Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2015-06-30 10:15:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2015-01-29 09:57:30.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new/selinux-policy.changes 2015-06-30 10:15:57.000000000 +0200 @@ -1,0 +2,28 @@ +Wed Jun 24 08:27:30 UTC 2015 - [email protected] + +- Transition from unconfined user to cron admin type +- Allow systemd_timedated_t to talk to unconfined dbus for minimal + policy (bsc#932826) +- Allow hostnamectl to set the hostname (bsc#933764) + +------------------------------------------------------------------- +Wed May 20 14:05:04 UTC 2015 - [email protected] + +- Removed ability of staff_t and user_t to use svirt. Will reenable + this later on with a policy upgrade + Added suse_modifications_staff.patch + +------------------------------------------------------------------- +Wed Feb 25 11:38:44 UTC 2015 - [email protected] + +- Added dont_use_xmllint_in_make_conf.patch to remove xmllint usage + in make conf. This currently breaks manual builds. +- Added BuildRequires for libxml2-tools to enable xmllint checks + once the issue mentioned above is solved + +------------------------------------------------------------------- +Thu Jan 29 09:56:40 UTC 2015 - [email protected] + +- adjusted suse_modifications_ntp to match SUSE chroot paths + +------------------------------------------------------------------- New: ---- dont_use_xmllint_in_make_conf.patch suse_modifications_staff.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.J303Bz/_old 2015-06-30 10:15:59.000000000 +0200 +++ /var/tmp/diff_new_pack.J303Bz/_new 2015-06-30 10:15:59.000000000 +0200 
@@ -97,6 +97,8 @@ Patch0018: suse_modifications_ssh.patch Patch0019: suse_modifications_usermanage.patch Patch0020: suse_modifications_unprivuser.patch +Patch0021: dont_use_xmllint_in_make_conf.patch +Patch0022: suse_modifications_staff.patch # contrib patches Patch1000: policy-rawhide-contrib.patch @@ -120,6 +122,7 @@ BuildRequires: bzip2 BuildRequires: checkpolicy >= %{CHECKPOLICYVER} BuildRequires: gawk +BuildRequires: libxml2-tools BuildRequires: m4 BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER} BuildRequires: policycoreutils-python >= %{POLICYCOREUTILSVER} @@ -362,6 +365,8 @@ %patch0018 -p1 %patch0019 -p1 %patch0020 -p1 +%patch0021 -p1 +%patch0022 -p1 refpolicy_path=`pwd` cp $contrib_path/* $refpolicy_path/policy/modules/contrib # we use distro=redhat to get all the redhat modifications but we'll still need everything that is defined for suse ++++++ dont_use_xmllint_in_make_conf.patch ++++++ Index: serefpolicy-20140730/Makefile =================================================================== --- serefpolicy-20140730.orig/Makefile 2014-07-30 16:48:48.379896000 +0200 +++ serefpolicy-20140730/Makefile 2015-02-25 12:37:11.262844720 +0100 @@ -431,9 +431,6 @@ $(polxml): $(layerxml) $(tunxml) $(boolx $(verbose) for i in $(basename $(notdir $(layerxml))); do echo "<layer name=\"$$i\">" >> $@; cat $(tmpdir)/$$i.xml >> $@; echo "</layer>" >> $@; done $(verbose) cat $(tunxml) $(boolxml) >> $@ $(verbose) echo '</policy>' >> $@ - $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \ - $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\ - fi xml: $(polxml) ++++++ suse_modifications_cron.patch ++++++ --- /var/tmp/diff_new_pack.J303Bz/_old 2015-06-30 10:16:00.000000000 +0200 +++ /var/tmp/diff_new_pack.J303Bz/_new 2015-06-30 10:16:00.000000000 +0200 
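Review bot: `BuildRequires: libxml2-tools` in the second hunk adds a tool the build no longer runs, because Patch0021, applied two hunks later, deletes the one `$(XMLLINT)` invocation visible in this submission, so nothing validates the generated policy.xml against its DTD any more and a malformed file will only surface in whatever consumes it later. If the dependency is kept as a hook for turning the check back on, say so where it is declared, e.g. `# xmllint DTD check of policy.xml is removed by Patch0021 (breaks manual builds); kept so the check can be re-enabled`. A less lossy form of Patch0021 would wrap the original three-line check in an `ifndef`/`endif` on a make variable (name constructed here, e.g. `SKIP_XMLLINT`) that the spec sets, so the validation is skipped on purpose rather than removed.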
@@ -1,7 +1,7 @@ Index: serefpolicy-contrib-20140730/cron.fc =================================================================== ---- serefpolicy-contrib-20140730.orig/cron.fc -+++ serefpolicy-contrib-20140730/cron.fc +--- serefpolicy-contrib-20140730.orig/cron.fc 2015-06-24 10:48:23.073675837 +0200 ++++ serefpolicy-contrib-20140730/cron.fc 2015-06-24 10:48:26.477726111 +0200 @@ -55,6 +55,8 @@ ifdef(`distro_suse', ` /var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0) /var/spool/cron/lastrun/[^/]* -- <<none>> @@ -13,8 +13,8 @@ ifdef(`distro_debian',` Index: serefpolicy-contrib-20140730/cron.te =================================================================== ---- serefpolicy-contrib-20140730.orig/cron.te -+++ serefpolicy-contrib-20140730/cron.te +--- serefpolicy-contrib-20140730.orig/cron.te 2015-06-24 10:48:23.073675837 +0200 ++++ serefpolicy-contrib-20140730/cron.te 2015-06-24 10:48:26.477726111 +0200 @@ -841,3 +841,9 @@ tunable_policy(`cron_userdomain_transiti optional_policy(` unconfined_domain(unconfined_cronjob_t) 
@@ -25,3 +25,25 @@ + userdom_manage_user_home_dirs(crontab_t) + xserver_non_drawing_client(crontab_t) +') +Index: serefpolicy-contrib-20140730/cron.if +=================================================================== +--- serefpolicy-contrib-20140730.orig/cron.if 2015-06-24 10:48:23.073675837 +0200 ++++ serefpolicy-contrib-20140730/cron.if 2015-06-24 10:48:47.318033927 +0200 +@@ -158,7 +158,7 @@ interface(`cron_role',` + # + interface(`cron_unconfined_role',` + gen_require(` +- type unconfined_cronjob_t, crontab_t, crontab_exec_t; ++ type unconfined_cronjob_t, admin_crontab_t, crontab_t, crontab_exec_t; + type crond_t, user_cron_spool_t; + bool cron_userdomain_transition; + ') +@@ -175,7 +175,7 @@ interface(`cron_unconfined_role',` + # Local policy + # + +- domtrans_pattern($2, crontab_exec_t, crontab_t) ++ domtrans_pattern($2, crontab_exec_t, admin_crontab_t) + + dontaudit crond_t $2:process { noatsecure siginh rlimitinh }; + ++++++ suse_modifications_ntp.patch ++++++ --- /var/tmp/diff_new_pack.J303Bz/_old 2015-06-30 10:16:00.000000000 +0200 +++ /var/tmp/diff_new_pack.J303Bz/_new 2015-06-30 10:16:00.000000000 +0200 
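Review bot: The second inner hunk of the new cron.if patch moves the `domtrans_pattern($2, crontab_exec_t, ...)` target from crontab_t to admin_crontab_t, but only the gen_require and that one line change; the remainder of `cron_unconfined_role` lies outside the hunk, and any `role $1 types` declaration or `ps_process_pattern($2, crontab_t)`-style rule it may still carry for crontab_t would leave the new target type unauthorized for the role or unmanageable by the calling domain. Please confirm the role/type authorization in the rest of the interface covers admin_crontab_t. The patch itself gives no reason for the switch, so a comment on the domtrans line, e.g. `# SUSE: unconfined callers enter admin_crontab_t rather than crontab_t (see changelog 2015-06-24)`, would save the next reader a trip to the changelog.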
@@ -2,11 +2,75 @@ =================================================================== --- serefpolicy-contrib-20140730.orig/ntp.fc +++ serefpolicy-contrib-20140730/ntp.fc -@@ -10,6 +10,7 @@ - /etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) +@@ -1,25 +1,36 @@ + /etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0) + /etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0) - /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) -+/usr/sbin/start-ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) - /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) - /usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0) +-/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0) +-/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0) +-/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) +-/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) +-/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0) +- +-/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) +- +-/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) +-/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) +-/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0) +- +-/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0) +- +-/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) +-/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) +- +-/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) +-/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0) +-/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) +- +-/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) ++/etc/ntpd.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0) ++/etc/ntp/crypto(/.*)? 
gen_context(system_u:object_r:ntpd_key_t,s0) ++/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) ++/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) ++/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0) ++ ++/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0) ++ ++/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) ++/usr/sbin/start-ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0) ++/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0) ++/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0) ++ ++/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0) ++ ++/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) ++/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) ++ ++/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0) ++/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0) ++/var/log/xntpd.* -- gen_context(system_u:object_r:ntpd_log_t,s0) ++ ++/var/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_var_run_t,s0) ++ ++# SUSE chroot ++/var/lib/ntp/etc/ntpd?.*\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0) ++/var/lib/ntp/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0) ++/var/lib/ntp/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) ++/var/lib/ntp/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0) ++/var/lib/ntp/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0) ++/var/lib/ntp/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) ++/var/lib/ntp/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) ++/var/lib/ntp/var/run/ntp(/.*)? 
gen_context(system_u:object_r:ntpd_var_run_t,s0) +Index: serefpolicy-contrib-20140730/ntp.te +=================================================================== +--- serefpolicy-contrib-20140730.orig/ntp.te ++++ serefpolicy-contrib-20140730/ntp.te +@@ -76,7 +76,7 @@ manage_files_pattern(ntpd_t, ntpd_tmpfs_ + fs_tmpfs_filetrans(ntpd_t, ntpd_tmpfs_t, { dir file }) + + manage_files_pattern(ntpd_t, ntpd_var_run_t, ntpd_var_run_t) +-files_pid_filetrans(ntpd_t, ntpd_var_run_t, file) ++files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file lnk_file } ) + + can_exec(ntpd_t, ntpd_exec_t) ++++++ suse_modifications_staff.patch ++++++ Index: serefpolicy-20140730/policy/modules/roles/staff.te =================================================================== --- serefpolicy-20140730.orig/policy/modules/roles/staff.te 2015-05-20 15:15:49.646097573 +0200 +++ serefpolicy-20140730/policy/modules/roles/staff.te 2015-05-20 15:59:47.483684401 +0200 @@ -388,18 +388,3 @@ ifndef(`distro_redhat',` tunable_policy(`selinuxuser_execmod',` userdom_execmod_user_home_files(staff_t) ') - -optional_policy(` - virt_transition_svirt(staff_t, staff_r) - virt_filetrans_home_content(staff_t) -') - -optional_policy(` - tunable_policy(`staff_use_svirt',` - allow staff_t self:fifo_file relabelfrom; - dev_rw_kvm(staff_t) - virt_manage_images(staff_t) - virt_stream_connect_svirt(staff_t) - virt_exec(staff_t) - ') -') ++++++ suse_modifications_systemd.patch ++++++ --- /var/tmp/diff_new_pack.J303Bz/_old 2015-06-30 10:16:00.000000000 +0200 +++ /var/tmp/diff_new_pack.J303Bz/_new 2015-06-30 10:16:00.000000000 +0200 
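Review bot: The two patterns meant to label the ntp configuration disagree between the root and the chroot sections of the rebuilt ntp.fc: the root entry reads `/etc/ntpd.*\.conf.*`, which requires a literal `d` before the wildcard and so does not cover `/etc/ntp.conf`, whereas the chroot entry `/var/lib/ntp/etc/ntpd?.*\.conf.*` makes the `d` optional; if the `?` was merely lost on the root line in this listing the point is moot, otherwise the two should use the same expression. The ntp.te change to `files_pid_filetrans(ntpd_t, ntpd_var_run_t, { file lnk_file } )` is covered neither by the `# SUSE chroot` comment nor by the changelog entry for this patch, and it extends the transition to every symlink ntpd creates in a var_run_t directory. A why-comment on that line, e.g. `# SUSE: chrooted ntpd also creates a symlink in /var/run — TODO confirm the link name`, would let a later reviewer judge whether a named transition on that single link is possible.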
@@ -1,7 +1,7 @@ Index: serefpolicy-20140730/policy/modules/system/systemd.te =================================================================== ---- serefpolicy-20140730.orig/policy/modules/system/systemd.te -+++ serefpolicy-20140730/policy/modules/system/systemd.te +--- serefpolicy-20140730.orig/policy/modules/system/systemd.te 2015-06-24 14:42:23.931790867 +0200 ++++ serefpolicy-20140730/policy/modules/system/systemd.te 2015-06-24 15:34:50.677937166 +0200 @@ -189,6 +189,9 @@ userdom_manage_tmpfs_role(system_r, syst xserver_dbus_chat(systemd_logind_t) @@ -12,3 +12,29 @@ optional_policy(` apache_read_tmp_files(systemd_logind_t) ') +@@ -528,9 +531,14 @@ allow systemd_hostnamed_t self:unix_stre + allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms; + + manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) ++manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) + manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) + files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "hostname" ) + files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file, "machine-info" ) ++# since we have unpredictable filenames for the link file we can't use a named transition ++create_lnk_files_pattern( systemd_hostnamed_t, etc_t, etc_t ) ++delete_lnk_files_pattern( systemd_hostnamed_t, etc_t, etc_t ) ++rename_lnk_files_pattern( systemd_hostnamed_t, etc_t, etc_t ) + + kernel_dgram_send(systemd_hostnamed_t) + +@@ -608,6 +616,10 @@ optional_policy(` + ') + + optional_policy(` ++ unconfined_dbus_send(systemd_timedated_t) ++') ++ ++optional_policy(` + gnome_manage_usr_config(systemd_timedated_t) + gnome_manage_home_config(systemd_timedated_t) + gnome_manage_home_config_dirs(systemd_timedated_t) ++++++ suse_modifications_unprivuser.patch ++++++ --- /var/tmp/diff_new_pack.J303Bz/_old 2015-06-30 10:16:00.000000000 +0200 +++ /var/tmp/diff_new_pack.J303Bz/_new 2015-06-30 10:16:00.000000000 +0200 
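Review bot: The three `*_lnk_files_pattern( systemd_hostnamed_t, etc_t, etc_t )` rules added in the hostnamed hunk let hostnamed create, delete and rename any etc_t-labelled symlink anywhere under /etc, not just the hostname link bsc#933764 is about. The comment rules out a named transition, but an unnamed one on the class still applies: `files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, lnk_file)` would label every symlink hostnamed creates in an etc_t directory as hostname_etc_t, which the `manage_lnk_files_pattern` line just above already covers for delete and rename, so the bare etc_t rules would only be needed for links that pre-date the policy — worth saying in the comment if they are kept. Separately, the added `manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)` repeats the context line directly above it and should be dropped.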
@@ -1,8 +1,8 @@ Index: serefpolicy-20140730/policy/modules/roles/unprivuser.te =================================================================== ---- serefpolicy-20140730.orig/policy/modules/roles/unprivuser.te -+++ serefpolicy-20140730/policy/modules/roles/unprivuser.te -@@ -259,7 +259,7 @@ ifndef(`distro_redhat',` +--- serefpolicy-20140730.orig/policy/modules/roles/unprivuser.te 2015-05-20 15:15:49.646097573 +0200 ++++ serefpolicy-20140730/policy/modules/roles/unprivuser.te 2015-05-20 16:00:16.212137319 +0200 +@@ -259,17 +259,12 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -11,13 +11,16 @@ ') -@@ -273,3 +273,9 @@ optional_policy(` - virt_manage_images(user_t) - ') - ') -+ +-optional_policy(` +- virt_transition_svirt(user_t, user_r) +- virt_filetrans_home_content(user_t) +ifdef(`distro_suse',` + xserver_xsession_entry_type(user_t) + dbus_system_bus_client(user_t) -+') -+ + ') + +-optional_policy(` +- tunable_policy(`unprivuser_use_svirt',` +- virt_manage_images(user_t) +- ') +-')
