Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2021-04-22 18:03:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.12324 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Thu Apr 22 18:03:46 2021 rev:9 rq:886701 version:20210419

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2021-03-24 16:08:57.751687790 +0100
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.12324/selinux-policy.changes 
2021-04-22 18:04:22.734544739 +0200
@@ -1,0 +2,10 @@
+Mon Apr 19 11:37:49 UTC 2021 - Johannes Segitz <jseg...@suse.com>
+
+- Update to version 20210419
+- Refreshed:
+  * fix_dbus.patch
+  * fix_hadoop.patch
+  * fix_init.patch
+  * fix_unprivuser.patch
+
+-------------------------------------------------------------------

Old:
----
  fedora-policy-20210309.tar.bz2

New:
----
  fedora-policy-20210419.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.tElr3W/_old  2021-04-22 18:04:23.710546228 +0200
+++ /var/tmp/diff_new_pack.tElr3W/_new  2021-04-22 18:04:23.710546228 +0200
@@ -33,7 +33,7 @@
 License:        GPL-2.0-or-later
 Group:          System/Management
 Name:           selinux-policy
-Version:        20210309
+Version:        20210419
 Release:        0
 Source:         fedora-policy-%{version}.tar.bz2
 Source1:        selinux-policy-rpmlintrc

++++++ fedora-policy-20210309.tar.bz2 -> fedora-policy-20210419.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/admin/netutils.te 
new/fedora-policy-20210419/policy/modules/admin/netutils.te
--- old/fedora-policy-20210309/policy/modules/admin/netutils.te 2021-03-09 
14:39:00.564216789 +0100
+++ new/fedora-policy-20210419/policy/modules/admin/netutils.te 2021-04-19 
13:33:08.660895600 +0200
@@ -36,6 +36,7 @@
 allow netutils_t self:capability { chown dac_read_search net_admin net_raw 
setuid setgid sys_chroot  setpcap };
 dontaudit netutils_t self:capability { sys_admin sys_tty_config };
 allow netutils_t self:process { setcap signal_perms };
+allow netutils_t self:netlink_generic_socket create_socket_perms;
 allow netutils_t self:netlink_rdma_socket create_socket_perms;
 allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
 allow netutils_t self:netlink_socket create_socket_perms;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/accountsd.if 
new/fedora-policy-20210419/policy/modules/contrib/accountsd.if
--- old/fedora-policy-20210309/policy/modules/contrib/accountsd.if      
2021-03-09 14:39:00.564216789 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/accountsd.if      
2021-04-19 13:33:08.664895649 +0200
@@ -81,6 +81,25 @@
 
 ########################################
 ## <summary>
+##     Watch accountsd lib directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`accountsd_watch_lib',`
+       gen_require(`
+               type accountsd_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+       watch_dirs_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
+')
+
+########################################
+## <summary>
 ##     Read accountsd lib files.
 ## </summary>
 ## <param name="domain">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/accountsd.te 
new/fedora-policy-20210419/policy/modules/contrib/accountsd.te
--- old/fedora-policy-20210309/policy/modules/contrib/accountsd.te      
2021-03-09 14:39:00.564216789 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/accountsd.te      
2021-04-19 13:33:08.664895649 +0200
@@ -49,6 +49,7 @@
 files_read_usr_files(accountsd_t)
 files_watch_etc_dirs(accountsd_t)
 
+fs_getattr_cgroup(accountsd_t)
 fs_getattr_xattr_fs(accountsd_t)
 fs_list_inotifyfs(accountsd_t)
 fs_read_noxattr_fs_files(accountsd_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/aide.te 
new/fedora-policy-20210419/policy/modules/contrib/aide.te
--- old/fedora-policy-20210309/policy/modules/contrib/aide.te   2021-03-09 
14:39:00.568216833 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/aide.te   2021-04-19 
13:33:08.664895649 +0200
@@ -62,6 +62,10 @@
 ')
 
 optional_policy(`
+       systemd_userdbd_stream_connect(aide_t)
+')
+
+optional_policy(`
     sssd_stream_connect(aide_t)
 ')
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/anaconda.te 
new/fedora-policy-20210419/policy/modules/contrib/anaconda.te
--- old/fedora-policy-20210309/policy/modules/contrib/anaconda.te       
2021-03-09 14:39:00.568216833 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/anaconda.te       
2021-04-19 13:33:08.668895697 +0200
@@ -85,6 +85,7 @@
 systemd_dbus_chat_localed(install_t)
 systemd_dbus_chat_logind(install_t)
 init_dbus_chat(install_t)
+init_nnp_daemon_domain(install_t)
 
 tunable_policy(`deny_ptrace',`',`
        domain_ptrace_all_domains(install_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/arpwatch.te 
new/fedora-policy-20210419/policy/modules/contrib/arpwatch.te
--- old/fedora-policy-20210309/policy/modules/contrib/arpwatch.te       
2021-03-09 14:39:00.572216877 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/arpwatch.te       
2021-04-19 13:33:08.668895697 +0200
@@ -36,6 +36,7 @@
 allow arpwatch_t self:tcp_socket { accept listen };
 allow arpwatch_t self:packet_socket { create_socket_perms map };
 allow arpwatch_t self:socket create_socket_perms;
+allow arpwatch_t self:netlink_generic_socket create_socket_perms;
 allow arpwatch_t self:netlink_rdma_socket create_socket_perms;
 allow arpwatch_t self:netlink_socket create_socket_perms;
 allow arpwatch_t self:netlink_netfilter_socket create_socket_perms;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/bluetooth.te 
new/fedora-policy-20210419/policy/modules/contrib/bluetooth.te
--- old/fedora-policy-20210309/policy/modules/contrib/bluetooth.te      
2021-03-09 14:39:00.576216920 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/bluetooth.te      
2021-04-19 13:33:08.676895793 +0200
@@ -168,6 +168,10 @@
        ')
 
        optional_policy(`
+               fwupd_dbus_chat(bluetooth_t)
+       ')
+
+       optional_policy(`
                hal_dbus_chat(bluetooth_t)
        ')
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/brltty.fc 
new/fedora-policy-20210419/policy/modules/contrib/brltty.fc
--- old/fedora-policy-20210309/policy/modules/contrib/brltty.fc 2021-03-09 
14:39:00.576216920 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/brltty.fc 2021-04-19 
13:33:08.676895793 +0200
@@ -5,6 +5,7 @@
 /usr/bin/brltty                --      
gen_context(system_u:object_r:brltty_exec_t,s0)
 
 /var/lib/BrlAPI(/.*)?          
gen_context(system_u:object_r:brltty_var_lib_t,s0)
+/var/lib/brltty(/.*)?          
gen_context(system_u:object_r:brltty_var_lib_t,s0)
 
 /var/run/brltty(/.*)?          
gen_context(system_u:object_r:brltty_var_run_t,s0)
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/brltty.te 
new/fedora-policy-20210419/policy/modules/contrib/brltty.te
--- old/fedora-policy-20210309/policy/modules/contrib/brltty.te 2021-03-09 
14:39:00.576216920 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/brltty.te 2021-04-19 
13:33:08.676895793 +0200
@@ -25,7 +25,7 @@
 #
 # brltty local policy
 #
-allow brltty_t self:capability { sys_admin  sys_tty_config mknod };
+allow brltty_t self:capability { setgid setuid sys_admin sys_tty_config mknod 
};
 allow brltty_t self:process { fork signal_perms };
 
 allow brltty_t self:fifo_file rw_fifo_file_perms;
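Review bot: The `setgid setuid` capabilities added to the `allow brltty_t self:capability` line come with no explanation of why the braille daemon now needs to change its own credentials, and this hunk is the only place a reader would look for one. If brltty drops root to a dedicated user after opening its devices, the grant is a privilege-drop necessity; if it instead switches identity on behalf of callers, it would deserve gating like the `deny_bluetooth` tunable added further down in this file. Suggest a comment above the line, e.g. `# setuid/setgid: brltty drops to its configured unprivileged user after start-up (confirm against brltty's privilege-drop code)`. Note the statement is split across two physical lines by mail wrapping; the trailing `};` belongs to it. brltty_t's local policy continues past this hunk.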
@@ -55,9 +55,11 @@
 
 corenet_tcp_bind_brlp_port(brltty_t)
 
+dev_read_mouse(brltty_t)
 dev_read_sysfs(brltty_t)
 dev_rw_generic_usb_dev(brltty_t)
 dev_rw_input_dev(brltty_t)
+dev_write_sound(brltty_t)
 
 fs_getattr_all_fs(brltty_t)
 
@@ -69,8 +71,16 @@
 
 term_use_unallocated_ttys(brltty_t)
 
+tunable_policy(`deny_bluetooth',`',`
+       allow brltty_t self:bluetooth_socket create_socket_perms;
+')
+
 optional_policy(`
     dbus_system_bus_client(brltty_t)
 
     bluetooth_dbus_chat(brltty_t)
 ')
+
+optional_policy(`
+       policykit_dbus_chat(brltty_t)
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/container.te 
new/fedora-policy-20210419/policy/modules/contrib/container.te
--- old/fedora-policy-20210309/policy/modules/contrib/container.te      
2021-03-09 14:39:01.500227012 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/container.te      
2021-04-19 13:37:35.900120244 +0200
@@ -1,4 +1,4 @@
-policy_module(container, 2.158.0)
+policy_module(container, 2.160.0)
 gen_require(`
        class passwd rootok;
 ')
@@ -648,6 +648,7 @@
 ps_process_pattern(container_runtime_domain, spc_t)
 allow container_runtime_domain spc_t:socket_class_set { relabelto relabelfrom 
};
 allow spc_t unlabeled_t:key manage_key_perms;
+allow spc_t unlabeled_t:socket_class_set create_socket_perms;
 
 init_dbus_chat(spc_t)
 
@@ -885,7 +886,9 @@
 fs_unmount_cgroup(container_t)
 
 dev_read_rand(container_domain)
+dev_write_rand(container_domain)
 dev_read_urand(container_domain)
+dev_write_urand(container_domain)
 
 files_read_kernel_modules(container_domain)
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/cups.te 
new/fedora-policy-20210419/policy/modules/contrib/cups.te
--- old/fedora-policy-20210309/policy/modules/contrib/cups.te   2021-03-09 
14:39:00.588217051 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/cups.te   2021-04-19 
13:33:08.688895938 +0200
@@ -569,6 +569,7 @@
 manage_files_pattern(cupsd_lpd_t, cupsd_lpd_var_run_t, cupsd_lpd_var_run_t)
 files_pid_filetrans(cupsd_lpd_t, cupsd_lpd_var_run_t, file)
 
+read_sock_files_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t)
 stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
 
 kernel_read_kernel_sysctls(cupsd_lpd_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/dbus.if 
new/fedora-policy-20210419/policy/modules/contrib/dbus.if
--- old/fedora-policy-20210309/policy/modules/contrib/dbus.if   2021-03-09 
14:39:00.588217051 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/dbus.if   2021-04-19 
13:33:08.688895938 +0200
@@ -36,6 +36,25 @@
 
 ########################################
 ## <summary>
+##     Execute dbus-daemon in the systemd_dbusd_t domain.
+## </summary>
+## <param name="domain" unused="true">
+##     <summary>
+##     Domain allowed access
+##     </summary>
+## </param>
+#
+interface(`dbus_exec_system_dbusd',`
+       gen_require(`
+               type dbusd_exec_t, system_dbusd_t;
+       ')
+
+       corecmd_search_bin($1)
+       domtrans_pattern($1, dbusd_exec_t, system_dbusd_t)
+')
+
+########################################
+## <summary>
 ##     Role access for dbus
 ## </summary>
 ## <param name="role_prefix">
@@ -97,7 +116,7 @@
     allow $3 $1_dbusd_t:process { noatsecure rlimitinh siginh };
     allow $1_dbusd_t $3:dbus send_msg;
     allow $3 $1_dbusd_t:dbus send_msg;
-    allow $1_dbusd_t $3:system start;
+    allow $1_dbusd_t $3:system { start reload };
     allow $1_dbusd_t session_dbusd_tmp_t:service { start stop };
     allow $3 session_dbusd_tmp_t:dir manage_dir_perms;
     allow $3 session_dbusd_tmp_t:file manage_file_perms;
@@ -122,6 +141,8 @@
 
        auth_use_nsswitch($1_dbusd_t)
 
+       files_config_all_files($1_dbusd_t)
+
        logging_send_syslog_msg($1_dbusd_t)
 
        dontaudit $1_dbusd_t self:capability net_admin;
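Review bot: `files_config_all_files($1_dbusd_t)` is a very broad grant for a per-user session bus: by its name it spans every `file_type`, and the hunk does not say which access the session daemon was missing, so it is hard to tell whether a narrower interface (read of the specific config or service-file types) would do. Because `$1_dbusd_t` is instantiated per user role, this hands the same file-wide access to every confined user's session bus, which works against the purpose of the per-role template. Suggest either replacing it with the narrowest interface that satisfies the observed denial, or at least annotating it: `# TODO(review): scope to the file types dbus-daemon actually reads; files_config_all_files spans all file_type`. Separately, the new `dbus_exec_system_dbusd` summary earlier in this file says `systemd_dbusd_t` while the code transitions to `system_dbusd_t`, and marks `domain` as `unused="true"` although `$1` is used. The template body continues outside the hunk.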
@@ -129,6 +150,10 @@
        optional_policy(`
                mozilla_domtrans_spec($1_dbusd_t, $1_t)
        ')
+
+       optional_policy(`
+               systemd_start_systemd_services($1_dbusd_t)
+       ')
 ')
 
 #######################################
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/dbus.te 
new/fedora-policy-20210419/policy/modules/contrib/dbus.te
--- old/fedora-policy-20210309/policy/modules/contrib/dbus.te   2021-03-09 
14:39:00.588217051 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/dbus.te   2021-04-19 
13:33:08.688895938 +0200
@@ -79,7 +79,7 @@
 
 manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
 manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
-files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file sock_file })
 
 manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, 
system_dbusd_tmpfs_t)
 manage_dirs_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/geoclue.te 
new/fedora-policy-20210419/policy/modules/contrib/geoclue.te
--- old/fedora-policy-20210309/policy/modules/contrib/geoclue.te        
2021-03-09 14:39:00.600217183 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/geoclue.te        
2021-04-19 13:33:08.696896034 +0200
@@ -48,6 +48,7 @@
 
 dev_read_urand(geoclue_t)
 
+fs_getattr_cgroup(geoclue_t)
 fs_getattr_xattr_fs(geoclue_t)
 
 init_dbus_chat(geoclue_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/gnome.if 
new/fedora-policy-20210419/policy/modules/contrib/gnome.if
--- old/fedora-policy-20210309/policy/modules/contrib/gnome.if  2021-03-09 
14:39:00.600217183 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/gnome.if  2021-04-19 
13:33:08.700896083 +0200
@@ -108,7 +108,8 @@
        # Gkeyringd policy
        #
 
-    allow $1_gkeyringd_t $3:unix_stream_socket { connectto 
create_stream_socket_perms };
+       allow $1_gkeyringd_t $3:unix_stream_socket { connectto 
create_stream_socket_perms };
+       allow $1_gkeyringd_t self:process setsched;
 
        domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/ibacm.te 
new/fedora-policy-20210419/policy/modules/contrib/ibacm.te
--- old/fedora-policy-20210309/policy/modules/contrib/ibacm.te  2021-03-09 
14:39:00.604217227 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/ibacm.te  2021-04-19 
13:33:08.700896083 +0200
@@ -25,7 +25,7 @@
 #
 # ibacm local policy
 #
-allow ibacm_t self:capability ipc_lock;
+allow ibacm_t self:capability { ipc_lock net_raw sys_rawio };
 allow ibacm_t self:fifo_file rw_fifo_file_perms;
 allow ibacm_t self:unix_stream_socket create_stream_socket_perms;
 allow ibacm_t ibacm_t:netlink_rdma_socket { create_socket_perms };
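Review bot: The `sys_rawio` capability added to `allow ibacm_t self:capability` is one of the most powerful grants a confined daemon can receive — it is the capability behind raw port I/O, /dev/mem-style access and SG_IO — and the hunk gives no hint which ibacm code path trips it. `net_raw` is plausible for an InfiniBand address-resolution daemon, but `sys_rawio` may well be a spurious probe by a kernel driver rather than a real need, and the difference matters for what a compromised ibacm_t can do. Suggest confirming against the original denial and, if it was only a probe, using `dontaudit ibacm_t self:capability sys_rawio;` instead; otherwise add `# sys_rawio: required by <driver/ioctl> for <reason>` above the line. ibacm_t's local policy continues outside the hunk.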
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/mysql.fc 
new/fedora-policy-20210419/policy/modules/contrib/mysql.fc
--- old/fedora-policy-20210309/policy/modules/contrib/mysql.fc  2021-03-09 
14:39:00.624217445 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/mysql.fc  2021-04-19 
13:33:08.716896276 +0200
@@ -34,6 +34,15 @@
 /usr/sbin/ndbd         --      gen_context(system_u:object_r:mysqld_exec_t,s0)
 
 #
+# /usr - mariadb
+#
+/usr/bin/mariadbd-safe --      
gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
+/usr/bin/mariadbd-safe-helper    --      
gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/bin/mariadb-upgrade       --      
gen_context(system_u:object_r:mysqld_exec_t,s0)
+
+/usr/libexec/mariadbd  --      gen_context(system_u:object_r:mysqld_exec_t,s0)
+
+#
 # /var
 #
 /var/lib/mysql(-files|-keyring)?(/.*)?         
gen_context(system_u:object_r:mysqld_db_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/mysql.te 
new/fedora-policy-20210419/policy/modules/contrib/mysql.te
--- old/fedora-policy-20210309/policy/modules/contrib/mysql.te  2021-03-09 
14:39:00.624217445 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/mysql.te  2021-04-19 
13:33:08.716896276 +0200
@@ -67,7 +67,7 @@
 # Local policy
 #
 
-allow mysqld_t self:capability { dac_read_search  ipc_lock setgid setuid 
sys_nice sys_resource net_bind_service };
+allow mysqld_t self:capability { dac_read_search  ipc_lock sys_nice 
sys_resource net_bind_service };
 dontaudit mysqld_t self:capability sys_tty_config;
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms 
rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
@@ -196,6 +196,7 @@
 # Local mysqld_safe policy
 #
 
+# setuig/setgid may be used in mysqld_safe and mysqld_safe_helper
 allow mysqld_safe_t self:capability { chown dac_read_search setgid setuid 
fowner kill sys_nice sys_resource };
 dontaudit mysqld_safe_t self:capability sys_ptrace;
 allow mysqld_safe_t self:process { setsched getsched setrlimit };
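Review bot: The comment added above the `mysqld_safe_t` capability rule has a typo, `setuig`, and should read `# setuid/setgid may be used in mysqld_safe and mysqld_safe_helper`. It would also be worth saying in the same comment why the earlier hunk removed `setgid setuid` from `mysqld_t`: the server no longer changes its own credentials, so a deployment that starts mysqld directly as root with `--user=` (rather than via the systemd `User=` or the mysqld_safe wrapper) will now be denied at that point — a least-privilege improvement, but a visible behaviour change the changelog does not mention. The mysqld_safe local policy continues outside the hunk.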
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/plymouthd.te 
new/fedora-policy-20210419/policy/modules/contrib/plymouthd.te
--- old/fedora-policy-20210309/policy/modules/contrib/plymouthd.te      
2021-03-09 14:39:00.632217532 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/plymouthd.te      
2021-04-19 13:33:08.724896372 +0200
@@ -60,6 +60,8 @@
 kernel_request_load_module(plymouthd_t)
 kernel_change_ring_buffer_level(plymouthd_t)
 
+corecmd_exec_bin(plymouthd_t)
+
 dev_rw_dri(plymouthd_t)
 dev_read_sysfs(plymouthd_t)
 dev_read_framebuffer(plymouthd_t)
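Review bot: `corecmd_exec_bin(plymouthd_t)` lets plymouthd run any `bin_t` program without a domain transition, so whatever it executes inherits plymouthd_t's early-boot privileges (this hunk already shows it requesting module loads and changing the ring-buffer level). If only one helper is needed, a dedicated exec type with a domain transition would contain it; if the generic grant is unavoidable, the reason should be recorded next to the line, e.g. `# plymouthd execs <helper> in its own domain; no transition target exists`. The plymouthd_t rules continue outside the hunk.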
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/policykit.te 
new/fedora-policy-20210419/policy/modules/contrib/policykit.te
--- old/fedora-policy-20210309/policy/modules/contrib/policykit.te      
2021-03-09 14:39:00.632217532 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/policykit.te      
2021-04-19 13:33:08.724896372 +0200
@@ -91,6 +91,7 @@
 auth_use_nsswitch(policykit_t)
 
 init_list_pid_dirs(policykit_t)
+init_read_state(policykit_t)
 
 logging_send_syslog_msg(policykit_t)
 
@@ -98,6 +99,7 @@
 systemd_login_watch_session_dirs(policykit_t)
 systemd_machined_read_pid_files(policykit_t)
 systemd_machined_watch_pid_dirs(policykit_t)
+systemd_read_logind_sessions_files(policykit_t)
 
 userdom_getattr_all_users(policykit_t)
 userdom_read_all_users_state(policykit_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/postgrey.te 
new/fedora-policy-20210419/policy/modules/contrib/postgrey.te
--- old/fedora-policy-20210309/policy/modules/contrib/postgrey.te       
2021-03-09 14:39:00.632217532 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/postgrey.te       
2021-04-19 13:33:08.724896372 +0200
@@ -55,6 +55,7 @@
 
 kernel_read_system_state(postgrey_t)
 kernel_read_kernel_sysctls(postgrey_t)
+kernel_read_network_state(postgrey_t)
 
 auth_use_nsswitch(postgrey_t)
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/realmd.fc 
new/fedora-policy-20210419/policy/modules/contrib/realmd.fc
--- old/fedora-policy-20210309/policy/modules/contrib/realmd.fc 2021-03-09 
14:39:00.636217575 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/realmd.fc 2021-04-19 
13:33:08.732896469 +0200
@@ -1,5 +1,7 @@
 /usr/lib/realmd/realmd         --      
gen_context(system_u:object_r:realmd_exec_t,s0)
 
+/usr/libexec/realmd            --      
gen_context(system_u:object_r:realmd_exec_t,s0)
+
 /var/cache/realmd(/.*)?                        
gen_context(system_u:object_r:realmd_var_cache_t,s0)
 
 /var/lib/ipa-client(/.*)?              
gen_context(system_u:object_r:realmd_var_lib_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/redis.fc 
new/fedora-policy-20210419/policy/modules/contrib/redis.fc
--- old/fedora-policy-20210309/policy/modules/contrib/redis.fc  2021-03-09 
14:39:00.636217575 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/redis.fc  2021-04-19 
13:33:08.732896469 +0200
@@ -1,5 +1,6 @@
 /etc/rc\.d/init\.d/redis       --      
gen_context(system_u:object_r:redis_initrc_exec_t,s0)
 
+/etc/redis(/.*)?                       
gen_context(system_u:object_r:redis_conf_t,s0)
 /etc/redis-sentinel.*          --      
gen_context(system_u:object_r:redis_conf_t,s0)
 
 /usr/lib/systemd/system/redis.*                --      
gen_context(system_u:object_r:redis_unit_file_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/screen.if 
new/fedora-policy-20210419/policy/modules/contrib/screen.if
--- old/fedora-policy-20210309/policy/modules/contrib/screen.if 2021-03-09 
14:39:00.640217619 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/screen.if 2021-04-19 
13:33:08.736896517 +0200
@@ -82,6 +82,7 @@
        corecmd_bin_domtrans($1_screen_t, $3)
 
        auth_domtrans_chk_passwd($1_screen_t)
+       auth_domtrans_utempter($1_screen_t)
        auth_use_nsswitch($1_screen_t)
 
        logging_send_syslog_msg($1_screen_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/screen.te 
new/fedora-policy-20210419/policy/modules/contrib/screen.te
--- old/fedora-policy-20210309/policy/modules/contrib/screen.te 2021-03-09 
14:39:00.640217619 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/screen.te 2021-04-19 
13:33:08.736896517 +0200
@@ -5,6 +5,14 @@
 # Declarations
 #
 
+## <desc>
+##     <p>
+##     Determine whether screen can
+##     use fsetid/setuid/setgid capability.
+##     </p>
+## </desc>
+gen_tunable(screen_allow_session_sharing, false)
+
 attribute  screen_domain;
 
 type screen_exec_t;
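Review bot: The `<desc>` of the new `screen_allow_session_sharing` tunable says which capabilities it toggles but not what they are for, which is what an administrator deciding whether to flip it needs. The name suggests multi-user session sharing (screen's `multiuser` mode); if that is right, suggest `Allow screen to use the fsetid/setuid/setgid capabilities required for multi-user session sharing. Disabled by default so a compromised screen session cannot change credentials.` — confirm against screen's use of these capabilities before wording it that way. Moving the three capabilities behind a default-off tunable is a good least-privilege change; the `tunable_policy` block that grants them is in the last hunk of this file, and its body uses four-space indentation where the rest of the file uses tabs.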
@@ -26,7 +34,7 @@
 # Local policy
 #
 
-allow screen_domain self:capability { fsetid setgid setuid sys_tty_config };
+allow screen_domain self:capability { sys_tty_config };
 dontaudit screen_domain self:capability { dac_read_search  };
 allow screen_domain self:process signal_perms;
 allow screen_domain self:fifo_file rw_fifo_file_perms;
@@ -96,3 +104,7 @@
 userdom_create_user_pty(screen_domain)
 userdom_setattr_user_ptys(screen_domain)
 userdom_setattr_user_ttys(screen_domain)
+
+tunable_policy(`screen_allow_session_sharing',`
+    allow screen_domain self:capability { fsetid setgid setuid };
+')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/sssd.te 
new/fedora-policy-20210419/policy/modules/contrib/sssd.te
--- old/fedora-policy-20210309/policy/modules/contrib/sssd.te   2021-03-09 
14:39:00.644217663 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/sssd.te   2021-04-19 
13:33:08.740896565 +0200
@@ -118,6 +118,7 @@
 fs_getattr_cgroup(sssd_t)
 fs_search_cgroup_dirs(sssd_t)
 fs_list_inotifyfs(sssd_t)
+fs_getattr_tmpfs(sssd_t)
 fs_getattr_xattr_fs(sssd_t)
 
 selinux_validate_context(sssd_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/usbmuxd.te 
new/fedora-policy-20210419/policy/modules/contrib/usbmuxd.te
--- old/fedora-policy-20210309/policy/modules/contrib/usbmuxd.te        
2021-03-09 14:39:00.648217707 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/usbmuxd.te        
2021-04-19 13:33:08.748896662 +0200
@@ -52,6 +52,8 @@
 dev_read_urand(usbmuxd_t)
 dev_rw_generic_usb_dev(usbmuxd_t)
 
+fs_getattr_cgroup(usbmuxd_t)
+
 auth_use_nsswitch(usbmuxd_t)
 
 logging_send_syslog_msg(usbmuxd_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/contrib/vdagent.te 
new/fedora-policy-20210419/policy/modules/contrib/vdagent.te
--- old/fedora-policy-20210309/policy/modules/contrib/vdagent.te        
2021-03-09 14:39:00.648217707 +0100
+++ new/fedora-policy-20210419/policy/modules/contrib/vdagent.te        
2021-04-19 13:33:08.748896662 +0200
@@ -57,6 +57,7 @@
 
 systemd_read_logind_sessions_files(vdagent_t)
 systemd_login_read_pid_files(vdagent_t)
+systemd_login_watch_session_dirs(vdagent_t)
 systemd_dbus_chat_logind(vdagent_t)
 
 logging_send_syslog_msg(vdagent_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/kernel/corenetwork.te.in 
new/fedora-policy-20210419/policy/modules/kernel/corenetwork.te.in
--- old/fedora-policy-20210309/policy/modules/kernel/corenetwork.te.in  
2021-03-09 14:39:00.656217795 +0100
+++ new/fedora-policy-20210419/policy/modules/kernel/corenetwork.te.in  
2021-04-19 13:33:08.752896710 +0200
@@ -387,6 +387,7 @@
 network_port(xinuexpansion3, tcp,2023,s0, udp,2023,s0)
 network_port(xinuexpansion4, tcp,2024,s0, udp,2024,s0)
 network_port(xfs, tcp,7100,s0)
+network_port(xmsg, tcp,1716,s0, udp,1716,s0)
 network_port(xodbc_connect, tcp,6632,s0)
 network_port(xserver, tcp,6000-6020,s0)
 network_port(qpasa_agent, tcp,2612,s0, udp,2612,s0, tcp,2611,s0, udp,2611,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/kernel/devices.if 
new/fedora-policy-20210419/policy/modules/kernel/devices.if
--- old/fedora-policy-20210309/policy/modules/kernel/devices.if 2021-03-09 
14:39:00.656217795 +0100
+++ new/fedora-policy-20210419/policy/modules/kernel/devices.if 2021-04-19 
13:33:08.752896710 +0200
@@ -5075,6 +5075,24 @@
 
 ########################################
 ## <summary>
+##     Allow caller create hardware state information files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_create_sysfs_files',`
+       gen_require(`
+               type sysfs_t;
+       ')
+
+       create_files_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
 ##     Relabel hardware state directories.
 ## </summary>
 ## <param name="domain">
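Review bot: The summary of `dev_create_sysfs_files` reads `Allow caller create hardware state information files.`; it should be `Allow the caller to create hardware state information files.` Since creating plain files under sysfs is unusual, a sentence naming the intended use (which subtree, which caller) would help the next reviewer judge whether a narrower type than `sysfs_t` fits.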
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/kernel/domain.te 
new/fedora-policy-20210419/policy/modules/kernel/domain.te
--- old/fedora-policy-20210309/policy/modules/kernel/domain.te  2021-03-09 
14:39:00.656217795 +0100
+++ new/fedora-policy-20210419/policy/modules/kernel/domain.te  2021-04-19 
13:33:08.756896759 +0200
@@ -122,13 +122,18 @@
 #
 
 # read /proc/(pid|self) entries
-allow domain self:dir list_dir_perms;
+allow domain self:dir { list_dir_perms watch_dir_perms };
 allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
 allow domain self:file rw_file_perms;
 allow domain self:fifo_file rw_fifo_file_perms;
 allow domain self:sem create_sem_perms;
 allow domain self:shm create_shm_perms;
 
+# This is a temporary rule to work around a problem in kernel/xfs
+# triggering a false fowner capability AVC
+# https://bugzilla.redhat.com/show_bug.cgi?id=1933437
+dontaudit domain self:capability fowner;
+
 kernel_getattr_proc(domain)
 kernel_read_proc_symlinks(domain)
 kernel_read_crypto_sysctls(domain)
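Review bot: `dontaudit domain self:capability fowner;` silences CAP_FOWNER denials for every domain on the system, so while it grants nothing, it also hides every genuine fowner denial from audit2allow and from audit-based detection for as long as it stays in — the comment calls it temporary but gives no removal condition beyond the bug link. Suggest extending the comment with an explicit trigger, e.g. `# TODO: drop once the xfs fix from bz1933437 is in the minimum supported kernel`, so the rule does not outlive the bug. Anyone maintaining alerting on AVC denials should know that a real fowner abuse by a confined domain will not appear in the log while this rule is present. The domain rules continue outside the hunk.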
@@ -277,7 +282,7 @@
 allow unconfined_domain_type domain:msg { send receive };
 
 # For /proc/pid
-allow unconfined_domain_type domain:dir list_dir_perms;
+allow unconfined_domain_type domain:dir { list_dir_perms watch_dir_perms };
 allow unconfined_domain_type domain:file manage_file_perms;
 allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock 
};
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/kernel/files.fc 
new/fedora-policy-20210419/policy/modules/kernel/files.fc
--- old/fedora-policy-20210309/policy/modules/kernel/files.fc   2021-03-09 
14:39:00.656217795 +0100
+++ new/fedora-policy-20210419/policy/modules/kernel/files.fc   2021-04-19 
13:33:08.756896759 +0200
@@ -317,6 +317,7 @@
 /var/tmp               -d      
gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /var/tmp               -l      gen_context(system_u:object_r:tmp_t,s0)
 /var/tmp-inst          -d      
gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/var/tmp/tmp-inst      -d      
gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /var/tmp/.*                    <<none>>
 /var/tmp/lost\+found   -d      
gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /var/tmp/lost\+found/.*                <<none>>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/kernel/files.if 
new/fedora-policy-20210419/policy/modules/kernel/files.if
--- old/fedora-policy-20210309/policy/modules/kernel/files.if   2021-03-09 
14:39:00.656217795 +0100
+++ new/fedora-policy-20210419/policy/modules/kernel/files.if   2021-04-19 
13:33:08.756896759 +0200
@@ -2982,6 +2982,60 @@
 
 ########################################
 ## <summary>
+##     Watch directories in /boot.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_watch_boot_dirs',`
+       gen_require(`
+               type boot_t;
+       ')
+
+       allow $1 boot_t:dir watch_dir_perms;
+')
+
+########################################
+## <summary>
+##     Watch_mount directories in /boot.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_watch_mount_boot_dirs',`
+       gen_require(`
+               type boot_t;
+       ')
+
+       allow $1 boot_t:dir watch_mount_dir_perms;
+')
+
+########################################
+## <summary>
+##     Watch_with_perm directories in /boot.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_watch_with_perm_boot_dirs',`
+       gen_require(`
+               type boot_t;
+       ')
+
+       allow $1 boot_t:dir watch_with_perm_dir_perms;
+')
+
+########################################
+## <summary>
 ##     Create a private type object in boot
 ##     with an automatic type transition
 ## </summary>
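Review bot: The summaries `Watch_mount directories in /boot.` and `Watch_with_perm directories in /boot.` read like templated permission names rather than prose. If I read the permission names right, `watch_mount` and `watch_with_perm` are the fanotify-style dir permissions, so something like `Watch directories in /boot for mount events (watch_mount).` and `Watch directories in /boot with permission events (watch_with_perm).` would be clearer; the same wording recurs in `files_watch_mount_home` and `files_watch_with_perm_home` in the next hunk.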
@@ -4892,6 +4946,42 @@
 ')
 
 ########################################
+## <summary>
+##     Watch_mount home directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_watch_mount_home',`
+       gen_require(`
+               type home_root_t;
+       ')
+
+       allow $1 home_root_t:dir watch_mount_dir_perms;
+')
+
+########################################
+## <summary>
+##     Watch_with_perm home directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_watch_with_perm_home',`
+       gen_require(`
+               type home_root_t;
+       ')
+
+       allow $1 home_root_t:dir watch_with_perm_dir_perms;
+')
+
+########################################
 ## <summary>
 ##     Relabel to user home root (/home).
 ## </summary>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/kernel/filesystem.if 
new/fedora-policy-20210419/policy/modules/kernel/filesystem.if
--- old/fedora-policy-20210309/policy/modules/kernel/filesystem.if      
2021-03-09 14:39:00.656217795 +0100
+++ new/fedora-policy-20210419/policy/modules/kernel/filesystem.if      
2021-04-19 13:33:08.756896759 +0200
@@ -995,6 +995,25 @@
 
 ########################################
 ## <summary>
+##     Create cgroup files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_create_cgroup_files',`
+       gen_require(`
+               type cgroup_t;
+       ')
+
+       dev_search_sysfs($1)
+       create_files_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
 ##     Manage cgroup files.
 ## </summary>
 ## <param name="domain">
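Review bot: fs_create_cgroup_files grants a real `create` on cgroup_t files although the cgroup filesystem never lets a process create regular files, so the denial it presumably answers is most likely the `create` check the VFS performs when an existing control file is opened with O_CREAT; if that is the trigger, a `dontaudit` interface would silence the noise without widening policy for every login_userdomain caller. Independently, the new interface calls dev_search_sysfs($1) while the sibling fs_manage_cgroup_files in the next hunk does not, so either the manage interface is missing the search or this one carries an extra; a one-line comment on why the search is needed here would settle it.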
@@ -1006,7 +1025,6 @@
 interface(`fs_manage_cgroup_files',`
        gen_require(`
                type cgroup_t;
-
        ')
 
        manage_files_pattern($1, cgroup_t, cgroup_t)
@@ -2210,6 +2228,42 @@
 
 ########################################
 ## <summary>
+##     Watch_mount dirs on a DOS filesystem.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_watch_mount_dos_dirs',`
+       gen_require(`
+               type dosfs_t;
+       ')
+
+       watch_mount_dirs_pattern($1, dosfs_t, dosfs_t)
+')
+
+########################################
+## <summary>
+##     Watch_with_perm dirs on a DOS filesystem.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_watch_with_perm_dos_dirs',`
+       gen_require(`
+               type dosfs_t;
+       ')
+
+       watch_with_perm_dirs_pattern($1, dosfs_t, dosfs_t)
+')
+
+########################################
+## <summary>
 ##     Mmap files on a DOS filesystem.
 ## </summary>
 ## <param name="domain">
@@ -4700,7 +4754,7 @@
 
 ########################################
 ## <summary>
-##     Manage NFS server files.
+##     Manage NFS server files and directories.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -4713,6 +4767,7 @@
                type nfsd_fs_t;
        ')
 
+       manage_dirs_pattern($1, nfsd_fs_t, nfsd_fs_t)
        manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
 ')
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/roles/staff.te 
new/fedora-policy-20210419/policy/modules/roles/staff.te
--- old/fedora-policy-20210309/policy/modules/roles/staff.te    2021-03-09 
14:39:00.656217795 +0100
+++ new/fedora-policy-20210419/policy/modules/roles/staff.te    2021-04-19 
13:33:08.756896759 +0200
@@ -23,6 +23,7 @@
 #
 
 allow staff_t self:cap_userns { setpcap };
+allow staff_t self:netlink_generic_socket { create_socket_perms };
 
 corenet_ib_access_unlabeled_pkeys(staff_t)
 
@@ -74,6 +75,7 @@
 miscfiles_read_hwdata(staff_t)
 
 mount_sigkill(staff_t)
+mount_signal(staff_t)
 
 ifndef(`enable_mls',`
        selinux_read_policy(staff_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/roles/unprivuser.te 
new/fedora-policy-20210419/policy/modules/roles/unprivuser.te
--- old/fedora-policy-20210309/policy/modules/roles/unprivuser.te       
2021-03-09 14:39:00.656217795 +0100
+++ new/fedora-policy-20210419/policy/modules/roles/unprivuser.te       
2021-04-19 13:33:08.756896759 +0200
@@ -19,6 +19,13 @@
 
 userdom_unpriv_user_template(user)
 
+########################################
+#
+# Local policy
+#
+
+allow user_t self:netlink_generic_socket { create_socket_perms };
+
 kernel_read_numa_state(user_t)
 kernel_write_numa_state(user_t)
 
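Review bot: `allow user_t self:netlink_generic_socket { create_socket_perms };` lets the unprivileged user domain open generic netlink sockets with no comment naming the consumer, and generic netlink multiplexes many kernel families (wireless, taskstats and others), so the grant is harder to reason about than a per-family socket class. The braces around a single macro are also unusual next to the other allow lines in this module; `allow user_t self:netlink_generic_socket create_socket_perms;` reads the same. Suggest a comment such as `# <tool> queries <family> over generic netlink` above it; the same line is added to staff_t in staff.te.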
@@ -36,6 +43,8 @@
 init_dbus_chat(user_t)
 init_status(user_t)
 
+mount_signal(user_t)
+
 tunable_policy(`selinuxuser_execmod',`
        userdom_execmod_user_home_files(user_t)
 ')
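Review bot: mount_signal(user_t) lets the unprivileged user domain deliver signals to processes in the mount domain, and nothing in the hunk says which workflow needs it, given that the kill case was already covered elsewhere in this module. The kernel's DAC signal check still applies, so this mostly matters for mount processes running under the user's own uid, but the grant deserves a why-comment, e.g. `# user-initiated mount/umount helpers are signalled on cancel` if that is the actual trigger.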
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/services/xserver.te 
new/fedora-policy-20210419/policy/modules/services/xserver.te
--- old/fedora-policy-20210309/policy/modules/services/xserver.te       
2021-03-09 14:39:00.660217838 +0100
+++ new/fedora-policy-20210419/policy/modules/services/xserver.te       
2021-04-19 13:33:08.760896807 +0200
@@ -738,6 +738,7 @@
 systemd_hwdb_mmap_config(xdm_t)
 systemd_hwdb_read_config(xdm_t)
 systemd_coredump_domtrans(xdm_t)
+systemd_login_watch_session_dirs(xdm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
@@ -790,6 +791,7 @@
 userdom_filetrans_generic_home_content(xdm_t)
 
 optional_policy(`
+    dbus_exec_system_dbusd(xdm_t)
     dbus_stream_connect_session_bus(xdm_t)
     dbus_systemctl(xdm_t)
 ')
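Review bot: dbus_exec_system_dbusd(xdm_t) lets the display manager execute the system dbus-daemon binary and, as far as the interface name indicates, stay in xdm_t, with no comment saying what launches it; if xdm is spawning a per-session bus, a domain-transition interface would keep that daemon confined instead of running it in the display-manager domain. A comment such as `# <display manager> starts dbus-daemon for the greeter session` naming the consumer would also help the next person who audits xdm_t. The four-space indent of the added line matches its immediate neighbours but not the tab-indented optional_policy blocks elsewhere in this file.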
@@ -935,6 +937,7 @@
 optional_policy(`
        accountsd_read_lib_files(xdm_t)
        accountsd_dbus_chat(xdm_t)
+       accountsd_watch_lib(xdm_t)
 ')
 
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/system/authlogin.te 
new/fedora-policy-20210419/policy/modules/system/authlogin.te
--- old/fedora-policy-20210309/policy/modules/system/authlogin.te       
2021-03-09 14:39:00.660217838 +0100
+++ new/fedora-policy-20210419/policy/modules/system/authlogin.te       
2021-04-19 13:33:08.760896807 +0200
@@ -470,6 +470,8 @@
 # read /etc/nsswitch.conf
 files_read_etc_files(nsswitch_domain)
 
+fs_read_cgroup_files(nsswitch_domain)
+
 init_stream_connectto(nsswitch_domain)
 
 sysnet_dns_name_resolve(nsswitch_domain)
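Review bot: fs_read_cgroup_files(nsswitch_domain) is added without the why-comment its neighbour `# read /etc/nsswitch.conf` has, and nsswitch_domain is a broad attribute, so every NSS-using domain can now read cgroup control files. Suggest a comment naming the NSS module or library whose denial prompted it, e.g. `# nss-systemd reads cgroup files to resolve session state` only if that is the actual trigger; otherwise name the library or daemon concerned.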
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/fedora-policy-20210309/policy/modules/system/init.te 
new/fedora-policy-20210419/policy/modules/system/init.te
--- old/fedora-policy-20210309/policy/modules/system/init.te    2021-03-09 
14:39:00.660217838 +0100
+++ new/fedora-policy-20210419/policy/modules/system/init.te    2021-04-19 
13:33:08.760896807 +0200
@@ -51,6 +51,13 @@
 ## </desc>
 gen_tunable(init_create_dirs, true)
 
+## <desc>
+## <p>
+## Allow init audit_control capability
+## </p>
+## </desc>
+gen_tunable(init_audit_control, false)
+
 # used for direct running of init scripts
 # by admin domains
 attribute direct_run_init;
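Review bot: The description of the new init_audit_control tunable says only that it allows the capability, not what breaks without it or what enabling it means; CAP_AUDIT_CONTROL lets the holder change audit rules and enable or disable the audit subsystem, so an operator flipping this boolean should know they are letting init_t reconfigure auditing. Suggest expanding the `<desc>` to something like `Allow init (systemd) the audit_control capability, e.g. to set the audit enabled/lock state at boot. Enabling this lets init reconfigure or disable kernel auditing.` The tunable_policy block that consumes it is in the next hunk.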
@@ -554,6 +561,10 @@
     files_setattr_non_security_dirs(init_t)
 ')
 
+tunable_policy(`init_audit_control',`
+       allow init_t self:capability audit_control;
+')
+
 allow init_t self:system all_system_perms;
 allow init_t self:system module_load;
 allow init_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -1825,6 +1836,7 @@
        ')
 
        dontaudit daemon init_t:dir search_dir_perms;
+       dontaudit daemon init_t:file read_file_perms;
 ')
 
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/system/locallogin.te 
new/fedora-policy-20210419/policy/modules/system/locallogin.te
--- old/fedora-policy-20210309/policy/modules/system/locallogin.te      
2021-03-09 14:39:00.660217838 +0100
+++ new/fedora-policy-20210419/policy/modules/system/locallogin.te      
2021-04-19 13:33:08.760896807 +0200
@@ -113,6 +113,7 @@
 
 fs_search_auto_mountpoints(local_login_t)
 fs_getattr_cgroup(local_login_t)
+fs_getattr_tmpfs(local_login_t)
 fs_getattr_xattr_fs(local_login_t)
 
 storage_dontaudit_getattr_fixed_disk_dev(local_login_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/system/sysnetwork.te 
new/fedora-policy-20210419/policy/modules/system/sysnetwork.te
--- old/fedora-policy-20210309/policy/modules/system/sysnetwork.te      
2021-03-09 14:39:00.664217882 +0100
+++ new/fedora-policy-20210419/policy/modules/system/sysnetwork.te      
2021-04-19 13:33:08.764896855 +0200
@@ -198,6 +198,7 @@
        chronyd_initrc_domtrans(dhcpc_t)
        chronyd_systemctl(dhcpc_t)
        chronyd_domtrans(dhcpc_t)
+       chronyd_domtrans_chronyc(dhcpc_t)
        chronyd_read_keys(dhcpc_t)
 ')
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/system/systemd.te 
new/fedora-policy-20210419/policy/modules/system/systemd.te
--- old/fedora-policy-20210309/policy/modules/system/systemd.te 2021-03-09 
14:39:00.664217882 +0100
+++ new/fedora-policy-20210419/policy/modules/system/systemd.te 2021-04-19 
13:33:08.764896855 +0200
@@ -1333,14 +1333,16 @@
 #
 
 allow systemd_sleep_t self:capability sys_resource;
+# systemd-sleep needs to set timer for suspend-then-hibernate
+allow systemd_sleep_t self:capability2 wake_alarm;
 dontaudit systemd_sleep_t self:capability sys_ptrace;
 # systemd-sleep needs the permission to change sleep state
 allow systemd_sleep_t self:lockdown integrity;
 
 kernel_dgram_send(systemd_sleep_t)
 
+dev_create_sysfs_files(systemd_sleep_t)
 dev_rw_sysfs(systemd_sleep_t)
-dev_write_sysfs_dirs(systemd_sleep_t)
 dev_write_kmsg(systemd_sleep_t)
 
 fstools_rw_swap_files(systemd_sleep_t)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/modules/system/userdomain.te 
new/fedora-policy-20210419/policy/modules/system/userdomain.te
--- old/fedora-policy-20210309/policy/modules/system/userdomain.te      
2021-03-09 14:39:00.664217882 +0100
+++ new/fedora-policy-20210419/policy/modules/system/userdomain.te      
2021-04-19 13:33:08.764896855 +0200
@@ -372,10 +372,25 @@
 ############################################################
 # login_userdomain local policy
 
+corenet_tcp_bind_xmsg_port(login_userdomain)
+
+create_blk_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
+create_chr_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
+create_fifo_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
+create_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
+create_sock_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
+
+tunable_policy(`deny_bluetooth',`',`
+       allow login_userdomain self:bluetooth_socket rw_stream_socket_perms;
+')
+
+dev_watch_generic_dirs(login_userdomain)
+
 files_watch_etc_dirs(login_userdomain)
 files_watch_usr_dirs(login_userdomain)
 files_watch_var_lib_dirs(login_userdomain)
 
+fs_create_cgroup_files(login_userdomain)
 fs_watch_cgroup_files(login_userdomain)
 
 miscfiles_watch_localization_symlinks(login_userdomain)
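Review bot: create_blk_files_pattern and create_chr_files_pattern on user_tmp_t give every member of login_userdomain — including the unprivileged user_t and staff_t roles, not only the admin domains — the policy right to mknod device nodes in their tmp directory, with no comment naming the consumer. The DAC CAP_MKNOD check remains the practical barrier for unprivileged users, but the policy stops being an independent gate, so this should be scoped to the domain that actually needs it or at least carry a comment such as `# <consumer> creates device nodes under $TMPDIR` if that is a known case. The same applies to corenet_tcp_bind_xmsg_port(login_userdomain), which lets all login user domains bind a fixed port without explanation. The stray space in `user_tmp_t )` on the five create_* lines also departs from the rest of the file.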
@@ -390,6 +405,10 @@
        gnome_watch_home_config_files(login_userdomain)
 ')
 
+optional_policy(`
+       systemd_login_watch_session_dirs(login_userdomain)
+')
+
 ############################################################
 # Local Policy Confined Admin
 #
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/fedora-policy-20210309/policy/support/file_patterns.spt 
new/fedora-policy-20210419/policy/support/file_patterns.spt
--- old/fedora-policy-20210309/policy/support/file_patterns.spt 2021-03-09 
14:39:00.664217882 +0100
+++ new/fedora-policy-20210419/policy/support/file_patterns.spt 2021-04-19 
13:33:08.764896855 +0200
@@ -80,10 +80,18 @@
        allow $1 $2:dir search_dir_perms;
        allow $1 $3:dir watch_dir_perms;
 ')
+define(`watch_mount_dirs_pattern',`
+       allow $1 $2:dir search_dir_perms;
+       allow $1 $3:dir watch_mount_dir_perms;
+')
 define(`watch_reads_dirs_pattern',`
        allow $1 $2:dir search_dir_perms;
        allow $1 $3:dir watch_reads_dir_perms;
 ')
+define(`watch_with_perm_dirs_pattern',`
+       allow $1 $2:dir search_dir_perms;
+       allow $1 $3:dir watch_with_perm_dir_perms;
+')
 
 #
 # Regular file patterns (file)

++++++ fix_dbus.patch ++++++
--- /var/tmp/diff_new_pack.tElr3W/_old  2021-04-22 18:04:24.554547516 +0200
+++ /var/tmp/diff_new_pack.tElr3W/_new  2021-04-22 18:04:24.554547516 +0200
@@ -1,11 +1,11 @@
-Index: fedora-policy/policy/modules/contrib/dbus.te
+Index: fedora-policy-20210419/policy/modules/contrib/dbus.te
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/dbus.te  2020-02-25 
08:22:02.846623845 +0000
-+++ fedora-policy/policy/modules/contrib/dbus.te       2020-02-25 
08:22:31.991108418 +0000
+--- fedora-policy-20210419.orig/policy/modules/contrib/dbus.te
++++ fedora-policy-20210419/policy/modules/contrib/dbus.te
 @@ -80,6 +80,7 @@ read_lnk_files_pattern(system_dbusd_t, d
  manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
  manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
- files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file sock_file 
})
 +allow system_dbusd_t system_dbusd_tmp_t:file execute;
  
  manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, 
system_dbusd_tmpfs_t)

++++++ fix_hadoop.patch ++++++
--- /var/tmp/diff_new_pack.tElr3W/_old  2021-04-22 18:04:24.574547546 +0200
+++ /var/tmp/diff_new_pack.tElr3W/_new  2021-04-22 18:04:24.574547546 +0200
@@ -1,7 +1,7 @@
-Index: fedora-policy-20210309/policy/modules/roles/sysadm.te
+Index: fedora-policy-20210419/policy/modules/roles/sysadm.te
 ===================================================================
---- fedora-policy-20210309.orig/policy/modules/roles/sysadm.te
-+++ fedora-policy-20210309/policy/modules/roles/sysadm.te
+--- fedora-policy-20210419.orig/policy/modules/roles/sysadm.te
++++ fedora-policy-20210419/policy/modules/roles/sysadm.te
 @@ -298,10 +298,6 @@ optional_policy(`
  ')
  
@@ -13,11 +13,11 @@
      iotop_run(sysadm_t, sysadm_r)
  ')
  
-Index: fedora-policy-20210309/policy/modules/roles/unprivuser.te
+Index: fedora-policy-20210419/policy/modules/roles/unprivuser.te
 ===================================================================
---- fedora-policy-20210309.orig/policy/modules/roles/unprivuser.te
-+++ fedora-policy-20210309/policy/modules/roles/unprivuser.te
-@@ -200,10 +200,6 @@ ifndef(`distro_redhat',`
+--- fedora-policy-20210419.orig/policy/modules/roles/unprivuser.te
++++ fedora-policy-20210419/policy/modules/roles/unprivuser.te
+@@ -209,10 +209,6 @@ ifndef(`distro_redhat',`
        ')
  
        optional_policy(`

++++++ fix_init.patch ++++++
--- /var/tmp/diff_new_pack.tElr3W/_old  2021-04-22 18:04:24.582547558 +0200
+++ /var/tmp/diff_new_pack.tElr3W/_new  2021-04-22 18:04:24.582547558 +0200
@@ -1,7 +1,7 @@
-Index: fedora-policy-20210309/policy/modules/system/init.if
+Index: fedora-policy-20210419/policy/modules/system/init.if
 ===================================================================
---- fedora-policy-20210309.orig/policy/modules/system/init.if
-+++ fedora-policy-20210309/policy/modules/system/init.if
+--- fedora-policy-20210419.orig/policy/modules/system/init.if
++++ fedora-policy-20210419/policy/modules/system/init.if
 @@ -3242,6 +3242,7 @@ interface(`init_filetrans_named_content'
        files_etc_filetrans($1, machineid_t, file, "machine-id" )
        files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
@@ -10,11 +10,11 @@
        init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
  ')
  
-Index: fedora-policy-20210309/policy/modules/system/init.te
+Index: fedora-policy-20210419/policy/modules/system/init.te
 ===================================================================
---- fedora-policy-20210309.orig/policy/modules/system/init.te
-+++ fedora-policy-20210309/policy/modules/system/init.te
-@@ -262,6 +262,8 @@ corecmd_exec_bin(init_t)
+--- fedora-policy-20210419.orig/policy/modules/system/init.te
++++ fedora-policy-20210419/policy/modules/system/init.te
+@@ -269,6 +269,8 @@ corecmd_exec_bin(init_t)
  corenet_all_recvfrom_netlabel(init_t)
  corenet_tcp_bind_all_ports(init_t)
  corenet_udp_bind_all_ports(init_t)
@@ -23,7 +23,7 @@
  
  dev_create_all_files(init_t)
  dev_create_all_chr_files(init_t)
-@@ -390,6 +391,7 @@ logging_manage_audit_config(init_t)
+@@ -397,6 +399,7 @@ logging_manage_audit_config(init_t)
  logging_create_syslog_netlink_audit_socket(init_t)
  logging_write_var_log_dirs(init_t)
  logging_manage_var_log_symlinks(init_t)
@@ -31,7 +31,7 @@
  
  seutil_read_config(init_t)
  seutil_read_login_config(init_t)
-@@ -439,11 +441,16 @@ ifdef(`distro_redhat',`
+@@ -446,11 +449,16 @@ ifdef(`distro_redhat',`
  corecmd_shell_domtrans(init_t, initrc_t)
  
  storage_raw_rw_fixed_disk(init_t)
@@ -48,7 +48,7 @@
      bootloader_domtrans(init_t)
  ')
  
-@@ -557,10 +564,10 @@ tunable_policy(`init_create_dirs',`
+@@ -568,10 +576,10 @@ tunable_policy(`init_audit_control',`
  allow init_t self:system all_system_perms;
  allow init_t self:system module_load;
  allow init_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -61,7 +61,7 @@
  allow init_t self:netlink_selinux_socket create_socket_perms;
  allow init_t self:unix_dgram_socket lock;
  # Until systemd is fixed
-@@ -618,6 +625,7 @@ files_delete_all_spool_sockets(init_t)
+@@ -629,6 +637,7 @@ files_delete_all_spool_sockets(init_t)
  files_create_var_lib_dirs(init_t)
  files_create_var_lib_symlinks(init_t)
  files_read_var_lib_symlinks(init_t)
@@ -69,7 +69,7 @@
  files_manage_urandom_seed(init_t)
  files_list_locks(init_t)
  files_list_spool(init_t)
-@@ -654,7 +662,7 @@ fs_list_all(init_t)
+@@ -665,7 +674,7 @@ fs_list_all(init_t)
  fs_list_auto_mountpoints(init_t)
  fs_register_binary_executable_type(init_t)
  fs_relabel_tmpfs_sock_file(init_t)
@@ -78,7 +78,7 @@
  fs_relabel_cgroup_dirs(init_t)
  fs_search_cgroup_dirs(init_t)
  # for network namespaces
-@@ -710,6 +718,7 @@ systemd_write_inherited_logind_sessions_
+@@ -721,6 +730,7 @@ systemd_write_inherited_logind_sessions_
  create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
  
  create_dirs_pattern(init_t, var_log_t, var_log_t)
@@ -86,7 +86,7 @@
  
  auth_use_nsswitch(init_t)
  auth_rw_login_records(init_t)
-@@ -1563,6 +1572,8 @@ optional_policy(`
+@@ -1574,6 +1584,8 @@ optional_policy(`
  
  optional_policy(`
        postfix_list_spool(initrc_t)

++++++ fix_unprivuser.patch ++++++
--- /var/tmp/diff_new_pack.tElr3W/_old  2021-04-22 18:04:24.638547644 +0200
+++ /var/tmp/diff_new_pack.tElr3W/_new  2021-04-22 18:04:24.638547644 +0200
@@ -1,8 +1,8 @@
-Index: fedora-policy-20210309/policy/modules/roles/unprivuser.te
+Index: fedora-policy-20210419/policy/modules/roles/unprivuser.te
 ===================================================================
---- fedora-policy-20210309.orig/policy/modules/roles/unprivuser.te
-+++ fedora-policy-20210309/policy/modules/roles/unprivuser.te
-@@ -282,6 +282,13 @@ ifndef(`distro_redhat',`
+--- fedora-policy-20210419.orig/policy/modules/roles/unprivuser.te
++++ fedora-policy-20210419/policy/modules/roles/unprivuser.te
+@@ -291,6 +291,13 @@ ifndef(`distro_redhat',`
  ')
  
  optional_policy(`
