Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2015-01-29 09:57:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2014-11-18 22:49:02.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new/selinux-policy.changes 2015-01-29 09:57:30.000000000 +0100 
@@ -1,0 +2,50 @@ +Wed Jan 28 09:37:06 UTC 2015 - [email protected] + +- Added + * suse_additions_obs.patch to allow local builds by OBS + * suse_additions_sslh.patch to confine sslh +- Added suse_modifications_cron.patch to adjust crontabs contexts +- Modified suse_modifications_postfix.patch to match SUSE paths +- Modified suse_modifications_ssh.patch to bring boolean + sshd_forward_ports back +- Modified + * suse_modifications_dbus.patch + * suse_modifications_unprivuser.patch + * suse_modifications_xserver.patch + to allow users to be confined +- Added + * suse_modifications_apache.patch + * suse_modifications_ntp.patch + and modified + * suse_modifications_xserver.patch + to fix labels on startup scripts used by systemd +- Removed unused and incorrect interface dev_create_all_dev_nodes + from systemd-tmpfiles.patch +- Removed BuildRequire for selinux-policy-devel + +------------------------------------------------------------------- +Fri Jan 23 15:52:02 UTC 2015 - [email protected] + +- Major cleanup of the spec file + +------------------------------------------------------------------- +Fri Jan 23 11:44:52 UTC 2015 - [email protected] + +- removed suse_minimal_cc.patch and splitted them into + * suse_modifications_dbus.patch + * suse_modifications_policykit.patch + * suse_modifications_postfix.patch + * suse_modifications_rtkit.patch + * suse_modifications_unconfined.patch + * suse_modifications_systemd.patch + * suse_modifications_unconfineduser.patch + * suse_modifications_selinuxutil.patch + * suse_modifications_logging.patch + * suse_modifications_getty.patch + * suse_modifications_authlogin.patch + * suse_modifications_xserver.patch + * suse_modifications_ssh.patch + * suse_modifications_usermanage.patch +- Added suse_modifications_virt.patch to enable svirt on s390x + +------------------------------------------------------------------- Old: ---- suse_minimal_cc.patch New: ---- suse_additions_obs.patch suse_additions_sslh.patch 
suse_modifications_apache.patch suse_modifications_authlogin.patch suse_modifications_cron.patch suse_modifications_dbus.patch suse_modifications_getty.patch suse_modifications_logging.patch suse_modifications_ntp.patch suse_modifications_policykit.patch suse_modifications_postfix.patch suse_modifications_rtkit.patch suse_modifications_selinuxutil.patch suse_modifications_ssh.patch suse_modifications_systemd.patch suse_modifications_unconfined.patch suse_modifications_unconfineduser.patch suse_modifications_unprivuser.patch suse_modifications_usermanage.patch suse_modifications_virt.patch suse_modifications_xserver.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.cOIqfg/_old 2015-01-29 09:57:43.000000000 +0100 +++ /var/tmp/diff_new_pack.cOIqfg/_new 2015-01-29 09:57:43.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package selinux-policy # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,76 +17,100 @@ # TODO: This turns on distro-specific policies. -# There are almost no SUSE specific modifications available -# in the upstream, so we utilize the ones used by redhat +# There are almost no SUSE specific modifications available in the policy, so we utilize the +# ones used by redhat and include also the SUSE specific ones (see sed statement below) %define distro redhat %define polyinstatiate n %define monolithic n -%if %{?BUILD_DOC:0}%{!?BUILD_DOC:1} %define BUILD_DOC 1 -%endif -%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1} %define BUILD_TARGETED 1 -%endif -%if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1} %define BUILD_MINIMUM 1 -%endif %if 0%{suse_version} == 1315 %define BUILD_MLS 0 -%endif -%if %{?BUILD_MLS:0}%{!?BUILD_MLS:1} +%else %define BUILD_MLS 1 %endif %define POLICYVER 29 %define POLICYCOREUTILSVER 2.3 %define CHECKPOLICYVER 2.3 + Summary: SELinux policy configuration License: GPL-2.0+ Group: System/Management Name: selinux-policy Version: 20140730 -Release: 20%{?dist} +Release: 0 Source: serefpolicy-%{version}.tgz -Patch: policy-rawhide-base.patch -Patch1: policy-rawhide-contrib.patch +Source1: serefpolicy-contrib-%{version}.tgz + +Source10: modules-targeted-base.conf +Source11: modules-targeted-contrib.conf +Source12: modules-mls-base.conf +Source13: modules-mls-contrib.conf +#Source14: modules-minimum.conf + +Source20: booleans-targeted.conf +Source21: booleans-mls.conf +Source22: booleans-minimum.conf +Source23: booleans.subs_dist + +Source30: setrans-targeted.conf +Source31: setrans-mls.conf +Source32: setrans-minimum.conf + +Source40: securetty_types-targeted +Source41: securetty_types-mls +Source42: securetty_types-minimum + +Source50: users-targeted +Source51: users-mls +Source52: users-minimum + +Source60: selinux-policy.conf +Source61: selinux-policy.sysconfig + +Source90: selinux-policy-rpmlintrc +Source91: Makefile.devel +Source92: customizable_types +Source93: config.tgz +Source94: file_contexts.subs_dist + +# base policy 
patches +Patch0001: policy-rawhide-base.patch # The following two patches are a workaround for 812055 -Patch10: type_transition_file_class.patch -Patch11: type_transition_contrib.patch -Patch12: label_sysconfig.selinux-policy.patch -Patch13: sysconfig_network_scripts.patch -Patch14: allow-local_login_t-read-shadow.patch -Patch15: xconsole.patch -Patch16: useradd-netlink_selinux_socket.patch -Patch17: systemd-tmpfiles.patch -Patch18: label_var_run_rsyslog.patch -Patch19: suse_minimal_cc.patch - -Source1: modules-targeted-base.conf -Source31: modules-targeted-contrib.conf -Source2: booleans-targeted.conf -Source3: Makefile.devel -Source4: setrans-targeted.conf -Source5: modules-mls-base.conf -Source32: modules-mls-contrib.conf -Source6: booleans-mls.conf -Source8: setrans-mls.conf -Source14: securetty_types-targeted -Source15: securetty_types-mls -#Source16: modules-minimum.conf -Source17: booleans-minimum.conf -Source18: setrans-minimum.conf -Source19: securetty_types-minimum -Source20: customizable_types -Source21: config.tgz -Source22: users-mls -Source23: users-targeted -Source25: users-minimum -Source26: file_contexts.subs_dist -Source27: selinux-policy.conf -Source29: serefpolicy-contrib-%{version}.tgz -Source30: booleans.subs_dist -Source40: selinux-policy.sysconfig -Source41: selinux-policy-rpmlintrc +Patch0002: type_transition_file_class.patch +Patch0003: label_sysconfig.selinux-policy.patch +Patch0004: sysconfig_network_scripts.patch +Patch0005: allow-local_login_t-read-shadow.patch +Patch0006: xconsole.patch +Patch0007: useradd-netlink_selinux_socket.patch +Patch0008: systemd-tmpfiles.patch +Patch0009: label_var_run_rsyslog.patch +Patch0010: suse_modifications_unconfined.patch +Patch0011: suse_modifications_systemd.patch +Patch0012: suse_modifications_unconfineduser.patch +Patch0013: suse_modifications_selinuxutil.patch +Patch0014: suse_modifications_logging.patch +Patch0015: suse_modifications_getty.patch +Patch0016: suse_modifications_authlogin.patch 
+Patch0017: suse_modifications_xserver.patch +Patch0018: suse_modifications_ssh.patch +Patch0019: suse_modifications_usermanage.patch +Patch0020: suse_modifications_unprivuser.patch + +# contrib patches +Patch1000: policy-rawhide-contrib.patch +Patch1001: type_transition_contrib.patch +Patch1002: suse_modifications_virt.patch +Patch1003: suse_modifications_dbus.patch +Patch1004: suse_modifications_policykit.patch +Patch1005: suse_modifications_postfix.patch +Patch1006: suse_modifications_rtkit.patch +Patch1007: suse_modifications_apache.patch +Patch1008: suse_modifications_ntp.patch +Patch1009: suse_modifications_cron.patch +Patch1010: suse_additions_sslh.patch +Patch1011: suse_additions_obs.patch Url: http://oss.tresys.com/repos/refpolicy/ BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -101,7 +125,7 @@ BuildRequires: policycoreutils-python >= %{POLICYCOREUTILSVER} BuildRequires: python BuildRequires: python-xml -BuildRequires: selinux-policy-devel +#BuildRequires: selinux-policy-devel # we need selinuxenabled Requires(post): selinux-tools Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} 
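Review bot: Dropping the `%{?BUILD_DOC:0}%{!?BUILD_DOC:1}` guards turns `BUILD_DOC`, `BUILD_TARGETED`, `BUILD_MINIMUM` and (outside the 1315 branch) `BUILD_MLS` into unconditional `%define`s, so they can no longer be overridden with `--define` at build time; if that override is still wanted, `%{!?BUILD_DOC: %define BUILD_DOC 1}` keeps it in one line each. The changelog says the `selinux-policy-devel` BuildRequires was removed, but the hunk at -101 only comments it out (`#BuildRequires: selinux-policy-devel`), and `#Source14: modules-minimum.conf` is likewise a commented-out line; deleting dead lines keeps the spec honest about what it declares.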
@@ -111,44 +135,6 @@ # for audit2allow Recommends: policycoreutils-python -%description -SELinux Base package - -%files -%defattr(-,root,root,-) -%doc COPYING -%dir %{_usr}/share/selinux -%dir %{_sysconfdir}/selinux -%ghost %config(noreplace) %{_sysconfdir}/selinux/config -%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} -%{_usr}/lib/tmpfiles.d/selinux-policy.conf - -%package devel -Summary: SELinux policy devel -Group: System/Management -Requires(pre): selinux-policy = %{version}-%{release} -Requires: /usr/bin/make -Requires: checkpolicy >= %{CHECKPOLICYVER} -Requires: m4 - -%description devel -SELinux policy development and man page package - -%files devel -%defattr(-,root,root,-) -%{_mandir}/ru/*/* -%dir %{_usr}/share/selinux/devel -%dir %{_usr}/share/selinux/devel/include -%{_usr}/share/selinux/devel/include/* -%{_usr}/share/selinux/devel/Makefile -%{_usr}/share/selinux/devel/example.* - -%package doc -Summary: SELinux policy documentation -Group: System/Management -Requires(pre): selinux-policy = %{version}-%{release} -Requires: /usr/bin/xdg-open - %define makeCmds() \ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \ 
@@ -189,7 +175,7 @@ touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/users.local \ touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/file_contexts.homedirs.bin \ touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/file_contexts.bin \ -cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \ +cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \ bzip2 -c %{buildroot}/%{_usr}/share/selinux/%1/base.pp > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/base.pp \ rm -f %{buildroot}/%{_usr}/share/selinux/%1/base.pp \ for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \ @@ -264,12 +250,12 @@ . %{_sysconfdir}/sysconfig/selinux-policy; \ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ if selinuxenabled; then \ -if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ + if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \ rm -f ${FILE_CONTEXT}.pre; \ -fi; \ -/sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \ -/sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null || true; \ + fi; \ + /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \ + /sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null || true; \ fi; %define preInstall() \ @@ -302,9 +288,7 @@ if selinuxenabled; then \ load_policy; \ else \ - # selinux isn't enabled \ - # (probably a first install of the policy) \ - # -> we can't load the policy \ + # probably a first install of the policy \ true; \ fi; \ fi; \ 
@@ -325,45 +309,69 @@ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \ fi; -%description doc -SELinux policy documentation package - -%files doc +%files %defattr(-,root,root,-) -%doc %{_usr}/share/doc/%{name}-%{version} -%{_usr}/share/selinux/devel/policy.* +%doc COPYING +%dir %{_usr}/share/selinux +%dir %{_sysconfdir}/selinux +%ghost %config(noreplace) %{_sysconfdir}/selinux/config +%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} +%{_usr}/lib/tmpfiles.d/selinux-policy.conf %description -SELinux Reference Policy - modular. -Based off of reference policy: Checked out revision 2.20091117 - -%build +SELinux Reference Policy. A complete SELinux policy that can be used as the system policy for a variety of +systems and used as the basis for creating other policies. %prep -%setup -n serefpolicy-contrib-%{version} -q -b 29 -%patch1 -p1 -%patch11 -p1 -%patch19 -p1 +# contrib modules +%setup -n serefpolicy-contrib-%{version} -q -b 1 +%patch1000 -p1 +%patch1001 -p1 +%patch1002 -p1 +%patch1003 -p1 +%patch1004 -p1 +%patch1005 -p1 +%patch1006 -p1 +%patch1007 -p1 +%patch1008 -p1 +%patch1009 -p1 +%patch1010 -p1 +%patch1011 -p1 + +# base policy contrib_path=`pwd` %setup -n serefpolicy-%{version} -q cp COPYING .. 
-%patch -p1 -%patch10 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p0 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 +%patch0001 -p1 +%patch0002 -p1 +%patch0003 -p1 +%patch0004 -p1 +%patch0005 -p1 +%patch0006 -p0 +%patch0007 -p1 +%patch0008 -p1 +%patch0009 -p1 +%patch0010 -p1 +%patch0011 -p1 +%patch0012 -p1 +%patch0013 -p1 +%patch0014 -p1 +%patch0015 -p1 +%patch0016 -p1 +%patch0017 -p1 +%patch0018 -p1 +%patch0019 -p1 +%patch0020 -p1 refpolicy_path=`pwd` cp $contrib_path/* $refpolicy_path/policy/modules/contrib # we use distro=redhat to get all the redhat modifications but we'll still need everything that is defined for suse find "$refpolicy_path" -type f -print0 | xargs -0 sed -i -e 's/ifdef(`distro_suse/ifdef(`distro_redhat/g' +%build + %install mkdir selinux_config -for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do +for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE93} %{SOURCE94};do cp $i selinux_config done tar zxvf selinux_config/config.tgz @@ -371,12 +379,11 @@ %{__rm} -fR %{buildroot} mkdir -p %{buildroot}%{_sysconfdir}/selinux mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ -cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/ +cp %{SOURCE60} %{buildroot}%{_usr}/lib/tmpfiles.d/ # Always create policy module package directories mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/ -# Install devel make clean %if %{BUILD_TARGETED} # Build targeted policy 
@@ -398,18 +405,21 @@ %if %{BUILD_MLS} # Build mls policy +mkdir -p %{buildroot}%{_usr}/share/selinux/mls %makeCmds mls mls n deny %makeModulesConf mls base contrib %installCmds mls mls n deny %modulesList mls %endif +# Install devel mkdir -p %{buildroot}%{_mandir} cp -R man/* %{buildroot}%{_mandir} make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers mkdir %{buildroot}%{_usr}/share/selinux/devel/ mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include +chmod +x %{buildroot}%{_usr}/share/selinux/devel/include/support/segenxml.py install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/ install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/ @@ -417,7 +427,7 @@ rm -rf selinux_config # fillup sysconfig mkdir -p %{buildroot}%{_localstatedir}/adm/fillup-templates -cp %{SOURCE40} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} +cp %{SOURCE61} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} %clean 
@@ -438,14 +448,53 @@ %postun if [ $1 = 0 ]; then setenforce 0 2> /dev/null - #if [ ! -s /etc/selinux/config ]; then - #echo "SELINUX=disabled" > /etc/selinux/config - #else - #sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config - #fi + if [ -s /etc/selinux/config ]; then + sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config + fi fi exit 0 +%package devel +Summary: SELinux policy devel +Group: System/Management +Requires(pre): selinux-policy = %{version}-%{release} +Requires: /usr/bin/make +Requires: checkpolicy >= %{CHECKPOLICYVER} +Requires: m4 + +%description devel +SELinux policy development and man page package + +%files devel +%defattr(-,root,root,-) +%{_mandir}/ru/man8/ftpd_selinux.8.gz +%{_mandir}/ru/man8/httpd_selinux.8.gz +%{_mandir}/ru/man8/kerberos_selinux.8.gz +%{_mandir}/ru/man8/named_selinux.8.gz +%{_mandir}/ru/man8/nfs_selinux.8.gz +%{_mandir}/ru/man8/rsync_selinux.8.gz +%{_mandir}/ru/man8/samba_selinux.8.gz +%{_mandir}/ru/man8/ypbind_selinux.8.gz +%dir %{_usr}/share/selinux/devel +%dir %{_usr}/share/selinux/devel/include +%{_usr}/share/selinux/devel/include/* +%{_usr}/share/selinux/devel/Makefile +%{_usr}/share/selinux/devel/example.* + +%package doc +Summary: SELinux policy documentation +Group: System/Management +Requires(pre): selinux-policy = %{version}-%{release} +Requires: /usr/bin/xdg-open + +%description doc +SELinux policy documentation package + +%files doc +%defattr(-,root,root,-) +%doc %{_usr}/share/doc/%{name}-%{version} +%{_usr}/share/selinux/devel/policy.* + %if %{BUILD_TARGETED} %package targeted Summary: SELinux targeted base policy @@ -466,10 +515,6 @@ %postInstall $1 targeted exit 0 -%triggerpostun targeted -- selinux-policy-targeted < 3.12.1-7.fc19 -restorecon -R -p /home -exit 0 - %files targeted %defattr(-,root,root,-) %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u 
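Review bot: The re-enabled `%postun` branch rewrites `/etc/selinux/config` only when the file is non-empty, so a host whose config is missing or empty is left untouched after the policy is erased, a case the previously commented-out version covered with an `echo` in its `else` branch; `if [ -s /etc/selinux/config ]; then sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config; else echo "SELINUX=disabled" > /etc/selinux/config; fi` restores that. A config that exists but has no `SELINUX=` line is also not changed by the `sed`, and the trailing `exit 0` hides a failing `sed`, so the admin gets no signal that the machine may come back up in enforcing mode with no policy installed; at least a message to stderr on failure is worth adding. A one-line comment above the block saying why the mode is forced to disabled on erase (nothing is left to load) would record the intent.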
@@ -507,7 +552,6 @@ done # this is temporarily needed to make minimum policy work without errors. Will be included # into the proper places later on -rm /etc/selinux/minimum/modules/active/modules/suse.pp.disabled for p in $basepackages apache.pp dbus.pp inetd.pp kerberos.pp mta.pp nis.pp nscd.pp cron.pp; do rm -f /etc/selinux/minimum/modules/active/modules/$p.disabled done ++++++ modules-targeted-contrib.conf ++++++ --- /var/tmp/diff_new_pack.cOIqfg/_old 2015-01-29 09:57:43.000000000 +0100 +++ /var/tmp/diff_new_pack.cOIqfg/_new 2015-01-29 09:57:43.000000000 +0100 @@ -1523,13 +1523,6 @@ # realmd = module -# Layer: contrib -# Module: suse -# -# suse modifications -# -suse = module - # Layer: services # Module: remotelogin # @@ -2229,3 +2222,17 @@ # policy for smsd # smsd = module + +# Layer: contrib +# Module: sslh +# +# policy for sslh +# +sslh = module + +# Layer: contrib +# Module: obs +# +# policy for obs +# +obs = module ++++++ selinux-policy-rpmlintrc ++++++ --- /var/tmp/diff_new_pack.cOIqfg/_old 2015-01-29 09:57:43.000000000 +0100 +++ /var/tmp/diff_new_pack.cOIqfg/_new 2015-01-29 09:57:43.000000000 +0100 @@ -12,4 +12,7 @@ addFilter("W: files-duplicate /etc/selinux/mls/modules/active/seusers.final /etc/selinux/mls/seusers") addFilter("W: files-duplicate /etc/selinux/mls/modules/active/file_contexts /etc/selinux/mls/contexts/files/file_contexts") addFilter("W: files-duplicate /etc/selinux/mls/contexts/files/file_contexts.homedirs /etc/selinux/mls/modules/active/file_contexts.homedirs") +addFilter("E: files-duplicated-waste") +addFilter("E: files-duplicated-waste") +addFilter("E: files-duplicated-waste") ++++++ suse_additions_obs.patch ++++++ Index: serefpolicy-contrib-20140730/obs.fc =================================================================== --- /dev/null +++ serefpolicy-contrib-20140730/obs.fc 
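Review bot: The three added `addFilter("E: files-duplicated-waste")` lines in selinux-policy-rpmlintrc are identical, so two of them are redundant, and the filter is unscoped, which silences that rpmlint error for every file in the package rather than for the known duplicates under `/etc/selinux/*/modules/active`. The existing entries just above show the per-path form (`addFilter("W: files-duplicate /etc/selinux/mls/...")`); using that shape keeps the check useful when a new, unintended duplicate appears.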
@@ -0,0 +1,63 @@ +/usr/lib/build/Build(/.*)? -- gen_context(system_u:object_r:lib_t,s0) +/usr/lib/build/Build.pm -- gen_context(system_u:object_r:lib_t,s0) + +/usr/lib/build/configs(/.*)? -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/baselibs_global.conf -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/baselibs_global-deb.conf -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-pkg -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-pkg-arch -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-pkg-deb -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-pkg-rpm -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-recipe -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-recipe-arch -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-recipe-dsc -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-recipe-kiwi -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-recipe-livebuild -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-recipe-mock -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-recipe-preinstallimage -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-recipe-spec -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-vm -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-vm-ec2 -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-vm-emulator -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-vm-kvm -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-vm-lxc -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-vm-openstack -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-vm-qemu -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-vm-uml -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-vm-xen -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/build-vm-zvm -- 
gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/lxc.conf -- gen_context(system_u:object_r:etc_t,s0) +/usr/lib/build/qemu-reg -- gen_context(system_u:object_r:etc_t,s0) + +/usr/lib/build/emulator/.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/build -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/changelog2spec -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/common_functions -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/computeblocklists -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/createarchdeps -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/createdebdeps -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/createrepomddeps -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/createrpmdeps -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/createyastdeps -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/createzyppdeps -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/debtransform -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/debtransformbz2 -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/debtransformzip -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/download -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/expanddeps -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/extractbuild -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/getbinaryid -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/init_buildsystem -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/killchroot -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/mkbaselibs -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/mkdrpms -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/order -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/queryconfig -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/signdummy -- gen_context(system_u:object_r:bin_t,s0) 
+/usr/lib/build/spec2changelog -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/spec_add_patch -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/spectool -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/substitutedeps -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/unrpm -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/build/vc -- gen_context(system_u:object_r:bin_t,s0) + Index: serefpolicy-contrib-20140730/obs.if =================================================================== --- /dev/null +++ serefpolicy-contrib-20140730/obs.if @@ -0,0 +1 @@ +# Index: serefpolicy-contrib-20140730/obs.te =================================================================== --- /dev/null +++ serefpolicy-contrib-20140730/obs.te @@ -0,0 +1,17 @@ +policy_module(obs, 1.0.0) + +######################################## +# +# Declarations +# + +# work out a real policy later on +#type obs_t; +#type obs_exec_t; +#application_domain(obs_t, obs_exec_t) +# +#type obs_conf_t; +#files_config_file(obs_conf_t) +# +#permissive obs_t; + ++++++ suse_additions_sslh.patch ++++++ Index: serefpolicy-contrib-20140730/sslh.fc =================================================================== --- /dev/null +++ serefpolicy-contrib-20140730/sslh.fc @@ -0,0 +1,9 @@ +/etc/conf.d/sslh -- gen_context(system_u:object_r:sslh_conf_t,s0) +/etc/default/sslh -- gen_context(system_u:object_r:sslh_conf_t,s0) + +/etc/init.d/sslh -- gen_context(system_u:object_r:sslh_initrc_exec_t,s0) +/usr/lib/systemd/system/sslh.service -- gen_context(system_u:object_r:sslh_unit_file_t,s0) + +#/usr/sbin/rcsslh -- gen_context(system_u:object_r:sslh_exec_t,s0) +/usr/sbin/sslh -- gen_context(system_u:object_r:sslh_exec_t,s0) + Index: serefpolicy-contrib-20140730/sslh.if =================================================================== --- /dev/null +++ serefpolicy-contrib-20140730/sslh.if 
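Review bot: `/usr/lib/build/Build(/.*)? -- gen_context(system_u:object_r:lib_t,s0)` and `/usr/lib/build/configs(/.*)? -- gen_context(system_u:object_r:etc_t,s0)` at the top of obs.fc combine a recursive pattern with the `--` regular-file restriction, so the `Build` and `configs` directories themselves are never matched by these entries and keep whatever the generic `/usr/lib` rule gives them; dropping the `--` on those two entries, or adding `-d` entries, labels the directory consistently with its contents. `/usr/lib/build/emulator/.* --` has the same gap for the `emulator` directory. A comment stating why the `build-recipe-*` and `build-vm-*` scripts are labeled `etc_t` (if they are sourced rather than executed) would keep a later maintainer from "fixing" them to `bin_t`.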
@@ -0,0 +1,77 @@
+## <summary>sslh Applicative Protocol Multiplexer</summary>
+
+#######################################
+## <summary>
+## Allow a domain to getattr on sslh binary.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sslh_getattr_exec',`
+ gen_require(`
+ type sslh_exec_t;
+ ')
+
+ allow $1 sslh_exec_t:file getattr;
+')
+
+#######################################
+## <summary>
+## Read sslh configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sslh_read_config',`
+ gen_require(`
+ type sslh_conf_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, sslh_conf_t, sslh_conf_t)
+ read_files_pattern($1, sslh_conf_t, sslh_conf_t)
+')
+
+######################################
+## <summary>
+## Write sslh configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sslh_write_config',`
+ gen_require(`
+ type sslh_conf_t;
+ ')
+
+ files_search_etc($1)
+ write_files_pattern($1, sslh_conf_t, sslh_conf_t)
+')
+
+####################################
+## <summary>
+## Manage sslh configuration.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sslh_manage_config',`
+ gen_require(`
+ type sslh_conf_t;
+ ')
+
+ files_search_etc($1)
+ manage_files_pattern($1, sslh_conf_t, sslh_conf_t)
+')
Index: serefpolicy-contrib-20140730/sslh.te
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/sslh.te
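Review bot: The `<summary>` for the `domain` parameter of `sslh_getattr_exec` reads `Domain allowed to transition.` although the interface only grants `getattr` on `sslh_exec_t`, so the generated interface documentation would describe a transition that does not exist; the other three interfaces in the file use `Domain allowed access.`, which fits here as well. The separator rows above the four interfaces are of different lengths (39, 39, 38 and 36 `#`), which is cosmetic but stands out against the refpolicy files these will be built with.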
@@ -0,0 +1,48 @@
+policy_module(sslh, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sslh_t;
+type sslh_exec_t;
+init_daemon_domain(sslh_t, sslh_exec_t)
+
+type sslh_initrc_exec_t;
+init_script_file(sslh_initrc_exec_t)
+
+type sslh_conf_t;
+files_config_file(sslh_conf_t)
+
+type sslh_unit_file_t;
+systemd_unit_file(sslh_unit_file_t)
+
+########################################
+#
+# sslh local policy
+#
+
+allow sslh_t self:capability { setuid net_bind_service setgid };
+allow sslh_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow sslh_t self:process { setcap signal };
+allow sslh_t self:tcp_socket { getattr setopt bind create listen accept connect write read };
+
+corenet_tcp_bind_generic_node(sslh_t)
+corenet_tcp_bind_all_ports(sslh_t)
+corenet_tcp_connect_all_ports(sslh_t)
+
+corenet_udp_bind_all_ports(sslh_t)
+corenet_udp_send_generic_if(sslh_t)
+corenet_udp_receive_generic_if(sslh_t)
+
+read_files_pattern(sslh_t, sslh_conf_t, sslh_conf_t)
+
+nscd_shm_use(sslh_t)
+
+allow sslh_t nscd_var_run_t:file read;
+
+# dontaudit?
+#allow sshd_t chkpwd_t:process { siginh rlimitinh noatsecure };
+#allow sshd_t unconfined_t:process { siginh noatsecure };
+
++++++ suse_modifications_apache.patch ++++++
Index: serefpolicy-contrib-20140730/apache.fc
===================================================================
--- serefpolicy-contrib-20140730.orig/apache.fc
+++ serefpolicy-contrib-20140730/apache.fc
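Review bot: `corenet_tcp_bind_all_ports(sslh_t)`, `corenet_tcp_connect_all_ports(sslh_t)` and `corenet_udp_bind_all_ports(sslh_t)` let the new domain bind and connect to every labeled port, which leaves the multiplexer almost as broad as an unconfined network client; sslh listens on one configured port and forwards to a handful of local backends, so binding to that port type (a dedicated port type declared in corenetwork if none fits) plus targeted connect interfaces such as `corenet_tcp_connect_ssh_port` and `corenet_tcp_connect_http_port` is the least-privilege shape, and the three UDP rules look unused unless this sslh build multiplexes UDP. `nscd_shm_use(sslh_t)` and the raw `allow sslh_t nscd_var_run_t:file read;` reference the nscd module directly; outside an optional_policy block the module fails to build whenever nscd is not enabled, and `nscd_read_pid(sslh_t)` would replace the raw allow. The commented `allow sshd_t chkpwd_t ...` and `allow sshd_t unconfined_t ...` lines under `# dontaudit?` still name `sshd_t` and appear pasted from ssh.te; either drop them or reword them for `sslh_t` so they are not later uncommented as-is.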
@@ -64,6 +64,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.* /usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/start_apache2 -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/htcacheclean -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0) ++++++ suse_modifications_authlogin.patch ++++++ Index: serefpolicy-20140730/policy/modules/system/authlogin.te =================================================================== --- serefpolicy-20140730.orig/policy/modules/system/authlogin.te +++ serefpolicy-20140730/policy/modules/system/authlogin.te @@ -152,6 +152,9 @@ seutil_dontaudit_use_newrole_fds(chkpwd_ userdom_dontaudit_use_user_ttys(chkpwd_t) +allow chkpwd_t var_run_t:sock_file write; +files_rw_inherited_generic_pid_files(chkpwd_t) + ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(chkpwd_t) ++++++ suse_modifications_cron.patch ++++++ Index: serefpolicy-contrib-20140730/cron.fc =================================================================== --- serefpolicy-contrib-20140730.orig/cron.fc +++ serefpolicy-contrib-20140730/cron.fc @@ -55,6 +55,8 @@ ifdef(`distro_suse', ` /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) /var/spool/cron/lastrun/[^/]* -- <<none>> /var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0) +/var/spool/cron/tabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) +/var/spool/cron/tabs/[^/]* -- gen_context(system_u:object_r:user_cron_spool_t,s0) ') ifdef(`distro_debian',` Index: serefpolicy-contrib-20140730/cron.te =================================================================== --- serefpolicy-contrib-20140730.orig/cron.te +++ serefpolicy-contrib-20140730/cron.te 
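Review bot: `allow chkpwd_t var_run_t:sock_file write;` grants write to every socket under `/run` that still carries the generic `var_run_t` label rather than to one named socket, and the same rule is added for `system_dbusd_t` (dbus.te), `getty_t` (getty.te), `syslogd_t` (logging.te, there together with read of generic `var_run_t` files), `policykit_t` (policykit.te) and `postfix_master_t` (postfix.te). Presumably all six answer denials on the same socket that the policy does not yet label; the patches do not say which, so a comment naming it (`# write access to <socket path> under /run, not yet labeled`) belongs next to each rule, and giving that socket its own type through an fc entry plus the owning module's interface would keep the allow specific and let `restorecon` maintain it. The adjacent `files_rw_inherited_generic_pid_files(chkpwd_t)` is the narrower, interface-based form and is a good model for the socket case.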
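Review bot: In cron.fc, `/var/spool/cron/tabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)` is immediately followed by the catch-all `/var/spool/cron/tabs/[^/]* -- gen_context(system_u:object_r:user_cron_spool_t,s0)`, which also matches `root`; which entry wins depends on the file_contexts precedence rules of the installed libselinux (historically the later entry), so root's crontab may end up labeled `user_cron_spool_t`. Placing the catch-all before the specific entry, and checking `matchpathcon /var/spool/cron/tabs/root` once the module is built, settles it; a one-line comment stating the intended precedence is worth adding either way.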
@@ -841,3 +841,9 @@ tunable_policy(`cron_userdomain_transiti optional_policy(` unconfined_domain(unconfined_cronjob_t) ') + +ifdef(`distro_suse',` + files_read_default_symlinks(crontab_t) + userdom_manage_user_home_dirs(crontab_t) + xserver_non_drawing_client(crontab_t) +') ++++++ suse_modifications_dbus.patch ++++++ Index: serefpolicy-contrib-20140730/dbus.te =================================================================== --- serefpolicy-contrib-20140730.orig/dbus.te +++ serefpolicy-contrib-20140730/dbus.te @@ -154,6 +154,8 @@ userdom_dontaudit_search_user_home_dirs( userdom_home_reader(system_dbusd_t) +allow system_dbusd_t var_run_t:sock_file write; + optional_policy(` bind_domtrans(system_dbusd_t) ') Index: serefpolicy-contrib-20140730/dbus.if =================================================================== --- serefpolicy-contrib-20140730.orig/dbus.if +++ serefpolicy-contrib-20140730/dbus.if @@ -111,6 +111,26 @@ template(`dbus_role_template',` logging_send_syslog_msg($1_dbusd_t) + ifdef(`distro_suse',` + gen_require(` + type config_home_t, xdm_var_run_t; + ') + allow $1_dbusd_t self:unix_stream_socket connectto; + + # is this firefox mislabeled? + #allow $1_dbusd_t lib_t:file execute_no_trans; + allow $1_dbusd_t config_home_t:file { rename unlink create read write getattr }; + allow $1_dbusd_t xdm_var_run_t:file { getattr open read }; + + allow $1_dbusd_t $1_t:dbus send_msg; + + auth_login_pgm_domain($1_dbusd_t) + xserver_non_drawing_client($1_dbusd_t) + gnome_manage_home_config_dirs($1_dbusd_t) + gnome_delete_home_config_dirs($1_dbusd_t) + corenet_tcp_connect_xserver_port($1_dbusd_t) + ') + optional_policy(` mozilla_domtrans_spec($1_dbusd_t, $1_t) ') ++++++ suse_modifications_getty.patch ++++++ Index: serefpolicy-20140730/policy/modules/system/getty.te =================================================================== --- serefpolicy-20140730.orig/policy/modules/system/getty.te +++ serefpolicy-20140730/policy/modules/system/getty.te 
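Review bot: `userdom_manage_user_home_dirs(crontab_t)` in the new distro_suse block in cron.te lets the crontab helper create, delete and rename users' home directories, which is far beyond reading a file handed to `crontab <file>`; if that is the need, `userdom_read_user_home_content_files(crontab_t)` is the least-privilege choice. `xserver_non_drawing_client(crontab_t)` is also surprising for a command-line tool. A comment above each of the three rules recording the denial it answers would let a later reviewer tighten them; the surrounding cron policy continues outside the hunk.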
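Review bot: `auth_login_pgm_domain($1_dbusd_t)` in dbus.if grants every user's session bus the privileges authlogin.if reserves for login programs (the subject/role/object identity-change exemptions, login-record and faillog access, and the password-checker transitions as defined there), which is a large expansion for a message bus; if the denial behind it was a single access, the specific interface is preferable, and the rule needs a comment naming the need. The direct `allow $1_dbusd_t config_home_t:file {...}` and `allow $1_dbusd_t xdm_var_run_t:file {...}` rules reach into the gnome and xserver modules' types; the `gnome_manage_home_config_dirs($1_dbusd_t)` call just below shows the interface form that keeps those types encapsulated, and wrapping the gnome and xserver calls in optional_policy would avoid a hard build dependency on those modules. The enclosing `dbus_role_template` starts and ends outside the hunk.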
@@ -109,6 +109,10 @@ locallogin_domtrans(getty_t)
 logging_send_syslog_msg(getty_t)
+allow getty_t var_run_t:sock_file write;
+plymouthd_exec_plymouth(getty_t)
+kernel_stream_connect(getty_t)
+
 ifdef(`distro_gentoo',`
 # Gentoo default /etc/issue makes agetty
 # do a DNS lookup for the hostname
++++++ suse_modifications_logging.patch ++++++
Index: serefpolicy-20140730/policy/modules/system/logging.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/logging.te
+++ serefpolicy-20140730/policy/modules/system/logging.te
@@ -565,6 +565,9 @@ userdom_dontaudit_use_unpriv_user_fds(sy
 userdom_search_user_home_dirs(syslogd_t)
 userdom_rw_inherited_user_tmp_files(syslogd_t)
+allow syslogd_t var_run_t:file { read getattr open };
+allow syslogd_t var_run_t:sock_file write;
+
 ifdef(`distro_gentoo',`
 # default gentoo syslog-ng config appends kernel
 # and high priority messages to /dev/tty12
++++++ suse_modifications_ntp.patch ++++++
Index: serefpolicy-contrib-20140730/ntp.fc
===================================================================
--- serefpolicy-contrib-20140730.orig/ntp.fc
+++ serefpolicy-contrib-20140730/ntp.fc
@@ -10,6 +10,7 @@
 /etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
 /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/sbin/start-ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
 /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
 /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
++++++ suse_modifications_policykit.patch ++++++
Index: serefpolicy-contrib-20140730/policykit.te
===================================================================
--- serefpolicy-contrib-20140730.orig/policykit.te
+++ serefpolicy-contrib-20140730/policykit.te
@@ -94,6 +94,9 @@ userdom_getattr_all_users(policykit_t)
 userdom_read_all_users_state(policykit_t)
 userdom_dontaudit_search_admin_dir(policykit_t)
+allow policykit_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(policykit_t)
+
 optional_policy(`
 dbus_system_domain(policykit_t, policykit_exec_t)
++++++ suse_modifications_postfix.patch ++++++
Index: serefpolicy-contrib-20140730/postfix.te
===================================================================
--- serefpolicy-contrib-20140730.orig/postfix.te
+++ serefpolicy-contrib-20140730/postfix.te
@@ -132,6 +132,9 @@ allow postfix_master_t postfix_map_exec_
 allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
+allow postfix_master_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(postfix_master_t)
+
 manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
 manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
Index: serefpolicy-contrib-20140730/postfix.fc
===================================================================
--- serefpolicy-contrib-20140730.orig/postfix.fc
+++ serefpolicy-contrib-20140730/postfix.fc
@@ -1,22 +1,6 @@
 # postfix
 /etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
 /etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
-ifdef(`distro_redhat', `
-/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
-/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
-/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
-/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
-/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
-/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
-/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
-/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
-/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
-/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
-', `
 /usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
 /usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
 /usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
@@ -30,7 +14,6 @@ ifdef(`distro_redhat', `
 /usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
 /usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
 /usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-')
 /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
 /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
 /usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
++++++ suse_modifications_rtkit.patch ++++++
Index: serefpolicy-contrib-20140730/rtkit.te
===================================================================
--- serefpolicy-contrib-20140730.orig/rtkit.te
+++ serefpolicy-contrib-20140730/rtkit.te
@@ -20,6 +20,9 @@ init_script_file(rtkit_daemon_initrc_exe
 allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
 allow rtkit_daemon_t self:process { setsched getcap setcap setrlimit };
+allow rtkit_daemon_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(rtkit_daemon_t)
+
 kernel_read_system_state(rtkit_daemon_t)
 domain_getsched_all_domains(rtkit_daemon_t)
++++++ suse_modifications_selinuxutil.patch ++++++
Index: serefpolicy-20140730/policy/modules/system/selinuxutil.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/selinuxutil.te
+++ serefpolicy-20140730/policy/modules/system/selinuxutil.te
@@ -337,6 +337,8 @@ optional_policy(`
 xserver_dontaudit_exec_xauth(newrole_t)
 ')
+allow restorecond_t var_run_t:sock_file write;
+
 ifdef(`distro_ubuntu',`
 optional_policy(`
 unconfined_domain(newrole_t)
++++++ suse_modifications_ssh.patch ++++++
Index: serefpolicy-20140730/policy/modules/services/ssh.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/services/ssh.te
+++ serefpolicy-20140730/policy/modules/services/ssh.te
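Review bot: The new `allow restorecond_t var_run_t:sock_file write;` sits in the newrole_t section of selinuxutil.te (the context lines around it are `xserver_dontaudit_exec_xauth(newrole_t)` and `unconfined_domain(newrole_t)`), so anyone reading restorecond's own section of the file will not see it; move it next to the other restorecond_t rules. As with the other `var_run_t:sock_file write` rules in this commit, a comment naming the socket that is still labelled var_run_t, e.g. `# restorecond writes to <socket path>, still labelled var_run_t`, would let the rule be removed once the label is fixed.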
@@ -27,6 +27,16 @@ gen_tunable(ssh_sysadm_login, false)
 ## </desc>
 gen_tunable(ssh_chroot_rw_homedirs, false)
+## <desc>
+## <p>
+## Allow sshd to forward port connections. This should work
+## out-of-the-box according to 11b328b4cfa484d55db01a0f127cbc94fa776f48
+## but it doesn't
+## </p>
+## </desc>
+##
+gen_tunable(sshd_forward_ports, false)
+
 attribute ssh_dyntransition_domain;
 attribute ssh_server;
 attribute ssh_agent_type;
@@ -291,6 +301,11 @@ corenet_tcp_bind_xserver_port(sshd_t)
 corenet_tcp_bind_vnc_port(sshd_t)
 corenet_sendrecv_xserver_server_packets(sshd_t)
+tunable_policy(`sshd_forward_ports',`
+ corenet_tcp_bind_all_unreserved_ports(sshd_t)
+ corenet_tcp_connect_all_ports(sshd_t)
+')
+
 auth_exec_login_program(sshd_t)
 userdom_read_user_home_content_files(sshd_t)
@@ -300,6 +315,9 @@ userdom_spec_domtrans_unpriv_users(sshd_
 userdom_signal_unpriv_users(sshd_t)
 userdom_dyntransition_unpriv_users(sshd_t)
+allow sshd_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(sshd_t)
+
 tunable_policy(`ssh_sysadm_login',`
 # Relabel and access ptys created by sshd
 # ioctl is necessary for logout() processing for utmp entry and for w to
++++++ suse_modifications_systemd.patch ++++++
Index: serefpolicy-20140730/policy/modules/system/systemd.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/systemd.te
+++ serefpolicy-20140730/policy/modules/system/systemd.te
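Review bot: The `<desc>` text for `sshd_forward_ports`, 'This should work out-of-the-box according to 11b328b4cfa484d55db01a0f127cbc94fa776f48 but it doesn't', is the text the policy tooling shows administrators for the boolean, and it describes the patch's history rather than what the boolean does. State the effect and the exposure instead, since the second hunk's `corenet_tcp_connect_all_ports(sshd_t)` lets sshd_t open TCP connections to any port and `corenet_tcp_bind_all_unreserved_ports(sshd_t)` lets it listen on any unreserved port: `## Allow sshd to bind unreserved TCP ports and connect to any TCP port so that` / `## ssh port forwarding works. Keep it off when forwarding is disabled in sshd_config.` The commit reference belongs in a `#` comment next to the `tunable_policy` block, not in the user-visible description.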
@@ -189,6 +189,9 @@ userdom_manage_tmpfs_role(system_r, syst
 xserver_dbus_chat(systemd_logind_t)
+allow systemd_logind_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(systemd_logind_t)
+
 optional_policy(`
 apache_read_tmp_files(systemd_logind_t)
 ')
++++++ suse_modifications_unconfined.patch ++++++
Index: serefpolicy-20140730/policy/modules/system/unconfined.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/unconfined.te
+++ serefpolicy-20140730/policy/modules/system/unconfined.te
@@ -15,6 +15,10 @@ unconfined_domain(unconfined_service_t)
 corecmd_bin_entry_type(unconfined_service_t)
 corecmd_shell_entry_type(unconfined_service_t)
+systemd_dbus_chat_localed(unconfined_service_t)
+systemd_dbus_chat_logind(unconfined_service_t)
+unconfined_shell_domtrans(unconfined_service_t)
+
 optional_policy(`
 rpm_transition_script(unconfined_service_t, system_r)
 ')
++++++ suse_modifications_unconfineduser.patch ++++++
Index: serefpolicy-20140730/policy/modules/roles/unconfineduser.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/roles/unconfineduser.te
+++ serefpolicy-20140730/policy/modules/roles/unconfineduser.te
@@ -79,6 +79,11 @@ domain_transition_all(unconfined_t)
 usermanage_run_passwd(unconfined_t, unconfined_r)
+# FIXME SUSE
+#allow unconfined_t systemd_systemctl_exec_t:file entrypoint;
+allow unconfined_t init_exec_t:file entrypoint;
+allow init_t unconfined_t:process transition;
+
 tunable_policy(`deny_execmem',`',`
 allow unconfined_t self:process execmem;
 ')
++++++ suse_modifications_unprivuser.patch ++++++
Index: serefpolicy-20140730/policy/modules/roles/unprivuser.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/roles/unprivuser.te
+++ serefpolicy-20140730/policy/modules/roles/unprivuser.te
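Review bot: `# FIXME SUSE` above `allow unconfined_t init_exec_t:file entrypoint;` and `allow init_t unconfined_t:process transition;` does not record what these rules work around, and the commented-out `systemd_systemctl_exec_t` line suggests the intended entrypoint type was not available; as written the pair lets init_t start a process that enters unconfined_t through the init binary, which is worth spelling out for whoever next audits the unconfined role. Replace the FIXME with the observed denial and the condition for removing the rules, e.g. `# SUSE: init_t needs to spawn unconfined_t via init_exec_t because <reason>; drop once <condition>`.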
@@ -259,7 +259,7 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
- vmtools_run_helper(user_t, user_r)
+ vmtools_run_helper(user_t, user_r)
 ')
@@ -273,3 +273,9 @@ optional_policy(`
 virt_manage_images(user_t)
 ')
 ')
+
+ifdef(`distro_suse',`
+ xserver_xsession_entry_type(user_t)
+ dbus_system_bus_client(user_t)
+')
+
++++++ suse_modifications_usermanage.patch ++++++
Index: serefpolicy-20140730/policy/modules/admin/usermanage.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/admin/usermanage.te
+++ serefpolicy-20140730/policy/modules/admin/usermanage.te
@@ -274,6 +274,9 @@ userdom_use_unpriv_users_fds(groupadd_t)
 # for when /root is the cwd
 userdom_dontaudit_search_user_home_dirs(groupadd_t)
+allow groupadd_t self:netlink_selinux_socket { create bind };
+allow groupadd_t var_run_t:sock_file write;
+
 optional_policy(`
 dpkg_use_fds(groupadd_t)
 dpkg_rw_pipes(groupadd_t)
@@ -572,6 +575,9 @@ userdom_home_filetrans_user_home_dir(use
 userdom_manage_home_role(system_r, useradd_t)
 userdom_delete_all_user_home_content(useradd_t)
+allow useradd_t var_run_t:sock_file write;
+selinux_compute_access_vector(useradd_t)
+
 optional_policy(`
 mta_manage_spool(useradd_t)
 ')
++++++ suse_modifications_virt.patch ++++++
Index: serefpolicy-contrib-20140730/virt.te
===================================================================
--- serefpolicy-contrib-20140730.orig/virt.te
+++ serefpolicy-contrib-20140730/virt.te
@@ -280,6 +280,8 @@ corenet_udp_bind_all_ports(svirt_t)
 corenet_tcp_bind_all_ports(svirt_t)
 corenet_tcp_connect_all_ports(svirt_t)
+allow svirt_t qemu_exec_t:file execmod;
+
 #######################################
 #
 # svirt_prot_exec local policy
++++++ suse_modifications_xserver.patch ++++++
Index: serefpolicy-20140730/policy/modules/services/xserver.fc
===================================================================
--- serefpolicy-20140730.orig/policy/modules/services/xserver.fc
+++ serefpolicy-20140730/policy/modules/services/xserver.fc
@@ -97,6 +97,9 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
 /usr/bin/Xvnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0)
+#/usr/lib/gdm/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/X11/display-manager -- gen_context(system_u:object_r:xdm_exec_t,s0)
+
 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 /usr/X11R6/bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
Index: serefpolicy-20140730/policy/modules/services/xserver.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/services/xserver.te
+++ serefpolicy-20140730/policy/modules/services/xserver.te
@@ -810,6 +810,17 @@ ifdef(`distro_rhel4',`
 allow xdm_t self:process { execheap execmem };
 ')
+ifndef(`distro_suse',`
+ # this is a neverallow, maybe dontaudit it
+ #allow xdm_t proc_kcore_t:file getattr;
+ allow xdm_t var_run_t:lnk_file create;
+ allow xdm_t var_lib_t:lnk_file read;
+
+ dev_getattr_all_blk_files( xdm_t )
+ dev_getattr_all_chr_files( xdm_t )
+ logging_r_xconsole(xdm_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 fs_exec_nfs_files(xdm_t)
 ')
++++++ systemd-tmpfiles.patch ++++++
--- /var/tmp/diff_new_pack.cOIqfg/_old 2015-01-29 09:57:43.000000000 +0100
+++ /var/tmp/diff_new_pack.cOIqfg/_new 2015-01-29 09:57:43.000000000 +0100
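Review bot: `allow svirt_t qemu_exec_t:file execmod;` lets a guest's qemu process execute a modified private mapping of its own binary, a permission refpolicy normally reserves for executables with text relocations; the changelog says this is for svirt on s390x, but the rule is unconditional and applies on every architecture. Add a comment stating the s390x reason so the rule can be revisited, `# s390x qemu has text relocations (execmod) - drop once the binary is built without them`, and check whether the qemu build can avoid the relocation so the permission is not needed at all. The svirt_t section starts outside the hunk.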
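Review bot: The new block is wrapped in `ifndef(`distro_suse',`, so in a patch whose purpose is SUSE-specific changes these xdm_t rules take effect only on non-SUSE builds and are skipped on SUSE; every other conditional block in this commit (cron.te, dbus.if, unprivuser.te) uses `ifdef(`distro_suse',`, so this looks inverted and should read `ifdef(`distro_suse',` unless the exclusion is deliberate, in which case a comment should say why. The `# this is a neverallow, maybe dontaudit it` line over the commented-out `#allow xdm_t proc_kcore_t:file getattr;` should either become a dontaudit through the kernel module's interface for proc_kcore_t or be removed rather than left as dead policy. `dev_getattr_all_blk_files( xdm_t )` and `dev_getattr_all_chr_files( xdm_t )` also carry spaces inside the parentheses, unlike the other calls in this hunk.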
@@ -1,33 +1,3 @@
-Index: serefpolicy-20140730/policy/modules/kernel/devices.if
-===================================================================
---- serefpolicy-20140730.orig/policy/modules/kernel/devices.if
-+++ serefpolicy-20140730/policy/modules/kernel/devices.if
-@@ -6602,3 +6602,25 @@ interface(`dev_filetrans_xserver_named_d
- filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
- filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
- ')
-+
-+
-+########################################
-+## <summary>
-+## Allow full relabeling (to and from) of all device nodes.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`dev_create_all_dev_nodes',`
-+ gen_require(`
-+ attribute device_node;
-+ type device_t;
-+ ')
-+
-+ allow $1 device_node {create};
-+')
-+
 Index: serefpolicy-20140730/policy/modules/system/systemd.te
 ===================================================================
 --- serefpolicy-20140730.orig/policy/modules/system/systemd.te
-- 
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
