Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2023-04-21 14:15:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.1533 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Fri Apr 21 14:15:52 2023 rev:45 rq:1080824 version:20230420 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2023-03-22 22:29:23.349814974 +0100 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1533/selinux-policy.changes 2023-04-21 14:16:05.382270565 +0200 
@@ -1,0 +2,68 @@ +Thu Apr 20 10:47:16 UTC 2023 - jseg...@suse.com + +- Update to version 20230420: + * libzypp creates temporary files in /var/adm/mount. Label it with + rpm_var_cache_t to prevent wrong labels in /var/cache/zypp + * only use rsync_exec_t for the rsync server, not for the client + (bsc#1209890) + * properly label sshd-gen-keys-start to ensure ssh host keys have proper + labels after creation + * Allow dovecot-deliver write to the main process runtime fifo files + * Allow dmidecode write to cloud-init tmp files + * Allow chronyd send a message to cloud-init over a datagram socket + * Allow cloud-init domain transition to insights-client domain + * Allow mongodb read filesystem sysctls + * Allow mongodb read network sysctls + * Allow accounts-daemon read generic systemd unit lnk files + * Allow blueman watch generic device dirs + * Allow nm-dispatcher tlp plugin create tlp dirs + * Allow systemd-coredump mounton /usr + * Allow rabbitmq to read network sysctls + * Allow certmonger dbus chat with the cron system domain + * Allow geoclue read network sysctls + * Allow geoclue watch the /etc directory + * Allow logwatch_mail_t read network sysctls + * allow systemd_resolved_t to bind to all nodes (bsc#1200182) + * Allow insights-client read all sysctls + * Allow passt manage qemu pid sock files + * Allow sssd read accountsd fifo files + * Add support for the passt_t domain + * Allow virtd_t and svirt_t work with passt + * Add new interfaces in the virt module + * Add passt interfaces defined conditionally + * Allow tshark the setsched capability + * Allow poweroff create connections to system dbus + * Allow wg load kernel modules, search debugfs dir + * Boolean: allow qemu-ga manage ssh home directory + * Label smtpd with sendmail_exec_t + * Label msmtp and msmtpd with sendmail_exec_t + * Allow dovecot to map files in /var/spool/dovecot + * Confine gnome-initial-setup + * Allow qemu-guest-agent create and use vsock socket + * Allow login_pgm setcap 
permission + * Allow chronyc read network sysctls + * Enhancement of the /usr/sbin/request-key helper policy + * Fix opencryptoki file names in /dev/shm + * Allow system_cronjob_t transition to rpm_script_t + * Revert "Allow system_cronjob_t domtrans to rpm_script_t" + * Add tunable to allow squid bind snmp port + * Allow staff_t getattr init pid chr & blk files and read krb5 + * Allow firewalld to rw z90crypt device + * Allow httpd work with tokens in /dev/shm + * Allow svirt to map svirt_image_t char files + * Allow sysadm_t run initrc_t script and sysadm_r role access + * Allow insights-client manage fsadm pid files + * Allowing snapper to create snapshots of /home/ subvolume/partition + * Add boolean qemu-ga to run unconfined script + * Label systemd-journald feature LogNamespace + * Add none file context for polyinstantiated tmp dirs + * Allow certmonger read the contents of the sysfs filesystem + * Add journalctl the sys_resource capability + * Allow nm-dispatcher plugins read generic files in /proc + +------------------------------------------------------------------- +Tue Mar 28 12:27:47 UTC 2023 - Hu <cathy...@suse.com> + +- Add debug-build.sh script to make debugging without committing easier + +------------------------------------------------------------------- Old: ---- selinux-policy-20230321.tar.xz New: ---- debug-build.sh selinux-policy-20230420.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.Rp9391/_old 2023-04-21 14:16:06.318275813 +0200 +++ /var/tmp/diff_new_pack.Rp9391/_new 2023-04-21 14:16:06.326275858 +0200 @@ -33,7 +33,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20230321 +Version: 20230420 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc 
@@ -42,6 +42,7 @@ Source4: selinux-policy-rpmlintrc Source5: README.Update Source6: update.sh +Source7: debug-build.sh Source10: modules-targeted-base.conf Source11: modules-targeted-contrib.conf ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.Rp9391/_old 2023-04-21 14:16:06.458276597 +0200 +++ /var/tmp/diff_new_pack.Rp9391/_new 2023-04-21 14:16:06.462276621 +0200 @@ -1,7 +1,7 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">0140f0a3f8dbf17ddbd0adb6c8fc7eb23511ba2f</param></service><service name="tar_scm"> + <param name="changesrevision">ca88adc84584e150ecb8f67ec2c1dc5a29618ab9</param></service><service name="tar_scm"> <param name="url">https://github.com/containers/container-selinux.git</param> <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service></servicedata> (No newline at EOF) ++++++ container.te ++++++ --- /var/tmp/diff_new_pack.Rp9391/_old 2023-04-21 14:16:06.610277450 +0200 +++ /var/tmp/diff_new_pack.Rp9391/_new 2023-04-21 14:16:06.614277473 +0200 @@ -1,4 +1,4 @@ -policy_module(container, 2.205.0) +policy_module(container, 2.210.0) gen_require(` class passwd rootok; @@ -19,6 +19,13 @@ ## <desc> ## <p> +## Determine whether sshd can launch container engines +## </p> +## </desc> +gen_tunable(sshd_launch_containers, false) + +## <desc> +## <p> ## Allow containers to use any device volume mounted into container ## </p> ## </desc> @@ -77,7 +84,6 @@ type spc_t, container_domain; domain_type(spc_t) role system_r types spc_t; -init_initrc_domain(spc_t) type container_auth_t alias docker_auth_t; type container_auth_exec_t alias docker_auth_exec_t; @@ -124,6 +130,7 @@ typealias container_ro_file_t alias { container_share_t docker_share_t }; files_mountpoint(container_ro_file_t) +userdom_user_home_content(container_ro_file_t) type container_port_t alias docker_port_t; corenet_port(container_port_t) 
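Review bot: `userdom_user_home_content(container_ro_file_t)` in the `@@ -124,6 +130,7 @@` hunk, and `typeattribute container_file_t container_file_type, user_home_type;` in the `@@ -806,7 +814,7 @@` hunk on the next physical line, make container images and volumes members of the user-home attribute, so every domain that reaches `user_home_type` through the userdom home-content interfaces (manage, relabel, map) now reaches container content too. Neither hunk records which consumer needs that widening. A comment above each rule naming the use case, e.g. `# rootless container storage lives under $HOME; treat it as home content so user domains and home-directory tooling can manage it — TODO confirm`, would let a later reviewer judge whether the attribute membership is still required, and container.te must `gen_require` the `user_home_type` attribute if it does not already.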
@@ -287,6 +294,8 @@
 userdom_map_tmp_files(container_runtime_domain)
+anaconda_domtrans_install(container_runtime_domain)
+
 optional_policy(`
 gnome_map_generic_data_home_files(container_runtime_domain)
 allow container_runtime_domain data_home_t:dir { relabelfrom relabelto };
@@ -575,7 +584,6 @@
 fs_exec_fusefs_files(container_runtime_domain)
 storage_rw_fuse(container_runtime_domain)
-
 optional_policy(`
 files_search_all(container_domain)
 container_read_share_files(container_domain)
@@ -806,7 +814,7 @@
 ')
 container_manage_files_template(container, container)
-typeattribute container_file_t container_file_type;
+typeattribute container_file_t container_file_type, user_home_type;
 typeattribute container_t container_domain, container_net_domain, container_user_domain;
 allow container_user_domain self:process getattr;
 allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint;
@@ -1411,7 +1419,7 @@
 type syslogd_t;
 ')
- allow syslogd_t container_runtime_tmpfs_t:file { read write };
+ allow syslogd_t container_runtime_tmpfs_t:file rw_inherited_file_perms;
 logging_send_syslog_msg(container_runtime_t)
 ')
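Review bot: `anaconda_domtrans_install(container_runtime_domain)` in the `@@ -287,6 +294,8 @@` hunk is called outside any `optional_policy` block, unlike the gnome call directly below it, which turns the anaconda module into a hard build-time dependency of container.te (the `gen_require` inside that interface has nothing to resolve when the module is absent). Wrapping it as `optional_policy(\` anaconda_domtrans_install(container_runtime_domain) ')` keeps the dependency optional. The rule also hands every container runtime a transition into the anaconda install domain; a comment stating which runtime flow needs that (presumably an installer scenario — verify) would make the grant reviewable.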
@@ -1423,3 +1431,14 @@ manage_blk_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) manage_sock_files_pattern(svirt_sandbox_domain, container_file_t, container_file_t) +tunable_policy(`sshd_launch_containers',` + gen_require(` + type sshd_t; + type systemd_logind_t; + type iptables_var_run_t; + ') + + container_runtime_domtrans(sshd_t) + dontaudit systemd_logind_t iptables_var_run_t:dir read; +') + ++++++ debug-build.sh ++++++ # This script creates a debugging and testing environment when working on the policy # Basically a fancy wrapper for "tar --exclude-vcs -cJf selinux-policy-20230321.tar.xz --transform 's,^,selinux-policy-20230321/,' -C selinux-policy ." # # 1. Get the git repository with 'osc service manualrun' or './update.sh' # 2. Do your changes in the selinux-policy repository, test around # 1. When you want to build locally to debug, call this script. It will create a .tar.xz with your current selinux-policy working directory. # 2. Build locally: e.g. with osc build # 3. Test your rpms that contain your changes and repeat # 3. When finished, commit your changes in the selinux-policy repository and push to git # 4. Run './update.sh' and checkin the changes to OBS REPO_NAME=selinux-policy # Check if git repository exists, if not ask the user to fetch the latest version if ! test -d "$REPO_NAME"; then echo "-$REPO_NAME does not exist. Please run 'osc service manualrun' or './update.sh' first." exit 1; fi # Get current version: Parse "Version: <current-version>" from specfile VERSION=$(grep -Po '^Version:\s*\K.*?(?=$)' $REPO_NAME.spec) # Create tar file with name like selinux-policy-<current-version>.tar.xz TAR_NAME=$REPO_NAME-$VERSION.tar.xz echo "Creating tar file: $TAR_NAME" tar --exclude-vcs -cJf $TAR_NAME --transform "s,^,$REPO_NAME-$VERSION/," -C $REPO_NAME . # Some helpful prompts if test $? -eq 0; then echo "Success! Now you can run your local build command, e.g. 'osc build'. It will take the archive that contains your changes." 
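Review bot: The `dontaudit systemd_logind_t iptables_var_run_t:dir read;` rule inside the new `sshd_launch_containers` tunable block has nothing to do with sshd launching container engines, which is all the boolean's `<desc>` in the `@@ -19,6 +19,13 @@` hunk promises; it changes logind's audit behaviour only while the boolean is on and is silently absent otherwise. Either move it to unconditional policy or add a comment above it explaining the coupling, e.g. `# logind reads iptables runtime dirs when containers spawned from sshd set up networking — TODO confirm`. Since `container_runtime_domtrans(sshd_t)` gives sshd_t entry into a highly privileged domain, the `<desc>` should say so, e.g. `## Determine whether sshd can transition to the container runtime domain (a privileged domain).`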
echo "You can also inspect the created archive with: 'tar tvf $REPO_NAME-$VERSION.tar.xz'" else echo "Error, creating archive failed" fi ++++++ selinux-policy-20230321.tar.xz -> selinux-policy-20230420.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/accountsd.if new/selinux-policy-20230420/policy/modules/contrib/accountsd.if
--- old/selinux-policy-20230321/policy/modules/contrib/accountsd.if 2023-03-21 16:21:51.000000000 +0100
+++ new/selinux-policy-20230420/policy/modules/contrib/accountsd.if 2023-04-20 12:45:40.000000000 +0200
@@ -22,6 +22,24 @@
 ########################################
 ## <summary>
+## Read accountsd fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`accountsd_read_fifo_file',`
+ gen_require(`
+ type accountsd_t;
+ ')
+
+ allow $1 accountsd_t:fifo_file read_fifo_file_perms;
+')
+
+########################################
+## <summary>
 ## Do not audit attempts to read and
 ## write Accounts Daemon fifo files.
 ## </summary>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/accountsd.te new/selinux-policy-20230420/policy/modules/contrib/accountsd.te
--- old/selinux-policy-20230321/policy/modules/contrib/accountsd.te 2023-03-21 16:21:51.000000000 +0100
+++ new/selinux-policy-20230420/policy/modules/contrib/accountsd.te 2023-04-20 12:45:40.000000000 +0200
@@ -85,6 +85,10 @@
 ')
 optional_policy(`
+ gnome_initial_setup_read_state(accountsd_t)
+')
+
+optional_policy(`
 policykit_dbus_chat(accountsd_t)
 ')
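Review bot: `VERSION=$(grep -Po '^Version:\s*\K.*?(?=$)' $REPO_NAME.spec)` in debug-build.sh never checks that a version was found, so an unreadable or unexpectedly formatted spec leaves `$VERSION` empty and the script goes on to create and announce `selinux-policy-.tar.xz`; the unquoted `$REPO_NAME.spec`, `$TAR_NAME` and `-C $REPO_NAME` also split on whitespace, and no interpreter line is visible at the top of the listing, so which shell runs it depends on the caller. The message `"-$REPO_NAME does not exist..."` looks like it carries a stray leading `-`. The rewrite below adds an interpreter line, validates the parsed version and quotes every expansion; the unchanged header comment and the success messages are elided.
```shell
#!/bin/bash
# … unchanged: usage comment …
REPO_NAME=selinux-policy

# Check if git repository exists, if not ask the user to fetch the latest version
if ! test -d "$REPO_NAME"; then
    echo "$REPO_NAME does not exist. Please run 'osc service manualrun' or './update.sh' first."
    exit 1
fi

# Get current version: Parse "Version: <current-version>" from specfile
VERSION=$(grep -Po '^Version:\s*\K.*?(?=$)' "$REPO_NAME.spec")
if test -z "$VERSION"; then
    echo "Error, could not read 'Version:' from $REPO_NAME.spec"
    exit 1
fi

# Create tar file with name like selinux-policy-<current-version>.tar.xz
TAR_NAME="$REPO_NAME-$VERSION.tar.xz"
echo "Creating tar file: $TAR_NAME"
if tar --exclude-vcs -cJf "$TAR_NAME" --transform "s,^,$REPO_NAME-$VERSION/," -C "$REPO_NAME" .; then
    # … unchanged: success prompts …
else
    echo "Error, creating archive failed"
fi
```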
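Review bot: The `<param name="domain">` summary of the new `accountsd_read_fifo_file` interface reads `Domain to not audit.`, which was evidently copied from the dontaudit interface that follows it, but this interface emits an `allow` rule. Change it to `## Domain allowed access.` so the generated interface documentation describes what the caller actually receives.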
@@ -93,6 +97,10 @@
 ')
 optional_policy(`
+ systemd_read_generic_unit_lnk_files(accountsd_t)
+')
+
+optional_policy(`
 xserver_read_xdm_tmp_files(accountsd_t)
 xserver_read_state_xdm(accountsd_t)
 xserver_dbus_chat_xdm(accountsd_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/apache.te new/selinux-policy-20230420/policy/modules/contrib/apache.te
--- old/selinux-policy-20230321/policy/modules/contrib/apache.te 2023-03-21 16:21:51.000000000 +0100
+++ new/selinux-policy-20230420/policy/modules/contrib/apache.te 2023-04-20 12:45:40.000000000 +0200
@@ -887,6 +887,10 @@
 fs_manage_fusefs_symlinks(httpd_t)
 ')
+tunable_policy(`httpd_use_opencryptoki',`
+ allow httpd_t self:capability fowner;
+')
+
 tunable_policy(`httpd_setrlimit',`
 allow httpd_t self:process setrlimit;
 allow httpd_t self:capability sys_resource;
@@ -931,6 +935,9 @@
 ')
 optional_policy(`
+ # type transitions with a filename not allowed inside conditionals
+ pkcs_tmpfs_named_filetrans(httpd_t)
+
 tunable_policy(`httpd_use_opencryptoki',`
 pkcs_use_opencryptoki(httpd_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/blueman.te new/selinux-policy-20230420/policy/modules/contrib/blueman.te
--- old/selinux-policy-20230321/policy/modules/contrib/blueman.te 2023-03-21 16:21:51.000000000 +0100
+++ new/selinux-policy-20230420/policy/modules/contrib/blueman.te 2023-04-20 12:45:40.000000000 +0200
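Review bot: `allow httpd_t self:capability fowner;` under `httpd_use_opencryptoki` in the `@@ -887,6 +887,10 @@` hunk grants a process-wide capability: it lets httpd bypass the owner check on chmod/utime-style operations for any file it can otherwise reach, not only the opencryptoki token files in /dev/shm, and the hunk gives no reason for it. Record the motivation in a comment, e.g. `# opencryptoki token files in /dev/shm are created by another uid; fowner is needed to chmod them — TODO confirm`, so the next person auditing httpd capabilities knows what would break without it. If the need is confined to the token files, the comment should say so, since no narrower SELinux rule can express that.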
@@ -58,6 +58,7 @@ dev_read_urand(blueman_t) dev_rw_wireless(blueman_t) dev_rwx_zero(blueman_t) +dev_watch_generic_dirs(blueman_t) domain_use_interactive_fds(blueman_t) domain_dontaudit_ptrace_all_domains(blueman_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/certmonger.te new/selinux-policy-20230420/policy/modules/contrib/certmonger.te --- old/selinux-policy-20230321/policy/modules/contrib/certmonger.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/certmonger.te 2023-04-20 12:45:40.000000000 +0200 @@ -82,6 +82,7 @@ dev_read_rand(certmonger_t) dev_read_urand(certmonger_t) +dev_read_sysfs(certmonger_t) domain_use_interactive_fds(certmonger_t) @@ -129,6 +130,10 @@ ') optional_policy(` + cron_dbus_chat_system_job(certmonger_t) +') + +optional_policy(` dbus_connect_system_bus(certmonger_t) dbus_system_bus_client(certmonger_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/chronyd.te new/selinux-policy-20230420/policy/modules/contrib/chronyd.te --- old/selinux-policy-20230321/policy/modules/contrib/chronyd.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/chronyd.te 2023-04-20 12:45:40.000000000 +0200 @@ -153,6 +153,10 @@ ') optional_policy(` + cloudform_init_dgram_send(chronyd_t) +') + +optional_policy(` cron_dgram_send(chronyd_t) ') 
@@ -235,6 +239,7 @@ kernel_read_system_state(chronyc_t) kernel_read_network_state(chronyc_t) +kernel_read_net_sysctls(chronyc_t) auth_use_nsswitch(chronyc_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/cloudform.if new/selinux-policy-20230420/policy/modules/contrib/cloudform.if --- old/selinux-policy-20230321/policy/modules/contrib/cloudform.if 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/cloudform.if 2023-04-20 12:45:40.000000000 +0200 @@ -59,6 +59,43 @@ allow $1 cloud_init_t:fifo_file rw_fifo_file_perms; ') +######################################## +## <summary> +## Send a message to cloud-init over a datagram socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cloudform_init_dgram_send',` + gen_require(` + type cloud_init_t; + ') + + allow $1 cloud_init_t:unix_dgram_socket sendto; +') + +######################################## +## <summary> +## Write to cloud-init temporary files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cloudform_init_write_tmp',` + gen_require(` + type cloud_init_tmp_t; + ') + + files_search_tmp($1) + write_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t) +') + ###################################### ## <summary> ## Execute mongod in the caller domain. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/cloudform.te new/selinux-policy-20230420/policy/modules/contrib/cloudform.te --- old/selinux-policy-20230321/policy/modules/contrib/cloudform.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/cloudform.te 2023-04-20 12:45:40.000000000 +0200 
@@ -143,6 +143,10 @@ ') optional_policy(` + insights_client_domtrans(cloud_init_t) +') + +optional_policy(` mount_domtrans(cloud_init_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/colord.te new/selinux-policy-20230420/policy/modules/contrib/colord.te --- old/selinux-policy-20230321/policy/modules/contrib/colord.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/colord.te 2023-04-20 12:45:40.000000000 +0200 @@ -146,6 +146,7 @@ # Fixes lots of breakage in F16 on upgrade gnome_read_generic_data_home_files(colord_t) gnome_map_generic_data_home_files(colord_t) + gnome_initial_setup_read_var_run_files(colord_t) ') optional_policy(` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/cron.te new/selinux-policy-20230420/policy/modules/contrib/cron.te --- old/selinux-policy-20230321/policy/modules/contrib/cron.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/cron.te 2023-04-20 12:45:40.000000000 +0200 @@ -544,8 +544,8 @@ # via redirection of standard out. optional_policy(` - rpm_domtrans_script(system_cronjob_t) rpm_manage_log(system_cronjob_t) + rpm_transition_script(system_cronjob_t, system_r) ') ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/dmidecode.te new/selinux-policy-20230420/policy/modules/contrib/dmidecode.te --- old/selinux-policy-20230321/policy/modules/contrib/dmidecode.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/dmidecode.te 2023-04-20 12:45:40.000000000 +0200 
@@ -34,6 +34,10 @@ userdom_use_inherited_user_terminals(dmidecode_t) optional_policy(` + cloudform_init_write_tmp(dmidecode_t) +') + +optional_policy(` rhsmcertd_rw_lock_files(dmidecode_t) rhsmcertd_read_log(dmidecode_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/dovecot.te new/selinux-policy-20230420/policy/modules/contrib/dovecot.te --- old/selinux-policy-20230321/policy/modules/contrib/dovecot.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/dovecot.te 2023-04-20 12:45:40.000000000 +0200 @@ -125,6 +125,7 @@ manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t) logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir }) +allow dovecot_t dovecot_spool_t:file map; manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) @@ -346,6 +347,7 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_tmp_t) files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) +allow dovecot_deliver_t dovecot_var_run_t:fifo_file write_fifo_file_perms; allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/fedoratp.te new/selinux-policy-20230420/policy/modules/contrib/fedoratp.te --- old/selinux-policy-20230321/policy/modules/contrib/fedoratp.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/fedoratp.te 2023-04-20 12:45:40.000000000 +0200 
@@ -75,4 +75,5 @@ optional_policy(` userdom_manage_admin_dirs(fedoratp_t) userdom_manage_admin_files(fedoratp_t) + userdom_manage_tmp_dirs(fedoratp_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/firewalld.te new/selinux-policy-20230420/policy/modules/contrib/firewalld.te --- old/selinux-policy-20230321/policy/modules/contrib/firewalld.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/firewalld.te 2023-04-20 12:45:40.000000000 +0200 @@ -82,6 +82,7 @@ dev_read_urand(firewalld_t) dev_read_sysfs(firewalld_t) +dev_rw_crypto(firewalld_t) domain_use_interactive_fds(firewalld_t) domain_obj_id_change_exemption(firewalld_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/geoclue.te new/selinux-policy-20230420/policy/modules/contrib/geoclue.te --- old/selinux-policy-20230321/policy/modules/contrib/geoclue.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/geoclue.te 2023-04-20 12:45:40.000000000 +0200 @@ -37,6 +37,7 @@ kernel_read_system_state(geoclue_t) kernel_read_network_state(geoclue_t) +kernel_read_net_sysctls(geoclue_t) auth_read_passwd(geoclue_t) @@ -48,6 +49,8 @@ dev_read_urand(geoclue_t) +files_watch_etc_dirs(geoclue_t) + fs_getattr_cgroup(geoclue_t) fs_getattr_xattr_fs(geoclue_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/gnome.fc new/selinux-policy-20230420/policy/modules/contrib/gnome.fc --- old/selinux-policy-20230321/policy/modules/contrib/gnome.fc 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/gnome.fc 2023-04-20 12:45:40.000000000 +0200 
@@ -25,6 +25,7 @@ /var/run/user/%{USERID}/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) /var/run/user/%{USERID}/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0) /var/run/user/%{USERID}/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0) +/var/run/gnome-initial-setup(/.*)? gen_context(system_u:object_r:gnome_initial_setup_var_run_t,s0) /root/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0) /root/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0) @@ -59,5 +60,7 @@ /usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0) +/usr/libexec/gnome-initial-setup.* -- gen_context(system_u:object_r:gnome_initial_setup_exec_t,s0) + /usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) /usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/gnome.if new/selinux-policy-20230420/policy/modules/contrib/gnome.if --- old/selinux-policy-20230321/policy/modules/contrib/gnome.if 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/gnome.if 2023-04-20 12:45:40.000000000 +0200 
@@ -2019,3 +2019,116 @@ domtrans_pattern($1, gnome_atspi_exec_t, gnome_atspi_t) ') + +######################################## +## <summary> +## Execute gnome-initial-setup programs in its domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`gnome_initial_setup_domtrans',` + gen_require(` + type gnome_initial_setup_t, gnome_initial_setup_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, gnome_initial_setup_exec_t, gnome_initial_setup_t) +') + +######################################## +## <summary> +## Allow gnome-initial-setup noatsecure +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_initial_setup_noatsecure',` + gen_require(` + type gnome_initial_setup_t; + ') + + allow $1 gnome_initial_setup_t:process noatsecure; +') + +######################################## +## <summary> +## Allow read gnome-initial-setup runtime files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_initial_setup_read_var_run_files',` + gen_require(` + type gnome_initial_setup_var_run_t; + ') + + read_files_pattern($1, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) + allow $1 gnome_initial_setup_var_run_t:file map; +') + +######################################## +## <summary> +## Allow manage gnome-initial-setup all runtime files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. 
+## </summary> +## </param> +# +interface(`gnome_initial_setup_manage_var_run',` + gen_require(` + type gnome_initial_setup_var_run_t; + ') + + manage_dirs_pattern($1, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) + manage_files_pattern($1, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) + manage_sock_files_pattern($1, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) + allow $1 gnome_initial_setup_var_run_t:file map; +') + +######################################## +## <summary> +## Read the process state of gnome-initial-setup +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_initial_setup_read_state',` + gen_require(` + type gnome_initial_setup_t; + ') + + ps_process_pattern($1, gnome_initial_setup_t) +') + +######################################## +## <summary> +## Transition to gnome-initial-setup named content +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gnome_initial_setup_filetrans_named_content',` + gen_require(` + type gnome_initial_setup_var_run_t; + ') + + files_pid_filetrans($1, gnome_initial_setup_var_run_t, dir, "gnome-initial-setup") +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/gnome.te new/selinux-policy-20230420/policy/modules/contrib/gnome.te --- old/selinux-policy-20230321/policy/modules/contrib/gnome.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/gnome.te 2023-04-20 12:45:40.000000000 +0200 
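Review bot: The summary of `gnome_initial_setup_noatsecure` in this hunk, `Allow gnome-initial-setup noatsecure`, does not say what the rule grants: `allow $1 gnome_initial_setup_t:process noatsecure;` lets the caller exec into gnome_initial_setup_t without the AT_SECURE environment sanitising that a domain transition normally triggers. Reword it to `## Allow the caller to transition to gnome_initial_setup_t without AT_SECURE environment cleansing.` so readers see which hardening is switched off. The other new summaries, `Allow read gnome-initial-setup runtime files` and `Allow manage gnome-initial-setup all runtime files`, would read better as `Read gnome-initial-setup runtime files.` and `Manage all gnome-initial-setup runtime files.`, matching the imperative style of the existing interfaces in the file.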
@@ -73,6 +73,13 @@
 type gconfdefaultsm_exec_t;
 init_daemon_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
+type gnome_initial_setup_t;
+type gnome_initial_setup_exec_t;
+init_system_domain(gnome_initial_setup_t, gnome_initial_setup_exec_t);
+
+type gnome_initial_setup_var_run_t;
+files_pid_file(gnome_initial_setup_var_run_t);
+
 type gnomesystemmm_t;
 type gnomesystemmm_exec_t;
 init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
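Review bot: `init_system_domain(gnome_initial_setup_t, gnome_initial_setup_exec_t);` and `files_pid_file(gnome_initial_setup_var_run_t);` end with semicolons, while every other interface call in the hunk (`init_daemon_domain(...)`) has none; m4 passes the stray `;` through into the expanded policy, which is apparently tolerated since the module builds, but it is inconsistent with the rest of the file. Drop the two trailing semicolons.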
@@ -325,3 +332,139 @@ xserver_read_xdm_lib_files(gnome_atspi_t) xserver_stream_connect(gnome_atspi_t) ') + +###################################### +# +# gnome-initial-setup local policy +# + +allow gnome_initial_setup_t self:capability { audit_write dac_read_search setgid setuid }; +allow gnome_initial_setup_t self:cap_userns { dac_override net_admin setpcap sys_admin sys_ptrace }; +allow gnome_initial_setup_t self:netlink_route_socket create_netlink_socket_perms; +allow gnome_initial_setup_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +allow gnome_initial_setup_t self:process { setcap setrlimit setsched }; +allow gnome_initial_setup_t self:tcp_socket create_stream_socket_perms; +allow gnome_initial_setup_t self:udp_socket create_socket_perms; +allow gnome_initial_setup_t self:unix_dgram_socket create_socket_perms; +allow gnome_initial_setup_t self:unix_stream_socket connectto; +allow gnome_initial_setup_t self:user_namespace create; + +allow gnome_initial_setup_t gnome_initial_setup_exec_t:file execute_no_trans; +allow gnome_initial_setup_t gkeyringd_exec_t:file exec_file_perms; + +manage_dirs_pattern(gnome_initial_setup_t, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) +manage_files_pattern(gnome_initial_setup_t, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) +manage_sock_files_pattern(gnome_initial_setup_t, gnome_initial_setup_var_run_t, gnome_initial_setup_var_run_t) +files_pid_filetrans(gnome_initial_setup_t, gnome_initial_setup_var_run_t, dir) +allow gnome_initial_setup_t gnome_initial_setup_var_run_t:file map; + +rw_files_pattern(gnome_initial_setup_t, config_home_t, config_home_t) +allow gnome_initial_setup_t config_home_t:file map; + +kernel_dgram_send(gnome_initial_setup_t) +kernel_mount_proc(gnome_initial_setup_t) +kernel_read_net_sysctls(gnome_initial_setup_t) +kernel_read_network_state_symlinks(gnome_initial_setup_t) +kernel_read_proc_files(gnome_initial_setup_t) 
+kernel_stream_connect(gnome_initial_setup_t) + +auth_read_passwd_file(gnome_initial_setup_t) + +corecmd_exec_bin(gnome_initial_setup_t) + +corenet_tcp_connect_http_port(gnome_initial_setup_t) + +dev_read_sysfs(gnome_initial_setup_t) +dev_remount_sysfs_fs(gnome_initial_setup_t) +dev_rw_dri(gnome_initial_setup_t) + +files_map_read_etc_files(gnome_initial_setup_t) +files_mounton_non_security(gnome_initial_setup_t) +files_watch_etc_dirs(gnome_initial_setup_t) +files_watch_tmpfs_dirs(gnome_initial_setup_t) + +fs_all_mount_fs_perms_tmpfs(gnome_initial_setup_t) +fs_all_mount_fs_perms_xattr_fs(gnome_initial_setup_t) +fs_getattr_nsfs_files(gnome_initial_setup_t) +fs_manage_tmpfs_dirs(gnome_initial_setup_t) +fs_manage_tmpfs_files(gnome_initial_setup_t) +fs_manage_tmpfs_symlinks(gnome_initial_setup_t) +fs_read_cgroup_files(gnome_initial_setup_t) + +# memfd objects created by gnome-shell +fs_map_tmpfs_files(gnome_initial_setup_t) +fs_rw_inherited_tmpfs_files(gnome_initial_setup_t) + +sysnet_read_config(gnome_initial_setup_t) + +term_mount_pty_fs(gnome_initial_setup_t) +term_use_unallocated_ttys(gnome_initial_setup_t) + +tunable_policy(`deny_execmem',`',` + allow gnome_initial_setup_t self:process execmem; +') + +optional_policy(` + dbus_system_bus_client(gnome_initial_setup_t) + dbus_write_session_tmp_sock_files(gnome_initial_setup_t) + + optional_policy(` + accountsd_dbus_chat(gnome_initial_setup_t) + ') + + optional_policy(` + networkmanager_dbus_chat(gnome_initial_setup_t) + ') + + optional_policy(` + policykit_dbus_chat(gnome_initial_setup_t) + ') + + optional_policy(` + realmd_dbus_chat(gnome_initial_setup_t) + ') + + optional_policy(` + xserver_connect_xdm_bus(gnome_initial_setup_t) + xserver_dbus_chat_xdm(gnome_initial_setup_t) + ') +') + +optional_policy(` + fedoratp_domtrans(gnome_initial_setup_t) +') + +optional_policy(` + logging_create_devlog_dev(gnome_initial_setup_t) + logging_write_syslog_pid_socket(gnome_initial_setup_t) +') + +optional_policy(` + 
miscfiles_map_generic_certs(gnome_initial_setup_t) + miscfiles_read_generic_certs(gnome_initial_setup_t) +') + +optional_policy(` + systemd_dbus_chat_localed(gnome_initial_setup_t) + systemd_dbus_chat_logind(gnome_initial_setup_t) + systemd_dbus_chat_timedated(gnome_initial_setup_t) + systemd_login_read_pid_files(gnome_initial_setup_t) + systemd_read_logind_sessions_files(gnome_initial_setup_t) + systemd_machined_stream_connect(gnome_initial_setup_t) + systemd_userdbd_stream_connect(gnome_initial_setup_t) +') + +optional_policy(` + unconfined_domain(gnome_initial_setup_t) +') + +optional_policy(` + userdom_manage_tmp_dirs(gnome_initial_setup_t) + userdom_manage_tmp_files(gnome_initial_setup_t) + userdom_manage_tmp_sockets(gnome_initial_setup_t) +') + +optional_policy(` + xserver_stream_connect_xdm(gnome_initial_setup_t) + xserver_xdm_signull(gnome_initial_setup_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/insights_client.te new/selinux-policy-20230420/policy/modules/contrib/insights_client.te --- old/selinux-policy-20230321/policy/modules/contrib/insights_client.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/insights_client.te 2023-04-20 12:45:40.000000000 +0200 
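Review bot: The `optional_policy(\` unconfined_domain(gnome_initial_setup_t) ')` block near the end of this hunk makes gnome_initial_setup_t unconfined whenever the unconfined module is loaded, which for the targeted flavour this spec builds (see the modules-targeted-*.conf sources) is the normal case; the fine-grained rules above it — `self:capability { audit_write dac_read_search setgid setuid }`, `self:cap_userns { ... sys_admin sys_ptrace }`, `fs_all_mount_fs_perms_tmpfs`, `fs_all_mount_fs_perms_xattr_fs`, `files_mounton_non_security` — then add nothing, and the changelog line `Confine gnome-initial-setup` overstates what is achieved. Add a comment above that block stating the intent, e.g. `# unconfined fallback until the first-boot flows (realmd join, account creation, network setup) are known to be covered by the rules above; remove once confirmed`, so whoever tightens the domain later knows the rule set above has not yet been validated on its own. If the fallback is meant to stay, the mount and cap_userns grants should be trimmed instead of kept as dead policy.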
@@ -101,21 +101,14 @@ kernel_dgram_send(insights_client_t) kernel_get_sysvipc_info(insights_client_t) +kernel_read_all_sysctls(insights_client_t) kernel_list_all_proc(insights_client_t) -kernel_read_device_sysctls(insights_client_t) -kernel_read_fs_sysctls(insights_client_t) -kernel_read_kernel_ns_lastpid_sysctls(insights_client_t) -kernel_read_net_sysctls(insights_client_t) kernel_read_network_state(insights_client_t) kernel_read_proc_files(insights_client_t) -kernel_read_rpc_sysctls(insights_client_t) kernel_read_ring_buffer(insights_client_t) kernel_read_security_state(insights_client_t) kernel_read_software_raid_state(insights_client_t) kernel_read_system_state(insights_client_t) -kernel_read_unix_sysctls(insights_client_t) -kernel_read_usermodehelper_state(insights_client_t) -kernel_read_vm_sysctls(insights_client_t) kernel_request_load_module(insights_client_t) kernel_view_key(insights_client_t) @@ -241,6 +234,7 @@ optional_policy(` fstools_domtrans(insights_client_t) + fsadm_manage_pid(insights_client_t) ') optional_policy(` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/journalctl.te new/selinux-policy-20230420/policy/modules/contrib/journalctl.te --- old/selinux-policy-20230321/policy/modules/contrib/journalctl.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/journalctl.te 2023-04-20 12:45:40.000000000 +0200 
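Review bot: `kernel_read_all_sysctls(insights_client_t)` widens the domain beyond the rules it replaces: it covers every sysctl type, including the kernel sysctls that the removed per-type lines (device, fs, net, rpc, unix, vm, ns_lastpid) never granted. If the client only needs the previously listed subsets plus one more, adding that one keeps the grant minimal; if it genuinely reads arbitrary sysctls, a why-comment above the line such as `# insights collectors read arbitrary sysctls under /proc/sys` documents the broadening for the next reviewer. `kernel_read_usermodehelper_state` is dropped as well; confirm that the usermodehelper type is a sysctl type in this tree so the all-sysctls interface still covers it, otherwise that access silently disappears.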
@@ -18,6 +18,7 @@ # # journalctl local policy # +allow journalctl_t self:capability sys_resource; allow journalctl_t self:process { fork setrlimit signal_perms }; allow journalctl_t self:fifo_file manage_fifo_file_perms; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/keyutils.te new/selinux-policy-20230420/policy/modules/contrib/keyutils.te --- old/selinux-policy-20230321/policy/modules/contrib/keyutils.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/keyutils.te 2023-04-20 12:45:40.000000000 +0200 @@ -6,6 +6,9 @@ type keyutils_request_t; domain_type(keyutils_request_t) domain_entry_file(keyutils_request_t, keyutils_request_exec_t) +role system_r types keyutils_request_t; + +allow keyutils_request_t self:unix_dgram_socket create_socket_perms; kernel_view_key(keyutils_request_t) kernel_read_key(keyutils_request_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/logwatch.te new/selinux-policy-20230420/policy/modules/contrib/logwatch.te --- old/selinux-policy-20230321/policy/modules/contrib/logwatch.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/logwatch.te 2023-04-20 12:45:40.000000000 +0200 
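Review bot: `allow journalctl_t self:capability sys_resource;` is added without a comment naming the operation that needs it; the domain already has `process setrlimit`, so this is presumably journalctl raising a resource hard limit. If that raise is best-effort, `dontaudit journalctl_t self:capability sys_resource;` silences the denial without handing the capability to the domain; if it is required, a comment such as `# raising the RLIMIT hard limit when opening many journal files` keeps the grant reviewable.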
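Review bot: in the keyutils.te hunk, `allow keyutils_request_t self:unix_dgram_socket create_socket_perms;` is raw socket creation with no stated purpose; if this is for syslog, `logging_send_syslog_msg(keyutils_request_t)` is the usual interface, carries the /dev/log rules the message actually needs, and usually covers the socket creation too. A one-line comment naming the consumer (`# syslog` or the actual peer) would make the intent clear either way.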
@@ -198,6 +198,8 @@ manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t) +kernel_read_net_sysctls(logwatch_mail_t) + dev_read_rand(logwatch_mail_t) dev_read_urand(logwatch_mail_t) dev_read_sysfs(logwatch_mail_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/mongodb.te new/selinux-policy-20230420/policy/modules/contrib/mongodb.te --- old/selinux-policy-20230321/policy/modules/contrib/mongodb.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/mongodb.te 2023-04-20 12:45:40.000000000 +0200 @@ -71,6 +71,8 @@ kernel_read_system_state(mongod_t) kernel_read_network_state(mongod_t) +kernel_read_fs_sysctls(mongod_t) +kernel_read_net_sysctls(mongod_t) kernel_read_vm_sysctls(mongod_t) corecmd_exec_bin(mongod_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/mta.fc new/selinux-policy-20230420/policy/modules/contrib/mta.fc --- old/selinux-policy-20230321/policy/modules/contrib/mta.fc 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/mta.fc 2023-04-20 12:45:40.000000000 +0200 
@@ -28,6 +28,13 @@ /usr/bin/esmtp-wrapper -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) +# msmtp +/usr/bin/msmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/usr/bin/msmtpd -- gen_context(system_u:object_r:sendmail_exec_t,s0) + +# opensmtpd +/usr/sbin/smtpd -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0) /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/networkmanager.te new/selinux-policy-20230420/policy/modules/contrib/networkmanager.te --- old/selinux-policy-20230321/policy/modules/contrib/networkmanager.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/networkmanager.te 2023-04-20 12:45:40.000000000 +0200 @@ -606,6 +606,7 @@ read_files_pattern(NetworkManager_dispatcher_dnssec_t, NetworkManager_etc_t, NetworkManager_etc_rw_t) +kernel_read_proc_files(networkmanager_dispatcher_plugin) kernel_request_load_module(NetworkManager_dispatcher_ddclient_t) auth_read_passwd(networkmanager_dispatcher_plugin) @@ -720,6 +721,7 @@ ') optional_policy(` + tlp_create_pid_dirs(NetworkManager_dispatcher_tlp_t) tlp_manage_pid_files(NetworkManager_dispatcher_tlp_t) tlp_filetrans_named_content(NetworkManager_dispatcher_tlp_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/passt.if new/selinux-policy-20230420/policy/modules/contrib/passt.if --- old/selinux-policy-20230321/policy/modules/contrib/passt.if 1970-01-01 01:00:00.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/passt.if 2023-04-20 12:45:40.000000000 +0200 
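Review bot: `/usr/bin/msmtpd` and `/usr/sbin/smtpd` are listening SMTP daemons, yet they receive `sendmail_exec_t`, the entry type of the sendmail-compatible client front end; when started from a unit file that entry type leads into the sendmail daemon domain (if that module is loaded), whose rules are written around sendmail's spool and configuration paths rather than OpenSMTPD's. Verify that the ports, spool and config paths these servers use are labeled and permitted in that domain, or consider a dedicated domain for the server binaries; for the pure client `/usr/bin/msmtp` the label is appropriate. A short comment above each block stating the intended runtime domain would make that decision visible to the next reader.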
@@ -0,0 +1,40 @@ +## <summary>passt: usermode networking daemons for vms</summary> + +ifndef(`passt_stub',` + interface(`passt_stub',` + gen_require(` + type passt_t; + ') + ') +') + +ifndef(`passt_domtrans',` + interface(`passt_domtrans',` + gen_require(` + type passt_t, passt_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, passt_exec_t, passt_t) + ') +') + +ifndef(`passt_entrypoint',` + interface(`passt_entrypoint',` + gen_require(` + type passt_exec_t; + ') + + allow $1 passt_exec_t:file entrypoint; + ') +') + +ifndef(`passt_stream_connect',` + interface(`passt_stream_connect',` + gen_require(` + type passt_t; + ') + + allow $1 passt_t:unix_stream_socket connectto; + ') +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/pkcs.if new/selinux-policy-20230420/policy/modules/contrib/pkcs.if --- old/selinux-policy-20230321/policy/modules/contrib/pkcs.if 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/pkcs.if 2023-04-20 12:45:40.000000000 +0200 @@ -151,12 +151,11 @@ type pkcs_slotd_tmpfs_t; ') - allow $1 pkcs_slotd_tmpfs_t:file map; - - manage_files_pattern($1, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t) fs_tmpfs_filetrans($1, pkcs_slotd_tmpfs_t, file, "var.lib.opencryptoki.ccatok") fs_tmpfs_filetrans($1, pkcs_slotd_tmpfs_t, file, "var.lib.opencryptoki.ep11tok") fs_tmpfs_filetrans($1, pkcs_slotd_tmpfs_t, file, "var.lib.opencryptoki.lite") + fs_tmpfs_filetrans($1, pkcs_slotd_tmpfs_t, file, "var.lib.opencryptoki_stats_0") + fs_tmpfs_filetrans($1, pkcs_slotd_tmpfs_t, file, "var.lib.opencryptoki_stats_48") fs_tmpfs_filetrans($1, pkcs_slotd_tmpfs_t, file, "var.lib.opencryptoki.swtok") fs_tmpfs_filetrans($1, pkcs_slotd_tmpfs_t, file, "var.lib.opencryptoki.tpm.root") ') 
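Review bot: the four passt interfaces carry no `## <summary>` / `## <param>` doc blocks, unlike every other interface added in this commit (tlp.if, virt.if, files.if, init.if), so they are missing from the generated interface documentation. Adding the standard header to each, for example `## <summary>Execute passt in the passt domain.</summary>` plus a `## <param name="domain">` block for `passt_domtrans`, keeps the module consistent with the rest of the tree. `passt_stub` takes a `$1` it never uses; a comment saying it exists only so that `optional_policy` blocks can depend on the passt module would explain that. The `ifndef` wrappers presumably guard against an upstream passt.if later defining the same names; stating that intent in a comment helps when the duplicate is eventually removed.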
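Review bot: the pkcs.if hunk removes `manage_files_pattern($1, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)` and the `map` rule from this interface but keeps its `fs_tmpfs_filetrans` calls, so a caller of this interface alone can no longer create the files it sets up transitions for (the create permission now lives in the `pkcs_use_opencryptoki` hunk that follows). The enclosing interface begins outside the hunk; if it is meant to be used only together with `pkcs_use_opencryptoki`, its summary should say so. The two new names `var.lib.opencryptoki_stats_0` and `var.lib.opencryptoki_stats_48` appear to encode fixed UIDs; stats files created for any other UID fall through to the default tmpfs label, which is worth a comment next to those lines.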
@@ -174,10 +173,12 @@ interface(`pkcs_use_opencryptoki',` gen_require(` type pkcs_slotd_t; + type pkcs_slotd_tmpfs_t; ') allow $1 self:capability fsetid; allow pkcs_slotd_t $1:process signull; + allow $1 pkcs_slotd_tmpfs_t:file { create_file_perms mmap_rw_file_perms }; kernel_search_proc($1) ps_process_pattern(pkcs_slotd_t, $1) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/rabbitmq.te new/selinux-policy-20230420/policy/modules/contrib/rabbitmq.te --- old/selinux-policy-20230321/policy/modules/contrib/rabbitmq.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/rabbitmq.te 2023-04-20 12:45:40.000000000 +0200 @@ -85,6 +85,7 @@ kernel_read_system_state(rabbitmq_t) kernel_read_fs_sysctls(rabbitmq_t) +kernel_read_net_sysctls(rabbitmq_t) corecmd_exec_bin(rabbitmq_t) corecmd_exec_shell(rabbitmq_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/rpc.te new/selinux-policy-20230420/policy/modules/contrib/rpc.te --- old/selinux-policy-20230321/policy/modules/contrib/rpc.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/rpc.te 2023-04-20 12:45:40.000000000 +0200 
@@ -446,9 +446,11 @@ type nfsidmap_t; domain_type(nfsidmap_t) domain_entry_file(nfsidmap_t, nfsidmap_exec_t) +role system_r types nfsidmap_t; allow nfsidmap_t self:key write; allow nfsidmap_t self:netlink_route_socket r_netlink_socket_perms; +allow nfsidmap_t self:udp_socket create_socket_perms; kernel_setattr_key(nfsidmap_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/rpm.fc new/selinux-policy-20230420/policy/modules/contrib/rpm.fc --- old/selinux-policy-20230321/policy/modules/contrib/rpm.fc 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/rpm.fc 2023-04-20 12:45:40.000000000 +0200 @@ -60,6 +60,7 @@ /usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) ') +/var/adm/mount(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/rsync.fc new/selinux-policy-20230420/policy/modules/contrib/rsync.fc --- old/selinux-policy-20230321/policy/modules/contrib/rsync.fc 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/rsync.fc 2023-04-20 12:45:40.000000000 +0200 
@@ -1,6 +1,9 @@ /etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0) -/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) +# we only want to confine the rsync server for now. Otherwise client workloads +# transition to rsync_t and fail +#/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) +/usr/sbin/rsyncd -- gen_context(system_u:object_r:rsync_exec_t,s0) /var/log/rsync.* gen_context(system_u:object_r:rsync_log_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/snapper.fc new/selinux-policy-20230420/policy/modules/contrib/snapper.fc --- old/selinux-policy-20230321/policy/modules/contrib/snapper.fc 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/snapper.fc 2023-04-20 12:45:40.000000000 +0200 
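Review bot: with `/usr/bin/rsync` no longer labeled `rsync_exec_t`, confinement of the server now hinges on the daemon being started through `/usr/sbin/rsyncd`; a unit whose ExecStart runs `/usr/bin/rsync --daemon` would leave the listening server in the init-derived domain instead of `rsync_t`. Verify that the service unit this package ships uses the `/usr/sbin/rsyncd` path, and record that dependency in the comment, e.g. `# the server is confined only when started via /usr/sbin/rsyncd`. Keeping the old entry commented out is acceptable given the explanation, but the bug reference from the changelog belongs here too so the reason survives the next cleanup.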
@@ -7,12 +7,13 @@ /var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0) -/mnt/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) -/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) -/usr/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) -/var/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) -/etc/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) -HOME_ROOT/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) +/mnt/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) +/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) +/usr/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) +/var/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) +/etc/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) +/home/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) +HOME_ROOT/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) # ensure that the snapshots itself aren't relabled /mnt/(.*/)?\.snapshots/[^/]*/snapshot(/.*)? <<none>> @@ -20,4 +21,5 @@ /usr/\.snapshots/[^/]*/snapshot(/.*)? <<none>> /var/\.snapshots/[^/]*/snapshot(/.*)? <<none>> /etc/\.snapshots/[^/]*/snapshot(/.*)? <<none>> +/home/\.snapshots/[^/]*/snapshot(/.*)? <<none>> HOME_ROOT/(.*/)?\.snapshots/[^/]*/snapshot(/.*)? <<none>> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/squid.te new/selinux-policy-20230420/policy/modules/contrib/squid.te --- old/selinux-policy-20230321/policy/modules/contrib/squid.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/squid.te 2023-04-20 12:45:40.000000000 +0200 
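Review bot: `/home/\.snapshots(/.*)?` and its `<<none>>` counterpart in the second hunk duplicate what `HOME_ROOT/(.*/)?\.snapshots(/.*)?` already matches whenever HOME_ROOT expands to /home; if the new lines are there for systems where no home root is generated (containers, no local users), a comment stating that would stop the next reader from removing them as redundant. The surrounding `-`/`+` pairs look identical apart from whitespace; realignment is fine, but it hides the one real change in the hunk.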
@@ -21,6 +21,14 @@ ## </desc> gen_tunable(squid_use_tproxy, false) +## <desc> +## <p> +## Determine whether squid should +## have access to snmp port. +## </p> +## </desc> +gen_tunable(squid_bind_snmp_port, false) + type squid_t; type squid_exec_t; init_daemon_domain(squid_t, squid_exec_t) @@ -205,6 +213,10 @@ corenet_tcp_sendrecv_netport_port(squid_t) ') +tunable_policy(`squid_bind_snmp_port',` + corenet_udp_bind_snmp_port(squid_t) +') + optional_policy(` apache_content_template(squid) apache_content_alias_template(squid, squid) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/sssd.te new/selinux-policy-20230420/policy/modules/contrib/sssd.te --- old/selinux-policy-20230321/policy/modules/contrib/sssd.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/sssd.te 2023-04-20 12:45:40.000000000 +0200 @@ -182,6 +182,10 @@ ') optional_policy(` + accountsd_read_fifo_file(sssd_t) +') + +optional_policy(` bind_read_cache(sssd_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/tlp.if new/selinux-policy-20230420/policy/modules/contrib/tlp.if --- old/selinux-policy-20230321/policy/modules/contrib/tlp.if 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/tlp.if 2023-04-20 12:45:40.000000000 +0200 @@ -141,7 +141,7 @@ ######################################## ## <summary> -## Read all dbus pid files +## Manage tlp pid files ## </summary> ## <param name="domain"> ## <summary> 
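Review bot: the `<desc>` for `squid_bind_snmp_port` says "have access to snmp port" while the tunable_policy in the second hunk grants only `corenet_udp_bind_snmp_port`, i.e. binding the UDP SNMP port; the description should say exactly that, e.g. `## Determine whether squid can bind to the snmp port.` This text is what `semanage boolean -l` shows the administrator who decides whether to enable it, so it should not overstate the grant. The default of `false` is the right choice for a listening port.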
@@ -159,6 +159,25 @@ ') ######################################## +## <summary> +## Create tlp pid directories +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`tlp_create_pid_dirs',` + gen_require(` + type tlp_var_run_t; + ') + + files_search_pids($1) + create_dirs_pattern($1, tlp_var_run_t, tlp_var_run_t) +') + +######################################## ## <summary> ## All of the rules required to administrate ## an tlp environment diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/virt.if new/selinux-policy-20230420/policy/modules/contrib/virt.if --- old/selinux-policy-20230321/policy/modules/contrib/virt.if 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/virt.if 2023-04-20 12:45:40.000000000 +0200 @@ -1743,6 +1743,24 @@ ######################################## ## <summary> +## Write svirt tmp files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_svirt_write_tmp',` + gen_require(` + type svirt_tmp_t; + ') + + write_files_pattern($1, svirt_tmp_t, svirt_tmp_t) +') + +######################################## +## <summary> ## Manage svirt tmp files,dirs and sockfiles. ## </summary> ## <param name="domain"> 
@@ -1780,3 +1798,60 @@ list_dirs_pattern($1, qemu_var_run_t, qemu_var_run_t) read_files_pattern($1, qemu_var_run_t, qemu_var_run_t) ') + +######################################## +## <summary> +## Write qemu PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_write_qemu_pid_files',` + gen_require(` + type qemu_var_run_t; + ') + + files_search_pids($1) + write_files_pattern($1, qemu_var_run_t, qemu_var_run_t) +') + +######################################## +## <summary> +## Create qemu PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_create_qemu_pid_files',` + gen_require(` + type qemu_var_run_t; + ') + + files_search_pids($1) + create_files_pattern($1, qemu_var_run_t, qemu_var_run_t) +') + +######################################## +## <summary> +## Manage qemu PID socket files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_qemu_pid_sock_files',` + gen_require(` + type qemu_var_run_t; + ') + + files_search_pids($1) + manage_sock_files_pattern($1, qemu_var_run_t, qemu_var_run_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/virt.te new/selinux-policy-20230420/policy/modules/contrib/virt.te --- old/selinux-policy-20230321/policy/modules/contrib/virt.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/virt.te 2023-04-20 12:45:40.000000000 +0200 
@@ -203,7 +203,14 @@ ## Allow qemu-ga read ssh home directory content. ## </p> ## </desc> -gen_tunable(virt_qemu_ga_read_ssh, false) +gen_tunable(virt_qemu_ga_manage_ssh, false) + +## <desc> +## <p> +## Allow qemu-ga to run unconfined scripts +## </p> +## </desc> +gen_tunable(virt_qemu_ga_run_unconfined, false) virt_domain_template(svirt) role system_r types svirt_t; @@ -335,6 +342,8 @@ type virt_qemu_ga_unconfined_exec_t, virt_file_type; application_executable_file(virt_qemu_ga_unconfined_exec_t) +type virt_qemu_ga_unconfined_t; + ######################################## # # Declarations @@ -743,6 +752,10 @@ ') optional_policy(` + passt_domtrans(virtd_t) +') + +optional_policy(` policykit_dbus_chat(virtd_t) policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) @@ -927,6 +940,7 @@ fs_hugetlbfs_filetrans(virt_domain, svirt_image_t, file) allow svirt_t svirt_image_t:file map; allow svirt_t svirt_image_t:blk_file map; +allow svirt_t svirt_image_t:chr_file map; manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t) @@ -1041,6 +1055,25 @@ ') optional_policy(` + passt_domtrans(svirt_t) + passt_entrypoint(svirt_t) + passt_stream_connect(svirt_t) + + optional_policy(` + userdom_write_user_tmp_sockets(svirt_t) + ') + + optional_policy(` + passt_stub(svirt_t) + virt_write_qemu_pid_files(passt_t) + virt_create_qemu_pid_files(passt_t) + virt_manage_qemu_pid_sock_files(passt_t) + virt_read_pid_files(passt_t) + virt_svirt_write_tmp(passt_t) + ') +') + +optional_policy(` ptchown_domtrans(virt_domain) ') @@ -1727,6 +1760,7 @@ allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms; allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms; +allow virt_qemu_ga_t self:vsock_socket create_socket_perms; allow virt_qemu_ga_t virt_qemu_ga_exec_t:dir search_dir_perms; can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t) 
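Review bot: the `<desc>` line above `gen_tunable(virt_qemu_ga_manage_ssh, false)` still reads `## Allow qemu-ga read ssh home directory content.` while the tunable now enables `ssh_manage_home_files` (see the later virt.te hunk), so the text an administrator sees before enabling it understates the grant; change it to `## Allow qemu-ga manage ssh home directory content.` Renaming the boolean also drops any persistent setting of the old `virt_qemu_ga_read_ssh`, so the changelog should call out the rename for administrators who had enabled it. The `virt_qemu_ga_run_unconfined` description would benefit from one more sentence noting that with the boolean off the same scripts still run, but inside `virt_qemu_ga_t`.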
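Review bot: in the `passt_domtrans(svirt_t)` hunk, `passt_entrypoint(svirt_t)` next to the domtrans deserves a comment: the domtrans makes an svirt_t exec of passt_exec_t land in passt_t, while the entrypoint additionally allows a process that is already labeled svirt_t to be entered through the passt binary (presumably libvirt launching passt under the guest's own label). Without a comment a reader cannot tell whether both paths are intended or one of them is left over; something like `# libvirt may run passt either in passt_t or under the guest label` would settle it.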
@@ -1801,11 +1835,17 @@ ') optional_policy(` - tunable_policy(`virt_qemu_ga_read_ssh',` - ssh_read_user_home_files(virt_qemu_ga_t) + tunable_policy(`virt_qemu_ga_manage_ssh',` + ssh_manage_home_files(virt_qemu_ga_t) ') ') +tunable_policy(`virt_qemu_ga_run_unconfined',` + domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t) +',` + can_exec(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t) +') + optional_policy(` bootloader_domtrans(virt_qemu_ga_t) ') @@ -1850,14 +1890,11 @@ # optional_policy(` - type virt_qemu_ga_unconfined_t; domain_type(virt_qemu_ga_unconfined_t) domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t) role system_r types virt_qemu_ga_unconfined_t; - domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t) - allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms; allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms; allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/wireguard.te new/selinux-policy-20230420/policy/modules/contrib/wireguard.te --- old/selinux-policy-20230321/policy/modules/contrib/wireguard.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/wireguard.te 2023-04-20 12:45:40.000000000 +0200 @@ -16,7 +16,7 @@ # # wireguard local policy # -allow wireguard_t self:capability { net_admin }; +allow wireguard_t self:capability { net_admin net_bind_service }; allow wireguard_t self:fifo_file rw_fifo_file_perms; allow wireguard_t self:netlink_generic_socket create_socket_perms; allow wireguard_t self:netlink_netfilter_socket create_socket_perms; 
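Review bot: `type virt_qemu_ga_unconfined_t;` is now declared unconditionally (earlier virt.te hunk) but `domain_type`, `domain_entry_file` and the `role system_r types` line stay inside the optional_policy block here, while the `domtrans_pattern` to that type moved into a file-level tunable_policy. If the optional block is compiled out, the boolean still installs a transition into a type that is never made a domain; either move the domain setup out alongside the declaration or wrap the new tunable_policy in the same optional_policy. A comment on the tunable_policy naming the module the optional block depends on would help either way.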
@@ -26,7 +26,9 @@ allow wireguard_t self:unix_stream_socket create_stream_socket_perms; kernel_dgram_send(wireguard_t) +kernel_load_module(wireguard_t) kernel_request_load_module(wireguard_t) +kernel_search_debugfs(wireguard_t) corecmd_exec_bin(wireguard_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/contrib/wireshark.te new/selinux-policy-20230420/policy/modules/contrib/wireshark.te --- old/selinux-policy-20230321/policy/modules/contrib/wireshark.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/contrib/wireshark.te 2023-04-20 12:45:40.000000000 +0200 @@ -35,7 +35,8 @@ # allow wireshark_t self:capability { net_admin net_raw }; -allow wireshark_t self:process { setcap signal getsched }; +allow wireshark_t self:process { setcap signal getsched setsched }; +dontaudit wireshark_t self:process execmem; allow wireshark_t self:fifo_file rw_fifo_file_perms; allow wireshark_t self:shm create_shm_perms; allow wireshark_t self:packet_socket { create_socket_perms map }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/kernel/files.fc new/selinux-policy-20230420/policy/modules/kernel/files.fc --- old/selinux-policy-20230321/policy/modules/kernel/files.fc 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/kernel/files.fc 2023-04-20 12:45:40.000000000 +0200 @@ -221,6 +221,7 @@ /tmp gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /tmp-inst gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /tmp/.* <<none>> +/tmp-inst/.* <<none>> /tmp/\.journal <<none>> /tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) 
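Review bot: `kernel_load_module(wireguard_t)` hands the domain direct module loading (in the refpolicy definition of that interface this is CAP_SYS_MODULE plus `kernel_t:system module_load`), which is a large privilege for a network tool: a compromised wireguard_t process could then load arbitrary kernel code. The domain already has `kernel_request_load_module`, so the kernel auto-loads the module on interface creation; if the denial came from wg-quick invoking modprobe, `modutils_domtrans_kmod(wireguard_t)` performs the load in the kmod domain instead. If direct loading really is required, a why-comment above the line should name the call that needs it.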
@@ -328,6 +329,7 @@ /var/tmp-inst -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /var/tmp/tmp-inst -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /var/tmp/.* <<none>> +/var/tmp/tmp-inst/.* <<none>> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <<none>> /var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/kernel/files.if new/selinux-policy-20230420/policy/modules/kernel/files.if --- old/selinux-policy-20230321/policy/modules/kernel/files.if 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/kernel/files.if 2023-04-20 12:45:40.000000000 +0200 @@ -3805,6 +3805,24 @@ ######################################## ## <summary> +## Mounton directories on the /usr filesystem +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_mounton_usr',` + gen_require(` + type usr_t; + ') + + allow $1 usr_t:dir mounton; +') + +######################################## +## <summary> ## Search the contents of /etc directories. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/kernel/filesystem.if new/selinux-policy-20230420/policy/modules/kernel/filesystem.if --- old/selinux-policy-20230321/policy/modules/kernel/filesystem.if 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/kernel/filesystem.if 2023-04-20 12:45:40.000000000 +0200 
@@ -5853,7 +5853,25 @@ type tmpfs_t; ') - allow $1 tmpfs_t:file { read write }; + allow $1 tmpfs_t:file { rw_inherited_file_perms }; +') + +######################################## +## <summary> +## Map generic tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_map_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:file map; ') ######################################## diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/kernel/kernel.te new/selinux-policy-20230420/policy/modules/kernel/kernel.te --- old/selinux-policy-20230321/policy/modules/kernel/kernel.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/kernel/kernel.te 2023-04-20 12:45:40.000000000 +0200 @@ -532,6 +532,9 @@ # and trigger the respective service unit. systemd_systemctl_domain(kernel) systemd_config_power_services(kernel_systemctl_t) + systemd_dbus_chat_logind(kernel_systemctl_t) + + dbus_system_bus_client(kernel_systemctl_t) init_read_utmp(kernel_systemctl_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/roles/staff.te new/selinux-policy-20230420/policy/modules/roles/staff.te --- old/selinux-policy-20230321/policy/modules/roles/staff.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/roles/staff.te 2023-04-20 12:45:40.000000000 +0200 @@ -70,6 +70,8 @@ init_dbus_chat(staff_t) init_dbus_chat_script(staff_t) +init_getattr_pid_blk_file(staff_t) +init_getattr_pid_chr_file(staff_t) init_status(staff_t) miscfiles_read_hwdata(staff_t) 
@@ -178,6 +180,10 @@ ') optional_policy(` + kerberos_read_keytab(staff_t) +') + +optional_policy(` kerneloops_dbus_chat(staff_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/roles/sysadm.te new/selinux-policy-20230420/policy/modules/roles/sysadm.te --- old/selinux-policy-20230321/policy/modules/roles/sysadm.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/roles/sysadm.te 2023-04-20 12:45:40.000000000 +0200 @@ -90,7 +90,7 @@ init_undefined(sysadm_t) init_ioctl_stream_sockets(sysadm_t) init_prog_run_bpf(sysadm_t) -init_domtrans_script(sysadm_t) +init_run_script(sysadm_t, sysadm_r) logging_filetrans_named_content(sysadm_t) logging_map_audit_config(sysadm_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/services/ssh.fc new/selinux-policy-20230420/policy/modules/services/ssh.fc --- old/selinux-policy-20230321/policy/modules/services/ssh.fc 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/services/ssh.fc 2023-04-20 12:45:40.000000000 +0200 
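Review bot: `kerberos_read_keytab(staff_t)` lets every process in the staff login domain read the host keytab type, which holds the machine's long-term Kerberos keys; DAC on the keytab file normally still blocks unprivileged users, but at the policy level this is a broad grant for an ordinary user role. If it only silences noise from Kerberos clients probing for a keytab, a dontaudit rule on the keytab type is the safer choice; if staff users legitimately need keytab access, a comment naming the use case belongs above the call, e.g. `# <use case> requires staff users to read the system keytab`.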
@@ -33,6 +33,7 @@ /usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /usr/sbin/sshd-keygen -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0) +/usr/sbin/sshd-gen-keys-start -- gen_context(system_u:object_r:sshd_keygen_exec_t,s0) /usr/sbin/gsisshd -- gen_context(system_u:object_r:sshd_exec_t,s0) /var/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_var_run_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/services/xserver.if new/selinux-policy-20230420/policy/modules/services/xserver.if --- old/selinux-policy-20230321/policy/modules/services/xserver.if 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/services/xserver.if 2023-04-20 12:45:40.000000000 +0200 @@ -904,6 +904,25 @@ ######################################## ## <summary> +## Connect to the xdm dbus for service (acquire_svc). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_connect_xdm_bus',` + gen_require(` + type xdm_t; + class dbus acquire_svc; + ') + + allow $1 xdm_t:dbus acquire_svc; +') + +######################################## +## <summary> ## Read xserver configuration files. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/services/xserver.te new/selinux-policy-20230420/policy/modules/services/xserver.te --- old/selinux-policy-20230321/policy/modules/services/xserver.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/services/xserver.te 2023-04-20 12:45:40.000000000 +0200 
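Review bot: the summary `Connect to the xdm dbus for service (acquire_svc).` does not match what the body grants: `acquire_svc` on the dbus class is permission to own a well-known service name on xdm's bus, not to connect to it, and connecting is a separate interface (`xserver_stream_connect_xdm`, which the gnome_initial_setup.te caller in this commit pairs with it). Suggest `## Acquire a well-known service name on the xdm dbus.` so the generated interface documentation describes the actual grant.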
@@ -500,6 +500,7 @@ manage_lnk_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_fifo_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) manage_sock_files_pattern(xdm_t, xdm_tmpfs_t, xdm_tmpfs_t) +#fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, file) manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t) @@ -567,9 +568,11 @@ kernel_read_system_state(xdm_t) kernel_read_device_sysctls(xdm_t) kernel_read_sysctl(xdm_t) +kernel_read_fs_sysctls(xdm_t) kernel_read_kernel_sysctls(xdm_t) kernel_read_net_sysctls(xdm_t) kernel_read_network_state(xdm_t) +kernel_read_vm_sysctls(xdm_t) kernel_request_load_module(xdm_t) kernel_stream_connect(xdm_t) kernel_read_key(xdm_t) @@ -677,6 +680,10 @@ fs_manage_cgroup_files(xdm_t) fs_getattr_nsfs_files(xdm_t) +# memfd objects created by gnome-shell +fs_map_tmpfs_files(xdm_t) +fs_rw_tmpfs_files(xdm_t) + miscfiles_watch_fonts_dirs(xdm_t) mount_read_pid_files(xdm_t) @@ -698,7 +705,8 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) -storage_dontaudit_rw_fuse(xdm_t) +#storage_dontaudit_rw_fuse(xdm_t) +storage_rw_fuse(xdm_t) term_mount_pty_fs(xdm_t) term_setattr_console(xdm_t) @@ -806,6 +814,10 @@ userdom_filetrans_generic_home_content(xdm_t) optional_policy(` + alsa_read_lib(xdm_t) +') + +optional_policy(` dbus_exec_dbusd(xdm_t) dbus_rw_tmp_sock_files(xdm_t) dbus_stream_connect_session_bus(xdm_t) @@ -881,6 +893,10 @@ ') optional_policy(` + rpm_dbus_chat(xdm_t) +') + +optional_policy(` spamassassin_filetrans_home_content(xdm_t) spamassassin_filetrans_admin_home_content(xdm_t) ') 
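Review bot: two commented-out rules are added, `#fs_tmpfs_filetrans(xdm_t, xdm_tmpfs_t, file)` in the first hunk and `#storage_dontaudit_rw_fuse(xdm_t)` in the fourth; commented-out policy leaves the reader unsure whether it is a pending change or a rejected one, and the history already preserves the old line, so both should be removed or replaced by a sentence explaining the decision. The fourth hunk also turns a dontaudit into `storage_rw_fuse(xdm_t)`, a real read/write grant on the fuse device; that broadening deserves a one-line why-comment naming the feature that needs it (`# <feature> opens /dev/fuse from the display manager`), or a boolean if it is optional. The `# memfd objects created by gnome-shell` comment in the third hunk is the style to follow.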
@@ -1048,6 +1064,11 @@ gnome_read_gconf_config(xdm_t) gnome_transition_gkeyringd(xdm_t) gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm") + gnome_initial_setup_domtrans(xdm_t) + gnome_initial_setup_filetrans_named_content(xdm_t) + gnome_initial_setup_manage_var_run(xdm_t) + gnome_initial_setup_noatsecure(xdm_t) + gnome_initial_setup_read_state(xdm_t) ') optional_policy(` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/system/authlogin.te new/selinux-policy-20230420/policy/modules/system/authlogin.te --- old/selinux-policy-20230321/policy/modules/system/authlogin.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/system/authlogin.te 2023-04-20 12:45:40.000000000 +0200 @@ -593,7 +593,7 @@ allow login_pgm self:netlink_selinux_socket create_socket_perms; allow login_pgm self:capability ipc_lock; dontaudit login_pgm self:capability net_admin; -allow login_pgm self:process setkeycreate; +allow login_pgm self:process { setcap setkeycreate }; allow login_pgm self:key manage_key_perms; userdom_manage_all_users_keys(login_pgm) allow login_pgm nsswitch_domain:key manage_key_perms; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/system/init.if new/selinux-policy-20230420/policy/modules/system/init.if --- old/selinux-policy-20230321/policy/modules/system/init.if 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/system/init.if 2023-04-20 12:45:40.000000000 +0200 
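Review bot: `gnome_initial_setup_noatsecure(xdm_t)` disables the secure-exec (AT_SECURE) environment cleansing on the xdm_t to gnome_initial_setup_t transition, so whatever environment the display manager passes reaches the new domain unsanitized by the loader; that is sometimes needed for desktop sessions but it is a deliberate weakening and should carry a comment naming why it is required here. The interface bodies live in the new gnome_initial_setup.if outside this view, so I cannot confirm what `gnome_initial_setup_manage_var_run` covers. In the authlogin.te hunk on the same line, `setcap` is granted to the whole `login_pgm` attribute; a comment such as `# needed by <login program> to set capabilities` would record which program drove it.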
@@ -1187,6 +1187,32 @@ ######################################## ## <summary> +## Execute init scripts with a domain transition +## and allow the specified role the init script type +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`init_run_script',` + gen_require(` + type initrc_t; + ') + + init_domtrans_script($1) + role $2 types initrc_t; +') + +######################################## +## <summary> ## Execute a file in a bin directory ## in the initrc_t domain ## </summary> 
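Review bot: The new `init_run_script` interface documents the mechanics but not the consequence: `role $2 types initrc_t;` puts the caller's role into a domain that in most policies is close to unconfined for service management, so this is an administrative grant rather than a convenience. Add a sentence to the `<summary>` making that explicit, along the lines of `## Note: initrc_t is a highly privileged domain; only grant it to administrative roles.`, so that module authors do not reach for it from an unprivileged user role. The interface body itself is fine and mirrors the existing domtrans wrapper it calls.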
@@ -2619,6 +2645,42 @@ allow $1 init_var_run_t:dir watch_dir_perms; ') +######################################## +## <summary> +## Get the attributes of block nodes in the /run/systemd directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_getattr_pid_blk_file',` + gen_require(` + type init_var_run_t; + ') + + allow $1 init_var_run_t:blk_file getattr; +') + +######################################## +## <summary> +## Get the attributes of character device nodes in the /run/systemd directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_getattr_pid_chr_file',` + gen_require(` + type init_var_run_t; + ') + + allow $1 init_var_run_t:chr_file getattr; +') + ####################################### ## <summary> ## Create objects in /run/systemd directory diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/system/logging.fc new/selinux-policy-20230420/policy/modules/system/logging.fc --- old/selinux-policy-20230321/policy/modules/system/logging.fc 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/system/logging.fc 2023-04-20 12:45:40.000000000 +0200 @@ -64,7 +64,7 @@ /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) /var/run/log(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) /var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) - +/var/run/systemd/journal\.[^/]+(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) ifndef(`distro_gentoo',` /var/log/audit\.log.* -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) ') 
@@ -86,8 +86,9 @@ /var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) /var/run/rsyslog(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) -/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) - +/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) +/var/run/systemd/journal\.[^/]+/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) +/var/run/systemd/journal\.[^/]+/dev-log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) /var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh) /var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/system/systemd.if new/selinux-policy-20230420/policy/modules/system/systemd.if --- old/selinux-policy-20230321/policy/modules/system/systemd.if 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/system/systemd.if 2023-04-20 12:45:40.000000000 +0200 
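Review bot: The namespaced rules label both `journal\.[^/]+/syslog` and `journal\.[^/]+/dev-log` as devlog_t, but the only default-namespace rule visible in this hunk labels `/var/run/systemd/journal/syslog`; if `/var/run/systemd/journal/dev-log` is not labeled devlog_t by another entry (devices.fc or elsewhere in this file — I cannot see it from here), the default socket falls under the `journal(/.*)?` syslogd_var_run_t rule and the two namespaces end up labeled differently. Please confirm that entry exists, and if it does not, add `/var/run/systemd/journal/dev-log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)` next to the syslog line. The `[^/]+` class is fine, since a namespace name cannot contain a slash.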
@@ -1687,6 +1687,24 @@ ####################################### ## <summary> +## Read generic systemd unit lnk files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`systemd_read_generic_unit_lnk_files',` + gen_require(` + type systemd_unit_file_t; + ') + + read_lnk_files_pattern($1, systemd_unit_file_t, systemd_unit_file_t) +') + +####################################### +## <summary> ## Create a directory in the /usr/lib/systemd/system directory. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20230321/policy/modules/system/systemd.te new/selinux-policy-20230420/policy/modules/system/systemd.te --- old/selinux-policy-20230321/policy/modules/system/systemd.te 2023-03-21 16:21:51.000000000 +0100 +++ new/selinux-policy-20230420/policy/modules/system/systemd.te 2023-04-20 12:45:40.000000000 +0200 @@ -1156,6 +1156,7 @@ files_map_non_security_files(systemd_coredump_t) files_mounton_rootfs(systemd_coredump_t) +files_mounton_usr(systemd_coredump_t) fs_getattr_nsfs_files(systemd_coredump_t) @@ -1248,6 +1249,8 @@ auth_read_passwd(systemd_resolved_t) +corenet_tcp_bind_all_nodes(systemd_resolved_t) +corenet_udp_bind_all_nodes(systemd_resolved_t) corenet_tcp_bind_llmnr_port(systemd_resolved_t) corenet_udp_bind_llmnr_port(systemd_resolved_t) corenet_tcp_connect_llmnr_port(systemd_resolved_t)
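Review bot: `files_mounton_usr(systemd_coredump_t)` lets the coredump handler mount over directories of the usr_t type, which together with the existing `files_mounton_rootfs` is enough to reshape its own view of the system; the hunk gives no reason, and since a service's mount namespace is normally set up by PID 1 before the domain transition, it is not obvious why the coredump domain itself needs the permission. Add a comment stating the trigger, e.g. `# mounton usr_t: needed for <sandboxing option in systemd-coredump@.service> — confirm`, or, if this is only a probe that fails harmlessly, prefer a dontaudit. The systemd_coredump_t rules continue outside this hunk.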