Accepting request 714653 from home:jsegitz:branches:security:SELinux

- Update to refpolicy 20190609. New modules for stubby and several systemd updates, including initial support for systemd --user sessions. Refreshed * label_var_run_rsyslog.patch * suse_modifications_cron.patch * suse_modifications_logging.patch * suse_modifications_ntp.patch * suse_modifications_usermanage.patch * suse_modifications_xserver.patch * sysconfig_network_scripts.patch OBS-URL: https://build.opensuse.org/request/show/714653 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=72
2019-07-16 12:19:29 +00:00 · 2019-07-16 12:19:29 +00:00 · deab87434d
commit deab87434d
parent 177da0b45c
11 changed files with 53 additions and 38 deletions
--- a/label_var_run_rsyslog.patch
+++ b/label_var_run_rsyslog.patch
@ -1,8 +1,8 @@
 Index: refpolicy/policy/modules/system/logging.fc
 ===================================================================
--- refpolicy.orig/policy/modules/system/logging.fc	2018-11-27 11:50:10.755599120 +0100
+--- refpolicy.orig/policy/modules/system/logging.fc	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/system/logging.fc	2018-11-27 11:50:32.611949480 +0100
+++ refpolicy/policy/modules/system/logging.fc	2019-07-11 14:31:20.605624453 +0200
-@@ -60,6 +60,7 @@ ifdef(`distro_suse', `
+@@ -62,6 +62,7 @@ ifdef(`distro_suse', `
 /var/log/spooler[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
 /var/log/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
--- a/refpolicy-2.20190201.tar.bz2
+++ b/refpolicy-2.20190201.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:ed620dc91c4e09eee6271b373f7c61a364a82ea57bd2dc86ca1f7075304e2843
 size 552750
--- a/refpolicy-2.20190609.tar.bz2
+++ b/refpolicy-2.20190609.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:67bd1213e9d014ada15512028bb7f35ef6610c2d209cc5117b8577474aa6147f
 size 555882
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,3 +1,18 @@
 -------------------------------------------------------------------
 Thu Jul 11 12:29:29 UTC 2019 -  <jsegitz@suse.com>
 - Update to refpolicy 20190609. New modules for stubby and several
  systemd updates, including initial support for systemd --user
  sessions.
  Refreshed
  * label_var_run_rsyslog.patch
  * suse_modifications_cron.patch
  * suse_modifications_logging.patch
  * suse_modifications_ntp.patch
  * suse_modifications_usermanage.patch
  * suse_modifications_xserver.patch
  * sysconfig_network_scripts.patch
 -------------------------------------------------------------------
 Mon Feb  4 07:59:49 UTC 2019 - jsegitz@suse.com
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -122,7 +122,7 @@ Summary:        SELinux policy configuration
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20190201
+Version:        20190609
 Release:        0
 Source:         https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_%{version}/refpolicy-2.%{version}.tar.bz2
--- a/suse_modifications_cron.patch
+++ b/suse_modifications_cron.patch
@ -1,8 +1,8 @@
 Index: refpolicy/policy/modules/services/cron.fc
 ===================================================================
--- refpolicy.orig/policy/modules/services/cron.fc	2018-11-27 13:46:40.344580166 +0100
+--- refpolicy.orig/policy/modules/services/cron.fc	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/services/cron.fc	2018-11-27 13:47:44.725617173 +0100
+++ refpolicy/policy/modules/services/cron.fc	2019-07-11 14:31:20.905629406 +0200
-@@ -68,7 +68,9 @@ ifdef(`distro_gentoo',`
+@@ -69,7 +69,9 @@ ifdef(`distro_gentoo',`
 ')
 ifdef(`distro_suse',`
@ -16,9 +16,9 @@ Index: refpolicy/policy/modules/services/cron.fc
 ')
 Index: refpolicy/policy/modules/services/cron.te
 ===================================================================
--- refpolicy.orig/policy/modules/services/cron.te	2018-11-27 13:46:21.396274896 +0100
