diff --git a/Add-permission-open-to-files_read_inherited_tmp_file.patch b/Add-permission-open-to-files_read_inherited_tmp_file.patch new file mode 100644 index 0000000000000000000000000000000000000000..3b3eb9d1e5cd920f1b39a6b9983882c32a4aa4c2 --- /dev/null +++ b/Add-permission-open-to-files_read_inherited_tmp_file.patch @@ -0,0 +1,29 @@ +From 9c55448c7d59ea537fe8ee9e89b6196a6562ef5f Mon Sep 17 00:00:00 2001 +From: luhuaxin +Date: Thu, 28 Apr 2022 17:10:37 +0800 +Subject: [PATCH] Add permission open to files_read_inherited_tmp_file + +The open permission is deleted from upstream. We add it for +compatibility with historical release versions. + +Signed-off-by: luhuaxin +--- + policy/modules/kernel/files.if | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if +index bca6f15..498c252 100644 +--- a/policy/modules/kernel/files.if ++++ b/policy/modules/kernel/files.if +@@ -6428,7 +6428,7 @@ interface(`files_read_inherited_tmp_files',` + attribute tmpfile; + ') + +- allow $1 tmpfile:file { append read_inherited_file_perms }; ++ allow $1 tmpfile:file { append open read_inherited_file_perms }; + ') + + ######################################## +-- +1.8.3.1 + diff --git a/Allow-init_t-nnp-domain-transition-to-abrtd_t.patch b/Allow-init_t-nnp-domain-transition-to-abrtd_t.patch new file mode 100644 index 0000000000000000000000000000000000000000..c0e9784cd6244a8fa25cdbdf43ef91cbf4def0cb --- /dev/null +++ b/Allow-init_t-nnp-domain-transition-to-abrtd_t.patch 
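Review bot: Adding `open` to `files_read_inherited_tmp_files` defeats the purpose of an inherited-descriptor interface: `read_inherited_file_perms` deliberately omits `open` so a caller can only read tmp files handed to it over an fd, and because the rule targets the `tmpfile` attribute, every existing caller of this shared interface now gains the right to open any tmp file type on the system. Compatibility with older releases would be safer served by giving the specific domains that depend on it a dedicated open-capable interface or rule rather than widening one that many domains call. If the widening is kept, the interface summary should say so, e.g. `## Read inherited temporary files. NOTE: open is also granted here (downstream compatibility), so callers may open any tmpfile-labelled file, not only inherited descriptors.` The commit message should also name which callers or releases depend on it.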
@@ -0,0 +1,29 @@ +From b9090951b8dc65f9e4bcf008aff9d353dd025f0a Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 7 Feb 2024 16:24:21 +0100 +Subject: [PATCH] Allow init_t nnp domain transition to abrtd_t + +The permission is required in abrt v2.17.2 which contains +miscellaneous service sandboxing features. + +The commit addresses the following AVC denial: +Feb 05 14:39:14 fedora audit[729]: AVC avc: denied { nnp_transition } for pid=729 comm="(abrtd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=process2 permissive=0 +Feb 05 14:39:14 fedora audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 + +Resolves: rhbz#2263210 +--- + policy/modules/contrib/abrt.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te +index 463dd64a9c..59b9f114ab 100644 +--- a/policy/modules/contrib/abrt.te ++++ b/policy/modules/contrib/abrt.te +@@ -38,6 +38,7 @@ roleattribute system_r abrt_helper_roles; + + abrt_basic_types_template(abrt) + init_daemon_domain(abrt_t, abrt_exec_t) ++init_nnp_daemon_domain(abrt_t) + + type abrt_initrc_exec_t; + init_script_file(abrt_initrc_exec_t) diff --git a/Policy-for-restoring-kernel_t.patch b/Policy-for-restoring-kernel_t.patch new file mode 100644 index 0000000000000000000000000000000000000000..cfcf68c6509185e8687062dae9d9f77c894d2b4f --- /dev/null +++ b/Policy-for-restoring-kernel_t.patch 
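Review bot: The subject and file name say `abrtd_t` while the added rule, the denial quoted in the message and the existing `init_daemon_domain(abrt_t, abrt_exec_t)` line all refer to `abrt_t`; correct the subject to `Allow init_t nnp domain transition to abrt_t` so the patch can be matched to the AVC it fixes. `init_nnp_daemon_domain` is the standard way to let a NoNewPrivileges service transition from init_t, so the rule itself looks right; in Fedora/RHEL policy this interface is understood to grant nosuid_transition alongside nnp_transition, so verify that is intended. The patch file also lacks the `-- ` trailer the rest of the series carries, which is harmless but inconsistent.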
@@ -0,0 +1,27 @@ +From 89d0eb2654943472f2ce33bcaa04be015985d5d8 Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Tue, 21 Mar 2023 10:15:04 +0800 +Subject: [PATCH] Policy for restoring kernel_t + +--- + policy/modules/kernel/kernel.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te +index 2df33b0..a7bf2c8 100644 +--- a/policy/modules/kernel/kernel.te ++++ b/policy/modules/kernel/kernel.te +@@ -504,6 +504,10 @@ optional_policy(` + init_read_utmp(kernel_systemctl_t) + ') + ++optional_policy(` ++ unconfined_domain_noaudit(kernel_t) ++') ++ + optional_policy(` + virt_filetrans_home_content(kernel_t) + ') +-- +2.27.0 + diff --git a/Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch b/Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch new file mode 100644 index 0000000000000000000000000000000000000000..10800a5f0da10fafbdd849f670931f0fd65c6f69 --- /dev/null +++ b/Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch 
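Review bot: `unconfined_domain_noaudit(kernel_t)` removes every policy constraint from kernel_t, the domain that runs kernel threads, the usermode helpers the kernel spawns (the modprobe path and similar helpers referenced elsewhere in kernel.te) and, on many systems, processes started before the init transition, and the `_noaudit` variant additionally suppresses the denials that would otherwise show what kernel_t was doing, so an abused helper path leaves no SELinux audit trail. The commit message gives no denial, workload or boot step that motivates this, so it reads as a blanket escape hatch rather than a fix. At minimum use the auditing variant, `unconfined_domain(kernel_t)`, so denials are still logged, and state in the message what needed it; preferably grant only the permissions that step requires. Because the rule sits inside `optional_policy`, it silently takes effect on any build that includes the unconfined module, which is the default for distribution policies.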
@@ -0,0 +1,48 @@ +From 2a1802c29f4629f06ebd2c8bf1491f98565bf5b1 Mon Sep 17 00:00:00 2001 +From: "GONG, Ruiqi" +Date: Mon, 20 Mar 2023 20:42:49 +0800 +Subject: [PATCH] Revert "Don't allow kernel_t to execute bin_t/usr_t binaries + without a transition" + +This reverts commit 18c5559222ea3ca3588c8d32c06cddc41b66f688. + +--- + policy/modules/kernel/kernel.te | 17 +++-------------- + 1 file changed, 3 insertions(+), 14 deletions(-) + +diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te +index 7dce828..0c1d125 100644 +--- a/policy/modules/kernel/kernel.te ++++ b/policy/modules/kernel/kernel.te +@@ -356,25 +356,14 @@ selinux_compute_create_context(kernel_t) + term_use_all_terms(kernel_t) + term_use_ptmx(kernel_t) + ++corecmd_exec_shell(kernel_t) + corecmd_list_bin(kernel_t) +- +-# /proc/sys/kernel/modprobe is set to /bin/true if not using modules, +-# thus allow a transition into a minimal helper domain through generic bin +-# types. +-type kernel_generic_helper_t; +-domain_type(kernel_generic_helper_t) +-role system_r types kernel_generic_helper_t; +-corecmd_bin_entry_type(kernel_generic_helper_t) +-corecmd_bin_domtrans(kernel_t, kernel_generic_helper_t) +- +-allow kernel_generic_helper_t kernel_t:fifo_file read_inherited_fifo_file_perms; ++# /proc/sys/kernel/modprobe is set to /bin/true if not using modules. ++corecmd_exec_bin(kernel_t) + + # Enable running `/usr/bin/env [u]mount ...` to support ZFS automounting. + # See the module/os/linux/zfs/zfs_ctldir.c file in + # https://github.com/openzfs/zfs/ for the usermode helper calls. +-optional_policy(` +- mount_domtrans(kernel_generic_helper_t) +-') + + domain_use_all_fds(kernel_t) + domain_signal_all_domains(kernel_t) +-- +2.33.0 + diff --git a/access-to-iptables-run-file.patch b/access-to-iptables-run-file.patch deleted file mode 100644 index 0bcd2e61203486e07520ff5b2bc64b4cebda4b78..0000000000000000000000000000000000000000 --- a/access-to-iptables-run-file.patch +++ /dev/null 
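Review bot: With the helper domain removed, `corecmd_exec_bin(kernel_t)` and `corecmd_exec_shell(kernel_t)` run every kernel-spawned usermode helper (the modprobe path the comment mentions, and via the same mechanism core_pattern pipes and similar helpers) directly in kernel_t, a domain this file already gives `domain_use_all_fds`, `domain_signal_all_domains` and `term_use_all_terms`, so a helper whose arguments or environment can be influenced from userspace inherits all of that instead of the minimal `kernel_generic_helper_t` upstream introduced. The revert also leaves the ZFS comment (`# Enable running /usr/bin/env [u]mount ...`) above nothing, because `mount_domtrans(kernel_generic_helper_t)` was deleted with the helper; ZFS automounting now relies on kernel_t executing mount without a transition, which should either be stated in that comment or the comment dropped. If some helper failed under `kernel_generic_helper_t`, extending that domain with the missing rules and quoting the AVC in the commit message keeps the isolation; the message currently gives no reason for the revert at all.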
@@ -1,51 +0,0 @@ -From df3d1a93a1126c15fe540a48515c604217f3202e Mon Sep 17 00:00:00 2001 -From: guoxiaoqi -Date: Tue, 25 Feb 2020 20:15:44 +0800 -Subject: [PATCH] access to iptables run file - -Signed-off-by: guoxiaoqi ---- - policy/modules/contrib/firewalld.te | 3 +++ - policy/modules/system/iptables.if | 18 ++++++++++++++++++ - 2 files changed, 21 insertions(+) - -diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te -index 8b78b37..f1cbf0a 100644 ---- a/policy/modules/contrib/firewalld.te -+++ b/policy/modules/contrib/firewalld.te -@@ -139,3 +139,6 @@ optional_policy(` - optional_policy(` - networkmanager_read_state(firewalld_t) - ') -+ -+# avc for openEuler -+iptables_var_run_file(firewalld_t) -diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if -index 5e1a4a5..6bdd8cf 100644 ---- a/policy/modules/system/iptables.if -+++ b/policy/modules/system/iptables.if -@@ -221,3 +221,21 @@ interface(`iptables_read_var_run',` - allow $1 iptables_var_run_t:dir list_dir_perms; - read_files_pattern($1, iptables_var_run_t, iptables_var_run_t) - ') -+ -+##################################### -+## -+## Access to iptables run files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`iptables_var_run_file',` -+gen_require(` -+type iptables_var_run_t; -+') -+ -+allow $1 iptables_var_run_t:file { lock open read }; -+') --- -1.8.3.1 - diff --git a/add-access-to-faillog-file-for-systemd.patch b/add-access-to-faillog-file-for-systemd.patch deleted file mode 100644 index 4692fa42ef481e5804edd4de117d370b476a1eab..0000000000000000000000000000000000000000 --- a/add-access-to-faillog-file-for-systemd.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 6b63c0acdb2e2435e4294f2de08dd376db15e4e8 Mon Sep 17 00:00:00 2001 -From: guoxiaoqi -Date: Tue, 25 Feb 2020 21:02:54 +0800 -Subject: [PATCH] add access to faillog file for systemd - -Signed-off-by: guoxiaoqi ---- - policy/modules/system/authlogin.if | 19 +++++++++++++++++++ - policy/modules/system/init.te | 3 +++ - 2 files changed, 22 insertions(+) - -diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 728a1c4..6f35819 100644 ---- a/policy/modules/system/authlogin.if -+++ b/policy/modules/system/authlogin.if -@@ -2413,3 +2413,22 @@ interface(`auth_login_manage_key',` - - allow $1 login_pgm:key manage_key_perms; - ') -+ -+######################################## -+## -+## Manage the login failure log for systemd. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_manage_faillog',` -+gen_require(` -+type faillog_t; -+') -+ -+allow $1 faillog_t:dir { add_name write }; -+allow $1 faillog_t:file create; -+') -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 035720b..e0d584a 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -1868,3 +1868,6 @@ optional_policy(` - ccs_read_config(daemon) - ') - ') -+ -+# avc for oprnEuler -+systemd_manage_faillog(init_t) --- -1.8.3.1 - diff --git a/add-allow-shadow-tool-to-access-sssd-var-lib-file-di.patch b/add-allow-shadow-tool-to-access-sssd-var-lib-file-di.patch deleted file mode 100644 index 798c6463569eb3e68bb9d152aa7c2cee8ba51217..0000000000000000000000000000000000000000 --- a/add-allow-shadow-tool-to-access-sssd-var-lib-file-di.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From edba62fdaa8115c0c194ad6d86981e8c9692b8e7 Mon Sep 17 00:00:00 2001 -From: guoxiaoqi -Date: Thu, 4 Jun 2020 21:11:52 +0800 -Subject: [PATCH] add allow shadow tool to access sssd var lib file/dir - -Signed-off-by: guoxiaoqi ---- - policy/modules/admin/usermanage.te | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1977309..b8d51ba 100644 ---- a/policy/modules/admin/usermanage.te -+++ b/policy/modules/admin/usermanage.te -@@ -666,8 +666,13 @@ optional_policy(` - # avc for openEuler - #sssd_var_lib_dir(groupadd_t) - optional_policy(` -+ sssd_var_lib_dir(groupadd_t) - sssd_var_lib_map_file(groupadd_t) - sssd_var_lib_write_file(groupadd_t) -+ sssd_var_lib_map_file(passwd_t) -+ sssd_var_lib_write_file(passwd_t) - sssd_var_lib_map_file(useradd_t) - sssd_var_lib_write_file(useradd_t) -+ sssd_var_lib_create_file(useradd_t) -+ sssd_var_lib_dir(useradd_t) - ') --- -1.8.3.1 - diff --git a/add-allow-to-be-access-to-sssd-dir-and-file.patch b/add-allow-to-be-access-to-sssd-dir-and-file.patch deleted file mode 100644 index 22a435cd1b682df23acebd5679bb2f3ad8b8553e..0000000000000000000000000000000000000000 --- a/add-allow-to-be-access-to-sssd-dir-and-file.patch +++ /dev/null 
@@ -1,110 +0,0 @@ -From e4184b665f1ca1f86fb7554095a73a71ad4a46ef Mon Sep 17 00:00:00 2001 -From: guoxiaoqi -Date: Tue, 25 Feb 2020 18:30:13 +0800 -Subject: [PATCH] add allow to be access to sssd dir and file - -Signed-off-by: guoxiaoqi ---- - policy/modules/admin/usermanage.te | 8 +++++ - policy/modules/contrib/sssd.if | 72 ++++++++++++++++++++++++++++++++++++++ - 2 files changed, 80 insertions(+) - -diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 43fed66..c8580a7 100644 ---- a/policy/modules/admin/usermanage.te -+++ b/policy/modules/admin/usermanage.te -@@ -663,3 +663,11 @@ optional_policy(` - optional_policy(` - stapserver_manage_lib(useradd_t) - ') -+# avc for openEuler -+#sssd_var_lib_dir(groupadd_t) -+optional_policy(` -+ sssd_var_lib_map_file(groupadd_t) -+ sssd_var_lib_write_file(groupadd_t) -+ sssd_var_lib_map_file(useradd_t) -+ sssd_var_lib_write_file(useradd_t) -+') -diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if -index 50eee3f..1b61ccd 100644 ---- a/policy/modules/contrib/sssd.if -+++ b/policy/modules/contrib/sssd.if -@@ -576,3 +576,75 @@ interface(`sssd_admin',` - allow $1 sssd_unit_file_t:service all_service_perms; - - ') -+ -+######################################## -+## -+## Allow to be access to sssd lib dir. -+## -+## -+## -+## Domain to allow. -+## -+## -+# -+interface(`sssd_var_lib_dir',` -+gen_require(` -+type sssd_var_lib_t; -+') -+ -+allow $1 sssd_var_lib_t:dir { add_name write }; -+') -+ -+######################################## -+## -+## Allow to map sssd lib files. -+## -+## -+## -+## Domain to allow. -+## -+## -+# -+interface(`sssd_var_lib_map_file',` -+gen_require(` -+type sssd_var_lib_t; -+') -+ -+allow $1 sssd_var_lib_t:file map; -+') -+ -+######################################## -+## -+## Allow to write sssd lib files. -+## -+## -+## -+## Domain to allow. 
-+## -+## -+# -+interface(`sssd_var_lib_write_file',` -+gen_require(` -+type sssd_var_lib_t; -+') -+ -+allow $1 sssd_var_lib_t:file write; -+') -+ -+######################################## -+## -+## Allow to create sssd lib files. -+## -+## -+## -+## Domain to allow. -+## -+## -+# -+interface(`sssd_var_lib_create_file',` -+gen_require(` -+type sssd_var_lib_t; -+') -+ -+allow $1 sssd_var_lib_t:file create; -+') --- -1.8.3.1 - diff --git a/add-avc-for-kmod.patch b/add-avc-for-kmod.patch deleted file mode 100644 index 1a44778ce08809299ba0f037e5b0bb6dcb9d6b8a..0000000000000000000000000000000000000000 --- a/add-avc-for-kmod.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 9cc71f5e435a8cd95c1d186672ebbdb96e711a92 Mon Sep 17 00:00:00 2001 -From: guoxiaoqi -Date: Thu, 16 Jul 2020 18:45:34 +0800 -Subject: [PATCH] add avc for kmod - -Signed-off-by: guoxiaoqi ---- - policy/modules/system/modutils.te | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index add5eca..d512b51 100644 ---- a/policy/modules/system/modutils.te -+++ b/policy/modules/system/modutils.te -@@ -259,3 +259,6 @@ ifdef(`distro_gentoo',` - ') - ') - -+# avc for openEuler -+init_nnp_daemon_domain(insmod_t) -+ --- -1.8.3.1 - diff --git a/add-avc-for-openEuler-1.patch b/add-avc-for-os-1.patch similarity index 98% rename from add-avc-for-openEuler-1.patch rename to add-avc-for-os-1.patch index a7880ea1e51f24d5bbc14fd0359f4ec81cd2f110..5a926364fb3e96058ff4dc3757be321a60ecdb2c 100644 --- a/add-avc-for-openEuler-1.patch +++ b/add-avc-for-os-1.patch @@ -1,7 +1,7 @@ From 076002627934ea3f9ec59de1dde25a840bd1a452 Mon Sep 17 00:00:00 2001 From: HuaxinLuGitee <1539327763@qq.com> Date: Sun, 13 Dec 2020 14:48:26 +0800 -Subject: [PATCH] add-avc-for-openEuler-1 +Subject: [PATCH] add-avc-for-os-1 --- policy/modules/contrib/firewalld.te | 2 ++ 
diff --git a/add-avc-for-systemd-hostnamed-and-systemd-logind.patch b/add-avc-for-systemd-hostnamed-and-systemd-logind.patch deleted file mode 100644 index c49f1c7380a86c2ab41a5d24c3f6b1c37fa8c2dd..0000000000000000000000000000000000000000 --- a/add-avc-for-systemd-hostnamed-and-systemd-logind.patch +++ /dev/null @@ -1,30 +0,0 @@ -From f5e75734ba636d9a3db9e7fc4a9c7766b5f965aa Mon Sep 17 00:00:00 2001 -From: guoxiaoqi -Date: Thu, 16 Jul 2020 19:01:43 +0800 -Subject: [PATCH] add avc for systemd-hostnamed and systemd-logind - -Signed-off-by: guoxiaoqi ---- - policy/modules/system/systemd.te | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 7cb36c4..72f413c 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -373,6 +373,12 @@ optional_policy(` - xserver_search_xdm_tmp_dirs(systemd_logind_t) - ') - -+# avc for openEuler -+allow init_t systemd_logind_var_lib_t:dir { create mounton read }; -+allow init_t systemd_logind_var_run_t:dir mounton; -+init_nnp_daemon_domain(systemd_hostnamed_t) -+init_nnp_daemon_domain(systemd_logind_t) -+ - ######################################## - # - # systemd_machined local policy --- -1.8.3.1 - diff --git a/add-avc-for-systemd-journald.patch b/add-avc-for-systemd-journald.patch index e26cdf085248e04a0cb32b795cd7a86ac29d20e1..71634bc62874bc1c81107aa54021d47ab6597336 100644 --- a/add-avc-for-systemd-journald.patch +++ b/add-avc-for-systemd-journald.patch 
@@ -1,53 +1,23 @@ -From 9865bc70309c32f731d85e18f8ed29af184086cf Mon Sep 17 00:00:00 2001 -From: guoxiaoqi -Date: Thu, 16 Jul 2020 18:54:28 +0800 +From f984d0f1fa193e7f5fdf8bd8aef92b24550eaec4 Mon Sep 17 00:00:00 2001 +From: lujie42 +Date: Tue, 21 Dec 2021 17:19:13 +0800 Subject: [PATCH] add avc for systemd-journald -Signed-off-by: guoxiaoqi +Signed-off-by: lujie42 --- - policy/modules/kernel/devices.if | 18 ++++++++++++++++++ - policy/modules/kernel/kernel.if | 17 +++++++++++++++++ - policy/modules/system/init.te | 5 ++++- + policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ + policy/modules/system/init.te | 5 +++++ policy/modules/system/logging.if | 18 ++++++++++++++++++ - policy/modules/system/logging.te | 3 +++ - 5 files changed, 60 insertions(+), 1 deletion(-) + 3 files changed, 41 insertions(+) -diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 932b9bd..eb8c5c6 100644 ---- a/policy/modules/kernel/devices.if -+++ b/policy/modules/kernel/devices.if -@@ -7343,3 +7343,21 @@ interface(`dev_filetrans_xserver_named_dev',` - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8") - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") - ') -+ -+######################################## -+## -+## Allow to read the kernel messages -+## -+## -+## -+## Domain to allow. -+## -+## -+# -+interface(`dev_read_kernel_msg',` -+gen_require(` -+type kmsg_device_t; -+') -+ -+allow $1 kmsg_device_t:chr_file read; -+') diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 023ee09..a1bb39b 100644 +index 62845c1..a2e2750 100644 --- a/policy/modules/kernel/kernel.if 
+++ b/policy/modules/kernel/kernel.if -@@ -4268,3 +4268,20 @@ interface(`kernel_unlabeled_entry_type',` - allow $1 unlabeled_t:file { mmap_exec_file_perms ioctl lock }; - ') +@@ -4245,6 +4245,24 @@ interface(`kernel_read_netlink_audit_socket',` -+######################################## -+## + ######################################## + ## +## Access to netlink audit socket +## +## @@ -57,63 +27,63 @@ index 023ee09..a1bb39b 100644 +## +# +interface(`kernel_netlink_audit_socket',` -+gen_require(` -+type kernel_t; -+') ++ gen_require(` ++ type kernel_t; ++ ') + -+allow $1 kernel_t:netlink_audit_socket $2; ++ allow $1 kernel_t:netlink_audit_socket $2; +') ++ ++######################################## ++## + ## Execute an unlabeled file in the specified domain. + ## + ## diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index a92f4d8..6bccd0b 100644 +index 9a4a0d2..0aea278 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -1946,5 +1946,8 @@ optional_policy(` - ') - ') +@@ -731,6 +731,11 @@ auth_rw_lastlog(init_t) + auth_domtrans_chk_passwd(init_t) + auth_manage_passwd(init_t) --# avc for oprnEuler +# avc for openEuler - systemd_manage_faillog(init_t) +kernel_netlink_audit_socket(init_t, getattr) -+dev_read_kernel_msg(init_t) -+logging_journal(init_t) ++logging_access_journal(init_t) ++dev_read_kmsg(init_t) ++ + ifdef(`distro_redhat',` + # it comes from setupr scripts used in systemd unit files + # has been covered by initrc_t diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 408dba0..526a813 100644 +index 8092f3e..3452bd2 100644 --- a/policy/modules/system/logging.if 
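Review bot: The rewritten patch header changes the author and Signed-off-by from guoxiaoqi to lujie42 and drops the downstream `dev_read_kernel_msg` interface from devices.if, but the Subject stays the generic `add avc for systemd-journald` and the body still quotes no denial, so a reader cannot tell which AVCs the remaining rules answer or why the devices.if interface became unnecessary. Replacing a one-off `allow $1 kmsg_device_t:chr_file read;` interface with the upstream `dev_read_kmsg` is the right move and deserves a sentence in the message, e.g. `Use upstream dev_read_kmsg instead of the downstream dev_read_kernel_msg interface; list the AVCs answered by the init_t rules.` The devices.if and kernel.if hunks of the inner patch begin and end outside this outer hunk, so the surrounding interface bodies were not reviewed here.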
+++ b/policy/modules/system/logging.if -@@ -1686,3 +1686,21 @@ interface(`logging_dgram_send',` +@@ -1753,6 +1753,24 @@ interface(`logging_mmap_journal',` - allow $1 syslogd_t:unix_dgram_socket sendto; - ') -+ -+####################################### -+## -+## Access to files in /run/log/journal/ directory. + ####################################### + ## ++## Access to files in /run/log/journal/ directory. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`logging_journal',` -+gen_require(` -+type syslogd_var_run_t; -+') ++interface(`logging_access_journal',` ++ gen_require(` ++ type syslogd_var_run_t; ++ ') + -+allow $1 syslogd_var_run_t:file { create rename write }; ++ allow $1 syslogd_var_run_t:file { create rename write }; +') -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index cdaba23..ddeb00a 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -753,3 +753,6 @@ ifdef(`hide_broken_symptoms',` - ') - - logging_stream_connect_syslog(syslog_client_type) + -+# avc for openEuler -+init_nnp_daemon_domain(syslogd_t) ++####################################### ++## + ## Watch the /run/log/journal directory. + ## + ## -- 1.8.3.1 diff --git a/add-avc-for-systemd.patch b/add-avc-for-systemd.patch index c0c997a7771e30cb926d4692422a973ba05f2a5a..88e321e71c076a6e3ae6c314bbbed777104111e0 100644 --- a/add-avc-for-systemd.patch +++ b/add-avc-for-systemd.patch 
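Review bot: `kernel_netlink_audit_socket` takes its permission set as `$2` (`allow $1 kernel_t:netlink_audit_socket $2;`), which makes it a grant-anything interface on the kernel's audit netlink socket, whereas refpolicy interfaces fix the permissions so a reader of init.te sees exactly what is granted; the only caller passes `getattr`, so make it single-purpose with `allow $1 kernel_t:netlink_audit_socket getattr;`, no second parameter, and a name that says getattr. `logging_access_journal` likewise describes itself as `Access to files in /run/log/journal/ directory` while granting `{ create rename write }` (no open or read) on syslogd_var_run_t files; the summary should state those permissions, e.g. `## Create, rename and write (without open) files in /run/log/journal.` The new patch version no longer adds `init_nnp_daemon_domain(syslogd_t)`; confirm that is now provided upstream rather than silently dropped. The `# avc for openEuler` marker gives no denial text to check these rules against.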
@@ -1,80 +1,25 @@ -From 89ae7e3f5493d253cbe42e7950e426cd41433230 Mon Sep 17 00:00:00 2001 -From: guoxiaoqi -Date: Thu, 16 Jul 2020 19:09:57 +0800 +From dd92e4c3df1b07249810fb824bdddd2cee77c7eb Mon Sep 17 00:00:00 2001 +From: lujie42 +Date: Tue, 21 Dec 2021 17:34:01 +0800 Subject: [PATCH] add avc for systemd -Signed-off-by: guoxiaoqi +Signed-off-by: lujie42 --- - policy/modules/contrib/dbus.te | 3 +++ - policy/modules/kernel/devices.if | 18 ++++++++++++++++++ - policy/modules/system/init.te | 1 + - policy/modules/system/systemd.te | 4 ++++ - 4 files changed, 26 insertions(+) + policy/modules/system/init.te | 1 + + 1 file changed, 1 insertion(+) -diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te -index 4cf41a5..2e2732d 100644 ---- a/policy/modules/contrib/dbus.te -+++ b/policy/modules/contrib/dbus.te -@@ -384,6 +384,9 @@ optional_policy(` - xserver_append_xdm_home_files(session_bus_type) - ') - -+# avc for openEuler -+allow init_t session_dbusd_tmp_t:dir { read remove_name rmdir write }; -+allow init_t system_dbusd_var_run_t:sock_file read; - ######################################## - # - # Unconfined access to this module -diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index eb8c5c6..846bb94 100644 ---- a/policy/modules/kernel/devices.if -+++ b/policy/modules/kernel/devices.if -@@ -7361,3 +7361,21 @@ type kmsg_device_t; - - allow $1 kmsg_device_t:chr_file read; - ') -+ -+######################################## -+## -+## Allow to read the clock device. -+## -+## -+## -+## Domain to allow. -+## -+## -+# -+interface(`dev_read_clock_device',` -+gen_require(` -+type clock_device_t; -+') -+ -+allow $1 clock_device_t:chr_file read; -+') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 6bccd0b..b7a4114 100644 +index 0aea278..b1ed998 100644 --- a/policy/modules/system/init.te 
+++ b/policy/modules/system/init.te -@@ -1951,3 +1951,4 @@ systemd_manage_faillog(init_t) +@@ -735,6 +735,7 @@ auth_manage_passwd(init_t) kernel_netlink_audit_socket(init_t, getattr) - dev_read_kernel_msg(init_t) - logging_journal(init_t) -+dev_read_clock_device(init_t) -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 72f413c..0a65c1d 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -378,6 +378,10 @@ allow init_t systemd_logind_var_lib_t:dir { create mounton read }; - allow init_t systemd_logind_var_run_t:dir mounton; - init_nnp_daemon_domain(systemd_hostnamed_t) - init_nnp_daemon_domain(systemd_logind_t) -+init_nnp_daemon_domain(systemd_coredump_t) -+init_nnp_daemon_domain(systemd_initctl_t) -+init_nnp_daemon_domain(systemd_localed_t) -+init_nnp_daemon_domain(systemd_machined_t) + logging_access_journal(init_t) + dev_read_kmsg(init_t) ++dev_read_realtime_clock(init_t) - ######################################## - # + ifdef(`distro_redhat',` + # it comes from setupr scripts used in systemd unit files -- 1.8.3.1 diff --git a/add-qemu_exec_t-for-stratovirt.patch b/add-qemu_exec_t-for-stratovirt.patch new file mode 100644 index 0000000000000000000000000000000000000000..3b27e8292cdf5c610469238fbfbd488c975c3ef9 --- /dev/null +++ b/add-qemu_exec_t-for-stratovirt.patch 
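Review bot: The rewritten patch collapses the old version's dbus tmp dir rules, four `init_nnp_daemon_domain(systemd_*_t)` lines and the custom `dev_read_clock_device` interface into the single `dev_read_realtime_clock(init_t)`, which is cleaner, but the `# avc for openEuler` comment it sits under still records no denial, so nothing shows why init_t needs the RTC device. Replace the marker with the triggering AVC or a one-line reason, e.g. `# init reads the RTC device at boot (AVC: denied { read } ... tclass=chr_file)` filled in from the actual log. The dropped nnp rules for systemd_coredump_t, systemd_initctl_t, systemd_localed_t and systemd_machined_t are presumably covered by the rebased upstream policy; the commit should say so.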
@@ -0,0 +1,24 @@ +From 3f9a66fb7bb35a101d8be50d8f2fa238af62d11f Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Tue, 26 Dec 2023 17:18:00 +0800 +Subject: [PATCH] add qemu_exec_t for stratovirt + +--- + policy/modules/contrib/virt_supplementary.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/virt_supplementary.fc b/policy/modules/contrib/virt_supplementary.fc +index d27441f..5563457 100644 +--- a/policy/modules/contrib/virt_supplementary.fc ++++ b/policy/modules/contrib/virt_supplementary.fc +@@ -62,6 +62,7 @@ HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:sv + /usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0) + /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) + /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) ++/usr/bin/stratovirt -- gen_context(system_u:object_r:qemu_exec_t,s0) + + # support for QEMU-GA + /etc/qemu-ga/fsfreeze-hook\.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0) +-- +2.27.0 + diff --git a/add-rule-for-hostnamed-to-rpmscript-dbus-chat.patch b/add-rule-for-hostnamed-to-rpmscript-dbus-chat.patch new file mode 100644 index 0000000000000000000000000000000000000000..5456ae9049bf26eb9642a22e20c6b83274923e6b --- /dev/null +++ b/add-rule-for-hostnamed-to-rpmscript-dbus-chat.patch 
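Review bot: Labelling `/usr/bin/stratovirt` as `qemu_exec_t` makes libvirt, and any other domain with a qemu transition, treat StratoVirt exactly as qemu, which is presumably the intent, but the line carries no comment and the commit body is empty. Add a short reason above it, e.g. `# StratoVirt is launched by libvirt in place of qemu; share qemu_exec_t so the svirt transitions apply.` A file-context addition only takes effect after a relabel, so the packaging should run `restorecon` on the path (or rely on a policy relabel) for existing installs.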
@@ -0,0 +1,23 @@ +From ad87c8bd66e7625f87d15735ae4ada8466ff7e7e Mon Sep 17 00:00:00 2001 +From: lixiao +Date: Thu, 29 Dec 2022 16:37:42 +0800 +Subject: [PATCH] add rule for hostnamed to rpmscript dbus chat + +--- + policy/modules/contrib/rpm.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te +index 91337e4..10ab605 100644 +--- a/policy/modules/contrib/rpm.te ++++ b/policy/modules/contrib/rpm.te +@@ -465,6 +465,7 @@ optional_policy(` + systemd_dbus_chat_logind(rpm_script_t) + systemd_dbus_chat_timedated(rpm_script_t) + systemd_dbus_chat_localed(rpm_script_t) ++ systemd_dbus_chat_hostnamed(rpm_script_t) + ') + ') + +-- +2.27.0 diff --git a/allow-httpd-to-put-files-in-httpd-config-dir.patch b/allow-httpd-to-put-files-in-httpd-config-dir.patch new file mode 100644 index 0000000000000000000000000000000000000000..7ccea6c10ead7a388f690417d71c180af0aa0736 --- /dev/null +++ b/allow-httpd-to-put-files-in-httpd-config-dir.patch 
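Review bot: `systemd_dbus_chat_hostnamed(rpm_script_t)` gives every rpm scriptlet two-way D-Bus access to systemd-hostnamed, i.e. the ability to change the hostname during package install, and the commit body does not say which package's scriptlet triggered it. Since the surrounding block already chats with logind, timedated and localed the addition is consistent, but record the scriptlet and denial in the message or a comment, e.g. `# <package> scriptlet talks to hostnamed (AVC ...)`.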
@@ -0,0 +1,29 @@ +From cf6c809927dfc258f44e55116556625b4ecc7b5d Mon Sep 17 00:00:00 2001 +From: luhuaxin +Date: Fri, 24 Jun 2022 15:03:25 +0800 +Subject: [PATCH] allow httpd to put files in httpd config dir + +Signed-off-by: luhuaxin +--- + policy/modules/contrib/apache.te | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te +index 0e4d4bf..b264818 100644 +--- a/policy/modules/contrib/apache.te ++++ b/policy/modules/contrib/apache.te +@@ -516,9 +516,8 @@ files_var_filetrans(httpd_t, httpd_cache_t, { file dir }) + allow httpd_t httpd_cache_t:file map; + + # Allow the httpd_t to read the web servers config files +-allow httpd_t httpd_config_t:dir list_dir_perms; +-read_files_pattern(httpd_t, httpd_config_t, httpd_config_t) +-read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t) ++# and put files in /etc/httpd ++apache_manage_config(httpd_t) + allow httpd_t httpd_config_t:file map; + + can_exec(httpd_t, httpd_exec_t) +-- +1.8.3.1 + diff --git a/allow-init_t-create-fifo-file-in-net_conf-dir.patch b/allow-init_t-create-fifo-file-in-net_conf-dir.patch new file mode 100644 index 0000000000000000000000000000000000000000..a41b6f34aceec28d2ac124fcfdee780983fc1e8d --- /dev/null +++ b/allow-init_t-create-fifo-file-in-net_conf-dir.patch 
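Review bot: `apache_manage_config(httpd_t)` lets the web server process itself create, write and delete files under httpd_config_t, so a compromise of httpd or any module it loads can persist by writing its own `.conf` (a `LoadModule` line, for instance) — exactly the integrity boundary the removed read-only rules enforced — and the commit says only that httpd should `put files in /etc/httpd` without naming the feature or process that needs it. If a particular helper or management tool needs to write there, grant it to that domain rather than httpd_t; if httpd_t genuinely must, gate the write rules behind a tunable that defaults to off and keep the read/map rules unconditional. Also confirm `apache_manage_config` covers the `read_lnk_files_pattern` the patch removes, otherwise symlinked config files stop working.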
@@ -0,0 +1,25 @@ +From ebfc55113be3be3a298a14e767712cc5e16a50c3 Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Thu, 28 Dec 2023 19:17:52 +0800 +Subject: [PATCH] allow init_t create fifo file in net_conf dir + +Signed-off-by: Huaxin Lu +--- + policy/modules/system/init.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 4f2ce88..5fc8fed 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -879,6 +879,7 @@ optional_policy(` + optional_policy(` + sysnet_filetrans_cloud_net_conf(init_t) + sysnet_manage_config_pipes(init_t) ++ manage_fifo_files_pattern(init_t, net_conf_t, net_conf_t) + ') + + optional_policy(` +-- +2.27.0 + diff --git a/allow-map-postfix_master_t.patch b/allow-map-postfix_master_t.patch new file mode 100644 index 0000000000000000000000000000000000000000..9463970b825235dd1d46ba87948b422150606797 --- /dev/null +++ b/allow-map-postfix_master_t.patch @@ -0,0 +1,24 @@ +From 88bba24aac779da470bcf30dcb851d64a2352e9b Mon Sep 17 00:00:00 2001 +From: xwx1057739 +Date: Mon, 19 Sep 2022 15:37:00 +0800 +Subject: [PATCH] allow map postfix_master_t + +--- + policy/modules/contrib/postfix.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te +index 257b589..b160137 100644 +--- a/policy/modules/contrib/postfix.te ++++ b/policy/modules/contrib/postfix.te +@@ -854,3 +854,7 @@ optional_policy(` + optional_policy(` + udev_read_db(postfix_domain) + ') ++ ++optional_policy(` ++ mta_map_aliases(postfix_master_t) ++') +-- +2.33.0 + diff --git a/allow-systemd-hostnamed-and-logind-read-policy.patch b/allow-systemd-hostnamed-and-logind-read-policy.patch deleted file mode 100644 index 9524c7995d6b6eead465d1e71b9567e80d01f888..0000000000000000000000000000000000000000 --- a/allow-systemd-hostnamed-and-logind-read-policy.patch +++ /dev/null 
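Review bot: `manage_fifo_files_pattern(init_t, net_conf_t, net_conf_t)` names `net_conf_t` directly from init.te instead of going through a sysnetwork interface, which is what the two preceding `sysnet_*` calls in this `optional_policy` block do; if `sysnet_manage_config_pipes(init_t)` on the line above is meant to cover fifo files under net_conf_t the new line is redundant, and if it is not, the fix belongs in that interface (`manage_fifo_files_pattern($1, net_conf_t, net_conf_t)` inside sysnetwork.if) so the grant stays visible to the module that owns the type. The commit body is empty; quote the denial so the need for full manage (create, unlink, rename) rather than read/write can be checked.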
@@ -1,34 +0,0 @@ -From 8b2179cbe385e4b67ab159ac7eee159a664888e3 Mon Sep 17 00:00:00 2001 -From: HuaxinLuGitee <1539327763@qq.com> -Date: Tue, 22 Sep 2020 20:44:36 +0800 -Subject: [PATCH] commit 2 - ---- - policy/modules/system/systemd.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 7cb36c4..a98d366 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -331,6 +331,8 @@ userdom_manage_user_tmp_chr_files(systemd_logind_t) - - xserver_dbus_chat(systemd_logind_t) - -+allow systemd_logind_t security_t:file mmap_read_file_perms; -+ - optional_policy(` - apache_read_tmp_files(systemd_logind_t) - ') -@@ -818,6 +820,8 @@ systemd_read_efivarfs(systemd_hostnamed_t) - userdom_read_all_users_state(systemd_hostnamed_t) - userdom_dbus_send_all_users(systemd_hostnamed_t) - -+allow systemd_hostnamed_t security_t:file mmap_read_file_perms; -+ - optional_policy(` - dbus_system_bus_client(systemd_hostnamed_t) - dbus_connect_system_bus(systemd_hostnamed_t) --- -1.8.3.1 - diff --git a/allow-systemd-machined-create-userdbd-runtime-sock-file.patch b/allow-systemd-machined-create-userdbd-runtime-sock-file.patch deleted file mode 100644 index fcb2ce61bfc0856da993a63aec58719effaa554c..0000000000000000000000000000000000000000 --- a/allow-systemd-machined-create-userdbd-runtime-sock-file.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From d4a034518393bd1c0277a4dd3e87c8e94b394317 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Tue, 11 Aug 2020 12:47:42 +0200 -Subject: [PATCH] Allow systemd-machined create userdbd runtime sock files - -Create the systemd_create_userdbd_runtime_sock_files() interface. - -Resolves: rhbz#1862686 ---- - policy/modules/system/systemd.if | 18 ++++++++++++++++++ - policy/modules/system/systemd.te | 1 + - 2 files changed, 19 insertions(+) - -diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index c9d2ed7..a6d8bd0 100644 ---- a/policy/modules/system/systemd.if -+++ b/policy/modules/system/systemd.if -@@ -2374,3 +2374,21 @@ interface(`systemd_userdbd_stream_connect',` - - allow $1 systemd_userdbd_t:unix_stream_socket connectto; - ') -+ -+####################################### -+## -+## Create a named socket in userdbd runtime directory -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_create_userdbd_runtime_sock_files',` -+ gen_require(` -+ type systemd_userdbd_runtime_t; -+ ') -+ -+ create_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) -+') -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 367758a..806b7d6 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -415,6 +415,7 @@ init_manage_config_transient_files(systemd_machined_t) - logging_dgram_send(systemd_machined_t) - - systemd_read_efivarfs(systemd_machined_t) -+systemd_create_userdbd_runtime_sock_files(systemd_machined_t) - - userdom_dbus_send_all_users(systemd_machined_t) - --- -1.8.3.1 - diff --git a/allow-systemd-to-mount-unlabeled-filesystemd.patch b/allow-systemd-to-mount-unlabeled-filesystemd.patch deleted file mode 100644 index 4adc4801f9c48c5393a770d2ba00548b55ce021a..0000000000000000000000000000000000000000 --- a/allow-systemd-to-mount-unlabeled-filesystemd.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From e9b8e0daa3fb3f3b7079ffb6095d9842ccda4554 Mon Sep 17 00:00:00 2001 -From: guoxiaoqi -Date: Thu, 16 Jul 2020 19:35:21 +0800 -Subject: [PATCH] allow systemd to mount unlabeled filesystemd - -Signed-off-by: guoxiaoqi ---- - policy/modules/system/init.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index b7a4114..d8ca280 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -591,6 +591,7 @@ dev_rw_wireless(init_t) - files_search_all(init_t) - files_mounton_all_mountpoints(init_t) - files_mounton_etc(init_t) -+files_mounton_isid(init_t) - files_unmount_all_file_type_fs(init_t) - files_mounton_kernel_symbol_table(init_t) - files_manage_all_pid_dirs(init_t) --- -1.8.3.1 - diff --git a/allow-systemd_machined_t-delete-userdbd-runtime-sock.patch b/allow-systemd_machined_t-delete-userdbd-runtime-sock.patch deleted file mode 100644 index cd964b836a713aedd29ffa6da328b59ed3a4c7ff..0000000000000000000000000000000000000000 --- a/allow-systemd_machined_t-delete-userdbd-runtime-sock.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 99e2285e42bb9d06dbf1322b2990ccee974e1c92 Mon Sep 17 00:00:00 2001 -From: HuaxinLuGitee <1539327763@qq.com> -Date: Thu, 17 Sep 2020 14:27:25 +0800 -Subject: [PATCH] allow systemd_machined_t delete userdbd runtime sock file - ---- - policy/modules/system/systemd.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 7cb36c4..d0127f6 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -189,6 +189,8 @@ systemd_unit_file(systemd_userdbd_unit_file_t) - type systemd_userdbd_runtime_t; - files_pid_file(systemd_userdbd_runtime_t) - -+delete_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) -+ - ####################################### - # - # Systemd_logind local policy --- -1.8.3.1 - 
diff --git a/backport-Add-dev_lock_all_blk_files-interface.patch b/backport-Add-dev_lock_all_blk_files-interface.patch deleted file mode 100644 index 48c1da5acfe053eb434a9150d9bc95786c5a8438..0000000000000000000000000000000000000000 --- a/backport-Add-dev_lock_all_blk_files-interface.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From 395220122fcd6b93956c758a2a5094487254a89e Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 30 Jul 2020 18:21:16 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/395220122fcd6b93956c758a2a5094487254a89e -Conflict: NA -Subject: [PATCH] Add dev_lock_all_blk_files() interface - -For use in the dev_lock_all_blk_files() interface, create the -lock_blk_files_pattern and lock_blk_file_perms object permissions set. ---- - policy/modules/kernel/devices.if | 20 ++++++++++++++++++++ - policy/support/file_patterns.spt | 5 +++++ - policy/support/obj_perm_sets.spt | 1 + - 3 files changed, 26 insertions(+) - -diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 932b9bd..2a69660 100644 ---- a/policy/modules/kernel/devices.if -+++ b/policy/modules/kernel/devices.if -@@ -1169,6 +1169,26 @@ interface(`dev_getattr_all_blk_files',` - - ######################################## - ## -+## Lock on all block file device nodes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`dev_lock_all_blk_files',` -+ gen_require(` -+ attribute device_node; -+ type device_t; -+ ') -+ -+ lock_blk_files_pattern($1, device_t, device_node) -+') -+ -+######################################## -+## - ## Read on all block file device nodes. 
- ## - ## -diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt -index 8aa8c36..7e3fccd 100644 ---- a/policy/support/file_patterns.spt -+++ b/policy/support/file_patterns.spt -@@ -408,6 +408,11 @@ define(`setattr_blk_files_pattern',` - allow $1 $3:blk_file setattr_blk_file_perms; - ') - -+define(`lock_blk_files_pattern',` -+ allow $1 $2:dir search_dir_perms; -+ allow $1 $3:blk_file lock_blk_file_perms; -+') -+ - define(`read_blk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:blk_file read_blk_file_perms; -diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index 399c448..524c586 100644 ---- a/policy/support/obj_perm_sets.spt -+++ b/policy/support/obj_perm_sets.spt -@@ -233,6 +233,7 @@ define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }') - # - define(`getattr_blk_file_perms',`{ getattr }') - define(`setattr_blk_file_perms',`{ setattr }') -+define(`lock_blk_file_perms',`{ getattr lock }') - define(`read_blk_file_perms',`{ getattr open read lock ioctl }') - define(`append_blk_file_perms',`{ getattr open append lock ioctl }') - define(`write_blk_file_perms',`{ getattr open write append lock ioctl }') --- -1.8.3.1 - diff --git a/backport-Add-lvm_dbus_send_msg-lvm_rw_var_run-interfaces.patch b/backport-Add-lvm_dbus_send_msg-lvm_rw_var_run-interfaces.patch deleted file mode 100644 index 95116c87af324cdfc717bae0125ed28c8b1c1191..0000000000000000000000000000000000000000 --- a/backport-Add-lvm_dbus_send_msg-lvm_rw_var_run-interfaces.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 86c35f41cfe150545db77835cb96bf342f35f44f Mon Sep 17 00:00:00 2001 -From: Tony Asleson -Date: Fri, 11 Sep 2020 11:06:28 -0500 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/86c35f41cfe150545db77835cb96bf342f35f44f -Conflict: NA -Subject: [PATCH] Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces - -Signed-off-by: Tony Asleson ---- - policy/modules/system/lvm.if | 36 ++++++++++++++++++++++++++++++++++++ - 1 file changed, 36 insertions(+) - -diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index fbbb39e..7f3903a 100644 ---- a/policy/modules/system/lvm.if -+++ b/policy/modules/system/lvm.if -@@ -452,4 +452,40 @@ interface(`lvm_manage_lock',` - ') - - -+######################################## -+## -+## Allow dbus send for lvm dbus API (only send needed) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`lvm_dbus_send_msg',` -+ gen_require(` -+ type lvm_t; -+ class dbus send_msg; -+ ') -+ allow $1 lvm_t:dbus send_msg; - -+') -+ -+######################################## -+## -+## Allow lvm hints file access -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`lvm_rw_var_run',` -+ gen_require(` -+ type lvm_t; -+ type lvm_var_run_t; -+ ') -+ allow $1 lvm_var_run_t:file { rw_file_perms }; -+ -+') --- -1.8.3.1 - diff --git a/backport-Add-new-devices-and-filesystem-interfaces.patch b/backport-Add-new-devices-and-filesystem-interfaces.patch deleted file mode 100644 index a5572511b95e80e958c9dec8b6855b26bc2377ca..0000000000000000000000000000000000000000 --- a/backport-Add-new-devices-and-filesystem-interfaces.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -From e6506d8ed109fe85ae9236a62c17f68a8eeedb8f Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Fri, 4 Sep 2020 12:28:24 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/e6506d8ed109fe85ae9236a62c17f68a8eeedb8f -Conflict: NA -Subject: [PATCH] Add new devices and filesystem interfaces - -Add dev_remount_sysfs_fs(), fs_all_mount_fs_perms_xattr_fs(), -fs_all_mount_fs_perms_tmpfs() interfaces. ---- - policy/modules/kernel/devices.if | 18 ++++++++++++++++++ - policy/modules/kernel/filesystem.if | 38 +++++++++++++++++++++++++++++++++++++ - 2 files changed, 56 insertions(+) - -diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 2a69660..61fedbb 100644 ---- a/policy/modules/kernel/devices.if -+++ b/policy/modules/kernel/devices.if -@@ -4832,6 +4832,24 @@ interface(`dev_unmount_sysfs_fs',` - - ######################################## - ## -+## Remount sysfs filesystems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_remount_sysfs_fs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ allow $1 sysfs_t:filesystem remount; -+') -+ -+######################################## -+## - ## Search the sysfs directories. - ## - ## -diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 17a9f08..d3f24d2 100644 ---- a/policy/modules/kernel/filesystem.if -+++ b/policy/modules/kernel/filesystem.if -@@ -169,6 +169,26 @@ interface(`fs_unmount_xattr_fs',` - - ######################################## - ## -+## Mount, remount, unmount a persistent filesystem which -+## has extended attributes, such as -+## ext3, JFS, or XFS. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`fs_all_mount_fs_perms_xattr_fs',` -+ gen_require(` -+ type fs_t; -+ ') -+ -+ allow $1 fs_t:filesystem mount_fs_perms; -+') -+ -+######################################## -+## - ## Get the attributes of persistent - ## filesystems which have extended - ## attributes, such as ext3, JFS, or XFS. -@@ -5206,6 +5226,24 @@ interface(`fs_unmount_tmpfs',` - - ######################################## - ## -+## Mount, remount, unmount a tmpfs filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_all_mount_fs_perms_tmpfs',` -+ gen_require(` -+ type tmpfs_t; -+ ') -+ -+ allow $1 tmpfs_t:filesystem mount_fs_perms; -+') -+ -+######################################## -+## - ## Mount on tmpfs directories. - ## - ## --- -1.8.3.1 - diff --git a/backport-Add-systemd_resolved_write_pid_sock_files-interface.patch b/backport-Add-systemd_resolved_write_pid_sock_files-interface.patch deleted file mode 100644 index 62c5d19e165afef27d28515a66341bf29a47be42..0000000000000000000000000000000000000000 --- a/backport-Add-systemd_resolved_write_pid_sock_files-interface.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 33837787642166330b1400133de2023aa931f236 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 10 Dec 2020 00:15:37 +0100 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/33837787642166330b1400133de2023aa931f236 -Conflict: NA -Subject: [PATCH] Add systemd_resolved_write_pid_sock_files() interface - ---- - policy/modules/system/systemd.if | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index ffed76c..26d4927 100644 ---- a/policy/modules/system/systemd.if -+++ b/policy/modules/system/systemd.if -@@ -318,6 +318,25 @@ interface(`systemd_resolved_read_pid',` - - ###################################### - ## -+## Write to systemd_resolved PID socket files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_resolved_write_pid_sock_files',` -+ gen_require(` -+ type systemd_resolved_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ write_sock_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t) -+') -+ -+###################################### -+## - ## Read systemd_login PID files. - ## - ## --- -1.8.3.1 - diff --git a/backport-Allow-IPsec-and-certmonger-to-use-opencryptoki-servi.patch b/backport-Allow-IPsec-and-certmonger-to-use-opencryptoki-servi.patch deleted file mode 100644 index cd4f83320393bb3a84cf2fcb686fd1972c5403b8..0000000000000000000000000000000000000000 --- a/backport-Allow-IPsec-and-certmonger-to-use-opencryptoki-servi.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 6cc668244e41677470f5e97ab0f680436ac61652 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 26 Apr 2021 22:39:43 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/6cc668244e41677470f5e97ab0f680436ac61652 -Conflict: NA -Subject: [PATCH] Allow IPsec and certmonger to use opencryptoki services - -Add to certmonger and ipsec policy interface pkcs_use_opencryptoki(), -which allow use opencryptoki. Opencryptoki implements PKCS#11 -standard. - -The original commit has been split in 2 parts, this is the part for ipsec. - -Resolves: rhbz#1952311 ---- - policy/modules/system/ipsec.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 7e99f16..9d679cb 100644 ---- a/policy/modules/system/ipsec.te -+++ b/policy/modules/system/ipsec.te -@@ -247,6 +247,10 @@ optional_policy(` - ') - ') - -+optional_policy(` -+ pkcs_use_opencryptoki(ipsec_t) -+') -+ - ######################################## - # - # ipsec_mgmt Local policy --- -1.8.3.1 - diff --git a/backport-Allow-all-users-to-connect-to-systemd-userdbd-with-a.patch b/backport-Allow-all-users-to-connect-to-systemd-userdbd-with-a.patch deleted file mode 100644 index 81abf3251c4aec40791e2d7213413df295999a32..0000000000000000000000000000000000000000 --- a/backport-Allow-all-users-to-connect-to-systemd-userdbd-with-a.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 5e9918310dccf6d6dd1da52c19ce2a2927d0a96e Mon Sep 17 00:00:00 2001 -From: Richard Filo -Date: Mon, 24 Aug 2020 10:55:10 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/5e9918310dccf6d6dd1da52c19ce2a2927d0a96e -Conflict: NA -Subject: [PATCH] Allow all users to connect to systemd-userdbd with a unix - socket - -Add interface systemd_userdbd_stream_connect() to allow communication using userdb sockets. - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1835630 ---- - policy/modules/system/userdomain.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 89b4867..756ac4a 100644 ---- a/policy/modules/system/userdomain.te -+++ b/policy/modules/system/userdomain.te -@@ -209,6 +209,10 @@ optional_policy(` - xserver_filetrans_home_content(userdomain) - ') - -+optional_policy(` -+ systemd_userdbd_stream_connect(userdomain) -+') -+ - # rules for types which can read home certs - allow userdom_home_reader_certs_type home_cert_t:dir list_dir_perms; - read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t) --- -1.8.3.1 - diff --git a/backport-Allow-auditd-manage-kerberos-host-rcache-files.patch b/backport-Allow-auditd-manage-kerberos-host-rcache-files.patch deleted file mode 100644 index 8ac7cdd941b5465056dd9aa7b130b3d331923228..0000000000000000000000000000000000000000 --- a/backport-Allow-auditd-manage-kerberos-host-rcache-files.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From af31e95e95b62fce1e495df73d817f8a533a2190 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Tue, 28 Jul 2020 19:41:56 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/af31e95e95b62fce1e495df73d817f8a533a2190 -Conflict: NA -Subject: [PATCH] Allow auditd manage kerberos host rcache files - ---- - policy/modules/system/logging.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index cdaba23..db0b849 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -256,6 +256,10 @@ ifdef(`distro_ubuntu',` - ') - - optional_policy(` -+ kerberos_manage_host_rcache(auditd_t) -+') -+ -+optional_policy(` - mta_send_mail(auditd_t) - ') - --- -1.8.3.1 - diff --git a/backport-Allow-dhcpc_t-domain-transition-to-chronyc_t.patch b/backport-Allow-dhcpc_t-domain-transition-to-chronyc_t.patch deleted file mode 100644 index 79aa9ee61c8e4cb31b608543fa432263a8b788cc..0000000000000000000000000000000000000000 --- a/backport-Allow-dhcpc_t-domain-transition-to-chronyc_t.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 32aa3f5509900563632fec1a1536c84da50553ed Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 1 Apr 2021 17:36:08 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/32aa3f5509900563632fec1a1536c84da50553ed -Conflict: NA -Subject: [PATCH] Allow dhcpc_t domain transition to chronyc_t - -This permission is required when dhclient-script executes -the chrony.sh script from /etc/dhcp/dhclient.d. - -Resolves: rhbz#1897388 ---- - policy/modules/system/sysnetwork.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index fb0a0c8..70eaf92 100644 ---- a/policy/modules/system/sysnetwork.te -+++ b/policy/modules/system/sysnetwork.te -@@ -198,6 +198,7 @@ optional_policy(` - chronyd_initrc_domtrans(dhcpc_t) - chronyd_systemctl(dhcpc_t) - chronyd_domtrans(dhcpc_t) -+ chronyd_domtrans_chronyc(dhcpc_t) - chronyd_read_keys(dhcpc_t) - ') - --- -1.8.3.1 - diff --git a/backport-Allow-domain-stat-proc-filesystem.patch b/backport-Allow-domain-stat-proc-filesystem.patch deleted file mode 100644 index 61c2ee7d0610ab4e443a8547a9b9d88d49fec191..0000000000000000000000000000000000000000 --- a/backport-Allow-domain-stat-proc-filesystem.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From d58c107591c0f99ee8003221296f998ad75d8148 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 4 Jan 2021 19:50:49 +0100 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/d58c107591c0f99ee8003221296f998ad75d8148 -Conflict: NA -Subject: [PATCH] Allow domain stat /proc filesystem - -Resolves: rhbz#1892401 ---- - policy/modules/kernel/domain.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index c77a6fe..dff8caa 100644 ---- a/policy/modules/kernel/domain.te -+++ b/policy/modules/kernel/domain.te -@@ -129,6 +129,7 @@ allow domain self:fifo_file rw_fifo_file_perms; - allow domain self:sem create_sem_perms; - allow domain self:shm create_shm_perms; - -+kernel_getattr_proc(domain) - kernel_read_proc_symlinks(domain) - kernel_read_crypto_sysctls(domain) - kernel_read_vm_overcommit_sysctls(domain) --- -1.8.3.1 - diff --git a/backport-Allow-domain-stat-the-sys-filesystem.patch b/backport-Allow-domain-stat-the-sys-filesystem.patch deleted file mode 100644 index a7c56f46b28c687810d1f83c8f9928456c9de131..0000000000000000000000000000000000000000 --- a/backport-Allow-domain-stat-the-sys-filesystem.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 506809cbed4f682a030f29b6ee00d79b1570448f Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Fri, 19 Feb 2021 21:38:42 +0100 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/506809cbed4f682a030f29b6ee00d79b1570448f -Conflict: NA -Subject: [PATCH] Allow domain stat the /sys filesystem - -Checking for the availability of the /sys filesystem is requested -by all services that want to read hardware state information. -As such, adding this permission would semantically fit into the -dev_read_sysfs() interface to allow the getattr permission for each -domain calling this interface. This would, however, add about 300 new -rules into the policy, so the permission is allowed for the domain -attribute instead not to affect performance much. It seems safe allow -it for all domains. - -Example of such services are rngd, pcscd, usbmuxd. - -Resolves: rhbz#1928572 -Resolves: rhbz#1928611 -Resolves: rhbz#1930992 ---- - policy/modules/kernel/domain.te | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index 2ab7a49..8e52b17 100644 ---- a/policy/modules/kernel/domain.te -+++ b/policy/modules/kernel/domain.te -@@ -150,6 +150,11 @@ dev_rw_null(domain) - dev_rw_zero(domain) - term_use_controlling_term(domain) - -+# Allow all domains stat /sys. It is needed by services reading hardware -+# state information, but there is no harm to allow it to all domains in general. -+ -+dev_getattr_sysfs_fs(domain) -+ - # Allow all domains to read /dev/urandom. It is needed by all apps/services - # linked to libgcrypt. There is no harm to allow it by default. - dev_read_urand(domain) --- -1.8.3.1 - diff --git a/backport-Allow-domain-write-to-an-automount-unnamed-pipe.patch b/backport-Allow-domain-write-to-an-automount-unnamed-pipe.patch deleted file mode 100644 index 935b54aadf37530720aea7ca450d70426e0f4827..0000000000000000000000000000000000000000 
--- a/backport-Allow-domain-write-to-an-automount-unnamed-pipe.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 93e95ff085a9877e5ab981db18b2ba37409b3cb2 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 24 Sep 2020 13:12:54 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/93e95ff085a9877e5ab981db18b2ba37409b3cb2 -Conflict: NA -Subject: [PATCH] Allow domain write to an automount unnamed pipe - -With the kernel commit 13c164b1a186 ("autofs: switch to kernel_write"), -an additional LSM permission check is done when a process tries to -access a directory on an autofs volume, which has not been mounted yet, -and it results in a write operation to the automount pipe. - -This commit allows any domain write to the unnamed pipe kernel uses to -communicate with automount to service the directory access request and -should be considered a temporary workaround until a different -implementation in kernel is found. - -Resolves: rhbz#1874338 ---- - policy/modules/kernel/domain.te | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index b883be0..c77a6fe 100644 ---- a/policy/modules/kernel/domain.te -+++ b/policy/modules/kernel/domain.te -@@ -570,6 +570,12 @@ optional_policy(` - ') - - optional_policy(` -+ # A workaround to handle additional permissions check -+ # introduced as an involuntary result of a kernel change -+ automount_write_pipes(domain) -+') -+ -+optional_policy(` - sosreport_append_tmp_files(domain) - ') - --- -1.8.3.1 - diff --git a/backport-Allow-domain-write-to-systemd-resolved-PID-socket-fi.patch b/backport-Allow-domain-write-to-systemd-resolved-PID-socket-fi.patch deleted file mode 100644 index 850dc10edbcac0b59d893b6f732eb4f7824aa23f..0000000000000000000000000000000000000000 --- a/backport-Allow-domain-write-to-systemd-resolved-PID-socket-fi.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 7bcba980168b70a4164a1ec768ea56e723ed390b Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 25 Jan 2021 22:08:16 +0100 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/7bcba980168b70a4164a1ec768ea56e723ed390b -Conflict: NA -Subject: [PATCH] Allow domain write to systemd-resolved PID socket files - -Previously, the permission was allowed for the nsswitch_domain -attribute which turned out not to be sufficient. - -Resolves: rhbz#1900175 ---- - policy/modules/kernel/domain.te | 1 + - policy/modules/system/authlogin.te | 1 - - 2 files changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index dff8caa..2ab7a49 100644 ---- a/policy/modules/kernel/domain.te -+++ b/policy/modules/kernel/domain.te -@@ -510,6 +510,7 @@ optional_policy(` - systemd_login_reboot(unconfined_domain_type) - systemd_login_halt(unconfined_domain_type) - systemd_login_undefined(unconfined_domain_type) -+ systemd_resolved_write_pid_sock_files(domain) - systemd_filetrans_named_content(named_filetrans_domain) - systemd_filetrans_named_hostname(named_filetrans_domain) - systemd_filetrans_home_content(named_filetrans_domain) -diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 576ec5f..068caed 100644 ---- a/policy/modules/system/authlogin.te -+++ b/policy/modules/system/authlogin.te -@@ -562,7 +562,6 @@ optional_policy(` - ') - - optional_policy(` -- systemd_resolved_write_pid_sock_files(nsswitch_domain) - systemd_userdbd_stream_connect(nsswitch_domain) - systemd_machined_stream_connect(nsswitch_domain) - ') --- -1.8.3.1 - diff --git a/backport-Allow-dovecot-bind-to-smtp-ports.patch b/backport-Allow-dovecot-bind-to-smtp-ports.patch deleted file mode 100644 index 6ba675181376af123325a5968f15a5e4901da2fb..0000000000000000000000000000000000000000 --- a/backport-Allow-dovecot-bind-to-smtp-ports.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From f5c688321e04364bdfd030dd1412a7e5a4ecc6b6 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Tue, 10 Nov 2020 18:04:49 +0100 -Subject: [PATCH] Allow dovecot bind to smtp ports - -When dovecot is configured to listen on submission ports -(tcp 465 or 587), it requires the name_bind permission to ports -labeled smtp_port_t. - -Resolves: rhbz#1881884 ---- - dovecot.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te -index 6cf4b72e9..0b140e932 100644 ---- a/policy/modules/contrib/dovecot.te -+++ b/policy/modules/contrib/dovecot.te -@@ -147,6 +147,7 @@ corenet_tcp_bind_mail_port(dovecot_t) - corenet_tcp_bind_pop_port(dovecot_t) - corenet_tcp_bind_lmtp_port(dovecot_t) - corenet_tcp_bind_sieve_port(dovecot_t) -+corenet_tcp_bind_smtp_port(dovecot_t) - corenet_tcp_connect_all_ports(dovecot_t) - corenet_tcp_connect_postgresql_port(dovecot_t) - corenet_sendrecv_pop_server_packets(dovecot_t) --- -2.23.0 - diff --git a/backport-Allow-dyntransition-from-sshd_t-to-unconfined_t.patch b/backport-Allow-dyntransition-from-sshd_t-to-unconfined_t.patch deleted file mode 100644 index 08484d64f6ea129aa44c8f689b865f76f0c8ffb5..0000000000000000000000000000000000000000 --- a/backport-Allow-dyntransition-from-sshd_t-to-unconfined_t.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 3a9a9a5de73cadfd9629967c3e9b105b3cfc48e0 Mon Sep 17 00:00:00 2001 -From: Patrik Koncity -Date: Wed, 9 Sep 2020 12:09:09 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/3a9a9a5de73cadfd9629967c3e9b105b3cfc48e0 -Conflict: NA -Subject: [PATCH] Allow dyntransition from sshd_t to unconfined_t - -Removing attribute in previous commit affected connecting via ssh to unconfined user. -Missed dyntransition from sshd domain to unconfined domain. -Added ssh_dyntransition_to() interface. ---- - policy/modules/roles/unconfineduser.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te -index ca8947b..4ab04b3 100644 ---- a/policy/modules/roles/unconfineduser.te -+++ b/policy/modules/roles/unconfineduser.te -@@ -91,6 +91,8 @@ logging_send_syslog_msg(unconfined_t) - - systemd_config_all_services(unconfined_t) - -+ssh_dyntransition_to(unconfined_t) -+ - unconfined_domain_noaudit(unconfined_t) - domain_named_filetrans(unconfined_t) - domain_transition_all(unconfined_t) --- -1.8.3.1 - diff --git a/backport-Allow-initrc_t-create-run-chronyd-dhcp-directory-wit.patch b/backport-Allow-initrc_t-create-run-chronyd-dhcp-directory-wit.patch deleted file mode 100644 index 36916e23e211c8083a9a605b471d950498955b41..0000000000000000000000000000000000000000 --- a/backport-Allow-initrc_t-create-run-chronyd-dhcp-directory-wit.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From bad3809a314f6e6d1199e2201eb0c4fefbc8766a Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Wed, 14 Oct 2020 22:45:29 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/bad3809a314f6e6d1199e2201eb0c4fefbc8766a -Conflict: NA -Subject: [PATCH] Allow initrc_t create /run/chronyd-dhcp directory with a - transition - -Chronyd is required to read preferred sources files stored in -/run/chronyd-dhcp to be able to get correct time settings -from the dhcp server and have them applied. - -Resolves: rhbz#1880948 ---- - policy/modules/system/init.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 50b655b..f72a8ef 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -1210,6 +1210,10 @@ ifdef(`distro_redhat',` - ') - - optional_policy(` -+ chronyd_pid_filetrans(initrc_t) -+ ') -+ -+ optional_policy(` - cyrus_write_data(initrc_t) - ') - --- -1.8.3.1 - diff --git a/backport-Allow-kdump_t-net_admin-capability.patch b/backport-Allow-kdump_t-net_admin-capability.patch deleted file mode 100644 index c1a6a9ad8ae3fe2f223e721138d1eed7dfa425ee..0000000000000000000000000000000000000000 --- a/backport-Allow-kdump_t-net_admin-capability.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 027923e5647f7f0d1ecbaa7fc4d03cbd193a1424 Mon Sep 17 00:00:00 2001 -From: LuLuLu <1539327763@qq.com> -Date: Tue, 25 May 2021 20:06:29 +0800 -Subject: [PATCH] Allow kdump_t net_admin capability - -When reboot with kexec, kdump_t process needs net_admin capability to run ifdown. ---- - policy/modules/contrib/kdump.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te -index a253134..7e73c65 100644 ---- a/policy/modules/contrib/kdump.te -+++ b/policy/modules/contrib/kdump.te -@@ -41,7 +41,7 @@ files_tmp_file(kdumpctl_tmp_t) - # kdump local policy - # - --allow kdump_t self:capability { sys_admin sys_boot dac_read_search }; -+allow kdump_t self:capability { sys_admin sys_boot dac_read_search net_admin }; - #allow kdump_t self:capability2 compromise_kernel; - - allow kdump_t self:udp_socket create_socket_perms; --- -1.8.3.1 - diff --git a/backport-Allow-local_login_t-get-attributes-of-tmpfs-filesyst.patch b/backport-Allow-local_login_t-get-attributes-of-tmpfs-filesyst.patch deleted file mode 100644 index 4290b02e064b7b141983e8ad809f78f786aaa743..0000000000000000000000000000000000000000 --- a/backport-Allow-local_login_t-get-attributes-of-tmpfs-filesyst.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From 4f44d3028edb3cda2b2c1d1fc7858b481d866b94 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Fri, 19 Mar 2021 16:55:32 +0100 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/4f44d3028edb3cda2b2c1d1fc7858b481d866b94 -Conflict: NA -Subject: [PATCH] Allow local_login_t get attributes of tmpfs filesystems - -This permission is required when the system booted with cgroups v1. - -Resolves: rhbz#1894759 ---- - policy/modules/system/locallogin.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 10fa85d..e1e5649 100644 ---- a/policy/modules/system/locallogin.te -+++ b/policy/modules/system/locallogin.te -@@ -113,6 +113,7 @@ files_create_home_dir(local_login_t) - - fs_search_auto_mountpoints(local_login_t) - fs_getattr_cgroup(local_login_t) -+fs_getattr_tmpfs(local_login_t) - - storage_dontaudit_getattr_fixed_disk_dev(local_login_t) - storage_dontaudit_setattr_fixed_disk_dev(local_login_t) --- -1.8.3.1 - diff --git a/backport-Allow-login_pgm-attribute-to-get-attributes-in-proc_.patch b/backport-Allow-login_pgm-attribute-to-get-attributes-in-proc_.patch deleted file mode 100644 index 414ee24a4cb45065c0bfb298ae0d308321c7887c..0000000000000000000000000000000000000000 --- a/backport-Allow-login_pgm-attribute-to-get-attributes-in-proc_.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From f2d77890bfcbe5b514c6205f288eeb73fe2225af Mon Sep 17 00:00:00 2001 -From: Patrik Koncity -Date: Fri, 21 Aug 2020 15:48:27 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/f2d77890bfcbe5b514c6205f288eeb73fe2225af -Conflict: NA -Subject: [PATCH] Allow login_pgm attribute to get attributes in proc_t - -Allow login_pgm attribute, which contain domain like local_login_t -and cockpit_session_t, get attributes on filesystem /proc. - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1853730 ---- - policy/modules/system/authlogin.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 6043c45..f3870d3 100644 ---- a/policy/modules/system/authlogin.te -+++ b/policy/modules/system/authlogin.te -@@ -607,6 +607,7 @@ auth_filetrans_home_content(login_pgm) - # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 - kernel_search_network_sysctl(login_pgm) - kernel_rw_afs_state(login_pgm) -+kernel_getattr_proc(login_pgm) - - tunable_policy(`authlogin_radius',` - corenet_udp_bind_all_unreserved_ports(login_pgm) --- -1.8.3.1 - diff --git a/backport-Allow-login_userdomain-write-inaccessible-nodes.patch b/backport-Allow-login_userdomain-write-inaccessible-nodes.patch deleted file mode 100644 index 92f5a5bb875fc7dfd008fabe0946ca6110c132fa..0000000000000000000000000000000000000000 --- a/backport-Allow-login_userdomain-write-inaccessible-nodes.patch +++ /dev/null 
@@ -1,47 +0,0 @@
-From ed68ca8f488ca36b74b6146f3008a89072ffdcc9 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 5 Mar 2021 18:05:58 +0100
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/ed68ca8f488ca36b74b6146f3008a89072ffdcc9
-Conflict: NA
-Subject: [PATCH] Allow login_userdomain write inaccessible nodes
-
-The permissions for creating blk_file, chr_file, fifo_file, sock_file
-and regular file were added for systemd to create inaccessible nodes
-in /run/user/*/systemd/inaccessible.
-
-Addresses the following denial:
-
-type=PATH msg=audit(22.2.2021 09:15:47.751:332) : item=1
-name=/run/user/1000/systemd/inaccessible/chr inode=8 dev=00:29
-mode=character,000 ouid=user ogid=user rdev=00:00
-obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none
-cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=AVC msg=audit(22.2.2021 09:15:47.751:332) : avc: denied { create }
-for pid=1714 comm=systemd name=chr scontext=user_u:user_r:user_t:s0-s0:c0.c1023
-tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
----
- policy/modules/system/userdomain.te | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 196bcc0..94c5ff6 100644
---- a/policy/modules/system/userdomain.te
-+++ b/policy/modules/system/userdomain.te
-@@ -370,6 +370,14 @@ optional_policy(`
- ')
- 
- ############################################################
-+# login_userdomain local policy
-+
-+create_blk_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
-+create_chr_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
-+create_fifo_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
-+create_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
-+create_sock_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
-+
- # Local Policy Confined Admin
- #
- gen_require(`
--- 
-1.8.3.1
-
diff --git a/backport-Allow-nsswitch-domain-write-to-systemd-resolved-PID-.patch b/backport-Allow-nsswitch-domain-write-to-systemd-resolved-PID-.patch
deleted file mode 100644
index 763d6e40e5fd14eb9453fd891038ccf99be85d54..0000000000000000000000000000000000000000
--- a/backport-Allow-nsswitch-domain-write-to-systemd-resolved-PID-.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From a3ec0f513ede0204be0e793b9e4f19214e9ce063 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Thu, 10 Dec 2020 00:17:57 +0100
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/a3ec0f513ede0204be0e793b9e4f19214e9ce063
-Conflict: NA
-Subject: [PATCH] Allow nsswitch-domain write to systemd-resolved PID socket
- files
-
-Resolves: rhbz#1900143
----
- policy/modules/system/authlogin.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 068caed..576ec5f 100644
---- a/policy/modules/system/authlogin.te
-+++ b/policy/modules/system/authlogin.te
-@@ -562,6 +562,7 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ systemd_resolved_write_pid_sock_files(nsswitch_domain)
- systemd_userdbd_stream_connect(nsswitch_domain)
- systemd_machined_stream_connect(nsswitch_domain)
- ')
--- 
-1.8.3.1
-
diff --git a/backport-Allow-nsswitch_domain-read-cgroup-files.patch b/backport-Allow-nsswitch_domain-read-cgroup-files.patch
deleted file mode 100644
index 4dd3ab1dafbaddc0b12fb8d202e014048d7bbbc9..0000000000000000000000000000000000000000
--- a/backport-Allow-nsswitch_domain-read-cgroup-files.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From d7924a942d84c255fb9d85f262fd68a9e08c2433 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 30 Mar 2021 20:54:17 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/d7924a942d84c255fb9d85f262fd68a9e08c2433
-Conflict: NA
-Subject: [PATCH] Allow nsswitch_domain read cgroup files
-
-This permission is required when the systemd nss module is used
-in nsswitch.conf for users or groups. The module checks whether
-the current process is running in the root cgroup, or if rather
-cgroup namespaces are in place.
-
-Resolves: rhbz#1895061
----
- policy/modules/system/authlogin.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 068caed..0e54d0a 100644
---- a/policy/modules/system/authlogin.te
-+++ b/policy/modules/system/authlogin.te
-@@ -465,6 +465,8 @@ files_list_var_lib(nsswitch_domain)
- # read /etc/nsswitch.conf
- files_read_etc_files(nsswitch_domain)
- 
-+fs_read_cgroup_files(nsswitch_domain)
-+
- init_stream_connectto(nsswitch_domain)
- 
- sysnet_dns_name_resolve(nsswitch_domain)
--- 
-1.8.3.1
-
diff --git a/backport-Allow-nsswitch_domain-to-connect-to-systemd-machined.patch b/backport-Allow-nsswitch_domain-to-connect-to-systemd-machined.patch
deleted file mode 100644
index 91e53e735cc35a3f2e4d351cced3e7da3b522ad9..0000000000000000000000000000000000000000
--- a/backport-Allow-nsswitch_domain-to-connect-to-systemd-machined.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 6fe205674f9cd1face5e2cf1aeb90d265ef89ba8 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Wed, 12 Aug 2020 12:09:21 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/6fe205674f9cd1face5e2cf1aeb90d265ef89ba8
-Conflict: NA
-Subject: [PATCH] Allow nsswitch_domain to connect to systemd-machined using a
- unix socket
-
-Create the systemd_machined_stream_connect() interface.
-
-Resolves: rhbz#1865748
----
- policy/modules/system/authlogin.te | 1 +
- policy/modules/system/systemd.if | 19 +++++++++++++++++++
- 2 files changed, 20 insertions(+)
-
-diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 25d1691..6043c45 100644
---- a/policy/modules/system/authlogin.te
-+++ b/policy/modules/system/authlogin.te
-@@ -563,6 +563,7 @@ optional_policy(`
- 
- optional_policy(`
- systemd_userdbd_stream_connect(nsswitch_domain)
-+ systemd_machined_stream_connect(nsswitch_domain)
- ')
- 
- optional_policy(`
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index a6d8bd0..dbc8fc9 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -2001,6 +2001,25 @@ interface(`systemd_machined_rw_devpts_chr_files',`
- 
- ########################################
- ##
-+## Allow the specified domain to connect to
-+## systemd_machined with a unix socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_machined_stream_connect',`
-+ gen_require(`
-+ type systemd_machined_t;
-+ ')
-+
-+ allow $1 systemd_machined_t:unix_stream_socket connectto;
-+')
-+
-+########################################
-+##
- ## Send and receive messages from
- ## systemd machined over dbus.
- ##
--- 
-1.8.3.1
-
diff --git a/backport-Allow-passwd-to-get-attributes-in-proc_t.patch b/backport-Allow-passwd-to-get-attributes-in-proc_t.patch
deleted file mode 100644
index 2f4b10f54aa886ed6cc06c6faff21fd063484755..0000000000000000000000000000000000000000
--- a/backport-Allow-passwd-to-get-attributes-in-proc_t.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 44a5636ce1fb9d8d306fe49b821b84114ab28746 Mon Sep 17 00:00:00 2001
-From: Patrik Koncity
-Date: Fri, 21 Aug 2020 15:47:20 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/44a5636ce1fb9d8d306fe49b821b84114ab28746
-Conflict: NA
-Subject: [PATCH] Allow passwd to get attributes in proc_t
-
-Add interface kernel_getattr_proc() to passwd policy.
-This macro allow paswd get attributes on filesystem /proc.
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1858738
----
- policy/modules/admin/usermanage.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 262f01e..16b43b6 100644
---- a/policy/modules/admin/usermanage.te
-+++ b/policy/modules/admin/usermanage.te
-@@ -332,6 +332,7 @@ allow passwd_t crack_db_t:dir list_dir_perms;
- read_files_pattern(passwd_t, crack_db_t, crack_db_t)
- 
- kernel_read_kernel_sysctls(passwd_t)
-+kernel_getattr_proc(passwd_t)
- 
- # for SSP
- dev_read_urand(passwd_t)
--- 
-1.8.3.1
-
diff --git a/backport-Allow-stub-resolv.conf-to-be-a-symlink.patch b/backport-Allow-stub-resolv.conf-to-be-a-symlink.patch
deleted file mode 100644
index 81ef77336c8eb0344cd95fedc57d88478e2bb47b..0000000000000000000000000000000000000000
--- a/backport-Allow-stub-resolv.conf-to-be-a-symlink.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 82e42900ad8027abed98f0b5d7a0969223fa4a7b Mon Sep 17 00:00:00 2001
-From: Ondrej Mosnacek
-Date: Fri, 11 Dec 2020 17:21:14 +0100
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/82e42900ad8027abed98f0b5d7a0969223fa4a7b
-Conflict: NA
-Subject: [PATCH] Allow stub-resolv.conf to be a symlink
-
-It turns out that under certain configurations,
-/var/run/systemd/resolve/stub-resolv.conf can be a symlink instead of a
-regular file (see [1]). In such case, domains such as NetworkManager_t
-and chronyd_t need to be able to read it, which is denied since the
-symlink ends up being labeled as systemd_resolved_var_run_t.
-
-So make sure that such symlink is also labeled net_conf_t and extend
-sysnet_read_config() to allow also reading symlinks.
-
-NOTE: Further unification/simplification of /etc network config symlinks
-would now be possible (basically reverting f1505fca7063 ("Label
-/etc/resolv.conf as net_conf_t only if it is a plain file")), but that
-leads down to a deeper rabbit hole, so it's not addressed here.
-
-[1] https://src.fedoraproject.org/rpms/selinux-policy/pull-request/135#comment-62439
-
-Signed-off-by: Ondrej Mosnacek
----
- policy/modules/system/sysnetwork.fc | 2 +-
- policy/modules/system/sysnetwork.if | 3 ++-
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 27eb98b..de92927 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -38,7 +38,7 @@ ifdef(`distro_redhat',`
- /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- /var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- /var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
--/var/run/systemd/resolve/stub-resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
-+/var/run/systemd/resolve/stub-resolv\.conf gen_context(system_u:object_r:net_conf_t,s0)
- ')
- /var/run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
- 
-diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index d7b696b..25e6b13 100644
---- a/policy/modules/system/sysnetwork.if
-+++ b/policy/modules/system/sysnetwork.if
-@@ -456,6 +456,7 @@ interface(`sysnet_read_config',`
- allow $1 net_conf_t:dir list_dir_perms;
- allow $1 net_conf_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, net_conf_t, net_conf_t)
-+ read_lnk_files_pattern($1, net_conf_t, net_conf_t)
- ')
- ')
- 
-@@ -1144,7 +1145,7 @@ interface(`sysnet_filetrans_systemd_resolved',`
- optional_policy(`
- systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf")
- systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
-- systemd_resolved_pid_filetrans($1, net_conf_t, file, "stub-resolv.conf")
-+ systemd_resolved_pid_filetrans($1, net_conf_t, { file lnk_file }, "stub-resolv.conf")
- ')
- ')
- 
--- 
-1.8.3.1
-
diff --git a/backport-Allow-syslogd_t-domain-to-read-write-tmpfs-systemd-b.patch b/backport-Allow-syslogd_t-domain-to-read-write-tmpfs-systemd-b.patch
deleted file mode 100644
index 5bd11bc61705f35a12d0a2fa94f1a08bd18b25a5..0000000000000000000000000000000000000000
--- a/backport-Allow-syslogd_t-domain-to-read-write-tmpfs-systemd-b.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From 204a23cf3da322e59c1b7af2e5cd62c835b91c2a Mon Sep 17 00:00:00 2001
-From: Richard Filo
-Date: Thu, 20 Aug 2020 22:25:28 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/204a23cf3da322e59c1b7af2e5cd62c835b91c2a
-Conflict: NA
-Subject: [PATCH] Allow syslogd_t domain to read/write tmpfs systemd-bootchart
- files
-
-Create the two interfaces to allow mapping and r/w permisions.
-Add this two interfaces to the policy for domain syslogd_t.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1838163
-
-The one way how can the systemd-journald get a log data from any services is by socket /run/systemd/journal/socket. But when the message is bigger than max size of datagram, it must be done differently. It is by filedescriptor, which is connected to the datagram and in the file to which the file descriptor refers are the log data that were not sent. The file is created by memfd_create() syscall and in kernel the file is implemented as tmpfs.
-
-That means any service can communicate in this way.
----
- policy/modules/system/logging.te | 5 +++++
- policy/modules/system/systemd.if | 36 ++++++++++++++++++++++++++++++++++++
- 2 files changed, 41 insertions(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index db0b849..8f6286d 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -720,6 +720,11 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ systemd_rw_bootchart_tmpfs_files(syslogd_t)
-+ systemd_map_bootchart_tmpfs_files(syslogd_t)
-+')
-+
-+optional_policy(`
- daemontools_search_svc_dir(syslogd_t)
- ')
- 
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index dbc8fc9..ff31161 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -2096,6 +2096,42 @@ interface(`systemd_rw_coredump_tmpfs_files',`
- 
- ########################################
- ##
-+## Mmap to systemd-bootchart temporary file system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_map_bootchart_tmpfs_files',`
-+ gen_require(`
-+ type systemd_bootchart_tmpfs_t;
-+ ')
-+
-+ allow $1 systemd_bootchart_tmpfs_t:file map;
-+')
-+
-+########################################
-+##
-+## Read and write to systemd-bootchart temporary file system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_rw_bootchart_tmpfs_files',`
-+ gen_require(`
-+ type systemd_bootchart_tmpfs_t;
-+ ')
-+
-+ allow $1 systemd_bootchart_tmpfs_t:file rw_file_perms;
-+')
-+
-+########################################
-+##
- ## Allow process to read hwdb config file.
- ##
- ##
--- 
-1.8.3.1
-
diff --git a/backport-Allow-systemd-logind-dbus-chat-with-fwupd.patch b/backport-Allow-systemd-logind-dbus-chat-with-fwupd.patch
deleted file mode 100644
index b1d903ae2622c1f2213c18e7205ae97ce96b33d1..0000000000000000000000000000000000000000
--- a/backport-Allow-systemd-logind-dbus-chat-with-fwupd.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 5867b09c03641f8a270863952a67cff61c3cc8e4 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 24 Jul 2020 21:28:43 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/5867b09c03641f8a270863952a67cff61c3cc8e4
-Conflict: NA
-Subject: [PATCH] Allow systemd-logind dbus chat with fwupd
-
----
- policy/modules/system/systemd.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 7cb36c4..367758a 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -353,6 +353,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ fwupd_dbus_chat(systemd_logind_t)
-+')
-+
-+optional_policy(`
- # we label /run/user/$USER/dconf as config_home_t
- gnome_manage_home_config_dirs(systemd_logind_t)
- gnome_manage_home_config(systemd_logind_t)
--- 
-1.8.3.1
-
diff --git a/backport-Allow-systemd-logind-manage-init-s-pid-files.patch b/backport-Allow-systemd-logind-manage-init-s-pid-files.patch
deleted file mode 100644
index 2bdca2675ee004ac9fb142cc4f5dcfb24206c1e2..0000000000000000000000000000000000000000
--- a/backport-Allow-systemd-logind-manage-init-s-pid-files.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 099b9776b76a31cdf8281e06f9cc27946b26cf9f Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Mon, 7 Dec 2020 22:15:18 +0100
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/099b9776b76a31cdf8281e06f9cc27946b26cf9f
-Conflict: NA
-Subject: [PATCH] Allow systemd-logind manage init's pid files
-
-Added init_manage_pid_files() interface.
-
-Resolves: rhbz#1856399
----
- policy/modules/system/init.if | 18 ++++++++++++++++++
- policy/modules/system/systemd.te | 1 +
- 2 files changed, 19 insertions(+)
-
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 629af26..4674755 100644
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -2838,6 +2838,24 @@ interface(`init_read_pid_files',`
- 
- ########################################
- ##
-+## Manage init pid files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_manage_pid_files',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ manage_files_pattern($1, init_var_run_t, init_var_run_t)
-+')
-+
-+########################################
-+##
- ## Read init unnamed pipes.
- ##
- ##
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 24cf02e..332d716 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -297,6 +297,7 @@ init_signal_script(systemd_logind_t)
- init_getattr_script_status_files(systemd_logind_t)
- init_read_utmp(systemd_logind_t)
- init_config_transient_files(systemd_logind_t)
-+init_manage_pid_files(systemd_logind_t)
- 
- getty_systemctl(systemd_logind_t)
- 
--- 
-1.8.3.1
-
diff --git a/backport-Allow-systemd-machined-manage-systemd-userdbd-runtim.patch b/backport-Allow-systemd-machined-manage-systemd-userdbd-runtim.patch
deleted file mode 100644
index 390a4846f8a87c43425359a660e9efa21b09b441..0000000000000000000000000000000000000000
--- a/backport-Allow-systemd-machined-manage-systemd-userdbd-runtim.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 9b31818705c564f94c46366ef83efa4951ffa64a Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 12 Jan 2021 18:36:07 +0100
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/9b31818705c564f94c46366ef83efa4951ffa64a
-Conflict: NA
-Subject: [PATCH] Allow systemd-machined manage systemd-userdbd runtime sockets
-
-Add the systemd_manage_userdbd_runtime_sock_files() interface
-and remove systemd_create_userdbd_runtime_sock_files()
-which is not used any longer.
-
-Resolves: rhbz#1891182
----
- policy/modules/system/systemd.if | 6 +++---
- policy/modules/system/systemd.te | 2 +-
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index d10ae16..67479ce 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -2486,7 +2486,7 @@ interface(`systemd_userdbd_stream_connect',`
- 
- #######################################
- ##
--## Create a named socket in userdbd runtime directory
-+## Manage named sockets in userdbd runtime directory
- ##
- ##
- ##
-@@ -2494,10 +2494,10 @@ interface(`systemd_userdbd_stream_connect',`
- ##
- ##
- #
--interface(`systemd_create_userdbd_runtime_sock_files',`
-+interface(`systemd_manage_userdbd_runtime_sock_files',`
- gen_require(`
- type systemd_userdbd_runtime_t;
- ')
- 
-- create_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
-+ manage_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
- ')
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index c806b29..3eb12be 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -416,7 +416,7 @@ init_manage_config_transient_files(systemd_machined_t)
- logging_dgram_send(systemd_machined_t)
- 
- systemd_read_efivarfs(systemd_machined_t)
--systemd_create_userdbd_runtime_sock_files(systemd_machined_t)
-+systemd_manage_userdbd_runtime_sock_files(systemd_machined_t)
- 
- userdom_dbus_send_all_users(systemd_machined_t)
- 
--- 
-1.8.3.1
-
diff --git a/backport-Allow-systemd-resolved-manage-its-private-runtime-sy.patch b/backport-Allow-systemd-resolved-manage-its-private-runtime-sy.patch
deleted file mode 100644
index 5d563f4775b3d5b573bf17f98414552960e2de4e..0000000000000000000000000000000000000000
--- a/backport-Allow-systemd-resolved-manage-its-private-runtime-sy.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 17fe432dfcf5b3e3b4d6185cfdab6489135045e8 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 8 Dec 2020 15:53:05 +0100
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/17fe432dfcf5b3e3b4d6185cfdab6489135045e8
-Conflict: NA
-Subject: [PATCH] Allow systemd-resolved manage its private runtime symlinks
-
-Resolves: rhbz#1896796
----
- policy/modules/system/systemd.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 806b7d6..24cf02e 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1047,6 +1047,7 @@ allow systemd_resolved_t self:unix_dgram_socket create_socket_perms;
- 
- manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
- manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
-+manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
- init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
- 
- list_dirs_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
--- 
-1.8.3.1
-
diff --git a/backport-Allow-traceroute_t-and-ping_t-to-bind-generic-nodes.patch b/backport-Allow-traceroute_t-and-ping_t-to-bind-generic-nodes.patch
deleted file mode 100644
index 461078ebd35e4bce58f0f7f82eea7fe4b5fdb374..0000000000000000000000000000000000000000
--- a/backport-Allow-traceroute_t-and-ping_t-to-bind-generic-nodes.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 1aa9e5609375815103d2445df1746cb90a02b55a Mon Sep 17 00:00:00 2001
-From: Patrik Koncity
-Date: Tue, 11 Aug 2020 14:19:29 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/1aa9e5609375815103d2445df1746cb90a02b55a
-Conflict: NA
-Subject: [PATCH] Allow traceroute_t and ping_t to bind generic nodes.
-
-Use newly created macro corenet_icmp_bind_generic_node() for ping_t and traceroute_t.
-This macro allowing bind generic nodes in node_t domain.
----
- policy/modules/admin/netutils.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index f835af5..5793fe9 100644
---- a/policy/modules/admin/netutils.te
-+++ b/policy/modules/admin/netutils.te
-@@ -140,6 +140,7 @@ corenet_raw_sendrecv_generic_node(ping_t)
- corenet_tcp_sendrecv_generic_node(ping_t)
- corenet_raw_bind_generic_node(ping_t)
- corenet_tcp_sendrecv_all_ports(ping_t)
-+corenet_icmp_bind_generic_node(ping_t)
- 
- fs_dontaudit_getattr_xattr_fs(ping_t)
- fs_dontaudit_rw_anon_inodefs_files(ping_t)
-@@ -245,6 +246,7 @@ corenet_tcp_connect_all_ports(traceroute_t)
- corenet_sendrecv_all_client_packets(traceroute_t)
- corenet_sendrecv_traceroute_server_packets(traceroute_t)
- corenet_sctp_bind_generic_node(traceroute_t)
-+corenet_icmp_bind_generic_node(traceroute_t)
- 
- corecmd_exec_bin(traceroute_t)
- 
--- 
-1.8.3.1
-
diff --git a/backport-Allow-unconfined_t-to-node_bind-icmp_sockets-in-node.patch b/backport-Allow-unconfined_t-to-node_bind-icmp_sockets-in-node.patch
deleted file mode 100644
index c8e9d7d65452001dc054c4481fae949a19b3d109..0000000000000000000000000000000000000000
--- a/backport-Allow-unconfined_t-to-node_bind-icmp_sockets-in-node.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From e4f9c9f4f4c5af851410fde006f6589c0bf7f863 Mon Sep 17 00:00:00 2001
-From: Patrik Koncity
-Date: Wed, 5 Aug 2020 17:26:20 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/e4f9c9f4f4c5af851410fde006f6589c0bf7f863
-Conflict: NA
-Subject: [PATCH] Allow unconfined_t to node_bind icmp_sockets in node_t domain
-
-When uncofined user run ping or traceroute, this process get label unconfined_t.
-Allow to ping or traceroute, which run as unconfined_t, to node_bind icmp_sockets in node_t domain.
-
-Bugzila: https://bugzilla.redhat.com/show_bug.cgi?id=1848929#c0
----
- policy/modules/kernel/corenetwork.te.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index c317449..b718ab0 100644
---- a/policy/modules/kernel/corenetwork.te.in
-+++ b/policy/modules/kernel/corenetwork.te.in
-@@ -465,7 +465,7 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
- 
- # Bind to any network address.
- allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket sctp_socket} name_bind;
--allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
-+allow corenet_unconfined_type node_type:{ dccp_socket icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
- 
- # Infiniband
- corenet_ib_access_all_pkeys(corenet_unconfined_type)
--- 
-1.8.3.1
-
diff --git a/backport-Create-chronyd_pid_filetrans-interface.patch b/backport-Create-chronyd_pid_filetrans-interface.patch
deleted file mode 100644
index 6b092a82dd0333afb881db9e4f68ccdc638e390c..0000000000000000000000000000000000000000
--- a/backport-Create-chronyd_pid_filetrans-interface.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 25d2a5c01c34d72c20f5d219227ad87897411967 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Wed, 14 Oct 2020 22:41:52 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/25d2a5c01c34d72c20f5d219227ad87897411967
-Conflict: NA
-Subject: [PATCH] Create chronyd_pid_filetrans() interface
-
----
- policy/modules/contrib/chronyd.if | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
-index c1b1b71..3d47264 100644
---- a/policy/modules/contrib/chronyd.if
-+++ b/policy/modules/contrib/chronyd.if
-@@ -236,6 +236,25 @@ interface(`chronyd_manage_pid',`
- manage_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
- ')
- 
-+######################################
-+##
-+## Create objects in /var/run
-+## with chronyd runtime private file type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`chronyd_pid_filetrans',`
-+ gen_require(`
-+ type chronyd_var_run_t;
-+ ')
-+
-+ files_pid_filetrans($1, chronyd_var_run_t, dir, "chrony-dhcp")
-+')
-+
- ####################################
- ##
- ## All of the rules required to
--- 
-1.8.3.1
-
diff --git a/backport-Create-macro-corenet_icmp_bind_generic_node.patch b/backport-Create-macro-corenet_icmp_bind_generic_node.patch
deleted file mode 100644
index 0bdaac612725a57d2176a008f10306eb89799d33..0000000000000000000000000000000000000000
--- a/backport-Create-macro-corenet_icmp_bind_generic_node.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 65c1a66265908f3d5a39fa201d6b6f9f2a2981a4 Mon Sep 17 00:00:00 2001
-From: Patrik Koncity
-Date: Tue, 11 Aug 2020 13:51:55 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/65c1a66265908f3d5a39fa201d6b6f9f2a2981a4
-Conflict: NA
-Subject: [PATCH] Create macro corenet_icmp_bind_generic_node()
-
-This macro allowing bind ICMP sockets to generic nodes in node_t domain.
----
- policy/modules/kernel/corenetwork.if.in | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 1ed5283..1858e41 100644
---- a/policy/modules/kernel/corenetwork.if.in
-+++ b/policy/modules/kernel/corenetwork.if.in
-@@ -863,6 +863,24 @@ interface(`corenet_sctp_bind_generic_node',`
- 
- ########################################
- ##
-+## Bind ICMP sockets to generic nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_icmp_bind_generic_node',`
-+ gen_require(`
-+ type node_t;
-+ ')
-+
-+ allow $1 node_t:icmp_socket node_bind;
-+')
-+
-+########################################
-+##
- ## Bind TCP sockets to generic nodes.
- ##
- ##
--- 
-1.8.3.1
-
diff --git a/backport-Define-named-file-transition-for-sshd-on-tmp-krb5_0..patch b/backport-Define-named-file-transition-for-sshd-on-tmp-krb5_0..patch
deleted file mode 100644
index 430035b6962dff2d21db784da01245df4c93ad6d..0000000000000000000000000000000000000000
--- a/backport-Define-named-file-transition-for-sshd-on-tmp-krb5_0..patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 5d5feca5ce10b7b4f45c44431c8c258685eeef61 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 11 Aug 2020 22:15:55 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/5d5feca5ce10b7b4f45c44431c8c258685eeef61
-Conflict: NA
-Subject: [PATCH] Define named file transition for sshd on /tmp/krb5_0.rcache2
-
----
- policy/modules/services/ssh.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 7b09f29..b06cc76 100644
---- a/policy/modules/services/ssh.te
-+++ b/policy/modules/services/ssh.te
-@@ -380,6 +380,7 @@ optional_policy(`
- 
- optional_policy(`
- kerberos_read_keytab(sshd_t)
-+ kerberos_tmp_filetrans_host_rcache(sshd_t, "krb5_0.rcache2")
- kerberos_use(sshd_t)
- kerberos_write_kadmind_tmp_files(sshd_t)
- ')
--- 
-1.8.3.1
-
diff --git a/backport-Update-systemd_resolved_read_pid-to-also-read-symlin.patch b/backport-Update-systemd_resolved_read_pid-to-also-read-symlin.patch
deleted file mode 100644
index 46edcbd3b34e512c04c4fb41bbcefcc031019670..0000000000000000000000000000000000000000
--- a/backport-Update-systemd_resolved_read_pid-to-also-read-symlin.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From ade23054745c5a738abc8760dfc425f8bf916944 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 8 Dec 2020 16:05:22 +0100
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/ade23054745c5a738abc8760dfc425f8bf916944
-Conflict: NA
-Subject: [PATCH] Update systemd_resolved_read_pid() to also read symlinks
-
-In the systemd_resolved_read_pid() interface, list and read permissions
-were allowed for directories and plain files. However, symlinks also can
-be in the same directory. This commit adds read permissions for the
-lnk_file class.
----
- policy/modules/system/systemd.if | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index ff31161..ffed76c 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -313,6 +313,7 @@ interface(`systemd_resolved_read_pid',`
- files_search_pids($1)
- list_dirs_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
- read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
-+ read_lnk_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
- ')
- 
- ######################################
--- 
-1.8.3.1
-
diff --git a/backport-iptables.fc-Add-missing-legacy-entries.patch b/backport-iptables.fc-Add-missing-legacy-entries.patch
deleted file mode 100644
index adfbb0694a6f4073933e0ece46d03a77dcbdd839..0000000000000000000000000000000000000000
--- a/backport-iptables.fc-Add-missing-legacy-entries.patch
+++ /dev/null
@@ -1,39 +0,0 @@ -From feefaa074e75466aa75c29f17a3d83ac6ce004f0 Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Thu, 18 Feb 2021 10:00:12 +0100 -Subject: [PATCH] iptables.fc: Add missing legacy entries - -The iptables, arptables, and ebtables stack is being deprecated in favor -of nftables. For now, netfilter reimplementations of these tools are -available for backwards compatibility, but have a diffferent filename -now (the main location is now a symlink). Add file context entries for -arptables and ebtables; iptables is already covered by the wildcard -rule. - -This change fixed several ebtables-related denials for me. - -Signed-off-by: Ondrej Mosnacek ---- - policy/modules/system/iptables.fc | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 2c19023..9fb2e34 100644 ---- a/policy/modules/system/iptables.fc -+++ b/policy/modules/system/iptables.fc -@@ -13,10 +13,12 @@ - /usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) - - /usr/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/arptables-legacy -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/arptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/arptables-save -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/ebtables-legacy -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) --- -1.8.3.1 - 
diff --git a/backport-iptables.fc-Add-missing-legacy-restore-and-legacy-sa.patch b/backport-iptables.fc-Add-missing-legacy-restore-and-legacy-sa.patch deleted file mode 100644 index 97e1784251908de13f7f102921067aca2736cfd3..0000000000000000000000000000000000000000 --- a/backport-iptables.fc-Add-missing-legacy-restore-and-legacy-sa.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From dfbaf8f3be6470e0964df8c1b5ae9717f85a4675 Mon Sep 17 00:00:00 2001 -From: LuLuLu <1539327763@qq.com> -Date: Fri, 11 Jun 2021 11:25:18 +0800 -Subject: [PATCH] iptables.fc: Add missing legacy-restore and legacy-save - entries - -/usr/sbin/ebtables-restore and /usr/sbin/ebtables-save are miss labeled now. Each of them is a link file that can link to two differenet files. - -For /usr/sbin/ebtables-restore on fc 34: - -Remove iptables-nft and install ebtables-legacy: -lrwxrwxrwx. 1 root root 34 Apr 23 06:56 /sbin/ebtables-restore -> /etc/alternatives/ebtables-restore -lrwxrwxrwx. 1 root root 33 Jun 10 20:31 /etc/alternatives/ebtables-restore -> /usr/sbin/ebtables-legacy-restore - -Remove ebtables-legacy and install iptables-nft: -lrwxrwxrwx. 1 root root 34 Apr 23 06:56 /sbin/ebtables-restore -> /etc/alternatives/ebtables-restore -lrwxrwxrwx. 1 root root 30 Jun 10 20:35 /etc/alternatives/ebtables-restore -> /usr/sbin/ebtables-nft-restore -lrwxrwxrwx. 1 root root 17 Jan 28 08:48 /usr/sbin/ebtables-nft-restore -> xtables-nft-multi - -/sbin/ebtables-save is similar. But the label of /usr/sbin/ebtables-legacy-restore and /usr/sbin/ebtables-legacy-save is lack. 
---- - policy/modules/system/iptables.fc | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 9fb2e34..e8ee5c0 100644 ---- a/policy/modules/system/iptables.fc -+++ b/policy/modules/system/iptables.fc -@@ -19,6 +19,8 @@ - /usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ebtables-legacy -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/ebtables-legacy-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/ebtables-legacy-save -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) --- -1.8.3.1 - diff --git a/backport-iptables.fc-Remove-duplicate-file-context-entries.patch b/backport-iptables.fc-Remove-duplicate-file-context-entries.patch deleted file mode 100644 index a6d0c402c4cf86c8ba1bba54d4d728a8059c11d7..0000000000000000000000000000000000000000 --- a/backport-iptables.fc-Remove-duplicate-file-context-entries.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From c33aa1f2bdb74f689bd54565e363fa67f3aa148f Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Thu, 18 Feb 2021 09:50:50 +0100 -Subject: [PATCH] iptables.fc: Remove duplicate file context entries - -There is an quivalency rule /sbin -> /usr/sbin so these are redundant. -A few entries were missing in the /usr/sbin block - add them to avoid -regressions. - -Signed-off-by: Ondrej Mosnacek ---- - policy/modules/system/iptables.fc | 20 ++------------------ - 1 file changed, 2 insertions(+), 18 deletions(-) - -diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index d8161fc..639a59b 100644 ---- a/policy/modules/system/iptables.fc -+++ b/policy/modules/system/iptables.fc -@@ -12,25 +12,9 @@ - - /usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) - --/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/arptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/arptables-save -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/xtables-legacy-multi -- 
gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/xtables-nft-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -- - /usr/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/arptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/arptables-save -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) --- -1.8.3.1 - diff --git a/backport-sysnetwork.if-avoid-directly-referencing-systemd_res.patch b/backport-sysnetwork.if-avoid-directly-referencing-systemd_res.patch deleted file mode 100644 index 1a8adbb657ad6913b63361b869330811dab93355..0000000000000000000000000000000000000000 --- a/backport-sysnetwork.if-avoid-directly-referencing-systemd_res.patch +++ /dev/null 
@@ -1,145 +0,0 @@ -From bc79683118e529a8325fd229840915efe30c3f48 Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Mon, 3 Aug 2020 14:49:31 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/bc79683118e529a8325fd229840915efe30c3f48 -Conflict: NA -Subject: [PATCH] sysnetwork.if: avoid directly referencing - systemd_resolved_var_run_t - -Instead create a systemd_resolved_pid_filetrans() interface in -systemd.if and use that. Also used a unified interface for adding these -transitions in sysnet_filetrans_named_content() and directly in the -systemd module. - -Signed-off-by: Ondrej Mosnacek ---- - policy/modules/system/sysnetwork.if | 36 +++++++++++++++++++++++++++--------- - policy/modules/system/systemd.if | 34 ++++++++++++++++++++++++++++++++++ - policy/modules/system/systemd.te | 4 +--- - 3 files changed, 62 insertions(+), 12 deletions(-) - -diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 10172d6..d7b696b 100644 ---- a/policy/modules/system/sysnetwork.if -+++ b/policy/modules/system/sysnetwork.if -@@ -1127,6 +1127,29 @@ interface(`sysnet_role_transition_dhcpc',` - - ######################################## - ## -+## Set up filename transitions for systemd-resolved network -+## configuration content. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`sysnet_filetrans_systemd_resolved',` -+ gen_require(` -+ type net_conf_t; -+ ') -+ -+ optional_policy(` -+ systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf") -+ systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp") -+ systemd_resolved_pid_filetrans($1, net_conf_t, file, "stub-resolv.conf") -+ ') -+') -+ -+######################################## -+## - ## Transition to sysnet named content - ## - ## -@@ -1138,7 +1161,6 @@ interface(`sysnet_role_transition_dhcpc',` - interface(`sysnet_filetrans_named_content',` - gen_require(` - type net_conf_t; -- type systemd_resolved_var_run_t; - ') - - files_etc_filetrans($1, net_conf_t, file, "resolv.conf") -@@ -1160,15 +1182,11 @@ interface(`sysnet_filetrans_named_content',` - init_pid_filetrans($1, net_conf_t, dir, "network") - - optional_policy(` -- networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf") -- networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp") -- ') -+ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf") -+ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp") -+ ') - -- optional_policy(` -- sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf") -- sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf.tmp") -- sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "stub-resolv.conf") -- ') -+ sysnet_filetrans_systemd_resolved($1) - ') - - ######################################## -diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index 26d4927..d10ae16 100644 ---- a/policy/modules/system/systemd.if -+++ b/policy/modules/system/systemd.if -@@ -335,6 +335,40 @@ interface(`systemd_resolved_write_pid_sock_files',` - write_sock_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t) - ') - -+######################################## -+## -+## Create objects in 
/var/run/systemd/resolve with a private -+## type using a type_transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Private file type. -+## -+## -+## -+## -+## Object classes to be created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`systemd_resolved_pid_filetrans',` -+ gen_require(` -+ type systemd_resolved_var_run_t; -+ ') -+ -+ filetrans_pattern($1, systemd_resolved_var_run_t, $2, $3, $4) -+') -+ - ###################################### - ## - ## Read systemd_login PID files. -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 332d716..c806b29 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -1071,9 +1071,7 @@ dev_write_kmsg(systemd_resolved_t) - dev_read_sysfs(systemd_resolved_t) - - sysnet_manage_config(systemd_resolved_t) --sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf") --sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "stub-resolv.conf") --sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf.tmp") -+sysnet_filetrans_systemd_resolved(systemd_resolved_t) - - systemd_read_efivarfs(systemd_resolved_t) - --- -1.8.3.1 - diff --git a/backport-systemd-allow-all-systemd-services-to-check-selinux-.patch b/backport-systemd-allow-all-systemd-services-to-check-selinux-.patch deleted file mode 100644 index 424b3a33260771bf0ad038f5db80e5bfae32f44a..0000000000000000000000000000000000000000 --- a/backport-systemd-allow-all-systemd-services-to-check-selinux-.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From a96ac9ed374cab65f53a26cd39053705569532bc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 28 Oct 2020 09:17:15 +0100 -Subject: [PATCH] systemd: allow all systemd services to check selinux status - -After https://github.com/systemd/systemd/commit/fd5e402fa9 most systemd -services fail to start with: - -Oct 27 13:50:38 workstation-uefi systemd[1]: Starting systemd-hostnamed.service... -Oct 27 13:50:38 workstation-uefi systemd-hostnamed[944]: Failed to open SELinux status page: Permission denied -Oct 27 13:50:38 workstation-uefi systemd[1]: systemd-hostnamed.service: Main process exited, code=exited, status=1/FAILURE - -After disabling dontaudit: - -Oct 27 14:05:08 workstation-uefi audit[1043]: AVC avc: denied { read } for pid=1043 comm="systemd-hostnam" name="status" dev="selinuxfs" ino=19 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 -Oct 27 14:05:08 workstation-uefi audit[1043]: AVC avc: denied { open } for pid=1043 comm="systemd-hostnam" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 -Oct 27 14:05:08 workstation-uefi audit[1043]: AVC avc: denied { map } for pid=1043 comm="systemd-hostnam" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 - -As first step, allow all systemd services to check selinux status. -The check for selinux status is called from mac_selinux_init() which -is called in 16 different places, so I don't think it makes sense to -try to list them all. Any code which wants to create a labelled file is -likely to call mac_selinux_init(). 
---- - policy/modules/system/systemd.if | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index ff3116142..253396f1c 100644 ---- a/policy/modules/system/systemd.if -+++ b/policy/modules/system/systemd.if -@@ -24,6 +24,7 @@ template(`systemd_domain_template',` - kernel_read_system_state($1_t) - - auth_use_nsswitch($1_t) -+ selinux_get_enforce_mode($1_t) - ') - - ###################################### --- -2.23.0 - diff --git a/booleans-targeted.conf b/booleans-targeted.conf index 8789a08b23dffa8fae3670f3c9ff0ac49a07ed01..439ce8a80ee490b2f046e1c94c26318f39b2bb66 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -1,6 +1,7 @@ gssd_read_tmp = true httpd_builtin_scripting = true httpd_enable_cgi = true +httpd_can_network_connect = true kerberos_enabled = true mount_anyfile = true nfs_export_all_ro = true diff --git a/container-selinux.tgz b/container-selinux.tgz index 61071fb2dfcb44e08ea537eac40571144655838a..99d2beafc1820266eeed4bc062285179009bee92 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/file_contexts.subs_dist b/file_contexts.subs_dist index 8b288f7131bf09fb1c8dc8d22d98107f41a2ebab..1bf47105126cc8787a9e14a36635be58cc725576 100644 --- a/file_contexts.subs_dist +++ b/file_contexts.subs_dist @@ -19,3 +19,4 @@ /sbin /usr/sbin /sysroot/tmp /tmp /var/usrlocal /usr/local +/var/mnt /mnt diff --git a/fix-context-of-usr-bin-rpmdb.patch b/fix-context-of-usr-bin-rpmdb.patch new file mode 100644 index 0000000000000000000000000000000000000000..0c3b63715c8e1ce8e662dbe928b7d397834de72d --- /dev/null +++ b/fix-context-of-usr-bin-rpmdb.patch 
@@ -0,0 +1,25 @@ +From 52211f802fa1a34f22fca6acbc5a6dd5119d0f8e Mon Sep 17 00:00:00 2001 +From: lujie42 +Date: Mon, 28 Feb 2022 11:59:33 +0800 +Subject: [PATCH] fix context of /usr/bin/rpmdb + +Signed-off-by: lujie42 +--- + policy/modules/contrib/rpm.fc | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc +index 8a5a4ad..2db8826 100644 +--- a/policy/modules/contrib/rpm.fc ++++ b/policy/modules/contrib/rpm.fc +@@ -8,7 +8,6 @@ + /usr/bin/dnf-automatic -- gen_context(system_u:object_r:rpm_exec_t,s0) + /usr/bin/dnf-[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0) + /usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/bin/rpmdb -- gen_context(system_u:object_r:rpmdb_exec_t,s0) + /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) + + /bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0) +-- +1.8.3.1 + diff --git a/fix-selinux-label-for-hostname-digest-list.patch b/fix-selinux-label-for-hostname-digest-list.patch index ca696723ebb197f869e9a1ca8c19d4986276e1ac..44afe43b11124f03965db676fe5cbfed5ed3d0ac 100644 --- a/fix-selinux-label-for-hostname-digest-list.patch +++ b/fix-selinux-label-for-hostname-digest-list.patch @@ -15,9 +15,9 @@ index cfafbfa..bb5e759 100644 @@ -3,6 +3,7 @@ HOME_DIR/\.config/systemd/user(/.*)? gen_context(system_u:object_r:systemd_unit /root/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_home_t,s0) - /etc/.*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) -+/etc/[^/]*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) - /etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) + /etc/.*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) ++/etc/[^/]*hostname.* -- gen_context(system_u:object_r:hostname_etc_t,s0) + /etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) /etc/udev/.*hwdb.* -- gen_context(system_u:object_r:systemd_hwdb_etc_t,s0) -- 
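Review bot: The new patch deletes the `/usr/bin/rpmdb -- gen_context(system_u:object_r:rpmdb_exec_t,s0)` entry from rpm.fc, but its description, "fix context of /usr/bin/rpmdb", does not say what was broken, and the two plausible readings have very different effects: if `rpmdb_exec_t` is not declared in this policy build, the entry would fail at relabel time and dropping it is the right fix, whereas if the type does exist the binary falls back to whatever the generic /usr/bin rule assigns (presumably bin_t) and executions silently stop transitioning into the rpmdb_t domain. The commit message should state which case applies, and in the second case whether the matching rpmdb_t/rpmdb_exec_t declarations in rpm.te are meant to be retired too; something like `rpmdb_exec_t is not declared in this policy build, so the stale fc entry made restorecon fail on /usr/bin` would make the intent auditable. Nothing in the visible hunk shows which situation holds, so this is a request for rationale rather than a claim that the change is wrong.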
diff --git a/ls -l b/ls -l new file mode 100644 index 0000000000000000000000000000000000000000..0c400a6c8eaab65ea33040b7c628f8dd28972358 --- /dev/null +++ b/ls -l @@ -0,0 +1,1063 @@ +commit 82659116a590fbde846762f9a045127a58d38d97 (HEAD -> hyongkang, origin/master, origin/HEAD, master) +Merge: 8af89b9 2dfaab4 +Author: openeuler-ci-bot +Date: Tue Aug 13 08:22:42 2024 +0000 + + !253 [sync] PR-252: Allow init_t nnp domain transition to abrtd_t + + From: @openeuler-sync-bot + Reviewed-by: @HuaxinLuGitee + Signed-off-by: @HuaxinLuGitee + +commit 2dfaab4e6a61392d5547ab7aba973357d3969c95 +Author: lyn1001 +Date: Tue Aug 13 15:21:24 2024 +0800 + + Allow init_t nnp domain transition to abrtd_t + + (cherry picked from commit fa07f7534f24f966474849a308d844ade311954a) + +commit 8af89b9bb5e4f0cff0f445a3e966d75fbc6ad23d +Merge: 27f6587 f1ca975 +Author: openeuler-ci-bot +Date: Fri Jun 7 07:57:34 2024 +0000 + + !250 [sync] PR-249: update modules-targeted-contrib.conf + + From: @openeuler-sync-bot + Reviewed-by: @HuaxinLuGitee + Signed-off-by: @HuaxinLuGitee + +commit f1ca975a798502eb818f4093adff1c9f17e71dab +Author: jinlun +Date: Thu Apr 11 17:17:08 2024 +0800 + + update modules-targeted-contrib.conf + + (cherry picked from commit 81b001bdf43dc026b5eb5961a14ff087f63bb850) + +commit 27f6587f0eb31a4d8385a0a05f9bcaa3277908e4 +Merge: 4f94b5e 77c5b8e +Author: openeuler-ci-bot +Date: Mon Jan 29 08:26:46 2024 +0000 + + !240 update version to 40.7 + + From: @jinlun123123 + Reviewed-by: @HuaxinLuGitee + Signed-off-by: @HuaxinLuGitee + +commit 77c5b8e28435e235b5fac316562e26103a69c3d5 +Author: jinlun +Date: Thu Dec 28 19:33:26 2023 +0800 + + update version to 40.7 + +commit 4f94b5ea932d53837757e8a4dde4443512287732 (tag: openEuler-23.09-rc5, origin/openEuler-23.09) +Merge: 1b601a0 ccec791 +Author: openeuler-ci-bot +Date: Sat Jul 22 03:45:54 2023 +0000 + + !224 selinux-policy:update version to 38.21 + + From: @jinlun123123 + Reviewed-by: @HuaxinLuGitee + 
Signed-off-by: @HuaxinLuGitee + +commit ccec791b8a1c70922e52a3a58911b7f227193599 +Author: jinlun +Date: Fri Jul 21 09:43:04 2023 +0800 + + selinux-policy:update version to 38.21 + +commit 1b601a0825d10c440bf34fa97cd21f75a190a530 +Merge: de81d60 ed48d45 +Author: openeuler-ci-bot +Date: Wed May 31 11:28:27 2023 +0000 + + !217 backport some upstream patches + + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit ed48d454cb75bf4a842f0b652ee75977b3010b49 +Author: Huaxin Lu +Date: Wed May 31 09:59:01 2023 +0800 + + backport some upstream patches + +commit de81d60d925174e83f1459d1d9c043f1582867df +Merge: 6dfc000 de38b55 +Author: openeuler-ci-bot +Date: Thu Mar 30 01:20:47 2023 +0000 + + !216 allow login_pgm setcap permission + + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit de38b55dfe6aa437bf43d9d26814b098a3fb34ae +Author: Huaxin Lu +Date: Wed Mar 29 16:41:00 2023 +0800 + + allow login_pgm setcap permission + +commit 6dfc00001aa1f07a98b9edf2a989193bc92b54cc +Merge: 7878b97 98ef00f +Author: openeuler-ci-bot +Date: Thu Mar 23 10:54:47 2023 +0000 + + !215 Don't allow kernel_t to execute bin_t/usr_t binaries without a transition + + From: @jinlun123123 + Reviewed-by: @HuaxinLuGitee + Signed-off-by: @HuaxinLuGitee + +commit 98ef00f443521d2383cdef07fb3b6644f9a14233 +Author: jinlun +Date: Thu Mar 23 14:59:51 2023 +0800 + + Don't allow kernel_t to execute bin_t/usr_t binaries without a transition + +commit 7878b97e6e8edd1b4af98ddca73004e1061988ad +Merge: 036edbe a3e27ea +Author: openeuler-ci-bot +Date: Tue Feb 7 02:30:10 2023 +0000 + + !209 add avc rules for cloud-init + + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001 + 
Signed-off-by: @zhujianwei001 + +commit a3e27ea362a7cebd98fd5864e502ca716b026ae1 +Author: Huaxin Lu +Date: Sun Jan 29 00:38:39 2023 +0800 + + add avc rules for cloud-init + +commit 036edbe0d778cb0e4e5fb358bbf4fed9e45b3ac4 +Merge: 6ffaf8f bd458c8 +Author: openeuler-ci-bot +Date: Sat Feb 4 02:16:03 2023 +0000 + + !208 update version to 38.6 + + From: @zgzxx + Reviewed-by: @HuaxinLuGitee + Signed-off-by: @HuaxinLuGitee + +commit bd458c8790d9371ef03d2f89ff72de2a67b5c0df +Author: zgzxx +Date: Wed Feb 1 16:42:06 2023 +0800 + + update version to 38.6 + +commit 6ffaf8fb576785a9ba5dab5a74801bf33b73abba +Merge: 93a4b87 d01c30e +Author: openeuler-ci-bot +Date: Fri Dec 30 09:57:31 2022 +0000 + + !207 add rule for hostnamed to rpmscript dbus chat + + From: @likou2022 + Reviewed-by: @HuaxinLuGitee + Signed-off-by: @HuaxinLuGitee + +commit d01c30e10412f22ba5936f3c3b27362d396de44b +Author: lixiao +Date: Fri Dec 30 11:49:26 2022 +0800 + + add rule for hostnamed to rpmscript dbus chat + +commit 93a4b87311a55e44be4f32faf6fbb3dbf50b80a1 +Merge: e51c043 3318771 +Author: openeuler-ci-bot +Date: Mon Dec 26 03:43:54 2022 +0000 + + !202 add the dependency between packages + + From: @likou2022 + Reviewed-by: @HuaxinLuGitee + Signed-off-by: @HuaxinLuGitee + +commit 3318771e475cf1be816ed5208d448cac47158e59 +Author: lixiao +Date: Sat Dec 24 08:12:36 2022 +0000 + + add the dependency between packages + + Signed-off-by: lixiao + +commit e51c04325560720169238cf76445a2ee5ae3860d +Merge: 9ea9984 276d709 +Author: openeuler-ci-bot +Date: Mon Dec 5 01:15:52 2022 +0000 + + !192 modify the patch name for the problem of vendor hard code + + From: @lujie42 + Reviewed-by: @HuaxinLuGitee + 
Signed-off-by: @HuaxinLuGitee + +commit 276d709d83a22540869b56953b8538b3edb92524 +Author: xuraoqing <609179072@qq.com> +Date: Sat Dec 3 21:23:03 2022 +0800 + + modify the patch name for the problem of vendor hard code + +commit 9ea9984d7c481784a4d804182ef7e708e27b0269 +Merge: 5517afb 8f5a728 +Author: openeuler-ci-bot +Date: Mon Nov 28 03:08:29 2022 +0000 + + !187 update upstream patches + + From: @lujie42 + Reviewed-by: @HuaxinLuGitee + Signed-off-by: @HuaxinLuGitee + +commit 8f5a7284a7841792a98c29daccad2b8d40a4776e +Author: lujie42 +Date: Sun Nov 27 22:53:05 2022 +0800 + + update upstream patches + +commit 5517afbdc61deeb784766f20d8ab4dc979c1a9b2 +Merge: 0289bc3 9fe5293 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Mon Sep 19 08:51:16 2022 +0000 + + !183 allow map postfix_master_t + + From: @xinghe_1 + Reviewed-by: @HuaxinLuGitee + Signed-off-by: @HuaxinLuGitee + +commit 9fe529338f671b838014267a7617c8c5d2ed4983 +Author: xinghe +Date: Mon Sep 19 15:59:02 2022 +0800 + + allow map postfix_master_t + +commit 0289bc3f8b6fb705fcaacfebaed0dd8c14ecb055 +Merge: 7de1ff2 bed9e54 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Thu Sep 15 08:51:52 2022 +0000 + + !179 update upstream patches + + From: @lujie42 + Reviewed-by: @HuaxinLuGitee + Signed-off-by: @HuaxinLuGitee + +commit bed9e54ba5b7bdd343cb206debfe27be301e9bc5 +Author: lujie54 +Date: Thu Sep 15 10:25:08 2022 +0800 + + backport upstream patches + +commit 7de1ff268474c8e44276ebacd9c6fbecb6f9a529 +Merge: 62ad05c 21f06ca +Author: openeuler-ci-bot <80474298@qq.com> +Date: Thu Sep 15 01:48:18 2022 +0000 + + !175 update upstream patches + + From: @lujie42 + Reviewed-by: @HuaxinLuGitee + 
Signed-off-by: @HuaxinLuGitee + +commit 21f06ca0b312fdcf9e596d660a19cec932413bd0 +Author: lujie54 +Date: Thu Sep 15 09:20:10 2022 +0800 + + backport upstream patches + +commit 62ad05ce61c51bf870694a7542217bcb93b8f910 +Merge: 899a7b1 738fcaf +Author: openeuler-ci-bot <80474298@qq.com> +Date: Wed Sep 14 09:10:09 2022 +0000 + + !171 update upstream patches + + From: @lujie42 + Reviewed-by: @HuaxinLuGitee + Signed-off-by: @HuaxinLuGitee + +commit 738fcaf614f1873eadc47c1cb49fe15d0eb9aa58 +Author: lujie54 +Date: Tue Sep 13 20:45:40 2022 +0800 + + update upstream patches + +commit 899a7b17a328b6b060d96c021c797eafbee0be4c +Merge: 3ef622f 45421a2 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Tue Sep 13 12:25:30 2022 +0000 + + !167 update upstream patches + + From: @lujie42 + Reviewed-by: @HuaxinLuGitee + Signed-off-by: @HuaxinLuGitee + +commit 45421a28ba6bef1e238675809a1cac1738b98c84 +Author: lujie54 +Date: Tue Sep 13 19:52:03 2022 +0800 + + update upstream patches + +commit 3ef622fcc2f2193101a1f5a2bd6d29a80db380f4 +Merge: 50a98d9 3c7c076 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Mon Sep 5 03:36:03 2022 +0000 + + !163 update upstream patches + + From: @lujie42 + Reviewed-by: @HuaxinLuGitee + Signed-off-by: @HuaxinLuGitee + +commit 3c7c07692627ca1644adc36f184ed13f8c674edd +Author: lujie54 +Date: Fri Sep 2 15:54:31 2022 +0800 + + backport upstream patches + +commit 50a98d956e8ed44dbc560fb5b3acf2ce8fd0a0e2 +Merge: 634a717 ef438f3 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Fri Aug 19 02:57:34 2022 +0000 + + !159 Allow chage domtrans to sssd + + From: @wxdl + Reviewed-by: @HuaxinLuGitee + 
Signed-off-by: @HuaxinLuGitee + +commit ef438f32fe2160f119586cd7dc2438cf3fbca606 +Author: wxdl <490514142@qq.com> +Date: Thu Aug 18 11:42:50 2022 +0800 + + Allow chage domtrans to sssd + +commit 634a717a51c455328b0a5565c64df159882c83bc +Merge: a3631e7 4fcb059 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Thu Jun 30 12:49:52 2022 +0000 + + !156 Allow domain transition to sssd_t and role access to sssd + From: @lujie42 + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit 4fcb05937d188beb60fe4f5a206152c008c64c5e +Author: lujie54 +Date: Mon Jun 27 21:35:58 2022 +0800 + + Allow domain transition to sssd_t and role access to sssd + +commit a3631e7ab5ce1adb5b925992d524581cd124e720 +Merge: 1fb1efd 14c13b3 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Sat Jun 25 09:26:31 2022 +0000 + + !151 allow httpd to create files in /etc/httpd + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit 14c13b3f9c18ebf2372d387f31e21da8a5b3f71c +Author: luhuaxin +Date: Sat Jun 25 15:21:34 2022 +0800 + + allow httpd to create files in /etc/httpd + +commit 1fb1efdfd1eda661b7660f1793e5512d96238409 +Merge: e91cac7 4fb7ff7 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Thu Apr 28 11:03:58 2022 +0000 + + !148 add open permission to files_read_inherited_tmp_file + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit 4fb7ff7fee307b8b3a8e6cc6b60245110bae2766 +Author: luhuaxin +Date: Thu Apr 28 17:20:43 2022 +0800 + + add open permission to files_read_inherited_tmp_file + +commit e91cac707ed194d023e8b43e8718c0d3d5c54f26 +Merge: 101f681 5d8b207 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Tue Mar 1 02:16:52 2022 +0000 + + !145 fix context of /usr/bin/rpmdb + From: @lujie42 + Reviewed-by: @zhujianwei001 + 
Signed-off-by: @zhujianwei001 + +commit 5d8b207b89bb62ba8d45f2ce434c2e1c3d6526f7 +Author: lujie42 +Date: Mon Feb 28 14:12:17 2022 +0800 + + fix context of /usr/bin/rpmdb + +commit 101f6817a00f37983f98390660be52e41f98ad5f +Merge: c8d151d c098ffa +Author: openeuler-ci-bot <80474298@qq.com> +Date: Mon Feb 21 12:52:14 2022 +0000 + + !143 selinux-requires macro shouldn't depend on policycoreutils-python + From: @lujie42 + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit c098ffa16a791764be34355d3ebd087eaca24090 +Author: lujie42 +Date: Mon Feb 21 10:26:43 2022 +0800 + + selinux-requires macro shouldn't depend on policycoreutils-python + +commit c8d151dfa04302e2a260d0d9090afbfdd3c4d753 +Merge: 2238867 6ebc7b5 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Mon Feb 21 01:46:21 2022 +0000 + + !141 update selinux-policy-3.14.2 to selinux-policy-35.5-1 + From: @lujie42 + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit 6ebc7b5b535a52ae558ca3c86c8635470d3776b2 +Author: lujie42 +Date: Tue Jan 11 20:10:16 2022 +0800 + + update selinux-policy-3.14.2 to selinux-policy-35.5-1 + +commit 22388671cbb00d428170a7920920434a6bbf79cf +Merge: b0507f8 df3c36d +Author: openeuler-ci-bot <80474298@qq.com> +Date: Tue Nov 16 04:10:11 2021 +0000 + + !134 Fix CVE-2020-24612 + From: @lujie42 + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit df3c36d34cc81604dc4f34748efc6db9845eb0e5 +Author: lujie42 <572084868@qq.com> +Date: Fri Oct 8 11:35:33 2021 +0800 + + Fix CVE-2020-24612 + +commit b0507f843a004da306838f7cc1778b966ef84ef0 +Merge: a44af5a be31537 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Thu Sep 30 07:20:42 2021 +0000 + + !131 set httpd_can_network_connect bool true + From: @lujie42 + Reviewed-by: @zhujianwei001 + 
Signed-off-by: @zhujianwei001 + +commit be315378dfbb9e2ff8404983df05ec8087f22946 +Author: lujie42 <572084868@qq.com> +Date: Wed Sep 22 09:47:17 2021 +0800 + + set httpd_can_network_connect bool true + +commit a44af5a0ee74e5ef8de590931896f181e031b89d +Merge: f3b4286 ed7a2bd +Author: openeuler-ci-bot <80474298@qq.com> +Date: Tue Sep 7 01:43:46 2021 +0000 + + !127 Add allow rasdaemon cap_sys_admin + From: @lujie42 + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit ed7a2bd00877103c5b24c4d90465f533d3cbce19 +Merge: 77e27bb f3b4286 +Author: lujie42 <572084868@qq.com> +Date: Fri Sep 3 20:55:13 2021 +0800 + + Merge branch 'master' of https://gitee.com/lujie42/selinux-policy + +commit 77e27bb287812f4fa8b687f6d91b80523d566439 +Author: lujie42 <572084868@qq.com> +Date: Fri Sep 3 20:45:51 2021 +0800 + + Add allow rasdaemon cap_sys_admin + +commit f3b4286d02636436807847f93e1e43c1a48d8eae +Merge: 40252f9 2530406 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Tue Aug 31 12:21:18 2021 +0000 + + !126 Allow systemd hostnamed read udev runtime data + From: @lujie42 + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit 2530406b8f3dc620f886455d747ca3c08b882cd2 +Author: lujie42 <572084868@qq.com> +Date: Tue Aug 31 16:06:49 2021 +0800 + + Allow systemd hostnamed read udev runtime data + +commit 40252f9d443e8dcc7d30facaa3c020f535acd41c +Merge: f4a5821 ad1f8e0 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Sat Aug 28 06:10:43 2021 +0000 + + !124 add avc for systemd selinux page + From: @extinctfire + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit ad1f8e0d0d94690aadb9856336ad539a0ad1d3f4 +Author: ExtinctFire +Date: Sat Aug 28 11:26:03 2021 +0800 + + add avc for systemd selinux page + + Signed-off-by: ExtinctFire + +commit f4a58218c6b5825e2faee8ca523313ded6e41ad7 +Merge: ee95a50 a7e5891 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Fri Aug 20 07:04:51 2021 +0000 + + !121 Add qemu_exec_t for stratovirt. + 
From: @yangming73 + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit a7e58912d2461c8915181f7af88c5c889cebaaef +Author: Ming Yang +Date: Fri Aug 20 14:17:15 2021 +0800 + + Add qemu_exec_t for stratovirt. + + Signed-off-by: Ming Yang + +commit ee95a508effae0362cac27aa2e95d03556573f4c +Merge: 106ec7c afff97a +Author: openeuler-ci-bot <80474298@qq.com> +Date: Sat Jul 31 11:38:01 2021 +0000 + + !119 add weak dep of selinux-policy-targeted + From: @lujie42 + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit afff97ac55ad6403d78ebe9cbc4891982fb878af +Author: lujie42 <572084868@qq.com> +Date: Thu Jul 22 20:06:32 2021 +0800 + + Add weak dep of selinux-policy-targeted + +commit 106ec7cd525d54aea83fbc0f0ef04a59087f7ff8 +Merge: f216084 c1e30c1 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Mon Jun 21 12:50:40 2021 +0000 + + !113 [backport] iptables.fc: Add missing legacy-restore and legacy-save entries + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit c1e30c15e937bb226adf263da574a855f511a2ad +Author: luhuaxin <1539327763@qq.com> +Date: Thu Jun 17 21:40:29 2021 +0800 + + [backport] iptables.fc: Add missing legacy-restore and legacy-save entries + +commit f2160847b603eb8d7db26123371afe8a96f6a9d8 +Merge: bbb7898 83e1d46 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Tue Jun 15 11:45:38 2021 +0000 + + !112 fix context of ebtables + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001 + 
Signed-off-by: @zhujianwei001 + +commit 83e1d46407c7024727d0ff5e0a5fdc021f06a369 +Author: 卢华歆 <1539327763@qq.com> +Date: Wed Jun 9 10:32:09 2021 +0800 + + fix context of ebtables + +commit 95b77d54382df891cedc826f5d9e76b172d1c5a7 +Author: luhuaxin <1539327763@qq.com> +Date: Wed Jun 9 10:24:39 2021 +0800 + + fix context of ebtables + +commit bbb7898a9998f88b62fc546ce16cc53e8ab351b4 +Merge: a80a853 67a202c +Author: openeuler-ci-bot <80474298@qq.com> +Date: Tue Jun 1 10:11:42 2021 +0800 + + !102 backport upstream patch + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit 67a202caa456cad47b9518a783fa93cc571626e1 +Author: luhuaxin <1539327763@qq.com> +Date: Mon May 31 16:38:15 2021 +0800 + + backport some upstream patches + +commit a80a853d59f93d96a28e242ac2e71f1c3e65d5d6 +Merge: e5328d3 376ce47 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Sat May 29 16:33:38 2021 +0800 + + !100 allow kdump_t net_admin capability + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit 376ce47dad2634d983242e87f588d185f40dda87 +Author: luhuaxin <1539327763@qq.com> +Date: Sat May 29 14:50:37 2021 +0800 + + allow kdump_t net_admin capability + +commit e5328d37b4a5b658191a363f1c50195b9a48bfa9 +Merge: 77c0703 f6c6e70 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Thu May 27 22:10:38 2021 +0800 + + !95 allow rpcbind to bind all udp ports + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit f6c6e703eba75f663b4459422da44cdb66f2b44e +Author: luhuaxin <1539327763@qq.com> +Date: Thu May 27 20:46:18 2021 +0800 + + allow rpcbind to bind all port + +commit 77c0703f3394d9a18b23e5b74b3814b42512ab1f +Merge: 0c24e3d 64b450c +Author: openeuler-ci-bot <80474298@qq.com> +Date: Fri Mar 5 11:35:29 2021 +0800 + + !80 sync modification on other branches + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001 + 
Signed-off-by: @zhujianwei001 + +commit 64b450cf9949c3a54e706da28466f718a1d6072e +Author: HuaxinLuGitee <1539327763@qq.com> +Date: Fri Mar 5 09:56:07 2021 +0800 + + sync modification on other branches + +commit 0c24e3de8b9065c5620f9cb1801050d8325feadd +Merge: 6a2a24f ee48de4 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Thu Mar 4 21:27:47 2021 +0800 + + !72 revert sync pr + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit ee48de4148a97306ac824878c8adcb2592436d32 +Author: HuaxinLuGitee <1539327763@qq.com> +Date: Thu Mar 4 20:51:15 2021 +0800 + + Revert "!63 [sync] PR-61: add patch for allowing systemd services to check selinux status" + + This reverts commit 6a2a24f73728bc6f9f84ee86a9b9e55f990ab159, reversing + changes made to e32b39f7dceeba4920507a916d6f6856d274c076. + +commit 6a2a24f73728bc6f9f84ee86a9b9e55f990ab159 +Merge: e32b39f c94c44a +Author: openeuler-ci-bot <80474298@qq.com> +Date: Thu Mar 4 19:58:02 2021 +0800 + + !63 [sync] PR-61: add patch for allowing systemd services to check selinux status + From: @openeuler-sync-bot + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit c94c44a3e16ec05cee22327e8d765425a1607f24 +Author: HuaxinLuGitee <1539327763@qq.com> +Date: Sat Feb 27 16:27:04 2021 +0800 + + add patch + + (cherry picked from commit 2d0372bd1827949321901de7d997f5c88ee9cd9d) + +commit e32b39f7dceeba4920507a916d6f6856d274c076 +Merge: b9f56b9 8e67f05 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Sun Dec 13 20:36:02 2020 +0800 + + !57 add avc for openEuler on master + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001 + 
Signed-off-by: @zhujianwei001 + +commit 8e67f056a610a10db9843c675b6ad0c2deec7636 +Author: HuaxinLuGitee <1539327763@qq.com> +Date: Sun Dec 13 15:36:39 2020 +0800 + + add avc + +commit b9f56b9c5608bf960b5c6467f590383e487259e0 +Merge: 3ec8181 262c228 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Thu Dec 10 19:23:24 2020 +0800 + + !52 add rule for systemd timedated on master + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit 262c228f6121ef81819e0487799fe9ed20b0cbd3 +Author: HuaxinLuGitee <1539327763@qq.com> +Date: Tue Dec 8 21:01:54 2020 +0800 + + add rule for systemd timedated + +commit 3ec818194a166c2e5c78f3ec43201f28202bd0bb +Merge: d57e5a8 1a12ac8 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Mon Dec 7 09:15:44 2020 +0800 + + !47 add release require of policycoreutils on master + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit 1a12ac8216dce8181ab7c78f1ff54d3340bfe151 +Author: HuaxinLuGitee <1539327763@qq.com> +Date: Fri Dec 4 18:08:16 2020 +0800 + + fix spec + +commit d57e5a8d2bf09e444c8e9128068d24a83fc1d3e2 +Merge: db13a39 75a1e4b +Author: openeuler-ci-bot <80474298@qq.com> +Date: Fri Sep 25 09:20:12 2020 +0800 + + !34 添加YAML文件 + From: @caffeaulait + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit 75a1e4b90fb86f26803ebe33085d17295e6586bb +Author: caffeaulait +Date: Thu Sep 24 20:17:16 2020 +0800 + + Add yaml file + +commit db13a397f4272f12f7243d538e4f3145b4201c05 +Merge: 9364846 3a0f999 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Thu Sep 24 14:07:40 2020 +0800 + + !32 add file context for firewalld temporary file + From: @nettingsisyphus + Reviewed-by: @zhujianwei001 + 
Signed-off-by: @zhujianwei001 + +commit 3a0f999a8132764ec9c846681ee3a261991b3d00 +Author: Anakin Zhang +Date: Thu Sep 24 09:40:51 2020 +0800 + + add file context for firewalld temporary file + +commit 9364846f4620349489eaf45c47675a8dcae4b59a +Merge: abf02cd f65bfeb +Author: openeuler-ci-bot <80474298@qq.com> +Date: Wed Sep 23 12:48:25 2020 +0800 + + !31 同步20.09分支补丁到master分支 + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit f65bfeb2f7289d5df9aa0c37c7dc40d31b2759f8 +Merge: c13c700 5298b81 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Tue Sep 22 21:36:01 2020 +0800 + + !30 add patch for systemd hostnamed and logind + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001 + Signed-off-by: @zhujianwei001 + +commit 5298b813e1f9121faac34d0ffba13c18bad7e845 +Author: HuaxinLuGitee <1539327763@qq.com> +Date: Tue Sep 22 21:14:15 2020 +0800 + + add patch for systemd hostnamed and logind + +commit c13c700791f6434a19b67e8b3a6641c92de59ff3 +Merge: 49142c8 06fcfa3 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Mon Sep 21 12:17:44 2020 +0800 + + !29 add patch for machined to delete userdbd socket + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001,@zhujianwei001 + Signed-off-by: @zhujianwei001,@zhujianwei001 + +commit 06fcfa3a98a5ab9fecb8e4bbb310412abe9ccc1a +Author: HuaxinLuGitee <1539327763@qq.com> +Date: Thu Sep 17 17:21:33 2020 +0800 + + add patches for machined to delete userdbd socket + +commit 49142c8bddad18b90ed8e349bf9dce27328e1abe +Merge: 63c58d1 a739fb7 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Fri Sep 11 11:33:43 2020 +0800 + + !27 add patch for virt + From: @HuaxinLuGitee + Reviewed-by: @zhujianwei001 + 
Signed-off-by: @zhujianwei001 + +commit a739fb7124353d6614a83a27db5fa21114ee31f4 +Author: HuaxinLuGitee <1539327763@qq.com> +Date: Thu Sep 10 21:03:18 2020 +0800 + + add patch for virt + +commit 63c58d14b97a1e337d6a9f7079d70b3a51d5c30f +Merge: abf02cd 68df94f +Author: openeuler-ci-bot <80474298@qq.com> +Date: Fri Aug 28 23:20:52 2020 +0800 + + !21 add add_userman_access_run_dir.patch + Merge pull request !21 from 卢华歆/openEuler-20.09 + +commit 68df94f5e3114fcaa05209aabca3e008e5f4b167 +Author: HuaxinLuGitee <1539327763@qq.com> +Date: Fri Aug 28 22:45:33 2020 +0800 + + add add_userman_access_run_dir.patch + +commit abf02cdf15b82979ffca5ad22d11540c7a8ad14f +Merge: 4eeae61 52b068a +Author: openeuler-ci-bot <80474298@qq.com> +Date: Wed Jul 29 16:42:43 2020 +0800 + + !19 update to 20200711 + Merge pull request !19 from guoxiaoqi/next + +commit 52b068a5c680022da150afd3a3055e72b459dc69 +Author: guoxiaoqi +Date: Mon Jul 27 09:36:04 2020 +0800 + + update selinux-policy + +commit 4eeae61a0529e69461968ae39eed840f46c17443 +Merge: e2be45c 6829f2b +Author: openeuler-ci-bot <80474298@qq.com> +Date: Tue Jul 21 14:36:56 2020 +0800 + + !16 add patch to fixing logind read issue of dist device + Merge pull request !16 from steven/master + +commit 6829f2b54dea543cf0aca5c5d3482c53ad8546fa +Author: huangzq6 +Date: Mon Jul 20 17:40:10 2020 +0800 + + add patch to fixing logind read issue of dist device + +commit e2be45cea535c942b9768c7a1190a12e021f57fe +Merge: c00d8c0 dfcc13f +Author: openeuler-ci-bot <80474298@qq.com> +Date: Tue Jul 7 15:47:49 2020 +0800 + + !15 add yaml file + Merge pull request !15 from guoxiaoqi/next + +commit dfcc13fd93e129134c7757bd9722caff6780e1df +Author: guoxiaoqi +Date: Fri Jul 3 15:46:10 2020 +0800 + + add yaml file + +commit c00d8c0dbccf1b1d9a706c154a87025120563b98 +Merge: 5a2206f 8ad71f4 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Fri Jun 5 20:25:50 2020 +0800 + + !13 selinux-policy: add avc for openEuler + Merge pull request !13 from guoxiaoqi/next + 
+commit 8ad71f4dc61f4ea22f6220d332f022d8451de6a4 +Author: guoxiaoqi +Date: Thu Jun 4 20:48:55 2020 +0800 + + add avc for openEuler + +commit 5a2206fa24fb0e5611e209f8659c488bfbcf8131 +Merge: 0532f2d 899b6a7 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Tue Jun 2 14:23:56 2020 +0800 + + !11 selinux-policy: allow passwd to write and map sssd var lib + Merge pull request !11 from guoxiaoqi/next + +commit 899b6a7957fce2a594b62848cffa1642c6158bd4 +Author: guoxiaoqi +Date: Sat May 30 10:59:50 2020 +0800 + + allow passwd to map and write sssd var lib + +commit 0532f2d6f9b4c2cea9cfe333d81371d4614b6ef2 (tag: openEuler-20.03-LTS-tag) +Merge: 8a188b6 072717c +Author: openeuler-ci-bot <80474298@qq.com> +Date: Fri Mar 20 18:21:26 2020 +0800 + + !10 use container-selinux of version 2.73 + Merge pull request !10 from guoxiaoqi/next + +commit 072717ccd5544863a12427ae4213ead13ff5ebc0 +Author: guoxiaoqi +Date: Fri Mar 20 17:29:41 2020 +0800 + + use container-selinux.tgz of 2.73 + +commit 8a188b6def8fcbe7efe316d09e6197c68ded8de6 +Merge: ee1eebb 65e8657 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Tue Mar 17 19:53:20 2020 +0800 + + !9 fix upgrade error + Merge pull request !9 from guoxiaoqi/host + +commit 65e8657831d358c0ecdff421da16c62acac1f7a8 +Author: guoxiaoqi +Date: Tue Mar 17 18:02:15 2020 +0800 + + fix upgrade error + +commit ee1eebbb7e02edc0c92f8790eb64c5780dadfdb4 +Merge: d2a37ad 7cd2124 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Fri Mar 13 09:23:57 2020 +0800 + + !8 fix upgrade error + Merge pull request !8 from guoxiaoqi/host + +commit 7cd212411fdddfddfcba190cf040708ec6e347df +Author: guoxiaoqi +Date: Thu Mar 12 15:23:53 2020 +0800 + + fix upgrade error + +commit d2a37ad8941961c78c7af33dd1d285070569c890 +Merge: f4cdc6c f47e6a3 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Sat Feb 29 17:46:48 2020 +0800 + + !7 enable selinux + Merge pull request !7 from guoxiaoqi/next + +commit f47e6a357b1427c1db8583248587376627ea246a +Author: guoxiaoqi +Date: Sat Feb 
29 14:26:54 2020 +0800 + + enable selinux + +commit f4cdc6c2cc077d2721a63c8acaf183f72c75b376 +Merge: 4d7d525 32ea5da +Author: openeuler-ci-bot <80474298@qq.com> +Date: Wed Feb 26 18:38:27 2020 +0800 + + !6 selinux-policy: update avc for openEuler + Merge pull request !6 from guoxiaoqi/next + +commit 32ea5da14147420fb6550c2f11282731c814887f +Author: guoxiaoqi +Date: Wed Feb 26 14:13:26 2020 +0800 + + update avc for openEuler + +commit 4d7d525568895345ef554df0e61a634908c2a5a3 (origin/openEuler1.0-base, origin/openEuler1.0) +Merge: 49fe53e d81e448 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Sun Jan 19 11:06:37 2020 +0800 + + !5 selinux: set selinux to permissive + Merge pull request !5 from guoxiaoqi/next + +commit d81e448206a6bd3fed873e2f553b8dddfe004123 +Author: guoxiaoqi +Date: Sun Jan 19 10:55:56 2020 +0800 + + set selinux to permissive + +commit 49fe53efe712274c37c24ca8ec1f9443a6efdbe8 +Merge: 2db7a5b ee35537 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Sat Jan 18 14:57:39 2020 +0800 + + !4 enable selinux + Merge pull request !4 from guoxiaoqi/next + +commit ee355371e26c11d6dc2bc69f2c11f95850f62709 +Author: guoxiaoqi +Date: Fri Jan 17 18:18:35 2020 +0800 + + enable selinux + +commit 2db7a5b459e289b340357d0d27fd43a36ab209b1 +Merge: bd1c260 1466a1c +Author: openeuler-ci-bot <80474298@qq.com> +Date: Wed Jan 15 22:39:21 2020 +0800 + + !2 selinux-policy: clean code + Merge pull request !2 from guoxiaoqi/local + +commit 1466a1c64d16a16cfb7506e2901919c4fe585374 +Author: openeuler_eason +Date: Wed Jan 15 21:54:30 2020 +0800 + + selinux-policy: clean code + +commit bd1c2601f2aab8d42279149c1ba55f81dbde8707 +Merge: 8fe7953 e7cf434 +Author: openeuler-ci-bot <80474298@qq.com> +Date: Sat Jan 11 17:38:40 2020 +0800 + + !1 selinux-policy: update container-selinux.tgz + Merge pull request !1 from guoxiaoqi/next + +commit e7cf434c202d9a2d86f8c680c32c4af341e609c1 +Author: guoxiaoqi +Date: Fri Jan 10 15:38:12 2020 +0800 + + update container-selinux.tgz + +commit 
8fe7953f61c98493cd8f9f944c67bb22ae1c304b +Author: dogsheng <960055655@qq.com> +Date: Wed Dec 25 16:07:15 2019 +0800 + + Package init + +commit fcfd9753407deaf5166f5dbd2582c91751642a4c +Author: overweight <5324761+overweight@user.noreply.gitee.com> +Date: Mon Sep 30 11:16:49 2019 -0400 + + Package init diff --git a/macro-expander b/macro-expander new file mode 100644 index 0000000000000000000000000000000000000000..2670b61dcaa29b7e89146f773c21bc45595abaf4 --- /dev/null +++ b/macro-expander 
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+function usage {
+ echo "Usage: $0 [ -c | -t [ -M ] ] "
+ echo "Options:
+ -c generate CIL output
+ -t generate standard policy source format (.te) allow rules - this is default
+ -M generate complete module .te output
+"
+}
+
+function cleanup {
+ rm -rf $TEMP_STORE
+}
+
+while getopts "chMt" opt; do
+ case $opt in
+ c) GENCIL=1
+ ;;
+ t) GENTE=1
+ ;;
+ M) GENTEMODULE=1
+ ;;
+ h) usage
+ exit 0
+ ;;
+ \?) usage
+ exit 1
+ ;;
+ esac
+done
+
+shift $((OPTIND-1))
+
+SELINUX_MACRO=$1
+
+if [ -z "$SELINUX_MACRO" ]
+then
+ exit 1
+fi
+
+TEMP_STORE="$(mktemp -d)"
+cd $TEMP_STORE || exit 1
+
+IFS="("
+set $1
+SELINUX_DOMAIN="${2::-1}"
+
+echo -e "policy_module(expander, 1.0.0) \n" \
+ "gen_require(\`\n" \
+ "type $SELINUX_DOMAIN ; \n" \
+ "')" > expander.te
+
+echo "$SELINUX_MACRO" >> expander.te
+
+make -f /usr/share/selinux/devel/Makefile tmp/all_interfaces.conf &> /dev/null
+
+if [ "x$GENCIL" = "x1" ]; then
+
+ make -f /usr/share/selinux/devel/Makefile expander.pp &> /dev/null
+ MAKE_RESULT=$?
+
+ if [ $MAKE_RESULT -ne 2 ]
+ then
+ /usr/libexec/selinux/hll/pp < $TEMP_STORE/expander.pp > $TEMP_STORE/expander.cil 2> /dev/null
+ grep -v "cil_gen_require" $TEMP_STORE/expander.cil | sort -u
+ fi
+fi
+
+if [ "$GENTE" = "1" ] || [ "x$GENCIL" != "x1" ]; then
+ m4 -D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s /usr/share/selinux/devel/include/support/file_patterns.spt /usr/share/selinux/devel/include/support/ipc_patterns.spt /usr/share/selinux/devel/include/support/obj_perm_sets.spt /usr/share/selinux/devel/include/support/misc_patterns.spt /usr/share/selinux/devel/include/support/misc_macros.spt /usr/share/selinux/devel/include/support/all_perms.spt /usr/share/selinux/devel/include/support/mls_mcs_macros.spt /usr/share/selinux/devel/include/support/loadable_module.spt tmp/all_interfaces.conf expander.te > expander.tmp 2> /dev/null
+ if [ "x$GENTEMODULE" = "x1" ]; then
+ # sed '/^#.*$/d;/^\s*$/d;/^\s*class .*/d;/^\s*category .*/d;s/^\s*//' expander.tmp
+ sed '/^#.*$/d;/^\s*$/d;/^\s*category .*/d;s/^\s*//' expander.tmp
+ else
+ grep '^\s*allow' expander.tmp | sed 's/^\s*//'
+ fi
+fi
+
+cd - > /dev/null || exit 1
+cleanup
diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf
index a8775dbe058fcd04ae3046b411fbfdd016ede092..e7456ef911ae21223b0edaa9a656e3695ba96210 100644
--- a/modules-targeted-base.conf
+++ b/modules-targeted-base.conf
@@ -391,10 +391,3 @@ udev = module
 # The unconfined domain.
 #
 unconfined = module
-
-# Layer: system
-# Module: kdbus
-#
-# Policy for kdbus.
-#
-kdbus = module
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 9568fe60afce9d48ea15b9ed02e9e6647f8d5ffc..ac38e25cd14914978d0a444acf8ebdb978a78cd8 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
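Review bot: `cd $TEMP_STORE || exit 1` near the top of the script and `rm -rf $TEMP_STORE` in cleanup use the mktemp result unquoted, so when `mktemp -d` fails and TEMP_STORE is empty the `cd` silently lands in $HOME, expander.te is written there, and cleanup runs `rm -rf` with no operand; quote both (`cd "$TEMP_STORE" || exit 1`, `rm -rf "$TEMP_STORE"`) and exit when mktemp returns nothing. The temporary directory is also left behind on the `exit 1` after `cd -`, which a `trap cleanup EXIT` placed right after mktemp would cover. `IFS="("` is set for the `set $1` split and never restored, so every unquoted expansion after it splits on `(` instead of whitespace. The spec's Source1 comment says this tool is taken from an upstream repository, so these fixes may belong upstream and be carried here as a patch.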
@@ -342,13 +342,6 @@ cmirrord = module
 #
 cobbler = module
 
-# Layer: contrib
-# Module: cockpit
-#
-# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines.
-#
-cockpit = module
-
 # Layer: services
 # Module: collectd
 #
@@ -2381,13 +2374,6 @@ minissdpd = module
 #
 freeipmi = module
 
-# Layer: contrib
-# Module: freeipmi
-#
-# ipa policy module contain SELinux policies for IPA services
-#
-ipa = module
-
 # Layer: contrib
 # Module: mirrormanager
 #
@@ -2663,3 +2649,24 @@ rrdcached = module
 # stratisd
 #
 stratisd = module
+
+# Layer: contrib
+# Module: ica
+#
+# ica
+#
+ica = module
+
+# Layer: contrib
+# Module: fedoratp
+#
+# fedoratp
+#
+fedoratp = module
+
+# Layer: services
+# Module: virt_supplementary
+#
+# non-libvirt virtualization libraries
+#
+virt_supplementary = module
diff --git a/selinux-policy-9c84d68.tar.gz b/selinux-policy-9c84d68.tar.gz
deleted file mode 100644
index c245c80fc1566cd634467117b3c6466e9cbb1506..0000000000000000000000000000000000000000
Binary files a/selinux-policy-9c84d68.tar.gz and /dev/null differ
diff --git a/selinux-policy-contrib-27225b9.tar.gz b/selinux-policy-contrib-27225b9.tar.gz
deleted file mode 100644
index 035d809aa7b1fc4a06bcd634bff3a8707a9f9121..0000000000000000000000000000000000000000
Binary files a/selinux-policy-contrib-27225b9.tar.gz and /dev/null differ
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ba89c36c22cc5a5af09b170ec8538d404a7a62b5..6dfdf8470ff69665a7458757d95d219455c95b4b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
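Review bot: The description lines of the first two entries added in the last hunk only repeat the module name (`# ica`, `# fedoratp`), whereas the neighbouring entries and the new `virt_supplementary` one state what the module covers. Replacing each with a one-line description of the confined component keeps the file's convention and lets a reader judge whether the module is needed on a given system without opening the policy source.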
@@ -5,19 +5,22 @@ %define BUILD_TARGETED 1 %define BUILD_MINIMUM 1 %define BUILD_MLS 1 -%define POLICYVER 32 -%define POLICYCOREUTILSVER 3.0-5 -%define CHECKPOLICYVER 3.0 +%define POLICYVER 33 +%define POLICYCOREUTILSVER 3.4 +%define CHECKPOLICYVER 3.2 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.14.2 -Release: 71 +Version: 40.7 +Release: 3 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ -Source0: https://github.com/fedora-selinux/selinux-policy/archive/9c84d687e0fef5d8e4e25273bd25f58c28a7c67c/selinux-policy-9c84d68.tar.gz -Source1: https://github.com/fedora-selinux/selinux-policy-contrib/archive/27225b9de42be65760194536680c9d596f1a1895/selinux-policy-contrib-27225b9.tar.gz +Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v40.7.tar.gz + +# Tool helps during policy development, to expand system m4 macros to raw allow rules +# Git repo: https://github.com/fedora-selinux/macro-expander.git +Source1: macro-expander # We obtain Source2~Source24 from https://src.fedoraproject.org/rpms/selinux-policy/tree/master Source2: modules-targeted-base.conf 
@@ -50,74 +53,35 @@ Source24: rpm.macros Source35: container-selinux.tgz Patch0: Allow-local_login-to-be-access-to-var-run-files-and-.patch -Patch1: access-to-iptables-run-file.patch -Patch2: add-access-to-faillog-file-for-systemd.patch -Patch3: add-allow-to-be-access-to-sssd-dir-and-file.patch -Patch4: add-allow-shadow-tool-to-access-sssd-var-lib-file-di.patch -Patch5: fix-selinux-label-for-hostname-digest-list.patch -Patch6: solve-shutdown-permission-denied-caused-by-dracut.patch -Patch7: add-allow-for-ldconfig-to-map-libsudo_util-so.patch -Patch8: add-avc-for-kmod.patch -Patch9: allow-ipmievd-to-read-the-process-state-proc-pid-of-.patch -Patch10: add-avc-for-systemd-journald.patch -Patch11: add-avc-for-systemd-hostnamed-and-systemd-logind.patch -Patch12: add-avc-for-systemd.patch -Patch13: allow-systemd-to-mount-unlabeled-filesystemd.patch -Patch14: add_userman_access_run_dir.patch -Patch15: allow-systemd-machined-create-userdbd-runtime-sock-file.patch -Patch16: allow-systemd_machined_t-delete-userdbd-runtime-sock.patch -Patch17: allow-systemd-hostnamed-and-logind-read-policy.patch -Patch18: add-firewalld-fc.patch -Patch19: add-allow-systemd-timedated-to-unlink-etc-link.patch -Patch20: add-avc-for-openEuler-1.patch -Patch21: backport-systemd-allow-all-systemd-services-to-check-selinux-.patch -Patch22: backport-Allow-dovecot-bind-to-smtp-ports.patch -Patch23: allow-rpcbind-to-bind-all-port.patch - -Patch6000: backport-Allow-kdump_t-net_admin-capability.patch -Patch6001: backport-Allow-systemd-logind-dbus-chat-with-fwupd.patch -Patch6002: backport-Allow-auditd-manage-kerberos-host-rcache-files.patch -Patch6003: backport-Add-dev_lock_all_blk_files-interface.patch -Patch6005: backport-Define-named-file-transition-for-sshd-on-tmp-krb5_0..patch -Patch6006: backport-Allow-nsswitch_domain-to-connect-to-systemd-machined.patch -Patch6007: backport-Allow-unconfined_t-to-node_bind-icmp_sockets-in-node.patch -Patch6008: 
backport-Create-macro-corenet_icmp_bind_generic_node.patch -Patch6009: backport-Allow-traceroute_t-and-ping_t-to-bind-generic-nodes.patch -Patch6010: backport-Allow-passwd-to-get-attributes-in-proc_t.patch -Patch6011: backport-Allow-login_pgm-attribute-to-get-attributes-in-proc_.patch -Patch6012: backport-Allow-syslogd_t-domain-to-read-write-tmpfs-systemd-b.patch -Patch6013: backport-Allow-all-users-to-connect-to-systemd-userdbd-with-a.patch -Patch6014: backport-Add-new-devices-and-filesystem-interfaces.patch -Patch6015: backport-Add-lvm_dbus_send_msg-lvm_rw_var_run-interfaces.patch -Patch6016: backport-Allow-domain-write-to-an-automount-unnamed-pipe.patch -Patch6017: backport-Allow-dyntransition-from-sshd_t-to-unconfined_t.patch -Patch6018: backport-Allow-initrc_t-create-run-chronyd-dhcp-directory-wit.patch -Patch6019: backport-Update-systemd_resolved_read_pid-to-also-read-symlin.patch -Patch6020: backport-Allow-systemd-resolved-manage-its-private-runtime-sy.patch -Patch6021: backport-Allow-systemd-logind-manage-init-s-pid-files.patch -Patch6022: backport-Add-systemd_resolved_write_pid_sock_files-interface.patch -Patch6023: backport-Allow-nsswitch-domain-write-to-systemd-resolved-PID-.patch -Patch6024: backport-sysnetwork.if-avoid-directly-referencing-systemd_res.patch -Patch6025: backport-Allow-stub-resolv.conf-to-be-a-symlink.patch -Patch6026: backport-Allow-domain-stat-proc-filesystem.patch -Patch6027: backport-Allow-domain-write-to-systemd-resolved-PID-socket-fi.patch -Patch6028: backport-Allow-systemd-machined-manage-systemd-userdbd-runtim.patch -Patch6029: backport-Allow-domain-stat-the-sys-filesystem.patch -Patch6030: backport-Allow-login_userdomain-write-inaccessible-nodes.patch -Patch6031: backport-Allow-local_login_t-get-attributes-of-tmpfs-filesyst.patch -Patch6032: backport-Allow-dhcpc_t-domain-transition-to-chronyc_t.patch -Patch6033: backport-Allow-nsswitch_domain-read-cgroup-files.patch -Patch6034: 
backport-Allow-IPsec-and-certmonger-to-use-opencryptoki-servi.patch -Patch6035: backport-Create-chronyd_pid_filetrans-interface.patch -Patch6036: backport-iptables.fc-Remove-duplicate-file-context-entries.patch -Patch6037: backport-iptables.fc-Add-missing-legacy-entries.patch -Patch6038: backport-iptables.fc-Add-missing-legacy-restore-and-legacy-sa.patch +Patch1: fix-selinux-label-for-hostname-digest-list.patch +Patch2: add-allow-for-ldconfig-to-map-libsudo_util-so.patch +Patch3: allow-ipmievd-to-read-the-process-state-proc-pid-of-.patch +Patch4: add_userman_access_run_dir.patch +Patch5: add-firewalld-fc.patch +Patch6: add-allow-systemd-timedated-to-unlink-etc-link.patch +Patch7: add-avc-for-os-1.patch +Patch8: allow-rpcbind-to-bind-all-port.patch +Patch9: add-avc-for-systemd-journald.patch +Patch10: add-avc-for-systemd.patch + +Patch9000: add-qemu_exec_t-for-stratovirt.patch +Patch9001: fix-context-of-usr-bin-rpmdb.patch +Patch9002: Add-permission-open-to-files_read_inherited_tmp_file.patch +Patch9003: allow-httpd-to-put-files-in-httpd-config-dir.patch +Patch9004: allow-map-postfix_master_t.patch +Patch9005: add-rule-for-hostnamed-to-rpmscript-dbus-chat.patch +Patch9006: allow-init_t-create-fifo-file-in-net_conf-dir.patch +Patch9007: Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch +Patch9008: Policy-for-restoring-kernel_t.patch +Patch9009: Allow-init_t-nnp-domain-transition-to-abrtd_t.patch BuildArch: noarch -BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc +BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc procps-ng Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(post): /bin/awk /usr/bin/sha512sum Requires: rpm-plugin-selinux +Requires: selinux-policy-any = %{version}-%{release} +Provides: selinux-policy-base = %{version}-%{release} Suggests: selinux-policy-targeted %description 
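Review bot: The new patch list carries `Patch9007: Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch` and `Patch9008: Policy-for-restoring-kernel_t.patch`, whose names suggest this build re-allows kernel_t to execute bin_t/usr_t programs without a domain transition, but neither the spec nor the 40.7 changelog entries say why. If that reading of the names is right, a comment above `Patch9007:` naming the component that needs it would let the next rebase decide whether the revert is still required. The same hunk's `Requires: selinux-policy-any` and `Provides: selinux-policy-base` pair matches the Provides changes in the targeted, minimum and mls subpackages further down, so the main package still pulls one policy store in; a one-line comment there would help, since `selinux-policy-base` changes meaning with this commit.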
@@ -225,6 +189,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \ %nil %define relabel() \ @@ -236,13 +201,14 @@ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.p %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \ rm -f ${FILE_CONTEXT}.pre; \ fi; \ +%{_sbindir}/restorecon -R /var/lib/rpm \ if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \ continue; \ fi; %define preInstall() \ if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \ - for MOD_NAME in ganesha ipa_custodia; do \ + for MOD_NAME in ganesha ipa_custodia kdbus; do \ if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \ %{_sbindir}/semodule -n -d $MOD_NAME; \ fi; \ @@ -335,13 +301,8 @@ end %build %prep -%setup -n %{name}-contrib-27225b9de42be65760194536680c9d596f1a1895 -q -b 1 -tar -xf %{SOURCE35} -contrib_path=`pwd` -%setup -n %{name}-9c84d687e0fef5d8e4e25273bd25f58c28a7c67c -q - -refpolicy_path=`pwd` -cp $contrib_path/* $refpolicy_path/policy/modules/contrib +%setup -n %{name}-%{version} -q +tar -C policy/modules/contrib -xf %{SOURCE35} %autopatch -p1 @@ -358,6 +319,8 @@ touch %{buildroot}%{_sysconfdir}/selinux/config touch %{buildroot}%{_sysconfdir}/sysconfig/selinux mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ cp %{SOURCE21} %{buildroot}%{_usr}/lib/tmpfiles.d/ +mkdir -p %{buildroot}%{_bindir} +install -m 755 %{SOURCE1} %{buildroot}%{_bindir}/ mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/ mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/ 
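Review bot: The `%{_sbindir}/restorecon -R /var/lib/rpm \` line added to the relabel macro in the second hunk is the only statement in the macro without a trailing `;` and the only restorecon call whose stderr is not discarded, so wherever %relabel is expanded a missing /var/lib/rpm prints errors into the scriptlet output; `%{_sbindir}/restorecon -R /var/lib/rpm 2> /dev/null; \` matches the surrounding lines. rpm expands the backslash continuations to newlines, so the absent `;` is presumably harmless, but the inconsistency invites a misread. The relabel macro begins outside the hunk.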
@@ -491,6 +454,7 @@ exit 0 %package devel Summary: SELinux policy devel +Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} m4 checkpolicy >= %{CHECKPOLICYVER} /usr/bin/make Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER} @@ -502,6 +466,7 @@ selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null exit 0 %files devel +%{_bindir}/macro-expander %dir %{_usr}/share/selinux/devel %dir %{_usr}/share/selinux/devel/include %{_usr}/share/selinux/devel/include/* @@ -530,7 +495,7 @@ Summary: SELinux targeted base policy Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} coreutils selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} -Provides: selinux-policy-base = %{version}-%{release} +Provides: selinux-policy-any = %{version}-%{release} Obsoletes: selinux-policy-targeted-sources < 2 Obsoletes: mod_fcgid-selinux <= %{version}-%{release} Obsoletes: cachefilesd-selinux <= 0.10-1 @@ -615,7 +580,7 @@ Requires(pre): coreutils selinux-policy = %{version}-%{release} Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER} Requires: selinux-policy = %{version}-%{release} -Provides: selinux-policy-base = %{version}-%{release} +Provides: selinux-policy-any = %{version}-%{release} Conflicts: seedit Conflicts: container-selinux <= 1.9.0-9 @@ -714,9 +679,9 @@ exit 0 %package mls Summary: SELinux mls base policy Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd selinux-policy = %{version}-%{release} -Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} coreutils +Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} coreutils selinux-policy = %{version}-%{release} -Provides: selinux-policy-base = %{version}-%{release} +Provides: selinux-policy-any = %{version}-%{release} Obsoletes: selinux-policy-mls-sources < 2 Conflicts: seedit Conflicts: container-selinux <= 1.9.0-9 
@@ -778,6 +743,112 @@ exit 0
 %endif
 
 %changelog
+* Tue Aug 13 2024 liyanan - 40.7-3
+- Allow init_t nnp domain transition to abrtd_t
+
+* Thu Apr 11 2024 jinlun - 40.7-2
+- update modules-targeted-contrib.conf
+
+* Thu Dec 28 2023 jinlun - 40.7-1
+- update version to 40.7
+ - Allow chronyd-restricted read chronyd key files
+ - Allow systemd-sleep set attributes of efivarfs files
+ - Make name_zone_t and named_var_run_t a part of the mountpoint attribute
+ - Update cifs interfaces to include fs_search_auto_mountpoints()
+ - Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
+ - Add map_read map_write to kernel_prog_run_bpf
+ - Add policy for nvme-stas
+ - Make new virt drivers permissive
+ - Allow named and ndc use the io_uring api
+ - Allow sssd send SIGKILL to passket_child running in ipa_otpd_t
+
+* Fri Jul 21 2023 jinlun - 38.21-1
+- update version to 38.21
+
+* Wed May 31 2023 luhuaxin - 38.6-5
+- backport some upstream patches
+
+* Wed Mar 29 2023 luhuaxin - 38.6-4
+- allow login_pgm setcap permission
+
+* Mon Mar 20 2023 jinlun - 38.6-3
+- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition
+
+* Mon Feb 6 2023 luhuaxin - 38.6-2
+- allow init_t create fifo file in net_conf dir
+
+* Wed Feb 1 2023 zhangguangzhi - 38.6-1
+- update version to 38.6
+
+* Thu Dec 29 2022 lixiao - 35.5-17
+- add rule for hostnamed to rpmscript dbus chat
+
+* Sat Dec 24 2022 lixiao - 35.5-16
+- add the dependency between packages
+
+* Sun Dec 3 2022 lujie - 35.5-15
+- modify the patch name for the problem of vendor hard code
+
+* Sun Nov 27 2022 lujie - 35.5-14
+- backport upstream patches
+
+* Mon Sep 19 2022 xinghe - 35.5-13
+- allow map postfix_master_t
+
+* Thu Sep 15 2022 lujie - 35.5-12
+- backport upstream patches
+
+* Tue Sep 13 2022 lujie - 35.5-11
+- backport upstream patches
+
+* Tue Sep 13 2022 lujie - 35.5-10
+- backport upstream patches
+
+* Tue Sep 13 2022 lujie - 35.5-9
+- backport upstream patches
+
+* Fri Sep 2 2022 lujie - 35.5-8
+- backport upstream patches
+
+* Thu Aug 18 2022 xuwenlong - 35.5-7
+- Allow chage domtrans to sssd
+
+* Mon Jun 27 2022 lujie - 35.5-6
+- Allow domain transition to sssd_t and role access to sssd
+
+* Sat Jun 25 2022 luhuaxin - 35.5-5
+- allow httpd to create files in /etc/httpd
+
+* Thu Apr 28 2022 luhuaxin - 35.5-4
+- add open permission to files_read_inherited_tmp_file
+
+* Mon Feb 28 2022 lujie42 - 35.5-3
+- fix context of /usr/bin/rpmdb
+
+* Mon Feb 21 2022 lujie42 - 35.5-2
+- selinux-requires macro shouldn't depend on policycoreutils-python
+
+* Tue Jan 11 2022 lujie42 - 35.5-1
+- update selinux-policy-3.14.2 to selinux-policy-35.5-1
+
+* Fri Oct 8 2021 lujie42 -3.14.2-77
+- Fix CVE-2020-24612
+
+* Wed Sep 22 2021 lujie42 <572084868@qq.com> -3.14.2-76
+- Set httpd_can_network_connect bool true
+
+* Fri Sep 3 2021 lujie42 <572084868@qq.com> -3.14.2-75
+- Add allow rasdaemon cap_sys_admin
+
+* Tue Aug 31 2021 lujie42 <572084868@qq.com> -3.14.2-74
+- Allow systemd hostnamed read udev runtime data
+
+* Fri Aug 20 2021 ExtinctFire -3.14.2-73
+- Add avc for systemd selinux page
+
+* Fri Aug 20 2021 mingyang -3.14.2-72
+- Add qemu_exec_t for stratovirt
+
 * Thu Jul 22 2021 lujie42 <572084868@qq.com> - 3.14.2-71
 - Add weak dep of selinux-policy-targeted
 
@@ -828,7 +899,7 @@ exit 0
 * Sat May 29 2021 luhuaxin <1539327763@qq.com> - 3.14.2-67
 - allow kdump_t net_admin capability
 
-* Thu Mar 27 2021 luhuaxin <1539327763@qq.com> - 3.14.2-66
+* Sat Mar 27 2021 luhuaxin <1539327763@qq.com> - 3.14.2-66
 - allow rpcbind to bind all port
 
 * Fri Mar 5 2021 luhuaxin <1539327763@qq.com> - 3.14.2-65
@@ -848,7 +919,7 @@ exit 0
 * Thu Sep 24 2020 openEuler Buildteam - 3.14.2-61
 - add add-firewalld-fc.patch
 
-* Thu Sep 22 2020 openEuler Buildteam - 3.14.2-60
+* Tue Sep 22 2020 openEuler Buildteam - 3.14.2-60
 - add allow-systemd-hostnamed-and-logind-read-policy.patch
 
 * Thu Sep 17 2020 openEuler Buildteam - 3.14.2-59
diff --git a/solve-shutdown-permission-denied-caused-by-dracut.patch b/solve-shutdown-permission-denied-caused-by-dracut.patch
deleted file mode 100644
index 94b7a4fd00f5c47e55b6ee994688137a648578ce..0000000000000000000000000000000000000000
--- a/solve-shutdown-permission-denied-caused-by-dracut.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From f14eec646bb7aaef59c4e5a9fa37be21e9797964 Mon Sep 17 00:00:00 2001
-From: guoxiaoqi
-Date: Thu, 4 Jun 2020 20:41:46 +0800
-Subject: [PATCH] solve shutdown permission denied caused by dracut
-
-Signed-off-by: guoxiaoqi
----
- policy/modules/system/init.te | 2 ++
- policy/modules/system/lvm.te | 1 +
- policy/modules/system/mount.te | 1 +
- 3 files changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index e3e8b37..73cccdc 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -215,6 +215,8 @@ dev_filetrans(init_t, initctl_t, fifo_file)
- # Modify utmp.
- allow init_t initrc_var_run_t:file { rw_file_perms setattr };
- 
-+allow init_t root_t:dir create;
-+
- kernel_read_system_state(init_t)
- kernel_share_state(init_t)
- kernel_stream_connect(init_t)
-diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 99babc9..77fb8f7 100644
---- a/policy/modules/system/lvm.te
-+++ b/policy/modules/system/lvm.te
-@@ -323,6 +323,7 @@ init_use_fds(lvm_t)
- init_dontaudit_getattr_initctl(lvm_t)
- init_use_script_ptys(lvm_t)
- init_read_script_state(lvm_t)
-+init_nnp_daemon_domain(lvm_t)
- 
- logging_send_syslog_msg(lvm_t)
- logging_stream_connect_syslog(lvm_t)
-diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 816066d..e884bf5 100644
---- a/policy/modules/system/mount.te
-+++ b/policy/modules/system/mount.te
-@@ -186,6 +186,7 @@ init_use_script_ptys(mount_t)
- init_dontaudit_getattr_initctl(mount_t)
- init_stream_connect_script(mount_t)
- init_rw_script_stream_sockets(mount_t)
-+init_nnp_daemon_domain(mount_t)
- 
- logging_send_syslog_msg(mount_t)
- 
---
-1.8.3.1
-
diff --git a/users-minimum b/users-minimum
index 8207eed482a0a21d7877bd22395646c7bae3ea35..72cbbe00c3169d1ac6b93e82306240fb2aca02d3 100644
--- a/users-minimum
+++ b/users-minimum
@@ -36,3 +36,4 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 # gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
+gen_user(unconfined_u, user,unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/users-mls b/users-mls
index 05d26712efe0bd41abcea6464ff5f2c4c31b005f..21ec0c3e3081b89bd00b8649adb01cf2fe23f5dc 100644
--- a/users-mls
+++ b/users-mls
@@ -36,3 +36,8 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 # gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
+
+gen_user(secadm_u, user, secadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(auditadm_u, user, auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/users-targeted b/users-targeted
index 8207eed482a0a21d7877bd22395646c7bae3ea35..a875306f1258f02deacfcb82d3537c85f84988db 100644
--- a/users-targeted
+++ b/users-targeted
@@ -36,3 +36,6 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 # gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/v40.7.tar.gz b/v40.7.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..03b06ba3bd0f04e2ab48fdb76c8dc6b48c3c857d
Binary files /dev/null and b/v40.7.tar.gz differ
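Review bot: The line added to users-minimum, `gen_user(unconfined_u, user,unconfined_r system_r, ...)`, omits the space after `user,` while the same user definition added to users-targeted further down reads `user, unconfined_r system_r`; m4 tolerates both, but the two stores should spell the entry identically so a diff between them shows only real differences. Suggest `gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)`. Whether the minimum store always carries the module that declares unconfined_r is not visible here; if that module can be disabled, presumably this user definition needs the same handling as other entries that reference optional roles.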