Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2022-07-13 14:55:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.1523 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Wed Jul 13 14:55:54 2022 rev:27 rq:988936 version:20220624

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2022-06-25 10:23:58.382648982 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1523/selinux-policy.changes  
2022-07-13 14:55:57.187021449 +0200
@@ -1,0 +2,16 @@
+Wed Jul 13 07:48:41 UTC 2022 - Johannes Segitz <jseg...@suse.com>
+
+- Update fix_systemd.patch to add cap sys_admin and kernel_dgram_send for
+  systemd_gpt_generator_t (bsc#1200911)
+
+-------------------------------------------------------------------
+Mon Jul 11 13:45:04 UTC 2022 - Johannes Segitz <jseg...@suse.com>
+
+- postfix: Label PID files and some helpers correctly (bsc#1197242)
+
+-------------------------------------------------------------------
+Fri Jun 24 12:51:40 UTC 2022 - Johannes Segitz <jseg...@suse.com>
+
+- Add fix_userdomain.patch to dontaudit UDP rpc ports (bsc#1193984)
+
+-------------------------------------------------------------------

New:
----
  fix_userdomain.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.xbFgWc/_old  2022-07-13 14:55:58.399022898 +0200
+++ /var/tmp/diff_new_pack.xbFgWc/_new  2022-07-13 14:55:58.407022908 +0200
@@ -141,6 +141,7 @@
 Patch058:       fix_bitlbee.patch
 Patch059:       systemd_domain_dyntrans_type.patch
 Patch060:       fix_dnsmasq.patch
+Patch061:       fix_userdomain.patch
 
 Patch100:       sedoctool.patch
 

++++++ fix_postfix.patch ++++++
--- /var/tmp/diff_new_pack.xbFgWc/_old  2022-07-13 14:55:58.799023377 +0200
+++ /var/tmp/diff_new_pack.xbFgWc/_new  2022-07-13 14:55:58.803023381 +0200
@@ -1,8 +1,8 @@
-Index: fedora-policy/policy/modules/contrib/postfix.fc
+Index: fedora-policy-20220624/policy/modules/contrib/postfix.fc
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/postfix.fc
-+++ fedora-policy/policy/modules/contrib/postfix.fc
-@@ -1,37 +1,20 @@
+--- fedora-policy-20220624.orig/policy/modules/contrib/postfix.fc
++++ fedora-policy-20220624/policy/modules/contrib/postfix.fc
+@@ -1,37 +1,21 @@
  # postfix
 -/etc/rc\.d/init\.d/postfix    --  
gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
 -/etc/postfix.*                        
gen_context(system_u:object_r:postfix_etc_t,s0)
@@ -41,6 +41,7 @@
 +/etc/postfix.*                                
gen_context(system_u:object_r:postfix_etc_t,s0)
 +/etc/postfix/chroot-update    --      
gen_context(system_u:object_r:postfix_exec_t,s0)
 +/usr/lib/postfix/bin/.*               --      
gen_context(system_u:object_r:postfix_exec_t,s0)
++/usr/lib/postfix/systemd/.*   --      
gen_context(system_u:object_r:postfix_exec_t,s0)
 +/usr/lib/postfix/bin/cleanup  --      
gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
 +/usr/lib/postfix/bin/local    --      
gen_context(system_u:object_r:postfix_local_exec_t,s0)
 +/usr/lib/postfix/bin/master   --      
gen_context(system_u:object_r:postfix_master_exec_t,s0)
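Review bot: The new file-context entry `/usr/lib/postfix/systemd/.*` here, and the widened `/var/spool/postfix/pid(/.*)?` in the later postfix.fc hunk, only change the label the policy expects. Files and the pid directory that already exist on an installed system keep their old labels until those paths are relabelled, for example by running restorecon on them. The spec scriptlets are not visible on this page, so it is worth confirming that the update triggers a relabel; otherwise bsc#1197242 may persist on upgraded systems. I would also add a comment above the new line in the patch, such as `# SUSE: helpers under /usr/lib/postfix/systemd (bsc#1197242)`, so that the reason for the distro-specific path stays with the rule.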
@@ -56,7 +57,7 @@
  /etc/postfix/postfix-script.* -- 
gen_context(system_u:object_r:postfix_exec_t,s0)
  /etc/postfix/prng_exch        --      
gen_context(system_u:object_r:postfix_prng_t,s0)
  /usr/sbin/postalias   --      
gen_context(system_u:object_r:postfix_master_exec_t,s0)
-@@ -45,6 +28,9 @@ ifdef(`distro_redhat', `
+@@ -45,13 +29,16 @@ ifdef(`distro_redhat', `
  /usr/sbin/postqueue   --      
gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
  /usr/sbin/postsuper   --      
gen_context(system_u:object_r:postfix_master_exec_t,s0)
  
@@ -66,10 +67,18 @@
  /var/lib/postfix.*            gen_context(system_u:object_r:postfix_data_t,s0)
  
  /var/spool/postfix.*          
gen_context(system_u:object_r:postfix_spool_t,s0)
-Index: fedora-policy/policy/modules/contrib/postfix.te
+ /var/spool/postfix/deferred(/.*)? 
gen_context(system_u:object_r:postfix_spool_t,s0)
+ /var/spool/postfix/defer(/.*)?          
gen_context(system_u:object_r:postfix_spool_t,s0)
+ /var/spool/postfix/maildrop(/.*)? 
gen_context(system_u:object_r:postfix_spool_t,s0)
+-/var/spool/postfix/pid/.*     
gen_context(system_u:object_r:postfix_var_run_t,s0)
++/var/spool/postfix/pid(/.*)?  
gen_context(system_u:object_r:postfix_var_run_t,s0)
+ /var/spool/postfix/private(/.*)? 
gen_context(system_u:object_r:postfix_private_t,s0)
+ /var/spool/postfix/public(/.*)? 
gen_context(system_u:object_r:postfix_public_t,s0)
+ /var/spool/postfix/bounce(/.*)? 
gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
+Index: fedora-policy-20220624/policy/modules/contrib/postfix.te
 ===================================================================
---- fedora-policy.orig/policy/modules/contrib/postfix.te
-+++ fedora-policy/policy/modules/contrib/postfix.te
+--- fedora-policy-20220624.orig/policy/modules/contrib/postfix.te
++++ fedora-policy-20220624/policy/modules/contrib/postfix.te
 @@ -447,6 +447,14 @@ logging_send_syslog_msg(postfix_map_t)
  
  userdom_use_inherited_user_ptys(postfix_map_t)

++++++ fix_systemd.patch ++++++
--- /var/tmp/diff_new_pack.xbFgWc/_old  2022-07-13 14:55:58.839023424 +0200
+++ /var/tmp/diff_new_pack.xbFgWc/_new  2022-07-13 14:55:58.839023424 +0200
@@ -1,7 +1,7 @@
-Index: fedora-policy-20220428/policy/modules/system/systemd.te
+Index: fedora-policy-20220624/policy/modules/system/systemd.te
 ===================================================================
---- fedora-policy-20220428.orig/policy/modules/system/systemd.te
-+++ fedora-policy-20220428/policy/modules/system/systemd.te
+--- fedora-policy-20220624.orig/policy/modules/system/systemd.te
++++ fedora-policy-20220624/policy/modules/system/systemd.te
 @@ -355,6 +355,10 @@ userdom_manage_user_tmp_chr_files(system
  xserver_dbus_chat(systemd_logind_t)
  
@@ -24,4 +24,22 @@
  #######################################
  #
  # rfkill policy
+@@ -1105,7 +1113,7 @@ systemd_read_efivarfs(systemd_hwdb_t)
+ # systemd_gpt_generator domain
+ #
+ 
+-allow systemd_gpt_generator_t self:capability sys_rawio;
++allow systemd_gpt_generator_t self:capability { sys_rawio sys_admin};
+ allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket 
create_socket_perms;
+ 
+ dev_read_sysfs(systemd_gpt_generator_t)
+@@ -1127,6 +1135,8 @@ systemd_unit_file_filetrans(systemd_gpt_
+ systemd_create_unit_file_dirs(systemd_gpt_generator_t)
+ systemd_create_unit_file_lnk(systemd_gpt_generator_t)
+ 
++kernel_dgram_send(systemd_gpt_generator_t)
++
+ optional_policy(`
+       udev_read_pid_files(systemd_gpt_generator_t)
+ ')
 
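Review bot: The widened rule `allow systemd_gpt_generator_t self:capability { sys_rawio sys_admin};` grants CAP_SYS_ADMIN, one of the broadest capabilities, and nothing in the patch says which operation of the generator needs it. The only trace is bsc#1200911 in the changelog. I would put a comment directly above the rule, e.g. `# bsc#1200911: sys_admin needed for <operation seen in the AVC denial>` (placeholder to be filled in), so a later reviewer can re-check whether the grant is still required or could be narrowed. Minor style: the set is missing a space before the closing brace; it should read `{ sys_rawio sys_admin };`. The systemd_gpt_generator section continues outside the hunk.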

++++++ fix_userdomain.patch ++++++
Index: fedora-policy-20220624/policy/modules/system/userdomain.if
===================================================================
--- fedora-policy-20220624.orig/policy/modules/system/userdomain.if
+++ fedora-policy-20220624/policy/modules/system/userdomain.if
@@ -1497,6 +1497,7 @@ tunable_policy(`deny_bluetooth',`',`
 
        # port access is audited even if dac would not have allowed it, so 
dontaudit it here
 #      corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+       corenet_dontaudit_udp_bind_all_rpc_ports($1_t)
        # Need the following rule to allow users to run vpnc
        corenet_tcp_bind_xserver_port($1_t)
        corenet_tcp_bind_generic_node($1_usertype)
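Review bot: The added `corenet_dontaudit_udp_bind_all_rpc_ports($1_t)` silences the denial for every domain built from this template, so a UDP bind attempt on an RPC port by a user process no longer leaves an AVC record. The existing comment above it was written for the commented-out TCP line. I would add a line such as `# bsc#1193984: same reasoning applies to UDP binds on rpc ports` directly above the new rule, so that the suppression is traceable. For anyone investigating later, dontaudit rules can be temporarily disabled with `semodule -DB` to make these denials visible again. The enclosing template starts and ends outside the hunk.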
