From 32ea5da14147420fb6550c2f11282731c814887f Mon Sep 17 00:00:00 2001
From: guoxiaoqi
Date: Wed, 26 Feb 2020 14:13:26 +0800
Subject: [PATCH] update avc for openEuler
---
 ...n-to-be-access-to-var-run-files-and-.patch | 44 +++++++
 access-to-iptables-run-file.patch | 51 ++++++++
 add-access-to-faillog-file-for-systemd.patch | 52 ++++++++
 ...ow-to-be-access-to-sssd-dir-and-file.patch | 110 ++++++++++++++++
 ...-plymouthd-stream-connect-for-agetty.patch | 24 ++++
 add-allowed-avc-for-systemd-1.patch | 76 ++++++++++++
 add-avc-for-kmod.patch | 25 ++++
 ...systemd-hostnamed-and-systemd-logind.patch | 29 +++++
 add-avc-for-systemd-journald.patch | 117 ++++++++++++++++++
 selinux-policy.spec | 38 ++++--
 10 files changed, 554 insertions(+), 12 deletions(-)
 create mode 100644 Allow-local_login-to-be-access-to-var-run-files-and-.patch
 create mode 100644 access-to-iptables-run-file.patch
 create mode 100644 add-access-to-faillog-file-for-systemd.patch
 create mode 100644 add-allow-to-be-access-to-sssd-dir-and-file.patch
 create mode 100644 add-allow-to-plymouthd-stream-connect-for-agetty.patch
 create mode 100644 add-allowed-avc-for-systemd-1.patch
 create mode 100644 add-avc-for-kmod.patch
 create mode 100644 add-avc-for-systemd-hostnamed-and-systemd-logind.patch
 create mode 100644 add-avc-for-systemd-journald.patch
diff --git a/Allow-local_login-to-be-access-to-var-run-files-and-.patch b/Allow-local_login-to-be-access-to-var-run-files-and-.patch
new file mode 100644
index 0000000..1d70250
--- /dev/null
+++ b/Allow-local_login-to-be-access-to-var-run-files-and-.patch
@@ -0,0 +1,44 @@
+From ce4e53c392075f01176743a66d6f55026d3a1aba Mon Sep 17 00:00:00 2001
+From: guoxiaoqi
+Date: Tue, 25 Feb 2020 19:03:50 +0800
+Subject: [PATCH] Allow local_login to be access to var run files and rasdaemon
+ to write sysfs files
+
+Signed-off-by: guoxiaoqi
+---
+ policy/modules/contrib/rasdaemon.te | 2 ++
+ policy/modules/system/locallogin.te | 4 ++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/policy/modules/contrib/rasdaemon.te b/policy/modules/contrib/rasdaemon.te
+index dcdca44..c4c46b5 100644
+--- a/policy/modules/contrib/rasdaemon.te
++++ b/policy/modules/contrib/rasdaemon.te
+@@ -49,3 +49,5 @@ optional_policy(`
+ dmidecode_exec(rasdaemon_t)
+ ')
+
++# avc for openEuler
++allow rasdaemon_t sysfs_t:file write;
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 5412cfe..ce749ce 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -201,6 +201,9 @@ optional_policy(`
+ xserver_rw_xdm_keys(local_login_t)
+ ')
+
++# avc for openEuler
++allow local_login_t var_run_t:file { getattr open read };
++
+ #################################
+ #
+ # Sulogin local policy
+@@ -287,3 +290,4 @@ ifdef(`sulogin_no_pam', `
+ optional_policy(`
+ plymouthd_exec_plymouth(sulogin_t)
+ ')
++
+--
+1.8.3.1
+
diff --git a/access-to-iptables-run-file.patch b/access-to-iptables-run-file.patch
new file mode 100644
index 0000000..0bcd2e6
--- /dev/null
+++ b/access-to-iptables-run-file.patch
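Review bot: `allow rasdaemon_t sysfs_t:file write;` in rasdaemon.te and `allow local_login_t var_run_t:file { getattr open read };` in locallogin.te both grant access on a generic type rather than on the file the denial was for: sysfs_t covers everything under /sys and var_run_t every unlabelled file under /run, so each rule is much wider than the AVC it answers. The refpolicy way is to call the owning module's interface (`dev_rw_sysfs(rasdaemon_t)`, `files_read_generic_pids(local_login_t)`) or, better, to give the specific path its own type in the .fc file; a raw allow on sysfs_t written in a contrib .te with no gen_require is also likely to be rejected as out of scope in a modular build. The `# avc for openEuler` comments should record which access was denied, e.g. `# rasdaemon writes <SYSFS-PATH-PLACEHOLDER>; AVC seen on openEuler`, so the grant can be narrowed later.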
@@ -0,0 +1,51 @@
+From df3d1a93a1126c15fe540a48515c604217f3202e Mon Sep 17 00:00:00 2001
+From: guoxiaoqi
+Date: Tue, 25 Feb 2020 20:15:44 +0800
+Subject: [PATCH] access to iptables run file
+
+Signed-off-by: guoxiaoqi
+---
+ policy/modules/contrib/firewalld.te | 3 +++
+ policy/modules/system/iptables.if | 18 ++++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
+index 8b78b37..f1cbf0a 100644
+--- a/policy/modules/contrib/firewalld.te
++++ b/policy/modules/contrib/firewalld.te
+@@ -139,3 +139,6 @@ optional_policy(`
+ optional_policy(`
+ networkmanager_read_state(firewalld_t)
+ ')
++
++# avc for openEuler
++iptables_var_run_file(firewalld_t)
+diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
+index 5e1a4a5..6bdd8cf 100644
+--- a/policy/modules/system/iptables.if
++++ b/policy/modules/system/iptables.if
+@@ -221,3 +221,21 @@ interface(`iptables_read_var_run',`
+ allow $1 iptables_var_run_t:dir list_dir_perms;
+ read_files_pattern($1, iptables_var_run_t, iptables_var_run_t)
+ ')
++
++#####################################
++##
++## Access to iptables run files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`iptables_var_run_file',`
++gen_require(`
++type iptables_var_run_t;
++')
++
++allow $1 iptables_var_run_t:file { lock open read };
++')
+--
+1.8.3.1
+
diff --git a/add-access-to-faillog-file-for-systemd.patch b/add-access-to-faillog-file-for-systemd.patch
new file mode 100644
index 0000000..4692fa4
--- /dev/null
+++ b/add-access-to-faillog-file-for-systemd.patch
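Review bot: The new `iptables_var_run_file` interface duplicates `iptables_read_var_run`, which is visible in the hunk's context and already grants `read_files_pattern` (getattr, open, read, lock) on iptables_var_run_t plus listing of the directory; `iptables_read_var_run(firewalld_t)` would close the same denial without a new interface, and with the directory search the new one omits. If a new interface is kept, its name should state what it grants (`iptables_read_var_run_files`), and its `##` block shows no summary/param markup here — if that is not an artifact of this page, the policy doc tooling will not pick the interface up. iptables is a separate module, so the call in firewalld.te is better wrapped in an `optional_policy` block like the `networkmanager_read_state` call right above it.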
@@ -0,0 +1,52 @@
+From 6b63c0acdb2e2435e4294f2de08dd376db15e4e8 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi
+Date: Tue, 25 Feb 2020 21:02:54 +0800
+Subject: [PATCH] add access to faillog file for systemd
+
+Signed-off-by: guoxiaoqi
+---
+ policy/modules/system/authlogin.if | 19 +++++++++++++++++++
+ policy/modules/system/init.te | 3 +++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
+index 728a1c4..6f35819 100644
+--- a/policy/modules/system/authlogin.if
++++ b/policy/modules/system/authlogin.if
+@@ -2413,3 +2413,22 @@ interface(`auth_login_manage_key',`
+
+ allow $1 login_pgm:key manage_key_perms;
+ ')
++
++########################################
++##
++## Manage the login failure log for systemd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_manage_faillog',`
++gen_require(`
++type faillog_t;
++')
++
++allow $1 faillog_t:dir { add_name write };
++allow $1 faillog_t:file create;
++')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 035720b..e0d584a 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1868,3 +1868,6 @@ optional_policy(`
+ ccs_read_config(daemon)
+ ')
+ ')
++
++# avc for oprnEuler
++systemd_manage_faillog(init_t)
+--
+1.8.3.1
+
diff --git a/add-allow-to-be-access-to-sssd-dir-and-file.patch b/add-allow-to-be-access-to-sssd-dir-and-file.patch
new file mode 100644
index 0000000..80611ab
--- /dev/null
+++ b/add-allow-to-be-access-to-sssd-dir-and-file.patch
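Review bot: `systemd_manage_faillog` is added to authlogin.if without the `auth_` prefix every interface in that file carries (see `auth_login_manage_key` in the context), and despite "manage" in its name it grants only `{ add_name write }` on the directory and `create` on the file — the very next step, opening and writing the file just created, will raise a fresh denial. Prefer the existing `auth_rw_faillog` plus, if creation is really needed, a correctly named `auth_create_faillog_files` that grants `search` on the dir and `create_file_perms` on the file. The init.te comment `# avc for oprnEuler` has a typo (`openEuler`); it is reused as context by the later journald patch, so it has to be fixed here and that patch regenerated.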
@@ -0,0 +1,110 @@
+From e4184b665f1ca1f86fb7554095a73a71ad4a46ef Mon Sep 17 00:00:00 2001
+From: guoxiaoqi
+Date: Tue, 25 Feb 2020 18:30:13 +0800
+Subject: [PATCH] add allow to be access to sssd dir and file
+
+Signed-off-by: guoxiaoqi
+---
+ policy/modules/admin/usermanage.te | 8 +++++
+ policy/modules/contrib/sssd.if | 72 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 80 insertions(+)
+
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index 43fed66..c8580a7 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -663,3 +663,11 @@ optional_policy(`
+ optional_policy(`
+ stapserver_manage_lib(useradd_t)
+ ')
++
++# avc for openEuler
++sssd_var_lib_dir(groupadd_t)
++sssd_var_lib_map_file(groupadd_t)
++sssd_var_lib_create_file(groupadd_t)
++sssd_var_lib_write_file(groupadd_t)
++sssd_var_lib_map_file(useradd_t)
++sssd_var_lib_write_file(useradd_t)
+diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if
+index 50eee3f..1b61ccd 100644
+--- a/policy/modules/contrib/sssd.if
++++ b/policy/modules/contrib/sssd.if
+@@ -576,3 +576,75 @@ interface(`sssd_admin',`
+ allow $1 sssd_unit_file_t:service all_service_perms;
+
+ ')
++
++########################################
++##
++## Allow to be access to sssd lib dir.
++##
++##
++##
++## Domain to allow.
++##
++##
++#
++interface(`sssd_var_lib_dir',`
++gen_require(`
++type sssd_var_lib_t;
++')
++
++allow $1 sssd_var_lib_t:dir { add_name write };
++')
++
++########################################
++##
++## Allow to map sssd lib files.
++##
++##
++##
++## Domain to allow.
++##
++##
++#
++interface(`sssd_var_lib_map_file',`
++gen_require(`
++type sssd_var_lib_t;
++')
++
++allow $1 sssd_var_lib_t:file map;
++')
++
++########################################
++##
++## Allow to write sssd lib files.
++##
++##
++##
++## Domain to allow.
++##
++##
++#
++interface(`sssd_var_lib_write_file',`
++gen_require(`
++type sssd_var_lib_t;
++')
++
++allow $1 sssd_var_lib_t:file write;
++')
++
++########################################
++##
++## Allow to create sssd lib files.
++##
++##
++##
++## Domain to allow.
++##
++##
++#
++interface(`sssd_var_lib_create_file',`
++gen_require(`
++type sssd_var_lib_t;
++')
++
++allow $1 sssd_var_lib_t:file create;
++')
+--
+1.8.3.1
+
diff --git a/add-allow-to-plymouthd-stream-connect-for-agetty.patch b/add-allow-to-plymouthd-stream-connect-for-agetty.patch
new file mode 100644
index 0000000..6834bb5
--- /dev/null
+++ b/add-allow-to-plymouthd-stream-connect-for-agetty.patch
@@ -0,0 +1,24 @@
+From c1ecad14ce600f2c3c04bec6e7f49f6ef9fefa76 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi
+Date: Tue, 25 Feb 2020 18:45:58 +0800
+Subject: [PATCH] add allow to plymouthd stream connect for agetty
+
+Signed-off-by: guoxiaoqi
+---
+ policy/modules/system/getty.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index d1967ba..c386dfe 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -165,3 +165,6 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(getty_t)
+ ')
++
++# avc for openEuler
++plymouthd_stream_connect(getty_t)
+--
+1.8.3.1
+
diff --git a/add-allowed-avc-for-systemd-1.patch b/add-allowed-avc-for-systemd-1.patch
new file mode 100644
index 0000000..d78efe2
--- /dev/null
+++ b/add-allowed-avc-for-systemd-1.patch
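Review bot: The four new sssd.if interfaces each hand out one permission on sssd_var_lib_t (`add_name write` on the dir, then `map`, `write` and `create` on files) and usermanage.te has to chain four calls per domain; none grants `search` on the directory or `open` on the file, so groupadd_t can create a file it cannot then open. One interface in refpolicy style (`sssd_manage_lib_files` if this tree's sssd.if already has it, otherwise a single new interface built on `manage_files_pattern` plus `map`) would express the intent, and its summary should say what the access is rather than `Allow to be access to sssd lib dir.`. useradd_t receives only `map` and `write` while groupadd_t also gets the dir and `create` access; say in the comment whether that asymmetry is intended. sssd is a contrib module, so the calls in usermanage.te belong inside an `optional_policy` block like the `stapserver_manage_lib` call in the context.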
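Review bot: `plymouthd_stream_connect(getty_t)` in getty.te is called outside an `optional_policy` block, unlike the `udev_read_db` call right above it; plymouth is a contrib module, so a build with that module disabled fails on the undefined interface. Wrap it the same way: `optional_policy(\`` / `plymouthd_stream_connect(getty_t)` / `')`, and let the comment name the denial (`# agetty connects to the plymouth socket at boot`) instead of the generic `# avc for openEuler`.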
@@ -0,0 +1,76 @@
+From 9592c9a75c610109c17eb8591611826715e3c969 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi
+Date: Wed, 26 Feb 2020 17:20:57 +0800
+Subject: [PATCH] add avc for systemd
+
+Signed-off-by: guoxiaoqi
+---
+ policy/modules/contrib/dbus.te | 4 ++++
+ policy/modules/kernel/devices.if | 18 ++++++++++++++++++
+ policy/modules/system/init.te | 1 +
+ policy/modules/system/systemd.te | 5 +++++
+ 4 files changed, 28 insertions(+)
+
+diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
+index 3bcff01..848342e 100644
+--- a/policy/modules/contrib/dbus.te
++++ b/policy/modules/contrib/dbus.te
+@@ -386,3 +386,7 @@ allow session_bus_type dbusd_unconfined:dbus send_msg;
+
+ kernel_stream_connect(session_bus_type)
+ systemd_login_read_pid_files(session_bus_type)
++
++# avc for openEuler
++allow init_t session_dbusd_tmp_t:dir { read remove_name rmdir write };
++allow init_t system_dbusd_var_run_t:sock_file read;
+diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
+index 2378f06..c3659c7 100644
+--- a/policy/modules/kernel/devices.if
++++ b/policy/modules/kernel/devices.if
+@@ -7276,3 +7276,21 @@ type kmsg_device_t;
+
+ allow $1 kmsg_device_t:chr_file read;
+ ')
++
++########################################
++##
++## Allow to read the clock device.
++##
++##
++##
++## Domain to allow.
++##
++##
++#
++interface(`dev_read_clock_device',`
++gen_require(`
++type clock_device_t;
++')
++
++allow $1 clock_device_t:chr_file read;
++')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index afd20b0..8de5b08 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1874,3 +1874,4 @@ systemd_manage_faillog(init_t)
+ kernel_netlink_audit_socket(init_t, getattr)
+ dev_read_kernel_msg(init_t)
+ logging_journal(init_t)
++dev_read_clock_device(init_t)
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index f2919f0..3634510 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1148,3 +1148,8 @@ allow init_t systemd_logind_var_lib_t:dir { create mounton read };
+ allow init_t systemd_logind_var_run_t:dir mounton;
+ init_nnp_daemon_domain(systemd_hostnamed_t)
+ init_nnp_daemon_domain(systemd_logind_t)
++init_nnp_daemon_domain(systemd_coredump_t)
++init_nnp_daemon_domain(systemd_initctl_t)
++init_nnp_daemon_domain(systemd_localed_t)
++init_nnp_daemon_domain(systemd_machined_t)
++init_nnp_daemon_domain(systemd_timedated_t)
+--
+1.8.3.1
+
diff --git a/add-avc-for-kmod.patch b/add-avc-for-kmod.patch
new file mode 100644
index 0000000..5d4e565
--- /dev/null
+++ b/add-avc-for-kmod.patch
@@ -0,0 +1,25 @@
+From b7ba655387f31048655f4b8ad6173144237ae68f Mon Sep 17 00:00:00 2001
+From: guoxiaoqi
+Date: Tue, 25 Feb 2020 20:54:43 +0800
+Subject: [PATCH] add avc for kmod
+
+Signed-off-by: guoxiaoqi
+---
+ policy/modules/system/modutils.te | 4 +++
+ 1 files changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
+index 4b7b884..1271b7a 100644
+--- a/policy/modules/system/modutils.te
++++ b/policy/modules/system/modutils.te
+@@ -367,3 +367,7 @@ ifdef(`distro_ubuntu',`
+ unconfined_domain(update_modules_t)
+ ')
+ ')
++
++# avc for openEuler
++init_nnp_daemon_domain(insmod_t)
++
+--
+1.8.3.1
+
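Review bot: `dev_read_clock_device` re-implements what devices.if already provides as `dev_read_realtime_clock` (read on clock_device_t chr_file), so init.te should call the existing interface and the new one can be dropped. The two `allow init_t …` rules are placed in dbus.te, which puts init_t's policy in another module's .te file and hides it from anyone auditing init.te; the convention is a `dbus_` interface in dbus.if (one granting the directory clean-up on session_dbusd_tmp_t and `read` on the system_dbusd_var_run_t sock_file) called from init.te, where the grant is discoverable next to init's other rules. `{ read remove_name rmdir write }` on a directory without `search` is an unusual set for clean-up; confirm against the audit log that no further denial follows once these are allowed.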
diff --git a/add-avc-for-systemd-hostnamed-and-systemd-logind.patch b/add-avc-for-systemd-hostnamed-and-systemd-logind.patch
new file mode 100644
index 0000000..03b5699
--- /dev/null
+++ b/add-avc-for-systemd-hostnamed-and-systemd-logind.patch
@@ -0,0 +1,29 @@
+From 5d8386f073adf1b835461382844738aca74cab74 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi
+Date: Wed, 26 Feb 2020 11:48:12 +0800
+Subject: [PATCH] add avc for systemd-hostnamed and systemd-logind
+
+Signed-off-by: guoxiaoqi
+---
+ policy/modules/system/systemd.te | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index d6ce679..f2919f0 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1140,5 +1140,11 @@ optional_policy(`
+ optional_policy(`
+ gpg_exec(systemd_importd_t)
+ ')
++
++# avc for openEuler
+ allow init_t systemd_logind_inhibit_var_run_t:dir mounton;
+ allow init_t systemd_logind_sessions_t:dir mounton;
++allow init_t systemd_logind_var_lib_t:dir { create mounton read };
++allow init_t systemd_logind_var_run_t:dir mounton;
++init_nnp_daemon_domain(systemd_hostnamed_t)
++init_nnp_daemon_domain(systemd_logind_t)
+--
+1.8.3.1
+
diff --git a/add-avc-for-systemd-journald.patch b/add-avc-for-systemd-journald.patch
new file mode 100644
index 0000000..32b018d
--- /dev/null
+++ b/add-avc-for-systemd-journald.patch
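Review bot: `# avc for openEuler` is inserted above the two pre-existing context lines `allow init_t systemd_logind_inhibit_var_run_t:dir mounton;` and `allow init_t systemd_logind_sessions_t:dir mounton;`, so the comment labels rules this patch did not add; move it directly before the first `+` line, `allow init_t systemd_logind_var_lib_t:dir { create mounton read };`. That line also grants `create` on systemd_logind_var_lib_t directories to init_t, which the surrounding `mounton`-only rules do not need; a short comment naming the unit or tmpfiles entry that triggers the create would let the grant be revisited later.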
@@ -0,0 +1,117 @@
+From 1c571a3a7da2b3caac9dabf0fdeda623529b229a Mon Sep 17 00:00:00 2001
+From: guoxiaoqi
+Date: Wed, 26 Feb 2020 10:52:31 +0800
+Subject: [PATCH] add avc for systemd-journald
+
+Signed-off-by: guoxiaoqi
+---
+ policy/modules/kernel/devices.if | 18 ++++++++++++++++++
+ policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
+ policy/modules/system/init.te | 3 +++
+ policy/modules/system/logging.if | 18 ++++++++++++++++++
+ policy/modules/system/logging.te | 3 +++
+ 5 files changed, 60 insertions(+)
+
+diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
+index 155076b..2378f06 100644
+--- a/policy/modules/kernel/devices.if
++++ b/policy/modules/kernel/devices.if
+@@ -7258,3 +7258,21 @@ interface(`dev_filetrans_xserver_named_dev',`
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+ ')
++
++########################################
++##
++## Allow to read the kernel messages
++##
++##
++##
++## Domain to allow.
++##
++##
++#
++interface(`dev_read_kernel_msg',`
++gen_require(`
++type kmsg_device_t;
++')
++
++allow $1 kmsg_device_t:chr_file read;
++')
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index be3f313..ed2bd3f 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -4125,3 +4125,21 @@ interface(`kernel_file_mounton','
+
+ allow $1 sysctl_kernel_t:file mounton;
+ ')
++
++########################################
++##
++## Access to netlink audit socket
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_netlink_audit_socket',`
++gen_require(`
++type kernel_t;
++')
++
++allow $1 kernel_t:netlink_audit_socket $2;
++')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index e0d584a..afd20b0 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1871,3 +1871,6 @@ optional_policy(`
+
+ # avc for oprnEuler
+ systemd_manage_faillog(init_t)
++kernel_netlink_audit_socket(init_t, getattr)
++dev_read_kernel_msg(init_t)
++logging_journal(init_t)
+diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+index 399fe0d..7718e08 100644
+--- a/policy/modules/system/logging.if
++++ b/policy/modules/system/logging.if
+@@ -1685,3 +1685,21 @@ interface(`logging_dgram_send',`
+
+ allow $1 syslogd_t:unix_dgram_socket sendto;
+ ')
++
++#######################################
++##
++## Access to files in /run/log/journal/ directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`logging_journal',`
++gen_require(`
++type syslogd_var_run_t;
++')
++
++allow $1 syslogd_var_run_t:file { create rename write };
++')
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 03a4c99..93cf69e 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -738,3 +738,6 @@ ifdef(`hide_broken_symptoms',`
+ ')
+
+ logging_stream_connect_syslog(syslog_client_type)
++
++# avc for openEuler
++init_nnp_daemon_domain(syslogd_t)
+--
+1.8.3.1
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2c2e211..9457b60 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.2
-Release: 47
+Release: 48
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
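Review bot: `kernel_netlink_audit_socket` takes the permission set as `$2` but its doc block documents only the domain parameter, so callers cannot see the signature; add a second param entry to the `##` block, `Permissions to grant on the kernel_t netlink_audit_socket.`, and give the interface a name that says so (`kernel_audit_socket_perms`). `dev_read_kernel_msg` duplicates refpolicy's existing `dev_read_kmsg`, and `logging_journal` grants `{ create rename write }` on syslogd_var_run_t files without `open` or `getattr`, which is not enough to actually write a journal file and whose name says nothing about the permissions. The three init_t grants in init.te (audit socket getattr, kmsg read, journal create/rename/write) look like what journald needs when it stays in init_t because the NoNewPrivileges transition was refused; `init_nnp_daemon_domain(syslogd_t)` in logging.te fixes that transition, after which the init_t rules may be dead weight that only widens init_t — worth re-testing without them. The init.te context line `# avc for oprnEuler` comes from the faillog patch, so the typo must be fixed there and this patch regenerated.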
@@ -49,16 +49,25 @@ Source24: rpm.macros
 # tar czvf container-selinux.tgz container.fc container.if container.te
 Source35: container-selinux.tgz
-Patch9000: add_userman_access_run_dir.patch
-Patch9001: add_syslogd_t_domtrans_logrotate.patch
-Patch9002: bugfix-add_syslogd_t_domtrans_logrotate.patch
-Patch9003: Fix-userdom_write_user_tmp_dirs-to-allow-caller-doma.patch
-Patch9004: Fixing-range-for-ephemeral-ports-BZ-1518807.patch
-Patch9005: Fix-userdom_admin_user_template-interface-by-adding-.patch
-Patch9006: Fix-bug-in-userdom_restricted_xwindows_user_template.patch
-Patch9007: add-allow-for-ldconfig-to-map-libsudo_util-so.patch
-Patch9008: add-allow-syslogd_t-domain-to-send-null-signal-to-all-do.patch
-Patch9009: add-allowed-avc-for-systemd.patch
+Patch0: add_userman_access_run_dir.patch
+Patch1: add_syslogd_t_domtrans_logrotate.patch
+Patch2: bugfix-add_syslogd_t_domtrans_logrotate.patch
+Patch3: Fix-userdom_write_user_tmp_dirs-to-allow-caller-doma.patch
+Patch4: Fixing-range-for-ephemeral-ports-BZ-1518807.patch
+Patch5: Fix-userdom_admin_user_template-interface-by-adding-.patch
+Patch6: Fix-bug-in-userdom_restricted_xwindows_user_template.patch
+Patch7: add-allow-for-ldconfig-to-map-libsudo_util-so.patch
+Patch8: add-allow-syslogd_t-domain-to-send-null-signal-to-all-do.patch
+Patch9: add-allowed-avc-for-systemd.patch
+Patch10: add-allow-to-be-access-to-sssd-dir-and-file.patch
+Patch11: add-allow-to-plymouthd-stream-connect-for-agetty.patch
+Patch12: Allow-local_login-to-be-access-to-var-run-files-and-.patch
+Patch13: access-to-iptables-run-file.patch
+Patch14: add-avc-for-kmod.patch
+Patch15: add-access-to-faillog-file-for-systemd.patch
+Patch16: add-avc-for-systemd-journald.patch
+Patch17: add-avc-for-systemd-hostnamed-and-systemd-logind.patch
+Patch18: add-allowed-avc-for-systemd-1.patch
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
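Review bot: Patch15 through Patch18 are order-dependent — the journald, hostnamed and systemd-1 patches carry each other's added lines as context and their init.te and systemd.te `index` lines chain (e0d584a→afd20b0→8de5b08, d6ce679→f2919f0→3634510) — but nothing in the spec records that, and `%autopatch` applies strictly by number. Add a comment above `Patch15:` such as `# Patch15-18 build on each other: keep this order` so the next person who inserts a patch does not break the series. Renumbering Patch9000–9009 to Patch0–9 is unrelated churn in a commit titled "update avc"; if it is needed for the `%autopatch` switch, say so in the changelog.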
@@ -241,11 +250,13 @@ mkdir -p %{buildroot}/%{_libexecdir}/selinux/ \
 %setup -n %{name}-contrib-f9b7466780b5250bf94b5d40764277bc9c5b5f62 -q -b 1
 tar -xf %{SOURCE35}
 contrib_path=`pwd`
-%autosetup -n %{name}-38fa84dc715893cab1cc76aa9c43ba325b153e10 -p1
+%setup -n %{name}-38fa84dc715893cab1cc76aa9c43ba325b153e10 -q
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
+%autopatch -p1
+
 mkdir selinux_config
 for i in %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE7} %{SOURCE8} %{SOURCE9} %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20}; do
 cp $i selinux_config
@@ -653,6 +664,9 @@ exit 0
 %endif
 %changelog
+* Wed Feb 26 2020 openEuler Buildteam - 3.14.2-48
+- update avc for openEuler
+
 * Sun Jan 19 2020 openEuler Buildteam - 3.14.2-47
 - set selinux to permissive
--
Gitee
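Review bot: Splitting `%autosetup -p1` into `%setup -q` plus `%autopatch -p1` after the `cp $contrib_path/*` line is what lets the patches that touch contrib modules (rasdaemon.te, firewalld.te, sssd.if, dbus.te) apply, but the reason is not written down; add `# patches modify contrib modules, so apply them only after contrib is copied in` above `%autopatch -p1`. The changelog entry `- update avc for openEuler` does not say which domains gained access; listing them (init_t, local_login_t, rasdaemon_t, groupadd_t/useradd_t, getty_t, firewalld_t, insmod_t, syslogd_t) in the entry keeps the policy widening in this release traceable from the package metadata alone.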