dyntrans_all' domain_dyntrans(unconfined_t) ') @@ -14,7 +14,7 @@ Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te optional_policy(` gen_require(` type unconfined_t; -@@ -214,6 +219,10 @@ optional_policy(` +@@ -216,6 +221,10 @@ optional_policy(` ') optional_policy(` @@ -25,7 +25,7 @@ Index: fedora-policy-20221019/policy/modules/roles/unconfineduser.te chrome_role_notrans(unconfined_r, unconfined_t) tunable_policy(`unconfined_chrome_sandbox_transition',` -@@ -248,6 +257,18 @@ optional_policy(` +@@ -250,6 +259,18 @@ optional_policy(` dbus_stub(unconfined_t) optional_policy(` diff --git a/selinux-policy.changes b/selinux-policy.changes index e85f955..c83b5af 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Mon Feb 6 08:36:32 UTC 2023 - Johannes Segitz + +- Update to version 20230206. Refreshed: + * fix_entropyd.patch + * fix_networkmanager.patch + * fix_systemd_watch.patch + * fix_unconfineduser.patch +- Updated fix_kernel.patch to allow kernel_t access to xdm state. This is + necessary as plymouth doesn't run in it's own domain in early boot + ------------------------------------------------------------------- Mon Jan 16 08:42:09 UTC 2023 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index 72b18f0..11acb6d 100644 
--- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -33,7 +33,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20230125 +Version: 20230206 Release: 0 Source: fedora-policy-%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc From 330c32dde14f41ac8bc725154cb72264fe7de4305d870da4e58dfb865e8e1d18 Mon Sep 17 00:00:00 2001 
From: Johannes Segitz Date: Thu, 16 Feb 2023 07:31:19 +0000 Subject: [PATCH 3/8] Accepting request 1065970 from home:cahu:branches:security:SELinux - Complete packaging rework: Move policy to git repository and only use tar_scm obs service to refresh from there: https://gitlab.suse.de/selinux/selinux-policy Please use `osc service manualrun` to update this OBS package to the newest git version. * Added README.Update describing how to update this package * Added _service file that pulls from selinux-policy and upstream container-selinux and tars them * Adapted selinux-policy.spec to build selinux-policy with container-selinux * Removed update.sh as no longer needed * Removed suse specific modules as they are now covered by git commits * packagekit.te packagekit.if packagekit.fc * rebootmgr.te rebootmgr.if rebootmgr.fc * rtorrent.te rtorrent.if rtorrent.fc * wicked.te wicked.if wicked.fc * Removed *.patch as they are now covered by git commits: * distro_suse_to_distro_redhat.patch * dontaudit_interface_kmod_tmpfs.patch * fix_accountsd.patch * fix_alsa.patch * fix_apache.patch * fix_auditd.patch * fix_authlogin.patch * fix_automount.patch * fix_bitlbee.patch * fix_chronyd.patch * fix_cloudform.patch * fix_colord.patch * fix_corecommand.patch * fix_cron.patch * fix_dbus.patch * fix_djbdns.patch * fix_dnsmasq.patch * fix_dovecot.patch * fix_entropyd.patch * fix_firewalld.patch * fix_fwupd.patch * fix_geoclue.patch * fix_hypervkvp.patch * fix_init.patch * fix_ipsec.patch * fix_iptables.patch * fix_irqbalance.patch * fix_java.patch * fix_kernel.patch * fix_kernel_sysctl.patch * fix_libraries.patch * fix_locallogin.patch * fix_logging.patch * fix_logrotate.patch * fix_mcelog.patch * fix_miscfiles.patch * fix_nagios.patch * fix_networkmanager.patch * fix_nis.patch * fix_nscd.patch * fix_ntp.patch * fix_openvpn.patch * fix_postfix.patch * fix_rpm.patch * fix_rtkit.patch * fix_screen.patch * fix_selinuxutil.patch * fix_sendmail.patch * fix_smartmon.patch * fix_snapper.patch * 
fix_sslh.patch * fix_sysnetwork.patch * fix_systemd.patch * fix_systemd_watch.patch * fix_thunderbird.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_unprivuser.patch * fix_userdomain.patch * fix_usermanage.patch * fix_wine.patch * fix_xserver.patch * sedoctool.patch * systemd_domain_dyntrans_type.patch OBS-URL: https://build.opensuse.org/request/show/1065970 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=173 --- README.Update | 19 + _service | 26 + _servicedata | 6 + container-selinux-20230214.tar.xz | 3 + distro_suse_to_distro_redhat.patch | 209 --------- dontaudit_interface_kmod_tmpfs.patch | 41 -- fedora-policy-20230206.tar.bz2 | 3 - fix_accountsd.patch | 12 - fix_alsa.patch | 15 - fix_apache.patch | 30 -- fix_auditd.patch | 12 - fix_authlogin.patch | 12 - fix_automount.patch | 15 - fix_bitlbee.patch | 12 - fix_chronyd.patch | 60 --- fix_cloudform.patch | 13 - fix_colord.patch | 25 - fix_corecommand.patch | 64 --- fix_cron.patch | 47 -- fix_dbus.patch | 21 - fix_djbdns.patch | 33 -- fix_dnsmasq.patch | 12 - fix_dovecot.patch | 15 - fix_entropyd.patch | 76 --- fix_firewalld.patch | 42 -- fix_fwupd.patch | 17 - fix_geoclue.patch | 10 - fix_hypervkvp.patch | 15 - fix_init.patch | 88 ---- fix_ipsec.patch | 20 - fix_iptables.patch | 12 - fix_irqbalance.patch | 13 - fix_java.patch | 41 -- fix_kernel.patch | 60 --- fix_kernel_sysctl.patch | 26 - fix_libraries.patch | 13 - fix_locallogin.patch | 20 - fix_logging.patch | 48 -- fix_logrotate.patch | 12 - fix_mcelog.patch | 13 - fix_miscfiles.patch | 12 - fix_nagios.patch | 24 - fix_networkmanager.patch | 131 ------ fix_nis.patch | 12 - fix_nscd.patch | 35 -- fix_ntp.patch | 99 ---- fix_openvpn.patch | 41 -- fix_postfix.patch | 120 ----- fix_rpm.patch | 50 -- fix_rtkit.patch | 11 - fix_screen.patch | 22 - fix_selinuxutil.patch | 39 -- fix_sendmail.patch | 32 -- fix_smartmon.patch | 9 - fix_snapper.patch | 68 --- fix_sslh.patch | 33 -- fix_sysnetwork.patch | 25 - 
fix_systemd.patch | 35 -- fix_systemd_watch.patch | 17 - fix_thunderbird.patch | 12 - fix_unconfined.patch | 22 - fix_unconfineduser.patch | 46 -- fix_unprivuser.patch | 18 - fix_userdomain.patch | 12 - fix_usermanage.patch | 29 -- fix_wine.patch | 23 - fix_xserver.patch | 68 --- packagekit.fc | 44 -- packagekit.if | 40 -- packagekit.te | 38 -- rebootmgr.fc | 1 - rebootmgr.if | 61 --- rebootmgr.te | 37 -- rtorrent.fc | 1 - rtorrent.if | 95 ---- rtorrent.te | 101 ---- sedoctool.patch | 22 - selinux-policy-20230214.tar.xz | 3 + selinux-policy.changes | 87 ++++ selinux-policy.spec | 105 +---- systemd_domain_dyntrans_type.patch | 13 - update.sh | 23 - wicked.fc | 50 -- wicked.if | 678 --------------------------- wicked.te | 572 ---------------------- 85 files changed, 158 insertions(+), 4089 deletions(-) create mode 100644 README.Update create mode 100644 _service create mode 100644 _servicedata create mode 100644 container-selinux-20230214.tar.xz delete mode 100644 distro_suse_to_distro_redhat.patch delete mode 100644 dontaudit_interface_kmod_tmpfs.patch delete mode 100644 fedora-policy-20230206.tar.bz2 delete mode 100644 fix_accountsd.patch delete mode 100644 fix_alsa.patch delete mode 100644 fix_apache.patch delete mode 100644 fix_auditd.patch delete mode 100644 fix_authlogin.patch delete mode 100644 fix_automount.patch delete mode 100644 fix_bitlbee.patch delete mode 100644 fix_chronyd.patch delete mode 100644 fix_cloudform.patch delete mode 100644 fix_colord.patch delete mode 100644 fix_corecommand.patch delete mode 100644 fix_cron.patch delete mode 100644 fix_dbus.patch delete mode 100644 fix_djbdns.patch delete mode 100644 fix_dnsmasq.patch delete mode 100644 fix_dovecot.patch delete mode 100644 fix_entropyd.patch delete mode 100644 fix_firewalld.patch delete mode 100644 fix_fwupd.patch delete mode 100644 fix_geoclue.patch delete mode 100644 fix_hypervkvp.patch delete mode 100644 fix_init.patch delete mode 100644 fix_ipsec.patch delete mode 100644 
fix_iptables.patch delete mode 100644 fix_irqbalance.patch delete mode 100644 fix_java.patch delete mode 100644 fix_kernel.patch delete mode 100644 fix_kernel_sysctl.patch delete mode 100644 fix_libraries.patch delete mode 100644 fix_locallogin.patch delete mode 100644 fix_logging.patch delete mode 100644 fix_logrotate.patch delete mode 100644 fix_mcelog.patch delete mode 100644 fix_miscfiles.patch delete mode 100644 fix_nagios.patch delete mode 100644 fix_networkmanager.patch delete mode 100644 fix_nis.patch delete mode 100644 fix_nscd.patch delete mode 100644 fix_ntp.patch delete mode 100644 fix_openvpn.patch delete mode 100644 fix_postfix.patch delete mode 100644 fix_rpm.patch delete mode 100644 fix_rtkit.patch delete mode 100644 fix_screen.patch delete mode 100644 fix_selinuxutil.patch delete mode 100644 fix_sendmail.patch delete mode 100644 fix_smartmon.patch delete mode 100644 fix_snapper.patch delete mode 100644 fix_sslh.patch delete mode 100644 fix_sysnetwork.patch delete mode 100644 fix_systemd.patch delete mode 100644 fix_systemd_watch.patch delete mode 100644 fix_thunderbird.patch delete mode 100644 fix_unconfined.patch delete mode 100644 fix_unconfineduser.patch delete mode 100644 fix_unprivuser.patch delete mode 100644 fix_userdomain.patch delete mode 100644 fix_usermanage.patch delete mode 100644 fix_wine.patch delete mode 100644 fix_xserver.patch delete mode 100644 packagekit.fc delete mode 100644 packagekit.if delete mode 100644 packagekit.te delete mode 100644 rebootmgr.fc delete mode 100644 rebootmgr.if delete mode 100644 rebootmgr.te delete mode 100644 rtorrent.fc delete mode 100644 rtorrent.if delete mode 100644 rtorrent.te delete mode 100644 sedoctool.patch create mode 100644 selinux-policy-20230214.tar.xz delete mode 100644 systemd_domain_dyntrans_type.patch delete mode 100644 update.sh delete mode 100644 wicked.fc delete mode 100644 wicked.if delete mode 100644 wicked.te 
diff --git a/README.Update b/README.Update new file mode 100644 index 0000000..d0e3b5c --- /dev/null +++ b/README.Update @@ -0,0 +1,19 @@ +# How to update this project + +This project is updated using obs services. +The obs services pull from git repositories, which are specified in the `_service` file. +Please contribute all changes to the upstream git repositories listed there. + +To update this project to the upstream versions, please make sure you installed these obs services locally: +``` +sudo zypper in obs-service-tar_scm obs-service-recompress obs-service-set_version obs-service-download_files +``` + +Then, generate new tarballs, changelog and version number for this repository by running this command: +``` +osc service manualrun +``` + +Afterwards, please check your local project state and remove old tarballs if necessary. +Then proceed as usual with check-in and build. + diff --git a/_service b/_service new file mode 100644 index 0000000..64a67c0 --- /dev/null +++ b/_service @@ -0,0 +1,26 @@ + + + 1 + %cd + https://gitlab.suse.de/selinux/selinux-policy.git + git + enable + factory + + + 1 + %cd + https://github.com/containers/container-selinux.git + git + enable + main + + + xz + *.tar + + + selinux-policy.spec + + + diff --git a/_servicedata b/_servicedata new file mode 100644 index 0000000..b50b36f --- /dev/null +++ b/_servicedata @@ -0,0 +1,6 @@ + + + https://gitlab.suse.de/selinux/selinux-policy.git + 167da331be8238b650e75d629a925576ca5bf70b + https://github.com/containers/container-selinux.git + 07b3034f6d9625ab84508a2f46515d8ff79b4204 \ No newline at end of file diff --git a/container-selinux-20230214.tar.xz b/container-selinux-20230214.tar.xz new file mode 100644 index 0000000..16fd854 --- /dev/null +++ b/container-selinux-20230214.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:35976ddc019bac7363a4a7eb7f626fc92cf91a19deeca7bb8ff1458dbb0dc936 +size 25128 
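Review bot: The container-selinux source in the new `_service` file tracks the `main` branch of https://github.com/containers/container-selinux.git instead of a fixed tag or commit, so every `osc service manualrun` pulls whatever that third-party branch holds at that moment into the policy build; the SUSE-internal `factory` branch follows the same pattern, though that repository is under project control. The commit ids written to `_servicedata` (e.g. `07b3034f6d9625ab84508a2f46515d8ff79b4204`) only record what the last run fetched and do not constrain the next one. The XML tags are stripped in this rendering, so it is not certain which parameter carries `main`; assuming it is tar_scm's `revision`, pinning it to a tag or commit id and advancing it deliberately with each update would make the package content reproducible and reviewable, and the README.Update hunk on this line should then state that the pin is bumped by hand as part of the update procedure.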
diff --git a/distro_suse_to_distro_redhat.patch b/distro_suse_to_distro_redhat.patch
deleted file mode 100644
index f3832d5..0000000
--- a/distro_suse_to_distro_redhat.patch
+++ /dev/null
@@ -1,209 +0,0 @@ -Index: fedora-policy-20230116/policy/modules/contrib/apache.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/contrib/apache.fc -+++ fedora-policy-20230116/policy/modules/contrib/apache.fc -@@ -74,7 +74,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.* - /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) - /usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) - --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) - ') - -Index: fedora-policy-20230116/policy/modules/contrib/cron.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/contrib/cron.fc -+++ fedora-policy-20230116/policy/modules/contrib/cron.fc -@@ -51,7 +51,7 @@ ifdef(`distro_gentoo',` - /var/spool/cron/lastrun/[^/]* -- <> - ') - --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) - /var/spool/cron/lastrun/[^/]* -- <> - /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -@@ -70,7 +70,7 @@ ifdef(`distro_gentoo',` - /var/spool/cron/lastrun/[^/]* -- <> - ') - --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) - /var/spool/cron/lastrun/[^/]* -- <> - /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) -Index: fedora-policy-20230116/policy/modules/contrib/rpm.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/contrib/rpm.fc -+++ fedora-policy-20230116/policy/modules/contrib/rpm.fc -@@ -82,7 +82,7 @@ ifdef(`distro_redhat', ` - /var/run/PackageKit(/.*)? 
gen_context(system_u:object_r:rpm_var_run_t,s0) - - # SuSE --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) - /sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0) - /var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -Index: fedora-policy-20230116/policy/modules/kernel/corecommands.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/kernel/corecommands.fc -+++ fedora-policy-20230116/policy/modules/kernel/corecommands.fc -@@ -462,7 +462,7 @@ ifdef(`distro_redhat', ` - /usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0) - ') - --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) - /usr/lib/ssh/.* -- gen_context(system_u:object_r:bin_t,s0) -@@ -491,7 +491,7 @@ ifdef(`distro_suse', ` - /var/lib/glusterd/hooks/.*/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) - /var/lib/glusterd/hooks/.*/.*\.py -- gen_context(system_u:object_r:bin_t,s0) - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) - ') - -Index: fedora-policy-20230116/policy/modules/kernel/devices.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/kernel/devices.fc -+++ fedora-policy-20230116/policy/modules/kernel/devices.fc -@@ -148,7 +148,7 @@ - /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) - /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) - /dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0) --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) - ') - /dev/vmci -c gen_context(system_u:object_r:vmci_device_t,s0) -Index: 
fedora-policy-20230116/policy/modules/kernel/files.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/kernel/files.fc -+++ fedora-policy-20230116/policy/modules/kernel/files.fc -@@ -22,7 +22,7 @@ ifdef(`distro_redhat',` - /[^/]+ -- gen_context(system_u:object_r:etc_runtime_t,s0) - ') - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - /success -- gen_context(system_u:object_r:etc_runtime_t,s0) - ') - -@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', ` - /etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0) - ') - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - /etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0) - ') -Index: fedora-policy-20230116/policy/modules/services/xserver.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/services/xserver.fc -+++ fedora-policy-20230116/policy/modules/services/xserver.fc -@@ -189,7 +189,7 @@ ifndef(`distro_debian',` - /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) - /var/run/systemd/multi-session-x(/.*)? 
gen_context(system_u:object_r:xdm_var_run_t,s0) - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) - ') - -Index: fedora-policy-20230116/policy/modules/system/authlogin.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/system/authlogin.fc -+++ fedora-policy-20230116/policy/modules/system/authlogin.fc -@@ -31,7 +31,7 @@ HOME_DIR/\.google_authenticator~ gen_co - /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) - /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - ') - -Index: fedora-policy-20230116/policy/modules/system/init.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/system/init.fc -+++ fedora-policy-20230116/policy/modules/system/init.fc -@@ -92,7 +92,7 @@ ifdef(`distro_gentoo', ` - /var/run/svscan\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0) - ') - --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /var/run/bootsplashctl -p gen_context(system_u:object_r:initrc_var_run_t,s0) - /var/run/keymap -- gen_context(system_u:object_r:initrc_var_run_t,s0) - /var/run/numlock-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) -Index: fedora-policy-20230116/policy/modules/system/init.te -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/system/init.te -+++ fedora-policy-20230116/policy/modules/system/init.te -@@ -1330,7 +1330,7 @@ ifdef(`distro_redhat',` - ') - ') - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - optional_policy(` - # set permissions on /tmp/.X11-unix - xserver_setattr_xdm_tmp_dirs(initrc_t) -Index: 
fedora-policy-20230116/policy/modules/system/libraries.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/system/libraries.fc -+++ fedora-policy-20230116/policy/modules/system/libraries.fc -@@ -329,7 +329,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_ - /var/lib/spamassassin/compiled/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) - /usr/lib/xfce4/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0) - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - /var/lib/samba/bin/.+\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0) - ') - -Index: fedora-policy-20230116/policy/modules/system/locallogin.te -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/system/locallogin.te -+++ fedora-policy-20230116/policy/modules/system/locallogin.te -@@ -274,7 +274,7 @@ ifdef(`enable_mls',` - ') - - # suse and debian do not use pam with sulogin... --ifdef(`distro_suse', `define(`sulogin_no_pam')') -+ifdef(`distro_redhat', `define(`sulogin_no_pam')') - ifdef(`distro_debian', `define(`sulogin_no_pam')') - - allow sulogin_t self:capability sys_tty_config; -Index: fedora-policy-20230116/policy/modules/system/logging.fc -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/system/logging.fc -+++ fedora-policy-20230116/policy/modules/system/logging.fc -@@ -46,7 +46,7 @@ - /var/lib/r?syslog(/.*)? 
gen_context(system_u:object_r:syslogd_var_lib_t,mls_systemhigh) - /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) - --ifdef(`distro_suse', ` -+ifdef(`distro_redhat', ` - /var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0) - ') - -Index: fedora-policy-20230116/policy/modules/system/logging.te -=================================================================== ---- fedora-policy-20230116.orig/policy/modules/system/logging.te -+++ fedora-policy-20230116/policy/modules/system/logging.te -@@ -685,7 +685,7 @@ ifdef(`distro_gentoo',` - term_dontaudit_setattr_unallocated_ttys(syslogd_t) - ') - --ifdef(`distro_suse',` -+ifdef(`distro_redhat',` - # suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel - files_var_lib_filetrans(syslogd_t, devlog_t, sock_file) - ') diff --git a/dontaudit_interface_kmod_tmpfs.patch b/dontaudit_interface_kmod_tmpfs.patch deleted file mode 100644 index 031ead4..0000000 --- a/dontaudit_interface_kmod_tmpfs.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -Index: fedora-policy-20221019/policy/modules/services/xserver.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/services/xserver.te -+++ fedora-policy-20221019/policy/modules/services/xserver.te -@@ -764,6 +764,10 @@ userdom_mounton_tmp_sockets(xdm_t) - userdom_nnp_transition_login_userdomain(xdm_t) - userdom_watch_user_home_dirs(xdm_t) - -+# SUSE uses startproc to start the display manager. While checking for running processes -+# it goes over all running instances, triggering AVCs -+modutils_dontaudit_kmod_tmpfs_getattr(xdm_t) -+ - #userdom_home_manager(xdm_t) - tunable_policy(`xdm_write_home',` - userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file }) -Index: fedora-policy-20221019/policy/modules/system/modutils.if -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/system/modutils.if -+++ fedora-policy-20221019/policy/modules/system/modutils.if -@@ -507,3 +507,21 @@ interface(`modules_filetrans_named_conte - #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols") - #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin") - ') -+ -+####################################### -+## -+## Don't audit accesses to tmp file type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`modutils_dontaudit_kmod_tmpfs_getattr',` -+ gen_require(` -+ type kmod_tmpfs_t; -+ ') -+ -+ dontaudit $1 kmod_tmpfs_t:file { getattr }; -+') diff --git a/fedora-policy-20230206.tar.bz2 b/fedora-policy-20230206.tar.bz2 deleted file mode 100644 index ffdbc93..0000000 --- a/fedora-policy-20230206.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5cf93823fbb8094a509b23be28f1328e7d61a6d564c6265ecbb295c63c188979 -size 736493 diff --git a/fix_accountsd.patch b/fix_accountsd.patch deleted file mode 100644 index 6558c5c..0000000 
--- a/fix_accountsd.patch +++ /dev/null @@ -1,12 +0,0 @@ -Index: fedora-policy/policy/modules/contrib/accountsd.fc -=================================================================== ---- fedora-policy.orig/policy/modules/contrib/accountsd.fc -+++ fedora-policy/policy/modules/contrib/accountsd.fc -@@ -1,6 +1,7 @@ - /usr/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0) - - /usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) -+/usr/lib/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) - - /usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0) - diff --git a/fix_alsa.patch b/fix_alsa.patch deleted file mode 100644 index 0e6b04c..0000000 --- a/fix_alsa.patch +++ /dev/null @@ -1,15 +0,0 @@ -Index: fedora-policy-20221019/policy/modules/contrib/alsa.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/alsa.te -+++ fedora-policy-20221019/policy/modules/contrib/alsa.te -@@ -104,6 +104,10 @@ userdom_manage_unpriv_user_semaphores(al - userdom_manage_unpriv_user_shared_mem(alsa_t) - userdom_search_user_home_dirs(alsa_t) - -+optional_policy(` -+ gnome_read_home_config(alsa_t) -+') -+ - ifdef(`distro_debian',` - term_dontaudit_use_unallocated_ttys(alsa_t) - diff --git a/fix_apache.patch b/fix_apache.patch deleted file mode 100644 index 6b24b83..0000000 --- a/fix_apache.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -Index: fedora-policy-20221019/policy/modules/contrib/apache.if -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/apache.if -+++ fedora-policy-20221019/policy/modules/contrib/apache.if -@@ -2007,3 +2007,25 @@ interface(`apache_read_semaphores',` - - allow $1 httpd_t:sem r_sem_perms; - ') -+ -+####################################### -+## -+## Allow the specified domain to execute -+## httpd_sys_content_t and manage httpd_sys_rw_content_t -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`apache_exec_sys_content',` -+ gen_require(` -+ type httpd_sys_content_t; -+ type httpd_sys_rw_content_t; -+ ') -+ -+ apache_manage_sys_content_rw($1) -+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) -+ can_exec($1, httpd_sys_content_t) -+') diff --git a/fix_auditd.patch b/fix_auditd.patch deleted file mode 100644 index d4d94e0..0000000 --- a/fix_auditd.patch +++ /dev/null @@ -1,12 +0,0 @@ -Index: fedora-policy-20211111/policy/modules/system/logging.if -=================================================================== ---- fedora-policy-20211111.orig/policy/modules/system/logging.if -+++ fedora-policy-20211111/policy/modules/system/logging.if -@@ -431,6 +431,7 @@ interface(`logging_manage_audit_config', - - files_search_etc($1) - manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -+ allow $1 auditd_etc_t:dir mounton; - ') - - ######################################## diff --git a/fix_authlogin.patch b/fix_authlogin.patch deleted file mode 100644 index 7220120..0000000 --- a/fix_authlogin.patch +++ /dev/null 
@@ -1,12 +0,0 @@ -Index: fedora-policy-20211111/policy/modules/system/authlogin.fc -=================================================================== ---- fedora-policy-20211111.orig/policy/modules/system/authlogin.fc -+++ fedora-policy-20211111/policy/modules/system/authlogin.fc -@@ -56,6 +56,7 @@ ifdef(`distro_gentoo', ` - /usr/libexec/chkpwd/tcb_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) - /usr/libexec/chkpwd/tcb_updpwd -- gen_context(system_u:object_r:updpwd_exec_t,s0) - /usr/libexec/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) -+/usr/lib/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) - - /var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0) - diff --git a/fix_automount.patch b/fix_automount.patch deleted file mode 100644 index a702fc7..0000000 --- a/fix_automount.patch +++ /dev/null @@ -1,15 +0,0 @@ -Index: fedora-policy/policy/modules/contrib/automount.te -=================================================================== ---- fedora-policy.orig/policy/modules/contrib/automount.te -+++ fedora-policy/policy/modules/contrib/automount.te -@@ -154,6 +154,10 @@ optional_policy(` - ') - - optional_policy(` -+ networkmanager_read_pid_files(automount_t) -+') -+ -+optional_policy(` - fstools_domtrans(automount_t) - ') - diff --git a/fix_bitlbee.patch b/fix_bitlbee.patch deleted file mode 100644 index 2ce1749..0000000 --- a/fix_bitlbee.patch +++ /dev/null 
@@ -1,12 +0,0 @@ -Index: fedora-policy-20220124/policy/modules/contrib/bitlbee.fc -=================================================================== ---- fedora-policy-20220124.orig/policy/modules/contrib/bitlbee.fc -+++ fedora-policy-20220124/policy/modules/contrib/bitlbee.fc -@@ -9,6 +9,5 @@ - - /var/log/bip.* gen_context(system_u:object_r:bitlbee_log_t,s0) - --/var/run/bitlbee\.pid -- gen_context(system_u:object_r:bitlbee_var_run_t,s0) --/var/run/bitlbee\.sock -s gen_context(system_u:object_r:bitlbee_var_run_t,s0) -+/var/run/bitlbee(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0) - /var/run/bip(/.*)? gen_context(system_u:object_r:bitlbee_var_run_t,s0) diff --git a/fix_chronyd.patch b/fix_chronyd.patch deleted file mode 100644 index 1ea9a55..0000000 --- a/fix_chronyd.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -Index: fedora-policy-20221019/policy/modules/contrib/chronyd.te -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.te -+++ fedora-policy-20221019/policy/modules/contrib/chronyd.te -@@ -144,6 +144,15 @@ systemd_exec_systemctl(chronyd_t) - userdom_dgram_send(chronyd_t) - - optional_policy(` -+ networkmanager_read_pid_files(chronyd_t) -+ networkmanager_dispatcher_custom_dgram_send(chronyd_t) -+') -+ -+optional_policy(` -+ wicked_read_pid_files(chronyd_t) -+') -+ -+optional_policy(` - cron_dgram_send(chronyd_t) - ') - -Index: fedora-policy-20221019/policy/modules/contrib/chronyd.fc -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.fc -+++ fedora-policy-20221019/policy/modules/contrib/chronyd.fc -@@ -6,6 +6,8 @@ - - /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) - /usr/libexec/chrony-helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) -+/usr/lib/chrony/helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) -+/usr/libexec/chrony/helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) - - /usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0) - -Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if -=================================================================== ---- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.if -+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.if -@@ -684,3 +684,22 @@ template(`networkmanager_dispatcher_plug - - domtrans_pattern(NetworkManager_dispatcher_t, NetworkManager_dispatcher_$1_script_t, NetworkManager_dispatcher_$1_t) - ') -+ -+######################################## -+## -+## Send a message to NetworkManager_dispatcher_custom -+## over a unix domain datagram socket. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`networkmanager_dispatcher_custom_dgram_send',` -+ gen_require(` -+ type NetworkManager_dispatcher_custom_t; -+ ') -+ -+ allow $1 NetworkManager_dispatcher_custom_t:unix_dgram_socket sendto; -+') diff --git a/fix_cloudform.patch b/fix_cloudform.patch deleted file mode 100644 index cac7161..0000000 --- a/fix_cloudform.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: fedora-policy/policy/modules/contrib/cloudform.te -=================================================================== ---- cloudform.te 2022-07-18 14:06:56.735383426 +0200 -+++ cloudform.te.new 2022-07-18 14:07:36.003069544 +0200 -@@ -81,6 +81,8 @@ - - init_dbus_chat(cloud_init_t) - -+snapper_dbus_chat(cloud_init_t) -+ - kernel_read_network_state(cloud_init_t) - - corenet_tcp_connect_http_port(cloud_init_t) diff --git a/fix_colord.patch b/fix_colord.patch deleted file mode 100644 index 763641f..0000000 --- a/fix_colord.patch +++ /dev/null 
@@ -1,25 +0,0 @@
-Index: fedora-policy-20211111/policy/modules/contrib/colord.fc
-===================================================================
---- fedora-policy-20211111.orig/policy/modules/contrib/colord.fc
-+++ fedora-policy-20211111/policy/modules/contrib/colord.fc
-@@ -6,6 +6,8 @@
-
- /usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
- /usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
-+/usr/lib/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
-+/usr/lib/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
-
- /usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0)
-
-Index: fedora-policy-20211111/policy/modules/contrib/colord.te
-===================================================================
---- fedora-policy-20211111.orig/policy/modules/contrib/colord.te
-+++ fedora-policy-20211111/policy/modules/contrib/colord.te
-@@ -17,6 +17,7 @@ type colord_t;
- type colord_exec_t;
- dbus_system_domain(colord_t, colord_exec_t)
- init_daemon_domain(colord_t, colord_exec_t)
-+init_nnp_daemon_domain(colord_t)
-
- type colord_tmp_t;
- files_tmp_file(colord_tmp_t)
diff --git a/fix_corecommand.patch b/fix_corecommand.patch
deleted file mode 100644
index 60362f2..0000000
--- a/fix_corecommand.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-Index: fedora-policy/policy/modules/kernel/corecommands.fc
-===================================================================
---- fedora-policy.orig/policy/modules/kernel/corecommands.fc
-+++ fedora-policy/policy/modules/kernel/corecommands.fc
-@@ -86,7 +86,10 @@ ifdef(`distro_redhat',`
-
- /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
-
--/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
-+
-+/etc/netconfig.d/.* -- gen_context(system_u:object_r:bin_t,s0)
-+
-+/etc/mcelog/.*-error.*-trigger -- gen_context(system_u:object_r:bin_t,s0)
- /etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0)
- /etc/mcelog/.*\.setup -- gen_context(system_u:object_r:bin_t,s0)
-
-@@ -251,6 +254,21 @@ ifdef(`distro_gentoo',`
- /usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/gnome-settings-daemon/.* -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-settings-daemon-3.0/.* -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-calculator-search-provider -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-control-center-search-provider -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-photos-thumbnailer -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-rr-debug -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-session-binary -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-session-check-accelerated -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-session-check-accelerated-gles-helper -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-session-check-accelerated-gl-helper -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-session-failed -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-software-cmd -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-software-restarter -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-terminal-migration -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-terminal-server -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/gnome-tweak-tool-lid-inhibitor -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/gvfs/.* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -313,6 +331,8 @@ ifdef(`distro_gentoo',`
-
- /usr/lib/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+# also covers /usr/lib64/libexec due to equivalency rule '/usr/lib64 /usr/lib'
-+/usr/lib/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
- /usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
- /usr/libexec/cockpit-agent -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -324,6 +344,8 @@ ifdef(`distro_gentoo',`
-
- /usr/lib/xfce4(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-+/usr/lib/build/.* -- gen_context(system_u:object_r:bin_t,s0)
-+
- /usr/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
-@@ -391,6 +413,7 @@ ifdef(`distro_debian',`
- /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0)
- ')
-+/usr/lib/gdm/.* -- gen_context(system_u:object_r:bin_t,s0)
-
- ifdef(`distro_gentoo', `
- /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/fix_cron.patch b/fix_cron.patch
deleted file mode 100644
index 203162a..0000000
--- a/fix_cron.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/cron.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/cron.fc
-+++ fedora-policy-20221019/policy/modules/contrib/cron.fc
-@@ -34,7 +34,7 @@
-
- /var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
- #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
--/var/spool/cron/USER -- gen_context(system_u:object_r:user_cron_spool_t,s0)
-+/var/spool/cron/tabs/USER -- gen_context(system_u:object_r:user_cron_spool_t,s0)
-
- /var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
- /var/spool/cron/crontabs/.* -- <>
-@@ -55,6 +55,10 @@ ifdef(`distro_redhat', `
- /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
- /var/spool/cron/lastrun/[^/]* -- <>
- /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
-+
-+/var/spool/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
-+/var/spool/atjobs/.SEQ -- gen_context(system_u:object_r:user_cron_spool_t,s0)
-+/var/spool/atjobs/[^/]* -- <>
- ')
-
- ifdef(`distro_debian',`
-@@ -69,9 +73,3 @@ ifdef(`distro_gentoo',`
- /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
- /var/spool/cron/lastrun/[^/]* -- <>
- ')
--
--ifdef(`distro_redhat', `
--/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
--/var/spool/cron/lastrun/[^/]* -- <>
--/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
--')
-Index: fedora-policy-20221019/policy/modules/contrib/cron.if
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/cron.if
-+++ fedora-policy-20221019/policy/modules/contrib/cron.if
-@@ -1075,7 +1075,7 @@ interface(`cron_generic_log_filetrans_lo
- #
- interface(`cron_system_spool_entrypoint',`
- gen_require(`
-- attribute system_cron_spool_t;
-+ type system_cron_spool_t;
- ')
- allow $1 system_cron_spool_t:file entrypoint;
- ')
diff --git a/fix_dbus.patch b/fix_dbus.patch
deleted file mode 100644
index 00440bd..0000000
--- a/fix_dbus.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/dbus.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/dbus.te
-+++ fedora-policy-20221019/policy/modules/contrib/dbus.te
-@@ -81,6 +81,7 @@ manage_dirs_pattern(system_dbusd_t, syst
- manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
- manage_sock_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
- files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file sock_file })
-+allow system_dbusd_t system_dbusd_tmp_t:file execute;
-
- manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
- manage_dirs_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
-@@ -109,6 +110,8 @@ files_read_var_lib_symlinks(system_dbusd
- files_rw_inherited_non_security_files(system_dbusd_t)
- files_watch_usr_dirs(system_dbusd_t)
- files_watch_var_lib_dirs(system_dbusd_t)
-+# bsc#1205895
-+files_watch_lib_dirs(system_dbusd_t)
-
- fs_getattr_all_fs(system_dbusd_t)
- fs_search_auto_mountpoints(system_dbusd_t)
diff --git a/fix_djbdns.patch b/fix_djbdns.patch
deleted file mode 100644
index c3015b7..0000000
--- a/fix_djbdns.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/djbdns.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/djbdns.te 2019-08-05 09:39:48.641670181 +0200
-+++ fedora-policy/policy/modules/contrib/djbdns.te 2019-08-05 09:53:08.383084236 +0200
-@@ -24,28 +24,6 @@ allow djbdns_domain self:fifo_file rw_fi
- allow djbdns_domain self:tcp_socket create_stream_socket_perms;
- allow djbdns_domain self:udp_socket create_socket_perms;
-
--corenet_all_recvfrom_unlabeled(djbdns_domain)
--corenet_all_recvfrom_netlabel(djbdns_domain)
--corenet_tcp_sendrecv_generic_if(djbdns_domain)
--corenet_udp_sendrecv_generic_if(djbdns_domain)
--corenet_tcp_sendrecv_generic_node(djbdns_domain)
--corenet_udp_sendrecv_generic_node(djbdns_domain)
--corenet_tcp_sendrecv_all_ports(djbdns_domain)
--corenet_udp_sendrecv_all_ports(djbdns_domain)
--corenet_tcp_bind_generic_node(djbdns_domain)
--corenet_udp_bind_generic_node(djbdns_domain)
--
--corenet_sendrecv_dns_server_packets(djbdns_domain)
--corenet_tcp_bind_dns_port(djbdns_domain)
--corenet_udp_bind_dns_port(djbdns_domain)
--
--corenet_sendrecv_dns_client_packets(djbdns_domain)
--corenet_tcp_connect_dns_port(djbdns_domain)
--
--corenet_sendrecv_generic_server_packets(djbdns_domain)
--corenet_tcp_bind_generic_port(djbdns_domain)
--corenet_udp_bind_generic_port(djbdns_domain)
--
- files_search_var(djbdns_domain)
-
- daemontools_ipc_domain(djbdns_axfrdns_t)
diff --git a/fix_dnsmasq.patch b/fix_dnsmasq.patch
deleted file mode 100644
index d9f6e29..0000000
--- a/fix_dnsmasq.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20230116/policy/modules/contrib/dnsmasq.te
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/contrib/dnsmasq.te
-+++ fedora-policy-20230116/policy/modules/contrib/dnsmasq.te
-@@ -116,6 +116,7 @@ libs_exec_ldconfig(dnsmasq_t)
- logging_send_syslog_msg(dnsmasq_t)
-
- miscfiles_read_public_files(dnsmasq_t)
-+sysnet_manage_config_dirs(dnsmasq_t)
-
- userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
- userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
diff --git a/fix_dovecot.patch b/fix_dovecot.patch
deleted file mode 100644
index f88cff1..0000000
--- a/fix_dovecot.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Index: fedora-policy-20210419/policy/modules/contrib/dovecot.fc
-===================================================================
---- fedora-policy-20210419.orig/policy/modules/contrib/dovecot.fc
-+++ fedora-policy-20210419/policy/modules/contrib/dovecot.fc
-@@ -34,6 +34,10 @@ ifdef(`distro_redhat', `
- /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
- ')
-
-+/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-+/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
-+
- #
- # /var
- #
diff --git a/fix_entropyd.patch b/fix_entropyd.patch
deleted file mode 100644
index 33cf71a..0000000
--- a/fix_entropyd.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-Index: fedora-policy-20230206/policy/modules/contrib/entropyd.te
-===================================================================
---- fedora-policy-20230206.orig/policy/modules/contrib/entropyd.te
-+++ fedora-policy-20230206/policy/modules/contrib/entropyd.te
-@@ -24,6 +24,9 @@ init_script_file(entropyd_initrc_exec_t)
- type entropyd_var_run_t;
- files_pid_file(entropyd_var_run_t)
-
-+type entropyd_tmpfs_t;
-+files_tmpfs_file(entropyd_tmpfs_t)
-+
- ########################################
- #
- # Local policy
-@@ -36,6 +39,10 @@ allow entropyd_t self:process signal_per
- manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
- files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
-
-+manage_dirs_pattern(entropyd_t, entropyd_tmpfs_t, entropyd_tmpfs_t)
-+manage_files_pattern(entropyd_t, entropyd_tmpfs_t, entropyd_tmpfs_t)
-+fs_tmpfs_filetrans(entropyd_t, entropyd_tmpfs_t, { file })
-+
- kernel_read_system_state(entropyd_t)
- kernel_rw_kernel_sysctl(entropyd_t)
-
-@@ -47,6 +54,8 @@ dev_write_rand(entropyd_t)
-
- fs_getattr_all_fs(entropyd_t)
- fs_search_auto_mountpoints(entropyd_t)
-+# not great, but necessary for now since I can't get sem.haveged_sem to have a proper label
-+fs_rw_tmpfs_files(entropyd_t)
-
- domain_use_interactive_fds(entropyd_t)
-
-Index: fedora-policy-20230206/policy/modules/contrib/entropyd.if
-===================================================================
---- fedora-policy-20230206.orig/policy/modules/contrib/entropyd.if
-+++ fedora-policy-20230206/policy/modules/contrib/entropyd.if
-@@ -33,3 +33,22 @@ interface(`entropyd_admin',`
- files_search_pids($1)
- admin_pattern($1, entropyd_var_run_t)
- ')
-+
-+########################################
-+##
-+## Transition kernel created semaphore to correct type
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`entropyd_semaphore_filetrans',`
-+ gen_require(`
-+ type entropyd_tmpfs_t;
-+ ')
-+
-+ fs_tmpfs_filetrans($1, entropyd_tmpfs_t, file, "sem.haveged_sem")
-+')
-Index: fedora-policy-20230206/policy/modules/kernel/kernel.te
-===================================================================
---- fedora-policy-20230206.orig/policy/modules/kernel/kernel.te
-+++ fedora-policy-20230206/policy/modules/kernel/kernel.te
-@@ -401,6 +401,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ entropyd_semaphore_filetrans(kernel_t)
-+')
-+
-+optional_policy(`
- abrt_filetrans_named_content(kernel_t)
- abrt_dump_oops_domtrans(kernel_t)
- ')
diff --git a/fix_firewalld.patch b/fix_firewalld.patch
deleted file mode 100644
index 1e455b7..0000000
--- a/fix_firewalld.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-Index: fedora-policy-20211111/policy/modules/contrib/firewalld.te
-===================================================================
---- fedora-policy-20211111.orig/policy/modules/contrib/firewalld.te
-+++ fedora-policy-20211111/policy/modules/contrib/firewalld.te
-@@ -131,6 +131,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ iptables_manage_var_lib_files(firewalld_t)
- iptables_domtrans(firewalld_t)
- iptables_read_var_run(firewalld_t)
- ')
-Index: fedora-policy-20211111/policy/modules/system/iptables.if
-===================================================================
---- fedora-policy-20211111.orig/policy/modules/system/iptables.if
-+++ fedora-policy-20211111/policy/modules/system/iptables.if
-@@ -2,6 +2,25 @@
-
- ########################################
- ##
-+## Allow management of iptables_var_lib_t files
-+##
-+##
-+##
-+## Domain allowed to mange files
-+##
-+##
-+#
-+interface(`iptables_manage_var_lib_files',`
-+ gen_require(`
-+ type iptables_var_lib_t;
-+ ')
-+
-+ manage_dirs_pattern($1, iptables_var_lib_t, iptables_var_lib_t)
-+ manage_files_pattern($1, iptables_var_lib_t, iptables_var_lib_t)
-+')
-+
-+########################################
-+##
- ## Execute iptables in the iptables domain.
- ##
- ##
diff --git a/fix_fwupd.patch b/fix_fwupd.patch
deleted file mode 100644
index 2c970f5..0000000
--- a/fix_fwupd.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Index: fedora-policy-20230116/policy/modules/contrib/fwupd.fc
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/contrib/fwupd.fc
-+++ fedora-policy-20230116/policy/modules/contrib/fwupd.fc
-@@ -2,9 +2,9 @@
-
- /etc/pki/(fwupd|fwupd-metadata)(/.*)? gen_context(system_u:object_r:fwupd_cert_t,s0)
-
--/usr/libexec/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0)
--/usr/libexec/fwupd/fwupdoffline -- gen_context(system_u:object_r:fwupd_exec_t,s0)
--/usr/libexec/fwupd/fwupd-detect-cet -- gen_context(system_u:object_r:fwupd_exec_t,s0)
-+/usr/lib(exec)?/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0)
-+/usr/lib(exec)?/fwupd/fwupdoffline -- gen_context(system_u:object_r:fwupd_exec_t,s0)
-+/usr/lib(exec)?/fwupd/fwupd-detect-cet -- gen_context(system_u:object_r:fwupd_exec_t,s0)
-
- /var/cache/app-info(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0)
- /var/cache/fwupd(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0)
diff --git a/fix_geoclue.patch b/fix_geoclue.patch
deleted file mode 100644
index 0d05684..0000000
--- a/fix_geoclue.patch
+++ /dev/null
@@ -1,10 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/geoclue.fc
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/geoclue.fc
-+++ fedora-policy/policy/modules/contrib/geoclue.fc
-@@ -1,4 +1,4 @@
--
-+/usr/lib/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
- /usr/libexec/geoclue -- gen_context(system_u:object_r:geoclue_exec_t,s0)
-
- /var/lib/geoclue(/.*)? gen_context(system_u:object_r:geoclue_var_lib_t,s0)
diff --git a/fix_hypervkvp.patch b/fix_hypervkvp.patch
deleted file mode 100644
index 3cac649..0000000
--- a/fix_hypervkvp.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Index: fedora-policy-20220124/policy/modules/contrib/hypervkvp.fc
-===================================================================
---- fedora-policy-20220124.orig/policy/modules/contrib/hypervkvp.fc
-+++ fedora-policy-20220124/policy/modules/contrib/hypervkvp.fc
-@@ -3,8 +3,10 @@
- /usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_file_t,s0)
-
- /usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
-+/usr/lib/hyper-v/bin/.*kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
- /usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
-
- /usr/sbin/hypervvssd -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)
-+/usr/lib/hyper-v/bin/.*vss_daemon -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)
-
- /var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
diff --git a/fix_init.patch b/fix_init.patch
deleted file mode 100644
index e33e0e5..0000000
--- a/fix_init.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-Index: fedora-policy-20230116/policy/modules/system/init.te
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/system/init.te
-+++ fedora-policy-20230116/policy/modules/system/init.te
-@@ -270,6 +270,8 @@ corecmd_exec_bin(init_t)
- corenet_all_recvfrom_netlabel(init_t)
- corenet_tcp_bind_all_ports(init_t)
- corenet_udp_bind_all_ports(init_t)
-+corenet_udp_bind_generic_node(init_t)
-+corenet_tcp_bind_generic_node(init_t)
-
- dev_create_all_files(init_t)
- dev_create_all_chr_files(init_t)
-@@ -396,6 +398,7 @@ logging_manage_audit_config(init_t)
- logging_create_syslog_netlink_audit_socket(init_t)
- logging_write_var_log_dirs(init_t)
- logging_manage_var_log_symlinks(init_t)
-+logging_dgram_accept(init_t)
-
- seutil_read_config(init_t)
- seutil_read_login_config(init_t)
-@@ -448,9 +451,19 @@ ifdef(`distro_redhat',`
- corecmd_shell_domtrans(init_t, initrc_t)
-
- storage_raw_rw_fixed_disk(init_t)
-+storage_raw_read_removable_device(init_t)
-
- sysnet_read_dhcpc_state(init_t)
-
-+# bsc#1197610, find a better, generic solution
-+optional_policy(`
-+ mta_getattr_spool(init_t)
-+')
-+
-+optional_policy(`
-+ networkmanager_initrc_read_lnk_files(init_t)
-+')
-+
- optional_policy(`
- anaconda_stream_connect(init_t)
- anaconda_create_unix_stream_sockets(init_t)
-@@ -582,10 +595,10 @@ tunable_policy(`init_audit_control',`
- allow init_t self:system all_system_perms;
- allow init_t self:system module_load;
- allow init_t self:unix_dgram_socket { create_socket_perms sendto };
--allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec };
-+allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec execmem };
- allow init_t self:process { getcap setcap };
- allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom };
--allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
-+allow init_t
self:netlink_kobject_uevent_socket create_socket_perms;
- allow init_t self:netlink_selinux_socket create_socket_perms;
- allow init_t self:unix_dgram_socket lock;
- # Until systemd is fixed
-@@ -645,6 +658,7 @@ files_delete_all_spool_sockets(init_t)
- files_create_var_lib_dirs(init_t)
- files_create_var_lib_symlinks(init_t)
- files_read_var_lib_symlinks(init_t)
-+files_read_var_files(init_t)
- files_manage_urandom_seed(init_t)
- files_list_locks(init_t)
- files_list_spool(init_t)
-@@ -682,7 +696,7 @@ fs_list_all(init_t)
- fs_list_auto_mountpoints(init_t)
- fs_register_binary_executable_type(init_t)
- fs_relabel_tmpfs_sock_file(init_t)
--fs_rw_tmpfs_files(init_t)
-+fs_rw_tmpfs_files(init_t)
- fs_relabel_cgroup_dirs(init_t)
- fs_search_cgroup_dirs(init_t)
- # for network namespaces
-@@ -738,6 +752,7 @@ systemd_write_inherited_logind_sessions_
- create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
-
- create_dirs_pattern(init_t, var_log_t, var_log_t)
-+files_manage_var_files(init_t)
-
- auth_use_nsswitch(init_t)
- auth_rw_login_records(init_t)
-@@ -1592,6 +1607,8 @@ optional_policy(`
-
- optional_policy(`
- postfix_list_spool(initrc_t)
-+ #allow init_t postfix_map_exec_t:file { open read execute execute_no_trans ioctl };
-+ postfix_domtrans_map(init_t)
- ')
-
- optional_policy(`
diff --git a/fix_ipsec.patch b/fix_ipsec.patch
deleted file mode 100644
index f303a0a..0000000
--- a/fix_ipsec.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Index: fedora-policy-20230116/policy/modules/system/ipsec.te
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/system/ipsec.te
-+++ fedora-policy-20230116/policy/modules/system/ipsec.te
-@@ -88,6 +88,7 @@ allow ipsec_t self:tcp_socket create_str
- allow ipsec_t self:udp_socket create_socket_perms;
- allow ipsec_t self:packet_socket create_socket_perms;
- allow ipsec_t self:key_socket create_socket_perms;
-+allow ipsec_t self:alg_socket create_socket_perms;
- allow ipsec_t self:fifo_file read_fifo_file_perms;
- allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
- allow ipsec_t self:netlink_selinux_socket create_socket_perms;
-@@ -270,6 +271,7 @@ allow ipsec_mgmt_t self:unix_stream_sock
- allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
- allow ipsec_mgmt_t self:udp_socket create_socket_perms;
- allow ipsec_mgmt_t self:key_socket create_socket_perms;
-+allow ipsec_mgmt_t self:alg_socket create_socket_perms;
- allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
- allow ipsec_mgmt_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
- allow ipsec_mgmt_t self:netlink_route_socket { create_netlink_socket_perms };
diff --git a/fix_iptables.patch b/fix_iptables.patch
deleted file mode 100644
index bb149fd..0000000
--- a/fix_iptables.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20220428/policy/modules/system/iptables.te
-===================================================================
---- fedora-policy-20220428.orig/policy/modules/system/iptables.te
-+++ fedora-policy-20220428/policy/modules/system/iptables.te
-@@ -76,6 +76,7 @@ kernel_read_network_state(iptables_t)
- kernel_read_kernel_sysctls(iptables_t)
- kernel_use_fds(iptables_t)
- kernel_rw_net_sysctls(iptables_t)
-+kernel_rw_pipes(iptables_t)
- kernel_search_network_sysctl(iptables_t)
-
-
diff --git a/fix_irqbalance.patch b/fix_irqbalance.patch
deleted file mode 100644
index 3760aa3..0000000
--- a/fix_irqbalance.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/irqbalance.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/irqbalance.te
-+++ fedora-policy-20221019/policy/modules/contrib/irqbalance.te
-@@ -24,7 +24,7 @@ files_pid_file(irqbalance_var_run_t)
- allow irqbalance_t self:capability { setpcap net_admin };
- dontaudit irqbalance_t self:capability sys_tty_config;
- allow irqbalance_t self:process { getcap getsched setcap signal_perms };
--allow irqbalance_t self:udp_socket create_socket_perms;
-+allow irqbalance_t self:{udp_socket netlink_generic_socket} create_socket_perms;
-
- manage_dirs_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
- manage_files_pattern(irqbalance_t, irqbalance_var_run_t, irqbalance_var_run_t)
diff --git a/fix_java.patch b/fix_java.patch
deleted file mode 100644
index f1f2358..0000000
--- a/fix_java.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/java.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/java.te 2019-08-05 13:50:32.925673660 +0200
-+++ fedora-policy/policy/modules/contrib/java.te 2019-08-05 14:06:51.896425229 +0200
-@@ -21,6 +21,7 @@ roleattribute system_r java_roles;
- attribute_role unconfined_java_roles;
-
- type java_t, java_domain;
-+typealias java_t alias java_domain_t;
- type java_exec_t;
- userdom_user_application_domain(java_t, java_exec_t)
- typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
-@@ -71,19 +72,9 @@ can_exec(java_domain, { java_exec_t java
- kernel_read_all_sysctls(java_domain)
- kernel_search_vm_sysctl(java_domain)
- kernel_read_network_state(java_domain)
--kernel_read_system_state(java_domain)
-
- corecmd_search_bin(java_domain)
-
--corenet_all_recvfrom_unlabeled(java_domain)
--corenet_all_recvfrom_netlabel(java_domain)
--corenet_tcp_sendrecv_generic_if(java_domain)
--corenet_tcp_sendrecv_generic_node(java_domain)
--
--corenet_sendrecv_all_client_packets(java_domain)
--corenet_tcp_connect_all_ports(java_domain)
--corenet_tcp_sendrecv_all_ports(java_domain)
--
- dev_read_sound(java_domain)
- dev_write_sound(java_domain)
- dev_read_urand(java_domain)
-@@ -95,8 +86,6 @@ files_read_etc_runtime_files(java_domain
- fs_getattr_all_fs(java_domain)
- fs_dontaudit_rw_tmpfs_files(java_domain)
-
--logging_send_syslog_msg(java_domain)
--
- miscfiles_read_localization(java_domain)
- miscfiles_read_fonts(java_domain)
-
diff --git a/fix_kernel.patch b/fix_kernel.patch
deleted file mode 100644
index 710e788..0000000
--- a/fix_kernel.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-Index: fedora-policy-20230206/policy/modules/kernel/kernel.te
-===================================================================
---- fedora-policy-20230206.orig/policy/modules/kernel/kernel.te
-+++ fedora-policy-20230206/policy/modules/kernel/kernel.te
-@@ -393,6 +393,13 @@ ifdef(`distro_redhat',`
- fs_rw_tmpfs_chr_files(kernel_t)
- ')
-
-+# this is a temporary fix. This permission doesn't make a lot of sense, but
-+# without a kernel change there's not much we can do about it. I don't want to
-+# audit it due to the unknown impact (happens e.g. during firewall changes)
-+optional_policy(`
-+ modutils_execute_kmod_tmpfs_files(kernel_t)
-+')
-+
- optional_policy(`
- abrt_filetrans_named_content(kernel_t)
- abrt_dump_oops_domtrans(kernel_t)
-@@ -418,6 +425,7 @@ optional_policy(`
- init_dbus_chat(kernel_t)
- init_sigchld(kernel_t)
- init_dyntrans(kernel_t)
-+ init_read_state(kernel_t)
- ')
-
- optional_policy(`
-@@ -519,6 +527,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ xserver_read_xdm_state(kernel_t)
- xserver_xdm_manage_spool(kernel_t)
- xserver_filetrans_home_content(kernel_t)
- ')
-Index: fedora-policy-20230206/policy/modules/system/modutils.if
-===================================================================
---- fedora-policy-20230206.orig/policy/modules/system/modutils.if
-+++ fedora-policy-20230206/policy/modules/system/modutils.if
-@@ -525,3 +525,21 @@ interface(`modutils_dontaudit_kmod_tmpfs
-
- dontaudit $1 kmod_tmpfs_t:file { getattr };
- ')
-+
-+#######################################
-+##
-+## Execute accesses to tmp file type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`modutils_execute_kmod_tmpfs_files',`
-+ gen_require(`
-+ type kmod_tmpfs_t;
-+ ')
-+
-+ allow $1 kmod_tmpfs_t:file { execute execute_no_trans };
-+')
diff --git a/fix_kernel_sysctl.patch b/fix_kernel_sysctl.patch
deleted file mode 100644
index fb5a8bd..0000000
--- a/fix_kernel_sysctl.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-Index: fedora-policy-20230116/policy/modules/kernel/files.fc
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/kernel/files.fc
-+++ fedora-policy-20230116/policy/modules/kernel/files.fc
-@@ -242,6 +242,8 @@ ifdef(`distro_redhat',`
- /usr/lib/ostree-boot(/.*)? gen_context(system_u:object_r:usr_t,s0)
- /usr/lib/modules(/.*)/vmlinuz -- gen_context(system_u:object_r:usr_t,s0)
- /usr/lib/modules(/.*)/initramfs.img -- gen_context(system_u:object_r:usr_t,s0)
-+/usr/lib/modules(/.*)/sysctl.conf -- gen_context(system_u:object_r:usr_t,s0)
-+/usr/lib/modules(/.*)/System.map -- gen_context(system_u:object_r:system_map_t,s0)
-
- /usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
-
-Index: fedora-policy-20230116/policy/modules/system/systemd.te
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20230116/policy/modules/system/systemd.te
-@@ -1113,6 +1113,8 @@ init_stream_connect(systemd_sysctl_t)
- logging_send_syslog_msg(systemd_sysctl_t)
-
- systemd_read_efivarfs(systemd_sysctl_t)
-+# kernel specific sysctl.conf may be in modules dir
-+allow systemd_sysctl_t modules_object_t:dir search;
-
- #######################################
- #
diff --git a/fix_libraries.patch b/fix_libraries.patch
deleted file mode 100644
index a6a228f..0000000
--- a/fix_libraries.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: fedora-policy-20210419/policy/modules/system/libraries.fc
-===================================================================
---- fedora-policy-20210419.orig/policy/modules/system/libraries.fc
-+++ fedora-policy-20210419/policy/modules/system/libraries.fc
-@@ -124,6 +124,8 @@ ifdef(`distro_redhat',`
-
- /usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
-
-+/usr/lib/libreoffice/program/resource.* -- gen_context(system_u:object_r:lib_t,s0)
-+
- /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
- /usr/lib/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/fix_locallogin.patch b/fix_locallogin.patch
deleted file mode 100644
index cdee73c..0000000
--- a/fix_locallogin.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Index: fedora-policy-20220624/policy/modules/system/locallogin.te
-===================================================================
---- fedora-policy-20220624.orig/policy/modules/system/locallogin.te
-+++ fedora-policy-20220624/policy/modules/system/locallogin.te
-@@ -63,6 +63,7 @@ kernel_read_system_state(local_login_t)
- kernel_read_kernel_sysctls(local_login_t)
- kernel_search_key(local_login_t)
- kernel_link_key(local_login_t)
-+kernel_getattr_proc(local_login_t)
-
- corecmd_list_bin(local_login_t)
- corecmd_read_bin_symlinks(local_login_t)
-@@ -137,6 +138,7 @@ auth_rw_faillog(local_login_t)
- auth_manage_pam_console_data(local_login_t)
- auth_domtrans_pam_console(local_login_t)
- auth_use_nsswitch(local_login_t)
-+auth_read_shadow(local_login_t)
-
- init_dontaudit_use_fds(local_login_t)
- init_stream_connect(local_login_t)
diff --git a/fix_logging.patch b/fix_logging.patch
deleted file mode 100644
index 612c515..0000000
--- a/fix_logging.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Index: fedora-policy-20230116/policy/modules/system/logging.fc
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/system/logging.fc
-+++ fedora-policy-20230116/policy/modules/system/logging.fc
-@@ -3,6 +3,8 @@
- /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
-+/var/run/rsyslog/additional-log-sockets.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
-+/run/rsyslog/additional-log-sockets.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
- /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
- /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
-@@ -83,6 +85,7 @@ ifdef(`distro_redhat',`
- /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
- /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
- /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
-+/var/run/rsyslog(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
- /var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
- 
- /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
-Index: fedora-policy-20230116/policy/modules/system/logging.if
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/system/logging.if
-+++ fedora-policy-20230116/policy/modules/system/logging.if
-@@ -1806,3 +1806,22 @@ interface(`logging_dgram_send',`
- 
- allow $1 syslogd_t:unix_dgram_socket sendto;
- ')
-+
-+########################################
-+##
-+## Accept a message to syslogd over a unix domain
-+## datagram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`logging_dgram_accept',`
-+ gen_require(`
-+ type syslogd_t;
-+ ')
-+
-+ allow $1 syslogd_t:unix_dgram_socket accept;
-+')
diff --git a/fix_logrotate.patch b/fix_logrotate.patch
deleted file mode 100644
index 7cb2f23..0000000
--- a/fix_logrotate.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20210628/policy/modules/contrib/logrotate.te
-===================================================================
---- fedora-policy-20210628.orig/policy/modules/contrib/logrotate.te
-+++ fedora-policy-20210628/policy/modules/contrib/logrotate.te
-@@ -104,6 +104,7 @@ files_var_lib_filetrans(logrotate_t, log
- 
- kernel_read_system_state(logrotate_t)
- kernel_read_kernel_sysctls(logrotate_t)
-+files_manage_mounttab(logrotate_t)
- 
- dev_read_urand(logrotate_t)
- dev_read_sysfs(logrotate_t)
diff --git a/fix_mcelog.patch b/fix_mcelog.patch
deleted file mode 100644
index 66c37cf..0000000
--- a/fix_mcelog.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/mcelog.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/mcelog.te
-+++ fedora-policy/policy/modules/contrib/mcelog.te
-@@ -58,7 +58,7 @@ files_pid_file(mcelog_var_run_t)
- # Local policy
- #
- 
--allow mcelog_t self:capability sys_admin;
-+allow mcelog_t self:capability { sys_admin setgid };
- allow mcelog_t self:unix_stream_socket connected_socket_perms;
- 
- allow mcelog_t mcelog_etc_t:dir list_dir_perms;
diff --git a/fix_miscfiles.patch b/fix_miscfiles.patch
deleted file mode 100644
index 9a954e0..0000000
--- a/fix_miscfiles.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy/policy/modules/system/miscfiles.fc
-===================================================================
---- fedora-policy.orig/policy/modules/system/miscfiles.fc 2019-08-05 09:39:39.117510678 +0200
-+++ fedora-policy/policy/modules/system/miscfiles.fc 2019-08-22 12:44:01.678484113 +0200
-@@ -46,6 +46,7 @@ ifdef(`distro_redhat',`
- /usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
- 
- /usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
-+/var/lib/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
- /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
- /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
- /usr/share/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
diff --git a/fix_nagios.patch b/fix_nagios.patch
deleted file mode 100644
index 08fdbf0..0000000
--- a/fix_nagios.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/nagios.fc
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/nagios.fc
-+++ fedora-policy/policy/modules/contrib/nagios.fc
-@@ -24,6 +24,7 @@
- /var/log/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
- 
- /var/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
-+/var/lib/nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
- 
- /var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
- 
-Index: fedora-policy/policy/modules/contrib/nagios.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/nagios.te
-+++ fedora-policy/policy/modules/contrib/nagios.te
-@@ -161,6 +161,7 @@ allow nagios_t nagios_spool_t:file map;
- manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
- manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
- manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
-+manage_sock_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
- files_var_lib_filetrans(nagios_t, nagios_var_lib_t, { dir file fifo_file })
- 
- kernel_read_system_state(nagios_t)
diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch
deleted file mode 100644
index f76012a..0000000
--- a/fix_networkmanager.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-Index: fedora-policy-20230206/policy/modules/contrib/networkmanager.te
-===================================================================
---- fedora-policy-20230206.orig/policy/modules/contrib/networkmanager.te
-+++ fedora-policy-20230206/policy/modules/contrib/networkmanager.te
-@@ -260,6 +260,7 @@ sysnet_search_dhcp_state(NetworkManager_
- sysnet_manage_config(NetworkManager_t)
- sysnet_filetrans_named_content(NetworkManager_t)
- sysnet_filetrans_net_conf(NetworkManager_t)
-+sysnet_watch_config(NetworkManager_t)
- 
- systemd_login_watch_pid_dirs(NetworkManager_t)
- systemd_login_watch_session_dirs(NetworkManager_t)
-@@ -276,6 +277,9 @@ userdom_read_home_certs(NetworkManager_t
- userdom_read_user_home_content_files(NetworkManager_t)
- userdom_dgram_send(NetworkManager_t)
- 
-+hostname_exec(NetworkManager_t)
-+networkmanager_systemctl(NetworkManager_t)
-+
- tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(NetworkManager_t)
- ')
-@@ -285,6 +289,14 @@ tunable_policy(`use_samba_home_dirs',`
- ')
- 
- optional_policy(`
-+ ntp_manage_pid_files(NetworkManager_t)
-+')
-+
-+optional_policy(`
-+ nis_systemctl_ypbind(NetworkManager_t)
-+')
-+
-+optional_policy(`
- avahi_domtrans(NetworkManager_t)
- avahi_kill(NetworkManager_t)
- avahi_signal(NetworkManager_t)
-@@ -293,6 +305,14 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ packagekit_dbus_chat(NetworkManager_t)
-+')
-+
-+optional_policy(`
-+ networkmanager_dbus_chat(NetworkManager_t)
-+')
-+
-+optional_policy(`
- bind_domtrans(NetworkManager_t)
- bind_manage_cache(NetworkManager_t)
- bind_kill(NetworkManager_t)
-@@ -420,6 +440,8 @@ optional_policy(`
- nscd_kill(NetworkManager_t)
- nscd_initrc_domtrans(NetworkManager_t)
- nscd_systemctl(NetworkManager_t)
-+ nscd_socket_use(NetworkManager_dispatcher_tlp_t)
-+ nscd_socket_use(NetworkManager_dispatcher_custom_t)
- ')
- 
- optional_policy(`
-@@ -608,6 +630,7 @@ files_manage_etc_files(NetworkManager_di
- 
- init_status(NetworkManager_dispatcher_cloud_t)
- init_status(NetworkManager_dispatcher_ddclient_t)
-+init_status(NetworkManager_dispatcher_custom_t)
- init_append_stream_sockets(networkmanager_dispatcher_plugin)
- init_ioctl_stream_sockets(networkmanager_dispatcher_plugin)
- init_stream_connect(networkmanager_dispatcher_plugin)
-@@ -623,6 +646,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ nscd_shm_use(NetworkManager_dispatcher_chronyc_t)
-+')
-+
-+optional_policy(`
- cloudform_init_domtrans(NetworkManager_dispatcher_cloud_t)
- ')
- 
-Index: fedora-policy-20230206/policy/modules/contrib/networkmanager.if
-===================================================================
---- fedora-policy-20230206.orig/policy/modules/contrib/networkmanager.if
-+++ fedora-policy-20230206/policy/modules/contrib/networkmanager.if
-@@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran
- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
- ')
- 
-+#######################################
-+##
-+## Allow reading of NetworkManager link files
-+##
-+##
-+##
-+## Domain allowed to read the links
-+##
-+##
-+#
-+interface(`networkmanager_initrc_read_lnk_files',`
-+ gen_require(`
-+ type NetworkManager_initrc_exec_t;
-+ ')
-+
-+ read_lnk_files_pattern($1, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
-+')
-+
- ########################################
- ##
- ## Execute NetworkManager server in the NetworkManager domain.
-Index: fedora-policy-20230206/policy/modules/contrib/networkmanager.fc
-===================================================================
---- fedora-policy-20230206.orig/policy/modules/contrib/networkmanager.fc
-+++ fedora-policy-20230206/policy/modules/contrib/networkmanager.fc
-@@ -24,6 +24,7 @@
- /usr/lib/NetworkManager/dispatcher\.d/04-iscsi -- gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/10-sendmail -- gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/11-dhclient -- gen_context(system_u:object_r:NetworkManager_dispatcher_dhclient_script_t,s0)
-+/usr/lib/NetworkManager/dispatcher\.d/20-chrony -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/20-chrony-dhcp -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/20-chrony-onoffline -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
- /usr/lib/NetworkManager/dispatcher\.d/30-winbind -- gen_context(system_u:object_r:NetworkManager_dispatcher_winbind_script_t,s0)
-@@ -37,6 +38,9 @@
- 
- /usr/libexec/nm-dispatcher -- gen_context(system_u:object_r:NetworkManager_dispatcher_exec_t,s0)
- /usr/libexec/nm-priv-helper -- gen_context(system_u:object_r:NetworkManager_priv_helper_exec_t,s0)
-+# bsc#1206355
-+/usr/lib/nm-dispatcher -- gen_context(system_u:object_r:NetworkManager_dispatcher_exec_t,s0)
-+/usr/lib/nm-priv-helper -- gen_context(system_u:object_r:NetworkManager_priv_helper_exec_t,s0)
- 
- /usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
- /usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
diff --git a/fix_nis.patch b/fix_nis.patch
deleted file mode 100644
index 117562c..0000000
--- a/fix_nis.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/nis.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/nis.te
-+++ fedora-policy/policy/modules/contrib/nis.te
-@@ -78,6 +78,7 @@ manage_files_pattern(ypbind_t, ypbind_va
- files_pid_filetrans(ypbind_t, ypbind_var_run_t, file)
- 
- manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
-+manage_dirs_pattern(ypbind_t, var_yp_t, var_yp_t)
- 
- kernel_read_system_state(ypbind_t)
- kernel_read_kernel_sysctls(ypbind_t)
diff --git a/fix_nscd.patch b/fix_nscd.patch
deleted file mode 100644
index 56a7c50..0000000
--- a/fix_nscd.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-Index: fedora-policy-20210628/policy/modules/contrib/nscd.fc
-===================================================================
---- fedora-policy-20210628.orig/policy/modules/contrib/nscd.fc
-+++ fedora-policy-20210628/policy/modules/contrib/nscd.fc
-@@ -8,8 +8,10 @@
- /var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
- 
- /var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0)
--/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
-+/var/run/nscd/socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
- 
-+/var/lib/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
- /var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
- 
- /usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
-+
-Index: fedora-policy-20210628/policy/modules/contrib/nscd.te
-===================================================================
---- fedora-policy-20210628.orig/policy/modules/contrib/nscd.te
-+++ fedora-policy-20210628/policy/modules/contrib/nscd.te
-@@ -130,6 +130,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns
- userdom_dontaudit_search_user_home_dirs(nscd_t)
- 
- optional_policy(`
-+ networkmanager_read_pid_files(nscd_t)
-+')
-+
-+optional_policy(`
-+ wicked_read_pid_files(nscd_t)
-+')
-+
-+optional_policy(`
- accountsd_dontaudit_rw_fifo_file(nscd_t)
- ')
- 
diff --git a/fix_ntp.patch b/fix_ntp.patch
deleted file mode 100644
index c762c96..0000000
--- a/fix_ntp.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-Index: fedora-policy-20230125/policy/modules/contrib/ntp.fc
-===================================================================
---- fedora-policy-20230125.orig/policy/modules/contrib/ntp.fc
-+++ fedora-policy-20230125/policy/modules/contrib/ntp.fc
-@@ -9,6 +9,7 @@
- 
- /etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
- 
-+/usr/sbin/start-ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
- /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
- /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
- /usr/libexec/ntpdate-wrapper -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
-@@ -16,7 +17,6 @@
- 
- /usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
- 
--/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
- /var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
- /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
- 
-@@ -25,3 +25,26 @@
- /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
- 
- /var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0)
-+
-+/var/lib/ntp gen_context(system_u:object_r:root_t,s0)
-+/var/lib/ntp/kod gen_context(system_u:object_r:etc_runtime_t,s0)
-+/var/lib/ntp/dev gen_context(system_u:object_r:device_t,s0)
-+/var/lib/ntp/etc gen_context(system_u:object_r:etc_t,s0)
-+/var/lib/ntp/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-+/var/lib/ntp/etc/ntp/crypto(/.*)? -- gen_context(system_u:object_r:ntpd_key_t,s0)
-+/var/lib/ntp/etc/ntp/data(/.*)? -- gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
-+/var/lib/ntp/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
-+/var/lib/ntp/etc/ntp.conf.iburst -- gen_context(system_u:object_r:ntp_conf_t,s0)
-+/var/lib/ntp/var(/.*)? gen_context(system_u:object_r:var_t,s0)
-+/var/lib/ntp/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
-+/var/lib/ntp/var/run(/.*)? gen_context(system_u:object_r:var_run_t,s0)
-+/var/lib/ntp/var/run/ntp(/.*)? gen_context(system_u:object_r:ntpd_var_run_t,s0)
-+/var/lib/ntp/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/var/lib/sntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/drift gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/drift/ntp.drift -- gen_context(system_u:object_r:ntp_drift_t,s0)
-+/var/lib/ntp/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
-+/var/lib/ntp/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
-+/var/lib/ntp/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
-Index: fedora-policy-20230125/policy/modules/contrib/ntp.te
-===================================================================
---- fedora-policy-20230125.orig/policy/modules/contrib/ntp.te
-+++ fedora-policy-20230125/policy/modules/contrib/ntp.te
-@@ -49,6 +49,9 @@ init_system_domain(ntpd_t, ntpdate_exec_
- 
- allow ntpd_t self:capability { chown dac_read_search kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
- dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
-+# remove once 1207577 is done
-+allow ntpd_t self:capability dac_override;
-+
- allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
- allow ntpd_t self:fifo_file rw_fifo_file_perms;
- allow ntpd_t self:shm create_shm_perms;
-@@ -78,7 +81,8 @@ manage_files_pattern(ntpd_t, ntpd_tmpfs_
- fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file })
- 
- manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
--files_pid_filetrans(ntpd_t, ntpd_var_run_t, file)
-+manage_lnk_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t)
-+files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file dir lnk_file })
- 
- can_exec(ntpd_t, ntpd_exec_t)
- can_exec(ntpd_t, ntpdate_exec_t)
-Index: fedora-policy-20230125/policy/modules/contrib/ntp.if
-===================================================================
---- fedora-policy-20230125.orig/policy/modules/contrib/ntp.if
-+++ fedora-policy-20230125/policy/modules/contrib/ntp.if
-@@ -339,3 +339,23 @@ interface(`ntp_manage_log',`
- manage_lnk_files_pattern($1, ntpd_log_t, ntpd_log_t)
- ')
- 
-+########################################
-+##
-+## Create, read, write, and delete
-+## ntp pid (lnk) files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ntp_manage_pid_files',`
-+ gen_require(`
-+ type ntpd_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ manage_files_pattern($1, ntpd_var_run_t, ntpd_var_run_t)
-+ manage_lnk_files_pattern($1, ntpd_var_run_t, ntpd_var_run_t)
-+')
diff --git a/fix_openvpn.patch b/fix_openvpn.patch
deleted file mode 100644
index 3acf3e5..0000000
--- a/fix_openvpn.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/openvpn.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/openvpn.te
-+++ fedora-policy/policy/modules/contrib/openvpn.te
-@@ -28,6 +28,14 @@ gen_tunable(openvpn_enable_homedirs, fal
- ##
- gen_tunable(openvpn_can_network_connect, true)
- 
-+##
-+##

-+## Determine whether openvpn can
-+## change sysctl values (e.g. rp_filter)
-+##

-+##
-+gen_tunable(openvpn_allow_changing_sysctls, false)
-+
- attribute_role openvpn_roles;
- 
- type openvpn_t;
-@@ -176,6 +184,10 @@ userdom_attach_admin_tun_iface(openvpn_t
- userdom_read_inherited_user_tmp_files(openvpn_t)
- userdom_read_inherited_user_home_content_files(openvpn_t)
- 
-+tunable_policy(`openvpn_allow_changing_sysctls',`
-+ kernel_rw_net_sysctls(openvpn_t)
-+')
-+
- tunable_policy(`openvpn_enable_homedirs',`
- userdom_search_user_home_dirs(openvpn_t)
- ')
-@@ -195,6 +207,10 @@ tunable_policy(`openvpn_can_network_conn
- ')
- 
- optional_policy(`
-+ firewalld_dbus_chat(openvpn_t)
-+')
-+
-+optional_policy(`
- brctl_domtrans(openvpn_t)
- ')
- 
diff --git a/fix_postfix.patch b/fix_postfix.patch
deleted file mode 100644
index 9b7fb86..0000000
--- a/fix_postfix.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/postfix.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/postfix.fc
-+++ fedora-policy-20221019/policy/modules/contrib/postfix.fc
-@@ -1,37 +1,21 @@
- # postfix
--/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
--/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
--/etc/postfix/chroot-update -- gen_context(system_u:object_r:postfix_exec_t,s0)
--ifdef(`distro_redhat', `
--/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
--/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
--/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
--/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
--/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
--/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
--/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
--/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
--/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
--/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
--/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
--/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
--/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
--/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
--', `
--/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
--/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
--/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
--/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
--/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
--/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
--/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
--/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
--/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
--/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
--/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
--/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
--/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
--')
-+/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
-+/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
-+/etc/postfix/chroot-update -- gen_context(system_u:object_r:postfix_exec_t,s0)
-+/usr/lib/postfix/bin/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-+/usr/lib/postfix/systemd/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-+/usr/lib/postfix/bin/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-+/usr/lib/postfix/bin/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
-+/usr/lib/postfix/bin/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-+/usr/lib/postfix/bin/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-+/usr/lib/postfix/bin/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-+/usr/lib/postfix/bin/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-+/usr/lib/postfix/bin/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-+/usr/lib/postfix/bin/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-+/usr/lib/postfix/bin/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-+/usr/lib/postfix/bin/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-+/usr/lib/postfix/bin/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-+/usr/lib/postfix/bin/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
- /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
- /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
- /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-@@ -45,13 +29,16 @@ ifdef(`distro_redhat', `
- /usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
- /usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
- 
-+/etc/postfix/system/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-+/etc/postfix/system/update_postmaps -- gen_context(system_u:object_r:postfix_map_exec_t,s0)
-+
- /var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
- 
- /var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
- /var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
- /var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
- /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
--/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
-+/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
- /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
- /var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
- /var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
-Index: fedora-policy-20221019/policy/modules/contrib/postfix.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/postfix.te
-+++ fedora-policy-20221019/policy/modules/contrib/postfix.te
-@@ -121,6 +121,8 @@ allow postfix_master_t self:udp_socket c
- allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
- allow postfix_master_t postfix_etc_t:file rw_file_perms;
- mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
-+# SUSE also runs this on /etc/alias
-+mta_filetrans_aliases(postfix_master_t, etc_t)
- 
- can_exec(postfix_master_t, postfix_exec_t)
- 
-@@ -447,6 +449,14 @@ logging_send_syslog_msg(postfix_map_t)
- 
- userdom_use_inherited_user_ptys(postfix_map_t)
- 
-+corecmd_exec_bin(postfix_map_t)
-+allow postfix_map_t postfix_map_exec_t:file execute_no_trans;
-+init_ioctl_stream_sockets(postfix_map_t)
-+
-+optional_policy(`
-+ mta_read_aliases(postfix_map_t)
-+')
-+
- optional_policy(`
- locallogin_dontaudit_use_fds(postfix_map_t)
- ')
-@@ -687,6 +697,14 @@ corenet_tcp_connect_spamd_port(postfix_m
- files_search_all_mountpoints(postfix_smtp_t)
- 
- optional_policy(`
-+ networkmanager_read_pid_files(postfix_smtp_t)
-+')
-+
-+optional_policy(`
-+ wicked_read_pid_files(postfix_smtp_t)
-+')
-+
-+optional_policy(`
- cyrus_stream_connect(postfix_smtp_t)
- cyrus_runtime_stream_connect(postfix_smtp_t)
- ')
diff --git a/fix_rpm.patch b/fix_rpm.patch
deleted file mode 100644
index 77ca8ac..0000000
--- a/fix_rpm.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-Index: fedora-policy-20230116/policy/modules/contrib/rpm.fc
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/contrib/rpm.fc
-+++ fedora-policy-20230116/policy/modules/contrib/rpm.fc
-@@ -23,6 +23,9 @@
- # This is in /usr, but is expected to be variable content from a policy perspective (#2042149)
- /usr/lib/sysimage/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
- 
-+/usr/sbin/zypp-refresh -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/zypper -- gen_context(system_u:object_r:rpm_exec_t,s0)
-+
- /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -61,6 +64,8 @@ ifdef(`distro_redhat', `
- /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
- /var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
- 
-+/var/cache/zypp(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
-+
- /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
- /var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
- /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-Index: fedora-policy-20230116/policy/modules/contrib/rpm.if
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/contrib/rpm.if
-+++ fedora-policy-20230116/policy/modules/contrib/rpm.if
-@@ -515,8 +515,10 @@ interface(`rpm_named_filetrans',`
- logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
- logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log")
- logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
-+ logging_log_named_filetrans($1, rpm_log_t, file, "zypper.log")
- files_var_filetrans($1, rpm_var_cache_t, dir, "dnf")
- files_var_filetrans($1, rpm_var_cache_t, dir, "yum")
-+ files_var_filetrans($1, rpm_var_cache_t, dir, "zypp")
- files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf")
- files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum")
- files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm")
-Index: fedora-policy-20230116/policy/modules/kernel/files.fc
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/kernel/files.fc
-+++ fedora-policy-20230116/policy/modules/kernel/files.fc
-@@ -67,6 +67,7 @@ ifdef(`distro_redhat',`
- /etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0)
- /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0)
- /etc/yum\.repos\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
-+/etc/zypp(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
- /etc/ostree/remotes.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
- 
- /ostree/repo(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
diff --git a/fix_rtkit.patch b/fix_rtkit.patch
deleted file mode 100644
index 0f6a9ab..0000000
--- a/fix_rtkit.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-Index: fedora-policy-20230116/policy/modules/contrib/rtkit.fc
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/contrib/rtkit.fc
-+++ fedora-policy-20230116/policy/modules/contrib/rtkit.fc
-@@ -1,5 +1,6 @@
- /etc/rc\.d/init\.d/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_initrc_exec_t,s0)
-
- /usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
-+/usr/libexec/rtkit/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
-
- /usr/lib/rtkit/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
diff --git a/fix_screen.patch b/fix_screen.patch
deleted file mode 100644
index efc3cdb..0000000
--- a/fix_screen.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/screen.if
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/screen.if
-+++ fedora-policy/policy/modules/contrib/screen.if
-@@ -45,6 +45,7 @@ template(`screen_role_template',`
-
- userdom_list_user_home_dirs($1_screen_t)
- userdom_home_reader($1_screen_t)
-+ userdom_read_user_home_content_symlinks($1_screen_t)
-
- domtrans_pattern($3, screen_exec_t, $1_screen_t)
- allow $3 $1_screen_t:process { signal sigchld };
-Index: fedora-policy/policy/modules/contrib/screen.fc
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/screen.fc
-+++ fedora-policy/policy/modules/contrib/screen.fc
-@@ -8,4 +8,5 @@ HOME_DIR/\.tmux\.conf -- gen_context(sys
- /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
-
- /var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
-+/var/run/uscreens(/.*)?' gen_context(system_u:object_r:screen_var_run_t,s0)
- /var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
diff --git a/fix_selinuxutil.patch b/fix_selinuxutil.patch
deleted file mode 100644
index 3cc047a..0000000
--- a/fix_selinuxutil.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-Index: fedora-policy-20230116/policy/modules/system/selinuxutil.te
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/system/selinuxutil.te
-+++ fedora-policy-20230116/policy/modules/system/selinuxutil.te
-@@ -239,6 +239,10 @@ ifdef(`hide_broken_symptoms',`
- ')
-
- optional_policy(`
-+ packagekit_read_write_fifo(load_policy_t)
-+')
-+
-+optional_policy(`
- portage_dontaudit_use_fds(load_policy_t)
- ')
-
-@@ -619,6 +623,10 @@ logging_send_audit_msgs(setfiles_t)
- logging_send_syslog_msg(setfiles_t)
-
- optional_policy(`
-+ packagekit_read_write_fifo(setfiles_t)
-+')
-+
-+optional_policy(`
- cloudform_dontaudit_write_cloud_log(setfiles_t)
- ')
-
-Index: fedora-policy-20230116/policy/modules/system/selinuxutil.if
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/system/selinuxutil.if
-+++ fedora-policy-20230116/policy/modules/system/selinuxutil.if
-@@ -795,6 +795,8 @@ interface(`seutil_dontaudit_read_config'
-
- dontaudit $1 selinux_config_t:dir search_dir_perms;
- dontaudit $1 selinux_config_t:file read_file_perms;
-+ # /etc/selinux/config was a link to /etc/sysconfig/selinux-policy, ignore read attemps
-+ dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
diff --git a/fix_sendmail.patch b/fix_sendmail.patch
deleted file mode 100644
index c3fbc09..0000000
--- a/fix_sendmail.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/sendmail.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/sendmail.fc
-+++ fedora-policy-20221019/policy/modules/contrib/sendmail.fc
-@@ -1,8 +1,9 @@
-
- /etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
-+/etc/mail/system/sm-client.pre -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
-
- /var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0)
- /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
-
--/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
-+/var/run/sendmail(/.*)? gen_context(system_u:object_r:sendmail_var_run_t,s0)
- /var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
-Index: fedora-policy-20221019/policy/modules/contrib/sendmail.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/sendmail.te
-+++ fedora-policy-20221019/policy/modules/contrib/sendmail.te
-@@ -60,8 +60,10 @@ manage_dirs_pattern(sendmail_t, sendmail
- manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
- files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
-
--allow sendmail_t sendmail_var_run_t:file manage_file_perms;
--files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
-+manage_dirs_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
-+manage_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
-+manage_sock_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
-+files_pid_filetrans(sendmail_t, sendmail_var_run_t, { file dir })
-
- kernel_read_network_state(sendmail_t)
- kernel_read_kernel_sysctls(sendmail_t)
diff --git a/fix_smartmon.patch b/fix_smartmon.patch
deleted file mode 100644
index 3d965d9..0000000
--- a/fix_smartmon.patch
+++ /dev/null
@@ -1,9 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/smartmon.fc
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/smartmon.fc
-+++ fedora-policy/policy/modules/contrib/smartmon.fc
-@@ -5,3 +5,4 @@
- /var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
-
- /var/lib/smartmontools(/.*)? gen_context(system_u:object_r:fsdaemon_var_lib_t,s0)
-+/var/lib/smartmontools/smartd_opts -- gen_context(system_u:object_r:etc_t,s0)
diff --git a/fix_snapper.patch b/fix_snapper.patch
deleted file mode 100644
index 045bc12..0000000
--- a/fix_snapper.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/contrib/snapper.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/snapper.te
-+++ fedora-policy-20221019/policy/modules/contrib/snapper.te
-@@ -18,6 +18,9 @@ files_config_file(snapperd_conf_t)
- type snapperd_data_t;
- files_type(snapperd_data_t)
-
-+type snapperd_tmp_t;
-+files_tmp_file(snapperd_tmp_t)
-+
- ########################################
- #
- # snapperd local policy
-@@ -43,6 +46,10 @@ allow snapperd_t snapperd_data_t:dir { r
- allow snapperd_t snapperd_data_t:file relabelfrom;
- snapper_filetrans_named_content(snapperd_t)
-
-+allow snapperd_t snapperd_tmp_t:file manage_file_perms;
-+allow snapperd_t snapperd_tmp_t:dir manage_dir_perms;
-+files_tmp_filetrans(snapperd_t, snapperd_tmp_t, { file dir })
-+
- kernel_setsched(snapperd_t)
-
- domain_read_all_domains_state(snapperd_t)
-@@ -73,6 +80,14 @@ storage_raw_read_fixed_disk(snapperd_t)
- auth_use_nsswitch(snapperd_t)
-
- optional_policy(`
-+ packagekit_dbus_chat(snapperd_t)
-+')
-+
-+optional_policy(`
-+ rpm_dbus_chat(snapperd_t)
-+')
-+
-+optional_policy(`
- cron_system_entry(snapperd_t, snapperd_exec_t)
- ')
-
-Index: fedora-policy-20221019/policy/modules/contrib/snapper.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/contrib/snapper.fc
-+++ fedora-policy-20221019/policy/modules/contrib/snapper.fc
-@@ -7,9 +7,17 @@
-
- /var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0)
-
--/mnt/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
--/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
--/usr/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
--/var/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
--/etc/\.snapshots(/.*)?
gen_context(system_u:object_r:snapperd_data_t,s0)
--HOME_ROOT/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+/mnt/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+/usr/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+/var/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+/etc/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+HOME_ROOT/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0)
-+
-+# ensure that the snapshots itself aren't relabled
-+/mnt/(.*/)?\.snapshots/[^/]*/snapshot(/.*)? <>
-+/\.snapshots/[^/]*/snapshot(/.*)? <>
-+/usr/\.snapshots/[^/]*/snapshot(/.*)? <>
-+/var/\.snapshots/[^/]*/snapshot(/.*)? <>
-+/etc/\.snapshots/[^/]*/snapshot(/.*)? <>
-+HOME_ROOT/(.*/)?\.snapshots/[^/]*/snapshot(/.*)? <>
diff --git a/fix_sslh.patch b/fix_sslh.patch
deleted file mode 100644
index 5a6e49a..0000000
--- a/fix_sslh.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Index: fedora-policy/policy/modules/contrib/sslh.te
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/sslh.te
-+++ fedora-policy/policy/modules/contrib/sslh.te
-@@ -28,6 +28,7 @@ gen_tunable(sslh_can_bind_any_port, fals
- type sslh_t;
- type sslh_exec_t;
- init_daemon_domain(sslh_t, sslh_exec_t)
-+init_nnp_daemon_domain(sslh_t)
-
- type sslh_config_t;
- files_config_file(sslh_config_t)
-@@ -90,6 +91,7 @@ tunable_policy(`sslh_can_connect_any_por
- # allow sslh to connect to any port
- corenet_tcp_sendrecv_all_ports(sslh_t)
- corenet_tcp_connect_all_ports(sslh_t)
-+ corenet_tcp_connect_all_ports(sslh_t)
- ')
-
- tunable_policy(`sslh_can_bind_any_port',`
-Index: fedora-policy/policy/modules/contrib/sslh.fc
-===================================================================
---- fedora-policy.orig/policy/modules/contrib/sslh.fc
-+++ fedora-policy/policy/modules/contrib/sslh.fc
-@@ -4,6 +4,8 @@
- /etc/rc\.d/init\.d/sslh -- gen_context(system_u:object_r:sslh_initrc_exec_t,s0)
- /etc/sslh(/.*)? gen_context(system_u:object_r:sslh_config_t,s0)
- /etc/sslh\.cfg -- gen_context(system_u:object_r:sslh_config_t,s0)
-+/etc/conf\.d/sslh -- gen_context(system_u:object_r:sslh_config_t,s0)
-+/etc/default/sslh -- gen_context(system_u:object_r:sslh_config_t,s0)
- /etc/sysconfig/sslh -- gen_context(system_u:object_r:sslh_config_t,s0)
- /usr/lib/systemd/system/sslh.* -- gen_context(system_u:object_r:sslh_unit_file_t,s0)
- /var/run/sslh.* gen_context(system_u:object_r:sslh_var_run_t,s0)
diff --git a/fix_sysnetwork.patch b/fix_sysnetwork.patch
deleted file mode 100644
index 81fb138..0000000
--- a/fix_sysnetwork.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/system/sysnetwork.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/sysnetwork.fc
-+++ fedora-policy-20221019/policy/modules/system/sysnetwork.fc
-@@ -33,9 +33,9 @@ ifdef(`distro_debian',`
- /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
-
- ifdef(`distro_redhat',`
--/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/sysconfig/network/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
--/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
-+/etc/sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- /var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- /var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
- /var/run/systemd/resolve/stub-resolv\.conf gen_context(system_u:object_r:net_conf_t,s0)
-@@ -103,6 +103,8 @@ ifdef(`distro_debian',`
- /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- ')
-
-+/var/run/netconfig(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
-+
- /var/run/netns -d gen_context(system_u:object_r:ifconfig_var_run_t,s0)
- /var/run/netns/[^/]+ <>
-
diff --git a/fix_systemd.patch b/fix_systemd.patch
deleted file mode 100644
index 11c069c..0000000
--- a/fix_systemd.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-Index: fedora-policy-20230116/policy/modules/system/systemd.te
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20230116/policy/modules/system/systemd.te
-@@ -381,6 +381,10 @@ userdom_manage_user_tmp_chr_files(system
- xserver_dbus_chat(systemd_logind_t)
-
- optional_policy(`
-+ packagekit_dbus_chat(systemd_logind_t)
-+')
-+
-+optional_policy(`
- apache_read_tmp_files(systemd_logind_t)
- ')
-
-@@ -863,6 +867,10 @@ optional_policy(`
- dbus_system_bus_client(systemd_localed_t)
- ')
-
-+optional_policy(`
-+ nscd_unconfined(systemd_hostnamed_t)
-+')
-+
- #######################################
- #
- # Hostnamed policy
-@@ -1195,6 +1203,8 @@ systemd_unit_file_filetrans(systemd_gpt_
- systemd_create_unit_file_dirs(systemd_gpt_generator_t)
- systemd_create_unit_file_lnk(systemd_gpt_generator_t)
-
-+kernel_dgram_send(systemd_gpt_generator_t)
-+
- optional_policy(`
- udev_read_pid_files(systemd_gpt_generator_t)
- ')
diff --git a/fix_systemd_watch.patch b/fix_systemd_watch.patch
deleted file mode 100644
index 72073ab..0000000
--- a/fix_systemd_watch.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Index: fedora-policy-20230206/policy/modules/system/systemd.te
-===================================================================
---- fedora-policy-20230206.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20230206/policy/modules/system/systemd.te
-@@ -1524,6 +1524,12 @@ fstools_rw_swap_files(systemd_sleep_t)
- storage_getattr_fixed_disk_dev(systemd_sleep_t)
- storage_getattr_removable_dev(systemd_sleep_t)
-
-+#######################################
-+#
-+# Allow systemd to watch certificate dir for ca-certificates
-+#
-+watch_dirs_pattern(init_t,cert_t,cert_t)
-+
- optional_policy(`
- sysstat_domtrans(systemd_sleep_t)
- ')
diff --git a/fix_thunderbird.patch b/fix_thunderbird.patch
deleted file mode 100644
index 159afc4..0000000
--- a/fix_thunderbird.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20210628/policy/modules/contrib/thunderbird.te
-===================================================================
---- fedora-policy-20210628.orig/policy/modules/contrib/thunderbird.te
-+++ fedora-policy-20210628/policy/modules/contrib/thunderbird.te
-@@ -138,7 +138,6 @@ optional_policy(`
- optional_policy(`
- gnome_stream_connect_gconf(thunderbird_t)
- gnome_domtrans_gconfd(thunderbird_t)
-- gnome_manage_generic_home_content(thunderbird_t)
- ')
-
- optional_policy(`
diff --git a/fix_unconfined.patch b/fix_unconfined.patch
deleted file mode 100644
index 815055b..0000000
--- a/fix_unconfined.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/system/unconfined.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/system/unconfined.te
-+++ fedora-policy-20221019/policy/modules/system/unconfined.te
-@@ -1,5 +1,10 @@
- policy_module(unconfined, 3.5.0)
-
-+require {
-+ type var_run_t;
-+ type net_conf_t;
-+}
-+
- ########################################
- #
- # Declarations
-@@ -45,3 +50,6 @@ optional_policy(`
- optional_policy(`
- container_runtime_domtrans(unconfined_service_t)
- ')
-+
-+filetrans_pattern(unconfined_service_t, var_run_t, net_conf_t, dir)
-+
diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch
deleted file mode 100644
index bad300f..0000000
--- a/fix_unconfineduser.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-Index: fedora-policy-20230206/policy/modules/roles/unconfineduser.te
-===================================================================
---- fedora-policy-20230206.orig/policy/modules/roles/unconfineduser.te
-+++ fedora-policy-20230206/policy/modules/roles/unconfineduser.te
-@@ -126,6 +126,11 @@ tunable_policy(`unconfined_dyntrans_all'
- domain_dyntrans(unconfined_t)
- ')
-
-+# FIXME this is probably caused by some wierd PAM interaction
-+corecmd_entrypoint_all_executables(unconfined_t)
-+# FIXME sddm JITs some code, requiring execmod on user_tmp_t. Check how to disable this behaviour in sddm/qtdeclarative
-+files_execmod_tmp(unconfined_t)
-+
- optional_policy(`
- gen_require(`
- type unconfined_t;
-@@ -216,6 +221,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ cron_system_spool_entrypoint(unconfined_t)
-+')
-+
-+optional_policy(`
- chrome_role_notrans(unconfined_r, unconfined_t)
-
- tunable_policy(`unconfined_chrome_sandbox_transition',`
-@@ -250,6 +259,18 @@ optional_policy(`
- dbus_stub(unconfined_t)
-
- optional_policy(`
-+ accountsd_dbus_chat(unconfined_dbusd_t)
-+ ')
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(unconfined_dbusd_t)
-+ ')
-+
-+ optional_policy(`
-+ systemd_dbus_chat_logind(unconfined_dbusd_t)
-+ ')
-+
-+ optional_policy(`
- bluetooth_dbus_chat(unconfined_t)
- ')
-
diff --git a/fix_unprivuser.patch b/fix_unprivuser.patch
deleted file mode 100644
index 70fe21e..0000000
--- a/fix_unprivuser.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/roles/unprivuser.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/roles/unprivuser.te
-+++ fedora-policy-20221019/policy/modules/roles/unprivuser.te
-@@ -300,6 +300,13 @@ ifndef(`distro_redhat',`
- ')
-
- optional_policy(`
-+ rtorrent_role(user_r, user_t)
-+ # needed for tunable rtorrent_send_mails
-+ mta_role_access_system_mail(user_r)
-+')
-+
-+
-+optional_policy(`
- vmtools_run_helper(user_t, user_r)
- ')
-
diff --git a/fix_userdomain.patch b/fix_userdomain.patch
deleted file mode 100644
index a2ea637..0000000
--- a/fix_userdomain.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Index: fedora-policy-20230116/policy/modules/system/userdomain.if
-===================================================================
---- fedora-policy-20230116.orig/policy/modules/system/userdomain.if
-+++ fedora-policy-20230116/policy/modules/system/userdomain.if
-@@ -1515,6 +1515,7 @@ tunable_policy(`deny_bluetooth',`',`
-
- # port access is audited even if dac would not have allowed it, so dontaudit it here
- # corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-+ corenet_dontaudit_udp_bind_all_rpc_ports($1_t)
- # Need the following rule to allow users to run vpnc
- corenet_tcp_bind_xserver_port($1_t)
- corenet_tcp_bind_generic_node($1_usertype)
diff --git a/fix_usermanage.patch b/fix_usermanage.patch
deleted file mode 100644
index a7d1bee..0000000
--- a/fix_usermanage.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Index: fedora-policy-20220428/policy/modules/admin/usermanage.te
-===================================================================
---- fedora-policy-20220428.orig/policy/modules/admin/usermanage.te
-+++ fedora-policy-20220428/policy/modules/admin/usermanage.te
-@@ -226,6 +226,7 @@ allow groupadd_t self:unix_dgram_socket
- allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
- allow groupadd_t self:unix_dgram_socket sendto;
- allow groupadd_t self:unix_stream_socket connectto;
-+allow groupadd_t self:netlink_selinux_socket create_socket_perms;
-
- fs_getattr_xattr_fs(groupadd_t)
- fs_search_auto_mountpoints(groupadd_t)
-@@ -538,6 +539,7 @@ allow useradd_t self:unix_dgram_socket c
- allow useradd_t self:unix_stream_socket create_stream_socket_perms;
- allow useradd_t self:unix_dgram_socket sendto;
- allow useradd_t self:unix_stream_socket connectto;
-+allow useradd_t self:netlink_selinux_socket create_socket_perms;
-
- manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
- manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
-@@ -546,6 +548,8 @@ files_pid_filetrans(useradd_t, useradd_v
- # for getting the number of groups
- kernel_read_kernel_sysctls(useradd_t)
-
-+selinux_compute_access_vector(useradd_t)
-+
- corecmd_exec_shell(useradd_t)
- # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
- corecmd_exec_bin(useradd_t)
diff --git a/fix_wine.patch b/fix_wine.patch
deleted file mode 100644
index 17698f2..0000000
--- a/fix_wine.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Index: fedora-policy-20220428/policy/modules/system/libraries.fc
-===================================================================
---- fedora-policy-20220428.orig/policy/modules/system/libraries.fc
-+++ fedora-policy-20220428/policy/modules/system/libraries.fc
-@@ -90,7 +90,7 @@ ifdef(`distro_redhat',`
- /opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
- /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
--/opt/cx.*/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/cx.*/lib/wine/.+\.(so|dll) -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/ibm/java.*/jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
- /opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -173,7 +173,8 @@ ifdef(`distro_redhat',`
- /usr/lib/systemd/libsystemd-.+\.so.* -- gen_context(system_u:object_r:lib_t,s0)
-
- /usr/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
--/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/wine/*-windows/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
diff --git a/fix_xserver.patch b/fix_xserver.patch
deleted file mode 100644
index a8fd6e8..0000000
--- a/fix_xserver.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-Index: fedora-policy-20221019/policy/modules/services/xserver.fc
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/services/xserver.fc
-+++ fedora-policy-20221019/policy/modules/services/xserver.fc
-@@ -71,6 +71,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
- /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
- /etc/X11/wdm/Xsetup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-+/etc/X11/xdm/Xsetup -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/X11/wdm/Xstartup.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
- /etc/X11/Xsession[^/]* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-
-@@ -102,6 +103,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
-
- /usr/bin/sddm -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/sddm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/lib/sddm/sddm-helper -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
- /usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0)
-@@ -114,6 +116,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
- /usr/bin/Xwayland -- gen_context(system_u:object_r:xserver_exec_t,s0)
- /usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
- /usr/bin/nvidia.* -- gen_context(system_u:object_r:xserver_exec_t,s0)
-+/usr/bin/greetd -- gen_context(system_u:object_r:xdm_exec_t,s0)
-
- /usr/libexec/Xorg\.bin -- gen_context(system_u:object_r:xserver_exec_t,s0)
- /usr/libexec/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0)
-@@ -137,6 +140,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
- /usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0)
- /usr/X11R6/lib/X11/xkb/.* --
gen_context(system_u:object_r:xkb_var_lib_t,s0)
-
-+/usr/lib/X11/display-manager -- gen_context(system_u:object_r:xdm_exec_t,s0)
- ifndef(`distro_debian',`
- /usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
- ')
-@@ -155,6 +159,7 @@ ifndef(`distro_debian',`
- /var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
- /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
- /var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
-+/var/lib/greetd(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-
- /var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
- /var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-@@ -184,6 +189,8 @@ ifndef(`distro_debian',`
- /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/sddm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/greetd[^/]*\.sock -s gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/greetd\.run -- gen_context(system_u:object_r:xdm_var_run_t,s0)
-
- /var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
- /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
-Index: fedora-policy-20221019/policy/modules/services/xserver.te
-===================================================================
---- fedora-policy-20221019.orig/policy/modules/services/xserver.te
-+++ fedora-policy-20221019/policy/modules/services/xserver.te
-@@ -475,6 +475,10 @@ userdom_dontaudit_read_admin_home_lnk_fi
-
- kernel_read_vm_sysctls(xdm_t)
-
-+files_manage_generic_pids_symlinks(xdm_t)
-+userdom_manage_user_home_content_dirs(xdm_t)
-+userdom_manage_user_home_content_files(xdm_t)
-+
- # Allow gdm to run gdm-binary
- can_exec(xdm_t, xdm_exec_t)
- can_exec(xdm_t, xsession_exec_t)
diff --git a/packagekit.fc b/packagekit.fc
deleted file mode 100644
index b004ae0..0000000
--- a/packagekit.fc
+++ /dev/null
@@ -1,44 +0,0 @@
-/usr/lib/systemd/system/packagekit.* -- gen_context(system_u:object_r:packagekit_unit_file_t,s0)
-
-/usr/bin/packagekit -- gen_context(system_u:object_r:packagekit_exec_t,s0)
-
-#/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:packagekit_var_lib_t,s0)
-
-/usr/bin/pkcon -- gen_context(system_u:object_r:packagekit_exec_t,s0)
-/usr/bin/pkmon -- gen_context(system_u:object_r:packagekit_exec_t,s0)
-/usr/lib/packagekit-direct -- gen_context(system_u:object_r:packagekit_exec_t,s0)
-/usr/lib/packagekitd -- gen_context(system_u:object_r:packagekit_exec_t,s0)
-/usr/lib/pk-offline-update -- gen_context(system_u:object_r:packagekit_exec_t,s0)
-
-#/etc/PackageKit
-#/etc/dbus-1/system.d/org.freedesktop.PackageKit.conf
-#/usr/lib/tmpfiles.d
-#/usr/lib/tmpfiles.d/PackageKit.conf
-#/usr/lib64/packagekit-backend
-#/usr/lib64/packagekit-backend/libpk_backend_dummy.so
-#/usr/sbin/rcpackagekit
-#/usr/sbin/rcpackagekit-offline-update
-#/usr/share/PackageKit
-#/usr/share/PackageKit/helpers
-#/usr/share/PackageKit/helpers/test_spawn
-#/usr/share/PackageKit/helpers/test_spawn/search-name.sh
-#/usr/share/PackageKit/packagekit-background.sh
-#/usr/share/PackageKit/pk-upgrade-distro.sh
-#/usr/share/PackageKit/transactions.db
-#/usr/share/bash-completion/completions/pkcon
-#/usr/share/dbus-1/interfaces/org.freedesktop.PackageKit.Transaction.xml
-#/usr/share/dbus-1/interfaces/org.freedesktop.PackageKit.xml
-#/usr/share/dbus-1/system-services/org.freedesktop.PackageKit.service
-#/usr/share/doc/packages/PackageKit
-#/usr/share/doc/packages/PackageKit/AUTHORS
-#/usr/share/doc/packages/PackageKit/HACKING
-#/usr/share/doc/packages/PackageKit/NEWS
-#/usr/share/doc/packages/PackageKit/README
-#/usr/share/doc/packages/PackageKit/org.freedesktop.packagekit.rules
-#/usr/share/licenses/PackageKit
-#/usr/share/licenses/PackageKit/COPYING
-#/usr/share/man/man1/pkcon.1.gz
-#/usr/share/man/man1/pkmon.1.gz
-#/usr/share/polkit-1/actions/org.freedesktop.packagekit.policy
-#/var/cache/PackageKit
-
diff --git a/packagekit.if b/packagekit.if
deleted file mode 100644
index a9d1918..0000000
--- a/packagekit.if
+++ /dev/null
@@ -1,40 +0,0 @@
-## A temporary policy for packagekit.
-
-########################################
-##
-## Allow reading of fifo files
-##
-##
-##
-## Domain allowed to mange files
-##
-##
-#
-interface(`packagekit_read_write_fifo',`
- gen_require(`
- type packagekit_t;
- ')
-
- allow $1 packagekit_t:fifo_file rw_inherited_fifo_file_perms;
-')
-
-########################################
-##
-## Send and receive messages from
-## packagekit over dbus.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`packagekit_dbus_chat',`
- gen_require(`
- type packagekit_t;
- class dbus send_msg;
- ')
-
- allow $1 packagekit_t:dbus send_msg;
- allow packagekit_t $1:dbus send_msg;
-')
diff --git a/packagekit.te b/packagekit.te
deleted file mode 100644
index 090ccb7..0000000
--- a/packagekit.te
+++ /dev/null
@@ -1,38 +0,0 @@
-policy_module(packagekit,1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type packagekit_t;
-type packagekit_exec_t;
-init_daemon_domain(packagekit_t,packagekit_exec_t)
-
-type packagekit_unit_file_t;
-systemd_unit_file(packagekit_unit_file_t)
-
-type packagekit_var_lib_t;
-files_type(packagekit_var_lib_t)
-
-unconfined_dbus_chat(packagekit_t)
-init_dbus_chat(packagekit_t)
-optional_policy(`
- policykit_dbus_chat(packagekit_t)
-')
-
-optional_policy(`
- unconfined_domain(packagekit_t)
-')
-
-optional_policy(`
- snapper_dbus_chat(packagekit_t)
-')
-
-optional_policy(`
- systemd_dbus_chat_logind(packagekit_t)
-')
-
-optional_policy(`
- rpm_transition_script(packagekit_t,system_r)
-')
diff --git a/rebootmgr.fc b/rebootmgr.fc
deleted file mode 100644
index 156f78f..0000000
--- a/rebootmgr.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/sbin/rebootmgrd -- gen_context(system_u:object_r:rebootmgr_exec_t,s0)
diff --git a/rebootmgr.if b/rebootmgr.if
deleted file mode 100644
index bb42f80..0000000
--- a/rebootmgr.if
+++ /dev/null
@@ -1,61 +0,0 @@
-
-## policy for rebootmgr
-
-########################################
-##
-## Execute rebootmgr_exec_t in the rebootmgr domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`rebootmgr_domtrans',`
- gen_require(`
- type rebootmgr_t, rebootmgr_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, rebootmgr_exec_t, rebootmgr_t)
-')
-
-######################################
-##
-## Execute rebootmgr in the caller domain.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`rebootmgr_exec',`
- gen_require(`
- type rebootmgr_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, rebootmgr_exec_t)
-')
-
-########################################
-##
-## Send and receive messages from
-## rebootmgr over dbus.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`rebootmgr_dbus_chat',`
- gen_require(`
- type rebootmgr_t;
- class dbus send_msg;
- ')
-
- allow $1 rebootmgr_t:dbus send_msg;
- allow rebootmgr_t $1:dbus send_msg;
-')
diff --git a/rebootmgr.te b/rebootmgr.te
deleted file mode 100644
index 4b4e6ab..0000000
--- a/rebootmgr.te
+++ /dev/null
@@ -1,37 +0,0 @@
-policy_module(rebootmgr, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type rebootmgr_t;
-type rebootmgr_exec_t;
-init_daemon_domain(rebootmgr_t, rebootmgr_exec_t)
-
-########################################
-#
-# rebootmgr local policy
-#
-allow rebootmgr_t self:process { fork };
-allow rebootmgr_t self:fifo_file rw_fifo_file_perms;
-allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms;
-
-domain_use_interactive_fds(rebootmgr_t)
-
-files_manage_etc_files(rebootmgr_t)
-
-logging_send_syslog_msg(rebootmgr_t)
-
-miscfiles_read_localization(rebootmgr_t)
-
-systemd_start_power_services(rebootmgr_t)
-
-systemd_dbus_chat_logind(rebootmgr_t)
-
-unconfined_dbus_chat(rebootmgr_t)
-
-optional_policy(`
- dbus_system_bus_client(rebootmgr_t)
- dbus_connect_system_bus(rebootmgr_t)
-')
diff --git a/rtorrent.fc b/rtorrent.fc
deleted file mode 100644
index 562f8ad..0000000
--- a/rtorrent.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0)
diff --git a/rtorrent.if b/rtorrent.if
deleted file mode 100644
index 9ea4193..0000000
--- a/rtorrent.if
+++ /dev/null
@@ -1,95 +0,0 @@
-
-## policy for rtorrent
-
-########################################
-##
-## Execute rtorrent_exec_t in the rtorrent domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`rtorrent_domtrans',`
- gen_require(`
- type rtorrent_t, rtorrent_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, rtorrent_exec_t, rtorrent_t)
-')
-
-######################################
-##
-## Execute rtorrent in the caller domain.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`rtorrent_exec',`
- gen_require(`
- type rtorrent_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, rtorrent_exec_t)
-')
-
-########################################
-##
-## Execute rtorrent in the rtorrent domain, and
-## allow the specified role the rtorrent domain.
-##
-##
-##
-## Domain allowed to transition
-##
-##
-##
-##
-## The role to be allowed the rtorrent domain.
-##
-##
-#
-interface(`rtorrent_run',`
- gen_require(`
- type rtorrent_t;
- attribute_role rtorrent_roles;
- ')
-
- rtorrent_domtrans($1)
- roleattribute $2 rtorrent_roles;
-')
-
-########################################
-##
-## Role access for rtorrent
-##
-##
-##
-## Role allowed access
-##
-##
-##
-##
-## User domain for the role
-##
-##
-#
-interface(`rtorrent_role',`
- gen_require(`
- type rtorrent_t;
- attribute_role rtorrent_roles;
- ')
-
- roleattribute $1 rtorrent_roles;
-
- rtorrent_domtrans($2)
-
- ps_process_pattern($2, rtorrent_t)
- allow $2 rtorrent_t:process { signull signal sigkill };
-')
diff --git a/rtorrent.te b/rtorrent.te
deleted file mode 100644
index 996f7a7..0000000
--- a/rtorrent.te
+++ /dev/null
@@ -1,101 +0,0 @@
-policy_module(rtorrent, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-##
-##

-## Allow rtorrent to use send mails -##

-##
-gen_tunable(rtorrent_send_mails, false) - -## -##

-## Enable necessary permissions for rutorrent -##

-##
-gen_tunable(rtorrent_enable_rutorrent, false) - -## -##

-## Allow rtorrent to execute helper scripts in home directories -##

-##
-gen_tunable(rtorrent_exec_scripts, false) - -attribute_role rtorrent_roles; -roleattribute system_r rtorrent_roles; - -type rtorrent_t; -type rtorrent_exec_t; -application_domain(rtorrent_t, rtorrent_exec_t) -role rtorrent_roles types rtorrent_t; - -######################################## -# -# rtorrent local policy -# -allow rtorrent_t self:process { fork signal_perms }; - -allow rtorrent_t self:fifo_file manage_fifo_file_perms; -allow rtorrent_t self:unix_stream_socket create_stream_socket_perms; - -domain_use_interactive_fds(rtorrent_t) - -files_read_etc_files(rtorrent_t) - -miscfiles_read_localization(rtorrent_t) - -sysnet_dns_name_resolve(rtorrent_t) - -optional_policy(` - gen_require(` - type staff_t; - role staff_r; - ') - - rtorrent_run(staff_t, staff_r) -') - -type rtorrent_port_t; -corenet_port(rtorrent_port_t) -allow rtorrent_t rtorrent_port_t:tcp_socket name_bind; - -userdom_read_user_home_content_symlinks(rtorrent_t) -userdom_manage_user_home_content_files(rtorrent_t) -userdom_manage_user_home_content_dirs(rtorrent_t) - -allow rtorrent_t self:tcp_socket { accept listen }; - -corenet_tcp_connect_all_ports(rtorrent_t) - -fs_getattr_xattr_fs(rtorrent_t) - -userdom_use_inherited_user_terminals(rtorrent_t) -# this might be to much -userdom_home_manager(rtorrent_t) -userdom_filetrans_home_content(rtorrent_t) - -optional_policy(` - tunable_policy(`rtorrent_send_mails',` - userdom_exec_user_bin_files(rtorrent_t) - userdom_exec_user_home_content_files(rtorrent_t) - files_manage_generic_tmp_files(rtorrent_t) - mta_send_mail(rtorrent_t) - ') -') - -optional_policy(` - tunable_policy(`rtorrent_enable_rutorrent',` - apache_manage_sys_content(rtorrent_t) - apache_exec_sys_content(rtorrent_t) - ') -') - -tunable_policy(`rtorrent_exec_scripts',` - # execute helper scripts - corecmd_exec_bin(rtorrent_t) - userdom_exec_user_bin_files(rtorrent_t) -') diff --git a/sedoctool.patch b/sedoctool.patch deleted file mode 100644 index 82b2eee..0000000 
--- a/sedoctool.patch +++ /dev/null @@ -1,22 +0,0 @@ -Index: fedora-policy/support/sedoctool.py -=================================================================== ---- fedora-policy.orig/support/sedoctool.py -+++ fedora-policy/support/sedoctool.py -@@ -810,7 +810,7 @@ if booleans: - namevalue_list = [] - if os.path.exists(booleans): - try: -- conf = open(booleans, 'r') -+ conf = open(booleans, 'r', errors='replace') - except: - error("Could not open booleans file for reading") - -@@ -831,7 +831,7 @@ if modules: - namevalue_list = [] - if os.path.exists(modules): - try: -- conf = open(modules, 'r') -+ conf = open(modules, 'r', errors='replace') - except: - error("Could not open modules file for reading") - namevalue_list = get_conf(conf) diff --git a/selinux-policy-20230214.tar.xz b/selinux-policy-20230214.tar.xz new file mode 100644 index 0000000..a99d60c --- /dev/null +++ b/selinux-policy-20230214.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9693ed2c5547a04fe58227ee5f6db761b68cc2f4c7267492220e33678788a83f +size 752564 diff --git a/selinux-policy.changes b/selinux-policy.changes index c83b5af..2656fda 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
@@ -1,3 +1,90 @@
+-------------------------------------------------------------------
+Tue Feb 14 21:41:54 UTC 2023 - Hu
+
+- Complete packaging rework: Move policy to git repository and
+ only use tar_scm obs service to refresh from there:
+ https://gitlab.suse.de/selinux/selinux-policy
+
+ Please use `osc service manualrun` to update this OBS package to the
+ newest git version.
+
+ * Added README.Update describing how to update this package
+ * Added _service file that pulls from selinux-policy and
+ upstream container-selinux and tars them
+ * Adapted selinux-policy.spec to build selinux-policy with
+ container-selinux
+ * Removed update.sh as no longer needed
+ * Removed suse specific modules as they are now covered by git commits
+ * packagekit.te packagekit.if packagekit.fc
+ * rebootmgr.te rebootmgr.if rebootmgr.fc
+ * rtorrent.te rtorrent.if rtorrent.fc
+ * wicked.te wicked.if wicked.fc
+ * Removed *.patch as they are now covered by git commits:
+ * distro_suse_to_distro_redhat.patch
+ * dontaudit_interface_kmod_tmpfs.patch
+ * fix_accountsd.patch
+ * fix_alsa.patch
+ * fix_apache.patch
+ * fix_auditd.patch
+ * fix_authlogin.patch
+ * fix_automount.patch
+ * fix_bitlbee.patch
+ * fix_chronyd.patch
+ * fix_cloudform.patch
+ * fix_colord.patch
+ * fix_corecommand.patch
+ * fix_cron.patch
+ * fix_dbus.patch
+ * fix_djbdns.patch
+ * fix_dnsmasq.patch
+ * fix_dovecot.patch
+ * fix_entropyd.patch
+ * fix_firewalld.patch
+ * fix_fwupd.patch
+ * fix_geoclue.patch
+ * fix_hypervkvp.patch
+ * fix_init.patch
+ * fix_ipsec.patch
+ * fix_iptables.patch
+ * fix_irqbalance.patch
+ * fix_java.patch
+ * fix_kernel.patch
+ * fix_kernel_sysctl.patch
+ * fix_libraries.patch
+ * fix_locallogin.patch
+ * fix_logging.patch
+ * fix_logrotate.patch
+ * fix_mcelog.patch
+ * fix_miscfiles.patch
+ * fix_nagios.patch
+ * fix_networkmanager.patch
+ * fix_nis.patch
+ * fix_nscd.patch
+ * fix_ntp.patch
+ * fix_openvpn.patch
+ * fix_postfix.patch
+ * fix_rpm.patch
+ * fix_rtkit.patch
+ * fix_screen.patch
+ * fix_selinuxutil.patch
+ * fix_sendmail.patch
+ * fix_smartmon.patch
+ * fix_snapper.patch
+ * fix_sslh.patch
+ * fix_sysnetwork.patch
+ * fix_systemd.patch
+ * fix_systemd_watch.patch
+ * fix_thunderbird.patch
+ * fix_unconfined.patch
+ * fix_unconfineduser.patch
+ * fix_unprivuser.patch
+ * fix_userdomain.patch
+ * fix_usermanage.patch
+ * fix_wine.patch
+ * fix_xserver.patch
+ * sedoctool.patch
+ * systemd_domain_dyntrans_type.patch
+
 -------------------------------------------------------------------
 Mon Feb 6 08:36:32 UTC 2023 - Johannes Segitz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 11acb6d..80d04ff 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -33,10 +33,11 @@ Summary: SELinux policy configuration
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20230206
+Version: 20230214
 Release: 0
-Source: fedora-policy-%{version}.tar.bz2
-Source1: selinux-policy-rpmlintrc
+Source0: %{name}-%{version}.tar.xz
+Source1: container-selinux-%{version}.tar.xz
+Source2: selinux-policy-rpmlintrc
 Source10: modules-targeted-base.conf
 Source11: modules-targeted-contrib.conf
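Review bot: `Source1` now names a container-selinux snapshot identified only by the date in `%{version}`, so the spec records no upstream revision for that second tree, whereas the deleted `update.sh` at least showed its origin (a `git clone --depth 1` of https://github.com/containers/container-selinux, likewise unpinned). The new `_service` file and README.Update are outside this diff, so I cannot tell whether the revision is pinned there; a comment above `Source1` such as `# Source1: snapshot of upstream container-selinux produced by _service; tracked revision: <RECORDED-REVISION-PLACEHOLDER>` would make the provenance of the shipped policy reviewable from the spec itself. Separately, the rpmlintrc moved from `Source1` to `Source2`, so any leftover `%{SOURCE1}` reference elsewhere in the spec would now resolve to the container tarball and is worth a grep.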
@@ -70,89 +71,6 @@ Source92: customizable_types
 #Source93: config.tgz
 Source94: file_contexts.subs_dist
 Source95: macros.selinux-policy
-Source96: update.sh
-
-Source120: packagekit.te
-Source121: packagekit.if
-Source122: packagekit.fc
-Source123: rtorrent.te
-Source124: rtorrent.if
-Source125: rtorrent.fc
-Source126: wicked.te
-Source127: wicked.if
-Source128: wicked.fc
-Source129: rebootmgr.te
-Source130: rebootmgr.if
-Source131: rebootmgr.fc
-
-Patch000: distro_suse_to_distro_redhat.patch
-Patch001: fix_djbdns.patch
-Patch002: fix_dbus.patch
-Patch004: fix_java.patch
-Patch006: fix_thunderbird.patch
-Patch007: fix_postfix.patch
-Patch008: fix_nscd.patch
-Patch009: fix_sysnetwork.patch
-Patch010: fix_logging.patch
-Patch011: fix_xserver.patch
-Patch012: fix_miscfiles.patch
-Patch013: fix_init.patch
-Patch014: fix_locallogin.patch
-Patch016: fix_iptables.patch
-Patch017: fix_irqbalance.patch
-Patch018: fix_ntp.patch
-Patch019: fix_fwupd.patch
-Patch020: fix_firewalld.patch
-Patch021: fix_logrotate.patch
-Patch022: fix_selinuxutil.patch
-Patch024: fix_corecommand.patch
-Patch025: fix_snapper.patch
-Patch026: fix_systemd.patch
-Patch027: fix_unconfined.patch
-Patch028: fix_unconfineduser.patch
-Patch029: fix_chronyd.patch
-Patch030: fix_networkmanager.patch
-Patch032: fix_accountsd.patch
-Patch033: fix_automount.patch
-Patch034: fix_colord.patch
-Patch035: fix_mcelog.patch
-Patch036: fix_sslh.patch
-Patch037: fix_nagios.patch
-Patch038: fix_openvpn.patch
-Patch039: fix_cron.patch
-Patch040: fix_usermanage.patch
-Patch041: fix_smartmon.patch
-Patch042: fix_geoclue.patch
-Patch044: fix_authlogin.patch
-Patch045: fix_screen.patch
-Patch046: fix_unprivuser.patch
-Patch047: fix_rpm.patch
-Patch048: fix_apache.patch
-Patch049: fix_nis.patch
-Patch050: fix_libraries.patch
-Patch051: fix_dovecot.patch
-# https://github.com/cockpit-project/cockpit/pull/15758
-#Patch052: fix_cockpit.patch
-Patch053: fix_systemd_watch.patch
-# kernel specific sysctl.conf (boo#1184804)
-Patch054: fix_kernel_sysctl.patch -Patch055: fix_auditd.patch -Patch056: fix_wine.patch -Patch057: fix_hypervkvp.patch -Patch058: fix_bitlbee.patch -Patch059: systemd_domain_dyntrans_type.patch -Patch060: fix_dnsmasq.patch -Patch061: fix_userdomain.patch -Patch062: fix_cloudform.patch -Patch063: fix_alsa.patch -Patch064: dontaudit_interface_kmod_tmpfs.patch -Patch065: fix_sendmail.patch -Patch066: fix_ipsec.patch -Patch067: fix_kernel.patch -Patch068: fix_entropyd.patch -Patch069: fix_rtkit.patch - -Patch100: sedoctool.patch URL: https://github.com/fedora-selinux/selinux-policy.git BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -413,7 +331,16 @@ fi; exit 0 %prep -%autosetup -n fedora-policy-%{version} -p1 + +# set up selinux-policy +%autosetup -n %{name}-%{version} -p1 + +# dirty hack for container-selinux, because selinux-policy won't build without it +# upstream does not want to include it in main policy tree: +# see discussion in https://github.com/containers/container-selinux/issues/186 +%setup -T -D -b 1 +cp ../container-selinux-%{version}/container.* policy/modules/services/ +rm -rf ../container-selinux-%{version} %build @@ -440,10 +367,6 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} cp $i selinux_config done -for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do - cp $i policy/modules/contrib -done - make clean %if %{BUILD_TARGETED} %makeCmds targeted mcs allow diff --git a/systemd_domain_dyntrans_type.patch b/systemd_domain_dyntrans_type.patch deleted file mode 100644 index 8376c95..0000000 --- a/systemd_domain_dyntrans_type.patch +++ /dev/null 
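Review bot: The `cp ../container-selinux-%{version}/container.* policy/modules/services/` line in the new `%prep` copies whatever the glob happens to match in the second tarball into the policy tree, so an additional `container.*` file appearing upstream would be compiled into the shipped policy unnoticed, and a missing module file only surfaces later as an unrelated build error. Naming the three module files keeps the imported surface fixed and fails at the copy itself: `cp ../container-selinux-%{version}/container.te ../container-selinux-%{version}/container.if ../container-selinux-%{version}/container.fc policy/modules/services/`. The "dirty hack" comment above it would also benefit from stating that the copied files must match the `container` module version the base policy expects, since the two trees are only coupled by sharing a date in `%{version}`.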
@@ -1,13 +0,0 @@ -Index: fedora-policy-20220124/policy/modules/system/init.te -=================================================================== ---- fedora-policy-20220124.orig/policy/modules/system/init.te -+++ fedora-policy-20220124/policy/modules/system/init.te -@@ -179,6 +179,8 @@ allow init_t self:tcp_socket { listen ac - allow init_t self:packet_socket create_socket_perms; - allow init_t self:key manage_key_perms; - allow init_t self:bpf { map_create map_read map_write prog_load prog_run }; -+domain_dyntrans_type(init_t) -+allow init_t self:process { dyntransition setcurrent }; - - # is ~sys_module really needed? observed: - # sys_boot diff --git a/update.sh b/update.sh deleted file mode 100644 index 92f709c..0000000 --- a/update.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/sh - -date=$(date '+%Y%m%d') - -echo Update to $date - -rm -rf fedora-policy container-selinux - -git clone --depth 1 https://github.com/fedora-selinux/selinux-policy.git -git clone --depth 1 https://github.com/containers/container-selinux.git - -mv selinux-policy fedora-policy-$date -rm -rf fedora-policy-$date/.git* -mv container-selinux/container.* fedora-policy-$date/policy/modules/services/ - -rm -f fedora-policy?$date.tar* -tar cf fedora-policy-$date.tar fedora-policy-$date -bzip2 fedora-policy-$date.tar -rm -rf fedora-policy-$date container-selinux - -sed -i -e "s/^Version:.*/Version: $date/" selinux-policy.spec - -echo "remove old tar file, then osc addremove" diff --git a/wicked.fc b/wicked.fc deleted file mode 100644 index 8b84838..0000000 --- a/wicked.fc +++ /dev/null 
@@ -1,50 +0,0 @@ -# not used -#/etc/wicked/dispatcher\.d(/.*)? gen_context(system_u:object_r:wicked_initrc_exec_t,s0) -#/usr/lib/wicked/dispatcher\.d(/.*)? gen_context(system_u:object_r:wicked_initrc_exec_t,s0) - -/etc/wicked(/.*)? gen_context(system_u:object_r:wicked_etc_t,s0) -/etc/wicked/extensions/.* -- gen_context(system_u:object_r:wicked_exec_t,s0) - -#/etc/wicked/wicked\.conf gen_context(system_u:object_r:wicked_etc_rw_t,s0) -#/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:wicked_var_lib_t, s0) - -/usr/lib/systemd/system/wicked.* -- gen_context(system_u:object_r:wicked_unit_file_t,s0) - -/sbin/ifdown -- gen_context(system_u:object_r:wicked_exec_t,s0) -/sbin/ifprobe -- gen_context(system_u:object_r:wicked_exec_t,s0) -/sbin/ifstatus -- gen_context(system_u:object_r:wicked_exec_t,s0) -/sbin/ifup -- gen_context(system_u:object_r:wicked_exec_t,s0) -/usr/sbin/ifup -- gen_context(system_u:object_r:wicked_exec_t,s0) - -/usr/sbin/rcwicked.* -- gen_context(system_u:object_r:wicked_initrc_exec_t,s0) - -/usr/lib/wicked/bin(/.*)? gen_context(system_u:object_r:wicked_exec_t,s0) -/usr/libexec/wicked/bin(/.*)? gen_context(system_u:object_r:wicked_exec_t,s0) - -#/usr/lib64/libwicked-0.6.63.so - -/usr/sbin/wicked -- gen_context(system_u:object_r:wicked_exec_t,s0) -/usr/sbin/wickedd -- gen_context(system_u:object_r:wicked_exec_t,s0) -/usr/sbin/wickedd-nanny -- gen_context(system_u:object_r:wicked_exec_t,s0) -#/usr/share/wicked/schema/wireless.xml -/var/lib/wicked(/.*)? gen_context(system_u:object_r:wicked_var_lib_t,s0) -#/etc/sysconfig/network/ifcfg-lo - -#/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) -#/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:wicked_exec_t,s0) -#/var/lib/wicd(/.*)? gen_context(system_u:object_r:wicked_var_lib_t,s0) -#/var/log/wicd.* -- gen_context(system_u:object_r:wicked_log_t,s0) - -/var/run/wicked(/.*)? 
gen_context(system_u:object_r:wicked_var_run_t,s0) - -#/etc/dbus-1 -#/etc/dbus-1/system.d -#/etc/dbus-1/system.d/org.opensuse.Network.AUTO4.conf -#/etc/dbus-1/system.d/org.opensuse.Network.DHCP4.conf -#/etc/dbus-1/system.d/org.opensuse.Network.DHCP6.conf -#/etc/dbus-1/system.d/org.opensuse.Network.Nanny.conf -#/etc/dbus-1/system.d/org.opensuse.Network.conf - -/etc/sysconfig/network/scripts(/.*)? gen_context(system_u:object_r:wicked_script_t,s0) -/etc/sysconfig/network/scripts/samba-winbindd -- gen_context(system_u:object_r:wicked_winbind_script_t,s0) -/etc/sysconfig/network/scripts/dhcpd-restart-hook -- gen_context(system_u:object_r:wicked_dhcp_script_t,s0) diff --git a/wicked.if b/wicked.if deleted file mode 100644 index 0246cda..0000000 --- a/wicked.if +++ /dev/null 
@@ -1,678 +0,0 @@ -## Manager for dynamically switching between networks. - -######################################## -## -## Read and write wicked UDP sockets. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for named. -interface(`wicked_rw_udp_sockets',` - gen_require(` - type wicked_t; - ') - - allow $1 wicked_t:udp_socket { read write }; -') - -######################################## -## -## Read and write wicked packet sockets. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for named. -interface(`wicked_rw_packet_sockets',` - gen_require(` - type wicked_t; - ') - - allow $1 wicked_t:packet_socket { read write }; -') - -####################################### -## -## Allow caller to relabel tun_socket -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_attach_tun_iface',` - gen_require(` - type wicked_t; - ') - - allow $1 wicked_t:tun_socket relabelfrom; - allow $1 self:tun_socket relabelto; -') - -######################################## -## -## Read and write wicked netlink -## routing sockets. -## -## -## -## Domain allowed access. -## -## -# -# cjp: added for named. -interface(`wicked_rw_routing_sockets',` - gen_require(` - type wicked_t; - ') - - allow $1 wicked_t:netlink_route_socket { read write }; -') - -######################################## -## -## Execute wicked with a domain transition. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`wicked_domtrans',` - gen_require(` - type wicked_t, wicked_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, wicked_exec_t, wicked_t) -') - -####################################### -## -## Execute wicked scripts with an automatic domain transition to initrc. -## -## -## -## Domain allowed to transition. 
-## -## -# -interface(`wicked_initrc_domtrans',` - gen_require(` - type wicked_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, wicked_initrc_exec_t) -') - -####################################### -## -## Allow reading of wicked link files -## -## -## -## Domain allowed to read the links -## -## -# -interface(`wicked_initrc_read_lnk_files',` - gen_require(` - type wicked_initrc_exec_t; - ') - - read_lnk_files_pattern($1, wicked_initrc_exec_t, wicked_initrc_exec_t) -') - -######################################## -## -## Execute wicked server in the wicked domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`wicked_systemctl',` - gen_require(` - type wicked_unit_file_t; - type wicked_t; - ') - - systemd_exec_systemctl($1) - init_reload_services($1) - allow $1 wicked_unit_file_t:file read_file_perms; - allow $1 wicked_unit_file_t:service manage_service_perms; - - ps_process_pattern($1, wicked_t) -') - -######################################## -## -## Send and receive messages from -## wicked over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_dbus_chat',` - gen_require(` - type wicked_t; - class dbus send_msg; - ') - - allow $1 wicked_t:dbus send_msg; - allow wicked_t $1:dbus send_msg; -') - -####################################### -## -## Read metworkmanager process state files. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_read_state',` - gen_require(` - type wicked_t; - ') - - allow $1 wicked_t:dir search_dir_perms; - allow $1 wicked_t:file read_file_perms; - allow $1 wicked_t:lnk_file read_lnk_file_perms; -') - -######################################## -## -## Do not audit attempts to send and -## receive messages from wicked -## over dbus. -## -## -## -## Domain to not audit. 
-## -## -# -interface(`wicked_dontaudit_dbus_chat',` - gen_require(` - type wicked_t; - class dbus send_msg; - ') - - dontaudit $1 wicked_t:dbus send_msg; - dontaudit wicked_t $1:dbus send_msg; -') - -######################################## -## -## Send a generic signal to wicked -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_signal',` - gen_require(` - type wicked_t; - ') - - allow $1 wicked_t:process signal; -') - -######################################## -## -## Create, read, and write -## wicked library files. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_manage_lib_files',` - gen_require(` - type wicked_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t) - allow $1 wicked_var_lib_t:file map; -') - -######################################## -## -## Read wicked lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_read_lib_files',` - gen_require(` - type wicked_var_lib_t; - ') - - files_search_var_lib($1) - list_dirs_pattern($1, wicked_var_lib_t, wicked_var_lib_t) - read_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t) - allow $1 wicked_var_lib_t:file map; -') - -####################################### -## -## Read wicked conf files. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_read_conf',` - gen_require(` - type wicked_etc_t; - type wicked_etc_rw_t; - ') - - allow $1 wicked_etc_t:dir list_dir_perms; - read_files_pattern($1,wicked_etc_t,wicked_etc_t) - read_files_pattern($1,wicked_etc_rw_t,wicked_etc_rw_t) -') - -######################################## -## -## Read wicked PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_read_pid_files',` - gen_require(` - type wicked_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, wicked_var_run_t, wicked_var_run_t) -') - -######################################## -## -## Manage wicked PID files. 
-## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_manage_pid_files',` - gen_require(` - type wicked_var_run_t; - ') - - files_search_pids($1) - manage_dirs_pattern($1, wicked_var_run_t, wicked_var_run_t) - manage_files_pattern($1, wicked_var_run_t, wicked_var_run_t) -') - -######################################## -## -## Manage wicked PID sock files. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_manage_pid_sock_files',` - gen_require(` - type wicked_var_run_t; - ') - - files_search_pids($1) - manage_sock_files_pattern($1, wicked_var_run_t, wicked_var_run_t) -') - -######################################## -## -## Create objects in /etc with a private -## type using a type_transition. -## -## -## -## Domain allowed access. -## -## -## -## -## Private file type. -## -## -## -## -## Object classes to be created. -## -## -## -## -## The name of the object being created. -## -## -# -interface(`wicked_pid_filetrans',` - gen_require(` - type wicked_var_run_t; - ') - - filetrans_pattern($1, wicked_var_run_t, $2, $3, $4) -') - -#################################### -## -## Connect to wicked over -## a unix domain stream socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_stream_connect',` - gen_require(` - type wicked_t, wicked_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, wicked_var_run_t, wicked_var_run_t, wicked_t) -') - -######################################## -## -## Delete wicked PID files. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_delete_pid_files',` - gen_require(` - type wicked_var_run_t; - ') - - files_search_pids($1) - delete_files_pattern($1, wicked_var_run_t, wicked_var_run_t) -') - -######################################## -## -## Execute wicked in the wicked domain, and -## allow the specified role the wicked domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## Role allowed access. 
-## -## -## -# -interface(`wicked_run',` - gen_require(` - type wicked_t, wicked_exec_t; - ') - - wicked_domtrans($1) - role $2 types wicked_t; -') - -######################################## -## -## Allow the specified domain to append -## to Network Manager log files. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_append_log',` - gen_require(` - type wicked_log_t; - ') - - logging_search_logs($1) - allow $1 wicked_log_t:dir list_dir_perms; - append_files_pattern($1, wicked_log_t, wicked_log_t) - allow $1 wicked_log_t:file map; - -') - -####################################### -## -## Allow the specified domain to manage -## to Network Manager lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_manage_lib',` - gen_require(` - type wicked_var_lib_t; - ') - - manage_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t) - allow $1 wicked_var_lib_t:file map; - -') - -####################################### -## -## Send to wicked with a unix dgram socket. -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_dgram_send',` - gen_require(` - type wicked_t, wicked_var_run_t; - ') - - files_search_pids($1) - dgram_send_pattern($1, wicked_var_run_t, wicked_var_run_t, wicked_t) -') - -######################################## -## -## Send sigchld to wicked. -## -## -## -## Domain allowed access. -## -## -# -# -interface(`wicked_sigchld',` - gen_require(` - type wicked_t; - ') - - allow $1 wicked_t:process sigchld; -') - -######################################## -## -## Send signull to wicked. -## -## -## -## Domain allowed access. -## -## -# -# -interface(`wicked_signull',` - gen_require(` - type wicked_t; - ') - - allow $1 wicked_t:process signull; -') - -######################################## -## -## Send sigkill to wicked. -## -## -## -## Domain allowed access. 
-## -## -# -# -interface(`wicked_sigkill',` - gen_require(` - type wicked_t; - ') - - allow $1 wicked_t:process sigkill; -') - -######################################## -## -## Transition to wicked named content -## -## -## -## Domain allowed access. -## -## -# -interface(`wicked_filetrans_named_content',` - gen_require(` - type wicked_var_run_t; - type wicked_var_lib_t; - ') - - - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth0.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth1.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth2.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth3.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth4.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth5.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth6.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth7.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth8.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth9.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth0.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth1.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth2.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth3.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth4.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth5.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth6.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth7.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth8.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth9.dhcp.ipv6") - - files_pid_filetrans($1, wicked_var_run_t, file, 
"leaseinfo.em0.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em1.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em2.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em3.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em4.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em5.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em6.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em7.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em8.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em9.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em0.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em1.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em2.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em3.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em4.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em5.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em6.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em7.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em8.dhcp.ipv6") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em9.dhcp.ipv6") - - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.lo.dhcp.ipv4") - files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.lo.dhcp.ipv6") - - files_pid_filetrans($1, wicked_var_run_t, dir, "extension") - files_pid_filetrans($1, wicked_var_run_t, dir, "nanny") - - files_etc_filetrans($1, wicked_var_lib_t, file, "state-1.xml") - files_etc_filetrans($1, wicked_var_lib_t, file, "state-2.xml") - files_etc_filetrans($1, wicked_var_lib_t, file, "state-3.xml") - files_etc_filetrans($1, 
wicked_var_lib_t, file, "state-4.xml") - files_etc_filetrans($1, wicked_var_lib_t, file, "state-5.xml") - files_etc_filetrans($1, wicked_var_lib_t, file, "state-6.xml") - files_etc_filetrans($1, wicked_var_lib_t, file, "state-7.xml") - files_etc_filetrans($1, wicked_var_lib_t, file, "state-8.xml") - files_etc_filetrans($1, wicked_var_lib_t, file, "state-9.xml") -') - -######################################## -## -## Create a set of derived types for various wicked scripts -## -## -## -## The name to be used for deriving type names. -## -## -# -template(`wicked_script_template',` - gen_require(` - attribute wicked_plugin, wicked_script; - type wicked_t; - ') - - type wicked_$1_t, wicked_plugin; - type wicked_$1_script_t, wicked_script; - application_domain(wicked_$1_t, wicked_$1_script_t) - role system_r types wicked_$1_t; - - domtrans_pattern(wicked_t, wicked_$1_script_t, wicked_$1_t) -') diff --git a/wicked.te b/wicked.te deleted file mode 100644 index 8747b97..0000000 --- a/wicked.te +++ /dev/null 
@@ -1,572 +0,0 @@
-policy_module(wicked, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-type wicked_t;
-type wicked_exec_t;
-init_daemon_domain(wicked_t, wicked_exec_t)
-
-type wicked_initrc_exec_t;
-init_script_file(wicked_initrc_exec_t)
-
-type wicked_unit_file_t;
-systemd_unit_file(wicked_unit_file_t)
-
-type wicked_etc_t;
-files_config_file(wicked_etc_t)
-
-type wicked_etc_rw_t;
-files_config_file(wicked_etc_rw_t)
-
-#type wicked_log_t;
-#logging_log_file(wicked_log_t)
-
-type wicked_tmp_t;
-files_tmp_file(wicked_tmp_t)
-
-type wicked_var_lib_t;
-files_type(wicked_var_lib_t)
-
-type wicked_var_run_t;
-files_pid_file(wicked_var_run_t)
-
-
-# Wicked scripts
-
-attribute wicked_plugin;
-attribute wicked_script;
-type wicked_script_t, wicked_script;
-type wicked_custom_t, wicked_plugin;
-role system_r types wicked_custom_t;
-application_domain(wicked_custom_t, wicked_script_t)
-domtrans_pattern(wicked_t, wicked_script_t, wicked_custom_t)
-
-wicked_script_template(winbind);
-wicked_script_template(dhcp);
-
-#type wpa_cli_t;
-#type wpa_cli_exec_t;
-#init_system_domain(wpa_cli_t, wpa_cli_exec_t)
-
-########################################
-#
-# Local policy
-#
-
-# wicked will ptrace itself if gdb is installed
-# and it receives a unexpected signal (rh bug #204161)
-allow wicked_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_read_search dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot };
-dontaudit wicked_t self:capability sys_tty_config;
-
-allow wicked_t self:bpf { map_create map_read map_write prog_load prog_run };
-
-ifdef(`hide_broken_symptoms',`
- # caused by some bogus kernel code
- dontaudit wicked_t self:capability sys_module;
-')
-# alternatively allow with
-# kernel_load_module( wicked_t )
-
-allow wicked_t self:process { getcap setcap setpgid getsched setsched signal_perms };
-
-allow wicked_t self:process setfscreate;
-selinux_validate_context(wicked_t)
-
-tunable_policy(`deny_ptrace',`',`
- allow wicked_t self:capability sys_ptrace;
- allow wicked_t self:process ptrace;
-')
-
-allow wicked_t self:fifo_file rw_fifo_file_perms;
-allow wicked_t self:unix_dgram_socket { sendto create_socket_perms };
-allow wicked_t self:unix_stream_socket{ create_stream_socket_perms connectto };
-allow wicked_t self:netlink_generic_socket create_socket_perms;
-allow wicked_t self:netlink_route_socket create_netlink_socket_perms;
-allow wicked_t self:netlink_xfrm_socket create_netlink_socket_perms;
-allow wicked_t self:netlink_socket create_socket_perms;
-allow wicked_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow wicked_t self:tcp_socket create_stream_socket_perms;
-allow wicked_t self:tun_socket { create_socket_perms relabelfrom relabelto };
-allow wicked_t self:udp_socket create_socket_perms;
-allow wicked_t self:packet_socket create_socket_perms;
-allow wicked_t self:rawip_socket create_socket_perms;
-allow wicked_t self:socket create_socket_perms;
-
-tunable_policy(`deny_bluetooth',`',`
- allow wicked_t self:bluetooth_socket create_stream_socket_perms;
-')
-
-#allow wicked_t wpa_cli_t:unix_dgram_socket sendto;
-
-can_exec(wicked_t, wicked_exec_t)
-#wicd
-# can_exec(wicked_t, wpa_cli_exec_t)
-
-list_dirs_pattern(wicked_t, wicked_initrc_exec_t, wicked_initrc_exec_t)
-read_files_pattern(wicked_t, wicked_initrc_exec_t, wicked_initrc_exec_t)
-read_lnk_files_pattern(wicked_t, wicked_initrc_exec_t, wicked_initrc_exec_t)
-
-list_dirs_pattern(wicked_t, wicked_etc_t, wicked_etc_t)
-read_files_pattern(wicked_t, wicked_etc_t, wicked_etc_t)
-read_lnk_files_pattern(wicked_t, wicked_etc_t, wicked_etc_t)
-
-read_lnk_files_pattern(wicked_t, wicked_etc_rw_t, wicked_etc_rw_t)
-manage_dirs_pattern(wicked_t, wicked_etc_rw_t, wicked_etc_rw_t)
-manage_files_pattern(wicked_t, wicked_etc_rw_t, wicked_etc_rw_t)
-filetrans_pattern(wicked_t, wicked_etc_t, wicked_etc_rw_t, { dir file })
-
-#allow wicked_t wicked_log_t:dir setattr_dir_perms;
-#append_files_pattern(wicked_t, wicked_log_t, wicked_log_t)
-#create_files_pattern(wicked_t, wicked_log_t, wicked_log_t)
-#setattr_files_pattern(wicked_t, wicked_log_t, wicked_log_t)
-#logging_log_filetrans(wicked_t, wicked_log_t, file)
-
-can_exec(wicked_t, wicked_tmp_t)
-manage_files_pattern(wicked_t, wicked_tmp_t, wicked_tmp_t)
-manage_sock_files_pattern(wicked_t, wicked_tmp_t, wicked_tmp_t)
-files_tmp_filetrans(wicked_t, wicked_tmp_t, { sock_file file })
-
-manage_dirs_pattern(wicked_t, wicked_var_lib_t, wicked_var_lib_t)
-manage_files_pattern(wicked_t, wicked_var_lib_t, wicked_var_lib_t)
-manage_lnk_files_pattern(wicked_t, wicked_var_lib_t, wicked_var_lib_t)
-files_var_lib_filetrans(wicked_t, wicked_var_lib_t, { dir file lnk_file })
-
-manage_dirs_pattern(wicked_t, wicked_var_run_t, wicked_var_run_t)
-manage_files_pattern(wicked_t, wicked_var_run_t, wicked_var_run_t)
-manage_sock_files_pattern(wicked_t, wicked_var_run_t, wicked_var_run_t)
-files_pid_filetrans(wicked_t, wicked_var_run_t, { dir file sock_file })
-
-kernel_read_system_state(wicked_t)
-kernel_read_network_state(wicked_t)
-kernel_read_kernel_sysctls(wicked_t)
-kernel_request_load_module(wicked_t)
-kernel_read_debugfs(wicked_t)
-kernel_rw_net_sysctls(wicked_t)
-kernel_dontaudit_setsched(wicked_t)
-kernel_signull(wicked_t)
-
-corenet_ib_manage_subnet_unlabeled_endports(wicked_t)
-corenet_ib_access_unlabeled_pkeys(wicked_t)
-corenet_all_recvfrom_netlabel(wicked_t)
-corenet_tcp_sendrecv_generic_if(wicked_t)
-corenet_udp_sendrecv_generic_if(wicked_t)
-corenet_raw_sendrecv_generic_if(wicked_t)
-corenet_tcp_sendrecv_generic_node(wicked_t)
-corenet_udp_sendrecv_generic_node(wicked_t)
-corenet_raw_sendrecv_generic_node(wicked_t)
-corenet_tcp_sendrecv_all_ports(wicked_t)
-corenet_udp_sendrecv_all_ports(wicked_t)
-corenet_udp_bind_generic_node(wicked_t)
-corenet_udp_bind_isakmp_port(wicked_t)
-corenet_udp_bind_dhcpc_port(wicked_t)
-corenet_tcp_connect_all_ports(wicked_t)
-corenet_sendrecv_isakmp_server_packets(wicked_t)
-corenet_sendrecv_dhcpc_server_packets(wicked_t)
-corenet_sendrecv_all_client_packets(wicked_t)
-corenet_rw_tun_tap_dev(wicked_t)
-corenet_getattr_ppp_dev(wicked_t)
-
-dev_access_check_sysfs(wicked_t)
-dev_rw_sysfs(wicked_t)
-dev_write_sysfs_dirs(wicked_t)
-dev_read_rand(wicked_t)
-dev_read_urand(wicked_t)
-dev_dontaudit_getattr_generic_blk_files(wicked_t)
-dev_getattr_all_chr_files(wicked_t)
-dev_rw_wireless(wicked_t)
-
-fs_getattr_all_fs(wicked_t)
-fs_search_auto_mountpoints(wicked_t)
-fs_list_inotifyfs(wicked_t)
-fs_read_nsfs_files(wicked_t)
-
-mls_file_read_all_levels(wicked_t)
-
-selinux_dontaudit_search_fs(wicked_t)
-
-corecmd_exec_shell(wicked_t)
-corecmd_exec_bin(wicked_t)
-
-domain_use_interactive_fds(wicked_t)
-domain_read_all_domains_state(wicked_t)
-
-files_read_etc_runtime_files(wicked_t)
-files_read_system_conf_files(wicked_t)
-files_read_usr_src_files(wicked_t)
-files_read_isid_type_files(wicked_t)
-
-storage_getattr_fixed_disk_dev(wicked_t)
-
-term_open_unallocated_ttys(wicked_t)
-
-init_read_utmp(wicked_t)
-init_dontaudit_write_utmp(wicked_t)
-init_domtrans_script(wicked_t)
-init_signull_script(wicked_t)
-init_signal_script(wicked_t)
-init_sigkill_script(wicked_t)
-
-auth_use_nsswitch(wicked_t)
-
-libs_exec_ldconfig(wicked_t)
-
-logging_send_syslog_msg(wicked_t)
-logging_send_audit_msgs(wicked_t)
-
-miscfiles_read_generic_certs(wicked_t)
-
-seutil_read_config(wicked_t)
-seutil_run_setfiles(wicked_t, system_r)
-
-sysnet_domtrans_ifconfig(wicked_t)
-sysnet_domtrans_dhcpc(wicked_t)
-sysnet_signal_dhcpc(wicked_t)
-sysnet_signull_dhcpc(wicked_t)
-sysnet_read_dhcpc_pid(wicked_t)
-sysnet_read_dhcp_config(wicked_t)
-sysnet_delete_dhcpc_pid(wicked_t)
-sysnet_kill_dhcpc(wicked_t)
-sysnet_read_dhcpc_state(wicked_t)
-sysnet_delete_dhcpc_state(wicked_t)
-sysnet_search_dhcp_state(wicked_t)
-# in /etc created by wicked will be labelled net_conf_t.
-sysnet_manage_config(wicked_t)
-sysnet_filetrans_named_content(wicked_t)
-sysnet_filetrans_net_conf(wicked_t)
-
-systemd_machined_read_pid_files(wicked_t)
-
-term_use_unallocated_ttys(wicked_t)
-
-userdom_stream_connect(wicked_t)
-userdom_dontaudit_use_unpriv_user_fds(wicked_t)
-userdom_dontaudit_use_user_ttys(wicked_t)
-# Read gnome-keyring
-userdom_read_home_certs(wicked_t)
-userdom_read_user_home_content_files(wicked_t)
-userdom_dgram_send(wicked_t)
-
-hostname_exec(wicked_t)
-wicked_systemctl(wicked_t)
-
-sysnet_manage_config_dirs(wicked_t)
-
-
-# Wicked scripts
-
-list_dirs_pattern(wicked_t, wicked_script_t, wicked_script)
-read_files_pattern(wicked_t, wicked_script_t, wicked_script)
-read_lnk_files_pattern(wicked_t, wicked_script_t, wicked_script)
-list_dirs_pattern(wicked_plugin, wicked_script_t, wicked_script_t)
-read_lnk_files_pattern(wicked_plugin, wicked_script_t, wicked_script)
-
-auth_read_passwd(wicked_plugin)
-
-corecmd_exec_bin(wicked_plugin)
-corecmd_exec_shell(wicked_winbind_t)
-
-#tunable_policy(`use_nfs_home_dirs',`
-# fs_read_nfs_files(wicked_t)
-#')
-#
-#tunable_policy(`use_samba_home_dirs',`
-# fs_read_cifs_files(wicked_t)
-#')
-
-optional_policy(`
- avahi_domtrans(wicked_t)
- avahi_kill(wicked_t)
- avahi_signal(wicked_t)
- avahi_signull(wicked_t)
- avahi_dbus_chat(wicked_t)
-')
-
-optional_policy(`
- packagekit_dbus_chat(wicked_t)
-')
-
-optional_policy(`
- firewalld_dbus_chat(wicked_t)
-')
-
-optional_policy(`
- wicked_dbus_chat(wicked_t)
-')
-
-optional_policy(`
- bind_domtrans(wicked_t)
- bind_manage_cache(wicked_t)
- bind_kill(wicked_t)
- bind_signal(wicked_t)
- bind_signull(wicked_t)
-')
-
-optional_policy(`
- bluetooth_dontaudit_read_helper_state(wicked_t)
-')
-
-optional_policy(`
- consoletype_exec(wicked_t)
-')
-
-optional_policy(`
- cron_read_system_job_lib_files(wicked_t)
-')
-
-optional_policy(`
- chronyd_domtrans_chronyc(wicked_t)
- chronyd_domtrans(wicked_t)
-')
-
-optional_policy(`
- dbus_system_domain(wicked_t, wicked_exec_t)
-
- init_dbus_chat(wicked_t)
-
- optional_policy(`
- consolekit_dbus_chat(wicked_t)
- consolekit_read_pid_files(wicked_t)
- ')
-')
-
-optional_policy(`
- dnsmasq_read_pid_files(wicked_t)
- dnsmasq_dbus_chat(wicked_t)
- dnsmasq_delete_pid_files(wicked_t)
- dnsmasq_domtrans(wicked_t)
- dnsmasq_initrc_domtrans(wicked_t)
- dnsmasq_kill(wicked_t)
- dnsmasq_signal(wicked_t)
- dnsmasq_signull(wicked_t)
- dnsmasq_systemctl(wicked_t)
-')
-
-optional_policy(`
- dnssec_trigger_domtrans(wicked_t)
- dnssec_trigger_signull(wicked_t)
- dnssec_trigger_sigkill(wicked_t)
-')
-
-optional_policy(`
- fcoe_dgram_send_fcoemon(wicked_t)
-')
-
-optional_policy(`
- howl_signal(wicked_t)
-')
-
-optional_policy(`
- gnome_dontaudit_search_config(wicked_t)
-')
-
-optional_policy(`
- iscsid_domtrans(wicked_t)
-')
-
-optional_policy(`
- iodined_domtrans(wicked_t)
-')
-
-optional_policy(`
- ipsec_domtrans_mgmt(wicked_t)
- ipsec_kill_mgmt(wicked_t)
- ipsec_signal_mgmt(wicked_t)
- ipsec_signull_mgmt(wicked_t)
- ipsec_domtrans(wicked_t)
- ipsec_kill(wicked_t)
- ipsec_signal(wicked_t)
- ipsec_signull(wicked_t)
-')
-
-optional_policy(`
- iptables_domtrans(wicked_t)
-')
-
-optional_policy(`
- l2tpd_domtrans(wicked_t)
- l2tpd_sigkill(wicked_t)
- l2tpd_signal(wicked_t)
- l2tpd_signull(wicked_t)
-')
-
-optional_policy(`
- lldpad_dgram_send(wicked_t)
-')
-
-optional_policy(`
- kdump_dontaudit_inherited_kdumpctl_tmp_pipes(wicked_t)
-')
-
-optional_policy(`
- netutils_exec_ping(wicked_t)
- netutils_exec(wicked_t)
-')
-
-optional_policy(`
- nscd_domtrans(wicked_t)
- nscd_signal(wicked_t)
- nscd_signull(wicked_t)
- nscd_kill(wicked_t)
- nscd_initrc_domtrans(wicked_t)
- nscd_systemctl(wicked_t)
-')
-
-optional_policy(`
- # Dispatcher starting and stoping ntp
- ntp_initrc_domtrans(wicked_t)
- ntp_systemctl(wicked_t)
-')
-
-optional_policy(`
- modutils_domtrans_kmod(wicked_t)
-')
-
-optional_policy(`
- openvpn_read_config(wicked_t)
- openvpn_domtrans(wicked_t)
- openvpn_kill(wicked_t)
- openvpn_signal(wicked_t)
- openvpn_signull(wicked_t)
- openvpn_stream_connect(wicked_t)
- openvpn_noatsecure(wicked_t)
-')
-
-optional_policy(`
- policykit_dbus_chat(wicked_t)
- policykit_domtrans_auth(wicked_t)
- policykit_read_lib(wicked_t)
- policykit_read_reload(wicked_t)
- userdom_read_all_users_state(wicked_t)
-')
-
-optional_policy(`
- polipo_systemctl(wicked_t)
-')
-
-optional_policy(`
- ppp_initrc_domtrans(wicked_t)
- ppp_domtrans(wicked_t)
- ppp_manage_pid_files(wicked_t)
- ppp_kill(wicked_t)
- ppp_signal(wicked_t)
- ppp_signull(wicked_t)
- ppp_read_config(wicked_t)
- ppp_systemctl(wicked_t)
-')
-
-optional_policy(`
- rpm_exec(wicked_t)
- rpm_read_db(wicked_t)
- rpm_dontaudit_manage_db(wicked_t)
-')
-
-optional_policy(`
- samba_service_status(wicked_t)
-')
-
-optional_policy(`
- seutil_sigchld_newrole(wicked_t)
-')
-
-optional_policy(`
- sysnet_manage_dhcpc_state(wicked_t)
-')
-
-optional_policy(`
- systemd_write_inhibit_pipes(wicked_t)
- systemd_read_logind_sessions_files(wicked_t)
- systemd_dbus_chat_logind(wicked_t)
- systemd_dbus_chat_hostnamed(wicked_t)
- systemd_hostnamed_manage_config(wicked_t)
-')
-
-optional_policy(`
- ssh_basic_client_template(wicked, wicked_t, system_r)
- term_use_generic_ptys(wicked_ssh_t)
- modutils_domtrans_kmod(wicked_ssh_t)
- dbus_connect_system_bus(wicked_ssh_t)
- dbus_system_bus_client(wicked_ssh_t)
-
- wicked_dbus_chat(wicked_ssh_t)
-')
-
-optional_policy(`
- udev_exec(wicked_t)
- udev_read_db(wicked_t)
- udev_read_pid_files(wicked_t)
-')
-
-optional_policy(`
- vpn_domtrans(wicked_t)
- vpn_kill(wicked_t)
- vpn_signal(wicked_t)
- vpn_signull(wicked_t)
- vpn_relabelfrom_tun_socket(wicked_t)
-')
-
-optional_policy(`
- openfortivpn_domtrans(wicked_t)
- openfortivpn_sigkill(wicked_t)
- openfortivpn_signal(wicked_t)
- openfortivpn_signull(wicked_t)
-')
-
-optional_policy(`
- openvswitch_stream_connect(wicked_t)
-')
-
-optional_policy(`
- virt_dbus_chat(wicked_t)
-')
-
-optional_policy(`
- networkmanager_dbus_chat(wicked_t)
-')
-
-optional_policy(`
- logging_send_syslog_msg(wicked_winbind_t)
-')
-
-optional_policy(`
- sysnet_exec_ifconfig(wicked_plugin)
- sysnet_read_config(wicked_plugin)
-')
-
-optional_policy(`
- systemd_exec_systemctl(wicked_winbind_t)
- systemd_exec_systemctl(wicked_dhcp_t)
-')
-
-optional_policy(`
- samba_domtrans_smbcontrol(wicked_winbind_t)
- samba_read_config(wicked_winbind_t)
- samba_service_status(wicked_winbind_t)
-')
-
-#tunable_policy(`use_ecryptfs_home_dirs',`
-#fs_manage_ecryptfs_files(wicked_t)
-#')
-
-########################################
-#
-# wpa_cli local policy
-#
-
-#allow wpa_cli_t self:capability { dac_read_search };
-#allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
-#
-#allow wpa_cli_t wicked_t:unix_dgram_socket sendto;
-#
-#manage_sock_files_pattern(wpa_cli_t, wicked_tmp_t, wicked_tmp_t)
-#files_tmp_filetrans(wpa_cli_t, wicked_tmp_t, sock_file)
-#
-#list_dirs_pattern(wpa_cli_t, wicked_var_run_t, wicked_var_run_t)
-#rw_sock_files_pattern(wpa_cli_t, wicked_var_run_t, wicked_var_run_t)
-#
-#init_dontaudit_use_fds(wpa_cli_t)
-#init_use_script_ptys(wpa_cli_t)
-#
-#term_dontaudit_use_console(wpa_cli_t)
From 5e0b3ff8760e698379135f6166e2c6516507685f7b04dd1a493d29015ddb58a7 Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Fri, 24 Feb 2023 10:32:16 +0000
Subject: [PATCH 4/8] OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=174
---
 selinux-policy.spec | 1 -
 1 file changed, 1 deletion(-)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 80d04ff..06ff334 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -412,7 +412,6 @@ install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
 install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
 %{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
 mkdir %{buildroot}%{_datadir}/selinux/devel/html
-mv %{buildroot}%{_datadir}/man/man8/SUSE %{buildroot}%{_datadir}/selinux/devel/html
 mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
 mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
 rm %{buildroot}%{_mandir}/man8/container_selinux.8*
From 00949e479d614e18c1f9840d26f4dad2b0c906c410eaf4ecd6bd638091c3238d Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Fri, 17 Mar 2023 10:46:53 +0000
Subject: [PATCH 5/8] Accepting request 1072556 from home:jsegitz:branches:security:SELinux_final
OBS-URL: https://build.opensuse.org/request/show/1072556
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=175
---
 _service | 8 -
 _servicedata | 2 +-
 container-selinux-20230214.tar.xz | 3 -
 container.fc | 156 ++++
 container.if | 1044 +++++++++++++++++++++
 container.te | 1416 +++++++++++++++++++++++++++++
 selinux-policy-20230214.tar.xz | 3 -
 selinux-policy-20230316.tar.xz | 3 +
 selinux-policy.changes | 28 +
 selinux-policy.spec | 14 +-
 update.sh | 27 +
 11 files changed, 2683 insertions(+), 21 deletions(-)
 delete mode 100644 container-selinux-20230214.tar.xz
 create mode 100644 container.fc
 create mode 100644 container.if
 create mode 100644 container.te
 delete mode 100644 selinux-policy-20230214.tar.xz
 create mode 100644 selinux-policy-20230316.tar.xz
 create mode 100644 update.sh
diff --git a/_service b/_service
index 64a67c0..f74bf15 100644
--- a/_service
+++ b/_service
@@ -7,14 +7,6 @@ enable factory - - 1 - %cd - https://github.com/containers/container-selinux.git - git - enable - main - xz *.tar
diff --git a/_servicedata b/_servicedata
index b50b36f..4535cb7 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,6 +1,6 @@ https://gitlab.suse.de/selinux/selinux-policy.git - 167da331be8238b650e75d629a925576ca5bf70b + 3fa3ee463c968e6001607a3d25edc2f9971824d7 https://github.com/containers/container-selinux.git 07b3034f6d9625ab84508a2f46515d8ff79b4204 \ No newline at end of file
diff --git a/container-selinux-20230214.tar.xz b/container-selinux-20230214.tar.xz
deleted file mode 100644
index 16fd854..0000000
--- a/container-selinux-20230214.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:35976ddc019bac7363a4a7eb7f626fc92cf91a19deeca7bb8ff1458dbb0dc936
-size 25128
diff --git a/container.fc b/container.fc
new file mode 100644
index 0000000..8fc71ee
--- /dev/null
+++ b/container.fc
@@ -0,0 +1,156 @@
+/root/\.docker gen_context(system_u:object_r:container_home_t,s0)
+
+/usr/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/libexec/docker/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/libexec/docker/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0)
+/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+
+/usr/s?bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/lxd -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/fuidshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/libexec/lxc/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/libexec/lxd/.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/bin/podman -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0)
+/usr/local/bin/conmon -- gen_context(system_u:object_r:conmon_exec_t,s0)
+/usr/local/s?bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/buildkit-runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/buildkit-runc -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/crun -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/crun -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/kata-agent -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/kata-agent -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/container[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/bin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/sbin/rhel-push-plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker-latest -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker-current -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0)
+/usr/s?bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/s?bin/crio.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/s?bin/ocid.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/lib/docker/docker-novolume-plugin -- gen_context(system_u:object_r:container_auth_exec_t,s0)
+/usr/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+/usr/local/lib/docker/[^/]*plugin -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
+
+/usr/lib/systemd/system/docker.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/lxd.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/containerd.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
+/usr/lib/systemd/system/buildkit.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
+
+/etc/docker(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+/etc/docker-latest(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+/etc/containerd(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+/etc/buildkit(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+/etc/crio(/.*)? gen_context(system_u:object_r:container_config_t,s0)
+/exports(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+
+/var/lib/registry(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/lxc(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/lxd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
+/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/lib/containerd(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+# The "snapshots" directory of containerd and BuildKit must be writable, as it is used as an upperdir as well as a lowerdir.
+/var/lib/containerd/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/nerdctl(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/nerdctl/[^/]*/volumes(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lib/buildkit(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/buildkit/[^/]*/snapshots(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+# "/var/lib/buildkit/runc-/executor" contains "resolv.conf" and "hosts.", for OCI (runc) worker mode.
+/var/lib/buildkit/runc-.*/executor(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0)
+# "/var/lib/buildkit/containerd-" contains resolv.conf and hosts., for containerd worker mode.
+# Unlike the runc- directory, this directory does not contain the "executor" directory inside it.
+/var/lib/buildkit/containerd-.*(/.*?) gen_context(system_u:object_r:container_ro_file_t,s0)
+
+HOME_DIR/\.local/share/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lib/containers(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/containers/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/atomic(/.*)? <>
+/var/lib/containers/storage/volumes/[^/]*/.* gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay2-layers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containers/storage/overlay2-images(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/ocid(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/ocid/sandboxes(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/cache/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0)
+
+/var/lib/origin(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0)
+/var/lib/docker-latest/containers/.*/hostname gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/containers/.*/hosts gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/init(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker-latest/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
+
+/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+
+/var/run/containers(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
+/var/run/buildkit(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
+/var/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0)
+
+/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+/var/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0)
+
+/var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+/var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0)
+/etc/kubernetes(/.*)? gen_context(system_u:object_r:kubernetes_file_t,s0)
diff --git a/container.if b/container.if
new file mode 100644
index 0000000..d9c3daf
--- /dev/null
+++ b/container.if
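Review bot: The two BuildKit entries `/var/lib/buildkit/runc-.*/executor(/.*?)` and `/var/lib/buildkit/containerd-.*(/.*?)` use `(/.*?)` where every neighbouring entry uses `(/.*)?`; the group is not optional, so the `executor` and `containerd-*` directories themselves are not matched by these lines and fall back to the broader `/var/lib/buildkit(/.*)?` entry (container_var_lib_t), while only their children become container_ro_file_t, and the lazy `?` has no effect in a fully anchored file-context match. The comments above them say these directories hold resolv.conf and hosts, which suggests the directory itself was meant to carry the read-only label too; if so the lines should read `/var/lib/buildkit/runc-.*/executor(/.*)?` and `/var/lib/buildkit/containerd-.*(/.*)?`. Since this file is imported from upstream container-selinux, the fix is best carried there rather than only in this package.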
@@ -0,0 +1,1044 @@
+## The open-source application container engine.
+
+########################################
+##
+## Execute container in the container domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`container_runtime_domtrans',`
+ gen_require(`
+ type container_runtime_t, container_runtime_exec_t;
+ type container_runtime_tmpfs_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, container_runtime_exec_t, container_runtime_t)
+ allow container_runtime_t $1:fifo_file setattr;
+')
+
+########################################
+##
+## Execute container runtime in the container runtime domain
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`container_runtime_run',`
+ gen_require(`
+ type container_runtime_t;
+ class dbus send_msg;
+ ')
+
+ container_runtime_domtrans($1)
+ role $2 types container_runtime_t;
+ allow $1 container_runtime_t:dbus send_msg;
+')
+
+
+########################################
+##
+## Execute container in the caller domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`container_runtime_exec',`
+ gen_require(`
+ type container_runtime_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, container_runtime_exec_t)
+')
+
+########################################
+##
+## Read the process state of container runtime
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_read_state',`
+ gen_require(`
+ type container_runtime_t;
+ ')
+
+ ps_process_pattern($1, container_runtime_t)
+')
+
+########################################
+##
+## Search container lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_search_lib',`
+ gen_require(`
+ type container_var_lib_t;
+ ')
+
+ allow $1 container_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Execute container lib directories.
+##
+##
+##
+## Domain allowed access.
+## +## +# +interface(`container_exec_lib',` + gen_require(` + type container_var_lib_t; + ') + + allow $1 container_var_lib_t:dir search_dir_perms; + can_exec($1, container_var_lib_t) +') + +######################################## +## +## Read container lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_read_lib_files',` + gen_require(` + type container_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, container_var_lib_t, container_var_lib_t) +') + +######################################## +## +## Read container share files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_read_share_files',` + gen_require(` + type container_ro_file_t; + ') + + files_search_var_lib($1) + list_dirs_pattern($1, container_ro_file_t, container_ro_file_t) + read_files_pattern($1, container_ro_file_t, container_ro_file_t) + read_lnk_files_pattern($1, container_ro_file_t, container_ro_file_t) +') + +######################################## +## +## Read container runtime tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_runtime_read_tmpfs_files',` + gen_require(` + type container_runtime_tmpfs_t; + ') + + files_search_var_lib($1) + list_dirs_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t) + read_files_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t) + read_lnk_files_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t) +') + +######################################## +## +## Manage container share files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`container_manage_share_files',` + gen_require(` + type container_ro_file_t; + ') + + files_search_var_lib($1) + list_dirs_pattern($1, container_ro_file_t, container_ro_file_t) + manage_files_pattern($1, container_ro_file_t, container_ro_file_t) + manage_lnk_files_pattern($1, container_ro_file_t, container_ro_file_t) +') + +######################################## +## +## Manage container share dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_share_dirs',` + gen_require(` + type container_ro_file_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, container_ro_file_t, container_ro_file_t) +') + +###################################### +## +## Allow the specified domain to execute container shared files +## in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_exec_share_files',` + gen_require(` + type container_ro_file_t; + ') + + can_exec($1, container_ro_file_t) +') + +######################################## +## +## Manage container config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_config_files',` + gen_require(` + type container_config_t; + type kubernetes_file_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, container_config_t, container_config_t) + manage_dirs_pattern($1, kubernetes_file_t, kubernetes_file_t) + manage_files_pattern($1, kubernetes_file_t, kubernetes_file_t) +') + +######################################## +## +## Manage container lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_lib_files',` + gen_require(` + type container_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, container_var_lib_t, container_var_lib_t) + manage_lnk_files_pattern($1, container_var_lib_t, container_var_lib_t) +') + +######################################## +## +## Manage container files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`container_manage_files',` + gen_require(` + type container_file_t; + ') + + manage_files_pattern($1, container_file_t, container_file_t) + manage_lnk_files_pattern($1, container_file_t, container_file_t) +') + +######################################## +## +## Manage container directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_dirs',` + gen_require(` + type container_file_t; + ') + + manage_dirs_pattern($1, container_file_t, container_file_t) +') + +######################################## +## +## Manage container lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_manage_lib_dirs',` + gen_require(` + type container_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, container_var_lib_t, container_var_lib_t) +') + +######################################## +## +## Create objects in a container var lib directory +## with an automatic type transition to +## a specified private type. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to create. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`container_lib_filetrans',` + gen_require(` + type container_var_lib_t; + ') + + filetrans_pattern($1, container_var_lib_t, $2, $3, $4) +') + +######################################## +## +## Read container PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_read_pid_files',` + gen_require(` + type container_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, container_var_run_t, container_var_run_t) +') + +######################################## +## +## Execute container server in the container domain. +## +## +## +## Domain allowed to transition. 
+## +## +# +interface(`container_systemctl',` + gen_require(` + type container_runtime_t; + type container_unit_file_t; + ') + + systemd_exec_systemctl($1) + init_reload_services($1) + systemd_read_fifo_file_passwd_run($1) + allow $1 container_unit_file_t:file read_file_perms; + allow $1 container_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, container_runtime_t) +') + +######################################## +## +## Read and write container shared memory. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_rw_sem',` + gen_require(` + type container_runtime_t; + ') + + allow $1 container_runtime_t:sem rw_sem_perms; +') + +######################################## +## +## Allow the specified domain to append +## to container files. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_append_file',` + gen_require(` + type container_file_t; + ') + + append_files_pattern($1, container_file_t, container_file_t) +') + +####################################### +## +## Read and write the container pty type. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_use_ptys',` + gen_require(` + type container_devpts_t; + ') + + allow $1 container_devpts_t:chr_file rw_term_perms; +') + +####################################### +## +## Allow domain to create container content +## +## +## +## Domain allowed access. 
+## +## +# +interface(`container_filetrans_named_content',` + + gen_require(` + type container_var_lib_t; + type container_file_t; + type container_ro_file_t; + type container_log_t; + type container_var_run_t; + type container_home_t; + type kubernetes_file_t; + type container_runtime_tmpfs_t; + type container_kvm_var_run_t; + type data_home_t; + ') + + files_pid_filetrans($1, container_var_run_t, file, "container.pid") + files_pid_filetrans($1, container_var_run_t, file, "docker.pid") + files_pid_filetrans($1, container_var_run_t, sock_file, "container.sock") + files_pid_filetrans($1, container_var_run_t, dir, "container-client") + files_pid_filetrans($1, container_var_run_t, dir, "docker") + files_pid_filetrans($1, container_var_run_t, dir, "containerd") + files_pid_filetrans($1, container_var_run_t, dir, "buildkit") + files_pid_filetrans($1, container_var_run_t, dir, "ocid") + files_pid_filetrans($1, container_var_run_t, dir, "containers") + files_pid_filetrans($1, container_kvm_var_run_t, dir, "kata-containers") + + logging_log_filetrans($1, container_log_t, dir, "lxc") + files_var_lib_filetrans($1, container_var_lib_t, dir, "containers") + files_var_lib_filetrans($1, container_file_t, dir, "origin") + files_var_lib_filetrans($1, container_var_lib_t, dir, "ocid") + files_var_lib_filetrans($1, container_var_lib_t, dir, "docker") + files_var_lib_filetrans($1, container_var_lib_t, dir, "docker-latest") + files_var_filetrans($1, container_ro_file_t, dir, "kata-containers") + files_var_lib_filetrans($1, container_ro_file_t, dir, "kata-containers") + files_var_lib_filetrans($1, container_var_lib_t, dir, "containerd") + files_var_lib_filetrans($1, container_var_lib_t, dir, "buildkit") + + filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "_data") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "config.env") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "hosts") + filetrans_pattern($1, 
container_var_lib_t, container_ro_file_t, file, "hostname") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "resolv.conf") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "sandboxes") + # The "snapshots" directory of containerd and BuildKit must be writable, as it is used as an upperdir as well as a lowerdir. + # (lowerdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/3/fs, + # upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/fs, + # workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/4/work) + filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "snapshots") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "init") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-images") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-layers") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2-images") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2-layers") + + # "/var/lib/buildkit/runc-/executor" contains "resolv.conf" and "hosts.", for OCI (runc) worker mode. + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "executor") + + # "/var/lib/buildkit/containerd-" contains resolv.conf and hosts., for containerd worker mode. + # Unlike the runc- directory, this directory does not contain the "executor" directory inside it. 
+ # Core snapshotters + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-overlayfs") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-native") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-btrfs") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-zfs") + # Non-core snapshotters + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-fuse-overlayfs") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-nydus") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-overlaybd") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-stargz") + # Third-party snapshotters + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "containerd-soci") + + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay") + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images") + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers") + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2") + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-images") + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-layers") + + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "atomic") + userdom_admin_home_dir_filetrans($1, container_home_t, dir, ".container") + filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers") + filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers") + filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm") + files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes") +') + +######################################## +## +## Connect to container over a unix stream socket. 
+## +## +## +## Domain allowed access. +## +## +# +interface(`container_stream_connect',` + gen_require(` + type container_runtime_t, container_var_run_t, container_runtime_tmpfs_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, container_var_run_t, container_var_run_t, container_runtime_t) + stream_connect_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t, container_runtime_t) + allow $1 container_runtime_tmpfs_t:lnk_file read_lnk_file_perms; +') + +######################################## +## +## Connect to SPC containers over a unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_spc_stream_connect',` + gen_require(` + type spc_t, spc_var_run_t; + ') + + files_search_pids($1) + allow $1 spc_t:unix_stream_socket connectto; +') + +######################################## +## +## All of the rules required to administrate +## an container environment +## +## +## +## Domain allowed access. +## +## +# +interface(`container_admin',` + gen_require(` + type container_runtime_t; + type container_var_lib_t, container_var_run_t; + type container_unit_file_t; + type container_lock_t; + type container_log_t; + type container_config_t; + type container_file_t; + ') + + allow $1 container_runtime_t:process { ptrace signal_perms }; + ps_process_pattern($1, container_runtime_t) + + admin_pattern($1, container_config_t) + + files_search_var_lib($1) + admin_pattern($1, container_var_lib_t) + + files_search_pids($1) + admin_pattern($1, container_var_run_t) + + files_search_locks($1) + admin_pattern($1, container_lock_t) + + logging_search_logs($1) + admin_pattern($1, container_log_t) + + container_systemctl($1) + admin_pattern($1, container_unit_file_t) + allow $1 container_unit_file_t:service all_service_perms; + + admin_pattern($1, container_file_t) + + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') +') + +######################################## +## +## Execute 
container_auth_exec_t in the container_auth domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`container_auth_domtrans',` + gen_require(` + type container_auth_t, container_auth_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, container_auth_exec_t, container_auth_t) +') + +###################################### +## +## Execute container_auth in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_auth_exec',` + gen_require(` + type container_auth_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, container_auth_exec_t) +') + +######################################## +## +## Connect to container_auth over a unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_auth_stream_connect',` + gen_require(` + type container_auth_t, container_plugin_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, container_plugin_var_run_t, container_plugin_var_run_t, container_auth_t) +') + +######################################## +## +## container domain typebounds calling domain. +## +## +## +## Domain to be typebound. +## +## +# +interface(`container_runtime_typebounds',` + gen_require(` + type container_runtime_t; + ') + + allow container_runtime_t $1:process2 nnp_transition; +') + +######################################## +## +## Allow any container_runtime_exec_t to be an entrypoint of this domain +## +## +## +## Domain allowed access. 
+## +## +## +# +interface(`container_runtime_entrypoint',` + gen_require(` + type container_runtime_exec_t; + ') + allow $1 container_runtime_exec_t:file entrypoint; +') + +interface(`docker_exec_lib',` + container_exec_lib($1) +') + +interface(`docker_read_share_files',` + container_read_share_files($1) +') + +interface(`docker_exec_share_files',` + container_exec_share_files($1) +') + +interface(`docker_manage_lib_files',` + container_manage_lib_files($1) +') + + +interface(`docker_manage_lib_dirs',` + container_manage_lib_dirs($1) +') + +interface(`docker_lib_filetrans',` + container_lib_filetrans($1, $2, $3, $4) +') + +interface(`docker_read_pid_files',` + container_read_pid_files($1) +') + +interface(`docker_systemctl',` + container_systemctl($1) +') + +interface(`docker_use_ptys',` + container_use_ptys($1) +') + +interface(`docker_stream_connect',` + container_stream_connect($1) +') + +interface(`docker_spc_stream_connect',` + container_spc_stream_connect($1) +') + +######################################## +## +## Read the process state of spc containers +## +## +## +## Domain allowed access. +## +## +# +interface(`container_spc_read_state',` + gen_require(` + type spc_t; + ') + + ps_process_pattern($1, spc_t) +') + +######################################## +## +## Creates types and rules for a basic +## container runtime process domain. +## +## +## +## Prefix for the domain. 
+## +## +# +template(`container_runtime_domain_template',` + gen_require(` + attribute container_runtime_domain; + type container_runtime_t; + type container_var_lib_t; + type container_ro_file_t; + role system_r, sysadm_r; + ') + + type $1_t, container_runtime_domain; + role system_r types $1_t; + role sysadm_r types $1_t; + domain_type($1_t) + domain_subj_id_change_exemption($1_t) + domain_role_change_exemption($1_t) + + kernel_read_system_state($1_t) + kernel_read_all_proc($1_t) + + mls_file_read_to_clearance($1_t) + mls_file_write_to_clearance($1_t) + + storage_raw_rw_fixed_disk($1_t) + auth_use_nsswitch($1_t) + logging_send_syslog_msg($1_t) +') + +######################################## +## +## Creates types and rules for a basic +## container process domain. +## +## +## +## Prefix for the domain. +## +## +## +## +## Prefix for the file type. +## +## +# +template(`container_domain_template',` + gen_require(` + attribute container_domain; + type container_runtime_t; + type container_var_lib_t; + type container_ro_file_t; + ') + + type $1_t, container_domain; + domain_type($1_t) + domain_user_exemption_target($1_t) + allow $1_t $2_file_t:file entrypoint; + + container_manage_files_template($1, $2) +') + + +######################################## +## +## Manage container files template +## +## +## +## Prefix for the domain. +## +## +## +## +## Prefix for the file type. 
+## +## +# +template(`container_manage_files_template',` + gen_require(` + attribute container_domain; + type container_runtime_t; + type container_var_lib_t; + type container_ro_file_t; + ') + + + mls_rangetrans_target($1_t) + mcs_constrained($1_t) + role system_r types $1_t; + + kernel_read_all_proc($1_t) + + allow $1_t $2_file_t:dir_file_class_set { relabelfrom relabelto map }; + + manage_files_pattern($1_t, $2_file_t, $2_file_t) + exec_files_pattern($1_t, $2_file_t, $2_file_t) + manage_lnk_files_pattern($1_t, $2_file_t, $2_file_t) + manage_dirs_pattern($1_t, $2_file_t, $2_file_t) + manage_chr_files_pattern($1_t, $2_file_t, $2_file_t) + allow $1_t $2_file_t:chr_file { mmap_file_perms watch watch_reads }; + manage_blk_files_pattern($1_t, $2_file_t, $2_file_t) + manage_fifo_files_pattern($1_t, $2_file_t, $2_file_t) + manage_sock_files_pattern($1_t, $2_file_t, $2_file_t) + allow $1_t $2_file_t:{file dir} mounton; + allow $1_t $2_file_t:filesystem { mount remount unmount }; + allow $1_t $2_file_t:dir_file_class_set { relabelfrom relabelto map }; + + fs_tmpfs_filetrans($1_t, $2_file_t, { dir file lnk_file }) +') + +######################################## +## +## Read and write a spc_t unnamed pipe. +## +## +## +## Domain allowed access. +## +## +# +interface(`container_spc_rw_pipes',` + gen_require(` + type spc_t; + ') + + allow $1 spc_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## +## Execute container in the container domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`container_kubelet_domtrans',` + gen_require(` + type kubelet_t, kubelet_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, kubelet_exec_t, kubelet_t) +') + +######################################## +## +## Execute kubelet_exec_t in the kubelet_t domain +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. 
+##
+##
+##
+#
+interface(`container_kubelet_run',`
+ gen_require(`
+ type kubelet_t;
+ class dbus send_msg;
+ ')
+
+ container_kubelet_domtrans($1)
+ role $2 types kubelet_t;
+')
+
+########################################
+##
+## Connect to kubelet over a unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`container_kubelet_stream_connect',`
+ gen_require(`
+ type kubelet_t, container_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, container_var_run_t, container_var_run_t, kubelet_t)
+')
+
+#######################################
+##
+## Create a file type used for container files.
+##
+##
+##
+## Type to be used for an container file.
+##
+##
+#
+interface(`container_file',`
+ gen_require(`
+ attribute container_file_type;
+ ')
+
+ typeattribute $1 container_file_type;
+ files_type($1)
+ files_mountpoint($1)
+')
diff --git a/container.te b/container.te
new file mode 100644
index 0000000..d649eb0
--- /dev/null
+++ b/container.te
@@ -0,0 +1,1416 @@
+policy_module(container, 2.204.0)
+
+gen_require(`
+ class passwd rootok;
+')
+
+########################################
+#
+# Declarations
+#
+
+##
+##
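Review bot: `container_runtime_typebounds` emits no typebounds statement — its only rule is `allow container_runtime_t $1:process2 nnp_transition;` — so its summary "container domain typebounds calling domain" and the parameter text "Domain to be typebound" describe a bound that is never applied; a policy author is likely to read the name as restricting the target domain's permissions to a subset of the runtime's, whereas the rule only lets the runtime transition into `$1` while no_new_privs is set. Either rename the interface (e.g. `container_runtime_nnp_transition`) or correct the summary to `## Allow container runtime to transition to the specified domain under no_new_privs (nnp_transition); no typebounds is declared.` Smaller points in the same hunk: `container_kubelet_run` requires `class dbus send_msg;` but, unlike `container_runtime_run`, never grants it; `container_spc_stream_connect` requires `spc_var_run_t` without using it; and `container_manage_files_template` lists `allow $1_t $2_file_t:dir_file_class_set { relabelfrom relabelto map };` twice.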

+## Determine whether container can +## connect to all TCP ports. +##

+##
+gen_tunable(container_connect_any, false) + +## +##

+## Allow containers to use any device volume mounted into container +##

+##
+gen_tunable(container_use_devices, false) + +## +##

+## Allow sandbox containers to manage cgroup (systemd) +##

+##
+gen_tunable(container_manage_cgroup, false) + +## +##

+## Determine whether container can +## use ceph file system +##

+##
+gen_tunable(container_use_cephfs, false) + +## +##

+## Determine whether container can +## use ecrypt file system +##

+##
+gen_tunable(container_use_ecryptfs, false) + +attribute container_runtime_domain; +container_runtime_domain_template(container_runtime) +typealias container_runtime_t alias docker_t; + +type container_runtime_exec_t alias docker_exec_t; +can_exec(container_runtime_t,container_runtime_exec_t) +attribute container_domain; +attribute container_user_domain; +attribute container_net_domain; +attribute container_init_domain; +attribute container_file_type; +allow container_runtime_domain container_domain:process { dyntransition transition }; +allow container_domain container_runtime_domain:process sigchld; +allow container_runtime_domain container_domain:process2 { nnp_transition nosuid_transition }; +dontaudit container_runtime_domain container_domain:process { noatsecure rlimitinh siginh }; + +type conmon_exec_t; +application_executable_file(conmon_exec_t) +can_exec(container_runtime_t, conmon_exec_t) +allow container_runtime_domain conmon_exec_t:file entrypoint; +ifdef(`enable_mcs',` + range_transition container_runtime_t conmon_exec_t:process s0; +') +ifdef(`enable_mls',` + range_transition container_runtime_t conmon_exec_t:process s0; +') + +type spc_t, container_domain; +domain_type(spc_t) +role system_r types spc_t; +init_initrc_domain(spc_t) + +type container_auth_t alias docker_auth_t; +type container_auth_exec_t alias docker_auth_exec_t; +init_daemon_domain(container_auth_t, container_auth_exec_t) + +type spc_var_run_t; +files_pid_file(spc_var_run_t) + +type kubernetes_file_t; +files_config_file(kubernetes_file_t) + +type container_var_lib_t alias docker_var_lib_t; +files_type(container_var_lib_t) + +type container_home_t alias docker_home_t; +userdom_user_home_content(container_home_t) + +type container_config_t alias docker_config_t; +files_config_file(container_config_t) + +type container_lock_t alias docker_lock_t; +files_lock_file(container_lock_t) + +type container_log_t alias docker_log_t; +logging_log_file(container_log_t) + +type 
container_runtime_tmp_t alias docker_tmp_t; +files_tmp_file(container_runtime_tmp_t) + +type container_runtime_tmpfs_t alias docker_tmpfs_t; +files_tmpfs_file(container_runtime_tmpfs_t) + +type container_var_run_t alias docker_var_run_t; +files_pid_file(container_var_run_t) + +type container_plugin_var_run_t alias docker_plugin_var_run_t; +files_pid_file(container_plugin_var_run_t) + +type container_unit_file_t alias docker_unit_file_t; +systemd_unit_file(container_unit_file_t) + +type container_devpts_t alias docker_devpts_t; +term_pty(container_devpts_t) + +typealias container_ro_file_t alias { container_share_t docker_share_t }; +files_mountpoint(container_ro_file_t) + +type container_port_t alias docker_port_t; +corenet_port(container_port_t) + +init_daemon_domain(container_runtime_t, container_runtime_exec_t) +#ifdef(`enable_mcs',` +# init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mcs_systemhigh) +#') + +ifdef(`enable_mls',` + init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mls_systemhigh) +') +mls_trusted_object(container_runtime_t) + + +######################################## +# +# container local policy +# +allow container_runtime_domain self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap sys_resource }; +allow container_runtime_domain self:tun_socket { create_socket_perms relabelto }; +allow container_runtime_domain self:process ~setcurrent; +allow container_runtime_domain self:passwd rootok; +allow container_runtime_domain self:fd use; +allow container_runtime_domain self:dir mounton; +allow container_runtime_domain self:file mounton; + +allow container_runtime_domain self:fifo_file rw_fifo_file_perms; +allow container_runtime_domain self:fifo_file manage_file_perms; +allow container_runtime_domain self:msg all_msg_perms; +allow container_runtime_domain self:sem create_sem_perms; +allow container_runtime_domain self:shm create_shm_perms; +allow 
container_runtime_domain self:msgq create_msgq_perms; +allow container_runtime_domain self:unix_stream_socket create_stream_socket_perms; +allow container_runtime_domain self:tcp_socket create_stream_socket_perms; +allow container_runtime_domain self:udp_socket create_socket_perms; +allow container_runtime_domain self:capability2 block_suspend; +allow container_runtime_domain container_port_t:tcp_socket name_bind; +allow container_runtime_domain self:filesystem associate; +allow container_runtime_domain self:packet_socket create_socket_perms; +allow container_runtime_domain self:socket create_socket_perms; +allow container_runtime_domain self:rawip_socket create_stream_socket_perms; +allow container_runtime_domain self:netlink_netfilter_socket create_socket_perms; +allow container_runtime_domain self:netlink_kobject_uevent_socket create_socket_perms; +allow container_runtime_domain self:netlink_tcpdiag_socket create_netlink_socket_perms; +allow container_runtime_domain self:netlink_socket create_socket_perms; + +corenet_tcp_bind_generic_node(container_runtime_domain) +corenet_udp_bind_generic_node(container_runtime_domain) +corenet_raw_bind_generic_node(container_runtime_domain) +corenet_tcp_sendrecv_all_ports(container_runtime_domain) +corenet_udp_sendrecv_all_ports(container_runtime_domain) +corenet_udp_bind_all_ports(container_runtime_domain) +corenet_tcp_bind_all_ports(container_runtime_domain) +corenet_tcp_connect_all_ports(container_runtime_domain) +corenet_sctp_bind_all_ports(container_net_domain) +corenet_sctp_connect_all_ports(container_net_domain) +corenet_rw_tun_tap_dev(container_runtime_domain) + +container_auth_stream_connect(container_runtime_domain) + +manage_files_pattern(container_runtime_domain, container_file_type, container_file_type) +manage_lnk_files_pattern(container_runtime_domain, container_file_type, container_file_type) +manage_blk_files_pattern(container_runtime_domain, container_file_type, container_file_type) +allow 
container_runtime_domain container_domain:key manage_key_perms; +manage_sock_files_pattern(container_runtime_domain, container_file_type, container_file_type) +allow container_runtime_domain container_file_type:dir_file_class_set {relabelfrom relabelto execmod}; +allow container_runtime_domain container_file_type:dir_file_class_set mmap_file_perms; + +manage_files_pattern(container_runtime_domain, container_home_t, container_home_t) +manage_dirs_pattern(container_runtime_domain, container_home_t, container_home_t) +manage_lnk_files_pattern(container_runtime_domain, container_home_t, container_home_t) +userdom_admin_home_dir_filetrans(container_runtime_domain, container_home_t, dir, ".container") +userdom_manage_user_home_content(container_runtime_domain) + +manage_dirs_pattern(container_runtime_domain, container_config_t, container_config_t) +manage_files_pattern(container_runtime_domain, container_config_t, container_config_t) +files_etc_filetrans(container_runtime_domain, container_config_t, dir, "container") + +manage_dirs_pattern(container_runtime_domain, container_lock_t, container_lock_t) +manage_files_pattern(container_runtime_domain, container_lock_t, container_lock_t) +files_lock_filetrans(container_runtime_domain, container_lock_t, { dir file }, "lxc") + +manage_dirs_pattern(container_runtime_domain, container_log_t, container_log_t) +manage_files_pattern(container_runtime_domain, container_log_t, container_log_t) +manage_lnk_files_pattern(container_runtime_domain, container_log_t, container_log_t) +logging_log_filetrans(container_runtime_domain, container_log_t, { dir file lnk_file }) +allow container_runtime_domain container_log_t:dir_file_class_set { relabelfrom relabelto }; +filetrans_pattern(container_runtime_domain, container_var_lib_t, container_log_t, file, "container-json.log") +allow container_runtime_domain { container_var_lib_t container_ro_file_t }:file entrypoint; + +manage_dirs_pattern(container_runtime_domain, container_runtime_tmp_t, 
container_runtime_tmp_t)
+manage_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
+manage_sock_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
+manage_lnk_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t)
+
+manage_dirs_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_lnk_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_fifo_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_chr_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+manage_blk_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
+allow container_runtime_domain container_runtime_tmpfs_t:dir relabelfrom;
+can_exec(container_runtime_domain, container_runtime_tmpfs_t)
+fs_tmpfs_filetrans(container_runtime_domain, container_runtime_tmpfs_t, dir_file_class_set)
+allow container_runtime_domain container_runtime_tmpfs_t:chr_file mounton;
+
+manage_dirs_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_chr_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_blk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+manage_lnk_files_pattern(container_runtime_domain, container_ro_file_t, container_ro_file_t)
+allow container_runtime_domain container_ro_file_t:dir_file_class_set { relabelfrom relabelto };
+can_exec(container_runtime_domain, container_ro_file_t)
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "init")
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay")
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, dir, "overlay2")
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "config.env")
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "hostname")
+filetrans_pattern(container_runtime_domain, container_var_lib_t, container_ro_file_t, file, "hosts")
+
+#container_filetrans_named_content(container_runtime_domain)
+
+manage_dirs_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_chr_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_blk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_sock_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+manage_lnk_files_pattern(container_runtime_domain, container_var_lib_t, container_var_lib_t)
+allow container_runtime_domain container_var_lib_t:dir_file_class_set { relabelfrom relabelto };
+files_var_lib_filetrans(container_runtime_domain, container_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
+manage_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
+manage_fifo_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
+manage_sock_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
+manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t)
+files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file })
+files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file
})
+
+allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
+term_create_pty(container_runtime_domain, container_devpts_t)
+term_use_all_ttys(container_runtime_domain)
+term_use_all_inherited_terms(container_runtime_domain)
+
+kernel_read_network_state(container_runtime_domain)
+kernel_read_all_sysctls(container_runtime_domain)
+kernel_rw_net_sysctls(container_runtime_domain)
+kernel_setsched(container_runtime_domain)
+kernel_rw_all_sysctls(container_runtime_domain)
+
+domain_obj_id_change_exemption(container_runtime_t)
+domain_subj_id_change_exemption(container_runtime_t)
+domain_role_change_exemption(container_runtime_t)
+domain_use_interactive_fds(container_runtime_domain)
+domain_dontaudit_read_all_domains_state(container_runtime_domain)
+domain_sigchld_all_domains(container_runtime_domain)
+domain_use_interactive_fds(container_runtime_domain)
+domain_read_all_domains_state(container_runtime_domain)
+domain_getattr_all_domains(container_runtime_domain)
+
+userdom_map_tmp_files(container_runtime_domain)
+
+optional_policy(`
+ gnome_map_generic_data_home_files(container_runtime_domain)
+ allow container_runtime_domain data_home_t:dir { relabelfrom relabelto };
+')
+
+gen_require(`
+ attribute domain;
+')
+
+allow container_runtime_domain domain:fifo_file rw_fifo_file_perms;
+allow container_runtime_domain domain:fd use;
+
+corecmd_exec_bin(container_runtime_domain)
+corecmd_exec_shell(container_runtime_domain)
+corecmd_exec_all_executables(container_runtime_domain)
+corecmd_bin_entry_type(container_runtime_domain)
+corecmd_shell_entry_type(container_runtime_domain)
+
+corenet_tcp_bind_generic_node(container_runtime_domain)
+corenet_tcp_sendrecv_generic_if(container_runtime_domain)
+corenet_tcp_sendrecv_generic_node(container_runtime_domain)
+corenet_tcp_sendrecv_generic_port(container_runtime_domain)
+corenet_tcp_bind_all_ports(container_runtime_domain)
+corenet_tcp_connect_http_port(container_runtime_domain)
+corenet_tcp_connect_commplex_main_port(container_runtime_domain)
+corenet_udp_sendrecv_generic_if(container_runtime_domain)
+corenet_udp_sendrecv_generic_node(container_runtime_domain)
+corenet_udp_sendrecv_all_ports(container_runtime_domain)
+corenet_udp_bind_generic_node(container_runtime_domain)
+corenet_udp_bind_all_ports(container_runtime_domain)
+
+files_read_kernel_modules(container_runtime_domain)
+files_read_config_files(container_runtime_domain)
+files_dontaudit_getattr_all_dirs(container_runtime_domain)
+files_dontaudit_getattr_all_files(container_runtime_domain)
+files_execmod_all_files(container_runtime_domain)
+files_search_all(container_runtime_domain)
+files_read_usr_symlinks(container_runtime_domain)
+files_search_locks(container_runtime_domain)
+files_dontaudit_unmount_all_mountpoints(container_runtime_domain)
+
+fs_read_cgroup_files(container_runtime_domain)
+fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_search_all(container_runtime_domain)
+fs_getattr_all_fs(container_runtime_domain)
+fs_rw_onload_sockets(container_runtime_domain)
+
+auth_dontaudit_getattr_shadow(container_runtime_domain)
+
+init_read_state(container_runtime_domain)
+init_status(container_runtime_domain)
+init_stop(container_runtime_domain)
+init_start(container_runtime_domain)
+init_manage_config_transient_files(container_runtime_domain)
+
+logging_send_audit_msgs(container_runtime_domain)
+
+miscfiles_read_localization(container_runtime_domain)
+miscfiles_dontaudit_access_check_cert(container_runtime_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(container_runtime_domain)
+miscfiles_read_fonts(container_runtime_domain)
+miscfiles_read_hwdata(container_runtime_domain)
+fs_relabel_cgroup_dirs(container_runtime_domain)
+# fs_relabel_cgroup_files(container_runtime_domain)
+allow container_runtime_domain container_domain:file relabelfrom;
+
+mount_domtrans(container_runtime_domain)
+
+seutil_read_default_contexts(container_runtime_domain)
+seutil_read_config(container_runtime_domain)
+
+sysnet_dns_name_resolve(container_runtime_domain)
+sysnet_exec_ifconfig(container_runtime_domain)
+
+optional_policy(`
+ cron_system_entry(container_runtime_t, container_runtime_exec_t)
+')
+
+optional_policy(`
+ ssh_use_ptys(container_runtime_domain)
+')
+
+optional_policy(`
+ rpm_exec(container_runtime_domain)
+ rpm_read_cache(container_runtime_domain)
+ rpm_read_db(container_runtime_domain)
+ rpm_exec(container_runtime_domain)
+')
+
+optional_policy(`
+ fstools_domtrans(container_runtime_domain)
+')
+
+optional_policy(`
+ iptables_domtrans(container_runtime_domain)
+
+ container_read_pid_files(iptables_t)
+ container_read_state(iptables_t)
+ container_append_file(iptables_t)
+ allow iptables_t container_runtime_domain:fifo_file rw_fifo_file_perms;
+ allow iptables_t container_file_type:dir list_dir_perms;
+')
+
+optional_policy(`
+ openvswitch_stream_connect(container_runtime_domain)
+')
+
+optional_policy(`
+ gen_require(`
+ attribute named_filetrans_domain;
+ ')
+ container_filetrans_named_content(named_filetrans_domain)
+')
+
+#
+# lxc rules
+#
+
+allow container_runtime_domain self:capability ~{ sys_module };
+allow container_runtime_domain self:capability2 ~{ mac_override mac_admin };
+allow container_runtime_domain self:cap_userns ~{ sys_module };
+allow container_runtime_domain self:cap2_userns ~{ mac_override mac_admin };
+
+allow container_runtime_domain self:process { getcap setcap setexec setpgid setsched signal_perms };
+
+allow container_runtime_domain self:netlink_route_socket rw_netlink_socket_perms;;
+allow container_runtime_domain self:netlink_xfrm_socket create_netlink_socket_perms;
+allow container_runtime_domain self:netlink_audit_socket create_netlink_socket_perms;
+allow container_runtime_domain self:unix_dgram_socket { create_socket_perms sendto };
+allow container_runtime_domain self:unix_stream_socket { create_stream_socket_perms
connectto };
+
+allow container_runtime_domain container_var_lib_t:dir mounton;
+allow container_runtime_domain container_var_lib_t:chr_file mounton;
+can_exec(container_runtime_domain, container_var_lib_t)
+
+kernel_dontaudit_setsched(container_runtime_domain)
+kernel_get_sysvipc_info(container_runtime_domain)
+kernel_request_load_module(container_runtime_domain)
+kernel_mounton_messages(container_runtime_domain)
+kernel_mounton_all_proc(container_runtime_domain)
+kernel_mounton_all_sysctls(container_runtime_domain)
+kernel_list_all_proc(container_runtime_domain)
+kernel_read_all_sysctls(container_runtime_domain)
+kernel_rw_net_sysctls(container_runtime_domain)
+kernel_rw_unix_sysctls(container_runtime_domain)
+kernel_dontaudit_search_kernel_sysctl(container_runtime_domain)
+kernel_dontaudit_access_check_proc(container_runtime_domain)
+kernel_dontaudit_setattr_proc_files(container_runtime_domain)
+kernel_dontaudit_setattr_proc_dirs(container_runtime_domain)
+kernel_dontaudit_write_usermodehelper_state(container_runtime_domain)
+
+dev_setattr_null_dev(container_runtime_t)
+dev_getattr_all(container_runtime_domain)
+dev_getattr_sysfs_fs(container_runtime_domain)
+dev_read_rand(container_runtime_domain)
+dev_read_urand(container_runtime_domain)
+dev_read_lvm_control(container_runtime_domain)
+dev_rw_sysfs(container_runtime_domain)
+dev_rw_loop_control(container_runtime_domain)
+dev_rw_lvm_control(container_runtime_domain)
+dev_read_mtrr(container_runtime_domain)
+
+files_getattr_isid_type_dirs(container_runtime_domain)
+files_manage_isid_type_dirs(container_runtime_domain)
+files_manage_isid_type_files(container_runtime_domain)
+files_manage_isid_type_symlinks(container_runtime_domain)
+files_manage_isid_type_chr_files(container_runtime_domain)
+files_manage_isid_type_blk_files(container_runtime_domain)
+files_exec_isid_files(container_runtime_domain)
+files_mounton_isid(container_runtime_domain)
+files_mounton_non_security(container_runtime_domain)
+files_mounton_isid_type_chr_file(container_runtime_domain)
+
+fs_mount_all_fs(container_runtime_domain)
+fs_unmount_all_fs(container_runtime_domain)
+fs_remount_all_fs(container_runtime_domain)
+files_mounton_isid(container_runtime_domain)
+fs_manage_cgroup_dirs(container_runtime_domain)
+fs_manage_cgroup_files(container_runtime_domain)
+fs_rw_nsfs_files(container_runtime_domain)
+fs_relabelfrom_xattr_fs(container_runtime_domain)
+fs_relabelfrom_tmpfs(container_runtime_domain)
+fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_getattr_all_fs(container_runtime_domain)
+fs_rw_inherited_tmpfs_files(container_runtime_domain)
+fs_read_tmpfs_symlinks(container_runtime_domain)
+fs_search_tmpfs(container_runtime_domain)
+fs_list_hugetlbfs(container_runtime_domain)
+fs_manage_hugetlbfs_files(container_runtime_domain)
+
+
+term_use_generic_ptys(container_runtime_domain)
+term_use_ptmx(container_runtime_domain)
+term_getattr_pty_fs(container_runtime_domain)
+term_relabel_pty_fs(container_runtime_domain)
+term_mounton_unallocated_ttys(container_runtime_domain)
+
+modutils_domtrans_kmod(container_runtime_domain)
+
+systemd_status_all_unit_files(container_runtime_domain)
+systemd_start_systemd_services(container_runtime_domain)
+systemd_dbus_chat_logind(container_runtime_domain)
+systemd_chat_resolved(container_runtime_domain)
+
+userdom_stream_connect(container_runtime_domain)
+userdom_search_user_home_content(container_runtime_domain)
+userdom_read_all_users_state(container_runtime_domain)
+userdom_relabel_user_home_files(container_runtime_domain)
+userdom_relabel_user_tmp_files(container_runtime_domain)
+userdom_relabel_user_tmp_dirs(container_runtime_domain)
+userdom_use_inherited_user_terminals(container_runtime_domain)
+userdom_use_user_ptys(container_runtime_domain)
+userdom_connectto_stream(container_runtime_domain)
+allow container_domain init_t:socket_class_set { accept ioctl read getattr lock write append getopt };
+
+tunable_policy(`virt_use_nfs',`
+
fs_manage_nfs_dirs(container_runtime_domain)
+ fs_manage_nfs_files(container_runtime_domain)
+ fs_manage_nfs_named_sockets(container_runtime_domain)
+ fs_manage_nfs_symlinks(container_runtime_domain)
+ fs_remount_nfs(container_runtime_domain)
+ fs_mount_nfs(container_runtime_domain)
+ fs_unmount_nfs(container_runtime_domain)
+ fs_exec_nfs_files(container_runtime_domain)
+ kernel_rw_fs_sysctls(container_runtime_domain)
+ allow container_runtime_domain nfs_t:file execmod;
+')
+
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_files(container_runtime_domain)
+ fs_manage_cifs_dirs(container_runtime_domain)
+ fs_manage_cifs_named_sockets(container_runtime_domain)
+ fs_manage_cifs_symlinks(container_runtime_domain)
+ fs_exec_cifs_files(container_runtime_domain)
+ allow container_runtime_domain cifs_t:file execmod;
+
+ fs_manage_cifs_files(container_domain)
+ fs_manage_cifs_dirs(container_domain)
+ fs_manage_cifs_named_sockets(container_domain)
+ fs_manage_cifs_symlinks(container_domain)
+ fs_exec_cifs_files(container_domain)
+ allow container_domain cifs_t:file execmod;
+')
+
+tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs(container_domain)
+ fs_manage_nfs_files(container_domain)
+ fs_manage_nfs_named_sockets(container_domain)
+ fs_manage_nfs_symlinks(container_domain)
+ fs_mount_nfs(container_domain)
+ fs_unmount_nfs(container_domain)
+ fs_exec_nfs_files(container_domain)
+ allow container_domain nfs_t:file execmod;
+')
+
+gen_require(`
+ type cephfs_t;
+')
+
+tunable_policy(`container_use_cephfs',`
+ manage_files_pattern(container_domain, cephfs_t, cephfs_t)
+ manage_lnk_files_pattern(container_domain, cephfs_t, cephfs_t)
+ manage_dirs_pattern(container_domain, cephfs_t, cephfs_t)
+ exec_files_pattern(container_domain, cephfs_t, cephfs_t)
+ allow container_domain cephfs_t:file execmod;
+')
+
+gen_require(`
+ type ecryptfs_t;
+')
+
+tunable_policy(`container_use_ecryptfs',`
+ manage_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
+
manage_lnk_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
+ manage_dirs_pattern(container_domain, ecryptfs_t, ecryptfs_t)
+ exec_files_pattern(container_domain, ecryptfs_t, ecryptfs_t)
+ allow container_domain ecryptfs_t:file execmod;
+')
+
+fs_manage_fusefs_named_sockets(container_runtime_domain)
+fs_manage_fusefs_dirs(container_runtime_domain)
+fs_manage_fusefs_files(container_runtime_domain)
+fs_manage_fusefs_symlinks(container_runtime_domain)
+fs_mount_fusefs(container_runtime_domain)
+fs_unmount_fusefs(container_runtime_domain)
+fs_exec_fusefs_files(container_runtime_domain)
+storage_rw_fuse(container_runtime_domain)
+
+
+optional_policy(`
+ files_search_all(container_domain)
+ container_read_share_files(container_domain)
+ container_exec_share_files(container_domain)
+ allow container_domain container_ro_file_t:file execmod;
+ container_lib_filetrans(container_domain,container_file_t, sock_file)
+ container_use_ptys(container_domain)
+ container_spc_stream_connect(container_domain)
+ fs_dontaudit_remount_tmpfs(container_domain)
+ dev_dontaudit_mounton_sysfs(container_domain)
+')
+
+optional_policy(`
+ apache_exec_modules(container_runtime_domain)
+ apache_read_sys_content(container_runtime_domain)
+')
+
+optional_policy(`
+ gpm_getattr_gpmctl(container_runtime_domain)
+')
+
+optional_policy(`
+ dbus_system_bus_client(container_runtime_domain)
+ dbus_session_bus_client(container_runtime_domain)
+ init_dbus_chat(container_runtime_domain)
+ init_start_transient_unit(container_runtime_domain)
+
+ optional_policy(`
+ systemd_dbus_chat_logind(container_runtime_domain)
+ systemd_dbus_chat_machined(container_runtime_domain)
+ ')
+
+ optional_policy(`
+ dnsmasq_dbus_chat(container_runtime_domain)
+ ')
+
+ optional_policy(`
+ firewalld_dbus_chat(container_runtime_domain)
+ ')
+')
+
+optional_policy(`
+ lvm_domtrans(container_runtime_domain)
+')
+
+optional_policy(`
+ gen_require(`
+ type systemd_logind_t;
+ ')
+
+ domtrans_pattern(systemd_logind_t,
container_runtime_exec_t , container_runtime_t)
+ container_manage_dirs(systemd_logind_t)
+ container_manage_files(systemd_logind_t)
+')
+
+optional_policy(`
+ udev_read_db(container_runtime_domain)
+')
+
+optional_policy(`
+ gen_require(`
+ role unconfined_r;
+ ')
+ role unconfined_r types container_user_domain;
+ unconfined_domain(container_runtime_t)
+ unconfined_run_to(container_runtime_t, container_runtime_exec_t)
+ role_transition unconfined_r container_runtime_exec_t system_r;
+ allow container_domain unconfined_domain_type:fifo_file { rw_fifo_file_perms map };
+ allow container_runtime_domain unconfined_t:fifo_file setattr;
+ allow unconfined_domain_type container_domain:process {transition dyntransition };
+ allow unconfined_t unlabeled_t:key manage_key_perms;
+ allow container_runtime_t unconfined_t:process transition;
+ allow unconfined_domain_type { container_var_lib_t container_ro_file_t }:file entrypoint;
+ fs_fusefs_entrypoint(unconfined_domain_type)
+
+ domtrans_pattern(unconfined_domain_type, container_runtime_exec_t , container_runtime_t)
+')
+
+optional_policy(`
+ gen_require(`
+ type virtd_lxc_t;
+ ')
+ virt_read_config(container_runtime_domain)
+ virt_exec(container_runtime_domain)
+ virt_stream_connect(container_runtime_domain)
+ virt_stream_connect_sandbox(container_runtime_domain)
+ virt_exec_sandbox_files(container_runtime_domain)
+ virt_manage_sandbox_files(container_runtime_domain)
+ virt_relabel_sandbox_filesystem(container_runtime_domain)
+ # for lxc
+ virt_mounton_sandbox_file(container_runtime_domain)
+# virt_attach_sandbox_tun_iface(container_runtime_domain)
+ allow container_runtime_domain container_domain:tun_socket relabelfrom;
+ virt_sandbox_entrypoint(container_runtime_domain)
+ allow container_runtime_domain virtd_lxc_t:unix_stream_socket { rw_stream_socket_perms connectto };
+
+')
+
+tunable_policy(`container_connect_any',`
+ corenet_tcp_connect_all_ports(container_runtime_domain)
+
corenet_sendrecv_all_packets(container_runtime_domain)
+ corenet_tcp_sendrecv_all_ports(container_runtime_domain)
+')
+
+########################################
+#
+# spc local policy
+#
+allow spc_t { container_var_lib_t container_ro_file_t }:file entrypoint;
+role system_r types spc_t;
+
+domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t)
+domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t)
+domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)
+fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file })
+
+allow container_runtime_domain spc_t:process2 nnp_transition;
+admin_pattern(spc_t, kubernetes_file_t)
+
+allow spc_t container_runtime_domain:fifo_file manage_fifo_file_perms;
+allow spc_t { container_ro_file_t container_file_t }:system module_load;
+
+allow container_runtime_domain spc_t:process { setsched signal_perms };
+ps_process_pattern(container_runtime_domain, spc_t)
+allow container_runtime_domain spc_t:socket_class_set { relabelto relabelfrom };
+allow spc_t unlabeled_t:key manage_key_perms;
+allow spc_t unlabeled_t:socket_class_set create_socket_perms;
+
+init_dbus_chat(spc_t)
+
+optional_policy(`
+ systemd_dbus_chat_machined(spc_t)
+ systemd_dbus_chat_logind(spc_t)
+')
+
+optional_policy(`
+ dbus_chat_system_bus(spc_t)
+ dbus_chat_session_bus(spc_t)
+ dnsmasq_dbus_chat(spc_t)
+')
+
+optional_policy(`
+ unconfined_domain_noaudit(spc_t)
+ domain_ptrace_all_domains(spc_t)
+ # This should eventually be in upstream policy.
+ # https://github.com/fedora-selinux/selinux-policy/pull/806
+ allow spc_t domain:bpf { map_create map_read map_write prog_load prog_run };
+')
+
+optional_policy(`
+ virt_transition_svirt_sandbox(spc_t, system_r)
+ virt_sandbox_entrypoint(spc_t)
+ virt_sandbox_domtrans(container_runtime_domain, spc_t)
+ virt_transition_svirt(spc_t, system_r)
+ virt_sandbox_entrypoint(container_file_t)
+ virt_sandbox_entrypoint(container_ro_file_t)
+
+ gen_require(`
+ attribute virt_domain;
+ type virtd_t;
+ ')
+ container_spc_read_state(virt_domain)
+ container_spc_rw_pipes(virt_domain)
+ allow container_runtime_t virtd_t:process transition;
+ allow container_runtime_t virt_domain:process transition;
+ allow virt_domain container_file_t:file entrypoint;
+ allow virtd_t container_file_t:file entrypoint;
+ manage_files_pattern(virt_domain, container_file_t, container_file_t)
+ manage_dirs_pattern(virt_domain, container_file_t, container_file_t)
+ manage_lnk_files_pattern(virt_domain, container_file_t, container_file_t)
+ read_files_pattern(virt_domain, container_ro_file_t, container_ro_file_t)
+ read_lnk_files_pattern(virt_domain, container_ro_file_t, container_ro_file_t)
+
+ can_exec(virt_domain, container_file_t)
+
+ manage_files_pattern(virtd_t, container_file_t, container_file_t)
+ manage_dirs_pattern(virtd_t, container_file_t, container_file_t)
+ manage_lnk_files_pattern(virtd_t, container_file_t, container_file_t)
+ read_files_pattern(virtd_t, container_ro_file_t, container_ro_file_t)
+ read_lnk_files_pattern(virtd_t, container_ro_file_t, container_ro_file_t)
+
+ can_exec(virtd_t, container_file_t)
+
+
+')
+
+########################################
+#
+# container_auth local policy
+#
+allow container_auth_t self:fifo_file rw_fifo_file_perms;
+allow container_auth_t self:unix_stream_socket create_stream_socket_perms;
+dontaudit container_auth_t self:capability net_admin;
+
+container_stream_connect(container_auth_t)
+
+manage_dirs_pattern(container_auth_t,
container_plugin_var_run_t, container_plugin_var_run_t)
+manage_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
+manage_sock_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
+manage_lnk_files_pattern(container_auth_t, container_plugin_var_run_t, container_plugin_var_run_t)
+files_pid_filetrans(container_auth_t, container_plugin_var_run_t, { dir file lnk_file sock_file })
+
+stream_connect_pattern(container_runtime_domain, container_plugin_var_run_t, container_plugin_var_run_t, container_auth_t)
+list_dirs_pattern(container_runtime_domain, container_plugin_var_run_t, container_plugin_var_run_t)
+
+domain_use_interactive_fds(container_auth_t)
+
+kernel_read_net_sysctls(container_auth_t)
+
+auth_use_nsswitch(container_auth_t)
+
+files_read_etc_files(container_auth_t)
+
+miscfiles_read_localization(container_auth_t)
+
+sysnet_dns_name_resolve(container_auth_t)
+
+########################################
+#
+# container_t local policy
+#
+# Currently this is called in virt.te
+# virt_sandbox_domain_template(container)
+# typealias container_t alias svirt_lxc_net_t;
+gen_require(`
+ type container_t;
+ type container_file_t;
+')
+container_manage_files_template(container, container)
+
+typeattribute container_file_t container_file_type;
+typeattribute container_t container_domain, container_net_domain, container_user_domain;
+allow container_user_domain self:process getattr;
+allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
+allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms;
+allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map };
+allow container_domain container_runtime_t:unix_dgram_socket sendto;
+
+allow container_domain container_runtime_domain:tun_socket relabelfrom;
+allow container_domain container_runtime_domain:fd use;
+allow container_runtime_domain container_domain:fd use;
+allow container_domain self:socket_class_set { create_socket_perms map accept };
+allow container_domain self:lnk_file setattr;
+allow container_domain self:user_namespace create;
+
+dontaudit container_domain self:capability fsetid;
+allow container_domain self:association sendto;
+allow container_domain self:dir list_dir_perms;
+dontaudit container_domain self:dir { write add_name };
+allow container_domain self:file rw_file_perms;
+allow container_domain self:lnk_file read_file_perms;
+allow container_domain self:fifo_file create_fifo_file_perms;
+allow container_domain self:filesystem associate;
+allow container_domain self:key manage_key_perms;
+allow container_domain self:netlink_route_socket r_netlink_socket_perms;
+allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
+allow container_domain self:netlink_xfrm_socket create_socket_perms;
+allow container_domain self:packet_socket create_socket_perms;
+allow container_domain self:passwd rootok;
+allow container_domain self:peer recv;
+allow container_domain self:process { execmem execstack fork getattr getcap getpgid getsched getsession setcap setpgid setrlimit setsched sigchld sigkill signal signull sigstop setexec setfscreate};
+allow container_domain self:sem create_sem_perms;
+allow container_domain self:shm create_shm_perms;
+allow container_domain self:socket create_socket_perms;
+allow container_domain self:tcp_socket create_socket_perms;
+allow container_domain self:tun_socket { create_socket_perms relabelfrom relabelto attach_queue };
+allow container_domain self:udp_socket create_socket_perms;
+allow container_domain self:unix_dgram_socket create_socket_perms;
+allow container_domain self:unix_stream_socket create_stream_socket_perms;
+dontaudit container_domain self:capability2 block_suspend ;
+allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms };
+fs_rw_onload_sockets(container_domain)
+fs_fusefs_entrypoint(container_domain)
+
+
+container_read_share_files(container_domain)
+container_exec_share_files(container_domain)
+container_use_ptys(container_domain)
+container_spc_stream_connect(container_domain)
+fs_dontaudit_remount_tmpfs(container_domain)
+dev_dontaudit_mounton_sysfs(container_domain)
+dev_dontaudit_mounton_sysfs(container_domain)
+fs_mount_tmpfs(container_domain)
+
+dontaudit container_domain container_runtime_tmpfs_t:dir read;
+allow container_domain container_runtime_tmpfs_t:dir mounton;
+
+dev_getattr_mtrr_dev(container_domain)
+dev_list_sysfs(container_domain)
+allow container_domain sysfs_t:dir watch;
+
+dev_rw_kvm(container_domain)
+dev_rwx_zero(container_domain)
+
+allow container_domain self:key manage_key_perms;
+dontaudit container_domain container_domain:key search;
+
+allow container_domain self:process { getrlimit getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
+allow container_domain self:fifo_file manage_file_perms;
+allow container_domain self:msg all_msg_perms;
+allow container_domain self:sem create_sem_perms;
+allow container_domain self:shm create_shm_perms;
+allow container_domain self:msgq create_msgq_perms;
+allow container_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allow container_domain self:unix_dgram_socket { sendto create_socket_perms };
+allow container_domain self:passwd rootok;
+allow container_domain self:filesystem associate;
+allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
+allow container_domain container_runtime_domain:socket_class_set { accept ioctl read getattr lock write append getopt setopt };
+
+kernel_getattr_proc(container_domain)
+kernel_list_all_proc(container_domain)
+kernel_read_all_sysctls(container_domain)
+kernel_dontaudit_write_kernel_sysctl(container_domain)
+kernel_read_network_state(container_domain)
+kernel_rw_net_sysctls(container_domain)
+kernel_rw_unix_sysctls(container_domain)
+kernel_dontaudit_search_kernel_sysctl(container_domain)
+kernel_dontaudit_access_check_proc(container_domain)
+kernel_dontaudit_setattr_proc_files(container_domain)
+kernel_dontaudit_setattr_proc_dirs(container_domain)
+kernel_dontaudit_write_usermodehelper_state(container_domain)
+kernel_read_irq_sysctls(container_domain)
+kernel_get_sysvipc_info(container_domain)
+
+fs_getattr_all_fs(container_domain)
+fs_rw_inherited_tmpfs_files(container_domain)
+fs_read_tmpfs_symlinks(container_domain)
+fs_search_tmpfs(container_domain)
+fs_list_hugetlbfs(container_domain)
+fs_manage_hugetlbfs_files(container_domain)
+fs_exec_hugetlbfs_files(container_domain)
+fs_dontaudit_getattr_all_dirs(container_domain)
+fs_dontaudit_getattr_all_files(container_domain)
+fs_read_nsfs_files(container_domain)
+
+term_use_all_inherited_terms(container_domain)
+
+userdom_use_user_ptys(container_domain)
+userdom_rw_inherited_user_pipes(container_domain)
+
+domain_user_exemption_target(container_t)
+domain_dontaudit_link_all_domains_keyrings(container_domain)
+domain_dontaudit_search_all_domains_keyrings(container_domain)
+domain_dontaudit_search_all_domains_state(container_domain)
+
+virt_sandbox_net_domain(container_t)
+
+logging_send_syslog_msg(container_t)
+
+gen_require(`
+ type container_file_t;
+')
+# fs_associate_cgroupfs(container_file_t)
+gen_require(`
+ type cgroup_t;
+')
+
+dev_read_sysfs(container_domain)
+dev_read_mtrr(container_domain)
+dev_mounton_sysfs(container_t)
+
+fs_mounton_cgroup(container_t)
+fs_unmount_cgroup(container_t)
+
+dev_read_rand(container_domain)
+dev_write_rand(container_domain)
+dev_read_urand(container_domain)
+dev_write_urand(container_domain)
+
+files_read_kernel_modules(container_domain)
+
+allow container_file_t cgroup_t:filesystem associate;
+term_pty(container_file_t)
+logging_log_file(container_file_t)
+tunable_policy(`virt_sandbox_use_sys_admin',`
+ allow container_t self:capability sys_admin;
+ allow container_t self:cap_userns sys_admin;
+')
+
+allow container_domain self:cap_userns sys_admin;
+allow container_domain self:process { getsession execstack execmem };
+
+corenet_unconfined(container_t)
+
+optional_policy(`
+ virt_default_capabilities(container_t)
+')
+kernel_rw_rpc_sysctls(container_domain)
+kernel_rw_net_sysctls(container_domain)
+kernel_read_messages(container_t)
+kernel_read_network_state(container_domain)
+kernel_dontaudit_write_proc_files(container_domain)
+
+# Container Net Domain
+corenet_tcp_bind_generic_node(container_net_domain)
+corenet_udp_bind_generic_node(container_net_domain)
+corenet_raw_bind_generic_node(container_net_domain)
+corenet_tcp_sendrecv_all_ports(container_net_domain)
+corenet_udp_sendrecv_all_ports(container_net_domain)
+corenet_udp_bind_all_ports(container_net_domain)
+corenet_tcp_bind_all_ports(container_net_domain)
+corenet_tcp_connect_all_ports(container_net_domain)
+
+allow container_net_domain self:udp_socket create_socket_perms;
+allow container_net_domain self:tcp_socket create_stream_socket_perms;
+allow container_net_domain self:tun_socket create_socket_perms;
+allow container_net_domain self:netlink_route_socket create_netlink_socket_perms;
+allow container_net_domain self:sctp_socket listen;
+allow container_net_domain self:packet_socket create_socket_perms;
+allow container_net_domain self:socket create_socket_perms;
+allow container_net_domain self:rawip_socket create_stream_socket_perms;
+allow container_net_domain self:netlink_kobject_uevent_socket create_socket_perms;
+allow container_net_domain self:netlink_xfrm_socket create_netlink_socket_perms;
+
+
+kernel_unlabeled_domtrans(container_runtime_domain, spc_t)
+kernel_unlabeled_entry_type(spc_t)
+allow container_runtime_domain unlabeled_t:key manage_key_perms;
+#kernel_dontaudit_write_usermodehelper_state(container_t)
+gen_require(`
+ type usermodehelper_t;
+')
+dontaudit container_domain usermodehelper_t:file write;
+
+fs_read_cgroup_files(container_domain)
+fs_list_cgroup_dirs(container_domain)
+
+sysnet_read_config(container_domain)
+
+allow container_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
+
+optional_policy(`
+ gssproxy_stream_connect(container_domain)
+')
+
+optional_policy(`
+ rpm_read_cache(container_domain)
+ rpm_read_db(container_domain)
+ rpm_transition_script(spc_t, system_r)
+')
+
+optional_policy(`
+ sssd_stream_connect(container_domain)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(container_domain)
+')
+
+tunable_policy(`container_manage_cgroup',`
+ fs_manage_cgroup_dirs(container_domain)
+ fs_manage_cgroup_files(container_domain)
+')
+
+fs_manage_fusefs_named_sockets(container_domain)
+fs_manage_fusefs_named_pipes(container_domain)
+fs_manage_fusefs_dirs(container_domain)
+fs_manage_fusefs_files(container_domain)
+fs_manage_fusefs_symlinks(container_domain)
+fs_manage_fusefs_named_sockets(container_domain)
+fs_manage_fusefs_named_pipes(container_domain)
+fs_exec_fusefs_files(container_domain)
+fs_mount_xattr_fs(container_domain)
+fs_unmount_xattr_fs(container_domain)
+fs_remount_xattr_fs(container_domain)
+fs_mount_fusefs(container_domain)
+fs_unmount_fusefs(container_domain)
+fs_mounton_fusefs(container_domain)
+storage_rw_fuse(container_domain)
+allow container_domain fusefs_t:file { mounton execmod };
+allow container_domain fusefs_t:filesystem remount;
+
+tunable_policy(`virt_sandbox_use_netlink',`
+ allow container_domain self:netlink_socket create_socket_perms;
+ allow container_domain self:netlink_tcpdiag_socket create_netlink_socket_perms;
+ allow container_domain self:netlink_kobject_uevent_socket create_socket_perms;
+', `
+ logging_dontaudit_send_audit_msgs(container_domain)
+')
+
+tunable_policy(`virt_sandbox_use_audit',`
+ logging_send_audit_msgs(container_t)
+')
+
+optional_policy(`
+ gen_require(`
+ type sysctl_kernel_ns_last_pid_t;
+ ')
+
+ kernel_search_network_sysctl(container_domain)
+ allow container_domain sysctl_kernel_ns_last_pid_t:file rw_file_perms;
+ allow container_domain sysctl_kernel_ns_last_pid_t:dir list_dir_perms;
+')
+
+tunable_policy(`virt_sandbox_use_all_caps',`
+ allow container_domain self:capability ~{ sys_module };
+ allow container_domain self:capability2 ~{ mac_override mac_admin };
+ allow container_domain self:cap_userns ~{ sys_module };
+ allow container_domain self:cap2_userns ~{ mac_override mac_admin };
+')
+
+tunable_policy(`virt_sandbox_use_mknod',`
+ allow container_domain self:capability mknod;
+ allow container_domain self:cap_userns mknod;
+')
+
+optional_policy(`
+ gen_require(`
+ role unconfined_r;
+ type unconfined_service_t;
+ type unconfined_service_exec_t;
+ ')
+
+ virt_transition_svirt_sandbox(unconfined_service_t, system_r)
+ container_filetrans_named_content(unconfined_service_t)
+ container_runtime_domtrans(unconfined_service_t)
+ role_transition unconfined_r unconfined_service_exec_t system_r;
+ allow container_runtime_domain unconfined_service_t:fifo_file setattr;
+ allow unconfined_service_t container_domain:process dyntransition;
+ allow unconfined_service_t unlabeled_t:key manage_key_perms;
+')
+
+optional_policy(`
+ gen_require(`
+ attribute unconfined_domain_type;
+ ')
+
+ container_filetrans_named_content(unconfined_domain_type)
+ allow unconfined_domain_type container_domain:process2 { nnp_transition nosuid_transition };
+ allow unconfined_domain_type unlabeled_t:key manage_key_perms;
+')
+
+#
+# container_userns_t policy
+#
+container_domain_template(container_userns, container)
+
+typeattribute container_userns_t sandbox_net_domain, container_user_domain;
+dev_mount_sysfs_fs(container_userns_t)
+dev_mounton_sysfs(container_userns_t)
+
+fs_mount_tmpfs(container_userns_t)
+fs_relabelfrom_tmpfs(container_userns_t)
+fs_remount_cgroup(container_userns_t)
+
+kernel_mount_proc(container_userns_t)
+kernel_mounton_proc(container_userns_t)
+
+term_use_generic_ptys(container_userns_t)
+term_setattr_generic_ptys(container_userns_t)
+term_mount_pty_fs(container_userns_t)
+
+allow container_userns_t self:capability ~{ sys_module };
+allow container_userns_t self:capability2 ~{ mac_override mac_admin };
+allow container_userns_t self:cap_userns ~{ sys_module };
+allow container_userns_t self:cap2_userns ~{ mac_override mac_admin };
+allow container_userns_t self:capability mknod;
+allow container_userns_t self:cap_userns mknod;
+
+optional_policy(`
+ gen_require(`
+ type proc_t, proc_kcore_t;
+ type sysctl_t, sysctl_irq_t;
+ ')
+
+ allow container_userns_t proc_t:filesystem { remount };
+ allow container_userns_t proc_kcore_t:file mounton;
+ allow container_userns_t sysctl_irq_t:dir mounton;
+ allow container_userns_t sysctl_t:dir mounton;
+ allow container_userns_t sysctl_t:file mounton;
+')
+
+
+tunable_policy(`virt_sandbox_use_sys_admin',`
+ allow container_userns_t self:capability sys_admin;
+ allow container_userns_t self:cap_userns sys_admin;
+')
+
+# Container Logreader
+container_domain_template(container_logreader, container)
+typeattribute container_logreader_t container_net_domain;
+logging_read_all_logs(container_logreader_t)
+# Remove once https://github.com/fedora-selinux/selinux-policy/pull/898 merges
+allow container_logreader_t logfile:lnk_file read_lnk_file_perms;
+logging_read_audit_log(container_logreader_t)
+logging_list_logs(container_logreader_t)
+
+# Container Logwriter
+container_domain_template(container_logwriter, container)
+typeattribute container_logwriter_t container_net_domain;
+logging_read_all_logs(container_logwriter_t)
+manage_files_pattern(container_logwriter_t, logfile, logfile)
+manage_dirs_pattern(container_logwriter_t, logfile, logfile)
+manage_lnk_files_pattern(container_logwriter_t, logfile, logfile)
+logging_manage_audit_log(container_logwriter_t)
+
+optional_policy(`
+ gen_require(`
+ type sysadm_t, staff_t, user_t;
+ role sysadm_r, staff_r, user_r;
+ attribute userdomain;
+ ')
+
+ can_exec(userdomain, container_runtime_exec_t)
+ container_manage_files(userdomain)
+ container_manage_share_dirs(userdomain)
+ container_manage_share_files(userdomain)
+
+ allow userdomain conmon_exec_t:file entrypoint;
+ container_runtime_run(sysadm_t, sysadm_r)
+ role sysadm_r types container_domain;
+ role sysadm_r types spc_t;
+
+ container_runtime_run(staff_t, staff_r)
+ role staff_r types container_user_domain;
+
+ allow userdomain self:cap_userns ~{ sys_module };
+ container_read_state(userdomain)
+ allow userdomain container_runtime_t:process { noatsecure rlimitinh siginh };
+ container_runtime_run(user_t, user_r)
+ role user_r types container_user_domain;
+
+ staff_role_change_to(system_r)
+
+ allow staff_t container_runtime_t:process signal_perms;
+ allow staff_t container_domain:process signal_perms;
+ allow container_domain userdomain:socket_class_set { accept ioctl read getattr lock write append getopt shutdown setopt };
+')
+
+gen_require(`
+ type init_t;
+')
+container_manage_lib_files(init_t)
+container_manage_lib_dirs(init_t)
+container_manage_share_files(init_t)
+container_manage_share_dirs(init_t)
+container_filetrans_named_content(init_t)
+container_runtime_read_tmpfs_files(init_t)
+
+gen_require(`
+ attribute device_node;
+ type device_t;
+ attribute sysctl_type;
+')
+dontaudit container_domain device_node:chr_file setattr;
+dontaudit container_domain sysctl_type:file write;
+allow container_domain init_t:unix_stream_socket { accept ioctl read getattr lock write append getopt };
+
+allow container_t proc_t:filesystem remount;
+
+# Container kvm - Policy for running kata containers
+container_domain_template(container_kvm, container)
+typeattribute container_kvm_t container_net_domain, container_user_domain;
+
+type container_kvm_var_run_t;
+files_pid_file(container_kvm_var_run_t)
+filetrans_pattern(container_kvm_t, container_var_run_t, container_kvm_var_run_t, {file sock_file dir})
+filetrans_pattern(container_runtime_t, container_var_run_t, container_kvm_var_run_t, dir, "kata-containers")
+
+manage_dirs_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
+manage_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
+manage_fifo_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
+manage_sock_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
+manage_lnk_files_pattern(container_kvm_t, container_kvm_var_run_t, container_kvm_var_run_t)
+files_pid_filetrans(container_kvm_t, container_kvm_var_run_t, { dir file lnk_file sock_file })
+files_pid_filetrans(container_kvm_t, container_kvm_var_run_t, { dir file lnk_file sock_file })
+allow container_kvm_t container_kvm_var_run_t:{file dir} mounton;
+
+allow container_kvm_t container_runtime_t:unix_stream_socket rw_stream_socket_perms;
+
+container_stream_connect(container_kvm_t)
+
+allow container_kvm_t container_runtime_t:tun_socket attach_queue;
+
+dev_rw_inherited_vhost(container_kvm_t)
+dev_rw_vfio_dev(container_kvm_t)
+
+corenet_rw_inherited_tun_tap_dev(container_kvm_t)
+corecmd_exec_shell(container_kvm_t)
+corecmd_exec_bin(container_kvm_t)
+corecmd_bin_entry_type(container_kvm_t)
+
+# virtiofs causes these AVC messages.
+kernel_mount_proc(container_kvm_t)
+kernel_mounton_proc(container_kvm_t)
+kernel_unmount_proc(container_kvm_t)
+kernel_dgram_send(container_kvm_t)
+files_mounton_rootfs(container_kvm_t)
+
+auth_read_passwd(container_kvm_t)
+logging_send_syslog_msg(container_kvm_t)
+
+optional_policy(`
+ qemu_entry_type(container_kvm_t)
+ qemu_exec(container_kvm_t)
+')
+
+manage_sock_files_pattern(container_kvm_t, container_file_t, container_file_t)
+
+dev_rw_kvm(container_kvm_t)
+
+sssd_read_public_files(container_kvm_t)
+
+# Container init - Policy for running systemd based containers
+container_domain_template(container_init, container)
+typeattribute container_init_t container_init_domain, container_net_domain, container_user_domain;
+
+corenet_unconfined(container_init_t)
+
+allow container_init_t device_t:filesystem { remount unmount };
+
+dev_mounton_sysfs(container_init_domain)
+
+fs_manage_cgroup_dirs(container_init_domain)
+fs_manage_cgroup_files(container_init_domain)
+fs_mounton_cgroup(container_init_domain)
+fs_unmount_cgroup(container_init_domain)
+fs_unmount_tmpfs(container_init_domain)
+
+kernel_mounton_proc(container_init_t)
+kernel_unmount_proc(container_init_t)
+
+logging_send_syslog_msg(container_init_t)
+
+allow container_init_domain proc_t:filesystem remount;
+
+optional_policy(`
+ virt_default_capabilities(container_init_t)
+')
+
+tunable_policy(`container_use_devices',`
+ allow container_domain device_node:chr_file rw_chr_file_perms;
+ allow container_domain device_node:blk_file rw_blk_file_perms;
+')
+
+tunable_policy(`virt_sandbox_use_sys_admin',`
+ allow container_init_t self:capability sys_admin;
+ allow container_init_t self:cap_userns sys_admin;
+')
+
+allow container_init_domain self:netlink_audit_socket nlmsg_relay;
+
+# container_engine_t is for running a container engine within a container
+#
+container_domain_template(container_engine, container)
+typeattribute container_engine_t container_net_domain;
+
+fs_mounton_cgroup(container_engine_t)
+fs_unmount_cgroup(container_engine_t)
+fs_manage_cgroup_dirs(container_engine_t)
+fs_manage_cgroup_files(container_engine_t)
+fs_mount_tmpfs(container_engine_t)
+fs_write_cgroup_files(container_engine_t)
+
+allow container_engine_t proc_t:file mounton;
+allow container_engine_t sysctl_t:file mounton;
+allow container_engine_t sysfs_t:filesystem remount;
+
+kernel_mount_proc(container_engine_t)
+kernel_mounton_core_if(container_engine_t)
+kernel_mounton_proc(container_engine_t)
+kernel_mounton_systemd_ProtectKernelTunables(container_engine_t)
+
+term_mount_pty_fs(container_engine_t)
+
+type kubelet_t, container_runtime_domain;
+domain_type(kubelet_t)
+
+optional_policy(`
+ gen_require(`
+ role unconfined_r;
+ ')
+ role unconfined_r types kubelet_t;
+ unconfined_domain(kubelet_t)
+')
+
+
+type kubelet_exec_t;
+application_executable_file(kubelet_exec_t)
+can_exec(container_runtime_t, kubelet_exec_t)
+allow kubelet_t kubelet_exec_t:file entrypoint;
+
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+ init_ranged_daemon_domain(kubelet_t, kubelet_exec_t, s0 - mls_systemhigh)
+')
+mls_trusted_object(kubelet_t)
+
+init_daemon_domain(kubelet_t, kubelet_exec_t)
+
+admin_pattern(kubelet_t, kubernetes_file_t)
+
+optional_policy(`
+ gen_require(`
+ type sysadm_t;
+ role sysadm_r;
+ attribute userdomain;
+ role unconfined_r;
+ ')
+
+ container_kubelet_run(sysadm_t, sysadm_r)
+
+ unconfined_run_to(kubelet_t, kubelet_exec_t)
+ role_transition unconfined_r kubelet_exec_t system_r;
+')
+
+# Standard container which needs to be allowed to use any device
+container_domain_template(container_device, container)
+allow container_device_t device_node:chr_file rw_chr_file_perms;
+
+# Standard container which needs to be allowed to use any device and
+# communicate with kubelet
+container_domain_template(container_device_plugin, container)
+allow container_device_plugin_t device_node:chr_file rw_chr_file_perms;
+dev_rw_sysfs(container_device_plugin_t)
+container_kubelet_stream_connect(container_device_plugin_t)
+
+# Standard container which needs to be allowed to use any device and
+# modify kubelet configuration
+container_domain_template(container_device_plugin_init, container)
+allow container_device_plugin_init_t device_node:chr_file rw_chr_file_perms;
+dev_rw_sysfs(container_device_plugin_init_t)
+manage_dirs_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
+manage_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
+manage_lnk_files_pattern(container_device_plugin_init_t, kubernetes_file_t, kubernetes_file_t)
+
+optional_policy(`
+ gen_require(`
+ type syslogd_t;
+ ')
+
+ allow syslogd_t container_runtime_tmpfs_t:file { read write };
+ logging_send_syslog_msg(container_runtime_t)
+')
diff --git a/selinux-policy-20230214.tar.xz b/selinux-policy-20230214.tar.xz
deleted file mode 100644
index a99d60c..0000000
--- a/selinux-policy-20230214.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:9693ed2c5547a04fe58227ee5f6db761b68cc2f4c7267492220e33678788a83f
-size 752564
diff --git a/selinux-policy-20230316.tar.xz b/selinux-policy-20230316.tar.xz
new file mode 100644
index 0000000..f813276
--- /dev/null
+++ b/selinux-policy-20230316.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4b5384b23b8bf5fe9cbd1b3da67c54a08c99b029b65b2005f345951b8763fd8a
+size 752624
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 2656fda..f2414e7 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,31 @@
+-------------------------------------------------------------------
+Thu Mar 16 15:43:19 UTC 2023 - jsegitz@suse.com
+
+- Update to version 20230316:
+ * prevent labeling of overlayfs filesystems based on the /var/lib/overlay
+ path
+ * allow kernel_t to relabel etc_t files
+ * allow kernel_t to relabel sysnet config files
+ * allow kernel_t to relabel systemd hwdb etc files
+ * add systemd_hwdb_relabel_etc_files to allow labeling of hwdb files
+ * change sysnet_relabelto_net_conf and sysnet_relabelfrom_net_conf to apply
+ to files and lnk_files. lnk_files are commonly used in SUSE to allow easy
+ management of config files
+ * add files_relabel_etc_files_basic and files_relabel_etc_lnk_files_basic
+ interfaces to allow labeling on etc_t, not on the broader configfiles
+ attribute
+ * Allow systemd-timesyncd to bind to generic UDP ports (bsc#1207962). The
+ watch permissions reported are already fixed in a current policy.
+- Reinstate update.sh and remove container-selinux from the service.
+ Having both repos in there causes issues and update.sh makes the update
+ process easier in general
+
+-------------------------------------------------------------------
+Tue Mar 7 08:49:05 UTC 2023 - Johannes Segitz
+
+- Remove erroneous SUSE man page. Will not be created with the
+ 3.5 toolchain
+
 -------------------------------------------------------------------
 Tue Feb 14 21:41:54 UTC 2023 - Hu
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 06ff334..3f3482d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -33,11 +33,13 @@ Summary: SELinux policy configuration
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20230214
+Version: 20230316
 Release: 0
 Source0: %{name}-%{version}.tar.xz
-Source1: container-selinux-%{version}.tar.xz
-Source2: selinux-policy-rpmlintrc
+Source1: container.fc
+Source2: container.te
+Source3: container.if
+Source4: selinux-policy-rpmlintrc
 Source10: modules-targeted-base.conf
 Source11: modules-targeted-contrib.conf
@@ -338,9 +340,9 @@ exit 0
 # dirty hack for container-selinux, because selinux-policy won't build without it
 # upstream does not want to include it in main policy tree:
 # see discussion in https://github.com/containers/container-selinux/issues/186
-%setup -T -D -b 1
-cp ../container-selinux-%{version}/container.* policy/modules/services/
-rm -rf ../container-selinux-%{version}
+for i in %{SOURCE1} %{SOURCE2} %{SOURCE3}; do
+ cp $i policy/modules/services/
+done + %build
diff --git a/update.sh b/update.sh
new file mode 100644
index 0000000..823357d
--- /dev/null
+++ b/update.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+date=$(date '+%Y%m%d')
+base_name_pattern='selinux-policy-*.tar.xz'
+
+echo Update to $date
+
+old_tar_file=$(ls -1 $base_name_pattern)
+
+osc service manualrun
+
+rm -rf container-selinux
+git clone --depth 1 https://github.com/containers/container-selinux.git
+rm -f container.*
+mv container-selinux/container.* .
+rm -rf container-selinux
+
+# delete old files. Might need a better sanity check
+tar_cnt=$(ls -1 $base_name_pattern | wc -l)
+if [ $tar_cnt -gt 1 ]; then
+ echo delte old file $old_tar_file
+ rm "$old_tar_file"
+ osc addremove
+fi
+
+osc status
+
From a019d5e5d8cd70f6eaf3e03587c1b1832fa5efd59775b81e14823cd9a6801534 Mon Sep 17 00:00:00 2001
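Review bot: The replacement loop `for i in %{SOURCE1} %{SOURCE2} %{SOURCE3}; do cp $i policy/modules/services/; done` in the second spec hunk does in three lines what one command does, and it expands `$i` unquoted; `cp %{SOURCE1} %{SOURCE2} %{SOURCE3} policy/modules/services/` is equivalent and simpler. The three comment lines kept as context above it ("dirty hack for container-selinux, because selinux-policy won't build without it ...") still describe the old tarball-based setup; now that container.fc/.te/.if are plain package sources, that comment should say where they come from, e.g. `# container.fc/.te/.if are copies of the upstream container-selinux files, refreshed by update.sh`. The surrounding spec section begins and ends outside this hunk.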
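Review bot: In the new update.sh, `rm -f container.*` runs before anything checks that the preceding `git clone` succeeded, so a failed clone leaves the package checkout without container.fc/.te/.if while the following `mv` fails, and with no `set -e` the script still continues to `osc status`. The clone also takes whatever the upstream default branch currently is, with no tag or commit pinned and nothing recording which revision was imported, so two runs on the same day can yield different policy sources and there is no provenance to compare against the `_servicedata` entry. Separately, `old_tar_file=$(ls -1 $base_name_pattern)` captures every matching tarball, so if more than one is already present the later `rm "$old_tar_file"` gets a single newline-joined argument and fails; and `delte` in the echo is a typo. The fetch section rewritten below addresses the first two points; the tarball cleanup is left as is.
```shell
set -eu
# … unchanged: date / base_name_pattern / old_tar_file / osc service manualrun …

# Pin the imported container-selinux revision so the refresh is reproducible;
# <TAG> is a placeholder for the upstream tag to import.
container_selinux_ref="${CONTAINER_SELINUX_REF:-<TAG>}"
rm -rf container-selinux
git clone --depth 1 --branch "$container_selinux_ref" https://github.com/containers/container-selinux.git
# Only replace the tracked files once the clone has succeeded (set -e aborts otherwise).
rm -f container.*
mv container-selinux/container.* .
rm -rf container-selinux
echo "container-selinux imported from $container_selinux_ref"
# … unchanged: old tarball cleanup / osc status …
```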
From: Johannes Segitz
Date: Fri, 17 Mar 2023 11:19:42 +0000
Subject: [PATCH 6/8] process easier in general. Updated README.Update
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=176
---
 README.Update | 2 +-
 selinux-policy.changes | 2 +-
 selinux-policy.spec | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/README.Update b/README.Update
index d0e3b5c..70c2483 100644
--- a/README.Update
+++ b/README.Update
@@ -11,7 +11,7 @@ sudo zypper in obs-service-tar_scm obs-service-recompress obs-service-set_versio
 Then, generate new tarballs, changelog and version number for this repository by running this command:
 ```
-osc service manualrun
+sh update.sh
 ```
 Afterwards, please check your local project state and remove old tarballs if necessary.
diff --git a/selinux-policy.changes b/selinux-policy.changes
index f2414e7..bb64a8f 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -18,7 +18,7 @@ Thu Mar 16 15:43:19 UTC 2023 - jsegitz@suse.com
 watch permissions reported are already fixed in a current policy.
 - Reinstate update.sh and remove container-selinux from the service.
 Having both repos in there causes issues and update.sh makes the update
- process easier in general
+ process easier in general. Updated README.Update
 
 -------------------------------------------------------------------
 Tue Mar 7 08:49:05 UTC 2023 - Johannes Segitz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3f3482d..867b348 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -40,6 +40,7 @@ Source1: container.fc
 Source2: container.te
 Source3: container.if
 Source4: selinux-policy-rpmlintrc
+Source5: README.Update
 Source10: modules-targeted-base.conf
 Source11: modules-targeted-contrib.conf
From: Johannes Segitz
Date: Fri, 17 Mar 2023 11:20:02 +0000
Subject: [PATCH 7/8] OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=177
---
 selinux-policy.spec | 1 +
 1 file changed, 1 insertion(+)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 867b348..36d0d7a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -41,6 +41,7 @@ Source2: container.te
 Source3: container.if
 Source4: selinux-policy-rpmlintrc
 Source5: README.Update
+Source6: update.sh
 Source10: modules-targeted-base.conf
 Source11: modules-targeted-contrib.conf
From 4bd800106fafa52cfcde6533a5301d78cee279f56c4e2fe5428507b44bbd895b Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Tue, 21 Mar 2023 15:56:46 +0000
Subject: [PATCH 8/8] Accepting request 1073586 from home:jsegitz:branches:security:SELinux
- Update to version 20230321:
 * make kernel_t unconfined again
OBS-URL: https://build.opensuse.org/request/show/1073586
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=178
---
 _servicedata | 2 +-
 container.te | 10 +++++++++-
 selinux-policy-20230316.tar.xz | 3 ---
 selinux-policy-20230321.tar.xz | 3 +++
 selinux-policy.changes | 6 ++++++
 selinux-policy.spec | 2 +-
 6 files changed, 20 insertions(+), 6 deletions(-)
 delete mode 100644 selinux-policy-20230316.tar.xz
 create mode 100644 selinux-policy-20230321.tar.xz
diff --git a/_servicedata b/_servicedata
index 4535cb7..03f6b76 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,6 +1,6 @@ https://gitlab.suse.de/selinux/selinux-policy.git - 3fa3ee463c968e6001607a3d25edc2f9971824d7 + 0140f0a3f8dbf17ddbd0adb6c8fc7eb23511ba2f https://github.com/containers/container-selinux.git 07b3034f6d9625ab84508a2f46515d8ff79b4204 \ No newline at end of file
diff --git a/container.te b/container.te
index d649eb0..7b156e7 100644
--- a/container.te
+++ b/container.te
@@ -1,4 +1,4 @@
-policy_module(container, 2.204.0)
+policy_module(container, 2.205.0)
 gen_require(`
 class passwd rootok;
@@ -1414,3 +1414,11 @@ optional_policy(`
 allow syslogd_t container_runtime_tmpfs_t:file { read write };
 logging_send_syslog_msg(container_runtime_t)
 ')
+
+
+manage_dirs_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_lnk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_chr_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
+manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t)
diff --git a/selinux-policy-20230316.tar.xz b/selinux-policy-20230316.tar.xz
deleted file mode 100644
index f813276..0000000
--- a/selinux-policy-20230316.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4b5384b23b8bf5fe9cbd1b3da67c54a08c99b029b65b2005f345951b8763fd8a
-size 752624
diff --git a/selinux-policy-20230321.tar.xz b/selinux-policy-20230321.tar.xz
new file mode 100644
index 0000000..99b7daa
--- /dev/null
+++ b/selinux-policy-20230321.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aca29203873cc2fdec23e233e89e56471f06c7b7fa02ed29fa3978e85b994e04
+size 752588
diff --git a/selinux-policy.changes b/selinux-policy.changes
index bb64a8f..361ee04 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Mar 21 15:37:23 UTC 2023 - jsegitz@suse.com
+
+- Update to version 20230321:
+ * make kernel_t unconfined again
+
 -------------------------------------------------------------------
 Thu Mar 16 15:43:19 UTC 2023 - jsegitz@suse.com
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 36d0d7a..ede9b73 100644
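Review bot: The six new `manage_*_pattern(svirt_sandbox_domain, container_file_t, container_file_t)` rules appended after the closing `')` of the syslogd optional_policy block carry no comment, and the selinux-policy.changes hunk in this same patch lists only "make kernel_t unconfined again", so nothing in the package records why every sandboxed domain now gets full manage rights on container_file_t or where the rules came from. `manage_chr_files_pattern` and `manage_blk_files_pattern` in particular grant create/setattr/unlink on chr_file and blk_file objects, i.e. device nodes inside container volumes, which is broader than the `rw_chr_file_perms`/`rw_blk_file_perms` this file uses elsewhere for device access; if only use of existing nodes is needed, the narrower rw patterns would do. Please add a header comment above the block such as `# svirt_sandbox_domain: full management of container_file_t content (<REASON/BUG-REF>)` and list the addition in the changes entry alongside the policy_module bump to 2.205.0.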
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -33,7 +33,7 @@ Summary: SELinux policy configuration
 License: GPL-2.0-or-later
 Group: System/Management
 Name: selinux-policy
-Version: 20230316
+Version: 20230321
 Release: 0
 Source0: %{name}-%{version}.tar.xz
 Source1: container.fc