Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2015-07-23 15:22:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2015-06-30 10:15:57.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new/selinux-policy.changes 2015-07-23 15:22:54.000000000 +0200 @@ -1,0 +2,6 @@ +Tue Jul 21 14:56:07 UTC 2015 - [email protected] + +- Minor changes for CC evaluation. Allow reading of /dev/random + and ipc_lock for dbus and dhcp + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ suse_modifications_dbus.patch ++++++ --- /var/tmp/diff_new_pack.nXd6xO/_old 2015-07-23 15:22:56.000000000 +0200 +++ /var/tmp/diff_new_pack.nXd6xO/_new 2015-07-23 15:22:56.000000000 +0200 
@@ -1,8 +1,25 @@ Index: serefpolicy-contrib-20140730/dbus.te =================================================================== ---- serefpolicy-contrib-20140730.orig/dbus.te -+++ serefpolicy-contrib-20140730/dbus.te -@@ -154,6 +154,8 @@ userdom_dontaudit_search_user_home_dirs( +--- serefpolicy-contrib-20140730.orig/dbus.te 2015-07-21 16:39:25.588407411 +0200 ++++ serefpolicy-contrib-20140730/dbus.te 2015-07-21 16:41:17.738197485 +0200 +@@ -55,7 +55,7 @@ ifdef(`enable_mls',` + # dac_override: /var/run/dbus is owned by messagebus on Debian + # cjp: dac_override should probably go in a distro_debian + allow system_dbusd_t self:capability2 block_suspend; +-allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid }; ++allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid ipc_lock}; + dontaudit system_dbusd_t self:capability sys_tty_config; + allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit }; + allow system_dbusd_t self:fifo_file rw_fifo_file_perms; +@@ -87,6 +87,7 @@ kernel_read_kernel_sysctls(system_dbusd_ + kernel_stream_connect(system_dbusd_t) + + dev_read_urand(system_dbusd_t) ++dev_read_rand(system_dbusd_t) + dev_read_sysfs(system_dbusd_t) + + dev_rw_inherited_input_dev(system_dbusd_t) +@@ -154,6 +155,8 @@ userdom_dontaudit_search_user_home_dirs( userdom_home_reader(system_dbusd_t) @@ -13,8 +30,8 @@ ') Index: serefpolicy-contrib-20140730/dbus.if =================================================================== ---- serefpolicy-contrib-20140730.orig/dbus.if -+++ serefpolicy-contrib-20140730/dbus.if +--- serefpolicy-contrib-20140730.orig/dbus.if 2015-07-21 16:39:25.588407411 +0200 ++++ serefpolicy-contrib-20140730/dbus.if 2015-07-21 16:39:28.964461299 +0200 
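Review bot: The `ipc_lock` added to the `system_dbusd_t` capability rule in the `@@ -55,7 +55,7 @@` part of this hunk, and the same addition to `dhcpc_t` in the sysnetwork.te hunk further down, have no rationale in the policy itself; the changelog says only "CC evaluation", whereas the dhcpc rule does document `sys_admin`. A one-line comment above each rule, for example `# ipc_lock: <component that locks memory in the evaluated configuration>`, would let a later audit decide whether the grant is still needed. If the AVC denial turns out to be non-fatal, `dontaudit system_dbusd_t self:capability ipc_lock;` would silence it without widening the capability set, so that is worth confirming before keeping the `allow`. The same applies to `dev_read_rand(system_dbusd_t)`, which is added next to the existing `dev_read_urand` call without saying why /dev/random is needed in addition. As a style point, `ipc_lock}` lacks the space before the closing brace that the dhcpc_t rule uses.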
@@ -111,6 +111,26 @@ template(`dbus_role_template',` logging_send_syslog_msg($1_dbusd_t) ++++++ sysconfig_network_scripts.patch ++++++ --- /var/tmp/diff_new_pack.nXd6xO/_old 2015-07-23 15:22:56.000000000 +0200 +++ /var/tmp/diff_new_pack.nXd6xO/_new 2015-07-23 15:22:56.000000000 +0200 @@ -1,7 +1,7 @@ Index: serefpolicy-20140730/policy/modules/system/sysnetwork.fc =================================================================== ---- serefpolicy-20140730.orig/policy/modules/system/sysnetwork.fc -+++ serefpolicy-20140730/policy/modules/system/sysnetwork.fc +--- serefpolicy-20140730.orig/policy/modules/system/sysnetwork.fc 2015-07-21 16:52:51.913277147 +0200 ++++ serefpolicy-20140730/policy/modules/system/sysnetwork.fc 2015-07-21 16:52:55.461333779 +0200 @@ -11,6 +11,15 @@ ifdef(`distro_debian',` /dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ') @@ -31,15 +31,15 @@ # Index: serefpolicy-20140730/policy/modules/system/sysnetwork.te =================================================================== ---- serefpolicy-20140730.orig/policy/modules/system/sysnetwork.te -+++ serefpolicy-20140730/policy/modules/system/sysnetwork.te +--- serefpolicy-20140730.orig/policy/modules/system/sysnetwork.te 2015-07-21 16:52:51.913277147 +0200 ++++ serefpolicy-20140730/policy/modules/system/sysnetwork.te 2015-07-21 16:54:15.998619244 +0200 
@@ -60,7 +60,8 @@ ifdef(`distro_debian',` # # DHCP client local policy # -allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config }; +# need sys_admin to set hostname/domainname -+allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config sys_admin }; ++allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config sys_admin ipc_lock }; dontaudit dhcpc_t self:capability sys_tty_config; # for access("/etc/bashrc", X_OK) on Red Hat dontaudit dhcpc_t self:capability { dac_read_search sys_module }; @@ -58,8 +58,8 @@ manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t) Index: serefpolicy-20140730/policy/modules/kernel/devices.fc =================================================================== ---- serefpolicy-20140730.orig/policy/modules/kernel/devices.fc -+++ serefpolicy-20140730/policy/modules/kernel/devices.fc +--- serefpolicy-20140730.orig/policy/modules/kernel/devices.fc 2015-07-21 16:52:51.913277147 +0200 ++++ serefpolicy-20140730/policy/modules/kernel/devices.fc 2015-07-21 16:52:55.461333779 +0200 @@ -2,6 +2,7 @@ /dev -d gen_context(system_u:object_r:device_t,s0) /dev/.* gen_context(system_u:object_r:device_t,s0)
