Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2020-10-07 14:18:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.4249 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Wed Oct 7 14:18:21 2020 rev:2 rq:839873 version:20200910 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2020-10-06 17:08:56.977415305 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.4249/selinux-policy.changes 2020-10-07 14:18:29.829486196 +0200 @@ -1,0 +2,29 @@ +Tue Sep 10 07:16:50 UTC 2020 - Johannes Segitz <[email protected]> + +- Update to version 20200910. Refreshed + * fix_authlogin.patch + * fix_nagios.patch + * fix_systemd.patch + * fix_usermanage.patch +- Delete suse_specific.patch, moved content into fix_selinuxutil.patch +- Cleanup of booleans-* presets + * Enabled + user_rw_noexattrfile + unconfined_chrome_sandbox_transition + unconfined_mozilla_plugin_transition + for the minimal policy + * Disabled + xserver_object_manager + for the MLS policy + * Disabled + openvpn_enable_homedirs + privoxy_connect_any + selinuxuser_direct_dri_enabled + selinuxuser_ping (aka user_ping) + squid_connect_any + telepathy_tcp_connect_generic_network_ports + for the targeted policy + Change your local config if you need them +- Build HTML version of manpages for the -devel package + +------------------------------------------------------------------- Old: ---- fedora-policy.20200717.tar.bz2 suse_specific.patch New: ---- fedora-policy.20200910.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.54yTTq/_old 2020-10-07 14:18:31.325487386 +0200 +++ /var/tmp/diff_new_pack.54yTTq/_new 2020-10-07 14:18:31.329487389 +0200 @@ -15,7 +15,6 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# TODO: This turns on distro-specific policies. # There are almost no SUSE specific modifications available in the policy, so we utilize the # ones used by redhat and include also the SUSE specific ones (see sed statement below) %define distro redhat 
@@ -33,7 +32,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20200717 +Version: 20200910 Release: 0 Source: fedora-policy.%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc @@ -65,7 +64,6 @@ Source60: selinux-policy.conf -Source90: selinux-policy-rpmlintrc Source91: Makefile.devel Source92: customizable_types #Source93: config.tgz @@ -123,7 +121,7 @@ Patch040: fix_usermanage.patch Patch041: fix_smartmon.patch Patch042: fix_geoclue.patch -Patch043: suse_specific.patch +#Patch043: suse_specific.patch Patch044: fix_authlogin.patch Patch045: fix_screen.patch Patch046: fix_unprivuser.patch @@ -154,6 +152,7 @@ # for audit2allow Recommends: python3-policycoreutils Recommends: policycoreutils-python-utils +Recommends: container-selinux %define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 @@ -351,7 +350,6 @@ %dir %{_datadir}/selinux/packages %dir %{_sysconfdir}/selinux %ghost %config(noreplace) %{_sysconfdir}/selinux/config -#%ghost %{_sysconfdir}/sysconfig/selinux-policy %{_tmpfilesdir}/selinux-policy.conf %{_rpmconfigdir}/macros.d/macros.selinux-policy @@ -426,7 +424,7 @@ %patch040 -p1 %patch041 -p1 %patch042 -p1 -%patch043 -p1 +#% patch043 -p1 %patch044 -p1 %patch045 -p1 %patch046 -p1 @@ -442,8 +440,6 @@ %install mkdir -p %{buildroot}%{_sysconfdir}/selinux touch %{buildroot}%{_sysconfdir}/selinux/config -#mkdir -p %{buildroot}%{_sysconfdir}/sysconfig -#touch %{buildroot}%{_sysconfdir}/sysconfig/selinux-policy mkdir -p %{buildroot}%{_tmpfilesdir} cp %{SOURCE60} %{buildroot}%{_tmpfilesdir} 
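Review bot: `Recommends: container-selinux` in the `@@ -154,6 +152,7 @@` hunk is added while update.sh (its `@@ -13,7 +13,7 @@` hunk) still copies `container-selinux/container.*` into the policy's contrib tree, so the container module appears to be built into this package as well. If the container-selinux package installs its own `container` module, the two would presumably compete for the same module name at semodule install time; confirm which one should own it, and either drop the Recommends (in-tree copy intended) or the `mv` line in update.sh (separate package intended). `#Patch043: suse_specific.patch` and `#% patch043 -p1` are left as commented-out lines although the changelog says the patch was deleted and the Old/New list already removes the file; dropping both lines keeps the spec from carrying dead references.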
@@ -512,11 +508,10 @@ install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/ install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/ -#XXX what's missing for html? -#%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot} -#mkdir %{buildroot}%{_datadir}/selinux/devel/html -#mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html -#mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html +%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot} +mkdir %{buildroot}%{_datadir}/selinux/devel/html +mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html +mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html %post if [ ! -s %{_sysconfdir}/selinux/config ]; then @@ -525,7 +520,6 @@ if [ -f %{_sysconfdir}/sysconfig/selinux-policy ]; then mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config else - # XXX right default for SELINUXTYPE? echo " # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: @@ -594,7 +588,10 @@ %files devel %defattr(-,root,root,-) %doc %{_datadir}/man/ru/man8/* +%doc %{_datadir}/man/man8/* %dir %{_datadir}/selinux/devel +%dir %{_datadir}/selinux/devel/html/ +%doc %{_datadir}/selinux/devel/html/* %dir %{_datadir}/selinux/devel/include %{_datadir}/selinux/devel/include/* %{_datadir}/selinux/devel/Makefile ++++++ booleans-minimum.conf ++++++ --- /var/tmp/diff_new_pack.54yTTq/_old 2020-10-07 14:18:31.429487469 +0200 +++ /var/tmp/diff_new_pack.54yTTq/_new 2020-10-07 14:18:31.433487473 +0200 
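Review bot: The now-active `%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}` line in the `@@ -512,11 +508,10 @@` hunk introduces a build-time dependency on the sepolicy tool, but no matching `BuildRequires:` is visible in these hunks (the spec only shows `Recommends:` for python3-policycoreutils and policycoreutils-python-utils); confirm one exists, otherwise the build breaks where the old commented lines did not. `mkdir %{buildroot}%{_datadir}/selinux/devel/html` has no `-p`, and the two `mv` lines depend on sepolicy having produced `*.html` and `style.css` under man8, so a short comment such as `# sepolicy reads the policy already installed under %{buildroot} (-r); keep this after the policy install` would make the ordering constraint explicit. In the `@@ -594,7 +588,10 @@` hunk, `%doc %{_datadir}/man/man8/*` in `%files devel` globs every man8 page in the buildroot; if the main package ever ships man8 pages too, the two file lists would overlap.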
@@ -4,19 +4,19 @@ # Allow making a modified private filemapping executable (text relocation). # -allow_execmod = false +selinuxuser_execmod = false # Allow making the stack executable via mprotect.Also requires allow_execmem. # -allow_execstack = true +selinuxuser_execstack = false # Allow ftpd to read cifs directories. # -allow_ftpd_use_cifs = false +ftpd_use_cifs = false # Allow ftpd to read nfs directories. # -allow_ftpd_use_nfs = false +ftpd_use_nfs = false # Allow ftp servers to modify public filesused for public file transfer services. # @@ -24,7 +24,7 @@ # Allow gssd to read temp directory. # -allow_gssd_read_tmp = true +gssd_read_tmp = true # Allow Apache to modify public filesused for public file transfer services. # @@ -32,7 +32,7 @@ # Allow Apache to use mod_auth_pam module # -allow_httpd_mod_auth_pam = false +httpd_mod_auth_pam = false # Allow system to run with kerberos # @@ -44,7 +44,7 @@ # Allow sasl to read shadow # -allow_saslauthd_read_shadow = false +saslauthd_read_shadow = false # Allow samba to modify public filesused for public file transfer services. # @@ -56,7 +56,7 @@ # Allow zebra to write it own configuration files # -allow_zebra_write_config = false +zebra_write_config = false # Enable extra rules in the cron domainto support fcron. # 
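Review bot: `allow_execstack = true` becomes `selinuxuser_execstack = false` in the `@@ -4,19 +4,19 @@` hunk, which is a rename plus a default flip for the minimal policy (executable stacks are no longer permitted by default), yet the changelog lists only the renames and the three booleans enabled for minimal. If the flip is intentional it should be called out in selinux-policy.changes next to the other preset changes, since software that needs an executable stack will start producing denials after the upgrade; if it is not, the value should stay `true`. The other renames in these hunks (`ftpd_use_cifs`, `ftpd_use_nfs`, `gssd_read_tmp`, `httpd_mod_auth_pam`, `saslauthd_read_shadow`, `zebra_write_config`) keep their previous values.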
@@ -148,55 +148,35 @@ # allow host key based authentication # -allow_ssh_keysign = false +ssh_keysign = false # Allow pppd to be run for a regular user # pppd_for_user = false -# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted -# -read_untrusted_content = false - # Allow spamd to write to users homedirs # spamd_enable_home_dirs = false -# Allow regular users direct mouse access -# -user_direct_mouse = false - -# Allow users to read system messages. -# -user_dmesg = false - # Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) # -user_rw_noexattrfile = false +user_rw_noexattrfile = true # Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. # user_tcp_server = false -# Allow w to display everyone -# -user_ttyfile_stat = false - -# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored. -# -write_untrusted_content = false - # Allow all domains to talk to ttys # -allow_daemons_use_tty = false +daemons_use_tty = false # Allow login domains to polyinstatiate directories # -allow_polyinstantiation = false +polyinstantiation_enabled = false # Allow all domains to dump core # -allow_daemons_dump_core = true +daemons_dump_core = true # Allow samba to act as the domain controller # 
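Review bot: `user_rw_noexattrfile = true` in the `@@ -148,55 +148,35 @@` hunk is set a second time further down in the same file (the `@@ -208,36 +188,24 @@` hunk, under "Allow common users to read/write noexattrfile systems"), and the new booleans-mls.conf and booleans-targeted.conf carry the same duplicate. Both copies agree today, but if they ever diverge whichever entry is read last would presumably win without any warning; keeping a single entry per boolean avoids that. The comment lines are copied from upstream with their run-together words (`filesystemsthat`, `fromthe`, `modeand`), which could be fixed while the file is being rewritten anyway.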
@@ -208,36 +188,24 @@ # Allows XServer to execute writable memory # -allow_xserver_execmem = false +xserver_execmem = false # disallow guest accounts to execute files that they can create # -allow_guest_exec_content = false -allow_xguest_exec_content = false - -# Only allow browser to use the web -# -browser_confine_xguest=false +guest_exec_content = false +xguest_exec_content = false # Allow postfix locat to write to mail spool # -allow_postfix_local_write_mail_spool=false +postfix_local_write_mail_spool = false # Allow common users to read/write noexattrfile systems # -user_rw_noexattrfile=true +user_rw_noexattrfile = true # Allow qemu to connect fully to the network # -qemu_full_network=true - -# Allow nsplugin execmem/execstack for bad plugins -# -allow_nsplugin_execmem=true - -# Allow unconfined domain to transition to confined domain -# -allow_unconfined_nsplugin_transition=true +qemu_full_network = true # System uses init upstart program # @@ -245,9 +213,20 @@ # Allow mount to mount any file/dir # -allow_mount_anyfile = true +mount_anyfile = true # Allow all domains to mmap files # domain_can_mmap_files = true +# Allow confined applications to use nscd shared memory +# +nscd_use_shm = true + +# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox +# +unconfined_chrome_sandbox_transition = true + +# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container. +# +unconfined_mozilla_plugin_transition = true ++++++ booleans-mls.conf ++++++ --- /var/tmp/diff_new_pack.54yTTq/_old 2020-10-07 14:18:31.469487501 +0200 +++ /var/tmp/diff_new_pack.54yTTq/_new 2020-10-07 14:18:31.469487501 +0200 
@@ -1,6 +1,232 @@ -kerberos_enabled = true +# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. +# +allow_execmem = false + +# Allow making a modified private filemapping executable (text relocation). +# +selinuxuser_execmod = false + +# Allow making the stack executable via mprotect.Also requires allow_execmem. +# +selinuxuser_execstack = false + +# Allow ftpd to read cifs directories. +# +ftpd_use_cifs = false + +# Allow ftpd to read nfs directories. +# +ftpd_use_nfs = false + +# Allow ftp servers to modify public filesused for public file transfer services. +# +allow_ftpd_anon_write = false + +# Allow gssd to read temp directory. +# +gssd_read_tmp = true + +# Allow Apache to modify public filesused for public file transfer services. +# +allow_httpd_anon_write = false + +# Allow Apache to use mod_auth_pam module +# +httpd_mod_auth_pam = false + +# Allow system to run with kerberos +# +allow_kerberos = true + +# Allow rsync to modify public filesused for public file transfer services. +# +allow_rsync_anon_write = false + +# Allow sasl to read shadow +# +saslauthd_read_shadow = false + +# Allow samba to modify public filesused for public file transfer services. +# +allow_smbd_anon_write = false + +# Allow system to run with NIS +# +allow_ypbind = false + +# Allow zebra to write it own configuration files +# +zebra_write_config = false + +# Enable extra rules in the cron domainto support fcron. 
+# +fcron_crond = false + +# +# allow httpd to connect to mysql/posgresql +httpd_can_network_connect_db = false + +# +# allow httpd to send dbus messages to avahi +httpd_dbus_avahi = true + +# +# allow httpd to network relay +httpd_can_network_relay = false + +# Allow httpd to use built in scripting (usually php) +# +httpd_builtin_scripting = true + +# Allow http daemon to tcp connect +# +httpd_can_network_connect = false + +# Allow httpd cgi support +# +httpd_enable_cgi = true + +# Allow httpd to act as a FTP server bylistening on the ftp port. +# +httpd_enable_ftp_server = false + +# Allow httpd to read home directories +# +httpd_enable_homedirs = false + +# Run SSI execs in system CGI script domain. +# +httpd_ssi_exec = false + +# Allow http daemon to communicate with the TTY +# +httpd_tty_comm = false + +# Run CGI in the main httpd domain +# +httpd_unified = false + +# Allow BIND to write the master zone files.Generally this is used for dynamic DNS. +# +named_write_master_zones = false + +# Allow nfs to be exported read/write. +# +nfs_export_all_rw = true + +# Allow nfs to be exported read only +# +nfs_export_all_ro = true + +# Allow pppd to load kernel modules for certain modems +# +pppd_can_insmod = false + +# Allow reading of default_t files. +# +read_default_t = false + +# Allow samba to export user home directories. +# +samba_enable_home_dirs = false + +# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. 
+# +squid_connect_any = false + +# Support NFS home directories +# +use_nfs_home_dirs = true + +# Support SAMBA home directories +# +use_samba_home_dirs = false + +# Control users use of ping and traceroute +# +user_ping = false + +# allow host key based authentication +# +ssh_keysign = false + +# Allow pppd to be run for a regular user +# +pppd_for_user = false + +# Allow spamd to write to users homedirs +# +spamd_enable_home_dirs = false + +# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) +# +user_rw_noexattrfile = true + +# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. +# +user_tcp_server = false + +# Allow all domains to talk to ttys +# +daemons_use_tty = false + +# Allow login domains to polyinstatiate directories +# +polyinstantiation_enabled = false + +# Allow all domains to dump core +# +daemons_dump_core = true + +# Allow samba to act as the domain controller +# +samba_domain_controller = false + +# Allow samba to export user home directories. 
+# +samba_run_unconfined = false + +# Allows XServer to execute writable memory +# +xserver_execmem = false + +# disallow guest accounts to execute files that they can create +# +guest_exec_content = false +xguest_exec_content = false + +# Allow postfix locat to write to mail spool +# +postfix_local_write_mail_spool = false + +# Allow common users to read/write noexattrfile systems +# +user_rw_noexattrfile = true + +# Allow qemu to connect fully to the network +# +qemu_full_network = true + +# System uses init upstart program +# +init_upstart = true + +# Allow mount to mount any file/dir +# mount_anyfile = true -polyinstantiation_enabled = true -ftpd_is_daemon = true -selinuxuser_ping = true -xserver_object_manager = true + +# Allow all domains to mmap files +# +domain_can_mmap_files = true + +# Allow confined applications to use nscd shared memory +# +nscd_use_shm = true + +# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox +# +unconfined_chrome_sandbox_transition = false + +# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container. +# +unconfined_mozilla_plugin_transition = false ++++++ booleans-targeted.conf ++++++ --- /var/tmp/diff_new_pack.54yTTq/_old 2020-10-07 14:18:31.493487520 +0200 +++ /var/tmp/diff_new_pack.54yTTq/_new 2020-10-07 14:18:31.493487520 +0200 
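Review bot: The `@@ -1,6 +1,232 @@` hunk flips `polyinstantiation_enabled` from `true` to `false` and replaces `selinuxuser_ping = true` with `user_ping = false` for the MLS policy, and drops `ftpd_is_daemon = true` and `xserver_object_manager = true` entirely rather than setting them to false; the changelog mentions only xserver_object_manager for MLS. Polyinstantiated directories are a feature MLS deployments often rely on, so that flip in particular should be either reverted or listed in selinux-policy.changes. The removed `kerberos_enabled = true` comes back as `allow_kerberos = true`, the legacy `allow_`-prefixed name, while the rest of the file drops that prefix (`ssh_keysign`, `daemons_use_tty`, `mount_anyfile`); the same holds for `allow_execmem`, `allow_ftpd_anon_write`, `allow_httpd_anon_write`, `allow_rsync_anon_write`, `allow_smbd_anon_write` and `allow_ypbind`, here and in booleans-targeted.conf. A preset name that matches no tunable in the policy tree is presumably ignored at build time, leaving the policy default in effect, so each of these names should be checked against the shipped policy.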
@@ -1,23 +1,232 @@ +# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. +# +allow_execmem = false + +# Allow making a modified private filemapping executable (text relocation). +# +selinuxuser_execmod = false + +# Allow making the stack executable via mprotect.Also requires allow_execmem. +# +selinuxuser_execstack = false + +# Allow ftpd to read cifs directories. +# +ftpd_use_cifs = false + +# Allow ftpd to read nfs directories. +# +ftpd_use_nfs = false + +# Allow ftp servers to modify public filesused for public file transfer services. +# +allow_ftpd_anon_write = false + +# Allow gssd to read temp directory. +# gssd_read_tmp = true + +# Allow Apache to modify public filesused for public file transfer services. +# +allow_httpd_anon_write = false + +# Allow Apache to use mod_auth_pam module +# +httpd_mod_auth_pam = false + +# Allow system to run with kerberos +# +allow_kerberos = true + +# Allow rsync to modify public filesused for public file transfer services. +# +allow_rsync_anon_write = false + +# Allow sasl to read shadow +# +saslauthd_read_shadow = false + +# Allow samba to modify public filesused for public file transfer services. +# +allow_smbd_anon_write = false + +# Allow system to run with NIS +# +allow_ypbind = false + +# Allow zebra to write it own configuration files +# +zebra_write_config = false + +# Enable extra rules in the cron domainto support fcron. 
+# +fcron_crond = false + +# +# allow httpd to connect to mysql/posgresql +httpd_can_network_connect_db = false + +# +# allow httpd to send dbus messages to avahi +httpd_dbus_avahi = true + +# +# allow httpd to network relay +httpd_can_network_relay = false + +# Allow httpd to use built in scripting (usually php) +# httpd_builtin_scripting = true + +# Allow http daemon to tcp connect +# +httpd_can_network_connect = false + +# Allow httpd cgi support +# httpd_enable_cgi = true -kerberos_enabled = true -mount_anyfile = true -nfs_export_all_ro = true + +# Allow httpd to act as a FTP server bylistening on the ftp port. +# +httpd_enable_ftp_server = false + +# Allow httpd to read home directories +# +httpd_enable_homedirs = false + +# Run SSI execs in system CGI script domain. +# +httpd_ssi_exec = false + +# Allow http daemon to communicate with the TTY +# +httpd_tty_comm = false + +# Run CGI in the main httpd domain +# +httpd_unified = false + +# Allow BIND to write the master zone files.Generally this is used for dynamic DNS. +# +named_write_master_zones = false + +# Allow nfs to be exported read/write. +# nfs_export_all_rw = true -nscd_use_shm = true -openvpn_enable_homedirs = true -postfix_local_write_mail_spool= true + +# Allow nfs to be exported read only +# +nfs_export_all_ro = true + +# Allow pppd to load kernel modules for certain modems +# pppd_can_insmod = false -privoxy_connect_any = true -selinuxuser_direct_dri_enabled = true -selinuxuser_rw_noexattrfile = true -selinuxuser_ping = true -squid_connect_any = true -telepathy_tcp_connect_generic_network_ports=true -unconfined_chrome_sandbox_transition=true -unconfined_mozilla_plugin_transition=true -xguest_exec_content = true -mozilla_plugin_can_network_connect = true + +# Allow reading of default_t files. +# +read_default_t = false + +# Allow samba to export user home directories. +# +samba_enable_home_dirs = false + +# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. 
+# +squid_connect_any = false + +# Support NFS home directories +# +use_nfs_home_dirs = true + +# Support SAMBA home directories +# +use_samba_home_dirs = false + +# Control users use of ping and traceroute +# +user_ping = false + +# allow host key based authentication +# +ssh_keysign = false + +# Allow pppd to be run for a regular user +# +pppd_for_user = false + +# Allow spamd to write to users homedirs +# +spamd_enable_home_dirs = false + +# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) +# +user_rw_noexattrfile = true + +# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. +# +user_tcp_server = false + +# Allow all domains to talk to ttys +# +daemons_use_tty = false + +# Allow login domains to polyinstatiate directories +# +polyinstantiation_enabled = false + +# Allow all domains to dump core +# +daemons_dump_core = true + +# Allow samba to act as the domain controller +# +samba_domain_controller = false + +# Allow samba to export user home directories. 
+# +samba_run_unconfined = false + +# Allows XServer to execute writable memory +# +xserver_execmem = false + +# disallow guest accounts to execute files that they can create +# +guest_exec_content = false +xguest_exec_content = false + +# Allow postfix locat to write to mail spool +# +postfix_local_write_mail_spool = false + +# Allow common users to read/write noexattrfile systems +# +user_rw_noexattrfile = true + +# Allow qemu to connect fully to the network +# +qemu_full_network = true + +# System uses init upstart program +# +init_upstart = true + +# Allow mount to mount any file/dir +# +mount_anyfile = true + # Allow all domains to mmap files +# domain_can_mmap_files = true + +# Allow confined applications to use nscd shared memory +# +nscd_use_shm = true + +# allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox +# +unconfined_chrome_sandbox_transition = true + +# Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container. +# +unconfined_mozilla_plugin_transition = true ++++++ fedora-policy.20200717.tar.bz2 -> fedora-policy.20200910.tar.bz2 ++++++ ++++ 2520 lines of diff (skipped) ++++++ fix_authlogin.patch ++++++ --- /var/tmp/diff_new_pack.54yTTq/_old 2020-10-07 14:18:32.461488290 +0200 +++ /var/tmp/diff_new_pack.54yTTq/_new 2020-10-07 14:18:32.461488290 +0200 @@ -2,7 +2,7 @@ =================================================================== --- fedora-policy.orig/policy/modules/system/authlogin.fc +++ fedora-policy/policy/modules/system/authlogin.fc -@@ -47,6 +47,7 @@ ifdef(`distro_gentoo', ` +@@ -49,6 +49,7 @@ ifdef(`distro_gentoo', ` /usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /usr/libexec/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) ++++++ fix_nagios.patch ++++++ --- /var/tmp/diff_new_pack.54yTTq/_old 2020-10-07 14:18:32.549488360 +0200 +++ /var/tmp/diff_new_pack.54yTTq/_new 2020-10-07 14:18:32.553488363 +0200 
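Review bot: Beyond the booleans the changelog lists as disabled for targeted, the `@@ -1,23 +1,232 @@` hunk also turns `postfix_local_write_mail_spool` and `xguest_exec_content` from `true` to `false`, drops `mozilla_plugin_can_network_connect = true` without a replacement, and replaces `selinuxuser_rw_noexattrfile = true` with the legacy name `user_rw_noexattrfile = true`. Each of these changes default behaviour on an upgrade: going by the comments in the file, xguest accounts lose the ability to execute files they created and postfix local delivery to the mail spool is presumably denied unless the boolean is set locally. They belong in selinux-policy.changes alongside the other targeted changes, or should be reverted if the flips were not intended.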
@@ -14,7 +14,7 @@ =================================================================== --- fedora-policy.orig/policy/modules/contrib/nagios.te +++ fedora-policy/policy/modules/contrib/nagios.te -@@ -157,6 +157,7 @@ allow nagios_t nagios_spool_t:file map; +@@ -161,6 +161,7 @@ allow nagios_t nagios_spool_t:file map; manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) manage_dirs_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t) ++++++ fix_selinuxutil.patch ++++++ --- /var/tmp/diff_new_pack.54yTTq/_old 2020-10-07 14:18:32.613488411 +0200 +++ /var/tmp/diff_new_pack.54yTTq/_new 2020-10-07 14:18:32.617488414 +0200 @@ -24,3 +24,16 @@ cloudform_dontaudit_write_cloud_log(setfiles_t) ') +Index: fedora-policy/policy/modules/system/selinuxutil.if +=================================================================== +--- fedora-policy.orig/policy/modules/system/selinuxutil.if ++++ fedora-policy/policy/modules/system/selinuxutil.if +@@ -777,6 +777,8 @@ interface(`seutil_dontaudit_read_config' + + dontaudit $1 selinux_config_t:dir search_dir_perms; + dontaudit $1 selinux_config_t:file read_file_perms; ++ # /etc/selinux/config was a link to /etc/sysconfig/selinux-policy, ignore read attemps ++ dontaudit $1 selinux_config_t:lnk_file read_lnk_file_perms; + ') + + ######################################## ++++++ fix_systemd.patch ++++++ --- /var/tmp/diff_new_pack.54yTTq/_old 2020-10-07 14:18:32.653488442 +0200 +++ /var/tmp/diff_new_pack.54yTTq/_new 2020-10-07 14:18:32.653488442 +0200 @@ -13,7 +13,7 @@ apache_read_tmp_files(systemd_logind_t) ') -@@ -823,6 +827,10 @@ optional_policy(` +@@ -828,6 +832,10 @@ optional_policy(` dbus_connect_system_bus(systemd_hostnamed_t) ') ++++++ fix_usermanage.patch ++++++ --- /var/tmp/diff_new_pack.54yTTq/_old 2020-10-07 14:18:32.693488474 +0200 +++ /var/tmp/diff_new_pack.54yTTq/_new 2020-10-07 14:18:32.693488474 +0200 
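Review bot: The comment added in fix_selinuxutil.patch's `@@ -24,3 +24,16 @@` hunk, `# /etc/selinux/config was a link to /etc/sysconfig/selinux-policy, ignore read attemps`, has a typo (`attemps` → `attempts`) and explains the rule only in terms of a past layout. Since the spec's `%post` now moves `/etc/sysconfig/selinux-policy` to `/etc/selinux/config` (context in its `@@ -525,7 +520,6 @@` hunk), a wording such as `# systems upgraded from the old /etc/sysconfig/selinux-policy symlink layout may still hit a lnk_file read; keep it quiet` tells the next reader why the dontaudit must stay. The rule itself only extends the existing dontaudit in `seutil_dontaudit_read_config` to `lnk_file`, which is consistent with the interface's purpose.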
@@ -10,7 +10,7 @@ fs_getattr_xattr_fs(groupadd_t) fs_search_auto_mountpoints(groupadd_t) -@@ -529,6 +530,7 @@ allow useradd_t self:unix_dgram_socket c +@@ -530,6 +531,7 @@ allow useradd_t self:unix_dgram_socket c allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -18,7 +18,7 @@ manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t) -@@ -537,6 +539,8 @@ files_pid_filetrans(useradd_t, useradd_v +@@ -538,6 +540,8 @@ files_pid_filetrans(useradd_t, useradd_v # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) ++++++ modules-minimum-base.conf ++++++ --- /var/tmp/diff_new_pack.54yTTq/_old 2020-10-07 14:18:32.769488535 +0200 +++ /var/tmp/diff_new_pack.54yTTq/_new 2020-10-07 14:18:32.769488535 +0200 @@ -392,13 +392,6 @@ # unconfined = module -# Layer: system -# Module: kdbus -# -# Policy for kdbus. -# -kdbus = module - # Layer: admin # Module: rpm # ++++++ modules-targeted-base.conf ++++++ --- /var/tmp/diff_new_pack.54yTTq/_old 2020-10-07 14:18:32.885488627 +0200 +++ /var/tmp/diff_new_pack.54yTTq/_new 2020-10-07 14:18:32.885488627 +0200 @@ -392,13 +392,6 @@ # unconfined = module -# Layer: system -# Module: kdbus -# -# Policy for kdbus. -# -kdbus = module - # Layer: contrib # Module: packagekit # ++++++ update.sh ++++++ --- /var/tmp/diff_new_pack.54yTTq/_old 2020-10-07 14:18:33.085488786 +0200 +++ /var/tmp/diff_new_pack.54yTTq/_new 2020-10-07 14:18:33.089488789 +0200 @@ -13,7 +13,7 @@ mv selinux-policy fedora-policy rm -rf fedora-policy/.git* mv selinux-policy-contrib/* fedora-policy/policy/modules/contrib/ -mv container-selinux/* fedora-policy/policy/modules/contrib/ +mv container-selinux/container.* fedora-policy/policy/modules/contrib/ rm -f fedora-policy.$date.tar* tar cf fedora-policy.$date.tar fedora-policy
