Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2014-09-09 18:59:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2014-09-06 12:18:34.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new/selinux-policy.changes       
2014-09-09 18:59:15.000000000 +0200
@@ -1,0 +2,21 @@
+Mon Sep  8 09:08:19 UTC 2014 - [email protected]
+
+- removed remove_duplicate_filetrans_pattern_rules.patch
+
+-------------------------------------------------------------------
+Fri Sep  5 11:22:02 UTC 2014 - [email protected]
+
+- Updated policy to include everything up until 20140730 (refpolicy and
+  fedora rawhide improvements). Rebased all patches that are still
+  necessary
+- Removed permissivedomains.pp. Doesn't work with the new policy
+- modified spec file so that all modifications for distro=redhat and
+  distro=suse will be used. 
+- added selinux-policy-rpmlintrc to suppress some warnings that aren't
+  valid for this package
+- added suse_minimal_cc.patch to create a suse specific module to prevent
+  errors while using the minimum policy. Will rework them in the proper
+  places once the minimum policy is reworked to really only confine a 
+  minimal set of domains.
+
+-------------------------------------------------------------------

Old:
----
  permissivedomains.pp
  remove_duplicate_filetrans_pattern_rules.patch
  serefpolicy-3.12.1.tgz
  serefpolicy-contrib-3.12.1.tgz

New:
----
  selinux-policy-rpmlintrc
  serefpolicy-20140730.tgz
  serefpolicy-contrib-20140730.tgz
  suse_minimal_cc.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.BgfG6U/_old  2014-09-09 18:59:18.000000000 +0200
+++ /var/tmp/diff_new_pack.BgfG6U/_new  2014-09-09 18:59:18.000000000 +0200
@@ -35,13 +35,13 @@
 %define BUILD_MLS 1
 %endif
 %define POLICYVER 29
-%define POLICYCOREUTILSVER 2.1.14
-%define CHECKPOLICYVER 2.2
+%define POLICYCOREUTILSVER 2.3
+%define CHECKPOLICYVER 2.3
 Summary:        SELinux policy configuration
 License:        GPL-2.0+
 Group:          System/Management
 Name:           selinux-policy
-Version:        3.12.1
+Version:        20140730
 Release:        20%{?dist}
 Source:         serefpolicy-%{version}.tgz
 Patch:          policy-rawhide-base.patch
@@ -56,7 +56,7 @@
 Patch16:        useradd-netlink_selinux_socket.patch
 Patch17:        systemd-tmpfiles.patch
 Patch18:        label_var_run_rsyslog.patch
-Patch19:        remove_duplicate_filetrans_pattern_rules.patch
+Patch19:        suse_minimal_cc.patch
 
 Source1:        modules-targeted-base.conf
 Source31:       modules-targeted-contrib.conf
@@ -80,10 +80,10 @@
 Source25:       users-minimum
 Source26:       file_contexts.subs_dist
 Source27:       selinux-policy.conf
-Source28:       permissivedomains.pp
 Source29:       serefpolicy-contrib-%{version}.tgz
 Source30:       booleans.subs_dist
 Source40:       selinux-policy.sysconfig
+Source41:       selinux-policy-rpmlintrc
 
 # the following two files are more like a packaging documentation
 Source50:       Alan_Rouse-openSUSE_with_SELinux.txt
@@ -102,6 +102,7 @@
 BuildRequires:  policycoreutils-python >= %{POLICYCOREUTILSVER}
 BuildRequires:  python
 BuildRequires:  python-xml
+BuildRequires:  selinux-policy-devel
 # we need selinuxenabled
 Requires(post):  selinux-tools
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
@@ -247,6 +248,7 @@
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
 %dir %{_sysconfdir}/selinux/%1/contexts/files \
 %verify(not md5 size mtime) 
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
 %verify(not md5 size mtime) 
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
@@ -257,11 +259,7 @@
 %{_sysconfdir}/selinux/%1/booleans.subs_dist \
 %config %{_sysconfdir}/selinux/%1/contexts/files/media \
 %dir %{_sysconfdir}/selinux/%1/contexts/users \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/*
 
 %define relabel() \
 . %{_sysconfdir}/sysconfig/selinux-policy; \
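Review bot: The glob `%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/*` replaces five named entries, so the package now ships whatever the policy build leaves in contexts/users, and a missing `root` or `staff_u` file no longer fails the build. These files sit under the per-user contexts directory, so an unexpected addition from a new upstream snapshot would be packaged without anyone having looked at it. If the glob is kept, a comment above it such as `# globbed: the set of per-user context files changes between policy snapshots; check the built file list on every update` would record the reason. The enclosing file-list macro starts outside this hunk.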
@@ -334,7 +332,6 @@
 %files doc
 %defattr(-,root,root,-)
 %doc %{_usr}/share/doc/%{name}-%{version}
-%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
 %{_usr}/share/selinux/devel/policy.*
 
 %description
@@ -362,6 +359,8 @@
 %patch18 -p1
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
+# we use distro=redhat to get all the redhat modifications but we'll still 
need everything that is defined for suse
+find "$refpolicy_path" -type f -print0 | xargs -0 sed -i -e 
's/ifdef(`distro_suse/ifdef(`distro_redhat/g'
 
 %install
 mkdir selinux_config
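Review bot: The added `find ... | xargs -0 sed -i` call rewrites every regular file under $refpolicy_path, not only policy sources, and it succeeds silently even when nothing matches. Because it turns each distro_suse conditional into a distro_redhat one after the patches have been applied, the set of rules that ends up enabled can no longer be read from the patches alone, which makes the built policy harder to audit. Limiting the search, for example `find "$refpolicy_path" -type f \( -name '*.te' -o -name '*.if' -o -name '*.fc' \) -print0`, would keep the rewrite to the files that presumably carry these conditionals. The context line `cp $contrib_path/* $refpolicy_path/policy/modules/contrib` just above is unquoted, unlike the new find call. The %prep section starts outside this hunk.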
@@ -383,7 +382,6 @@
 %if %{BUILD_TARGETED}
 # Build targeted policy
 mkdir -p %{buildroot}%{_usr}/share/selinux/targeted
-cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/targeted
 %makeCmds targeted mcs n allow
 %makeModulesConf targeted base contrib
 %installCmds targeted mcs n allow
@@ -393,7 +391,6 @@
 %if %{BUILD_MINIMUM}
 # Build minimum policy
 mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
-cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/minimum
 %makeCmds minimum mcs n allow
 %makeModulesConf targeted base contrib
 %installCmds minimum mcs n allow
@@ -417,14 +414,6 @@
 install -m 644 selinux_config/Makefile.devel 
%{buildroot}%{_usr}/share/selinux/devel/Makefile
 install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
 install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
-echo  "xdg-open 
file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> 
%{buildroot}%{_usr}/share/selinux/devel/policyhelp
-chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp
-#/usr/bin/sepolicy manpage -a -p %{buildroot}/usr/share/man/man8/ -w -r 
%{buildroot}
-#mkdir %{buildroot}%{_usr}/share/selinux/devel/html
-#htmldir=`compgen -d %{buildroot}%{_usr}/share/man/man8/`
-#mv ${htmldir}/* %{buildroot}%{_usr}/share/selinux/devel/html
-#rm -rf ${htmldir}
-#mkdir %{buildroot}%{_usr}/share/selinux/packages/
 
 rm -rf selinux_config
 # fillup sysconfig
@@ -517,13 +506,17 @@
 for p in $contribpackages; do
        touch /etc/selinux/minimum/modules/active/modules/$p.disabled
 done
-for p in $basepackages apache.pp dbus.pp inetd.pp kerberos.pp mta.pp nis.pp; do
+# this is temporarily needed to make minimum policy work without errors. Will 
be included
+# into the proper places later on
+rm /etc/selinux/minimum/modules/active/modules/suse.pp.disabled
+for p in $basepackages apache.pp dbus.pp inetd.pp kerberos.pp mta.pp nis.pp 
nscd.pp cron.pp; do
        rm -f /etc/selinux/minimum/modules/active/modules/$p.disabled
 done
-/usr/sbin/semanage -S minimum -i - << __eof
-login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
-login -m  -s unconfined_u -r s0-s0:c0.c1023 root
-__eof
+# those are default anyway
+# /usr/sbin/semanage -S minimum -i - << __eof
+# login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
+# login -m  -s unconfined_u -r s0-s0:c0.c1023 root
+# __eof
 /sbin/restorecon -R /root /var/log /var/run 2> /dev/null
 /usr/sbin/semodule -B -s minimum
 else
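Review bot: The new `rm /etc/selinux/minimum/modules/active/modules/suse.pp.disabled` has no `-f`, while the loop right below it uses `rm -f` for the same kind of marker file. If suse.pp is not in $contribpackages (defined outside this hunk), the scriptlet prints an error and may fail, depending on how the scriptlet shell is run. Using `rm -f /etc/selinux/minimum/modules/active/modules/suse.pp.disabled`, or adding `suse.pp` to the `for p in ...` list, would match the surrounding code. The commented-out semanage block rests on the remark "those are default anyway"; a comment naming where the unconfined_u mapping for __default__ and root now comes from would let the next reader verify that.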

++++++ label_var_run_rsyslog.patch ++++++
--- /var/tmp/diff_new_pack.BgfG6U/_old  2014-09-09 18:59:18.000000000 +0200
+++ /var/tmp/diff_new_pack.BgfG6U/_new  2014-09-09 18:59:18.000000000 +0200
@@ -1,7 +1,7 @@
-Index: serefpolicy-3.12.1/policy/modules/system/logging.fc
+Index: serefpolicy-20140730/policy/modules/system/logging.fc
 ===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/system/logging.fc   2013-11-12 
10:31:33.161234336 +0100
-+++ serefpolicy-3.12.1/policy/modules/system/logging.fc        2013-11-13 
15:31:41.233552569 +0100
+--- serefpolicy-20140730.orig/policy/modules/system/logging.fc
++++ serefpolicy-20140730/policy/modules/system/logging.fc
 @@ -83,6 +83,7 @@ ifdef(`distro_redhat',`
  /var/run/syslogd\.pid --      
gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
  /var/run/syslog-ng.ctl        --      
gen_context(system_u:object_r:syslogd_var_run_t,s0)
@@ -10,16 +10,14 @@
  /var/run/systemd/journal/syslog       -s      
gen_context(system_u:object_r:devlog_t,mls_systemhigh)
  
  /var/spool/audit(/.*)?                
gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
-Index: serefpolicy-3.12.1/policy/modules/system/init.te
+Index: serefpolicy-20140730/policy/modules/system/init.te
 ===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/system/init.te      2013-11-12 
10:31:33.161234336 +0100
-+++ serefpolicy-3.12.1/policy/modules/system/init.te   2013-11-18 
12:50:40.828965515 +0100
-@@ -1577,3 +1577,8 @@ ifdef(`direct_sysadm_daemon',`
-     allow daemon direct_run_init:process sigchld;
-     allow direct_run_init direct_init_entry:file { getattr open read execute 
};
- ')
-+
+--- serefpolicy-20140730.orig/policy/modules/system/init.te
++++ serefpolicy-20140730/policy/modules/system/init.te
+@@ -1676,3 +1676,6 @@ optional_policy(`
+         ccs_read_config(daemon)
+     ')
+  ')
 +
 +# relabel /var/run/rsyslog
 +filetrans_pattern(init_t, var_run_t, syslogd_var_run_t, dir, "rsyslog")
-+

++++++ modules-targeted-contrib.conf ++++++
--- /var/tmp/diff_new_pack.BgfG6U/_old  2014-09-09 18:59:18.000000000 +0200
+++ /var/tmp/diff_new_pack.BgfG6U/_new  2014-09-09 18:59:18.000000000 +0200
@@ -1313,13 +1313,6 @@
 #
 piranha = module
 
-# Layer: contrib
-# Module: pkcsslotd
-#  
-# daemon manages PKCS#11 objects between PKCS#11-enabled applications
-#
-pkcsslotd = module
-
 # Layer: services
 # Module: plymouthd
 #
@@ -1530,6 +1523,13 @@
 #
 realmd = module
 
+# Layer: contrib
+# Module: suse
+#  
+# suse modifications
+#
+suse = module
+
 # Layer: services
 # Module: remotelogin
 #
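Review bot: The new `suse = module` entry goes into modules-targeted-contrib.conf, so the rules from suse.te are built into the targeted policy as well, although the changelog describes the module as a workaround for errors in the minimum policy. The description line `# suse modifications` does not say that, and a reader of the targeted module list cannot tell that the module is meant to be temporary. A description such as `# temporary SUSE workarounds for the minimum policy, see suse_minimal_cc.patch` would make the scope visible. The entry also sits between realmd and remotelogin, out of the alphabetical order the neighbouring entries follow.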

++++++ policy-rawhide-base.patch ++++++
++++ 32501 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/selinux-policy/policy-rawhide-base.patch
++++ and 
/work/SRC/openSUSE:Factory/.selinux-policy.new/policy-rawhide-base.patch

++++++ policy-rawhide-contrib.patch ++++++
++++ 59032 lines (skipped)
++++ between 
/work/SRC/openSUSE:Factory/selinux-policy/policy-rawhide-contrib.patch
++++ and 
/work/SRC/openSUSE:Factory/.selinux-policy.new/policy-rawhide-contrib.patch

++++++ selinux-policy-rpmlintrc ++++++
# rpmlint filter list for the selinux-policy package. Each addFilter() call
# suppresses rpmlint output matching the given pattern.

# NOTE(review): this pattern carries no path, so it silences the
# non-conffile-in-etc warning for every file in the package, not only for
# files under /etc/selinux.
addFilter("W: non-conffile-in-etc.*")
# Empty files below /etc/selinux are accepted.
addFilter("W: zero-length /etc/selinux/.*")
# One .policy.sha512 file per policy type (minimum, targeted, mls).
# NOTE(review): the patterns above use ".*", so these strings are presumably
# treated as regular expressions too; the dots in the paths below are
# unescaped and would then match any character - confirm.
addFilter("W: hidden-file-or-dir /etc/selinux/minimum/.policy.sha512")
addFilter("W: hidden-file-or-dir /etc/selinux/targeted/.policy.sha512")
addFilter("W: hidden-file-or-dir /etc/selinux/mls/.policy.sha512")
# files-duplicate filters: each pair names a file under modules/active and its
# copy at the policy's top level or under contexts/files, once per policy type.
addFilter("W: files-duplicate /etc/selinux/minimum/seusers 
/etc/selinux/minimum/modules/active/seusers.final")
addFilter("W: files-duplicate /etc/selinux/minimum/contexts/files/file_contexts 
/etc/selinux/minimum/modules/active/file_contexts")
addFilter("W: files-duplicate 
/etc/selinux/minimum/modules/active/file_contexts.homedirs 
/etc/selinux/minimum/contexts/files/file_contexts.homedirs")
addFilter("W: files-duplicate 
/etc/selinux/targeted/modules/active/seusers.final 
/etc/selinux/targeted/seusers")
addFilter("W: files-duplicate 
/etc/selinux/targeted/modules/active/file_contexts 
/etc/selinux/targeted/contexts/files/file_contexts")
addFilter("W: files-duplicate 
/etc/selinux/targeted/contexts/files/file_contexts.homedirs 
/etc/selinux/targeted/modules/active/file_contexts.homedirs")
addFilter("W: files-duplicate /etc/selinux/mls/modules/active/seusers.final 
/etc/selinux/mls/seusers")
addFilter("W: files-duplicate /etc/selinux/mls/modules/active/file_contexts 
/etc/selinux/mls/contexts/files/file_contexts")
addFilter("W: files-duplicate 
/etc/selinux/mls/contexts/files/file_contexts.homedirs 
/etc/selinux/mls/modules/active/file_contexts.homedirs")

++++++ serefpolicy-3.12.1.tgz -> serefpolicy-20140730.tgz ++++++
++++ 6821 lines of diff (skipped)

++++++ serefpolicy-contrib-3.12.1.tgz -> serefpolicy-contrib-20140730.tgz ++++++
++++ 10821 lines of diff (skipped)

++++++ suse_minimal_cc.patch ++++++
Index: serefpolicy-contrib-20140730/suse.te
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/suse.te
@@ -0,0 +1,88 @@
+policy_module(suse, 1.1.2)
+
+require {
+        type bin_t;
+        type chkpwd_t;
+        type getty_t;
+        type groupadd_t;
+        type init_exec_t;
+        type init_t;
+        type policykit_t;
+        type postfix_master_t;
+        type restorecond_t;
+        type rtkit_daemon_t;
+        type sshd_t;
+        type syslogd_t;
+        type system_dbusd_t;
+        type systemd_localed_t;
+        type systemd_logind_t;
+        type systemd_systemctl_exec_t;
+        type unconfined_service_t;
+        type unconfined_t;
+        type useradd_t;
+        type var_run_t;
+
+        class file { read open getattr entrypoint };
+        class netlink_selinux_socket { create bind };
+        class sock_file write;
+}
+
+#============= chkpwd_t ==============
+allow chkpwd_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(chkpwd_t)
+
+#============= getty_t ==============
+allow getty_t var_run_t:sock_file write;
+plymouthd_exec_plymouth(getty_t)
+kernel_stream_connect(getty_t)
+
+#============= policykit_t ==============
+allow policykit_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(policykit_t)
+
+#============= postfix_master_t ==============
+allow postfix_master_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(postfix_master_t)
+
+#============= rtkit_daemon_t ==============
+allow rtkit_daemon_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(rtkit_daemon_t)
+
+#============= sshd_t ==============
+allow sshd_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(sshd_t)
+
+#============= restorecond_t ==============
+allow restorecond_t var_run_t:sock_file write;
+
+#============= syslogd_t ==============
+allow syslogd_t var_run_t:file { read getattr open };
+allow syslogd_t var_run_t:sock_file write;
+
+#============= systemd_localed_t ==============
+systemd_dbus_chat_localed(unconfined_service_t)
+
+#============= systemd_logind_t ==============
+allow systemd_logind_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(systemd_logind_t)
+systemd_dbus_chat_logind(unconfined_service_t)
+
+#============= unconfined_service_t ==============
+unconfined_shell_domtrans(unconfined_service_t)
+
+#============= unconfined_t ==============
+allow unconfined_t systemd_systemctl_exec_t:file entrypoint;
+allow init_t unconfined_t:process transition;
+allow unconfined_t init_exec_t:file entrypoint;
+
+#============= groupadd_t ==============
+allow groupadd_t self:netlink_selinux_socket { create bind };
+allow groupadd_t var_run_t:sock_file write;
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t var_run_t:sock_file write;
+
+#============= useradd_t ==============
+allow useradd_t var_run_t:sock_file write;
+selinux_compute_access_vector(useradd_t)
+
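Review bot: Twelve domains in this module (chkpwd_t, getty_t, policykit_t, postfix_master_t, rtkit_daemon_t, sshd_t, restorecond_t, syslogd_t, systemd_logind_t, groupadd_t, system_dbusd_t, useradd_t) receive `allow <domain> var_run_t:sock_file write;`, which grants write on every socket that carries the generic var_run_t label. A repeated rule like this usually points at one socket that lacks its own type, and labelling that socket would be narrower than widening each domain. The three rules under the unconfined_t heading (`allow init_t unconfined_t:process transition;` plus the two `entrypoint` rules) let init enter unconfined_t through init_exec_t or systemd_systemctl_exec_t, and a comment naming the denial they fix would help later review. The `require` block is unconditional, so presumably the module fails to link when a module owning one of these types is disabled; wrapping the per-domain rules in `optional_policy` would avoid that. bin_t is required but no rule in suse.te uses it.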
Index: serefpolicy-contrib-20140730/suse.fc
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/suse.fc
@@ -0,0 +1 @@
+/usr/lib/gdm/.* -- gen_context(system_u:object_r:bin_t,s0)
Index: serefpolicy-contrib-20140730/suse.if
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/suse.if
@@ -0,0 +1,24 @@
+## <summary>asdfsdfABRT - automated bug-reporting tool</summary>
+
+######################################
+## <summary>
+##  Creates types and rules for a basic
+##  ABRT daemon domainadsasdf
+## </summary>
+## <param name="prefix">
+##  <summary>
+##  Prefix for the domain.
+##  </summary>
+## </param>
+#
+template(`abrt_asdfasfasfbasic_types_template',`
+    gen_require(`
+        attribute abrt_domain;
+    ')
+
+    type $1_t, abrt_domain;
+    type $1_exec_t;
+
+       kernel_read_system_state($1_t)
+')
+
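Review bot: The whole of suse.if is leftover placeholder text copied from an ABRT interface file. The summary reads `asdfsdfABRT - automated bug-reporting tool`, the description ends in `domainadsasdf`, and the template is named `abrt_asdfasfasfbasic_types_template`. The template declares `$1_t` and `$1_exec_t` against the `abrt_domain` attribute, and nothing in suse.te calls it. A file holding only `## <summary>SUSE-specific policy additions</summary>` would document the module correctly and would not ship an unused template that creates new domain types.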
++++++ sysconfig_network_scripts.patch ++++++
--- /var/tmp/diff_new_pack.BgfG6U/_old  2014-09-09 18:59:19.000000000 +0200
+++ /var/tmp/diff_new_pack.BgfG6U/_new  2014-09-09 18:59:19.000000000 +0200
@@ -1,7 +1,7 @@
-Index: serefpolicy-3.12.1/policy/modules/system/sysnetwork.fc
+Index: serefpolicy-20140730/policy/modules/system/sysnetwork.fc
 ===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/system/sysnetwork.fc        
2013-11-12 10:31:33.113233800 +0100
-+++ serefpolicy-3.12.1/policy/modules/system/sysnetwork.fc     2013-11-20 
15:33:05.611791575 +0100
+--- serefpolicy-20140730.orig/policy/modules/system/sysnetwork.fc
++++ serefpolicy-20140730/policy/modules/system/sysnetwork.fc
 @@ -11,6 +11,15 @@ ifdef(`distro_debian',`
  /dev/shm/network(/.*)?                
gen_context(system_u:object_r:net_conf_t,s0)
  ')
@@ -18,8 +18,8 @@
  #
  # /etc
  #
-@@ -36,6 +45,10 @@ ifdef(`distro_redhat',`
- /etc/sysconfig/network-scripts(/.*)? 
gen_context(system_u:object_r:net_conf_t,s0)
+@@ -37,6 +46,10 @@ ifdef(`distro_redhat',`
+ /var/run/systemd/network(/.*)?  gen_context(system_u:object_r:net_conf_t,s0)
  ')
  
 +/etc/sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
@@ -29,11 +29,11 @@
  #
  # /sbin
  #
-Index: serefpolicy-3.12.1/policy/modules/system/sysnetwork.te
+Index: serefpolicy-20140730/policy/modules/system/sysnetwork.te
 ===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/system/sysnetwork.te        
2013-11-12 10:31:33.113233800 +0100
-+++ serefpolicy-3.12.1/policy/modules/system/sysnetwork.te     2013-11-12 
10:31:33.132234012 +0100
-@@ -56,7 +56,8 @@ files_config_file(net_conf_t)
+--- serefpolicy-20140730.orig/policy/modules/system/sysnetwork.te
++++ serefpolicy-20140730/policy/modules/system/sysnetwork.te
+@@ -60,7 +60,8 @@ ifdef(`distro_debian',`
  #
  # DHCP client local policy
  #
@@ -43,7 +43,7 @@
  dontaudit dhcpc_t self:capability sys_tty_config;
  # for access("/etc/bashrc", X_OK) on Red Hat
  dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-@@ -91,6 +92,12 @@ allow dhcpc_t net_conf_t:file relabel_fi
+@@ -95,6 +96,12 @@ allow dhcpc_t net_conf_t:file relabel_fi
  sysnet_manage_config(dhcpc_t)
  files_etc_filetrans(dhcpc_t, net_conf_t, file)
  
@@ -56,10 +56,10 @@
  # create temp files
  manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
  manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
-Index: serefpolicy-3.12.1/policy/modules/kernel/devices.fc
+Index: serefpolicy-20140730/policy/modules/kernel/devices.fc
 ===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/kernel/devices.fc   2013-11-12 
10:31:33.096233609 +0100
-+++ serefpolicy-3.12.1/policy/modules/kernel/devices.fc        2013-11-12 
10:31:33.132234012 +0100
+--- serefpolicy-20140730.orig/policy/modules/kernel/devices.fc
++++ serefpolicy-20140730/policy/modules/kernel/devices.fc
 @@ -2,6 +2,7 @@
  /dev                  -d      gen_context(system_u:object_r:device_t,s0)
  /dev/.*                               
gen_context(system_u:object_r:device_t,s0)

++++++ systemd-tmpfiles.patch ++++++
--- /var/tmp/diff_new_pack.BgfG6U/_old  2014-09-09 18:59:19.000000000 +0200
+++ /var/tmp/diff_new_pack.BgfG6U/_new  2014-09-09 18:59:19.000000000 +0200
@@ -1,8 +1,8 @@
-Index: serefpolicy-3.12.1/policy/modules/kernel/devices.if
+Index: serefpolicy-20140730/policy/modules/kernel/devices.if
 ===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/kernel/devices.if   2013-11-21 
11:53:52.857807940 +0100
-+++ serefpolicy-3.12.1/policy/modules/kernel/devices.if        2013-11-21 
11:53:52.923808669 +0100
-@@ -6506,3 +6506,25 @@ interface(`dev_filetrans_xserver_named_d
+--- serefpolicy-20140730.orig/policy/modules/kernel/devices.if
++++ serefpolicy-20140730/policy/modules/kernel/devices.if
+@@ -6602,3 +6602,25 @@ interface(`dev_filetrans_xserver_named_d
        filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, 
"card8")
        filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, 
"card9")
  ')
@@ -28,20 +28,11 @@
 +      allow $1 device_node {create};
 +')
 +
-Index: serefpolicy-3.12.1/policy/modules/kernel/devices.te
+Index: serefpolicy-20140730/policy/modules/system/systemd.te
 ===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/kernel/devices.te   2013-11-21 
11:53:52.857807940 +0100
-+++ serefpolicy-3.12.1/policy/modules/kernel/devices.te        2013-11-21 
11:53:52.923808669 +0100
-@@ -334,3 +334,4 @@ files_associate_tmp(device_node)
- allow devices_unconfined_type self:capability sys_rawio;
- allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
- allow devices_unconfined_type mtrr_device_t:file *;
-+
-Index: serefpolicy-3.12.1/policy/modules/system/systemd.te
-===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/system/systemd.te   2013-11-21 
11:53:52.874808128 +0100
-+++ serefpolicy-3.12.1/policy/modules/system/systemd.te        2013-11-21 
11:55:29.271873271 +0100
-@@ -274,6 +274,11 @@ dev_read_cpu_online(systemd_tmpfiles_t)
+--- serefpolicy-20140730.orig/policy/modules/system/systemd.te
++++ serefpolicy-20140730/policy/modules/system/systemd.te
+@@ -320,6 +320,11 @@ dev_read_cpu_online(systemd_tmpfiles_t)
  dev_manage_all_dev_nodes(systemd_tmpfiles_t)
  dev_relabel_all_dev_nodes(systemd_tmpfiles_t)
  
@@ -53,20 +44,11 @@
  domain_obj_id_change_exemption(systemd_tmpfiles_t)
  
  # systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
-@@ -606,7 +611,7 @@ optional_policy(`
- #
- # systemd_sysctl domains local policy
- #
--allow systemd_sysctl_t self:capability net_admin;
-+allow systemd_sysctl_t self:capability { net_admin sys_admin };
- allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
- 
- kernel_dgram_send(systemd_sysctl_t)
-Index: serefpolicy-3.12.1/policy/modules/system/systemd.if
+Index: serefpolicy-20140730/policy/modules/system/systemd.if
 ===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/system/systemd.if   2013-11-21 
11:53:52.874808128 +0100
-+++ serefpolicy-3.12.1/policy/modules/system/systemd.if        2013-11-21 
11:53:52.923808669 +0100
-@@ -1398,3 +1398,22 @@ interface(`systemd_dontaudit_dbus_chat',
+--- serefpolicy-20140730.orig/policy/modules/system/systemd.if
++++ serefpolicy-20140730/policy/modules/system/systemd.if
+@@ -1458,3 +1458,22 @@ interface(`systemd_dontaudit_dbus_chat',
  
        dontaudit $1 systemd_domain:dbus send_msg;
  ')

++++++ type_transition_contrib.patch ++++++
--- /var/tmp/diff_new_pack.BgfG6U/_old  2014-09-09 18:59:19.000000000 +0200
+++ /var/tmp/diff_new_pack.BgfG6U/_new  2014-09-09 18:59:19.000000000 +0200
@@ -1,8 +1,8 @@
-diff --git a/glusterd.te b/glusterd.te
-index 8f595f8..253ba1a 100644
---- a/glusterd.te
-+++ b/glusterd.te
-@@ -40,7 +40,7 @@ allow glusterd_t self:unix_stream_socket { accept listen };
+Index: serefpolicy-contrib-20140730/glusterd.te
+===================================================================
+--- serefpolicy-contrib-20140730.orig/glusterd.te
++++ serefpolicy-contrib-20140730/glusterd.te
+@@ -68,7 +68,7 @@ allow glusterd_t self:unix_stream_socket
  
  manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
  manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)

++++++ type_transition_file_class.patch ++++++
--- /var/tmp/diff_new_pack.BgfG6U/_old  2014-09-09 18:59:19.000000000 +0200
+++ /var/tmp/diff_new_pack.BgfG6U/_new  2014-09-09 18:59:19.000000000 +0200
@@ -1,8 +1,8 @@
-Index: serefpolicy-3.12.1/policy/modules/system/miscfiles.if
+Index: serefpolicy-20140730/policy/modules/system/miscfiles.if
 ===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/system/miscfiles.if 2013-11-21 
11:53:52.871808095 +0100
-+++ serefpolicy-3.12.1/policy/modules/system/miscfiles.if      2013-12-11 
16:25:41.304059941 +0100
-@@ -875,7 +875,8 @@ interface(`miscfiles_etc_filetrans_local
+--- serefpolicy-20140730.orig/policy/modules/system/miscfiles.if
++++ serefpolicy-20140730/policy/modules/system/miscfiles.if
+@@ -896,7 +896,8 @@ interface(`miscfiles_etc_filetrans_local
        ')
  
        files_etc_filetrans($1, locale_t, lnk_file)
@@ -12,7 +12,7 @@
        files_etc_filetrans($1, locale_t, file, "locale.conf" )
        files_etc_filetrans($1, locale_t, file, "timezone" )
        files_etc_filetrans($1, locale_t, file, "vconsole.conf" )
-@@ -917,7 +918,8 @@ interface(`miscfiles_filetrans_locale_na
+@@ -938,7 +939,8 @@ interface(`miscfiles_filetrans_locale_na
                type locale_t;
        ')
  

++++++ useradd-netlink_selinux_socket.patch ++++++
--- /var/tmp/diff_new_pack.BgfG6U/_old  2014-09-09 18:59:19.000000000 +0200
+++ /var/tmp/diff_new_pack.BgfG6U/_new  2014-09-09 18:59:19.000000000 +0200
@@ -1,8 +1,8 @@
-Index: serefpolicy-3.12.1/policy/modules/admin/usermanage.te
+Index: serefpolicy-20140730/policy/modules/admin/usermanage.te
 ===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/admin/usermanage.te 2013-10-23 
11:44:16.797098128 +0200
-+++ serefpolicy-3.12.1/policy/modules/admin/usermanage.te      2013-10-23 
11:44:16.894099171 +0200
-@@ -503,6 +503,7 @@ allow useradd_t self:unix_dgram_socket c
+--- serefpolicy-20140730.orig/policy/modules/admin/usermanage.te
++++ serefpolicy-20140730/policy/modules/admin/usermanage.te
+@@ -497,6 +497,7 @@ allow useradd_t self:unix_dgram_socket c
  allow useradd_t self:unix_stream_socket create_stream_socket_perms;
  allow useradd_t self:unix_dgram_socket sendto;
  allow useradd_t self:unix_stream_socket connectto;

++++++ xconsole.patch ++++++
--- /var/tmp/diff_new_pack.BgfG6U/_old  2014-09-09 18:59:19.000000000 +0200
+++ /var/tmp/diff_new_pack.BgfG6U/_new  2014-09-09 18:59:19.000000000 +0200
@@ -15,22 +15,23 @@
 
 Index: policy/modules/services/xserver.te
 ===================================================================
---- policy/modules/services/xserver.te.orig    2013-10-23 11:44:16.810098267 
+0200
-+++ policy/modules/services/xserver.te 2013-10-23 11:44:16.887099095 +0200
-@@ -189,12 +189,6 @@ typealias xauth_tmp_t alias { xguest_xau
+--- policy/modules/services/xserver.te.orig
++++ policy/modules/services/xserver.te
+@@ -189,13 +189,6 @@ typealias xauth_tmp_t alias { xguest_xau
  typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
  userdom_user_tmp_file(xauth_tmp_t)
  
 -# this is not actually a device, its a pipe
 -type xconsole_device_t;
 -files_type(xconsole_device_t)
+-dev_associate(xconsole_device_t)
 -fs_associate_tmpfs(xconsole_device_t)
 -files_associate_tmp(xconsole_device_t)
 -
  type xdm_unconfined_exec_t;
  application_executable_file(xdm_unconfined_exec_t)
  
-@@ -438,7 +432,6 @@ allow xdm_t self:dbus { send_msg acquire
+@@ -437,7 +430,6 @@ allow xdm_t self:dbus { send_msg acquire
  
  allow xdm_t xauth_home_t:file manage_file_perms;
  
@@ -38,7 +39,7 @@
  manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
  
-@@ -669,6 +662,10 @@ libs_exec_lib_files(xdm_t)
+@@ -663,6 +655,10 @@ libs_exec_lib_files(xdm_t)
  libs_exec_ldconfig(xdm_t)
  
  logging_read_generic_logs(xdm_t)
@@ -51,8 +52,8 @@
  miscfiles_read_fonts(xdm_t)
 Index: policy/modules/services/xserver.fc
 ===================================================================
---- policy/modules/services/xserver.fc.orig    2013-10-23 11:44:16.809098257 
+0200
-+++ policy/modules/services/xserver.fc 2013-10-23 11:44:16.887099095 +0200
+--- policy/modules/services/xserver.fc.orig
++++ policy/modules/services/xserver.fc
 @@ -33,11 +33,6 @@ HOME_DIR/\.dmrc.*   --      gen_context(system_
  /root/\.dmrc.*        --      gen_context(system_u:object_r:xdm_home_t,s0)
  
@@ -67,9 +68,9 @@
  /etc/gdm(3)?/PostSession/.*   --      
gen_context(system_u:object_r:xsession_exec_t,s0)
 Index: policy/modules/system/logging.te
 ===================================================================
---- policy/modules/system/logging.te.orig      2013-10-23 11:44:16.815098321 
+0200
-+++ policy/modules/system/logging.te   2013-10-23 11:44:16.888099106 +0200
-@@ -107,6 +107,12 @@ ifdef(`enable_mls',`
+--- policy/modules/system/logging.te.orig
++++ policy/modules/system/logging.te
+@@ -110,6 +110,12 @@ ifdef(`enable_mls',`
        init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
  ')
  
@@ -82,7 +83,7 @@
  ########################################
  #
  # Auditctl local policy
-@@ -167,6 +173,9 @@ manage_files_pattern(auditd_t, auditd_va
+@@ -173,6 +179,9 @@ manage_files_pattern(auditd_t, auditd_va
  manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
  files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
  
@@ -92,7 +93,7 @@
  kernel_read_kernel_sysctls(auditd_t)
  # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
  # Probably want a transition, and a new auditd_helper app
-@@ -619,11 +628,6 @@ optional_policy(`
+@@ -631,11 +640,6 @@ optional_policy(`
        udev_read_db(syslogd_t)
  ')
  
@@ -106,9 +107,9 @@
  # syslog client rules
 Index: policy/modules/system/logging.if
 ===================================================================
---- policy/modules/system/logging.if.orig      2013-10-23 11:44:16.815098321 
+0200
-+++ policy/modules/system/logging.if   2013-10-23 11:44:16.888099106 +0200
-@@ -1355,3 +1355,40 @@ interface(`logging_filetrans_named_conte
+--- policy/modules/system/logging.if.orig
++++ policy/modules/system/logging.if
+@@ -1431,3 +1431,40 @@ interface(`logging_filetrans_named_conte
  
      logging_log_filetrans($1, var_log_t, dir, "anaconda")
  ')
@@ -151,9 +152,9 @@
 +
 Index: policy/modules/system/init.te
 ===================================================================
---- policy/modules/system/init.te.orig 2013-10-23 11:44:16.813098300 +0200
-+++ policy/modules/system/init.te      2013-10-23 11:44:16.888099106 +0200
-@@ -731,6 +731,7 @@ logging_manage_generic_logs(initrc_t)
+--- policy/modules/system/init.te.orig
++++ policy/modules/system/init.te
+@@ -797,6 +797,7 @@ logging_manage_generic_logs(initrc_t)
  logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
@@ -161,7 +162,7 @@
  
  # slapd needs to read cert files from its initscript
  miscfiles_manage_generic_cert_files(initrc_t)
-@@ -1376,9 +1377,6 @@ optional_policy(`
+@@ -1453,9 +1454,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -173,8 +174,8 @@
  ')
 Index: policy/modules/system/logging.fc
 ===================================================================
---- policy/modules/system/logging.fc.orig      2013-10-23 11:44:16.815098321 
+0200
-+++ policy/modules/system/logging.fc   2013-10-23 11:44:16.888099106 +0200
+--- policy/modules/system/logging.fc.orig
++++ policy/modules/system/logging.fc
 @@ -1,4 +1,5 @@
  /dev/log              -s      
gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 +/dev/xconsole         -p      
gen_context(system_u:object_r:xconsole_device_t,s0)
@@ -183,9 +184,9 @@
  /etc/syslog.conf              gen_context(system_u:object_r:syslog_conf_t,s0)
 Index: policy/modules/services/xserver.if
 ===================================================================
---- policy/modules/services/xserver.if.orig    2013-10-23 11:44:16.810098267 
+0200
-+++ policy/modules/services/xserver.if 2013-10-23 11:44:16.888099106 +0200
-@@ -636,42 +636,6 @@ interface(`xserver_manage_user_xauth',`
+--- policy/modules/services/xserver.if.orig
++++ policy/modules/services/xserver.if
+@@ -635,42 +635,6 @@ interface(`xserver_manage_user_xauth',`
  
  ########################################
  ## <summary>
