Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2021-04-22 18:03:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.12324 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Thu Apr 22 18:03:46 2021 rev:9 rq:886701 version:20210419 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2021-03-24 16:08:57.751687790 +0100 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.12324/selinux-policy.changes 2021-04-22 18:04:22.734544739 +0200 @@ -1,0 +2,10 @@ +Mon Apr 19 11:37:49 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Update to version 20210419 +- Refreshed: + * fix_dbus.patch + * fix_hadoop.patch + * fix_init.patch + * fix_unprivuser.patch + +------------------------------------------------------------------- Old: ---- fedora-policy-20210309.tar.bz2 New: ---- fedora-policy-20210419.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.tElr3W/_old 2021-04-22 18:04:23.710546228 +0200 +++ /var/tmp/diff_new_pack.tElr3W/_new 2021-04-22 18:04:23.710546228 +0200 @@ -33,7 +33,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20210309 +Version: 20210419 Release: 0 Source: fedora-policy-%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc ++++++ fedora-policy-20210309.tar.bz2 -> fedora-policy-20210419.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/admin/netutils.te new/fedora-policy-20210419/policy/modules/admin/netutils.te --- old/fedora-policy-20210309/policy/modules/admin/netutils.te 2021-03-09 14:39:00.564216789 +0100 +++ new/fedora-policy-20210419/policy/modules/admin/netutils.te 2021-04-19 13:33:08.660895600 +0200 
@@ -36,6 +36,7 @@ allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot setpcap }; dontaudit netutils_t self:capability { sys_admin sys_tty_config }; allow netutils_t self:process { setcap signal_perms }; +allow netutils_t self:netlink_generic_socket create_socket_perms; allow netutils_t self:netlink_rdma_socket create_socket_perms; allow netutils_t self:netlink_route_socket create_netlink_socket_perms; allow netutils_t self:netlink_socket create_socket_perms; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/accountsd.if new/fedora-policy-20210419/policy/modules/contrib/accountsd.if --- old/fedora-policy-20210309/policy/modules/contrib/accountsd.if 2021-03-09 14:39:00.564216789 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/accountsd.if 2021-04-19 13:33:08.664895649 +0200 @@ -81,6 +81,25 @@ ######################################## ## <summary> +## Watch accountsd lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`accountsd_watch_lib',` + gen_require(` + type accountsd_var_lib_t; + ') + + files_search_var_lib($1) + watch_dirs_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t) +') + +######################################## +## <summary> ## Read accountsd lib files. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/accountsd.te new/fedora-policy-20210419/policy/modules/contrib/accountsd.te --- old/fedora-policy-20210309/policy/modules/contrib/accountsd.te 2021-03-09 14:39:00.564216789 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/accountsd.te 2021-04-19 13:33:08.664895649 +0200 
@@ -49,6 +49,7 @@ files_read_usr_files(accountsd_t) files_watch_etc_dirs(accountsd_t) +fs_getattr_cgroup(accountsd_t) fs_getattr_xattr_fs(accountsd_t) fs_list_inotifyfs(accountsd_t) fs_read_noxattr_fs_files(accountsd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/aide.te new/fedora-policy-20210419/policy/modules/contrib/aide.te --- old/fedora-policy-20210309/policy/modules/contrib/aide.te 2021-03-09 14:39:00.568216833 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/aide.te 2021-04-19 13:33:08.664895649 +0200 @@ -62,6 +62,10 @@ ') optional_policy(` + systemd_userdbd_stream_connect(aide_t) +') + +optional_policy(` sssd_stream_connect(aide_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/anaconda.te new/fedora-policy-20210419/policy/modules/contrib/anaconda.te --- old/fedora-policy-20210309/policy/modules/contrib/anaconda.te 2021-03-09 14:39:00.568216833 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/anaconda.te 2021-04-19 13:33:08.668895697 +0200 @@ -85,6 +85,7 @@ systemd_dbus_chat_localed(install_t) systemd_dbus_chat_logind(install_t) init_dbus_chat(install_t) +init_nnp_daemon_domain(install_t) tunable_policy(`deny_ptrace',`',` domain_ptrace_all_domains(install_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/arpwatch.te new/fedora-policy-20210419/policy/modules/contrib/arpwatch.te --- old/fedora-policy-20210309/policy/modules/contrib/arpwatch.te 2021-03-09 14:39:00.572216877 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/arpwatch.te 2021-04-19 13:33:08.668895697 +0200 
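Review bot: `init_nnp_daemon_domain(install_t)` at @@ -85 in anaconda.te is added without a comment; as I recall this interface lets init_t transition into install_t even where NoNewPrivileges or a nosuid mount would otherwise block the transition, which is the kind of exception whose reason should be visible in policy. A one-line comment naming the unit that is started that way would do, e.g. `# started with NoNewPrivileges=yes by <unit — fill in>`. The tunable_policy block that begins at the end of the hunk continues outside it.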
@@ -36,6 +36,7 @@ allow arpwatch_t self:tcp_socket { accept listen }; allow arpwatch_t self:packet_socket { create_socket_perms map }; allow arpwatch_t self:socket create_socket_perms; +allow arpwatch_t self:netlink_generic_socket create_socket_perms; allow arpwatch_t self:netlink_rdma_socket create_socket_perms; allow arpwatch_t self:netlink_socket create_socket_perms; allow arpwatch_t self:netlink_netfilter_socket create_socket_perms; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/bluetooth.te new/fedora-policy-20210419/policy/modules/contrib/bluetooth.te --- old/fedora-policy-20210309/policy/modules/contrib/bluetooth.te 2021-03-09 14:39:00.576216920 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/bluetooth.te 2021-04-19 13:33:08.676895793 +0200 @@ -168,6 +168,10 @@ ') optional_policy(` + fwupd_dbus_chat(bluetooth_t) + ') + + optional_policy(` hal_dbus_chat(bluetooth_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/brltty.fc new/fedora-policy-20210419/policy/modules/contrib/brltty.fc --- old/fedora-policy-20210309/policy/modules/contrib/brltty.fc 2021-03-09 14:39:00.576216920 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/brltty.fc 2021-04-19 13:33:08.676895793 +0200 
@@ -5,6 +5,7 @@ /usr/bin/brltty -- gen_context(system_u:object_r:brltty_exec_t,s0) /var/lib/BrlAPI(/.*)? gen_context(system_u:object_r:brltty_var_lib_t,s0) +/var/lib/brltty(/.*)? gen_context(system_u:object_r:brltty_var_lib_t,s0) /var/run/brltty(/.*)? gen_context(system_u:object_r:brltty_var_run_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/brltty.te new/fedora-policy-20210419/policy/modules/contrib/brltty.te --- old/fedora-policy-20210309/policy/modules/contrib/brltty.te 2021-03-09 14:39:00.576216920 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/brltty.te 2021-04-19 13:33:08.676895793 +0200 @@ -25,7 +25,7 @@ # # brltty local policy # -allow brltty_t self:capability { sys_admin sys_tty_config mknod }; +allow brltty_t self:capability { setgid setuid sys_admin sys_tty_config mknod }; allow brltty_t self:process { fork signal_perms }; allow brltty_t self:fifo_file rw_fifo_file_perms; @@ -55,9 +55,11 @@ corenet_tcp_bind_brlp_port(brltty_t) +dev_read_mouse(brltty_t) dev_read_sysfs(brltty_t) dev_rw_generic_usb_dev(brltty_t) dev_rw_input_dev(brltty_t) +dev_write_sound(brltty_t) fs_getattr_all_fs(brltty_t) @@ -69,8 +71,16 @@ term_use_unallocated_ttys(brltty_t) +tunable_policy(`deny_bluetooth',`',` + allow brltty_t self:bluetooth_socket create_socket_perms; +') + optional_policy(` dbus_system_bus_client(brltty_t) bluetooth_dbus_chat(brltty_t) ') + +optional_policy(` + policykit_dbus_chat(brltty_t) +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/container.te new/fedora-policy-20210419/policy/modules/contrib/container.te --- old/fedora-policy-20210309/policy/modules/contrib/container.te 2021-03-09 14:39:01.500227012 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/container.te 2021-04-19 13:37:35.900120244 +0200 
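Review bot: The rewritten capability rule in brltty.te at @@ -25 adds `setgid setuid` to brltty_t without saying which brltty operation needs them; these two capabilities let the daemon change its identity, so the justification belongs next to the rule, modelled on the comment this same update adds to mysqld_safe_t, e.g. `# setuid/setgid: <operation — fill in from the AVC>`. The hunk at @@ -69 puts the new bluetooth_socket rule behind the deny_bluetooth tunable, which is the right shape; the capability widening has no equivalent switch, so if it only serves an optional feature a tunable like the one screen.te gains in this update would keep the default tighter. dev_read_mouse and dev_write_sound at @@ -55 look consistent with a screen-reader daemon and need no comment.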
@@ -1,4 +1,4 @@ -policy_module(container, 2.158.0) +policy_module(container, 2.160.0) gen_require(` class passwd rootok; ') @@ -648,6 +648,7 @@ ps_process_pattern(container_runtime_domain, spc_t) allow container_runtime_domain spc_t:socket_class_set { relabelto relabelfrom }; allow spc_t unlabeled_t:key manage_key_perms; +allow spc_t unlabeled_t:socket_class_set create_socket_perms; init_dbus_chat(spc_t) @@ -885,7 +886,9 @@ fs_unmount_cgroup(container_t) dev_read_rand(container_domain) +dev_write_rand(container_domain) dev_read_urand(container_domain) +dev_write_urand(container_domain) files_read_kernel_modules(container_domain) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/cups.te new/fedora-policy-20210419/policy/modules/contrib/cups.te --- old/fedora-policy-20210309/policy/modules/contrib/cups.te 2021-03-09 14:39:00.588217051 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/cups.te 2021-04-19 13:33:08.688895938 +0200 @@ -569,6 +569,7 @@ manage_files_pattern(cupsd_lpd_t, cupsd_lpd_var_run_t, cupsd_lpd_var_run_t) files_pid_filetrans(cupsd_lpd_t, cupsd_lpd_var_run_t, file) +read_sock_files_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t) stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/dbus.if new/fedora-policy-20210419/policy/modules/contrib/dbus.if --- old/fedora-policy-20210309/policy/modules/contrib/dbus.if 2021-03-09 14:39:00.588217051 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/dbus.if 2021-04-19 13:33:08.688895938 +0200 
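Review bot: `dev_write_rand(container_domain)` and `dev_write_urand(container_domain)` at @@ -885 widen every container domain, not just spc_t, and nothing in the hunk says which workload needed write access to the random devices. Writing to /dev/random or /dev/urandom from an unprivileged context mixes caller-supplied bytes into the kernel pool without crediting entropy, so the risk is limited, but it is still a permission every confined container now holds; a comment naming the requesting component, or scoping the rule to the container type that needs it, would make the intent reviewable. The same goes for `allow spc_t unlabeled_t:socket_class_set create_socket_perms;` at @@ -648, which grants the super-privileged container domain every socket class on unlabeled objects.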
@@ -36,6 +36,25 @@ ######################################## ## <summary> +## Execute dbus-daemon in the systemd_dbusd_t domain. +## </summary> +## <param name="domain" unused="true"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`dbus_exec_system_dbusd',` + gen_require(` + type dbusd_exec_t, system_dbusd_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, dbusd_exec_t, system_dbusd_t) +') + +######################################## +## <summary> ## Role access for dbus ## </summary> ## <param name="role_prefix"> @@ -97,7 +116,7 @@ allow $3 $1_dbusd_t:process { noatsecure rlimitinh siginh }; allow $1_dbusd_t $3:dbus send_msg; allow $3 $1_dbusd_t:dbus send_msg; - allow $1_dbusd_t $3:system start; + allow $1_dbusd_t $3:system { start reload }; allow $1_dbusd_t session_dbusd_tmp_t:service { start stop }; allow $3 session_dbusd_tmp_t:dir manage_dir_perms; allow $3 session_dbusd_tmp_t:file manage_file_perms; @@ -122,6 +141,8 @@ auth_use_nsswitch($1_dbusd_t) + files_config_all_files($1_dbusd_t) + logging_send_syslog_msg($1_dbusd_t) dontaudit $1_dbusd_t self:capability net_admin; @@ -129,6 +150,10 @@ optional_policy(` mozilla_domtrans_spec($1_dbusd_t, $1_t) ') + + optional_policy(` + systemd_start_systemd_services($1_dbusd_t) + ') ') ####################################### diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/dbus.te new/fedora-policy-20210419/policy/modules/contrib/dbus.te --- old/fedora-policy-20210309/policy/modules/contrib/dbus.te 2021-03-09 14:39:00.588217051 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/dbus.te 2021-04-19 13:33:08.688895938 +0200 
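Review bot: The summary of the new `dbus_exec_system_dbusd` interface at @@ -36 says the target is `systemd_dbusd_t`, but the body transitions to `system_dbusd_t` via `domtrans_pattern($1, dbusd_exec_t, system_dbusd_t)`; the summary should read `## Execute dbus-daemon in the system_dbusd_t domain.`. The `<param name="domain" unused="true">` attribute is also wrong, since `$1` is used in both `corecmd_search_bin($1)` and the domtrans pattern; drop `unused="true"`. Separately, the hunks at @@ -122 and @@ -129 give every per-role session bus daemon `files_config_all_files` and `systemd_start_systemd_services`, neither of which is scoped to the daemon's own types as far as their names indicate, so a comment on which session-bus activation case drives them would help.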
@@ -79,7 +79,7 @@ manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) -files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) +files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file sock_file }) manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t) manage_dirs_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/geoclue.te new/fedora-policy-20210419/policy/modules/contrib/geoclue.te --- old/fedora-policy-20210309/policy/modules/contrib/geoclue.te 2021-03-09 14:39:00.600217183 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/geoclue.te 2021-04-19 13:33:08.696896034 +0200 @@ -48,6 +48,7 @@ dev_read_urand(geoclue_t) +fs_getattr_cgroup(geoclue_t) fs_getattr_xattr_fs(geoclue_t) init_dbus_chat(geoclue_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/gnome.if new/fedora-policy-20210419/policy/modules/contrib/gnome.if --- old/fedora-policy-20210309/policy/modules/contrib/gnome.if 2021-03-09 14:39:00.600217183 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/gnome.if 2021-04-19 13:33:08.700896083 +0200 
@@ -108,7 +108,8 @@ # Gkeyringd policy # - allow $1_gkeyringd_t $3:unix_stream_socket { connectto create_stream_socket_perms }; + allow $1_gkeyringd_t $3:unix_stream_socket { connectto create_stream_socket_perms }; + allow $1_gkeyringd_t self:process setsched; domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/ibacm.te new/fedora-policy-20210419/policy/modules/contrib/ibacm.te --- old/fedora-policy-20210309/policy/modules/contrib/ibacm.te 2021-03-09 14:39:00.604217227 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/ibacm.te 2021-04-19 13:33:08.700896083 +0200 @@ -25,7 +25,7 @@ # # ibacm local policy # -allow ibacm_t self:capability ipc_lock; +allow ibacm_t self:capability { ipc_lock net_raw sys_rawio }; allow ibacm_t self:fifo_file rw_fifo_file_perms; allow ibacm_t self:unix_stream_socket create_stream_socket_perms; allow ibacm_t ibacm_t:netlink_rdma_socket { create_socket_perms }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/mysql.fc new/fedora-policy-20210419/policy/modules/contrib/mysql.fc --- old/fedora-policy-20210309/policy/modules/contrib/mysql.fc 2021-03-09 14:39:00.624217445 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/mysql.fc 2021-04-19 13:33:08.716896276 +0200 
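Review bot: The removed and re-added `allow $1_gkeyringd_t $3:unix_stream_socket { connectto create_stream_socket_perms };` lines at @@ -108 in gnome.if are identical in this view, so that part of the change is presumably whitespace only. A whitespace-only rewrite next to the real addition (`allow $1_gkeyringd_t self:process setsched;`) makes the hunk harder to audit and is better kept out of it or mentioned in the changelog.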
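Review bot: `allow ibacm_t self:capability { ipc_lock net_raw sys_rawio };` at @@ -25 in ibacm.te adds sys_rawio, one of the broadest capabilities in the kernel (raw device and I/O port access), alongside net_raw, with no comment on which ibacm code path triggered the denial. Because sys_rawio largely defeats the containment the domain provides, the rule deserves an explanatory comment such as `# sys_rawio/net_raw: needed for <RDMA operation — fill in from the AVC>`, and if only one of the two is actually required the other should be dropped or moved to a dontaudit.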
@@ -34,6 +34,15 @@ /usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) # +# /usr - mariadb +# +/usr/bin/mariadbd-safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) +/usr/bin/mariadbd-safe-helper -- gen_context(system_u:object_r:mysqld_exec_t,s0) +/usr/bin/mariadb-upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) + +/usr/libexec/mariadbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) + +# # /var # /var/lib/mysql(-files|-keyring)?(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/mysql.te new/fedora-policy-20210419/policy/modules/contrib/mysql.te --- old/fedora-policy-20210309/policy/modules/contrib/mysql.te 2021-03-09 14:39:00.624217445 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/mysql.te 2021-04-19 13:33:08.716896276 +0200 @@ -67,7 +67,7 @@ # Local policy # -allow mysqld_t self:capability { dac_read_search ipc_lock setgid setuid sys_nice sys_resource net_bind_service }; +allow mysqld_t self:capability { dac_read_search ipc_lock sys_nice sys_resource net_bind_service }; dontaudit mysqld_t self:capability sys_tty_config; allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; allow mysqld_t self:fifo_file rw_fifo_file_perms; 
@@ -196,6 +196,7 @@ # Local mysqld_safe policy # +# setuig/setgid may be used in mysqld_safe and mysqld_safe_helper allow mysqld_safe_t self:capability { chown dac_read_search setgid setuid fowner kill sys_nice sys_resource }; dontaudit mysqld_safe_t self:capability sys_ptrace; allow mysqld_safe_t self:process { setsched getsched setrlimit }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/plymouthd.te new/fedora-policy-20210419/policy/modules/contrib/plymouthd.te --- old/fedora-policy-20210309/policy/modules/contrib/plymouthd.te 2021-03-09 14:39:00.632217532 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/plymouthd.te 2021-04-19 13:33:08.724896372 +0200 @@ -60,6 +60,8 @@ kernel_request_load_module(plymouthd_t) kernel_change_ring_buffer_level(plymouthd_t) +corecmd_exec_bin(plymouthd_t) + dev_rw_dri(plymouthd_t) dev_read_sysfs(plymouthd_t) dev_read_framebuffer(plymouthd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/policykit.te new/fedora-policy-20210419/policy/modules/contrib/policykit.te --- old/fedora-policy-20210309/policy/modules/contrib/policykit.te 2021-03-09 14:39:00.632217532 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/policykit.te 2021-04-19 13:33:08.724896372 +0200 @@ -91,6 +91,7 @@ auth_use_nsswitch(policykit_t) init_list_pid_dirs(policykit_t) +init_read_state(policykit_t) logging_send_syslog_msg(policykit_t) 
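Review bot: The comment added at @@ -196 reads `# setuig/setgid may be used in mysqld_safe and mysqld_safe_helper`; `setuig` is a typo for `setuid`. Since this comment is the justification for keeping setuid/setgid on mysqld_safe_t after the same update removes them from mysqld_t (hunk at @@ -67), it is worth getting right: `# setuid/setgid may be used in mysqld_safe and mysqld_safe_helper`.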
@@ -98,6 +99,7 @@ systemd_login_watch_session_dirs(policykit_t) systemd_machined_read_pid_files(policykit_t) systemd_machined_watch_pid_dirs(policykit_t) +systemd_read_logind_sessions_files(policykit_t) userdom_getattr_all_users(policykit_t) userdom_read_all_users_state(policykit_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/postgrey.te new/fedora-policy-20210419/policy/modules/contrib/postgrey.te --- old/fedora-policy-20210309/policy/modules/contrib/postgrey.te 2021-03-09 14:39:00.632217532 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/postgrey.te 2021-04-19 13:33:08.724896372 +0200 @@ -55,6 +55,7 @@ kernel_read_system_state(postgrey_t) kernel_read_kernel_sysctls(postgrey_t) +kernel_read_network_state(postgrey_t) auth_use_nsswitch(postgrey_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/realmd.fc new/fedora-policy-20210419/policy/modules/contrib/realmd.fc --- old/fedora-policy-20210309/policy/modules/contrib/realmd.fc 2021-03-09 14:39:00.636217575 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/realmd.fc 2021-04-19 13:33:08.732896469 +0200 @@ -1,5 +1,7 @@ /usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0) +/usr/libexec/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0) + /var/cache/realmd(/.*)? gen_context(system_u:object_r:realmd_var_cache_t,s0) /var/lib/ipa-client(/.*)? gen_context(system_u:object_r:realmd_var_lib_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/redis.fc new/fedora-policy-20210419/policy/modules/contrib/redis.fc --- old/fedora-policy-20210309/policy/modules/contrib/redis.fc 2021-03-09 14:39:00.636217575 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/redis.fc 2021-04-19 13:33:08.732896469 +0200 
@@ -1,5 +1,6 @@ /etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0) +/etc/redis(/.*)? gen_context(system_u:object_r:redis_conf_t,s0) /etc/redis-sentinel.* -- gen_context(system_u:object_r:redis_conf_t,s0) /usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/screen.if new/fedora-policy-20210419/policy/modules/contrib/screen.if --- old/fedora-policy-20210309/policy/modules/contrib/screen.if 2021-03-09 14:39:00.640217619 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/screen.if 2021-04-19 13:33:08.736896517 +0200 @@ -82,6 +82,7 @@ corecmd_bin_domtrans($1_screen_t, $3) auth_domtrans_chk_passwd($1_screen_t) + auth_domtrans_utempter($1_screen_t) auth_use_nsswitch($1_screen_t) logging_send_syslog_msg($1_screen_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/screen.te new/fedora-policy-20210419/policy/modules/contrib/screen.te --- old/fedora-policy-20210309/policy/modules/contrib/screen.te 2021-03-09 14:39:00.640217619 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/screen.te 2021-04-19 13:33:08.736896517 +0200 @@ -5,6 +5,14 @@ # Declarations # +## <desc> +## <p> +## Determine whether screen can +## use fsetid/setuid/setgid capability. +## </p> +## </desc> +gen_tunable(screen_allow_session_sharing, false) + attribute screen_domain; type screen_exec_t; @@ -26,7 +34,7 @@ # Local policy # -allow screen_domain self:capability { fsetid setgid setuid sys_tty_config }; +allow screen_domain self:capability { sys_tty_config }; dontaudit screen_domain self:capability { dac_read_search }; allow screen_domain self:process signal_perms; allow screen_domain self:fifo_file rw_fifo_file_perms; 
@@ -96,3 +104,7 @@ userdom_create_user_pty(screen_domain) userdom_setattr_user_ptys(screen_domain) userdom_setattr_user_ttys(screen_domain) + +tunable_policy(`screen_allow_session_sharing',` + allow screen_domain self:capability { fsetid setgid setuid }; +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/sssd.te new/fedora-policy-20210419/policy/modules/contrib/sssd.te --- old/fedora-policy-20210309/policy/modules/contrib/sssd.te 2021-03-09 14:39:00.644217663 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/sssd.te 2021-04-19 13:33:08.740896565 +0200 @@ -118,6 +118,7 @@ fs_getattr_cgroup(sssd_t) fs_search_cgroup_dirs(sssd_t) fs_list_inotifyfs(sssd_t) +fs_getattr_tmpfs(sssd_t) fs_getattr_xattr_fs(sssd_t) selinux_validate_context(sssd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/usbmuxd.te new/fedora-policy-20210419/policy/modules/contrib/usbmuxd.te --- old/fedora-policy-20210309/policy/modules/contrib/usbmuxd.te 2021-03-09 14:39:00.648217707 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/usbmuxd.te 2021-04-19 13:33:08.748896662 +0200 @@ -52,6 +52,8 @@ dev_read_urand(usbmuxd_t) dev_rw_generic_usb_dev(usbmuxd_t) +fs_getattr_cgroup(usbmuxd_t) + auth_use_nsswitch(usbmuxd_t) logging_send_syslog_msg(usbmuxd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/contrib/vdagent.te new/fedora-policy-20210419/policy/modules/contrib/vdagent.te --- old/fedora-policy-20210309/policy/modules/contrib/vdagent.te 2021-03-09 14:39:00.648217707 +0100 +++ new/fedora-policy-20210419/policy/modules/contrib/vdagent.te 2021-04-19 13:33:08.748896662 +0200 
@@ -57,6 +57,7 @@ systemd_read_logind_sessions_files(vdagent_t) systemd_login_read_pid_files(vdagent_t) +systemd_login_watch_session_dirs(vdagent_t) systemd_dbus_chat_logind(vdagent_t) logging_send_syslog_msg(vdagent_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/kernel/corenetwork.te.in new/fedora-policy-20210419/policy/modules/kernel/corenetwork.te.in --- old/fedora-policy-20210309/policy/modules/kernel/corenetwork.te.in 2021-03-09 14:39:00.656217795 +0100 +++ new/fedora-policy-20210419/policy/modules/kernel/corenetwork.te.in 2021-04-19 13:33:08.752896710 +0200 @@ -387,6 +387,7 @@ network_port(xinuexpansion3, tcp,2023,s0, udp,2023,s0) network_port(xinuexpansion4, tcp,2024,s0, udp,2024,s0) network_port(xfs, tcp,7100,s0) +network_port(xmsg, tcp,1716,s0, udp,1716,s0) network_port(xodbc_connect, tcp,6632,s0) network_port(xserver, tcp,6000-6020,s0) network_port(qpasa_agent, tcp,2612,s0, udp,2612,s0, tcp,2611,s0, udp,2611,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/kernel/devices.if new/fedora-policy-20210419/policy/modules/kernel/devices.if --- old/fedora-policy-20210309/policy/modules/kernel/devices.if 2021-03-09 14:39:00.656217795 +0100 +++ new/fedora-policy-20210419/policy/modules/kernel/devices.if 2021-04-19 13:33:08.752896710 +0200 
@@ -5075,6 +5075,24 @@ ######################################## ## <summary> +## Allow caller create hardware state information files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_create_sysfs_files',` + gen_require(` + type sysfs_t; + ') + + create_files_pattern($1, sysfs_t, sysfs_t) +') + +######################################## +## <summary> ## Relabel hardware state directories. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/kernel/domain.te new/fedora-policy-20210419/policy/modules/kernel/domain.te --- old/fedora-policy-20210309/policy/modules/kernel/domain.te 2021-03-09 14:39:00.656217795 +0100 +++ new/fedora-policy-20210419/policy/modules/kernel/domain.te 2021-04-19 13:33:08.756896759 +0200 @@ -122,13 +122,18 @@ # # read /proc/(pid|self) entries -allow domain self:dir list_dir_perms; +allow domain self:dir { list_dir_perms watch_dir_perms }; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; allow domain self:fifo_file rw_fifo_file_perms; allow domain self:sem create_sem_perms; allow domain self:shm create_shm_perms; +# This is a temporary rule to work around a problem in kernel/xfs +# triggering a false fowner capability AVC +# https://bugzilla.redhat.com/show_bug.cgi?id=1933437 +dontaudit domain self:capability fowner; + kernel_getattr_proc(domain) kernel_read_proc_symlinks(domain) kernel_read_crypto_sysctls(domain) 
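Review bot: The summary of the new `dev_create_sysfs_files` interface at @@ -5075 is ungrammatical and reads better as `## Allow the caller to create hardware state information files.`. Creating files under sysfs_t is an unusual permission for policy to hand out, so a sentence naming the use case or the first caller would help future reviewers judge who should be allowed to use it.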
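Review bot: `dontaudit domain self:capability fowner;` at @@ -122 in domain.te is attached to the `domain` attribute, so it silences fowner denials for every confined domain on the system, not only the xfs case the comment describes; from a detection standpoint that is a loss of audit signal that persists until someone remembers to remove it. The comment already calls the rule temporary and cites the bug, which is good; I would add the removal condition so the rule does not outlive the workaround, e.g. `# Remove once the fixed kernel is the minimum supported (bz#1933437)`. Anyone investigating a capability-related denial in the meantime should know that `semodule -DB` rebuilds the policy without dontaudit rules. The watch_dir_perms additions here and at @@ -277 look fine.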
@@ -277,7 +282,7 @@ allow unconfined_domain_type domain:msg { send receive }; # For /proc/pid -allow unconfined_domain_type domain:dir list_dir_perms; +allow unconfined_domain_type domain:dir { list_dir_perms watch_dir_perms }; allow unconfined_domain_type domain:file manage_file_perms; allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/kernel/files.fc new/fedora-policy-20210419/policy/modules/kernel/files.fc --- old/fedora-policy-20210309/policy/modules/kernel/files.fc 2021-03-09 14:39:00.656217795 +0100 +++ new/fedora-policy-20210419/policy/modules/kernel/files.fc 2021-04-19 13:33:08.756896759 +0200 @@ -317,6 +317,7 @@ /var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /var/tmp -l gen_context(system_u:object_r:tmp_t,s0) /var/tmp-inst -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) +/var/tmp/tmp-inst -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /var/tmp/.* <<none>> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <<none>> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/kernel/files.if new/fedora-policy-20210419/policy/modules/kernel/files.if --- old/fedora-policy-20210309/policy/modules/kernel/files.if 2021-03-09 14:39:00.656217795 +0100 +++ new/fedora-policy-20210419/policy/modules/kernel/files.if 2021-04-19 13:33:08.756896759 +0200 
@@ -2982,6 +2982,60 @@ ######################################## ## <summary> +## Watch directories in /boot. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_watch_boot_dirs',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir watch_dir_perms; +') + +######################################## +## <summary> +## Watch_mount directories in /boot. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_watch_mount_boot_dirs',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir watch_mount_dir_perms; +') + +######################################## +## <summary> +## Watch_with_perm directories in /boot. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_watch_with_perm_boot_dirs',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:dir watch_with_perm_dir_perms; +') + +######################################## +## <summary> ## Create a private type object in boot ## with an automatic type transition ## </summary> 
@@ -4892,6 +4946,42 @@ ') ######################################## +## <summary> +## Watch_mount home directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_watch_mount_home',` + gen_require(` + type home_root_t; + ') + + allow $1 home_root_t:dir watch_mount_dir_perms; +') + +######################################## +## <summary> +## Watch_with_perm home directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_watch_with_perm_home',` + gen_require(` + type home_root_t; + ') + + allow $1 home_root_t:dir watch_with_perm_dir_perms; +') + +######################################## ## <summary> ## Relabel to user home root (/home). ## </summary> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/kernel/filesystem.if new/fedora-policy-20210419/policy/modules/kernel/filesystem.if --- old/fedora-policy-20210309/policy/modules/kernel/filesystem.if 2021-03-09 14:39:00.656217795 +0100 +++ new/fedora-policy-20210419/policy/modules/kernel/filesystem.if 2021-04-19 13:33:08.756896759 +0200 @@ -995,6 +995,25 @@ ######################################## ## <summary> +## Create cgroup files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_create_cgroup_files',` + gen_require(` + type cgroup_t; + ') + + dev_search_sysfs($1) + create_files_pattern($1, cgroup_t, cgroup_t) +') + +######################################## +## <summary> ## Manage cgroup files. ## </summary> ## <param name="domain"> @@ -1006,7 +1025,6 @@ interface(`fs_manage_cgroup_files',` gen_require(` type cgroup_t; - ') manage_files_pattern($1, cgroup_t, cgroup_t) 
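Review bot: The hunk at @@ -1006 in filesystem.if removes a `')` line after `type cgroup_t;` inside `fs_manage_cgroup_files` and adds nothing back; with blank lines collapsed in this view I cannot tell whether the old text carried a duplicated closing quote or whether the gen_require block is now left unclosed. Please confirm that in the resulting file gen_require still has its own closing `')` before `manage_files_pattern($1, cgroup_t, cgroup_t)`, since an unbalanced quote here would break every module that calls this interface. The new `fs_create_cgroup_files` interface at @@ -995 is fine as written.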
@@ -2210,6 +2228,42 @@ ######################################## ## <summary> +## Watch_mount dirs on a DOS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_watch_mount_dos_dirs',` + gen_require(` + type dosfs_t; + ') + + watch_mount_dirs_pattern($1, dosfs_t, dosfs_t) +') + +######################################## +## <summary> +## Watch_with_perm dirs on a DOS filesystem. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_watch_with_perm_dos_dirs',` + gen_require(` + type dosfs_t; + ') + + watch_with_perm_dirs_pattern($1, dosfs_t, dosfs_t) +') + +######################################## +## <summary> ## Mmap files on a DOS filesystem. ## </summary> ## <param name="domain"> @@ -4700,7 +4754,7 @@ ######################################## ## <summary> -## Manage NFS server files. +## Manage NFS server files and directories. ## </summary> ## <param name="domain"> ## <summary> @@ -4713,6 +4767,7 @@ type nfsd_fs_t; ') + manage_dirs_pattern($1, nfsd_fs_t, nfsd_fs_t) manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/roles/staff.te new/fedora-policy-20210419/policy/modules/roles/staff.te --- old/fedora-policy-20210309/policy/modules/roles/staff.te 2021-03-09 14:39:00.656217795 +0100 +++ new/fedora-policy-20210419/policy/modules/roles/staff.te 2021-04-19 13:33:08.756896759 +0200 @@ -23,6 +23,7 @@ # allow staff_t self:cap_userns { setpcap }; +allow staff_t self:netlink_generic_socket { create_socket_perms }; corenet_ib_access_unlabeled_pkeys(staff_t) 
@@ -74,6 +75,7 @@
 miscfiles_read_hwdata(staff_t)
 mount_sigkill(staff_t)
+mount_signal(staff_t)
 ifndef(`enable_mls',`
 selinux_read_policy(staff_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/roles/unprivuser.te new/fedora-policy-20210419/policy/modules/roles/unprivuser.te
--- old/fedora-policy-20210309/policy/modules/roles/unprivuser.te 2021-03-09 14:39:00.656217795 +0100
+++ new/fedora-policy-20210419/policy/modules/roles/unprivuser.te 2021-04-19 13:33:08.756896759 +0200
@@ -19,6 +19,13 @@
 userdom_unpriv_user_template(user)
+########################################
+#
+# Local policy
+#
+
+allow user_t self:netlink_generic_socket { create_socket_perms };
+
 kernel_read_numa_state(user_t)
 kernel_write_numa_state(user_t)
@@ -36,6 +43,8 @@
 init_dbus_chat(user_t)
 init_status(user_t)
+mount_signal(user_t)
+
 tunable_policy(`selinuxuser_execmod',`
 userdom_execmod_user_home_files(user_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/services/xserver.te new/fedora-policy-20210419/policy/modules/services/xserver.te
--- old/fedora-policy-20210309/policy/modules/services/xserver.te 2021-03-09 14:39:00.660217838 +0100
+++ new/fedora-policy-20210419/policy/modules/services/xserver.te 2021-04-19 13:33:08.760896807 +0200
@@ -738,6 +738,7 @@
 systemd_hwdb_mmap_config(xdm_t)
 systemd_hwdb_read_config(xdm_t)
 systemd_coredump_domtrans(xdm_t)
+systemd_login_watch_session_dirs(xdm_t)
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
@@ -790,6 +791,7 @@
 userdom_filetrans_generic_home_content(xdm_t)
 optional_policy(`
+ dbus_exec_system_dbusd(xdm_t)
 dbus_stream_connect_session_bus(xdm_t)
 dbus_systemctl(xdm_t)
 ')
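Review bot: `dbus_exec_system_dbusd(xdm_t)` inside the optional_policy block grants execution of the system bus daemon binary without a domain transition, so a dbus-daemon started this way keeps running as xdm_t with the display manager's privileges; the sibling `dbus_stream_connect_session_bus` / `dbus_systemctl` calls do not have that effect. If this is for a greeter-side session bus, a comment such as `# <greeter> starts a session bus from xdm_t — TODO name it` would document the intent, and a transition-based interface, if one exists for this path, would keep the bus confined. I am inferring the no-transition semantics from the `exec` naming convention; please confirm against the interface definition in dbus.if.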
@@ -935,6 +937,7 @@
 optional_policy(`
 accountsd_read_lib_files(xdm_t)
 accountsd_dbus_chat(xdm_t)
+ accountsd_watch_lib(xdm_t)
 ')
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/system/authlogin.te new/fedora-policy-20210419/policy/modules/system/authlogin.te
--- old/fedora-policy-20210309/policy/modules/system/authlogin.te 2021-03-09 14:39:00.660217838 +0100
+++ new/fedora-policy-20210419/policy/modules/system/authlogin.te 2021-04-19 13:33:08.760896807 +0200
@@ -470,6 +470,8 @@
 # read /etc/nsswitch.conf
 files_read_etc_files(nsswitch_domain)
+fs_read_cgroup_files(nsswitch_domain)
+
 init_stream_connectto(nsswitch_domain)
 sysnet_dns_name_resolve(nsswitch_domain)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/system/init.te new/fedora-policy-20210419/policy/modules/system/init.te
--- old/fedora-policy-20210309/policy/modules/system/init.te 2021-03-09 14:39:00.660217838 +0100
+++ new/fedora-policy-20210419/policy/modules/system/init.te 2021-04-19 13:33:08.760896807 +0200
@@ -51,6 +51,13 @@
 ## </desc>
 gen_tunable(init_create_dirs, true)
+## <desc>
+## <p>
+## Allow init audit_control capability
+## </p>
+## </desc>
+gen_tunable(init_audit_control, false)
+
 # used for direct running of init scripts
 # by admin domains
 attribute direct_run_init;
@@ -554,6 +561,10 @@
 files_setattr_non_security_dirs(init_t)
 ')
+tunable_policy(`init_audit_control',`
+ allow init_t self:capability audit_control;
+')
+
 allow init_t self:system all_system_perms;
 allow init_t self:system module_load;
 allow init_t self:unix_dgram_socket { create_socket_perms sendto };
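Review bot: `fs_read_cgroup_files(nsswitch_domain)` widens read access to cgroup control files to every domain carrying the `nsswitch_domain` attribute, a very large set, and unlike the `files_read_etc_files` line above it has no comment saying which NSS module needs it. Suggest `# TODO(review): name the NSS module that reads cgroup files` and, if a single module is the consumer, granting it on that module's own domain or a narrower attribute instead, so the wide attribute does not accumulate permissions that only one member uses.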
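Review bot: The new tunable's description, `Allow init audit_control capability`, does not say what enabling it means: with audit_control, init can change kernel audit rules and enable or disable auditing, which weakens the audit log as a detection source. Suggest `## Allow init the audit_control capability (modify kernel audit rules and status). Disabled by default; enable only for a known consumer.`; keeping the default `false` is the right call. The matching `tunable_policy(`init_audit_control',...)` block is in the next hunk of this file.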
@@ -1825,6 +1836,7 @@
 ')
 dontaudit daemon init_t:dir search_dir_perms;
+ dontaudit daemon init_t:file read_file_perms;
 ')
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/system/locallogin.te new/fedora-policy-20210419/policy/modules/system/locallogin.te
--- old/fedora-policy-20210309/policy/modules/system/locallogin.te 2021-03-09 14:39:00.660217838 +0100
+++ new/fedora-policy-20210419/policy/modules/system/locallogin.te 2021-04-19 13:33:08.760896807 +0200
@@ -113,6 +113,7 @@
 fs_search_auto_mountpoints(local_login_t)
 fs_getattr_cgroup(local_login_t)
+fs_getattr_tmpfs(local_login_t)
 fs_getattr_xattr_fs(local_login_t)
 storage_dontaudit_getattr_fixed_disk_dev(local_login_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/system/sysnetwork.te new/fedora-policy-20210419/policy/modules/system/sysnetwork.te
--- old/fedora-policy-20210309/policy/modules/system/sysnetwork.te 2021-03-09 14:39:00.664217882 +0100
+++ new/fedora-policy-20210419/policy/modules/system/sysnetwork.te 2021-04-19 13:33:08.764896855 +0200
@@ -198,6 +198,7 @@
 chronyd_initrc_domtrans(dhcpc_t)
 chronyd_systemctl(dhcpc_t)
 chronyd_domtrans(dhcpc_t)
+ chronyd_domtrans_chronyc(dhcpc_t)
 chronyd_read_keys(dhcpc_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/system/systemd.te new/fedora-policy-20210419/policy/modules/system/systemd.te
--- old/fedora-policy-20210309/policy/modules/system/systemd.te 2021-03-09 14:39:00.664217882 +0100
+++ new/fedora-policy-20210419/policy/modules/system/systemd.te 2021-04-19 13:33:08.764896855 +0200
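Review bot: `dontaudit daemon init_t:file read_file_perms;` silences, for every domain with the `daemon` attribute, denials on reading files labelled init_t, which removes a signal a defender may want (a service reading init's files is not always benign) rather than fixing the cause. If it exists to quiet a known noise source, name it: `# <daemon/path> reads init_t files — TODO name the trigger`; otherwise an explicit allow for the one daemon that needs the access would be narrower. The enclosing block, closed by the `')` just below the new line, starts outside the hunk.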
@@ -1333,14 +1333,16 @@
 #
 allow systemd_sleep_t self:capability sys_resource;
+# systemd-sleep needs to set timer for suspend-then-hibernate
+allow systemd_sleep_t self:capability2 wake_alarm;
 dontaudit systemd_sleep_t self:capability sys_ptrace;
 # systemd-sleep needs the permission to change sleep state
 allow systemd_sleep_t self:lockdown integrity;
 kernel_dgram_send(systemd_sleep_t)
+dev_create_sysfs_files(systemd_sleep_t)
 dev_rw_sysfs(systemd_sleep_t)
-dev_write_sysfs_dirs(systemd_sleep_t)
 dev_write_kmsg(systemd_sleep_t)
 fstools_rw_swap_files(systemd_sleep_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/system/userdomain.te new/fedora-policy-20210419/policy/modules/system/userdomain.te
--- old/fedora-policy-20210309/policy/modules/system/userdomain.te 2021-03-09 14:39:00.664217882 +0100
+++ new/fedora-policy-20210419/policy/modules/system/userdomain.te 2021-04-19 13:33:08.764896855 +0200
@@ -372,10 +372,25 @@
 ############################################################
 # login_userdomain local policy
+corenet_tcp_bind_xmsg_port(login_userdomain)
+
+create_blk_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
+create_chr_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
+create_fifo_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
+create_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
+create_sock_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
+
+tunable_policy(`deny_bluetooth',`',`
+ allow login_userdomain self:bluetooth_socket rw_stream_socket_perms;
+')
+
+dev_watch_generic_dirs(login_userdomain)
+
 files_watch_etc_dirs(login_userdomain)
 files_watch_usr_dirs(login_userdomain)
 files_watch_var_lib_dirs(login_userdomain)
+fs_create_cgroup_files(login_userdomain)
 fs_watch_cgroup_files(login_userdomain)
 miscfiles_watch_localization_symlinks(login_userdomain)
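Review bot: `dev_create_sysfs_files(systemd_sleep_t)` replaces `dev_write_sysfs_dirs` but, unlike the `wake_alarm` line added two lines up, gives no reason; create access on sysfs files is a broader grant than writing a known node. A comment in the same style as the existing ones, `# systemd-sleep creates <sysfs node> for <reason> — TODO confirm`, would let the next reviewer check that the grant still matches what systemd-sleep actually does.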
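Review bot: `create_blk_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )` and the `create_chr_files_pattern` line next to it let every login user domain create block and character device nodes in its own tmp content, a grant policy normally keeps away from unprivileged users; CAP_MKNOD still gates real device nodes, but the SELinux rule is the layer that holds regardless of capabilities or mount options. If a concrete consumer needs it, gate the two lines behind a tunable the way the `deny_bluetooth` block just below does, or grant it only to that consumer's domain, with a comment naming it; the fifo, sock and plain-file variants are unremarkable. Minor: the stray space in `user_tmp_t )` on those five lines does not match the file's style.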
@@ -390,6 +405,10 @@
 gnome_watch_home_config_files(login_userdomain)
 ')
+optional_policy(`
+ systemd_login_watch_session_dirs(login_userdomain)
+')
+
 ############################################################
 # Local Policy Confined Admin
 #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy-20210309/policy/support/file_patterns.spt new/fedora-policy-20210419/policy/support/file_patterns.spt
--- old/fedora-policy-20210309/policy/support/file_patterns.spt 2021-03-09 14:39:00.664217882 +0100
+++ new/fedora-policy-20210419/policy/support/file_patterns.spt 2021-04-19 13:33:08.764896855 +0200
@@ -80,10 +80,18 @@
 allow $1 $2:dir search_dir_perms;
 allow $1 $3:dir watch_dir_perms;
 ')
+define(`watch_mount_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir watch_mount_dir_perms;
+')
 define(`watch_reads_dirs_pattern',`
 allow $1 $2:dir search_dir_perms;
 allow $1 $3:dir watch_reads_dir_perms;
 ')
+define(`watch_with_perm_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir watch_with_perm_dir_perms;
+')
 #
 # Regular file patterns (file)
++++++ fix_dbus.patch ++++++
--- /var/tmp/diff_new_pack.tElr3W/_old 2021-04-22 18:04:24.554547516 +0200
+++ /var/tmp/diff_new_pack.tElr3W/_new 2021-04-22 18:04:24.554547516 +0200
@@ -1,11 +1,11 @@
-Index: fedora-policy/policy/modules/contrib/dbus.te
+Index: fedora-policy-20210419/policy/modules/contrib/dbus.te
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/dbus.te 2020-02-25 08:22:02.846623845 +0000
-+++ fedora-policy/policy/modules/contrib/dbus.te 2020-02-25 08:22:31.991108418 +0000
+--- fedora-policy-20210419.orig/policy/modules/contrib/dbus.te
++++ fedora-policy-20210419/policy/modules/contrib/dbus.te
@@ -80,6 +80,7 @@ read_lnk_files_pattern(system_dbusd_t, d manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t) - files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) + files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file sock_file }) +allow system_dbusd_t system_dbusd_tmp_t:file execute; manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t) ++++++ fix_hadoop.patch ++++++ --- /var/tmp/diff_new_pack.tElr3W/_old 2021-04-22 18:04:24.574547546 +0200 +++ /var/tmp/diff_new_pack.tElr3W/_new 2021-04-22 18:04:24.574547546 +0200 @@ -1,7 +1,7 @@ -Index: fedora-policy-20210309/policy/modules/roles/sysadm.te +Index: fedora-policy-20210419/policy/modules/roles/sysadm.te =================================================================== ---- fedora-policy-20210309.orig/policy/modules/roles/sysadm.te -+++ fedora-policy-20210309/policy/modules/roles/sysadm.te +--- fedora-policy-20210419.orig/policy/modules/roles/sysadm.te ++++ fedora-policy-20210419/policy/modules/roles/sysadm.te @@ -298,10 +298,6 @@ optional_policy(` ') @@ -13,11 +13,11 @@ iotop_run(sysadm_t, sysadm_r) ') -Index: fedora-policy-20210309/policy/modules/roles/unprivuser.te +Index: fedora-policy-20210419/policy/modules/roles/unprivuser.te =================================================================== ---- fedora-policy-20210309.orig/policy/modules/roles/unprivuser.te -+++ fedora-policy-20210309/policy/modules/roles/unprivuser.te -@@ -200,10 +200,6 @@ ifndef(`distro_redhat',` +--- fedora-policy-20210419.orig/policy/modules/roles/unprivuser.te ++++ fedora-policy-20210419/policy/modules/roles/unprivuser.te +@@ -209,10 +209,6 @@ ifndef(`distro_redhat',` ') optional_policy(` ++++++ fix_init.patch ++++++ --- /var/tmp/diff_new_pack.tElr3W/_old 2021-04-22 18:04:24.582547558 +0200 +++ /var/tmp/diff_new_pack.tElr3W/_new 2021-04-22 18:04:24.582547558 +0200 
@@ -1,7 +1,7 @@ -Index: fedora-policy-20210309/policy/modules/system/init.if +Index: fedora-policy-20210419/policy/modules/system/init.if =================================================================== ---- fedora-policy-20210309.orig/policy/modules/system/init.if -+++ fedora-policy-20210309/policy/modules/system/init.if +--- fedora-policy-20210419.orig/policy/modules/system/init.if ++++ fedora-policy-20210419/policy/modules/system/init.if @@ -3242,6 +3242,7 @@ interface(`init_filetrans_named_content' files_etc_filetrans($1, machineid_t, file, "machine-id" ) files_pid_filetrans($1, initctl_t, fifo_file, "fifo" ) @@ -10,11 +10,11 @@ init_pid_filetrans($1, systemd_unit_file_t, dir, "system") ') -Index: fedora-policy-20210309/policy/modules/system/init.te +Index: fedora-policy-20210419/policy/modules/system/init.te =================================================================== ---- fedora-policy-20210309.orig/policy/modules/system/init.te -+++ fedora-policy-20210309/policy/modules/system/init.te -@@ -262,6 +262,8 @@ corecmd_exec_bin(init_t) +--- fedora-policy-20210419.orig/policy/modules/system/init.te ++++ fedora-policy-20210419/policy/modules/system/init.te +@@ -269,6 +269,8 @@ corecmd_exec_bin(init_t) corenet_all_recvfrom_netlabel(init_t) corenet_tcp_bind_all_ports(init_t) corenet_udp_bind_all_ports(init_t) @@ -23,7 +23,7 @@ dev_create_all_files(init_t) dev_create_all_chr_files(init_t) -@@ -390,6 +391,7 @@ logging_manage_audit_config(init_t) +@@ -397,6 +399,7 @@ logging_manage_audit_config(init_t) logging_create_syslog_netlink_audit_socket(init_t) logging_write_var_log_dirs(init_t) logging_manage_var_log_symlinks(init_t) @@ -31,7 +31,7 @@ seutil_read_config(init_t) seutil_read_login_config(init_t) -@@ -439,11 +441,16 @@ ifdef(`distro_redhat',` +@@ -446,11 +449,16 @@ ifdef(`distro_redhat',` corecmd_shell_domtrans(init_t, initrc_t) storage_raw_rw_fixed_disk(init_t) 
@@ -48,7 +48,7 @@ bootloader_domtrans(init_t) ') -@@ -557,10 +564,10 @@ tunable_policy(`init_create_dirs',` +@@ -568,10 +576,10 @@ tunable_policy(`init_audit_control',` allow init_t self:system all_system_perms; allow init_t self:system module_load; allow init_t self:unix_dgram_socket { create_socket_perms sendto }; @@ -61,7 +61,7 @@ allow init_t self:netlink_selinux_socket create_socket_perms; allow init_t self:unix_dgram_socket lock; # Until systemd is fixed -@@ -618,6 +625,7 @@ files_delete_all_spool_sockets(init_t) +@@ -629,6 +637,7 @@ files_delete_all_spool_sockets(init_t) files_create_var_lib_dirs(init_t) files_create_var_lib_symlinks(init_t) files_read_var_lib_symlinks(init_t) @@ -69,7 +69,7 @@ files_manage_urandom_seed(init_t) files_list_locks(init_t) files_list_spool(init_t) -@@ -654,7 +662,7 @@ fs_list_all(init_t) +@@ -665,7 +674,7 @@ fs_list_all(init_t) fs_list_auto_mountpoints(init_t) fs_register_binary_executable_type(init_t) fs_relabel_tmpfs_sock_file(init_t) @@ -78,7 +78,7 @@ fs_relabel_cgroup_dirs(init_t) fs_search_cgroup_dirs(init_t) # for network namespaces -@@ -710,6 +718,7 @@ systemd_write_inherited_logind_sessions_ +@@ -721,6 +730,7 @@ systemd_write_inherited_logind_sessions_ create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type) create_dirs_pattern(init_t, var_log_t, var_log_t) @@ -86,7 +86,7 @@ auth_use_nsswitch(init_t) auth_rw_login_records(init_t) -@@ -1563,6 +1572,8 @@ optional_policy(` +@@ -1574,6 +1584,8 @@ optional_policy(` optional_policy(` postfix_list_spool(initrc_t) ++++++ fix_unprivuser.patch ++++++ --- /var/tmp/diff_new_pack.tElr3W/_old 2021-04-22 18:04:24.638547644 +0200 +++ /var/tmp/diff_new_pack.tElr3W/_new 2021-04-22 18:04:24.638547644 +0200 
@@ -1,8 +1,8 @@ -Index: fedora-policy-20210309/policy/modules/roles/unprivuser.te +Index: fedora-policy-20210419/policy/modules/roles/unprivuser.te =================================================================== ---- fedora-policy-20210309.orig/policy/modules/roles/unprivuser.te -+++ fedora-policy-20210309/policy/modules/roles/unprivuser.te -@@ -282,6 +282,13 @@ ifndef(`distro_redhat',` +--- fedora-policy-20210419.orig/policy/modules/roles/unprivuser.te ++++ fedora-policy-20210419/policy/modules/roles/unprivuser.te +@@ -291,6 +291,13 @@ ifndef(`distro_redhat',` ') optional_policy(`