From 888d9152760325c9e3ef32518a6ad7033930f700 Mon Sep 17 00:00:00 2001
From: basebuilder_pel7ppc64lebuilder0
Date: Sat, 23 Nov 2019 23:00:52 +0100
Subject: [PATCH] selinux-policy package update
Signed-off-by: basebuilder_pel7ppc64lebuilder0
---
 SOURCES/modules-targeted-contrib.conf | 14 ++
 SOURCES/rpm.macros | 107 ++++---
 .../selinux-policy-migrate-local-changes.sh | 2 +-
 SPECS/selinux-policy.spec | 236 +++++++++++++++++-
 4 files changed, 297 insertions(+), 62 deletions(-)
diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf
index 32c88ba9..acd46bbc 100644
--- a/SOURCES/modules-targeted-contrib.conf
+++ b/SOURCES/modules-targeted-contrib.conf
@@ -2565,3 +2565,17 @@ tlp = module
 # tangd
 #
 tangd = module
+
+# Layer: contrib
+# Module: kpatch
+#
+# kpatch
+#
+kpatch = module
+
+# Layer: contrib
+# Module: boltd
+#
+# boltd
+#
+boltd = module
diff --git a/SOURCES/rpm.macros b/SOURCES/rpm.macros
index cc598d60..3eadcbf7 100644
--- a/SOURCES/rpm.macros
+++ b/SOURCES/rpm.macros
@@ -21,12 +21,13 @@
 %_selinux_policy_version SELINUXPOLICYVERSION
 %_selinux_store_path SELINUXSTOREPATH
+%_selinux_store_policy_path %{_selinux_store_path}/${_policytype}
 %_file_context_file %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts
 %_file_context_file_pre %{_localstatedir}/lib/rpm-state/file_contexts.pre
-%_file_custom_defined_booleans %{_selinux_store_path}/${_policytype}/rpmbooleans.custom
-%_file_custom_defined_booleans_tmp %{_selinux_store_path}/${_policytype}/rpmbooleans.custom.tmp
+%_file_custom_defined_booleans %{_selinux_store_policy_path}/rpmbooleans.custom
+%_file_custom_defined_booleans_tmp %{_selinux_store_policy_path}/rpmbooleans.custom.tmp
 # %selinux_requires
 %selinux_requires \
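Review bot: The new `%_selinux_store_policy_path` macro expands to a path that contains the shell variable `${_policytype}`, which only exists inside the scriptlet bodies that assign it from `%{-s*}`, so the macro (and the two `%_file_custom_defined_booleans*` macros now built on it) is unusable from `%files` or any other non-shell context. A comment above the definition such as `# only valid inside scriptlets after _policytype has been set` would make that contract explicit. The `-d` tests added in the later rpm.macros hunks depend on that same expansion.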
@@ -38,7 +39,7 @@ BuildRequires: selinux-policy-devel \
 Requires(post): selinux-policy-base >= %{_selinux_policy_version} \
 Requires(post): libselinux-utils \
 Requires(post): policycoreutils \
-%if 0%{?fedora} \
+%if 0%{?fedora} || 0%{?rhel} > 7\
 Requires(post): policycoreutils-python-utils \
 %else \
 Requires(post): policycoreutils-python \
@@ -52,9 +53,9 @@ _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
 _policytype="targeted" \
 fi \
-%{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* \
-if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
- %{_sbindir}/load_policy \
+if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* \
+ %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
 fi \
 %{nil}
@@ -66,9 +67,9 @@ if [ -z "${_policytype}" ]; then \
 _policytype="targeted" \
 fi \
 if [ $1 -eq 0 ]; then \
- %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
- if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
- %{_sbindir}/load_policy \
+ if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
+ %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
 fi \
 fi \
 %{nil}
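Review bot: `+%if 0%{?fedora} || 0%{?rhel} > 7\` is the only line in this macro body without a space before the continuation backslash; rpm should still treat it as a continuation, but `7\` reads as part of the number on a quick scan. For consistency with the surrounding lines write `%if 0%{?fedora} || 0%{?rhel} > 7 \`.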
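Review bot: `%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \` discards a load_policy failure with no diagnostic, so a module that semodule just wrote to the store can fail to reach the kernel while the scriptlet still exits 0; the -66 hunk below adds the identical line. The `|| :` is there to keep the scriptlet from failing, so keep it but report the failure: `%{_sbindir}/selinuxenabled && { %{_sbindir}/load_policy || echo "load_policy failed" >&2; } || : \`. The semodule call on the line above is also unchecked, so a failed install of the listed modules leaves no trace either; an `|| echo "semodule -i failed" >&2` there would help. The head of the macro, where `_policytype` is derived from `%{-s*}`, is outside the hunk.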
@@ -108,33 +109,35 @@ _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
 _policytype="targeted" \
 fi \
-LOCAL_MODIFICATIONS=$(semanage boolean -E) \
-if [ ! -f %_file_custom_defined_booleans ]; then \
- /bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
-fi \
-semanage_import='' \
-for boolean in %*; do \
- boolean_name=${boolean%=*} \
- boolean_value=${boolean#*=} \
- boolean_local_string=$(grep "$boolean_name\$" <<<$LOCAL_MODIFICATIONS) \
- if [ -n "$boolean_local_string" ]; then \
- semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
- boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
- if [ -n "$boolean_customized_string" ]; then \
- /bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \
- else \
- /bin/echo $boolean_local_string >> %_file_custom_defined_booleans \
- fi \
- else \
- semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
- boolean_default_value=$(semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
- /bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
- fi \
-done; \
-if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
- /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
-else \
- /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype} -N" \
+if [ -d "%{_selinux_store_policy_path}" ]; then \
+ LOCAL_MODIFICATIONS=$(%{_sbindir}/semanage boolean -E) \
+ if [ ! -f %_file_custom_defined_booleans ]; then \
+ /bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
+ fi \
+ semanage_import='' \
+ for boolean in %*; do \
+ boolean_name=${boolean%=*} \
+ boolean_value=${boolean#*=} \
+ boolean_local_string=$(grep "$boolean_name\$" <<<$LOCAL_MODIFICATIONS) \
+ if [ -n "$boolean_local_string" ]; then \
+ semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
+ boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
+ if [ -n "$boolean_customized_string" ]; then \
+ /bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \
+ else \
+ /bin/echo $boolean_local_string >> %_file_custom_defined_booleans \
+ fi \
+ else \
+ semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
+ boolean_default_value=$(LC_ALL=C %{_sbindir}/semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
+ /bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
+ fi \
+ done; \
+ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+ elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
+ /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
+ fi \
 fi \
 %{nil}
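Review bot: The new fallback `elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then` only fires when base.lst is a directory; if it is a regular file, as the name suggests, the `-N` import is never reached and booleans set while SELinux is disabled or for a non-active store are silently dropped, where the removed `else` branch always imported. `test -f` (or `test -e`) is presumably what was meant, here and on the same line in the -145 hunk. Separately, `LOCAL_MODIFICATIONS=$(%{_sbindir}/semanage boolean -E)` and the `semanage boolean -l` default lookup query the active store while the import goes to `-S "${_policytype}"`, so with `-s` selecting another store the local-modification detection reads the wrong store; passing `-S "${_policytype}"` to both keeps the three calls consistent. The head of the macro, where `_policytype` is derived, is outside the hunk.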
@@ -145,20 +148,22 @@ _policytype=%{-s*} \
 if [ -z "${_policytype}" ]; then \
 _policytype="targeted" \
 fi \
-semanage_import='' \
-for boolean in %*; do \
- boolean_name=${boolean%=*} \
- boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
- if [ -n "$boolean_customized_string" ]; then \
- awk "/$boolean_customized_string/ && !f{f=1; next} 1" %_file_custom_defined_booleans > %_file_custom_defined_booleans_tmp && mv %_file_custom_defined_booleans_tmp %_file_custom_defined_booleans \
- if ! grep -q "$boolean_name\$" %_file_custom_defined_booleans; then \
- semanage_import="${semanage_import}\\n${boolean_customized_string}" \
- fi \
- fi \
-done; \
-if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
- /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
-else \
- /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype} -N" \
+if [ -d "%{_selinux_store_policy_path}" ]; then \
+ semanage_import='' \
+ for boolean in %*; do \
+ boolean_name=${boolean%=*} \
+ boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
+ if [ -n "$boolean_customized_string" ]; then \
+ awk "/$boolean_customized_string/ && !f{f=1; next} 1" %_file_custom_defined_booleans > %_file_custom_defined_booleans_tmp && mv %_file_custom_defined_booleans_tmp %_file_custom_defined_booleans \
+ if ! grep -q "$boolean_name\$" %_file_custom_defined_booleans; then \
+ semanage_import="${semanage_import}\\n${boolean_customized_string}" \
+ fi \
+ fi \
+ done; \
+ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+ elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
+ /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
+ fi \
 fi \
 %{nil}
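Review bot: `boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1)` matches any line whose text merely ends with the boolean name, so a boolean whose name is a suffix of another boolean's name can pick up the other one's entry, and the awk on the next line then deletes that wrong line from rpmbooleans.custom; the lookups in the -108 hunk have the same unanchored pattern. Every line this macro writes to the file, as far as the hunks show, has a space before the name, so anchoring on it is enough: `grep " $boolean_name\$"` here and in the `grep -q` two lines down, with the awk pattern anchored the same way. The awk program also interpolates `$boolean_customized_string` as a regex, which is safe only while boolean names stay alphanumeric/underscore; a one-line comment stating that assumption would help the next maintainer. The head of the macro, where `_policytype` is derived, is outside the hunk.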
diff --git a/SOURCES/selinux-policy-migrate-local-changes.sh b/SOURCES/selinux-policy-migrate-local-changes.sh
index 297b25c5..533be53c 100755
--- a/SOURCES/selinux-policy-migrate-local-changes.sh
+++ b/SOURCES/selinux-policy-migrate-local-changes.sh
@@ -43,7 +43,7 @@ for i in `find /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/modules/ -name \
 done
 for i in `find /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/modules/ -name \*.pp 2> /dev/null`; do
 module=`basename $i | sed 's/\.pp$//'`
-if [ $module == "pkcsslotd" ] || [ $module == "vbetool" ] || [ $module == "ctdbd" ] || [ $module == "docker" ] || [ $module == "gear" ]; then
+if [ $module == "audioentropy" ] || [ $module == "pkcsslotd" ] || [ $module == "vbetool" ] || [ $module == "ctdbd" ] || [ $module == "docker" ] || [ $module == "gear" ]; then
 continue
 fi
 if [ ! -d /etc/selinux/$MIGRATE_SELINUXTYPE/active/modules/100/$module ]; then
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index 1c3e0efa..74747b80 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
@@ -20,14 +20,13 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 230%{?dist}
+Release: 252%{?dist}.1
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
-patch0: policy-rhel-7.6-base.patch
-patch3: policy-rhel-7.6.z-base.patch
-patch1: policy-rhel-7.6-contrib.patch
-patch2: policy-rhel-7.6.z-contrib.patch
+patch0: policy-rhel-7.7-base.patch
+patch1: policy-rhel-7.7-contrib.patch
+patch2: policy-rhel-7.7.z-contrib.patch
 Source1: modules-targeted-base.conf
 Source31: modules-targeted-contrib.conf
 Source2: booleans-targeted.conf
@@ -346,7 +345,6 @@ Based off of reference policy: Checked out revision 2.20091117
 contrib_path=`pwd`
 %setup -n serefpolicy-%{version} -q
 %patch0 -p1
-%patch3 -p1
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
 rm -rf $refpolicy_path/policy/modules/contrib/kubernetes.*
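Review bot: The `[ $module == "audioentropy" ] || [ $module == "pkcsslotd" ] || …` chain in the migrate script grows by one test per skipped module and leaves `$module` unquoted in each of them; a `case` keeps the exclusion list in one place and needs no quoting: `case $module in audioentropy|pkcsslotd|vbetool|ctdbd|docker|gear) continue ;; esac`. The enclosing `for i in \`find …\`` loop also word-splits unquoted find output, which is harmless for the fixed module names under /etc/selinux but worth a comment. The loop body continues past the end of the hunk.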
@@ -657,11 +655,229 @@ fi
 %endif
 %changelog
-* Fri Nov 02 2018 Lukas Vrabec - 3.13.1-229.6
-- Allow nova_t domain to use pam
-Resolves: rhbz:#1645270
+* Wed Jul 10 2019 Lukas Vrabec - 3.13.1-252.1
+- Allow sbd_t domain to use nsswitch
+Resolves: rhbz#1728593
+
+* Thu Jun 27 2019 Lukas Vrabec - 3.13.1-252
+- Allow ganesha_t domain to connect to tcp portmap_port_t
+Resolves: rhbz#1715088
+
+* Mon Jun 10 2019 Lukas Vrabec - 3.13.1-251
+- Allow redis to creating tmp files with own label
+Resolves: rhbz#1646765
+
+* Wed Jun 05 2019 Lukas Vrabec - 3.13.1-250
+- Allow ctdb_t domain to manage samba_var_t files/links/sockets and dirs
+Resolves: rhbz#1716400
+
+* Wed May 22 2019 Lukas Vrabec - 3.13.1-249
+- Allow nrpe_t domain to read process state of systemd_logind_t
+- Add interface systemd_logind_read_state()
+Resolves: rhbz#1653309
+
+* Tue May 21 2019 Lukas Vrabec - 3.13.1-248
+- Label /etc/rhsm as rhsmcertd_config_t
+Resolves: rhbz#1703573
+
+* Fri May 17 2019 Lukas Vrabec - 3.13.1-247
+- Fix typo in gpg SELinux module
+- Update gpg policy to make ti working with confined users
+Resolves: rhbz#1535109
+- Alow nrpe_t to send signull to sssd domain when nagios_run_sudo boolean is turned on
+Resolves: rhbz#1653309
+- Allow nrpe_t domain to be dbus cliennt
+Resolves: rhbz#1653309
+- Add interface sssd_signull()
+Resolves: rhbz#1653309
+- Update userdomains to allow confined users to create gpg keys
+Resolves: rhbz#1535109
+
+* Thu May 02 2019 Lukas Vrabec - 3.13.1-246
+- Allow ngaios to use chown capability
+Resolves: rhbz#1653309
+- Dontaudit gpg_domain to create netlink_audit sockets
+Resolves: rhbz#1535109
+- Update fs_rw_cephfs_files() interface to allow also caller domain to read/write cephpfs_t lnk files
+Resolves: rhbz#1558836
+- Update domain_can_mmap_files() boolean to allow also mmap lnk files
+
+* Thu Apr 25 2019 Lukas Vrabec - 3.13.1-245
+- Allow rhsmcertd_t domain to read yum.log file labeled as rpm_log_t
+Resolves: rhbz#1695342
+
+* Tue Apr 23 2019 Lukas Vrabec - 3.13.1-244
+- Update Nagios policy when sudo is used
+Resolves: rhbz#1653309
+
+* Mon Apr 08 2019 Lukas Vrabec - 3.13.1-243
+- Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t
+Resolves: rhbz#1676810
+
+* Tue Mar 26 2019 Lukas Vrabec - 3.13.1-242
+- Make shell_exec_t type as entrypoint for vmtools_unconfined_t.
+Resolves: rhbz#1656814
+
+* Wed Mar 13 2019 Lukas Vrabec - 3.13.1-241
+- Update vmtools policy Resolves: rhbz#1656814 Allow domain transition from vmtools_t to vmtools_unconfined_t when shell_exec_t is entrypoint.
+- Allow virt_qemu_ga_t domain to read udev_var_run_t files
+Resolves: rhbz#1663092
+- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
+Resolves: rhbz#1653309
+- Allow nfsd_t to read nvme block devices BZ(1562554)
+Resolves: rhbz#1655493
+- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_t
+Resolves: rhbz#1650909
+- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
+Resolves: rhbz#1656814
+- Label /dev/pkey as crypt_device_t
+Resolves: rhbz#1623068
+- Allow sudodomains to write to systemd_logind_sessions_t pipes.
+Resolves: rhbz#1687452
+- Allow all user domains to read realmd_var_lib_t files and dirs to check if IPA is configured on the system
+Resolves: rhbz#1667962
+- Fixes: xenconsole does not start
+Resolves: rhbz#1601525
+- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
+Resolves: rhbz#1636197
+- Create tangd_port_t with default label tcp/7406
+Resolves: rhbz#1650909
+
+* Tue Mar 05 2019 Lukas Vrabec - 3.13.1-240
+- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range.
+Resolves: rhbz#1683754
+- Allow sbd_t domain to bypass permission checks for sending signals
+Resolves: rhbz#1671132
+- Allow sbd_t domain read/write all sysctls
+Resolves: rhbz#1671132
+- Allow kpatch_t domain to communicate with policykit_t domsin over dbus
+Resolves: rhbz#1602435
+- Allow boltd_t to stream connect to sytem dbus
+Resolves: rhbz#1589086
+- Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined admin
+Resolves: rhbz#1626115
+- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.
+Resolves: rhbz#1589086
+
+* Fri Mar 01 2019 Lukas Vrabec - 3.13.1-239
+- Allow sbd_t domain read/write all sysctls
+Resolves: rhbz#1671132
+- Allow kpatch_t domain to communicate with policykit_t domsin over dbus
+Resolves: rhbz#1602435
+- Allow boltd_t to stream connect to sytem dbus
+Resolves: rhbz#1589086
+- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.
+Resolves: rhbz#1589086
+
+* Mon Feb 25 2019 Lukas Vrabec - 3.13.1-238
+- Update redis_enable_notify() boolean to fix sending e-mail by redis when this boolean is turned on
+Resolves: rhbz#1646765
+
+* Tue Feb 19 2019 Lukas Vrabec - 3.13.1-237
+- Allow virtd_lxc_t domains use BPF
+Resolves: rhbz#1626115
+- F29 NetworkManager implements a new code for IPv4 address conflict detection (RFC 5227) based on n-acd [1], which uses eBPF to process ARP packets from the network.
+Resolves: rhbz#1626115
+- Allow unconfined user all perms under bpf class BZ(1565738
+Resolves: rhbz#1626115
+- Allow unconfined and sysadm users to use bpftool BZ(1591440)
+Resolves: rhbz#1626115
+- Allow systemd to manage bpf dirs/files
+Resolves: rhbz#1626115
+- Create new type bpf_t and label /sys/fs/bpf with this type
+Resolves:rhbz#1626115
+- Add new interface init_prog_run_bpf()
+Resolves:rhbz#1626115
+- add definition of bpf class and systemd perms
+Resolves: rhbz#1626115
+
+* Sun Feb 03 2019 Lukas Vrabec - 3.13.1-236
+- Update policy with multiple allow rules to make working installing VM in MLS policy
+Resolves: rhbz#1558121
+- Allow virt domain to use interited virtlogd domains fifo_file
+Resolves: rhbz#1558121
+- Allow chonyc_t domain to rw userdomain pipes
+Resolves: rhbz#1618757
+- Add file contexts in ganesha.fc file to label logging ganesha files properly.
+Resolves: rhbz#1628247
+
+* Thu Jan 31 2019 Lukas Vrabec - 3.13.1-235
+- Allow sandbox_xserver_t domain write to user_tmp_t files
+Resolves: rhbz#1646521
+- Allow virt_qemu_ga_t domain to read network state
+Resolves: rhbz#1630347
+- Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipes
+Resolves: rhbz#1589086
+- Add boltd policy
+Resolves: rhbz#1589086
+- Allow virt domains to read/write cephfs filesystems
+Resolves: rhbz#1558836
+- Allow gpg_t to create own tmpfs dirs and sockets
+Resolves: rhbz#1535109
+- Allow gpg_agent_t to send msgs to syslog/journal
+Resolves: rhbz#1535109
+- Allow virtual machine to write to fixed_disk_device_t
+Resolves: rhbz#1499208
+- Update kdump_manage_crash() interface to allow also manage dirs by caller domain
+Resolves: rhbz#1491585
+- Add kpatch policy
+Resolves: rhbz#1602435
+- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t
+Resolves: rhbz#1623942
+- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t
+Resolves: rhbz#1475271
+- Allow systemd to mount boltd_var_run_t dirs
+Resolves: rhbz#1589086
+- Allow systemd to mounont boltd lib dirs
+Resolves: rhbz#1589086
+- Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domain
+Resolves: rhbz#1602435
+- Allow passwd_t domain chroot
+- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block
+- Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t
+Resolves: rhbz#1447278
+- Allow staff_t user to systemctl iptables units.
+Resolves: rhbz#1360470
+
+* Thu Jan 31 2019 Lukas Vrabec - 3.13.1-234
+- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t
+Resolves: rhbz#1623942
+- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t
+Resolves: rhbz#1475271
+- Allow passwd_t domain chroot
+- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block
+- Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t
+Resolves: rhbz#1447278
+- Allow staff_t user to systemctl iptables units.
+Resolves: rhbz#1360470
+
+* Thu Jan 17 2019 Lukas Vrabec - 3.13.1-233
+- Allow gssd_t domain to manage kernel keyrings of every domain.
+Resolves: rhbz#1487350
+- Add new interface domain_manage_all_domains_keyrings()
+Resolves: rhbz#1487350
+
+* Sun Jan 13 2019 Lukas Vrabec - 3.13.1-232
+- Allow gssd_t domain to read/write kernel keyrings of every domain.
+Resolves: rhbz#1487350
+- Add interface domain_rw_all_domains_keyrings()
+Resolves: rhbz#1487350
+
+* Wed Dec 19 2018 Lukas Vrabec - 3.13.1-231
+- Update snapperd policy to allow snapperd manage all non security dirs.
+Resolves: rhbz#1619306
+
+* Fri Nov 09 2018 Lukas Vrabec - 3.13.1-230
+-Allow nova_t domain to use pam
+Resolves: rhbz:#1640528
 - sysstat: grant sysstat_t the search_dir_perms set
-Resolves: rhbz#1645271
+Resolves: rhbz#1637416
+- Allow cinder_volume_t domain to dbus chat with systemd_logind_t domain
+Resolves: rhbz#1630318
+- Allow staff_t userdomain and confined_admindomain attribute to allow use generic ptys because of new sudo feature 'io logging'
+Resolves: rhbz#1564470
+- Make ganesha policy active again
+Resolves: rhbz#1511489
 * Fri Oct 12 2018 Lukas Vrabec - 3.13.1-229.5
 - Remove disabling ganesha module in pre install phase of installation new selinux-policy package where ganesha is again standalone module