From deab87434d5273c76ea64b5bdaee99faaf1b1fe2e544e9579c419f83d33706ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADt=C4=9Bzslav=20=C4=8C=C3=AD=C5=BEek?= Date: Tue, 16 Jul 2019 12:19:29 +0000 Subject: [PATCH] Accepting request 714653 from home:jsegitz:branches:security:SELinux - Update to refpolicy 20190609. New modules for stubby and several systemd updates, including initial support for systemd --user sessions. Refreshed * label_var_run_rsyslog.patch * suse_modifications_cron.patch * suse_modifications_logging.patch * suse_modifications_ntp.patch * suse_modifications_usermanage.patch * suse_modifications_xserver.patch * sysconfig_network_scripts.patch OBS-URL: https://build.opensuse.org/request/show/714653 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=72 --- label_var_run_rsyslog.patch | 6 +++--- refpolicy-2.20190201.tar.bz2 | 3 --- refpolicy-2.20190609.tar.bz2 | 3 +++ selinux-policy.changes | 15 +++++++++++++++ selinux-policy.spec | 2 +- suse_modifications_cron.patch | 16 ++++++++-------- suse_modifications_logging.patch | 6 +++--- suse_modifications_ntp.patch | 6 +++--- suse_modifications_usermanage.patch | 6 +++--- suse_modifications_xserver.patch | 12 ++++++------ sysconfig_network_scripts.patch | 16 ++++++++-------- 11 files changed, 53 insertions(+), 38 deletions(-) delete mode 100644 refpolicy-2.20190201.tar.bz2 create mode 100644 refpolicy-2.20190609.tar.bz2 diff --git a/label_var_run_rsyslog.patch b/label_var_run_rsyslog.patch index 9a38abf..897d2fc 100644 --- a/label_var_run_rsyslog.patch +++ b/label_var_run_rsyslog.patch 
@@ -1,8 +1,8 @@ Index: refpolicy/policy/modules/system/logging.fc =================================================================== ---- refpolicy.orig/policy/modules/system/logging.fc 2018-11-27 11:50:10.755599120 +0100 -+++ refpolicy/policy/modules/system/logging.fc 2018-11-27 11:50:32.611949480 +0100 -@@ -60,6 +60,7 @@ ifdef(`distro_suse', ` +--- refpolicy.orig/policy/modules/system/logging.fc 2019-06-09 20:05:20.000000000 +0200 ++++ refpolicy/policy/modules/system/logging.fc 2019-07-11 14:31:20.605624453 +0200 +@@ -62,6 +62,7 @@ ifdef(`distro_suse', ` /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) /var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) diff --git a/refpolicy-2.20190201.tar.bz2 b/refpolicy-2.20190201.tar.bz2 deleted file mode 100644 index d797823..0000000 --- a/refpolicy-2.20190201.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ed620dc91c4e09eee6271b373f7c61a364a82ea57bd2dc86ca1f7075304e2843 -size 552750 diff --git a/refpolicy-2.20190609.tar.bz2 b/refpolicy-2.20190609.tar.bz2 new file mode 100644 index 0000000..097281b --- /dev/null +++ b/refpolicy-2.20190609.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:67bd1213e9d014ada15512028bb7f35ef6610c2d209cc5117b8577474aa6147f +size 555882 diff --git a/selinux-policy.changes b/selinux-policy.changes index 1db77ab..ade175f 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
@@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Thu Jul 11 12:29:29 UTC 2019 - + +- Update to refpolicy 20190609. New modules for stubby and several + systemd updates, including initial support for systemd --user + sessions. + Refreshed + * label_var_run_rsyslog.patch + * suse_modifications_cron.patch + * suse_modifications_logging.patch + * suse_modifications_ntp.patch + * suse_modifications_usermanage.patch + * suse_modifications_xserver.patch + * sysconfig_network_scripts.patch + ------------------------------------------------------------------- Mon Feb 4 07:59:49 UTC 2019 - jsegitz@suse.com diff --git a/selinux-policy.spec b/selinux-policy.spec index 5fb1a78..d9b4e78 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -122,7 +122,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20190201 +Version: 20190609 Release: 0 Source: https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_%{version}/refpolicy-2.%{version}.tar.bz2 diff --git a/suse_modifications_cron.patch b/suse_modifications_cron.patch index 874045f..f519d8c 100644 --- a/suse_modifications_cron.patch +++ b/suse_modifications_cron.patch @@ -1,8 +1,8 @@ Index: refpolicy/policy/modules/services/cron.fc =================================================================== ---- refpolicy.orig/policy/modules/services/cron.fc 2018-11-27 13:46:40.344580166 +0100 -+++ refpolicy/policy/modules/services/cron.fc 2018-11-27 13:47:44.725617173 +0100 -@@ -68,7 +68,9 @@ ifdef(`distro_gentoo',` +--- refpolicy.orig/policy/modules/services/cron.fc 2019-06-09 20:05:20.000000000 +0200 ++++ refpolicy/policy/modules/services/cron.fc 2019-07-11 14:31:20.905629406 +0200 +@@ -69,7 +69,9 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_suse',` 
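Review bot: The `Version:` bump in selinux-policy.spec re-points the `Source:` URL at a new GitHub release download, and the only integrity evidence in this commit is the git-lfs `oid sha256:` recorded for refpolicy-2.20190609.tar.bz2. That hash shows what was committed, not that it matches what upstream published. The spec continues outside this hunk, so verification may already be handled there. If it is not, and upstream provides a detached signature for the release, add it as a further `Source` entry together with a `%{name}.keyring` so the tarball is checked on every update. Failing that, a comment above the `Source:` line such as `# tarball sha256 compared with the upstream release asset at update time` would document the manual check for whoever does the next refresh.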
@@ -16,9 +16,9 @@ Index: refpolicy/policy/modules/services/cron.fc ') Index: refpolicy/policy/modules/services/cron.te =================================================================== ---- refpolicy.orig/policy/modules/services/cron.te 2018-11-27 13:46:21.396274896 +0100 -+++ refpolicy/policy/modules/services/cron.te 2018-11-27 13:46:40.344580166 +0100 -@@ -761,3 +761,9 @@ tunable_policy(`cron_userdomain_transiti +--- refpolicy.orig/policy/modules/services/cron.te 2019-06-09 20:05:20.000000000 +0200 ++++ refpolicy/policy/modules/services/cron.te 2019-07-11 14:31:20.909629472 +0200 +@@ -788,3 +788,9 @@ tunable_policy(`cron_userdomain_transiti optional_policy(` unconfined_domain(unconfined_cronjob_t) ') @@ -30,8 +30,8 @@ Index: refpolicy/policy/modules/services/cron.te +') Index: refpolicy/policy/modules/services/cron.if =================================================================== ---- refpolicy.orig/policy/modules/services/cron.if 2018-11-27 13:46:40.344580166 +0100 -+++ refpolicy/policy/modules/services/cron.if 2018-11-27 13:49:17.339129179 +0100 +--- refpolicy.orig/policy/modules/services/cron.if 2019-06-09 20:05:20.000000000 +0200 ++++ refpolicy/policy/modules/services/cron.if 2019-07-11 14:31:20.909629472 +0200 @@ -139,7 +139,7 @@ interface(`cron_role',` # interface(`cron_unconfined_role',` diff --git a/suse_modifications_logging.patch b/suse_modifications_logging.patch index bd7643e..03840c8 100644 --- a/suse_modifications_logging.patch +++ b/suse_modifications_logging.patch 
@@ -1,8 +1,8 @@ Index: refpolicy/policy/modules/system/logging.te =================================================================== ---- refpolicy.orig/policy/modules/system/logging.te 2018-07-01 17:02:31.000000000 +0200 -+++ refpolicy/policy/modules/system/logging.te 2018-11-27 14:51:58.508861896 +0100 -@@ -554,6 +554,9 @@ ifdef(`init_systemd',` +--- refpolicy.orig/policy/modules/system/logging.te 2019-06-09 20:05:20.000000000 +0200 ++++ refpolicy/policy/modules/system/logging.te 2019-07-11 14:31:20.937629934 +0200 +@@ -555,6 +555,9 @@ ifdef(`init_systemd',` udev_read_pid_files(syslogd_t) ') diff --git a/suse_modifications_ntp.patch b/suse_modifications_ntp.patch index f1e076d..1ee7af5 100644 --- a/suse_modifications_ntp.patch +++ b/suse_modifications_ntp.patch @@ -1,8 +1,8 @@ Index: refpolicy/policy/modules/services/ntp.fc =================================================================== ---- refpolicy.orig/policy/modules/services/ntp.fc 2018-11-27 14:54:54.495739330 +0100 -+++ refpolicy/policy/modules/services/ntp.fc 2018-11-27 14:55:32.792361276 +0100 -@@ -37,3 +37,13 @@ +--- refpolicy.orig/policy/modules/services/ntp.fc 2019-06-09 20:05:20.000000000 +0200 ++++ refpolicy/policy/modules/services/ntp.fc 2019-07-11 14:31:20.957630264 +0200 +@@ -39,3 +39,13 @@ /var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) /var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0) /var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) diff --git a/suse_modifications_usermanage.patch b/suse_modifications_usermanage.patch index 7edfc42..13ec915 100644 --- a/suse_modifications_usermanage.patch +++ b/suse_modifications_usermanage.patch 
@@ -1,7 +1,7 @@ Index: refpolicy/policy/modules/admin/usermanage.te =================================================================== ---- refpolicy.orig/policy/modules/admin/usermanage.te 2019-02-01 21:03:42.000000000 +0100 -+++ refpolicy/policy/modules/admin/usermanage.te 2019-02-04 09:51:12.007425927 +0100 +--- refpolicy.orig/policy/modules/admin/usermanage.te 2019-06-09 20:05:20.000000000 +0200 ++++ refpolicy/policy/modules/admin/usermanage.te 2019-07-11 14:31:20.965630396 +0200 @@ -251,6 +251,9 @@ userdom_use_unpriv_users_fds(groupadd_t) # for when /root is the cwd userdom_dontaudit_search_user_home_dirs(groupadd_t) @@ -12,7 +12,7 @@ Index: refpolicy/policy/modules/admin/usermanage.te optional_policy(` apt_use_fds(groupadd_t) ') -@@ -570,6 +573,9 @@ optional_policy(` +@@ -571,6 +574,9 @@ optional_policy(` puppet_rw_tmp(useradd_t) ') diff --git a/suse_modifications_xserver.patch b/suse_modifications_xserver.patch index 714722f..d97b3bd 100644 --- a/suse_modifications_xserver.patch +++ b/suse_modifications_xserver.patch @@ -1,8 +1,8 @@ Index: refpolicy/policy/modules/services/xserver.fc =================================================================== ---- refpolicy.orig/policy/modules/services/xserver.fc 2018-06-25 01:11:14.000000000 +0200 -+++ refpolicy/policy/modules/services/xserver.fc 2018-11-27 15:03:58.228581598 +0100 -@@ -76,6 +76,9 @@ HOME_DIR/\.Xauthority.* -- gen_context(s +--- refpolicy.orig/policy/modules/services/xserver.fc 2019-06-09 20:05:20.000000000 +0200 ++++ refpolicy/policy/modules/services/xserver.fc 2019-07-11 14:31:20.989630792 +0200 +@@ -77,6 +77,9 @@ HOME_DIR/\.Xauthority.* -- gen_context(s /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) 
@@ -14,9 +14,9 @@ Index: refpolicy/policy/modules/services/xserver.fc /usr/lib/xorg/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0) Index: refpolicy/policy/modules/services/xserver.te =================================================================== ---- refpolicy.orig/policy/modules/services/xserver.te 2018-07-01 17:02:32.000000000 +0200 -+++ refpolicy/policy/modules/services/xserver.te 2018-11-27 15:03:58.228581598 +0100 -@@ -893,6 +893,17 @@ corenet_tcp_bind_vnc_port(xserver_t) +--- refpolicy.orig/policy/modules/services/xserver.te 2019-06-09 20:05:20.000000000 +0200 ++++ refpolicy/policy/modules/services/xserver.te 2019-07-11 14:31:20.989630792 +0200 +@@ -912,6 +912,17 @@ corenet_tcp_bind_vnc_port(xserver_t) init_use_fds(xserver_t) diff --git a/sysconfig_network_scripts.patch b/sysconfig_network_scripts.patch index f5417c8..4a48015 100644 --- a/sysconfig_network_scripts.patch +++ b/sysconfig_network_scripts.patch @@ -1,7 +1,7 @@ Index: refpolicy/policy/modules/system/sysnetwork.fc =================================================================== ---- refpolicy.orig/policy/modules/system/sysnetwork.fc 2018-11-27 16:09:33.159358187 +0100 -+++ refpolicy/policy/modules/system/sysnetwork.fc 2018-11-27 16:09:36.851417892 +0100 +--- refpolicy.orig/policy/modules/system/sysnetwork.fc 2019-06-09 20:05:20.000000000 +0200 ++++ refpolicy/policy/modules/system/sysnetwork.fc 2019-07-11 14:31:20.997630924 +0200 @@ -6,6 +6,15 @@ ifdef(`distro_debian',` /dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ') @@ -18,7 +18,7 @@ Index: refpolicy/policy/modules/system/sysnetwork.fc # # /etc # -@@ -33,6 +42,10 @@ ifdef(`distro_redhat',` +@@ -34,6 +43,10 @@ ifdef(`distro_redhat',` /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ') 
@@ -31,8 +31,8 @@ Index: refpolicy/policy/modules/system/sysnetwork.fc # Index: refpolicy/policy/modules/system/sysnetwork.te =================================================================== ---- refpolicy.orig/policy/modules/system/sysnetwork.te 2018-11-27 16:09:33.163358252 +0100 -+++ refpolicy/policy/modules/system/sysnetwork.te 2018-11-27 16:10:36.920389270 +0100 +--- refpolicy.orig/policy/modules/system/sysnetwork.te 2019-06-09 20:05:20.000000000 +0200 ++++ refpolicy/policy/modules/system/sysnetwork.te 2019-07-11 14:31:21.001630990 +0200 @@ -47,7 +47,8 @@ ifdef(`distro_debian',` # # DHCP client local policy @@ -43,7 +43,7 @@ Index: refpolicy/policy/modules/system/sysnetwork.te dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config }; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; -@@ -79,6 +80,12 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_r +@@ -80,6 +81,12 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_r sysnet_manage_config(dhcpc_t) files_etc_filetrans(dhcpc_t, net_conf_t, file) @@ -58,8 +58,8 @@ Index: refpolicy/policy/modules/system/sysnetwork.te manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t) Index: refpolicy/policy/modules/kernel/devices.fc =================================================================== ---- refpolicy.orig/policy/modules/kernel/devices.fc 2018-11-27 16:09:33.163358252 +0100 -+++ refpolicy/policy/modules/kernel/devices.fc 2018-11-27 16:09:36.851417892 +0100 +--- refpolicy.orig/policy/modules/kernel/devices.fc 2019-06-09 20:05:20.000000000 +0200 ++++ refpolicy/policy/modules/kernel/devices.fc 2019-07-11 14:31:21.001630990 +0200 @@ -2,6 +2,7 @@ /dev -d gen_context(system_u:object_r:device_t,s0) /dev/.* gen_context(system_u:object_r:device_t,s0)