rpm/selinux-policy
SHA256
1
0
Fork 0
forked from pool/selinux-policy
Code Pull Requests Activity
2c0c138859
selinux-policy/fix_init.patch
Johannes Segitz c4556003bf Accepting request 1061575 from home:jsegitz:branches:security:SELinux 
- Update to version 20230125. Refreshed:
  * distro_suse_to_distro_redhat.patch
  * fix_dnsmasq.patch
  * fix_init.patch
  * fix_ipsec.patch
  * fix_kernel_sysctl.patch
  * fix_logging.patch
  * fix_rpm.patch
  * fix_selinuxutil.patch
  * fix_systemd_watch.patch
  * fix_userdomain.patch
- More flexible lib(exec) matching in fix_fwupd.patch
- Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch
- Dropped fix_container.patch, is now upstream
- Added fix_entropyd.patch
  * Added new interface entropyd_semaphore_filetrans to properly transfer
    semaphore created during early boot. That doesn't work yet, so work
    around with next item
  * Allow reading tempfs files
- Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace
  to allow kmod_tmpfs_t files to be executed. Necessary for firewalld
- Added fix_rtkit.patch to fix labeling of binary
- Modified fix_ntp.patch:
  * Proper labeling for start-ntpd
  * Fixed label rules for chroot path
  * Temporarily allow dac_override for ntpd_t (bsc#1207577)
  * Add interface ntp_manage_pid_files to allow management of pid
    files
- Updated fix_networkmanager.patch to allow managing ntp pid files

OBS-URL: https://build.opensuse.org/request/show/1061575
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=171
2023-01-27 14:51:33 +00:00

89 lines
3.1 KiB
Diff
Raw Blame History

Index: fedora-policy-20230116/policy/modules/system/init.te
===================================================================
--- fedora-policy-20230116.orig/policy/modules/system/init.te
+++ fedora-policy-20230116/policy/modules/system/init.te
@@ -270,6 +270,8 @@ corecmd_exec_bin(init_t)
corenet_all_recvfrom_netlabel(init_t)
corenet_tcp_bind_all_ports(init_t)
corenet_udp_bind_all_ports(init_t)
+corenet_udp_bind_generic_node(init_t)
+corenet_tcp_bind_generic_node(init_t)
dev_create_all_files(init_t)
dev_create_all_chr_files(init_t)
@@ -396,6 +398,7 @@ logging_manage_audit_config(init_t)
logging_create_syslog_netlink_audit_socket(init_t)
logging_write_var_log_dirs(init_t)
logging_manage_var_log_symlinks(init_t)
+logging_dgram_accept(init_t)
seutil_read_config(init_t)
seutil_read_login_config(init_t)
@@ -448,9 +451,19 @@ ifdef(`distro_redhat',`
corecmd_shell_domtrans(init_t, initrc_t)
storage_raw_rw_fixed_disk(init_t)
+storage_raw_read_removable_device(init_t)
sysnet_read_dhcpc_state(init_t)
+# bsc#1197610, find a better, generic solution
+optional_policy(`
+ mta_getattr_spool(init_t)
+')
+
+optional_policy(`
+ networkmanager_initrc_read_lnk_files(init_t)
+')
+
optional_policy(`
anaconda_stream_connect(init_t)
anaconda_create_unix_stream_sockets(init_t)
@@ -582,10 +595,10 @@ tunable_policy(`init_audit_control',`
allow init_t self:system all_system_perms;
allow init_t self:system module_load;
allow init_t self:unix_dgram_socket { create_socket_perms sendto };
-allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec };
+allow init_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec execmem };
allow init_t self:process { getcap setcap };
allow init_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom };
-allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
allow init_t self:netlink_selinux_socket create_socket_perms;
allow init_t self:unix_dgram_socket lock;
# Until systemd is fixed
@@ -645,6 +658,7 @@ files_delete_all_spool_sockets(init_t)
files_create_var_lib_dirs(init_t)
files_create_var_lib_symlinks(init_t)
files_read_var_lib_symlinks(init_t)
+files_read_var_files(init_t)
files_manage_urandom_seed(init_t)
files_list_locks(init_t)
files_list_spool(init_t)
@@ -682,7 +696,7 @@ fs_list_all(init_t)
fs_list_auto_mountpoints(init_t)
fs_register_binary_executable_type(init_t)
fs_relabel_tmpfs_sock_file(init_t)
-fs_rw_tmpfs_files(init_t)
+fs_rw_tmpfs_files(init_t)
fs_relabel_cgroup_dirs(init_t)
fs_search_cgroup_dirs(init_t)
# for network namespaces
@@ -738,6 +752,7 @@ systemd_write_inherited_logind_sessions_
create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
create_dirs_pattern(init_t, var_log_t, var_log_t)
+files_manage_var_files(init_t)
auth_use_nsswitch(init_t)
auth_rw_login_records(init_t)
@@ -1592,6 +1607,8 @@ optional_policy(`
optional_policy(`
postfix_list_spool(initrc_t)
+ #allow init_t postfix_map_exec_t:file { open read execute execute_no_trans ioctl };
+ postfix_domtrans_map(init_t)
')
optional_policy(`
View Git Blame Copy Permalink