+--- refpolicy.orig/policy/modules/services/cron.te	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/services/cron.te	2018-11-27 13:46:40.344580166 +0100
+++ refpolicy/policy/modules/services/cron.te	2019-07-11 14:31:20.909629472 +0200
-@@ -761,3 +761,9 @@ tunable_policy(`cron_userdomain_transiti
+@@ -788,3 +788,9 @@ tunable_policy(`cron_userdomain_transiti
 optional_policy(`
 	unconfined_domain(unconfined_cronjob_t)
 ')
@ -30,8 +30,8 @@ Index: refpolicy/policy/modules/services/cron.te
 +')
 Index: refpolicy/policy/modules/services/cron.if
 ===================================================================
--- refpolicy.orig/policy/modules/services/cron.if	2018-11-27 13:46:40.344580166 +0100
+--- refpolicy.orig/policy/modules/services/cron.if	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/services/cron.if	2018-11-27 13:49:17.339129179 +0100
+++ refpolicy/policy/modules/services/cron.if	2019-07-11 14:31:20.909629472 +0200
@@ -139,7 +139,7 @@ interface(`cron_role',`
 #
 interface(`cron_unconfined_role',`
--- a/suse_modifications_logging.patch
+++ b/suse_modifications_logging.patch
@ -1,8 +1,8 @@
 Index: refpolicy/policy/modules/system/logging.te
 ===================================================================
--- refpolicy.orig/policy/modules/system/logging.te	2018-07-01 17:02:31.000000000 +0200
+--- refpolicy.orig/policy/modules/system/logging.te	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/system/logging.te	2018-11-27 14:51:58.508861896 +0100
+++ refpolicy/policy/modules/system/logging.te	2019-07-11 14:31:20.937629934 +0200
-@@ -554,6 +554,9 @@ ifdef(`init_systemd',`
+@@ -555,6 +555,9 @@ ifdef(`init_systemd',`
 	udev_read_pid_files(syslogd_t)
 ')
--- a/suse_modifications_ntp.patch
+++ b/suse_modifications_ntp.patch
@ -1,8 +1,8 @@
 Index: refpolicy/policy/modules/services/ntp.fc
 ===================================================================
--- refpolicy.orig/policy/modules/services/ntp.fc	2018-11-27 14:54:54.495739330 +0100
+--- refpolicy.orig/policy/modules/services/ntp.fc	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/services/ntp.fc	2018-11-27 14:55:32.792361276 +0100
+++ refpolicy/policy/modules/services/ntp.fc	2019-07-11 14:31:20.957630264 +0200
-@@ -37,3 +37,13 @@
+@@ -39,3 +39,13 @@
 /var/log/ntp.*				--	gen_context(system_u:object_r:ntpd_log_t,s0)
 /var/log/ntpstats(/.*)?				gen_context(system_u:object_r:ntpd_log_t,s0)
 /var/log/xntpd.*			--	gen_context(system_u:object_r:ntpd_log_t,s0)
--- a/suse_modifications_usermanage.patch
+++ b/suse_modifications_usermanage.patch
@ -1,7 +1,7 @@
 Index: refpolicy/policy/modules/admin/usermanage.te
 ===================================================================
--- refpolicy.orig/policy/modules/admin/usermanage.te	2019-02-01 21:03:42.000000000 +0100
+--- refpolicy.orig/policy/modules/admin/usermanage.te	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/admin/usermanage.te	2019-02-04 09:51:12.007425927 +0100
+++ refpolicy/policy/modules/admin/usermanage.te	2019-07-11 14:31:20.965630396 +0200
@@ -251,6 +251,9 @@ userdom_use_unpriv_users_fds(groupadd_t)
 # for when /root is the cwd
 userdom_dontaudit_search_user_home_dirs(groupadd_t)
@ -12,7 +12,7 @@ Index: refpolicy/policy/modules/admin/usermanage.te
 optional_policy(`
 	apt_use_fds(groupadd_t)
 ')
-@@ -570,6 +573,9 @@ optional_policy(`
+@@ -571,6 +574,9 @@ optional_policy(`
 	puppet_rw_tmp(useradd_t)
 ')
--- a/suse_modifications_xserver.patch
+++ b/suse_modifications_xserver.patch
@ -1,8 +1,8 @@
 Index: refpolicy/policy/modules/services/xserver.fc
 ===================================================================
--- refpolicy.orig/policy/modules/services/xserver.fc	2018-06-25 01:11:14.000000000 +0200
