Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2022-07-18 18:32:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1523 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Mon Jul 18 18:32:44 2022 rev:28 rq:989143 version:20220714 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2022-07-13 14:55:57.187021449 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1523/selinux-policy.changes 2022-07-18 18:32:44.773655833 +0200 @@ -1,0 +2,7 @@ +Thu Jul 14 08:44:12 UTC 2022 - Johannes Segitz <jseg...@suse.com> + +- Update to version 20220714. Refreshed: + * fix_init.patch + * fix_systemd_watch.patch + +------------------------------------------------------------------- Old: ---- fedora-policy-20220624.tar.bz2 New: ---- fedora-policy-20220714.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.sXEwo7/_old 2022-07-18 18:32:45.933657483 +0200 +++ /var/tmp/diff_new_pack.sXEwo7/_new 2022-07-18 18:32:45.937657489 +0200 @@ -33,7 +33,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20220624 +Version: 20220714 Release: 0 Source: fedora-policy-%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc ++++++ fedora-policy-20220624.tar.bz2 -> fedora-policy-20220714.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/contrib/amanda.te new/fedora-policy-20220714/policy/modules/contrib/amanda.te --- old/fedora-policy-20220624/policy/modules/contrib/amanda.te 2022-06-24 08:28:15.514217177 +0200 +++ new/fedora-policy-20220714/policy/modules/contrib/amanda.te 2022-07-14 10:41:34.263983037 +0200 
@@ -106,6 +106,7 @@ can_exec(amanda_t, { amanda_exec_t amanda_inetd_exec_t }) kernel_read_kernel_sysctls(amanda_t) +kernel_read_net_sysctls(amanda_t) kernel_read_system_state(amanda_t) kernel_read_network_state(amanda_t) kernel_dontaudit_getattr_unlabeled_files(amanda_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/contrib/cups.te new/fedora-policy-20220714/policy/modules/contrib/cups.te --- old/fedora-policy-20220624/policy/modules/contrib/cups.te 2022-06-24 08:28:15.522217291 +0200 +++ new/fedora-policy-20220714/policy/modules/contrib/cups.te 2022-07-14 10:41:34.279983278 +0200 @@ -562,6 +562,7 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) +kernel_read_net_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) corenet_all_recvfrom_netlabel(cupsd_lpd_t) @@ -647,6 +648,7 @@ fs_search_auto_mountpoints(cups_pdf_t) +kernel_read_net_sysctls(cups_pdf_t) kernel_read_system_state(cups_pdf_t) auth_use_nsswitch(cups_pdf_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/contrib/dbus.te new/fedora-policy-20220714/policy/modules/contrib/dbus.te --- old/fedora-policy-20220624/policy/modules/contrib/dbus.te 2022-06-24 08:28:15.522217291 +0200 +++ new/fedora-policy-20220714/policy/modules/contrib/dbus.te 2022-07-14 10:41:34.279983278 +0200 
@@ -215,6 +215,10 @@ ') optional_policy(` + rpm_script_rw_stream_sockets(system_dbusd_t) +') + +optional_policy(` snapper_read_inherited_pipe(system_dbusd_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/contrib/ddclient.if new/fedora-policy-20220714/policy/modules/contrib/ddclient.if --- old/fedora-policy-20220624/policy/modules/contrib/ddclient.if 2022-06-24 08:28:15.522217291 +0200 +++ new/fedora-policy-20220714/policy/modules/contrib/ddclient.if 2022-07-14 10:41:34.283983338 +0200 @@ -100,3 +100,21 @@ files_list_tmp($1) admin_pattern($1, ddclient_tmp_t) ') + +######################################## +## <summary> +## Get the attributes of ddclient PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ddclient_getattr_pid_files',` + gen_require(` + type ddclient_var_run_t; + ') + + getattr_files_pattern($1, ddclient_var_run_t, ddclient_var_run_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/contrib/firewalld.te new/fedora-policy-20220714/policy/modules/contrib/firewalld.te --- old/fedora-policy-20220624/policy/modules/contrib/firewalld.te 2022-06-24 08:28:15.526217348 +0200 +++ new/fedora-policy-20220714/policy/modules/contrib/firewalld.te 2022-07-14 10:41:34.287983399 +0200 
@@ -81,7 +81,7 @@ corecmd_exec_shell(firewalld_t) dev_read_urand(firewalld_t) -dev_search_sysfs(firewalld_t) +dev_read_sysfs(firewalld_t) domain_use_interactive_fds(firewalld_t) domain_obj_id_change_exemption(firewalld_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/contrib/insights_client.if new/fedora-policy-20220714/policy/modules/contrib/insights_client.if --- old/fedora-policy-20220624/policy/modules/contrib/insights_client.if 2022-06-24 08:28:15.530217406 +0200 +++ new/fedora-policy-20220714/policy/modules/contrib/insights_client.if 2022-07-14 10:41:34.291983459 +0200 @@ -58,6 +58,26 @@ ######################################## ## <summary> +## Allow the specified domain to search +## insights configuration dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`insights_search_config',` + gen_require(` + type insights_client_etc_t; + ') + + files_search_etc($1) + allow $1 insights_client_etc_t:dir search_dir_perms; +') + +######################################## +## <summary> ## Transition to insights_client named content ## </summary> ## <param name="domain"> 
@@ -73,8 +93,10 @@ type insights_client_tmp_t; ') + filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, ".cache.json") filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, ".cache.json.asc") filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, ".insights-core.etag") + filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, ".insights-core-gpg-sig.etag") filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, ".lastupload") filetrans_pattern($1, insights_client_etc_t, insights_client_etc_rw_t, file, ".last-upload.results") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/contrib/keepalived.te new/fedora-policy-20220714/policy/modules/contrib/keepalived.te --- old/fedora-policy-20220624/policy/modules/contrib/keepalived.te 2022-06-24 08:28:15.534217463 +0200 +++ new/fedora-policy-20220714/policy/modules/contrib/keepalived.te 2022-07-14 10:41:34.295983519 +0200 @@ -81,6 +81,7 @@ domain_read_all_domains_state(keepalived_t) domain_getattr_all_domains(keepalived_t) +dev_read_sysfs(keepalived_t) dev_read_urand(keepalived_t) files_dontaudit_mounton_rootfs(keepalived_var_run_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/contrib/kerberos.te new/fedora-policy-20220714/policy/modules/contrib/kerberos.te --- old/fedora-policy-20220624/policy/modules/contrib/kerberos.te 2022-06-24 08:28:15.534217463 +0200 +++ new/fedora-policy-20220714/policy/modules/contrib/kerberos.te 2022-07-14 10:41:34.295983519 +0200 
@@ -369,6 +369,7 @@ kernel_read_system_state(kpropd_t) kernel_read_network_state(kpropd_t) +kernel_read_net_sysctls(kpropd_t) can_exec(kpropd_t,kpropd_exec_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/contrib/networkmanager.te new/fedora-policy-20220714/policy/modules/contrib/networkmanager.te --- old/fedora-policy-20220624/policy/modules/contrib/networkmanager.te 2022-06-24 08:28:15.538217520 +0200 +++ new/fedora-policy-20220714/policy/modules/contrib/networkmanager.te 2022-07-14 10:41:34.299983580 +0200 @@ -554,6 +554,8 @@ allow NetworkManager_dispatcher_tlp_t self:capability sys_nice; allow NetworkManager_dispatcher_t self:process setsched; allow NetworkManager_dispatcher_tlp_t self:process setsched; +allow NetworkManager_dispatcher_console_t self:process setfscreate; + allow NetworkManager_dispatcher_t self:netlink_route_socket create_netlink_socket_perms; allow NetworkManager_dispatcher_ddclient_t self:netlink_route_socket create_netlink_socket_perms; allow NetworkManager_dispatcher_custom_t self:netlink_route_socket create_netlink_socket_perms; 
@@ -562,10 +564,12 @@ allow NetworkManager_dispatcher_ddclient_t self:udp_socket create_socket_perms; allow NetworkManager_dispatcher_t self:unix_dgram_socket { create_socket_perms sendto }; allow NetworkManager_dispatcher_ddclient_t self:unix_dgram_socket { create_socket_perms sendto }; +allow NetworkManager_dispatcher_custom_t self:unix_dgram_socket { create_socket_perms sendto }; allow NetworkManager_dispatcher_t NetworkManager_unit_file_t:file getattr; allow NetworkManager_dispatcher_cloud_t NetworkManager_unit_file_t:file getattr; list_dirs_pattern(NetworkManager_dispatcher_t, NetworkManager_etc_t, NetworkManager_dispatcher_script_t) +list_dirs_pattern(networkmanager_dispatcher_plugin, NetworkManager_etc_t, NetworkManager_dispatcher_script_t) list_dirs_pattern(NetworkManager_dispatcher_t, NetworkManager_dispatcher_script_t, networkmanager_dispatcher_script) read_files_pattern(NetworkManager_dispatcher_t, NetworkManager_dispatcher_script_t, networkmanager_dispatcher_script) read_lnk_files_pattern(NetworkManager_dispatcher_t, NetworkManager_dispatcher_script_t, networkmanager_dispatcher_script) @@ -594,8 +598,7 @@ domain_read_all_domains_state(NetworkManager_dispatcher_dnssec_t) -files_create_etc_files(NetworkManager_dispatcher_console_t) -files_rw_etc_files(NetworkManager_dispatcher_console_t) +files_manage_etc_files(NetworkManager_dispatcher_console_t) init_status(NetworkManager_dispatcher_cloud_t) init_status(NetworkManager_dispatcher_ddclient_t) @@ -626,6 +629,10 @@ ') optional_policy(` + ddclient_getattr_pid_files(NetworkManager_dispatcher_ddclient_t) +') + +optional_policy(` dnssec_trigger_domtrans(NetworkManager_dispatcher_dnssec_t) ') @@ -643,6 +650,8 @@ ') optional_policy(` + samba_domtrans_smbcontrol(NetworkManager_dispatcher_winbind_t) + samba_read_config(NetworkManager_dispatcher_winbind_t) samba_service_status(NetworkManager_dispatcher_winbind_t) ') 
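Review bot: `files_manage_etc_files(NetworkManager_dispatcher_console_t)` in the `@@ -594,8 +598,7 @@` hunk widens the console dispatcher from create plus read/write to the full manage set, which in refpolicy also includes unlink, rename and setattr, on every file carrying the generic etc_t label. That is broader than any single configuration file the script presumably rewrites, and combined with the `self:process setfscreate` rule added for the same domain in the `@@ -554,6 +554,8 @@` hunk it is worth a line of rationale. A comment next to the call such as `# console dispatcher rewrites /etc/<file> -- TODO name the file` would let a later reader decide whether a dedicated type plus filetrans rule is the tighter fit.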
@@ -663,6 +672,9 @@ systemd_exec_systemctl(NetworkManager_dispatcher_winbind_t) systemd_exec_systemctl(NetworkManager_dispatcher_custom_t) systemd_getattr_unit_files(NetworkManager_dispatcher_ddclient_t) + systemd_start_systemd_services(NetworkManager_dispatcher_ddclient_t) + systemd_stop_systemd_services(NetworkManager_dispatcher_ddclient_t) + systemd_status_systemd_services(NetworkManager_dispatcher_ddclient_t) systemd_start_systemd_services(NetworkManager_dispatcher_sendmail_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/contrib/rabbitmq.te new/fedora-policy-20220714/policy/modules/contrib/rabbitmq.te --- old/fedora-policy-20220624/policy/modules/contrib/rabbitmq.te 2022-06-24 08:28:15.550217692 +0200 +++ new/fedora-policy-20220714/policy/modules/contrib/rabbitmq.te 2022-07-14 10:41:34.311983761 +0200 @@ -81,6 +81,8 @@ fs_tmpfs_filetrans(rabbitmq_t, rabbitmq_tmpfs_t, file) can_exec(rabbitmq_t, rabbitmq_tmpfs_t) +init_stream_connect(rabbitmq_t) + kernel_dgram_send(rabbitmq_t) kernel_read_system_state(rabbitmq_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/contrib/rhcd.te new/fedora-policy-20220714/policy/modules/contrib/rhcd.te --- old/fedora-policy-20220624/policy/modules/contrib/rhcd.te 2022-06-24 08:28:15.550217692 +0200 +++ new/fedora-policy-20220714/policy/modules/contrib/rhcd.te 2022-07-14 10:41:34.311983761 +0200 
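Review bot: The three `systemd_*_systemd_services(NetworkManager_dispatcher_ddclient_t)` lines grant `service { start stop status }` on `systemd_unit_file_t`, which is the type the new stop and status interfaces in systemd.if key on, so the grant covers every generic unit rather than ddclient's unit alone. If the dispatcher script only restarts ddclient's own service, a comment recording that, e.g. `# dispatcher script restarts ddclient.service; no dedicated unit type available -- TODO confirm`, would explain why a blanket grant was accepted. The enclosing `optional_policy` block opens before this hunk, so only its tail is visible here.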
@@ -22,11 +22,23 @@
 # rhcd local policy
 #
 allow rhcd_t self:fifo_file rw_fifo_file_perms;
-allow rhcd_t self:unix_stream_socket create_stream_socket_perms;
+allow rhcd_t self:netlink_route_socket create_netlink_socket_perms;
+allow rhcd_t self:tcp_socket create_stream_socket_perms;
+allow rhcd_t self:udp_socket create_socket_perms;
+allow rhcd_t self:unix_stream_socket { connectto create_stream_socket_perms };
 manage_dirs_pattern(rhcd_t, rhcd_var_run_t, rhcd_var_run_t)
+manage_files_pattern(rhcd_t, rhcd_var_run_t, rhcd_var_run_t)
 files_pid_filetrans(rhcd_t, rhcd_var_run_t, { dir })
+kernel_read_net_sysctls(rhcd_t)
+kernel_read_proc_files(rhcd_t)
+
+corecmd_exec_bin(rhcd_t)
+corecmd_watch_bin_dirs(rhcd_t)
+
+corenet_tcp_connect_http_port(rhcd_t)
+
 dev_read_sysfs(rhcd_t)
 domain_use_interactive_fds(rhcd_t)
@@ -35,3 +47,13 @@
 miscfiles_read_generic_certs(rhcd_t)
 miscfiles_read_localization(rhcd_t)
+
+sysnet_read_config(rhcd_t)
+
+optional_policy(`
+ insights_search_config(rhcd_t)
+')
+
+optional_policy(`
+ udev_read_pid_files(rhcd_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/contrib/rpm.if new/fedora-policy-20220714/policy/modules/contrib/rpm.if
--- old/fedora-policy-20220624/policy/modules/contrib/rpm.if 2022-06-24 08:28:15.550217692 +0200
+++ new/fedora-policy-20220714/policy/modules/contrib/rpm.if 2022-07-14 10:41:34.315983821 +0200
@@ -977,6 +977,7 @@
 rpm_run($1, $2)
 ')
+#######################################
 ## <summary>
 ## Allow the specified domain to ioctl rpm_script_t
 ## with a unix domain stream socket.
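Review bot: `kernel_read_proc_files(rhcd_t)` is the broadest of the new rhcd rules: the interface, added to kernel.if in this same update, expands to `read_files_pattern($1, proc_t, proc_t)`, so it grants read on every file carrying the generic proc_t label rather than on the one entry rhcd needs. A comment naming that entry, `# rhcd reads /proc/<entry> -- TODO name it`, would make it possible to narrow the rule later. `corecmd_exec_bin(rhcd_t)` likewise lets rhcd execute any bin_t binary in its own domain; if the helpers it spawns have domains of their own, the matching `*_domtrans` interface would be the better fit, but the hunk does not show what is executed.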
@@ -994,3 +995,22 @@
 allow $1 rpm_script_t:unix_stream_socket ioctl;
 ')
+
+#######################################
+## <summary>
+## Allow the specified domain read and write to rpm_script_t
+## over a unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_script_rw_stream_sockets',`
+ gen_require(`
+ type rpm_script_t;
+ ')
+
+ allow $1 rpm_script_t:unix_stream_socket { read write };
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/contrib/samba.te new/fedora-policy-20220714/policy/modules/contrib/samba.te
--- old/fedora-policy-20220624/policy/modules/contrib/samba.te 2022-06-24 08:28:15.554217749 +0200
+++ new/fedora-policy-20220714/policy/modules/contrib/samba.te 2022-07-14 10:41:34.315983821 +0200
@@ -1208,6 +1208,7 @@
 ')
 optional_policy(`
+ kerberos_read_keytab(winbind_rpcd_t)
 kerberos_use(winbind_rpcd_t)
 ')
@@ -1216,6 +1217,10 @@
 ')
 optional_policy(`
+ miscfiles_read_generic_certs(winbind_rpcd_t)
+')
+
+optional_policy(`
 sssd_read_public_files(winbind_rpcd_t)
 sssd_stream_connect(winbind_rpcd_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/contrib/stalld.te new/fedora-policy-20220714/policy/modules/contrib/stalld.te
--- old/fedora-policy-20220624/policy/modules/contrib/stalld.te 2022-06-24 08:28:15.558217806 +0200
+++ new/fedora-policy-20220714/policy/modules/contrib/stalld.te 2022-07-14 10:41:34.319983882 +0200
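Review bot: The summary of the new `rpm_script_rw_stream_sockets` interface reads `Allow the specified domain read and write to rpm_script_t over a unix domain stream socket.`, which drops the verb's "to" and names the domain rather than the socket as the object; `## Allow the specified domain to read and write` followed by `## rpm_script_t unix domain stream sockets.` would match the wording of the sibling ioctl interface above it. The same interface is handed to system_dbusd_t (dbus.te) and init_t (init.te) elsewhere in this update, so a short `<desc>` explaining how those daemons come to hold an rpm_script_t socket (presumably passed or inherited from a scriptlet, to be confirmed) would tell a later reader why two system daemons need bidirectional access.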
@@ -32,6 +32,7 @@ kernel_getsched(stalld_t) kernel_manage_debugfs(stalld_t) kernel_read_all_proc(stalld_t) +kernel_setsched(stalld_t) dev_read_sysfs(stalld_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/contrib/targetd.fc new/fedora-policy-20220714/policy/modules/contrib/targetd.fc --- old/fedora-policy-20220624/policy/modules/contrib/targetd.fc 2022-06-24 08:28:15.558217806 +0200 +++ new/fedora-policy-20220714/policy/modules/contrib/targetd.fc 2022-07-14 10:41:34.319983882 +0200 @@ -3,10 +3,12 @@ /root/\.targetcli(/.*)? gen_context(system_u:object_r:targetclid_home_t,s0) /usr/bin/targetd -- gen_context(system_u:object_r:targetd_exec_t,s0) -/usr/bin/targetclid -- gen_context(system_u:object_r:targetclid_exec_t,s0) +/usr/bin/targetclid -- gen_context(system_u:object_r:targetclid_exec_t,s0) /usr/lib/systemd/system/targetd.* -- gen_context(system_u:object_r:targetd_unit_file_t,s0) /usr/lib/systemd/system/targetclid.* -- gen_context(system_u:object_r:targetclid_unit_file_t,s0) +/var/target(/.*)? gen_context(system_u:object_r:targetd_var_t,s0) + /var/run/targetclid\.pid -- gen_context(system_u:object_r:targetclid_var_run_t,s0) /var/run/targetclid\.sock -s gen_context(system_u:object_r:targetclid_var_run_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/contrib/targetd.te new/fedora-policy-20220714/policy/modules/contrib/targetd.te --- old/fedora-policy-20220624/policy/modules/contrib/targetd.te 2022-06-24 08:28:15.558217806 +0200 +++ new/fedora-policy-20220714/policy/modules/contrib/targetd.te 2022-07-14 10:41:34.319983882 +0200 @@ -22,6 +22,9 @@ type targetclid_unit_file_t; systemd_unit_file(targetclid_unit_file_t) +type targetd_var_t; +files_type(targetd_var_t) + type targetd_tmp_t; files_tmp_file(targetd_tmp_t) 
@@ -133,6 +136,9 @@
 manage_files_pattern(targetclid_t, targetclid_home_t, targetclid_home_t)
 userdom_admin_home_dir_filetrans(targetclid_t, targetclid_home_t, dir, ".targetcli")
+list_dirs_pattern(targetclid_t, targetd_var_t, targetd_var_t)
+read_files_pattern(targetclid_t, targetd_var_t, targetd_var_t)
+
 manage_files_pattern(targetclid_t, targetclid_var_run_t, targetclid_var_run_t)
 manage_sock_files_pattern(targetclid_t, targetclid_var_run_t, targetclid_var_run_t)
 files_pid_filetrans(targetclid_t, targetclid_var_run_t, { file sock_file })
@@ -167,6 +173,7 @@
 ')
 optional_policy(`
+ miscfiles_read_generic_certs(targetclid_t)
 miscfiles_read_localization(targetclid_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/kernel/domain.te new/fedora-policy-20220714/policy/modules/kernel/domain.te
--- old/fedora-policy-20220624/policy/modules/kernel/domain.te 2022-06-24 08:28:15.566217921 +0200
+++ new/fedora-policy-20220714/policy/modules/kernel/domain.te 2022-07-14 10:41:34.331984062 +0200
@@ -121,7 +121,7 @@
 # Rules applied to all domains
 #
-allow domain self:anon_inode common_anon_inode_perms;
+allow domain domain:anon_inode common_anon_inode_perms;
 # read /proc/(pid|self) entries
 allow domain self:dir { list_dir_perms watch_dir_perms };
 allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/kernel/kernel.if new/fedora-policy-20220714/policy/modules/kernel/kernel.if
--- old/fedora-policy-20220624/policy/modules/kernel/kernel.if 2022-06-24 08:28:15.566217921 +0200
+++ new/fedora-policy-20220714/policy/modules/kernel/kernel.if 2022-07-14 10:41:34.331984062 +0200
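Review bot: `allow domain domain:anon_inode common_anon_inode_perms;` in the domain.te hunk turns a per-domain self rule into a policy-wide one: every domain may now exercise common_anon_inode_perms on anon inodes labelled with any other domain's type, and the hunk carries no comment saying which cross-domain case needed it. Because this sits in the rules applied to all domains, a one-line rationale belongs next to it, e.g. `# anon inodes are labelled with the creating domain and may be inherited across a domain transition -- TODO confirm case, see <bug ref placeholder>`. If only one inheriting pair is affected, a targeted rule for that pair would keep the isolation the `self` form gave every other domain.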
@@ -1114,6 +1114,24 @@
 ########################################
 ## <summary>
+## Read generic files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_read_proc_files',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ read_files_pattern($1, proc_t, proc_t)
+')
+
+########################################
+## <summary>
 ## Read generic symbolic links in /proc.
 ## </summary>
 ## <desc>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/system/init.te new/fedora-policy-20220714/policy/modules/system/init.te
--- old/fedora-policy-20220624/policy/modules/system/init.te 2022-06-24 08:28:15.570217978 +0200
+++ new/fedora-policy-20220714/policy/modules/system/init.te 2022-07-14 10:41:34.335984123 +0200
@@ -526,6 +526,7 @@
 optional_policy(`
 rpm_read_db(init_t)
 rpm_script_ioctl_stream_sockets(init_t)
+ rpm_script_rw_stream_sockets(init_t)
 ')
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/policy/modules/system/systemd.if new/fedora-policy-20220714/policy/modules/system/systemd.if
--- old/fedora-policy-20220624/policy/modules/system/systemd.if 2022-06-24 08:28:15.574218035 +0200
+++ new/fedora-policy-20220714/policy/modules/system/systemd.if 2022-07-14 10:41:34.335984123 +0200
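Review bot: The new `kernel_read_proc_files` interface has no `<desc>` block, while its neighbour `kernel_read_proc_symlinks`, whose `<desc>` opens at the end of the hunk, does; since the body is `read_files_pattern($1, proc_t, proc_t)`, the grant covers every file carrying the generic proc_t label, and that scope is exactly what a caller should be told. A `<desc>` of two or three lines stating that proc_t is the label of /proc entries with no more specific type, that the interface therefore allows reading all of them, and that a caller needing one entry should prefer a narrower interface where one exists would match the file's documentation style.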
@@ -1442,6 +1442,42 @@ allow $1 systemd_unit_file_t:service start; ') +######################################## +## <summary> +## Allow the specified domain to stop systemd services. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`systemd_stop_systemd_services',` + gen_require(` + type systemd_unit_file_t; + ') + + allow $1 systemd_unit_file_t:service stop; +') + +######################################## +## <summary> +## Allow the specified domain to status systemd services. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`systemd_status_systemd_services',` + gen_require(` + type systemd_unit_file_t; + ') + + allow $1 systemd_unit_file_t:service status; +') + ####################################### ## <summary> ## Allow the specified domain to reload all systemd services. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20220624/support/sedoctool.py new/fedora-policy-20220714/support/sedoctool.py --- old/fedora-policy-20220624/support/sedoctool.py 2022-06-24 08:28:15.574218035 +0200 +++ new/fedora-policy-20220714/support/sedoctool.py 2022-07-14 10:41:34.339984183 +0200 @@ -272,7 +272,7 @@ desc_buf = '' for desc in node.childNodes: if desc.nodeName == "#text": - if desc.data is not '': + if desc.data != '': if desc.parentNode.nodeName != "p": desc_buf += "<p>" + desc.data + "</p>" else: ++++++ fix_init.patch ++++++ --- /var/tmp/diff_new_pack.sXEwo7/_old 2022-07-18 18:32:46.853658791 +0200 +++ /var/tmp/diff_new_pack.sXEwo7/_new 2022-07-18 18:32:46.857658797 +0200 
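Review bot: The summary of `systemd_status_systemd_services` reads `Allow the specified domain to status systemd services.`, where "status" is used as a verb; `## Allow the specified domain to get the status of systemd services.` is the plainer wording. Both new interfaces key their `allow` lines on `systemd_unit_file_t`, so a clause in each summary saying the grant applies to every unit labelled with that generic type would spare callers from reading the body to learn its breadth. The start interface just above the hunk is shaped the same way, so this is a documentation-only follow-up.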
@@ -1,7 +1,7 @@ -Index: fedora-policy-20220624/policy/modules/system/init.te +Index: fedora-policy-20220714/policy/modules/system/init.te =================================================================== ---- fedora-policy-20220624.orig/policy/modules/system/init.te -+++ fedora-policy-20220624/policy/modules/system/init.te +--- fedora-policy-20220714.orig/policy/modules/system/init.te ++++ fedora-policy-20220714/policy/modules/system/init.te @@ -187,6 +187,8 @@ allow init_t self:bpf { map_create map_r # setuid (from /sbin/shutdown) # sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot() @@ -48,7 +48,7 @@ optional_policy(` anaconda_stream_connect(init_t) anaconda_create_unix_stream_sockets(init_t) -@@ -580,10 +595,10 @@ tunable_policy(`init_audit_control',` +@@ -581,10 +596,10 @@ tunable_policy(`init_audit_control',` allow init_t self:system all_system_perms; allow init_t self:system module_load; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -61,7 +61,7 @@ allow init_t self:netlink_selinux_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; # Until systemd is fixed -@@ -642,6 +657,7 @@ files_delete_all_spool_sockets(init_t) +@@ -643,6 +658,7 @@ files_delete_all_spool_sockets(init_t) files_create_var_lib_dirs(init_t) files_create_var_lib_symlinks(init_t) files_read_var_lib_symlinks(init_t) @@ -69,7 +69,7 @@ files_manage_urandom_seed(init_t) files_list_locks(init_t) files_list_spool(init_t) -@@ -679,7 +695,7 @@ fs_list_all(init_t) +@@ -680,7 +696,7 @@ fs_list_all(init_t) fs_list_auto_mountpoints(init_t) fs_register_binary_executable_type(init_t) fs_relabel_tmpfs_sock_file(init_t) 
@@ -78,7 +78,7 @@ fs_relabel_cgroup_dirs(init_t) fs_search_cgroup_dirs(init_t) # for network namespaces -@@ -735,6 +751,7 @@ systemd_write_inherited_logind_sessions_ +@@ -736,6 +752,7 @@ systemd_write_inherited_logind_sessions_ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) create_dirs_pattern(init_t, var_log_t, var_log_t) @@ -86,7 +86,7 @@ auth_use_nsswitch(init_t) auth_rw_login_records(init_t) -@@ -1589,6 +1606,8 @@ optional_policy(` +@@ -1590,6 +1607,8 @@ optional_policy(` optional_policy(` postfix_list_spool(initrc_t) ++++++ fix_systemd_watch.patch ++++++ --- /var/tmp/diff_new_pack.sXEwo7/_old 2022-07-18 18:32:46.917658883 +0200 +++ /var/tmp/diff_new_pack.sXEwo7/_new 2022-07-18 18:32:46.921658888 +0200 @@ -1,8 +1,8 @@ -Index: fedora-policy-20220428/policy/modules/system/systemd.te +Index: fedora-policy-20220714/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20220428.orig/policy/modules/system/systemd.te -+++ fedora-policy-20220428/policy/modules/system/systemd.te -@@ -1445,6 +1445,12 @@ fstools_rw_swap_files(systemd_sleep_t) +--- fedora-policy-20220714.orig/policy/modules/system/systemd.te ++++ fedora-policy-20220714/policy/modules/system/systemd.te +@@ -1447,6 +1447,12 @@ fstools_rw_swap_files(systemd_sleep_t) storage_getattr_fixed_disk_dev(systemd_sleep_t) storage_getattr_removable_dev(systemd_sleep_t)