Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2021-03-24 16:08:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.2401 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Wed Mar 24 16:08:51 2021 rev:8 rq:878582 version:20210309

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2021-03-02 12:30:53.735600387 +0100
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.2401/selinux-policy.changes  
2021-03-24 16:08:57.751687790 +0100
@@ -1,0 +2,27 @@
+Fri Mar 12 10:36:06 UTC 2021 - Ales Kedroutek <[email protected]>
+
+- Adjust fix_init.patch to allow systemd to do sd-listen on 
+  tcp socket [bsc#1183177]
+
+-------------------------------------------------------------------
+Tue Mar  9 13:39:11 UTC 2021 - Johannes Segitz <[email protected]>
+
+- Update to version 20210309
+- Refreshed
+  * fix_systemd.patch
+  * fix_selinuxutil.patch
+  * fix_iptables.patch
+  * fix_init.patch
+  * fix_logging.patch
+  * fix_nscd.patch
+  * fix_hadoop.patch
+  * fix_unconfineduser.patch
+  * fix_chronyd.patch
+  * fix_networkmanager.patch
+  * fix_cron.patch
+  * fix_usermanage.patch
+  * fix_unprivuser.patch
+  * fix_rpm.patch
+- Ensure that /usr/etc is labeled according to /etc rules
+
+-------------------------------------------------------------------

Old:
----
  fedora-policy-20210223.tar.bz2

New:
----
  fedora-policy-20210309.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.ZfSSdA/_old  2021-03-24 16:08:58.799688889 +0100
+++ /var/tmp/diff_new_pack.ZfSSdA/_new  2021-03-24 16:08:58.803688893 +0100
@@ -33,7 +33,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20210223
+Version:        20210309
 Release:        0
 Source:         fedora-policy-%{version}.tar.bz2
 Source1:        selinux-policy-rpmlintrc

++++++ fedora-policy-20210223.tar.bz2 -> fedora-policy-20210309.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/contrib/accountsd.te 
new/fedora-policy-20210309/policy/modules/contrib/accountsd.te
--- old/fedora-policy-20210223/policy/modules/contrib/accountsd.te      
2021-02-23 14:51:08.615163495 +0100
+++ new/fedora-policy-20210309/policy/modules/contrib/accountsd.te      
2021-03-09 14:39:00.564216789 +0100
@@ -97,4 +97,5 @@
        xserver_read_state_xdm(accountsd_t)
        xserver_dbus_chat_xdm(accountsd_t)
        xserver_manage_xdm_etc_files(accountsd_t)
+       xserver_watch_xdm_etc_dirs(accountsd_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fedora-policy-20210223/policy/modules/contrib/apm.te 
new/fedora-policy-20210309/policy/modules/contrib/apm.te
--- old/fedora-policy-20210223/policy/modules/contrib/apm.te    2021-02-23 
14:51:08.627163523 +0100
+++ new/fedora-policy-20210309/policy/modules/contrib/apm.te    2021-03-09 
14:39:00.572216877 +0100
@@ -104,6 +104,7 @@
 dev_rw_sysfs(apmd_t)
 dev_dontaudit_getattr_all_chr_files(apmd_t)
 dev_dontaudit_getattr_all_blk_files(apmd_t)
+dev_watch_generic_dirs(apmd_t)
 
 files_exec_etc_files(apmd_t)
 files_read_etc_runtime_files(apmd_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/contrib/avahi.fc 
new/fedora-policy-20210309/policy/modules/contrib/avahi.fc
--- old/fedora-policy-20210223/policy/modules/contrib/avahi.fc  2021-02-23 
14:51:08.627163523 +0100
+++ new/fedora-policy-20210309/policy/modules/contrib/avahi.fc  2021-03-09 
14:39:00.572216877 +0100
@@ -1,3 +1,5 @@
+/etc/avahi(/.*)?               gen_context(system_u:object_r:avahi_conf_t,s0)
+
 /etc/rc\.d/init\.d/avahi.*     --      
gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
 
 /usr/lib/systemd/system/avahi.*    --  
gen_context(system_u:object_r:avahi_unit_file_t,s0)
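Review bot: The new `/etc/avahi(/.*)?` entry moves the whole configuration tree to avahi_conf_t, but the avahi.te hunks in this update grant access to avahi_t alone (directory list/watch and file read), and no interface for other domains is visible on this page. Any other domain that read these files under the previous generic /etc label would now depend on whatever rules follow from `files_config_file(avahi_conf_t)`, which cannot be confirmed from here. Symbolic links under the tree also receive the new type, yet no `read_lnk_files_pattern(avahi_t, avahi_conf_t, avahi_conf_t)` is added. After the update, check that the tree was relabelled and watch the audit log for avahi_conf_t denials.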
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/contrib/avahi.te 
new/fedora-policy-20210309/policy/modules/contrib/avahi.te
--- old/fedora-policy-20210223/policy/modules/contrib/avahi.te  2021-02-23 
14:51:08.627163523 +0100
+++ new/fedora-policy-20210309/policy/modules/contrib/avahi.te  2021-03-09 
14:39:00.572216877 +0100
@@ -12,6 +12,9 @@
 type avahi_initrc_exec_t;
 init_script_file(avahi_initrc_exec_t)
 
+type avahi_conf_t;
+files_config_file(avahi_conf_t)
+
 type avahi_var_lib_t;
 files_type(avahi_var_lib_t)
 
@@ -35,6 +38,9 @@
 allow avahi_t self:tcp_socket { accept listen };
 allow avahi_t self:packet_socket create_socket_perms;
 
+allow avahi_t avahi_conf_t:dir { list_dir_perms watch_dir_perms };
+read_files_pattern(avahi_t, avahi_conf_t, avahi_conf_t)
+
 manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
 manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
 files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/contrib/cron.if 
new/fedora-policy-20210309/policy/modules/contrib/cron.if
--- old/fedora-policy-20210223/policy/modules/contrib/cron.if   2021-02-23 
14:51:08.635163542 +0100
+++ new/fedora-policy-20210309/policy/modules/contrib/cron.if   2021-03-09 
14:39:00.584217008 +0100
@@ -13,7 +13,6 @@
 #
 template(`cron_common_crontab_template',`
        gen_require(`
-               attribute crontab_domain;
                type crontab_exec_t;
        ')
 
@@ -22,7 +21,6 @@
        # Declarations
        #
 
-       typeattribute $1_t crontab_domain;
        userdom_user_application_domain($1_t, crontab_exec_t)
 
        ##############################
@@ -50,9 +48,10 @@
 ##     Role allowed access
 ##     </summary>
 ## </param>
-## <param name="domain">
+## <param name="userdomain_prefix">
 ##     <summary>
-##     User domain for the role
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
 ##     </summary>
 ## </param>
 ## <rolecap/>
@@ -144,15 +143,17 @@
 ##     Role allowed access
 ##     </summary>
 ## </param>
-## <param name="domain">
+## <param name="userdomain_prefix">
 ##     <summary>
-##     User domain for the role
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
 ##     </summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`cron_unconfined_role',`
        gen_require(`
+               attribute crontab_domain;
                type unconfined_cronjob_t, crontab_t, crontab_exec_t;
         type crond_t, user_cron_spool_t;
         bool cron_userdomain_transition;
@@ -181,6 +182,7 @@
        allow $2_t unconfined_cronjob_t:process signal_perms;
 
     cron_common_crontab_template($2)
+       typeattribute $2_t crontab_domain;
 
        tunable_policy(`deny_ptrace',`',`
                allow $2_t unconfined_cronjob_t:process ptrace;
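Review bot: With `typeattribute $1_t crontab_domain;` removed from `cron_common_crontab_template`, each user of the template must now add the attribute itself, as this hunk does with `typeattribute $2_t crontab_domain;` and the `cron_admin_role` hunk further down does again. Nothing in the template documentation visible on this page records that requirement, so a later caller could expand the template and silently miss every rule keyed on crontab_domain. A comment at the template, for example `# callers must assign crontab_domain to $1_t themselves`, would make the contract explicit. The interface body starts and ends outside this hunk.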
@@ -223,15 +225,17 @@
 ##     Role allowed access
 ##     </summary>
 ## </param>
-## <param name="domain">
+## <param name="userdomain_prefix">
 ##     <summary>
-##     User domain for the role
+##     The prefix of the user domain (e.g., user
+##     is the prefix for user_t).
 ##     </summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`cron_admin_role',`
        gen_require(`
+               attribute crontab_domain;
                type cronjob_t, crontab_exec_t, admin_crontab_t, 
admin_crontab_tmp_t;
                type user_cron_spool_t, crond_t;
                class passwd crontab;
@@ -262,6 +266,7 @@
        allow $2_t admin_crontab_t:process signal_perms;
 
     cron_common_crontab_template($2)
+       typeattribute $2_t crontab_domain;
 
        tunable_policy(`deny_ptrace',`',`
                allow $2_t admin_crontab_t:process ptrace;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/contrib/cron.te 
new/fedora-policy-20210309/policy/modules/contrib/cron.te
--- old/fedora-policy-20210223/policy/modules/contrib/cron.te   2021-02-23 
14:51:08.635163542 +0100
+++ new/fedora-policy-20210309/policy/modules/contrib/cron.te   2021-03-09 
14:39:00.584217008 +0100
@@ -97,7 +97,7 @@
 type admin_crontab_tmp_t;
 files_tmp_file(admin_crontab_tmp_t)
 
-type admin_crontab_t;
+type admin_crontab_t, crontab_domain;
 cron_common_crontab_template(admin_crontab)
 typealias admin_crontab_t alias sysadm_crontab_t;
 typealias admin_crontab_tmp_t alias sysadm_crontab_tmp_t;
@@ -105,7 +105,7 @@
 type crontab_tmp_t;
 files_tmp_file(crontab_tmp_t)
 
-type crontab_t;
+type crontab_t, crontab_domain;
 cron_common_crontab_template(crontab)
 typealias crontab_t alias { user_crontab_t staff_crontab_t };
 typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
@@ -796,6 +796,7 @@
 
 list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+watch_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
 allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/contrib/devicekit.te 
new/fedora-policy-20210309/policy/modules/contrib/devicekit.te
--- old/fedora-policy-20210223/policy/modules/contrib/devicekit.te      
2021-02-23 14:51:08.635163542 +0100
+++ new/fedora-policy-20210309/policy/modules/contrib/devicekit.te      
2021-03-09 14:39:00.588217051 +0100
@@ -111,6 +111,7 @@
 dev_rw_loop_control(devicekit_disk_t)
 dev_getattr_usbfs_dirs(devicekit_disk_t)
 dev_manage_generic_files(devicekit_disk_t)
+dev_read_rand(devicekit_disk_t)
 dev_read_urand(devicekit_disk_t)
 dev_rw_sysfs(devicekit_disk_t)
 
@@ -127,6 +128,7 @@
 files_manage_boot_dirs(devicekit_disk_t)
 files_manage_isid_type_dirs(devicekit_disk_t)
 files_manage_mnt_dirs(devicekit_disk_t)
+files_watch_etc_dirs(devicekit_disk_t) # udisksd watches /etc
 files_manage_etc_files(devicekit_disk_t)
 files_read_etc_runtime_files(devicekit_disk_t)
 
@@ -181,6 +183,8 @@
 optional_policy(`
        mount_domtrans(devicekit_disk_t)
        mount_read_pid_files(devicekit_disk_t)
+       mount_watch_pid_files(devicekit_disk_t)
+       mount_watch_reads_pid_files(devicekit_disk_t)
 ')
 
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/contrib/kdump.te 
new/fedora-policy-20210309/policy/modules/contrib/kdump.te
--- old/fedora-policy-20210223/policy/modules/contrib/kdump.te  2021-02-23 
14:51:08.647163570 +0100
+++ new/fedora-policy-20210309/policy/modules/contrib/kdump.te  2021-03-09 
14:39:00.608217270 +0100
@@ -63,6 +63,7 @@
 files_read_kernel_img(kdump_t)
 files_map_boot_files(kdump_t)
 
+kernel_kexec_load(kdump_t)
 kernel_read_system_state(kdump_t)
 kernel_read_core_if(kdump_t)
 kernel_read_debugfs(kdump_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/contrib/keepalived.te 
new/fedora-policy-20210309/policy/modules/contrib/keepalived.te
--- old/fedora-policy-20210223/policy/modules/contrib/keepalived.te     
2021-02-23 14:51:08.647163570 +0100
+++ new/fedora-policy-20210309/policy/modules/contrib/keepalived.te     
2021-03-09 14:39:00.608217270 +0100
@@ -29,6 +29,9 @@
 type keepalived_tmp_t;
 files_tmp_file(keepalived_tmp_t)
 
+type keepalived_tmpfs_t;
+files_tmpfs_file(keepalived_tmpfs_t)
+
 ########################################
 #
 # keepalived local policy
@@ -49,6 +52,10 @@
 files_pid_filetrans(keepalived_t, keepalived_var_run_t, { dir file })
 allow keepalived_t keepalived_var_run_t:dir mounton;
 
+manage_files_pattern(keepalived_t, keepalived_tmpfs_t, keepalived_tmpfs_t)
+manage_dirs_pattern(keepalived_t, keepalived_tmpfs_t, keepalived_tmpfs_t)
+fs_tmpfs_filetrans(keepalived_t, keepalived_tmpfs_t, { dir file })
+
 kernel_read_system_state(keepalived_t)
 kernel_read_network_state(keepalived_t)
 kernel_request_load_module(keepalived_t)
@@ -77,6 +84,7 @@
 
 files_dontaudit_mounton_rootfs(keepalived_var_run_t)
 files_mounton_rootfs(keepalived_t)
+fs_read_nsfs_files(keepalived_t)
 fs_unmount_tmpfs(keepalived_t)
 
 modutils_domtrans_kmod(keepalived_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fedora-policy-20210223/policy/modules/contrib/rpm.if 
new/fedora-policy-20210309/policy/modules/contrib/rpm.if
--- old/fedora-policy-20210223/policy/modules/contrib/rpm.if    2021-02-23 
14:51:08.663163606 +0100
+++ new/fedora-policy-20210309/policy/modules/contrib/rpm.if    2021-03-09 
14:39:00.640217619 +0100
@@ -470,6 +470,7 @@
 interface(`rpm_named_filetrans',`
        gen_require(`
                type rpm_log_t;
+               type rpm_var_cache_t;
                type rpm_var_lib_t;
        ')
        logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/contrib/rsync.if 
new/fedora-policy-20210309/policy/modules/contrib/rsync.if
--- old/fedora-policy-20210223/policy/modules/contrib/rsync.if  2021-02-23 
14:51:08.667163616 +0100
+++ new/fedora-policy-20210309/policy/modules/contrib/rsync.if  2021-03-09 
14:39:00.640217619 +0100
@@ -276,7 +276,7 @@
         type rsync_var_run_t;
        ')
 
-       files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.cond")
+       files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.conf")
        files_pid_filetrans($1, rsync_var_run_t, file, "swift_server.lock")
        files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/contrib/sssd.te 
new/fedora-policy-20210309/policy/modules/contrib/sssd.te
--- old/fedora-policy-20210223/policy/modules/contrib/sssd.te   2021-02-23 
14:51:08.671163625 +0100
+++ new/fedora-policy-20210309/policy/modules/contrib/sssd.te   2021-03-09 
14:39:00.644217663 +0100
@@ -115,6 +115,8 @@
 files_list_var_lib(sssd_t)
 files_watch_etc_dirs(sssd_t)
 
+fs_getattr_cgroup(sssd_t)
+fs_search_cgroup_dirs(sssd_t)
 fs_list_inotifyfs(sssd_t)
 fs_getattr_xattr_fs(sssd_t)
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/contrib/virt.te 
new/fedora-policy-20210309/policy/modules/contrib/virt.te
--- old/fedora-policy-20210223/policy/modules/contrib/virt.te   2021-02-23 
14:51:08.675163634 +0100
+++ new/fedora-policy-20210309/policy/modules/contrib/virt.te   2021-03-09 
14:39:00.652217750 +0100
@@ -393,7 +393,8 @@
 # virtd local policy
 #
 
-allow virtd_t self:capability { chown dac_read_search  fowner ipc_lock kill 
mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
+# fsetid - for chmod'ing its runtime files
+allow virtd_t self:capability { chown dac_read_search fowner fsetid ipc_lock 
kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice 
sys_ptrace };
 #allow virtd_t self:capability2 compromise_kernel;
 allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setsockcreate setsched };
 ifdef(`hide_broken_symptoms',`
@@ -410,6 +411,7 @@
 allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow virtd_t self:netlink_route_socket create_netlink_socket_perms;
 allow virtd_t self:netlink_socket create_socket_perms;
+allow virtd_t self:netlink_generic_socket create_socket_perms;
 
 manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
 manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
@@ -586,6 +588,7 @@
 auth_use_nsswitch(virtd_t)
 
 init_dbus_chat(virtd_t)
+init_read_utmp(virtd_t)
 
 miscfiles_read_generic_certs(virtd_t)
 miscfiles_read_hwdata(virtd_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/kernel/kernel.if 
new/fedora-policy-20210309/policy/modules/kernel/kernel.if
--- old/fedora-policy-20210223/policy/modules/kernel/kernel.if  2021-02-23 
14:51:08.679163643 +0100
+++ new/fedora-policy-20210309/policy/modules/kernel/kernel.if  2021-03-09 
14:39:00.656217795 +0100
@@ -1392,6 +1392,7 @@
        ')
 
        allow $1 self:capability sys_rawio;
+       allow $1 self:lockdown confidentiality;
        read_files_pattern($1, proc_t, proc_kcore_t)
        list_dirs_pattern($1, proc_t, proc_t)
 
@@ -4283,3 +4284,17 @@
        allow $1 unlabeled_t:file { mmap_exec_file_perms ioctl lock };
 ')
 
+########################################
+## <summary>
+##     Allow the caller load a new kernel
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`kernel_kexec_load',`
+       allow $1 self:capability sys_boot;
+       allow $1 self:lockdown integrity;
+')
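Review bot: The summary of `kernel_kexec_load` understates what the interface grants. `sys_boot` is the capability that also covers reboot(2), not only loading a kernel, and `lockdown integrity` is granted alongside it. The sentence is also missing a word ("Allow the caller load"). Suggest `##     Allow the caller to load a new kernel (grants sys_boot and lockdown integrity).` so that anyone reviewing a calling module, such as the kdump.te hunk in this update, sees the full scope.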
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/kernel/storage.te 
new/fedora-policy-20210309/policy/modules/kernel/storage.te
--- old/fedora-policy-20210223/policy/modules/kernel/storage.te 2021-02-23 
14:51:08.683163653 +0100
+++ new/fedora-policy-20210309/policy/modules/kernel/storage.te 2021-03-09 
14:39:00.656217795 +0100
@@ -16,6 +16,8 @@
 # /dev/hd* and /dev/sd*.
 #
 type fixed_disk_device_t;
+# Obsoleted in F34: nvme_device_t was merged into fixed_disk_device_t
+typealias fixed_disk_device_t alias nvme_device_t;
 dev_node(fixed_disk_device_t)
 
 neverallow ~{ fixed_disk_raw_read storage_unconfined_type } 
fixed_disk_device_t:{ chr_file blk_file } read;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/kernel/terminal.if 
new/fedora-policy-20210309/policy/modules/kernel/terminal.if
--- old/fedora-policy-20210223/policy/modules/kernel/terminal.if        
2021-02-23 14:51:08.683163653 +0100
+++ new/fedora-policy-20210309/policy/modules/kernel/terminal.if        
2021-03-09 14:39:00.656217795 +0100
@@ -1301,6 +1301,42 @@
 
 ########################################
 ## <summary>
+##     Watch unallocated tty device nodes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`term_watch_unallocated_ttys',`
+       gen_require(`
+               type tty_device_t;
+       ')
+
+       allow $1 tty_device_t:chr_file watch_chr_file_perms;
+')
+
+########################################
+## <summary>
+##     Watch_reads unallocated tty device nodes.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`term_watch_reads_unallocated_ttys',`
+       gen_require(`
+               type tty_device_t;
+       ')
+
+       allow $1 tty_device_t:chr_file watch_reads_chr_file_perms;
+')
+
+########################################
+## <summary>
 ##     Relabel from and to the unallocated
 ##     tty type.
 ## </summary>
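Review bot: The summary of `term_watch_reads_unallocated_ttys` only repeats the permission name ("Watch_reads unallocated tty device nodes."), which does not tell a policy author what is being granted. `watch_reads` governs notifications for read-type events on the node, so `##     Watch for read accesses on unallocated tty device nodes.` would be clearer. In the visible part of this update both new interfaces are used only for init_t, in the init.te hunk.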
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fedora-policy-20210223/policy/modules/roles/staff.te 
new/fedora-policy-20210309/policy/modules/roles/staff.te
--- old/fedora-policy-20210223/policy/modules/roles/staff.te    2021-02-23 
14:51:08.683163653 +0100
+++ new/fedora-policy-20210309/policy/modules/roles/staff.te    2021-03-09 
14:39:00.656217795 +0100
@@ -421,10 +421,6 @@
        ')
 
        optional_policy(`
-               su_role_template(staff, staff_r, staff_t)
-       ')
-
-       optional_policy(`
                systemd_systemctl_entrypoint(staff_t)
        ')
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/roles/unconfineduser.if 
new/fedora-policy-20210309/policy/modules/roles/unconfineduser.if
--- old/fedora-policy-20210223/policy/modules/roles/unconfineduser.if   
2021-02-23 14:51:08.683163653 +0100
+++ new/fedora-policy-20210309/policy/modules/roles/unconfineduser.if   
2021-03-09 14:39:00.656217795 +0100
@@ -91,6 +91,29 @@
 
 ########################################
 ## <summary>
+##     Execute an Xserver session in unconfined domain.  This
+##     is an explicit transition, requiring the
+##     caller to use setexeccon().
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`unconfined_xsession_spec_domtrans',`
+               gen_require(`
+               type unconfined_t;
+       ')
+
+       xserver_xsession_spec_domtrans($1, unconfined_t)
+       allow unconfined_t $1:fd use;
+       allow unconfined_t $1:fifo_file rw_file_perms;
+       allow unconfined_t $1:process sigchld;
+')
+
+########################################
+## <summary>
 ##     Allow unconfined to execute the specified program in
 ##     the specified domain.
 ## </summary>
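Review bot: `unconfined_xsession_spec_domtrans` lets the caller start a process in unconfined_t, but the parameter text says only "Domain allowed to transition." and never names the target. The xserver.te hunk in this update calls it for xdm_t, so the documentation should state the destination, e.g. `##     Domain allowed to transition to unconfined_t.` Separately, the `gen_require(` line is indented one level deeper than its closing `')` and the rest of the body; align it.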
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/roles/unprivuser.te 
new/fedora-policy-20210309/policy/modules/roles/unprivuser.te
--- old/fedora-policy-20210223/policy/modules/roles/unprivuser.te       
2021-02-23 14:51:08.683163653 +0100
+++ new/fedora-policy-20210309/policy/modules/roles/unprivuser.te       
2021-03-09 14:39:00.656217795 +0100
@@ -250,13 +250,6 @@
        optional_policy(`
                ssh_role_template(user, user_r, user_t)
        ')
-       optional_policy(`
-               su_role_template(user, user_r, user_t)
-       ')
-
-       optional_policy(`
-               sudo_role_template(user, user_r, user_t)
-       ')
 
        optional_policy(`
                systemd_systemctl_entrypoint(user_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/services/xserver.if 
new/fedora-policy-20210309/policy/modules/services/xserver.if
--- old/fedora-policy-20210223/policy/modules/services/xserver.if       
2021-02-23 14:51:08.683163653 +0100
+++ new/fedora-policy-20210309/policy/modules/services/xserver.if       
2021-03-09 14:39:00.660217838 +0100
@@ -1330,6 +1330,25 @@
 
 ########################################
 ## <summary>
+##     Watch xdm config directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit
+##     </summary>
+## </param>
+#
+interface(`xserver_watch_xdm_etc_dirs',`
+       gen_require(`
+               type xdm_etc_t;
+       ')
+
+       files_search_etc($1)
+       watch_dirs_pattern($1, xdm_etc_t, xdm_etc_t)
+')
+
+########################################
+## <summary>
 ##     Read xdm temporary files.
 ## </summary>
 ## <param name="domain">
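Review bot: The parameter description of `xserver_watch_xdm_etc_dirs` says "Domain to not audit", but the body is an allow (`files_search_etc($1)` plus `watch_dirs_pattern($1, xdm_etc_t, xdm_etc_t)`), not a dontaudit. The text looks copied from a dontaudit interface and would mislead someone reading the generated interface documentation. Replace it with `##     Domain allowed access.`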
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/services/xserver.te 
new/fedora-policy-20210309/policy/modules/services/xserver.te
--- old/fedora-policy-20210223/policy/modules/services/xserver.te       
2021-02-23 14:51:08.683163653 +0100
+++ new/fedora-policy-20210309/policy/modules/services/xserver.te       
2021-03-09 14:39:00.660217838 +0100
@@ -1118,6 +1118,7 @@
 
 optional_policy(`
        unconfined_signal(xdm_t)
+       unconfined_xsession_spec_domtrans(xdm_t)
 ')
 
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fedora-policy-20210223/policy/modules/system/init.te 
new/fedora-policy-20210309/policy/modules/system/init.te
--- old/fedora-policy-20210223/policy/modules/system/init.te    2021-02-23 
14:51:08.683163653 +0100
+++ new/fedora-policy-20210309/policy/modules/system/init.te    2021-03-09 
14:39:00.660217838 +0100
@@ -371,6 +371,8 @@
 term_use_all_ptys(init_t)
 term_setattr_all_ptys(init_t)
 term_use_virtio_console(init_t)
+term_watch_unallocated_ttys(init_t)
+term_watch_reads_unallocated_ttys(init_t)
 
 # Run init scripts.
 init_domtrans_script(init_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/system/iptables.fc 
new/fedora-policy-20210309/policy/modules/system/iptables.fc
--- old/fedora-policy-20210223/policy/modules/system/iptables.fc        
2021-02-23 14:51:08.683163653 +0100
+++ new/fedora-policy-20210309/policy/modules/system/iptables.fc        
2021-03-09 14:39:00.660217838 +0100
@@ -12,32 +12,16 @@
 
 /usr/libexec/ipset          --  
gen_context(system_u:object_r:iptables_exec_t,s0)
 
-/sbin/arptables             --  
gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/arptables-restore     --  
gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/arptables-save        --  
gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ebtables                     --  
gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ebtables-restore         --      
gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipchains.*                   --  
gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ip6?tables.*                 --  
gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ip6?tables-restore.*     --      
gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ip6?tables-multi.*       --      
gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipset                 --  
gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipvsadm                      --  
gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipvsadm-restore          --      
gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipvsadm-save                 --  
gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/nft                      --      
gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/xtables-multi                --  
gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/xtables-legacy-multi             --      
gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/xtables-nft-multi                --      
gen_context(system_u:object_r:iptables_exec_t,s0)
-
 /usr/sbin/arptables         --  
gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/arptables-legacy      --  
gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/arptables-restore     --  
gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/arptables-save        --  
gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/conntrack                --  
gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ebtables                 --  
gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ebtables-legacy          --  
gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ebtables-restore     --      
gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipchains.*           --      
gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ip6?tables.*         --      
gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ip6?tables-restore.* --      
gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ip6?tables-multi.*   --      
gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipset             --  
gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipvsadm                  --  
gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipvsadm-restore      --      
gen_context(system_u:object_r:iptables_exec_t,s0)
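Review bot: Every `/sbin/...` entry is dropped here, including `/sbin/nft`, `/sbin/xtables-multi`, `/sbin/xtables-legacy-multi` and `/sbin/xtables-nft-multi`, while the visible `/usr/sbin` additions cover only arptables-legacy/-restore/-save and ebtables-legacy. The labels therefore depend on a `/sbin` to `/usr/sbin` equivalence in file_contexts.subs_dist and on `/usr/sbin` entries for nft and xtables-* further down the file; neither is visible on this page, since the hunk ends before the end of the list. If either is missing, those binaries would get a generic label instead of iptables_exec_t and presumably would not transition into the confined firewall domain. Running `matchpathcon /sbin/nft /usr/sbin/xtables-nft-multi` against the built policy would confirm the result.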
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/system/locallogin.te 
new/fedora-policy-20210309/policy/modules/system/locallogin.te
--- old/fedora-policy-20210223/policy/modules/system/locallogin.te      
2021-02-23 14:51:08.683163653 +0100
+++ new/fedora-policy-20210309/policy/modules/system/locallogin.te      
2021-03-09 14:39:00.660217838 +0100
@@ -113,6 +113,7 @@
 
 fs_search_auto_mountpoints(local_login_t)
 fs_getattr_cgroup(local_login_t)
+fs_getattr_xattr_fs(local_login_t)
 
 storage_dontaudit_getattr_fixed_disk_dev(local_login_t)
 storage_dontaudit_setattr_fixed_disk_dev(local_login_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/system/systemd.if 
new/fedora-policy-20210309/policy/modules/system/systemd.if
--- old/fedora-policy-20210223/policy/modules/system/systemd.if 2021-02-23 
14:51:08.687163662 +0100
+++ new/fedora-policy-20210309/policy/modules/system/systemd.if 2021-03-09 
14:39:00.664217882 +0100
@@ -102,7 +102,7 @@
        systemd_login_read_pid_files($1)
        systemd_passwd_agent_exec($1)
 
-       dontaudit $1 self:capability net_admin;
+       dontaudit $1 self:capability { net_admin sys_ptrace };
 ')
 #
 ########################################
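Review bot: Adding `sys_ptrace` to this `dontaudit` rule silences the denial for every domain that calls the interface, whose header is outside the hunk, and no comment says which caller triggers it or why the denial is harmless. A suppressed denial leaves no AVC record, so an unexpected attempt to use that capability in one of those domains would go unlogged. Suggest a comment above the rule naming the benign source, e.g. `# <caller> inspects other processes in /proc; the denial is expected`, with the placeholder filled in from the bug that motivated the change. When investigating these domains, rebuild with `semodule -DB` so dontaudit rules are disabled.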
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/modules/system/systemd.te 
new/fedora-policy-20210309/policy/modules/system/systemd.te
--- old/fedora-policy-20210223/policy/modules/system/systemd.te 2021-02-23 
14:51:08.687163662 +0100
+++ new/fedora-policy-20210309/policy/modules/system/systemd.te 2021-03-09 
14:39:00.664217882 +0100
@@ -849,6 +849,10 @@
         dbus_connect_system_bus(systemd_hostnamed_t)
 ')
 
+optional_policy(`
+       udev_read_pid_files(systemd_hostnamed_t)
+')
+
 #######################################
 #
 # rfkill policy
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210223/policy/support/obj_perm_sets.spt 
new/fedora-policy-20210309/policy/support/obj_perm_sets.spt
--- old/fedora-policy-20210223/policy/support/obj_perm_sets.spt 2021-02-23 
14:51:08.687163662 +0100
+++ new/fedora-policy-20210309/policy/support/obj_perm_sets.spt 2021-03-09 
14:39:00.664217882 +0100
@@ -275,6 +275,7 @@
 define(`relabelto_chr_file_perms',`{ getattr relabelto }')
 define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
 define(`watch_chr_file_perms',`{ getattr watch }')
+define(`watch_reads_chr_file_perms',`{ getattr watch_reads }')
 
 ########################################
 #

++++++ file_contexts.subs_dist ++++++
--- /var/tmp/diff_new_pack.ZfSSdA/_old  2021-03-24 16:08:59.667689800 +0100
+++ /var/tmp/diff_new_pack.ZfSSdA/_new  2021-03-24 16:08:59.667689800 +0100
@@ -14,3 +14,4 @@
 /var/run/netconfig /etc
 /var/adm/netconfig/md5/etc /etc
 /var/adm/netconfig/md5/var /var
+/usr/etc /etc

++++++ fix_chronyd.patch ++++++
--- /var/tmp/diff_new_pack.ZfSSdA/_old  2021-03-24 16:08:59.687689821 +0100
+++ /var/tmp/diff_new_pack.ZfSSdA/_new  2021-03-24 16:08:59.687689821 +0100
@@ -1,8 +1,8 @@
-Index: fedora-policy/policy/modules/contrib/chronyd.te
+Index: fedora-policy-20210309/policy/modules/contrib/chronyd.te
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/chronyd.te
-+++ fedora-policy/policy/modules/contrib/chronyd.te
-@@ -136,6 +136,14 @@ systemd_exec_systemctl(chronyd_t)
+--- fedora-policy-20210309.orig/policy/modules/contrib/chronyd.te
++++ fedora-policy-20210309/policy/modules/contrib/chronyd.te
+@@ -140,6 +140,14 @@ systemd_exec_systemctl(chronyd_t)
  userdom_dgram_send(chronyd_t)
  
  optional_policy(`
@@ -17,10 +17,10 @@
      cron_dgram_send(chronyd_t)
  ')
  
-Index: fedora-policy/policy/modules/contrib/chronyd.fc
+Index: fedora-policy-20210309/policy/modules/contrib/chronyd.fc
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/chronyd.fc
-+++ fedora-policy/policy/modules/contrib/chronyd.fc
+--- fedora-policy-20210309.orig/policy/modules/contrib/chronyd.fc
++++ fedora-policy-20210309/policy/modules/contrib/chronyd.fc
 @@ -6,6 +6,7 @@
  
  /usr/sbin/chronyd     --      gen_context(system_u:object_r:chronyd_exec_t,s0)

++++++ fix_cron.patch ++++++
--- /var/tmp/diff_new_pack.ZfSSdA/_old  2021-03-24 16:08:59.703689838 +0100
+++ /var/tmp/diff_new_pack.ZfSSdA/_new  2021-03-24 16:08:59.703689838 +0100
@@ -1,7 +1,7 @@
-Index: fedora-policy/policy/modules/contrib/cron.fc
+Index: fedora-policy-20210309/policy/modules/contrib/cron.fc
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/cron.fc
-+++ fedora-policy/policy/modules/contrib/cron.fc
+--- fedora-policy-20210309.orig/policy/modules/contrib/cron.fc
++++ fedora-policy-20210309/policy/modules/contrib/cron.fc
 @@ -34,7 +34,7 @@
  
  /var/spool/cron                       -d      
gen_context(system_u:object_r:user_cron_spool_t,s0)
@@ -21,11 +21,11 @@
 -/var/spool/cron/lastrun/[^/]* --      <<none>>
 -/var/spool/cron/tabs          -d      
gen_context(system_u:object_r:cron_spool_t,s0)
 -')
-Index: fedora-policy/policy/modules/contrib/cron.if
+Index: fedora-policy-20210309/policy/modules/contrib/cron.if
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/cron.if
-+++ fedora-policy/policy/modules/contrib/cron.if
-@@ -1031,7 +1031,7 @@ interface(`cron_generic_log_filetrans_lo
+--- fedora-policy-20210309.orig/policy/modules/contrib/cron.if
++++ fedora-policy-20210309/policy/modules/contrib/cron.if
+@@ -1057,7 +1057,7 @@ interface(`cron_generic_log_filetrans_lo
  #
  interface(`cron_system_spool_entrypoint',`
        gen_require(`

++++++ fix_hadoop.patch ++++++
--- /var/tmp/diff_new_pack.ZfSSdA/_old  2021-03-24 16:08:59.731689867 +0100
+++ /var/tmp/diff_new_pack.ZfSSdA/_new  2021-03-24 16:08:59.731689867 +0100
@@ -1,8 +1,8 @@
-Index: fedora-policy/policy/modules/roles/sysadm.te
+Index: fedora-policy-20210309/policy/modules/roles/sysadm.te
 ===================================================================
---- fedora-policy.orig/policy/modules/roles/sysadm.te
-+++ fedora-policy/policy/modules/roles/sysadm.te
-@@ -293,10 +293,6 @@ optional_policy(`
+--- fedora-policy-20210309.orig/policy/modules/roles/sysadm.te
++++ fedora-policy-20210309/policy/modules/roles/sysadm.te
+@@ -298,10 +298,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13,10 +13,10 @@
      iotop_run(sysadm_t, sysadm_r)
  ')
  
-Index: fedora-policy/policy/modules/roles/unprivuser.te
+Index: fedora-policy-20210309/policy/modules/roles/unprivuser.te
 ===================================================================
---- fedora-policy.orig/policy/modules/roles/unprivuser.te
-+++ fedora-policy/policy/modules/roles/unprivuser.te
+--- fedora-policy-20210309.orig/policy/modules/roles/unprivuser.te
++++ fedora-policy-20210309/policy/modules/roles/unprivuser.te
 @@ -200,10 +200,6 @@ ifndef(`distro_redhat',`
        ')
  

++++++ fix_init.patch ++++++
--- /var/tmp/diff_new_pack.ZfSSdA/_old  2021-03-24 16:08:59.739689876 +0100
+++ /var/tmp/diff_new_pack.ZfSSdA/_new  2021-03-24 16:08:59.743689880 +0100
@@ -1,6 +1,8 @@
---- fedora-policy/policy/modules/system/init.if        2021-02-23 
14:51:08.683163653 +0100
-+++ fedora-policy/policy/modules/system/init.if        2021-02-23 
15:04:46.397087937 +0100
-@@ -3242,6 +3242,7 @@
+Index: fedora-policy-20210309/policy/modules/system/init.if
+===================================================================
+--- fedora-policy-20210309.orig/policy/modules/system/init.if
++++ fedora-policy-20210309/policy/modules/system/init.if
+@@ -3242,6 +3242,7 @@ interface(`init_filetrans_named_content'
        files_etc_filetrans($1, machineid_t, file, "machine-id" )
        files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
        init_pid_filetrans($1, systemd_unit_file_t, dir, "generator")
@@ -8,17 +10,20 @@
        init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
  ')
  
---- fedora-policy/policy/modules/system/init.te        2021-02-23 
14:51:08.683163653 +0100
-+++ fedora-policy/policy/modules/system/init.te        2021-02-23 
15:06:10.293290652 +0100
-@@ -262,6 +262,7 @@
+Index: fedora-policy-20210309/policy/modules/system/init.te
+===================================================================
+--- fedora-policy-20210309.orig/policy/modules/system/init.te
++++ fedora-policy-20210309/policy/modules/system/init.te
+@@ -262,6 +262,8 @@ corecmd_exec_bin(init_t)
  corenet_all_recvfrom_netlabel(init_t)
  corenet_tcp_bind_all_ports(init_t)
  corenet_udp_bind_all_ports(init_t)
 +corenet_udp_bind_generic_node(init_t)
++corenet_tcp_bind_generic_node(init_t)
  
  dev_create_all_files(init_t)
  dev_create_all_chr_files(init_t)
-@@ -388,6 +389,7 @@
+@@ -390,6 +391,7 @@ logging_manage_audit_config(init_t)
  logging_create_syslog_netlink_audit_socket(init_t)
  logging_write_var_log_dirs(init_t)
  logging_manage_var_log_symlinks(init_t)
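Review bot: The added `corenet_tcp_bind_generic_node(init_t)` rule in the init.te part of fix_init.patch carries no comment, so a later refresh has nothing tying it to the sd-listen fix named in the changelog (bsc#1183177). Together with the `corenet_tcp_bind_all_ports(init_t)` context line just above it, init_t can bind TCP sockets on any port on generic nodes. That is presumably what socket activation needs, but it is a broad grant for the init domain and should be recorded as deliberate. I would put a policy comment above the two node-bind rules, for example `# socket activation: systemd binds ListenStream=/ListenDatagram= sockets itself (bsc#1183177)`, and adjust the inner hunk's line count to match. The init.te block these rules belong to continues outside this hunk.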
@@ -26,7 +31,7 @@
  
  seutil_read_config(init_t)
  seutil_read_login_config(init_t)
-@@ -437,11 +439,16 @@
+@@ -439,11 +441,16 @@ ifdef(`distro_redhat',`
  corecmd_shell_domtrans(init_t, initrc_t)
  
  storage_raw_rw_fixed_disk(init_t)
@@ -43,7 +48,7 @@
      bootloader_domtrans(init_t)
  ')
  
-@@ -555,10 +562,10 @@
+@@ -557,10 +564,10 @@ tunable_policy(`init_create_dirs',`
  allow init_t self:system all_system_perms;
  allow init_t self:system module_load;
  allow init_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -56,7 +61,7 @@
  allow init_t self:netlink_selinux_socket create_socket_perms;
  allow init_t self:unix_dgram_socket lock;
  # Until systemd is fixed
-@@ -616,6 +623,7 @@
+@@ -618,6 +625,7 @@ files_delete_all_spool_sockets(init_t)
  files_create_var_lib_dirs(init_t)
  files_create_var_lib_symlinks(init_t)
  files_read_var_lib_symlinks(init_t)
@@ -64,7 +69,7 @@
  files_manage_urandom_seed(init_t)
  files_list_locks(init_t)
  files_list_spool(init_t)
-@@ -652,7 +660,7 @@
+@@ -654,7 +662,7 @@ fs_list_all(init_t)
  fs_list_auto_mountpoints(init_t)
  fs_register_binary_executable_type(init_t)
  fs_relabel_tmpfs_sock_file(init_t)
@@ -73,7 +78,7 @@
  fs_relabel_cgroup_dirs(init_t)
  fs_search_cgroup_dirs(init_t)
  # for network namespaces
-@@ -708,6 +716,7 @@
+@@ -710,6 +718,7 @@ systemd_write_inherited_logind_sessions_
  create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
  
  create_dirs_pattern(init_t, var_log_t, var_log_t)
@@ -81,7 +86,7 @@
  
  auth_use_nsswitch(init_t)
  auth_rw_login_records(init_t)
-@@ -1561,6 +1570,8 @@
+@@ -1563,6 +1572,8 @@ optional_policy(`
  
  optional_policy(`
        postfix_list_spool(initrc_t)

++++++ fix_iptables.patch ++++++
--- /var/tmp/diff_new_pack.ZfSSdA/_old  2021-03-24 16:08:59.751689888 +0100
+++ /var/tmp/diff_new_pack.ZfSSdA/_new  2021-03-24 16:08:59.751689888 +0100
@@ -1,8 +1,8 @@
-Index: fedora-policy/policy/modules/system/iptables.te
+Index: fedora-policy-20210309/policy/modules/system/iptables.te
 ===================================================================
---- fedora-policy.orig/policy/modules/system/iptables.te       2020-02-19 
09:36:25.440182406 +0000
-+++ fedora-policy/policy/modules/system/iptables.te    2020-02-21 
12:19:23.060595602 +0000
-@@ -76,6 +76,7 @@ kernel_read_network_state(iptables_t)
+--- fedora-policy-20210309.orig/policy/modules/system/iptables.te
++++ fedora-policy-20210309/policy/modules/system/iptables.te
+@@ -74,6 +74,7 @@ kernel_read_network_state(iptables_t)
  kernel_read_kernel_sysctls(iptables_t)
  kernel_use_fds(iptables_t)
  kernel_rw_net_sysctls(iptables_t)

++++++ fix_logging.patch ++++++
--- /var/tmp/diff_new_pack.ZfSSdA/_old  2021-03-24 16:08:59.771689909 +0100
+++ /var/tmp/diff_new_pack.ZfSSdA/_new  2021-03-24 16:08:59.771689909 +0100
@@ -1,7 +1,7 @@
-Index: fedora-policy/policy/modules/system/logging.fc
+Index: fedora-policy-20210309/policy/modules/system/logging.fc
 ===================================================================
---- fedora-policy.orig/policy/modules/system/logging.fc
-+++ fedora-policy/policy/modules/system/logging.fc
+--- fedora-policy-20210309.orig/policy/modules/system/logging.fc
++++ fedora-policy-20210309/policy/modules/system/logging.fc
 @@ -3,6 +3,8 @@
  /etc/rsyslog.conf             gen_context(system_u:object_r:syslog_conf_t,s0)
  /etc/syslog.conf              gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -19,11 +19,11 @@
  /var/run/systemd/journal/syslog       -s      
gen_context(system_u:object_r:devlog_t,mls_systemhigh)
  
  /var/spool/audit(/.*)?                
gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
-Index: fedora-policy/policy/modules/system/logging.if
+Index: fedora-policy-20210309/policy/modules/system/logging.if
 ===================================================================
---- fedora-policy.orig/policy/modules/system/logging.if
-+++ fedora-policy/policy/modules/system/logging.if
-@@ -1686,3 +1686,22 @@ interface(`logging_dgram_send',`
+--- fedora-policy-20210309.orig/policy/modules/system/logging.if
++++ fedora-policy-20210309/policy/modules/system/logging.if
+@@ -1722,3 +1722,22 @@ interface(`logging_dgram_send',`
  
        allow $1 syslogd_t:unix_dgram_socket sendto;
  ')

++++++ fix_networkmanager.patch ++++++
--- /var/tmp/diff_new_pack.ZfSSdA/_old  2021-03-24 16:08:59.791689930 +0100
+++ /var/tmp/diff_new_pack.ZfSSdA/_new  2021-03-24 16:08:59.791689930 +0100
@@ -1,8 +1,8 @@
-Index: fedora-policy/policy/modules/contrib/networkmanager.te
+Index: fedora-policy-20210309/policy/modules/contrib/networkmanager.te
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/networkmanager.te
-+++ fedora-policy/policy/modules/contrib/networkmanager.te
-@@ -236,6 +236,9 @@ userdom_read_home_certs(NetworkManager_t
+--- fedora-policy-20210309.orig/policy/modules/contrib/networkmanager.te
++++ fedora-policy-20210309/policy/modules/contrib/networkmanager.te
+@@ -241,6 +241,9 @@ userdom_read_home_certs(NetworkManager_t
  userdom_read_user_home_content_files(NetworkManager_t)
  userdom_dgram_send(NetworkManager_t)
  
@@ -12,7 +12,7 @@
  tunable_policy(`use_nfs_home_dirs',`
      fs_read_nfs_files(NetworkManager_t)
  ')
-@@ -253,6 +256,14 @@ optional_policy(`
+@@ -258,6 +261,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27,10 +27,10 @@
        bind_domtrans(NetworkManager_t)
        bind_manage_cache(NetworkManager_t)
        bind_kill(NetworkManager_t)
-Index: fedora-policy/policy/modules/contrib/networkmanager.if
+Index: fedora-policy-20210309/policy/modules/contrib/networkmanager.if
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/networkmanager.if
-+++ fedora-policy/policy/modules/contrib/networkmanager.if
+--- fedora-policy-20210309.orig/policy/modules/contrib/networkmanager.if
++++ fedora-policy-20210309/policy/modules/contrib/networkmanager.if
 @@ -114,6 +114,24 @@ interface(`networkmanager_initrc_domtran
          init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
  ')

++++++ fix_nscd.patch ++++++
--- /var/tmp/diff_new_pack.ZfSSdA/_old  2021-03-24 16:08:59.803689943 +0100
+++ /var/tmp/diff_new_pack.ZfSSdA/_new  2021-03-24 16:08:59.803689943 +0100
@@ -1,7 +1,7 @@
-Index: fedora-policy/policy/modules/contrib/nscd.fc
+Index: fedora-policy-20210309/policy/modules/contrib/nscd.fc
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/nscd.fc
-+++ fedora-policy/policy/modules/contrib/nscd.fc
+--- fedora-policy-20210309.orig/policy/modules/contrib/nscd.fc
++++ fedora-policy-20210309/policy/modules/contrib/nscd.fc
 @@ -8,8 +8,10 @@
  /var/log/nscd\.log.*  --      gen_context(system_u:object_r:nscd_log_t,s0)
  
@@ -14,11 +14,11 @@
  
  /usr/lib/systemd/system/nscd\.service -- 
gen_context(system_u:object_r:nscd_unit_file_t,s0)
 +
-Index: fedora-policy/policy/modules/contrib/nscd.te
+Index: fedora-policy-20210309/policy/modules/contrib/nscd.te
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/nscd.te
-+++ fedora-policy/policy/modules/contrib/nscd.te
-@@ -127,6 +127,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns
+--- fedora-policy-20210309.orig/policy/modules/contrib/nscd.te
++++ fedora-policy-20210309/policy/modules/contrib/nscd.te
+@@ -131,6 +131,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns
  userdom_dontaudit_search_user_home_dirs(nscd_t)
  
  optional_policy(`

++++++ fix_rpm.patch ++++++
--- /var/tmp/diff_new_pack.ZfSSdA/_old  2021-03-24 16:08:59.823689964 +0100
+++ /var/tmp/diff_new_pack.ZfSSdA/_new  2021-03-24 16:08:59.823689964 +0100
@@ -1,8 +1,8 @@
-Index: fedora-policy/policy/modules/contrib/rpm.fc
+Index: fedora-policy-20210309/policy/modules/contrib/rpm.fc
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/rpm.fc
-+++ fedora-policy/policy/modules/contrib/rpm.fc
-@@ -17,6 +17,10 @@
+--- fedora-policy-20210309.orig/policy/modules/contrib/rpm.fc
++++ fedora-policy-20210309/policy/modules/contrib/rpm.fc
+@@ -18,6 +18,10 @@
  /usr/bin/repoquery            --      
gen_context(system_u:object_r:rpm_exec_t,s0)            
  /usr/bin/zif                  --      
gen_context(system_u:object_r:rpm_exec_t,s0)
  
@@ -13,7 +13,7 @@
  /usr/libexec/packagekitd      --      
gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/libexec/yumDBUSBackend.py        --      
gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt  --  
gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -54,6 +58,8 @@ ifdef(`distro_redhat', `
+@@ -55,6 +59,8 @@ ifdef(`distro_redhat', `
  /var/cache/yum(/.*)?                  
gen_context(system_u:object_r:rpm_var_cache_t,s0)
  /var/cache/dnf(/.*)?                  
gen_context(system_u:object_r:rpm_var_cache_t,s0)
  
@@ -22,11 +22,11 @@
  /var/lib/alternatives(/.*)?           
gen_context(system_u:object_r:rpm_var_lib_t,s0)
  /var/lib/PackageKit(/.*)?             
gen_context(system_u:object_r:rpm_var_lib_t,s0)
  /var/lib/rpm(/.*)?                    
gen_context(system_u:object_r:rpm_var_lib_t,s0)
-Index: fedora-policy/policy/modules/contrib/rpm.if
+Index: fedora-policy-20210309/policy/modules/contrib/rpm.if
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/rpm.if
-+++ fedora-policy/policy/modules/contrib/rpm.if
-@@ -431,8 +431,10 @@ interface(`rpm_named_filetrans',`
+--- fedora-policy-20210309.orig/policy/modules/contrib/rpm.if
++++ fedora-policy-20210309/policy/modules/contrib/rpm.if
+@@ -476,8 +476,10 @@ interface(`rpm_named_filetrans',`
        logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
        logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log")
        logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
@@ -37,10 +37,10 @@
        files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf")
        files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum")
        files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm")
-Index: fedora-policy/policy/modules/kernel/files.fc
+Index: fedora-policy-20210309/policy/modules/kernel/files.fc
 ===================================================================
---- fedora-policy.orig/policy/modules/kernel/files.fc
-+++ fedora-policy/policy/modules/kernel/files.fc
+--- fedora-policy-20210309.orig/policy/modules/kernel/files.fc
++++ fedora-policy-20210309/policy/modules/kernel/files.fc
 @@ -67,6 +67,7 @@ ifdef(`distro_suse',`
  /etc/sysconfig/ipvsadm.*                --      
gen_context(system_u:object_r:system_conf_t,s0)
  /etc/sysconfig/system-config-firewall.* --      
gen_context(system_u:object_r:system_conf_t,s0)

++++++ fix_selinuxutil.patch ++++++
--- /var/tmp/diff_new_pack.ZfSSdA/_old  2021-03-24 16:08:59.835689977 +0100
+++ /var/tmp/diff_new_pack.ZfSSdA/_new  2021-03-24 16:08:59.835689977 +0100
@@ -1,7 +1,7 @@
-Index: fedora-policy/policy/modules/system/selinuxutil.te
+Index: fedora-policy-20210309/policy/modules/system/selinuxutil.te
 ===================================================================
---- fedora-policy.orig/policy/modules/system/selinuxutil.te    2020-02-19 
09:36:25.444182470 +0000
-+++ fedora-policy/policy/modules/system/selinuxutil.te 2020-02-24 
07:57:26.556813139 +0000
+--- fedora-policy-20210309.orig/policy/modules/system/selinuxutil.te
++++ fedora-policy-20210309/policy/modules/system/selinuxutil.te
 @@ -238,6 +238,10 @@ ifdef(`hide_broken_symptoms',`
  ')
  
@@ -13,7 +13,7 @@
        portage_dontaudit_use_fds(load_policy_t)
  ')
  
-@@ -613,6 +617,10 @@ logging_send_audit_msgs(setfiles_t)
+@@ -619,6 +623,10 @@ logging_send_audit_msgs(setfiles_t)
  logging_send_syslog_msg(setfiles_t)
  
  optional_policy(`
@@ -24,10 +24,10 @@
      cloudform_dontaudit_write_cloud_log(setfiles_t)
  ')
  
-Index: fedora-policy/policy/modules/system/selinuxutil.if
+Index: fedora-policy-20210309/policy/modules/system/selinuxutil.if
 ===================================================================
---- fedora-policy.orig/policy/modules/system/selinuxutil.if
-+++ fedora-policy/policy/modules/system/selinuxutil.if
+--- fedora-policy-20210309.orig/policy/modules/system/selinuxutil.if
++++ fedora-policy-20210309/policy/modules/system/selinuxutil.if
 @@ -777,6 +777,8 @@ interface(`seutil_dontaudit_read_config'
  
        dontaudit $1 selinux_config_t:dir search_dir_perms;

++++++ fix_systemd.patch ++++++
--- /var/tmp/diff_new_pack.ZfSSdA/_old  2021-03-24 16:08:59.855689998 +0100
+++ /var/tmp/diff_new_pack.ZfSSdA/_new  2021-03-24 16:08:59.855689998 +0100
@@ -1,8 +1,8 @@
-Index: fedora-policy/policy/modules/system/systemd.te
+Index: fedora-policy-20210309/policy/modules/system/systemd.te
 ===================================================================
---- fedora-policy.orig/policy/modules/system/systemd.te
-+++ fedora-policy/policy/modules/system/systemd.te
-@@ -332,6 +332,10 @@ userdom_manage_user_tmp_chr_files(system
+--- fedora-policy-20210309.orig/policy/modules/system/systemd.te
++++ fedora-policy-20210309/policy/modules/system/systemd.te
+@@ -347,6 +347,10 @@ userdom_manage_user_tmp_chr_files(system
  xserver_dbus_chat(systemd_logind_t)
  
  optional_policy(`
@@ -13,8 +13,8 @@
        apache_read_tmp_files(systemd_logind_t)
  ')
  
-@@ -828,6 +832,10 @@ optional_policy(`
-         dbus_connect_system_bus(systemd_hostnamed_t)
+@@ -853,6 +857,10 @@ optional_policy(`
+       udev_read_pid_files(systemd_hostnamed_t)
  ')
  
 +optional_policy(`

++++++ fix_unconfineduser.patch ++++++
--- /var/tmp/diff_new_pack.ZfSSdA/_old  2021-03-24 16:08:59.867690010 +0100
+++ /var/tmp/diff_new_pack.ZfSSdA/_new  2021-03-24 16:08:59.871690014 +0100
@@ -1,8 +1,8 @@
-Index: fedora-policy/policy/modules/roles/unconfineduser.te
+Index: fedora-policy-20210309/policy/modules/roles/unconfineduser.te
 ===================================================================
---- fedora-policy.orig/policy/modules/roles/unconfineduser.te
-+++ fedora-policy/policy/modules/roles/unconfineduser.te
-@@ -120,6 +120,11 @@ tunable_policy(`unconfined_dyntrans_all'
+--- fedora-policy-20210309.orig/policy/modules/roles/unconfineduser.te
++++ fedora-policy-20210309/policy/modules/roles/unconfineduser.te
+@@ -124,6 +124,11 @@ tunable_policy(`unconfined_dyntrans_all'
      domain_dyntrans(unconfined_t)
  ')
  
@@ -14,7 +14,7 @@
  optional_policy(`
        gen_require(`
                type unconfined_t;
-@@ -210,6 +215,10 @@ optional_policy(`
+@@ -214,6 +219,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -25,7 +25,7 @@
        chrome_role_notrans(unconfined_r, unconfined_t)
  
        tunable_policy(`unconfined_chrome_sandbox_transition',`
-@@ -244,6 +253,18 @@ optional_policy(`
+@@ -248,6 +257,18 @@ optional_policy(`
        dbus_stub(unconfined_t)
  
        optional_policy(`

++++++ fix_unprivuser.patch ++++++
--- /var/tmp/diff_new_pack.ZfSSdA/_old  2021-03-24 16:08:59.879690022 +0100
+++ /var/tmp/diff_new_pack.ZfSSdA/_new  2021-03-24 16:08:59.879690022 +0100
@@ -1,8 +1,8 @@
-Index: fedora-policy/policy/modules/roles/unprivuser.te
+Index: fedora-policy-20210309/policy/modules/roles/unprivuser.te
 ===================================================================
---- fedora-policy.orig/policy/modules/roles/unprivuser.te
-+++ fedora-policy/policy/modules/roles/unprivuser.te
-@@ -289,6 +289,13 @@ ifndef(`distro_redhat',`
+--- fedora-policy-20210309.orig/policy/modules/roles/unprivuser.te
++++ fedora-policy-20210309/policy/modules/roles/unprivuser.te
+@@ -282,6 +282,13 @@ ifndef(`distro_redhat',`
  ')
  
  optional_policy(`

++++++ fix_usermanage.patch ++++++
--- /var/tmp/diff_new_pack.ZfSSdA/_old  2021-03-24 16:08:59.891690035 +0100
+++ /var/tmp/diff_new_pack.ZfSSdA/_new  2021-03-24 16:08:59.891690035 +0100
@@ -1,7 +1,7 @@
-Index: fedora-policy/policy/modules/admin/usermanage.te
+Index: fedora-policy-20210309/policy/modules/admin/usermanage.te
 ===================================================================
---- fedora-policy.orig/policy/modules/admin/usermanage.te
-+++ fedora-policy/policy/modules/admin/usermanage.te
+--- fedora-policy-20210309.orig/policy/modules/admin/usermanage.te
++++ fedora-policy-20210309/policy/modules/admin/usermanage.te
 @@ -226,6 +226,7 @@ allow groupadd_t self:unix_dgram_socket
  allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
  allow groupadd_t self:unix_dgram_socket sendto;
@@ -10,7 +10,7 @@
  
  fs_getattr_xattr_fs(groupadd_t)
  fs_search_auto_mountpoints(groupadd_t)
-@@ -530,6 +531,7 @@ allow useradd_t self:unix_dgram_socket c
+@@ -529,6 +530,7 @@ allow useradd_t self:unix_dgram_socket c
  allow useradd_t self:unix_stream_socket create_stream_socket_perms;
  allow useradd_t self:unix_dgram_socket sendto;
  allow useradd_t self:unix_stream_socket connectto;
@@ -18,7 +18,7 @@
  
  manage_dirs_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
  manage_files_pattern(useradd_t, useradd_var_run_t, useradd_var_run_t)
-@@ -538,6 +540,8 @@ files_pid_filetrans(useradd_t, useradd_v
+@@ -537,6 +539,8 @@ files_pid_filetrans(useradd_t, useradd_v
  # for getting the number of groups
  kernel_read_kernel_sysctls(useradd_t)
  
