Accepting request 894639 from home:lnussel:branches:systemsmanagement:cockpit

- allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units that trigger on changes in those. - own /usr/share/selinux/packages/$SELINUXTYPE/ and /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install files there OBS-URL: https://build.opensuse.org/request/show/894639 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=108
2021-05-20 15:02:09 +00:00 · 2021-05-20 15:02:09 +00:00 · b8952f6e0d
commit b8952f6e0d
parent d46782358c
3 changed files with 53 additions and 1 deletions
--- a/fix_systemd_watch.patch
+++ b/fix_systemd_watch.patch
@ -0,0 +1,38 @@
+Index: fedora-policy-20210419/policy/modules/system/systemd.te
+===================================================================
+--- fedora-policy-20210419.orig/policy/modules/system/systemd.te
+++ fedora-policy-20210419/policy/modules/system/systemd.te
+@@ -1357,3 +1357,10 @@ fstools_rw_swap_files(systemd_sleep_t)
+ 
+ # systemd-sleep needs to getattr swap partitions
+ storage_getattr_fixed_disk_dev(systemd_sleep_t)
+
+
+#######################################
+#
+# Allow systemd to watch certificate dir for ca-certificates
+# 
+watch_dirs_pattern(init_t,cert_t,cert_t)
+Index: fedora-policy-20210419/policy/modules/system/init.te
+===================================================================
+--- fedora-policy-20210419.orig/policy/modules/system/init.te
+++ fedora-policy-20210419/policy/modules/system/init.te
+@@ -317,7 +317,10 @@ files_etc_filetrans_etc_runtime(init_t,
+ # Run /etc/X11/prefdm:
+ files_exec_etc_files(init_t)
+ files_watch_etc_dirs(init_t)
+files_watch_etc_files(init_t)
+ files_read_usr_files(init_t)
+files_watch_usr_dirs(init_t)
+files_watch_usr_files(init_t)
+ files_watch_root_dirs(init_t)
+ files_write_root_dirs(init_t)
+ files_watch_var_dirs(init_t)
+@@ -334,6 +337,7 @@ files_remount_rootfs(init_t)
+ files_create_var_dirs(init_t)
+ files_watch_home(init_t)
+ files_watch_all_pid(init_t)
+watch_dirs_pattern(init_t,lib_t,lib_t)
+ 
+ fs_list_inotifyfs(init_t)
+ # cjp: this may be related to /dev/log
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue May 18 11:10:59 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
+
+- allow systemd to watch /usr, /usr/lib, /etc, /etc/pki as we have path units
+  that trigger on changes in those.
+- own /usr/share/selinux/packages/$SELINUXTYPE/ and
+  /var/lib/selinux/$SELINUXTYPE/active/modules/* to allow packages to install
+  files there
+
 -------------------------------------------------------------------
 Wed Apr 28 15:18:37 UTC 2021 - Ludwig Nussel <lnussel@suse.de>

--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -131,6 +131,7 @@ Patch050:       fix_libraries.patch
 Patch051:       fix_dovecot.patch
 # https://github.com/cockpit-project/cockpit/pull/15758
 Patch052:       fix_cockpit.patch
+Patch053:       fix_systemd_watch.patch

 Patch100:       sedoctool.patch

@ -183,6 +184,7 @@ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \
 make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \
 make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \
 %{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
+%{__mkdir} -p %{buildroot}%{_sharedstatedir}/selinux/%1/active/modules/{1,2,4}00 \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
 install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
 install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
@ -210,6 +212,8 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
 %dir %attr(700,root,root) %{_sharedstatedir}/selinux/%1/active/modules \
 %dir %{_sharedstatedir}/selinux/%1/active/modules/100 \
+%dir %{_sharedstatedir}/selinux/%1/active/modules/200 \
+%dir %{_sharedstatedir}/selinux/%1/active/modules/400 \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
 %dir %{_sysconfdir}/selinux/%1/policy/ \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.* \
@ -250,6 +254,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
 %dir %{_datadir}/selinux/%1 \
+%dir %{_datadir}/selinux/packages/%1 \
 %{_datadir}/selinux/%1/base.lst \
 %{_datadir}/selinux/%1/modules-base.lst \
 %{_datadir}/selinux/%1/modules-contrib.lst \
@ -409,7 +414,7 @@ sed -i 's|SELINUXSTOREPATH|%{_sharedstatedir}/selinux|' %{buildroot}%{_rpmconfig
 mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
 mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/

-mkdir -p %{buildroot}%{_datadir}/selinux/packages
+mkdir -p %{buildroot}%{_datadir}/selinux/packages/{targeted,mls,minimum,modules}/

 mkdir selinux_config
 for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do