@@ -43,7 +43,7 @@ for i in `find /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/modules/ -name \
done
for i in `find /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/modules/ -name \*.pp 2> /dev/null`; do
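Review bot: The loop header shown as context here, for i in `find /etc/selinux/$MIGRATE_SELINUXTYPE/modules/active/modules/ -name \*.pp 2> /dev/null`, iterates over unquoted command substitution output, so a module path containing whitespace or glob characters is split or expanded before the loop body sees it, and $MIGRATE_SELINUXTYPE is expanded unquoted inside the path. Since this scriptlet runs as root during package installation, quote the variable and let find hand over the paths itself (find "..." -name '*.pp' -exec ... {} +) or read them one per line with while IFS= read -r i. The 2> /dev/null also hides the case where the modules directory is missing, which makes a skipped migration indistinguishable from an empty one; a short comment saying that this is intended would help. The changed line of this hunk is not visible in this rendering, so the comment applies to the context lines only.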
@@ -346,7 +345,6 @@ Based off of reference policy: Checked out revision 2.20091117
- Allow modemmanager_t domain to write to raw_ip file labeled as sysfs_t
Resolves: rhbz#1676810
* Tue Mar 26 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-242
- Make shell_exec_t type as entrypoint for vmtools_unconfined_t.
Resolves: rhbz#1656814
* Wed Mar 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-241
- Update vmtools policy Resolves: rhbz#1656814 Allow domain transition from vmtools_t to vmtools_unconfined_t when shell_exec_t is entrypoint.
- Allow virt_qemu_ga_t domain to read udev_var_run_t files
Resolves: rhbz#1663092
- Update nagios_run_sudo boolean with few allow rules related to accessing sssd
Resolves: rhbz#1653309
- Allow nfsd_t to read nvme block devices BZ(1562554)
Resolves: rhbz#1655493
- Allow tangd_t domain to bind on tcp ports labeled as tangd_port_t
Resolves: rhbz#1650909
- Allow all domains to send dbus msgs to vmtools_unconfined_t processes
Resolves: rhbz#1656814
- Label /dev/pkey as crypt_device_t
Resolves: rhbz#1623068
- Allow sudodomains to write to systemd_logind_sessions_t pipes.
Resolves: rhbz#1687452
- Allow all user domains to read realmd_var_lib_t files and dirs to check if IPA is configured on the system
Resolves: rhbz#1667962
- Fixes: xenconsole does not start
Resolves: rhbz#1601525
- Label /usr/lib64/libcuda.so.XX.XX library as textrel_shlib_t.
Resolves: rhbz#1636197
- Create tangd_port_t with default label tcp/7406
Resolves: rhbz#1650909
* Tue Mar 05 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-240
- named wants to access /proc/sys/net/ipv4/ip_local_port_range to get ehphemeral range.
Resolves: rhbz#1683754
- Allow sbd_t domain to bypass permission checks for sending signals
Resolves: rhbz#1671132
- Allow sbd_t domain read/write all sysctls
Resolves: rhbz#1671132
- Allow kpatch_t domain to communicate with policykit_t domsin over dbus
Resolves: rhbz#1602435
- Allow boltd_t to stream connect to sytem dbus
Resolves: rhbz#1589086
- Update userdom_admin_user_template() and init_prog_run_bpf() interfaces to make working bpftool for confined admin
Resolves: rhbz#1626115
- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.
Resolves: rhbz#1589086
* Fri Mar 01 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-239
- Allow sbd_t domain read/write all sysctls
Resolves: rhbz#1671132
- Allow kpatch_t domain to communicate with policykit_t domsin over dbus
Resolves: rhbz#1602435
- Allow boltd_t to stream connect to sytem dbus
Resolves: rhbz#1589086
- Update unconfined_dbus_send() interface to allow both direction communication over dbus with unconfined process.
Resolves: rhbz#1589086
* Mon Feb 25 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-238
- Update redis_enable_notify() boolean to fix sending e-mail by redis when this boolean is turned on
Resolves: rhbz#1646765
* Tue Feb 19 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-237
- Allow virtd_lxc_t domains use BPF
Resolves: rhbz#1626115
- F29 NetworkManager implements a new code for IPv4 address conflict detection (RFC 5227) based on n-acd [1], which uses eBPF to process ARP packets from the network.
Resolves: rhbz#1626115
- Allow unconfined user all perms under bpf class BZ(1565738
Resolves: rhbz#1626115
- Allow unconfined and sysadm users to use bpftool BZ(1591440)
Resolves: rhbz#1626115
- Allow systemd to manage bpf dirs/files
Resolves: rhbz#1626115
- Create new type bpf_t and label /sys/fs/bpf with this type
Resolves:rhbz#1626115
- Add new interface init_prog_run_bpf()
Resolves:rhbz#1626115
- add definition of bpf class and systemd perms
Resolves: rhbz#1626115
* Sun Feb 03 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-236
- Update policy with multiple allow rules to make working installing VM in MLS policy
Resolves: rhbz#1558121
- Allow virt domain to use interited virtlogd domains fifo_file
Resolves: rhbz#1558121
- Allow chonyc_t domain to rw userdomain pipes
Resolves: rhbz#1618757
- Add file contexts in ganesha.fc file to label logging ganesha files properly.
Resolves: rhbz#1628247
* Thu Jan 31 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-235
- Allow sandbox_xserver_t domain write to user_tmp_t files
Resolves: rhbz#1646521
- Allow virt_qemu_ga_t domain to read network state
Resolves: rhbz#1630347
- Bolt added d-bus API for force-powering the thunderbolt controller, so system-dbusd needs acces to boltd pipes
Resolves: rhbz#1589086
- Add boltd policy
Resolves: rhbz#1589086
- Allow virt domains to read/write cephfs filesystems
Resolves: rhbz#1558836
- Allow gpg_t to create own tmpfs dirs and sockets
Resolves: rhbz#1535109
- Allow gpg_agent_t to send msgs to syslog/journal
Resolves: rhbz#1535109
- Allow virtual machine to write to fixed_disk_device_t
Resolves: rhbz#1499208
- Update kdump_manage_crash() interface to allow also manage dirs by caller domain
Resolves: rhbz#1491585
- Add kpatch policy
Resolves: rhbz#1602435
- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t
Resolves: rhbz#1623942
- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t
Resolves: rhbz#1475271
- Allow systemd to mount boltd_var_run_t dirs
Resolves: rhbz#1589086
- Allow systemd to mounont boltd lib dirs
Resolves: rhbz#1589086
- Allow sysadm_t,staff_t and unconfined_t domain to execute kpatch as kpatch_t domain
Resolves: rhbz#1602435
- Allow passwd_t domain chroot
- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block
- Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t
Resolves: rhbz#1447278
- Allow staff_t user to systemctl iptables units.
Resolves: rhbz#1360470
* Thu Jan 31 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-234
- Label /usr/bin/mysqld_safe_helper as mysqld_exec_t instead of bin_t
Resolves: rhbz#1623942
- Allow svnserve_t domain to create in /tmp svn_0 file labeled as krb5_host_rcache_t
Resolves: rhbz#1475271
- Allow passwd_t domain chroot
- Add miscfiles_filetrans_named_content_letsencrypt() to optional_block
- Allow unconfined domains to create letsencrypt directory in /var/lib labeled as cert_t
Resolves: rhbz#1447278
- Allow staff_t user to systemctl iptables units.
Resolves: rhbz#1360470
* Thu Jan 17 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-233
- Allow gssd_t domain to manage kernel keyrings of every domain.
Resolves: rhbz#1487350
- Add new interface domain_manage_all_domains_keyrings()
Resolves: rhbz#1487350
* Sun Jan 13 2019 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-232
- Allow gssd_t domain to read/write kernel keyrings of every domain.
Resolves: rhbz#1487350
- Add interface domain_rw_all_domains_keyrings()
Resolves: rhbz#1487350
* Wed Dec 19 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-231
- Update snapperd policy to allow snapperd manage all non security dirs.
Resolves: rhbz#1619306
* Fri Nov 09 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-230
-Allow nova_t domain to use pam
Resolves: rhbz:#1640528
- sysstat: grant sysstat_t the search_dir_perms set
Resolves: rhbz#1645271
Resolves: rhbz#1637416
- Allow cinder_volume_t domain to dbus chat with systemd_logind_t domain
Resolves: rhbz#1630318
- Allow staff_t userdomain and confined_admindomain attribute to allow use generic ptys because of new sudo feature 'io logging'
Resolves: rhbz#1564470
- Make ganesha policy active again
Resolves: rhbz#1511489
* Fri Oct 12 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-229.5
- Remove disabling ganesha module in pre install phase of installation new selinux-policy package where ganesha is again standalone module
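Review bot: Several bug references in this changelog region do not follow the "Resolves: rhbz#N" form used by the rest of the entries, so anything that greps the changelog for fixed bugs will miss them: "Resolves:rhbz#1626115" (twice, under 3.13.1-237), "Resolves: rhbz:#1640528" (under 3.13.1-230), the unbalanced "BZ(1565738" in the bpf class entry, and the 3.13.1-241 entry where the tag is fused into the description ("Update vmtools policy Resolves: rhbz#1656814 Allow domain transition ..."). Normalising these while the changelog is being touched would be worthwhile. Separately, 3.13.1-240 repeats four entries already listed under 3.13.1-239 (sbd_t sysctls, kpatch_t over dbus, boltd_t stream connect, unconfined_dbus_send()), and 3.13.1-235 repeats every entry of 3.13.1-234 under the same date; if that is the result of a rebuild, a one-line remark in the later entry would make clear which release first shipped each rule. The hunk header records one removed line (-346,7 +345,6), but the removal is not identifiable in the visible lines, so please confirm it is not one of the "Resolves:" tags.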