+--- refpolicy.orig/policy/modules/services/xserver.fc	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/services/xserver.fc	2018-11-27 15:03:58.228581598 +0100
+++ refpolicy/policy/modules/services/xserver.fc	2019-07-11 14:31:20.989630792 +0200
-@@ -76,6 +76,9 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
+@@ -77,6 +77,9 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /usr/bin/xauth		--	gen_context(system_u:object_r:xauth_exec_t,s0)
 /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
@ -14,9 +14,9 @@ Index: refpolicy/policy/modules/services/xserver.fc
 /usr/lib/xorg/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 Index: refpolicy/policy/modules/services/xserver.te
 ===================================================================
--- refpolicy.orig/policy/modules/services/xserver.te	2018-07-01 17:02:32.000000000 +0200
+--- refpolicy.orig/policy/modules/services/xserver.te	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/services/xserver.te	2018-11-27 15:03:58.228581598 +0100
+++ refpolicy/policy/modules/services/xserver.te	2019-07-11 14:31:20.989630792 +0200
-@@ -893,6 +893,17 @@ corenet_tcp_bind_vnc_port(xserver_t)
+@@ -912,6 +912,17 @@ corenet_tcp_bind_vnc_port(xserver_t)
 init_use_fds(xserver_t)
--- a/sysconfig_network_scripts.patch
+++ b/sysconfig_network_scripts.patch
@ -1,7 +1,7 @@
 Index: refpolicy/policy/modules/system/sysnetwork.fc
 ===================================================================
--- refpolicy.orig/policy/modules/system/sysnetwork.fc	2018-11-27 16:09:33.159358187 +0100
+--- refpolicy.orig/policy/modules/system/sysnetwork.fc	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/system/sysnetwork.fc	2018-11-27 16:09:36.851417892 +0100
+++ refpolicy/policy/modules/system/sysnetwork.fc	2019-07-11 14:31:20.997630924 +0200
@@ -6,6 +6,15 @@ ifdef(`distro_debian',`
 /dev/shm/network(/.*)?		gen_context(system_u:object_r:net_conf_t,s0)
 ')
@ -18,7 +18,7 @@ Index: refpolicy/policy/modules/system/sysnetwork.fc
 #
 # /etc
 #
-@@ -33,6 +42,10 @@ ifdef(`distro_redhat',`
+@@ -34,6 +43,10 @@ ifdef(`distro_redhat',`
 /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
 ')
@ -31,8 +31,8 @@ Index: refpolicy/policy/modules/system/sysnetwork.fc
 #
 Index: refpolicy/policy/modules/system/sysnetwork.te
 ===================================================================
--- refpolicy.orig/policy/modules/system/sysnetwork.te	2018-11-27 16:09:33.163358252 +0100
+--- refpolicy.orig/policy/modules/system/sysnetwork.te	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/system/sysnetwork.te	2018-11-27 16:10:36.920389270 +0100
+++ refpolicy/policy/modules/system/sysnetwork.te	2019-07-11 14:31:21.001630990 +0200
@@ -47,7 +47,8 @@ ifdef(`distro_debian',`
 #
 # DHCP client local policy
@ -43,7 +43,7 @@ Index: refpolicy/policy/modules/system/sysnetwork.te
 dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-@@ -79,6 +80,12 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_r
+@@ -80,6 +81,12 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_r
 sysnet_manage_config(dhcpc_t)
 files_etc_filetrans(dhcpc_t, net_conf_t, file)
@ -58,8 +58,8 @@ Index: refpolicy/policy/modules/system/sysnetwork.te
 manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
 Index: refpolicy/policy/modules/kernel/devices.fc
 ===================================================================
--- refpolicy.orig/policy/modules/kernel/devices.fc	2018-11-27 16:09:33.163358252 +0100
+--- refpolicy.orig/policy/modules/kernel/devices.fc	2019-06-09 20:05:20.000000000 +0200
-+++ refpolicy/policy/modules/kernel/devices.fc	2018-11-27 16:09:36.851417892 +0100
+++ refpolicy/policy/modules/kernel/devices.fc	2019-07-11 14:31:21.001630990 +0200
@@ -2,6 +2,7 @@
 /dev			-d	gen_context(system_u:object_r:device_t,s0)
 /dev/.*				gen_context(system_u:object_r:device_t,s0)