From a739fb7124353d6614a83a27db5fa21114ee31f4 Mon Sep 17 00:00:00 2001
From: HuaxinLuGitee <1539327763@qq.com>
Date: Thu, 10 Sep 2020 21:03:18 +0800
Subject: [PATCH] add patch for virt
---
 ...ned-create-userdbd-runtime-sock-file.patch | 54 +++++++++++++++++++
 selinux-policy.spec | 6 ++-
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 allow-systemd-machined-create-userdbd-runtime-sock-file.patch
diff --git a/allow-systemd-machined-create-userdbd-runtime-sock-file.patch b/allow-systemd-machined-create-userdbd-runtime-sock-file.patch
new file mode 100644
index 0000000..fcb2ce6
--- /dev/null
+++ b/allow-systemd-machined-create-userdbd-runtime-sock-file.patch
@@ -0,0 +1,54 @@
+From d4a034518393bd1c0277a4dd3e87c8e94b394317 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 11 Aug 2020 12:47:42 +0200
+Subject: [PATCH] Allow systemd-machined create userdbd runtime sock files
+
+Create the systemd_create_userdbd_runtime_sock_files() interface.
+
+Resolves: rhbz#1862686
+---
+ policy/modules/system/systemd.if | 18 ++++++++++++++++++
+ policy/modules/system/systemd.te | 1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index c9d2ed7..a6d8bd0 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -2374,3 +2374,21 @@ interface(`systemd_userdbd_stream_connect',`
+ 
+ allow $1 systemd_userdbd_t:unix_stream_socket connectto;
+ ')
++
++#######################################
++##
++## Create a named socket in userdbd runtime directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_create_userdbd_runtime_sock_files',`
++ gen_require(`
++ type systemd_userdbd_runtime_t;
++ ')
++
++ create_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
++')
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 367758a..806b7d6 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -415,6 +415,7 @@ init_manage_config_transient_files(systemd_machined_t)
+ logging_dgram_send(systemd_machined_t)
+ 
+ systemd_read_efivarfs(systemd_machined_t)
++systemd_create_userdbd_runtime_sock_files(systemd_machined_t)
+ 
+ userdom_dbus_send_all_users(systemd_machined_t)
+ 
+-- 
+1.8.3.1
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bd5444b..2a76bb1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.2
-Release: 57
+Release: 58
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
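Review bot: The new `systemd_create_userdbd_runtime_sock_files` interface only calls `create_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)`, so a caller gets directory-entry and sock_file permissions on `systemd_userdbd_runtime_t` but nothing that lets it search the parent runtime directory under /run; the interface would be self-contained for callers other than `systemd_machined_t` with a `files_search_pids($1)` line before the pattern, unless the policy's conventions leave that to the caller (the body of the neighbouring `systemd_userdbd_stream_connect` starts outside the hunk, so its style cannot be checked here). In refpolicy the create pattern expands to more than "create a named socket" — it also grants `write`/`add_name` on the runtime directory — which is the expected grant for this kind of interface but is worth stating where the rule is consumed in systemd.te. The inner patch header carries the motivation (`Resolves: rhbz#1862686`); the outer subject "add patch for virt" does not, so the downstream commit or changelog should cite that reference so reviewers can map the new allow rule to the denial it addresses.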
@@ -64,6 +64,7 @@ Patch11: add-avc-for-systemd-hostnamed-and-systemd-logind.patch
 Patch12: add-avc-for-systemd.patch
 Patch13: allow-systemd-to-mount-unlabeled-filesystemd.patch
 Patch14: add_userman_access_run_dir.patch
+Patch15: allow-systemd-machined-create-userdbd-runtime-sock-file.patch
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
@@ -729,6 +730,9 @@ exit 0
 %endif
 %changelog
+* Wed Sep 10 2020 openEuler Buildteam - 3.14.2-58
+- add allow-systemd-machined-create-userdbd-runtime-sock-file.patch
+
 * Fri Aug 28 2020 openEuler Buildteam - 3.14.2-57
 - add add_userman_access_run_dir.patch
-- 
Gitee
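Review bot: `Patch15:` is declared in the preamble, but this hunk does not show how the spec applies its patches; if `%prep` uses `%autosetup -p1` the new file is picked up automatically, whereas an explicit `%patch` sequence needs a matching `%patch15 -p1` line or the patch ships in the SRPM without ever being applied. The `%prep` section lies outside this hunk, so that is where to confirm it. The changelog entry in the second hunk names only the patch file; adding the upstream reference the patch header carries (rhbz#1862686) would let readers trace which denial the added allow rule resolves.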