Hello community,
here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2014-09-09 18:59:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
and /work/SRC/openSUSE:Factory/.selinux-policy.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy"
Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2014-09-06 12:18:34.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new/selinux-policy.changes 2014-09-09 18:59:15.000000000 +0200
@@ -1,0 +2,21 @@
+Mon Sep 8 09:08:19 UTC 2014 - jsegitz(a)suse.com
+
+- removed remove_duplicate_filetrans_pattern_rules.patch
+
+-------------------------------------------------------------------
+Fri Sep 5 11:22:02 UTC 2014 - jsegitz(a)suse.com
+
+- Updated policy to include everything up until 20140730 (refpolicy and
+ fedora rawhide improvements). Rebased all patches that are still
+ necessary
+- Removed permissivedomains.pp. Doesn't work with the new policy
+- modified spec file so that all modifications for distro=redhat and
+ distro=suse will be used.
+- added selinux-policy-rpmlintrc to suppress some warnings that aren't
+ valid for this package
+- added suse_minimal_cc.patch to create a suse specific module to prevent
+ errors while using the minimum policy. Will rework them in the proper
+ places once the minimum policy is reworked to really only confine a
+ minimal set of domains.
+
+-------------------------------------------------------------------
Old:
----
permissivedomains.pp
remove_duplicate_filetrans_pattern_rules.patch
serefpolicy-3.12.1.tgz
serefpolicy-contrib-3.12.1.tgz
New:
----
selinux-policy-rpmlintrc
serefpolicy-20140730.tgz
serefpolicy-contrib-20140730.tgz
suse_minimal_cc.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.BgfG6U/_old 2014-09-09 18:59:18.000000000 +0200
+++ /var/tmp/diff_new_pack.BgfG6U/_new 2014-09-09 18:59:18.000000000 +0200
@@ -35,13 +35,13 @@
%define BUILD_MLS 1
%endif
%define POLICYVER 29
-%define POLICYCOREUTILSVER 2.1.14
-%define CHECKPOLICYVER 2.2
+%define POLICYCOREUTILSVER 2.3
+%define CHECKPOLICYVER 2.3
Summary: SELinux policy configuration
License: GPL-2.0+
Group: System/Management
Name: selinux-policy
-Version: 3.12.1
+Version: 20140730
Release: 20%{?dist}
Source: serefpolicy-%{version}.tgz
Patch: policy-rawhide-base.patch
@@ -56,7 +56,7 @@
Patch16: useradd-netlink_selinux_socket.patch
Patch17: systemd-tmpfiles.patch
Patch18: label_var_run_rsyslog.patch
-Patch19: remove_duplicate_filetrans_pattern_rules.patch
+Patch19: suse_minimal_cc.patch
Source1: modules-targeted-base.conf
Source31: modules-targeted-contrib.conf
@@ -80,10 +80,10 @@
Source25: users-minimum
Source26: file_contexts.subs_dist
Source27: selinux-policy.conf
-Source28: permissivedomains.pp
Source29: serefpolicy-contrib-%{version}.tgz
Source30: booleans.subs_dist
Source40: selinux-policy.sysconfig
+Source41: selinux-policy-rpmlintrc
# the following two files are more like a packaging documentation
Source50: Alan_Rouse-openSUSE_with_SELinux.txt
@@ -102,6 +102,7 @@
BuildRequires: policycoreutils-python >= %{POLICYCOREUTILSVER}
BuildRequires: python
BuildRequires: python-xml
+BuildRequires: selinux-policy-devel
# we need selinuxenabled
Requires(post): selinux-tools
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
@@ -247,6 +248,7 @@
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
%dir %{_sysconfdir}/selinux/%1/contexts/files \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
@@ -257,11 +259,7 @@
%{_sysconfdir}/selinux/%1/booleans.subs_dist \
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
%dir %{_sysconfdir}/selinux/%1/contexts/users \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
-%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/*
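Review bot: Replacing the five explicit `contexts/users/...` entries with `%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/*` removes the self-check the old list gave the build: a user context file that vanishes from upstream, or a stray file that appears in that directory, is now packaged silently instead of failing the %files check. If the set of per-user context files really varies with the new policy, a comment above the glob naming the files it is expected to cover (the old list was `root`, `guest_u`, `xguest_u`, `user_u`, `staff_u`) would at least keep that knowledge in the spec. The %files macro this line belongs to continues outside the hunk.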
%define relabel() \
. %{_sysconfdir}/sysconfig/selinux-policy; \
@@ -334,7 +332,6 @@
%files doc
%defattr(-,root,root,-)
%doc %{_usr}/share/doc/%{name}-%{version}
-%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
%{_usr}/share/selinux/devel/policy.*
%description
@@ -362,6 +359,8 @@
%patch18 -p1
refpolicy_path=`pwd`
cp $contrib_path/* $refpolicy_path/policy/modules/contrib
+# we use distro=redhat to get all the redhat modifications but we'll still need everything that is defined for suse
+find "$refpolicy_path" -type f -print0 | xargs -0 sed -i -e 's/ifdef(`distro_suse/ifdef(`distro_redhat/g'
%install
mkdir selinux_config
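Review bot: The `find "$refpolicy_path" -type f -print0 | xargs -0 sed -i ...` line added after the new comment rewrites every regular file in the unpacked tree, not only the policy sources, and `sed -i` rewrites each file whether or not the distro_suse pattern occurred in it. Narrowing the walk to the subtree that holds the policy language files, `find "$refpolicy_path/policy" -type f -print0`, keeps the substitution where the distro conditionals live (the cp on the line above shows that subtree exists) and leaves the build system's own files alone. The comment should also say that a file already carrying both a distro_suse and a distro_redhat block ends up with two redhat blocks after this pass, which m4 accepts but which surprises anyone reading the generated sources. The %prep section continues outside the hunk.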
@@ -383,7 +382,6 @@
%if %{BUILD_TARGETED}
# Build targeted policy
mkdir -p %{buildroot}%{_usr}/share/selinux/targeted
-cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/targeted
%makeCmds targeted mcs n allow
%makeModulesConf targeted base contrib
%installCmds targeted mcs n allow
@@ -393,7 +391,6 @@
%if %{BUILD_MINIMUM}
# Build minimum policy
mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
-cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/minimum
%makeCmds minimum mcs n allow
%makeModulesConf targeted base contrib
%installCmds minimum mcs n allow
@@ -417,14 +414,6 @@
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
-echo "xdg-open file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp
-chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp
-#/usr/bin/sepolicy manpage -a -p %{buildroot}/usr/share/man/man8/ -w -r %{buildroot}
-#mkdir %{buildroot}%{_usr}/share/selinux/devel/html
-#htmldir=`compgen -d %{buildroot}%{_usr}/share/man/man8/`
-#mv ${htmldir}/* %{buildroot}%{_usr}/share/selinux/devel/html
-#rm -rf ${htmldir}
-#mkdir %{buildroot}%{_usr}/share/selinux/packages/
rm -rf selinux_config
# fillup sysconfig
@@ -517,13 +506,17 @@
for p in $contribpackages; do
touch /etc/selinux/minimum/modules/active/modules/$p.disabled
done
-for p in $basepackages apache.pp dbus.pp inetd.pp kerberos.pp mta.pp nis.pp; do
+# this is temporarily needed to make minimum policy work without errors. Will be included
+# into the proper places later on
+rm /etc/selinux/minimum/modules/active/modules/suse.pp.disabled
+for p in $basepackages apache.pp dbus.pp inetd.pp kerberos.pp mta.pp nis.pp nscd.pp cron.pp; do
rm -f /etc/selinux/minimum/modules/active/modules/$p.disabled
done
-/usr/sbin/semanage -S minimum -i - << __eof
-login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
-login -m -s unconfined_u -r s0-s0:c0.c1023 root
-__eof
+# those are default anyway
+# /usr/sbin/semanage -S minimum -i - << __eof
+# login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
+# login -m -s unconfined_u -r s0-s0:c0.c1023 root
+# __eof
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
/usr/sbin/semodule -B -s minimum
else
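Review bot: The new `rm /etc/selinux/minimum/modules/active/modules/suse.pp.disabled` has no `-f`, unlike every other `rm` in this scriptlet, so it prints an error on any %post run where the `touch` loop above did not create that file. The loop directly below already re-enables listed modules with `rm -f`; adding the module there, `for p in $basepackages apache.pp dbus.pp inetd.pp kerberos.pp mta.pp nis.pp nscd.pp cron.pp suse.pp; do`, and dropping the separate `rm` keeps the temporary-workaround comment next to the one place the enabled set is defined. Note that `nscd.pp` and `cron.pp` are also newly kept enabled in the minimum policy by this hunk, which the changelog does not mention. The scriptlet continues outside the hunk.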
++++++ label_var_run_rsyslog.patch ++++++
--- /var/tmp/diff_new_pack.BgfG6U/_old 2014-09-09 18:59:18.000000000 +0200
+++ /var/tmp/diff_new_pack.BgfG6U/_new 2014-09-09 18:59:18.000000000 +0200
@@ -1,7 +1,7 @@
-Index: serefpolicy-3.12.1/policy/modules/system/logging.fc
+Index: serefpolicy-20140730/policy/modules/system/logging.fc
===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/system/logging.fc 2013-11-12 10:31:33.161234336 +0100
-+++ serefpolicy-3.12.1/policy/modules/system/logging.fc 2013-11-13 15:31:41.233552569 +0100
+--- serefpolicy-20140730.orig/policy/modules/system/logging.fc
++++ serefpolicy-20140730/policy/modules/system/logging.fc
@@ -83,6 +83,7 @@ ifdef(`distro_redhat',`
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
@@ -10,16 +10,14 @@
/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
-Index: serefpolicy-3.12.1/policy/modules/system/init.te
+Index: serefpolicy-20140730/policy/modules/system/init.te
===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/system/init.te 2013-11-12 10:31:33.161234336 +0100
-+++ serefpolicy-3.12.1/policy/modules/system/init.te 2013-11-18 12:50:40.828965515 +0100
-@@ -1577,3 +1577,8 @@ ifdef(`direct_sysadm_daemon',`
- allow daemon direct_run_init:process sigchld;
- allow direct_run_init direct_init_entry:file { getattr open read execute };
- ')
-+
+--- serefpolicy-20140730.orig/policy/modules/system/init.te
++++ serefpolicy-20140730/policy/modules/system/init.te
+@@ -1676,3 +1676,6 @@ optional_policy(`
+ ccs_read_config(daemon)
+ ')
+ ')
+
+# relabel /var/run/rsyslog
+filetrans_pattern(init_t, var_run_t, syslogd_var_run_t, dir, "rsyslog")
-+
++++++ modules-targeted-contrib.conf ++++++
--- /var/tmp/diff_new_pack.BgfG6U/_old 2014-09-09 18:59:18.000000000 +0200
+++ /var/tmp/diff_new_pack.BgfG6U/_new 2014-09-09 18:59:18.000000000 +0200
@@ -1313,13 +1313,6 @@
#
piranha = module
-# Layer: contrib
-# Module: pkcsslotd
-#
-# daemon manages PKCS#11 objects between PKCS#11-enabled applications
-#
-pkcsslotd = module
-
# Layer: services
# Module: plymouthd
#
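Review bot: Dropping `pkcsslotd = module` from the targeted contrib module list is not mentioned in the changelog. If the pkcsslotd module is simply absent from the 20140730 contrib tarball the removal is housekeeping; if it is still present, the daemon loses its confined domain in the targeted policy and the change deserves a line of its own. A short note in the .changes entry either way would save the next rebase from re-deriving the reason.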
@@ -1530,6 +1523,13 @@
#
realmd = module
+# Layer: contrib
+# Module: suse
+#
+# suse modifications
+#
+suse = module
+
# Layer: services
# Module: remotelogin
#
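Review bot: The new `suse = module` stanza is inserted between `realmd` and `remotelogin`, while the surrounding entries (piranha, plymouthd, realmd, remotelogin) appear to be kept in alphabetical order; placing it with the other s-modules keeps the file greppable and avoids a conflict on the next rebase. The stanza itself follows the existing `# Layer:` / `# Module:` layout, so only its position needs to move.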
++++++ policy-rawhide-base.patch ++++++
++++ 32501 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/selinux-policy/policy-rawhide-base.patch
++++ and /work/SRC/openSUSE:Factory/.selinux-policy.new/policy-rawhide-base.patch
++++++ policy-rawhide-contrib.patch ++++++
++++ 59032 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/selinux-policy/policy-rawhide-contrib.patch
++++ and /work/SRC/openSUSE:Factory/.selinux-policy.new/policy-rawhide-contrib.patch
++++++ selinux-policy-rpmlintrc ++++++
# rpmlint configuration for selinux-policy.
#
# Each entry is an rpmlint filter: a warning whose text matches the pattern is
# not reported for this package.  The strings carry regex metacharacters
# (".*"), so they are matched as regular expressions; the first two are broad
# and cover every non-conffile-in-etc warning and every zero-length file under
# /etc/selinux, not only the cases that are known to be expected today.
_SUPPRESSED_WARNINGS = (
    "W: non-conffile-in-etc.*",
    "W: zero-length /etc/selinux/.*",
    # the per-policy-store .policy.sha512 files are dotfiles
    "W: hidden-file-or-dir /etc/selinux/minimum/.policy.sha512",
    "W: hidden-file-or-dir /etc/selinux/targeted/.policy.sha512",
    "W: hidden-file-or-dir /etc/selinux/mls/.policy.sha512",
    # each policy store ships seusers and the file_contexts files twice (once
    # at the top level / under contexts, once under modules/active), which
    # rpmlint reports as duplicates
    "W: files-duplicate /etc/selinux/minimum/seusers /etc/selinux/minimum/modules/active/seusers.final",
    "W: files-duplicate /etc/selinux/minimum/contexts/files/file_contexts /etc/selinux/minimum/modules/active/file_contexts",
    "W: files-duplicate /etc/selinux/minimum/modules/active/file_contexts.homedirs /etc/selinux/minimum/contexts/files/file_contexts.homedirs",
    "W: files-duplicate /etc/selinux/targeted/modules/active/seusers.final /etc/selinux/targeted/seusers",
    "W: files-duplicate /etc/selinux/targeted/modules/active/file_contexts /etc/selinux/targeted/contexts/files/file_contexts",
    "W: files-duplicate /etc/selinux/targeted/contexts/files/file_contexts.homedirs /etc/selinux/targeted/modules/active/file_contexts.homedirs",
    "W: files-duplicate /etc/selinux/mls/modules/active/seusers.final /etc/selinux/mls/seusers",
    "W: files-duplicate /etc/selinux/mls/modules/active/file_contexts /etc/selinux/mls/contexts/files/file_contexts",
    "W: files-duplicate /etc/selinux/mls/contexts/files/file_contexts.homedirs /etc/selinux/mls/modules/active/file_contexts.homedirs",
)

# register the filters in the same order as the original flat list
for _pattern in _SUPPRESSED_WARNINGS:
    addFilter(_pattern)
++++++ serefpolicy-3.12.1.tgz -> serefpolicy-20140730.tgz ++++++
++++ 6821 lines of diff (skipped)
++++++ serefpolicy-contrib-3.12.1.tgz -> serefpolicy-contrib-20140730.tgz ++++++
++++ 10821 lines of diff (skipped)
++++++ suse_minimal_cc.patch ++++++
Index: serefpolicy-contrib-20140730/suse.te
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/suse.te
@@ -0,0 +1,88 @@
+policy_module(suse, 1.1.2)
+
+require {
+ type bin_t;
+ type chkpwd_t;
+ type getty_t;
+ type groupadd_t;
+ type init_exec_t;
+ type init_t;
+ type policykit_t;
+ type postfix_master_t;
+ type restorecond_t;
+ type rtkit_daemon_t;
+ type sshd_t;
+ type syslogd_t;
+ type system_dbusd_t;
+ type systemd_localed_t;
+ type systemd_logind_t;
+ type systemd_systemctl_exec_t;
+ type unconfined_service_t;
+ type unconfined_t;
+ type useradd_t;
+ type var_run_t;
+
+ class file { read open getattr entrypoint };
+ class netlink_selinux_socket { create bind };
+ class sock_file write;
+}
+
+#============= chkpwd_t ==============
+allow chkpwd_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(chkpwd_t)
+
+#============= getty_t ==============
+allow getty_t var_run_t:sock_file write;
+plymouthd_exec_plymouth(getty_t)
+kernel_stream_connect(getty_t)
+
+#============= policykit_t ==============
+allow policykit_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(policykit_t)
+
+#============= postfix_master_t ==============
+allow postfix_master_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(postfix_master_t)
+
+#============= rtkit_daemon_t ==============
+allow rtkit_daemon_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(rtkit_daemon_t)
+
+#============= sshd_t ==============
+allow sshd_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(sshd_t)
+
+#============= restorecond_t ==============
+allow restorecond_t var_run_t:sock_file write;
+
+#============= syslogd_t ==============
+allow syslogd_t var_run_t:file { read getattr open };
+allow syslogd_t var_run_t:sock_file write;
+
+#============= systemd_localed_t ==============
+systemd_dbus_chat_localed(unconfined_service_t)
+
+#============= systemd_logind_t ==============
+allow systemd_logind_t var_run_t:sock_file write;
+files_rw_inherited_generic_pid_files(systemd_logind_t)
+systemd_dbus_chat_logind(unconfined_service_t)
+
+#============= unconfined_service_t ==============
+unconfined_shell_domtrans(unconfined_service_t)
+
+#============= unconfined_t ==============
+allow unconfined_t systemd_systemctl_exec_t:file entrypoint;
+allow init_t unconfined_t:process transition;
+allow unconfined_t init_exec_t:file entrypoint;
+
+#============= groupadd_t ==============
+allow groupadd_t self:netlink_selinux_socket { create bind };
+allow groupadd_t var_run_t:sock_file write;
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t var_run_t:sock_file write;
+
+#============= useradd_t ==============
+allow useradd_t var_run_t:sock_file write;
+selinux_compute_access_vector(useradd_t)
+
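Review bot: The three rules under `#============= unconfined_t ==============` — `allow unconfined_t systemd_systemctl_exec_t:file entrypoint;`, `allow init_t unconfined_t:process transition;` and `allow unconfined_t init_exec_t:file entrypoint;` — make init's own executable and systemctl entrypoints into unconfined_t and let init_t transition into it, written as raw allow rules with no record of which denial prompted them. Given that the changelog calls this module a temporary workaround, each raw `allow` in the file should carry a one-line comment naming the operation it was observed on (the section headers look like audit2allow output, which is exactly where that information was lost), and the entrypoint/transition rules are candidates for the init and domain interfaces refpolicy provides instead of raw rules, so the next rework can tell which ones are still needed. Two smaller points: `type bin_t;` in the require block is not referenced anywhere in suse.te (only suse.fc uses it, and .fc files need no require), and the `systemd_localed_t` and `unconfined_t` headers are misleading because the subject of the rule beneath each is `unconfined_service_t` and `init_t` respectively.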
Index: serefpolicy-contrib-20140730/suse.fc
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/suse.fc
@@ -0,0 +1 @@
+/usr/lib/gdm/.* -- gen_context(system_u:object_r:bin_t,s0)
Index: serefpolicy-contrib-20140730/suse.if
===================================================================
--- /dev/null
+++ serefpolicy-contrib-20140730/suse.if
@@ -0,0 +1,24 @@
+## <summary>asdfsdfABRT - automated bug-reporting tool</summary>
+
+######################################
+## <summary>
+## Creates types and rules for a basic
+## ABRT daemon domainadsasdf
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`abrt_asdfasfasfbasic_types_template',`
+ gen_require(`
+ attribute abrt_domain;
+ ')
+
+ type $1_t, abrt_domain;
+ type $1_exec_t;
+
+ kernel_read_system_state($1_t)
+')
+
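Review bot: The new suse.if is a leftover copy of abrt's interface file with mangled identifiers: the module summary reads `asdfsdfABRT - automated bug-reporting tool` and the only template is `abrt_asdfasfasfbasic_types_template`, which requires `attribute abrt_domain` and creates `$1_t`/`$1_exec_t` as abrt domains. Nothing in suse.te calls it, so the file only ships a confusing, abrt-dependent template under the suse module name; it should be reduced to a header describing the module, `## <summary>SUSE-specific policy additions for the minimum policy</summary>`, until real interfaces exist. If the template is kept on purpose, its name and summary need to say what it actually does.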
++++++ sysconfig_network_scripts.patch ++++++
--- /var/tmp/diff_new_pack.BgfG6U/_old 2014-09-09 18:59:19.000000000 +0200
+++ /var/tmp/diff_new_pack.BgfG6U/_new 2014-09-09 18:59:19.000000000 +0200
@@ -1,7 +1,7 @@
-Index: serefpolicy-3.12.1/policy/modules/system/sysnetwork.fc
+Index: serefpolicy-20140730/policy/modules/system/sysnetwork.fc
===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/system/sysnetwork.fc 2013-11-12 10:31:33.113233800 +0100
-+++ serefpolicy-3.12.1/policy/modules/system/sysnetwork.fc 2013-11-20 15:33:05.611791575 +0100
+--- serefpolicy-20140730.orig/policy/modules/system/sysnetwork.fc
++++ serefpolicy-20140730/policy/modules/system/sysnetwork.fc
@@ -11,6 +11,15 @@ ifdef(`distro_debian',`
/dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')
@@ -18,8 +18,8 @@
#
# /etc
#
-@@ -36,6 +45,10 @@ ifdef(`distro_redhat',`
- /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+@@ -37,6 +46,10 @@ ifdef(`distro_redhat',`
+ /var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')
+/etc/sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
@@ -29,11 +29,11 @@
#
# /sbin
#
-Index: serefpolicy-3.12.1/policy/modules/system/sysnetwork.te
+Index: serefpolicy-20140730/policy/modules/system/sysnetwork.te
===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/system/sysnetwork.te 2013-11-12 10:31:33.113233800 +0100
-+++ serefpolicy-3.12.1/policy/modules/system/sysnetwork.te 2013-11-12 10:31:33.132234012 +0100
-@@ -56,7 +56,8 @@ files_config_file(net_conf_t)
+--- serefpolicy-20140730.orig/policy/modules/system/sysnetwork.te
++++ serefpolicy-20140730/policy/modules/system/sysnetwork.te
+@@ -60,7 +60,8 @@ ifdef(`distro_debian',`
#
# DHCP client local policy
#
@@ -43,7 +43,7 @@
dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-@@ -91,6 +92,12 @@ allow dhcpc_t net_conf_t:file relabel_fi
+@@ -95,6 +96,12 @@ allow dhcpc_t net_conf_t:file relabel_fi
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
@@ -56,10 +56,10 @@
# create temp files
manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
-Index: serefpolicy-3.12.1/policy/modules/kernel/devices.fc
+Index: serefpolicy-20140730/policy/modules/kernel/devices.fc
===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/kernel/devices.fc 2013-11-12 10:31:33.096233609 +0100
-+++ serefpolicy-3.12.1/policy/modules/kernel/devices.fc 2013-11-12 10:31:33.132234012 +0100
+--- serefpolicy-20140730.orig/policy/modules/kernel/devices.fc
++++ serefpolicy-20140730/policy/modules/kernel/devices.fc
@@ -2,6 +2,7 @@
/dev -d gen_context(system_u:object_r:device_t,s0)
/dev/.* gen_context(system_u:object_r:device_t,s0)
++++++ systemd-tmpfiles.patch ++++++
--- /var/tmp/diff_new_pack.BgfG6U/_old 2014-09-09 18:59:19.000000000 +0200
+++ /var/tmp/diff_new_pack.BgfG6U/_new 2014-09-09 18:59:19.000000000 +0200
@@ -1,8 +1,8 @@
-Index: serefpolicy-3.12.1/policy/modules/kernel/devices.if
+Index: serefpolicy-20140730/policy/modules/kernel/devices.if
===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/kernel/devices.if 2013-11-21 11:53:52.857807940 +0100
-+++ serefpolicy-3.12.1/policy/modules/kernel/devices.if 2013-11-21 11:53:52.923808669 +0100
-@@ -6506,3 +6506,25 @@ interface(`dev_filetrans_xserver_named_d
+--- serefpolicy-20140730.orig/policy/modules/kernel/devices.if
++++ serefpolicy-20140730/policy/modules/kernel/devices.if
+@@ -6602,3 +6602,25 @@ interface(`dev_filetrans_xserver_named_d
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
')
@@ -28,20 +28,11 @@
+ allow $1 device_node {create};
+')
+
-Index: serefpolicy-3.12.1/policy/modules/kernel/devices.te
+Index: serefpolicy-20140730/policy/modules/system/systemd.te
===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/kernel/devices.te 2013-11-21 11:53:52.857807940 +0100
-+++ serefpolicy-3.12.1/policy/modules/kernel/devices.te 2013-11-21 11:53:52.923808669 +0100
-@@ -334,3 +334,4 @@ files_associate_tmp(device_node)
- allow devices_unconfined_type self:capability sys_rawio;
- allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
- allow devices_unconfined_type mtrr_device_t:file *;
-+
-Index: serefpolicy-3.12.1/policy/modules/system/systemd.te
-===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/system/systemd.te 2013-11-21 11:53:52.874808128 +0100
-+++ serefpolicy-3.12.1/policy/modules/system/systemd.te 2013-11-21 11:55:29.271873271 +0100
-@@ -274,6 +274,11 @@ dev_read_cpu_online(systemd_tmpfiles_t)
+--- serefpolicy-20140730.orig/policy/modules/system/systemd.te
++++ serefpolicy-20140730/policy/modules/system/systemd.te
+@@ -320,6 +320,11 @@ dev_read_cpu_online(systemd_tmpfiles_t)
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
dev_relabel_all_dev_nodes(systemd_tmpfiles_t)
@@ -53,20 +44,11 @@
domain_obj_id_change_exemption(systemd_tmpfiles_t)
# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
-@@ -606,7 +611,7 @@ optional_policy(`
- #
- # systemd_sysctl domains local policy
- #
--allow systemd_sysctl_t self:capability net_admin;
-+allow systemd_sysctl_t self:capability { net_admin sys_admin };
- allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
-
- kernel_dgram_send(systemd_sysctl_t)
-Index: serefpolicy-3.12.1/policy/modules/system/systemd.if
+Index: serefpolicy-20140730/policy/modules/system/systemd.if
===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/system/systemd.if 2013-11-21 11:53:52.874808128 +0100
-+++ serefpolicy-3.12.1/policy/modules/system/systemd.if 2013-11-21 11:53:52.923808669 +0100
-@@ -1398,3 +1398,22 @@ interface(`systemd_dontaudit_dbus_chat',
+--- serefpolicy-20140730.orig/policy/modules/system/systemd.if
++++ serefpolicy-20140730/policy/modules/system/systemd.if
+@@ -1458,3 +1458,22 @@ interface(`systemd_dontaudit_dbus_chat',
dontaudit $1 systemd_domain:dbus send_msg;
')
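Review bot: The rebase drops the hunk that widened `systemd_sysctl_t`'s self capabilities from `net_admin` to `{ net_admin sys_admin }` (the removed lines in the middle of this hunk), and nothing in the commit says whether upstream 20140730 already carries that rule or whether the grant turned out to be unnecessary. Dropping a capability grant is the safe direction, but if the rule was still needed the rebuilt policies may start seeing `sys_admin` denials for systemd-sysctl, so a changelog line such as `- systemd-tmpfiles.patch: dropped the systemd_sysctl_t sys_admin hunk (REASON-PLACEHOLDER)` would make the intent checkable. The remaining changes in this hunk only re-anchor the patch against the new tree.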
++++++ type_transition_contrib.patch ++++++
--- /var/tmp/diff_new_pack.BgfG6U/_old 2014-09-09 18:59:19.000000000 +0200
+++ /var/tmp/diff_new_pack.BgfG6U/_new 2014-09-09 18:59:19.000000000 +0200
@@ -1,8 +1,8 @@
-diff --git a/glusterd.te b/glusterd.te
-index 8f595f8..253ba1a 100644
---- a/glusterd.te
-+++ b/glusterd.te
-@@ -40,7 +40,7 @@ allow glusterd_t self:unix_stream_socket { accept listen };
+Index: serefpolicy-contrib-20140730/glusterd.te
+===================================================================
+--- serefpolicy-contrib-20140730.orig/glusterd.te
++++ serefpolicy-contrib-20140730/glusterd.te
+@@ -68,7 +68,7 @@ allow glusterd_t self:unix_stream_socket
manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
++++++ type_transition_file_class.patch ++++++
--- /var/tmp/diff_new_pack.BgfG6U/_old 2014-09-09 18:59:19.000000000 +0200
+++ /var/tmp/diff_new_pack.BgfG6U/_new 2014-09-09 18:59:19.000000000 +0200
@@ -1,8 +1,8 @@
-Index: serefpolicy-3.12.1/policy/modules/system/miscfiles.if
+Index: serefpolicy-20140730/policy/modules/system/miscfiles.if
===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/system/miscfiles.if 2013-11-21 11:53:52.871808095 +0100
-+++ serefpolicy-3.12.1/policy/modules/system/miscfiles.if 2013-12-11 16:25:41.304059941 +0100
-@@ -875,7 +875,8 @@ interface(`miscfiles_etc_filetrans_local
+--- serefpolicy-20140730.orig/policy/modules/system/miscfiles.if
++++ serefpolicy-20140730/policy/modules/system/miscfiles.if
+@@ -896,7 +896,8 @@ interface(`miscfiles_etc_filetrans_local
')
files_etc_filetrans($1, locale_t, lnk_file)
@@ -12,7 +12,7 @@
files_etc_filetrans($1, locale_t, file, "locale.conf" )
files_etc_filetrans($1, locale_t, file, "timezone" )
files_etc_filetrans($1, locale_t, file, "vconsole.conf" )
-@@ -917,7 +918,8 @@ interface(`miscfiles_filetrans_locale_na
+@@ -938,7 +939,8 @@ interface(`miscfiles_filetrans_locale_na
type locale_t;
')
++++++ useradd-netlink_selinux_socket.patch ++++++
--- /var/tmp/diff_new_pack.BgfG6U/_old 2014-09-09 18:59:19.000000000 +0200
+++ /var/tmp/diff_new_pack.BgfG6U/_new 2014-09-09 18:59:19.000000000 +0200
@@ -1,8 +1,8 @@
-Index: serefpolicy-3.12.1/policy/modules/admin/usermanage.te
+Index: serefpolicy-20140730/policy/modules/admin/usermanage.te
===================================================================
---- serefpolicy-3.12.1.orig/policy/modules/admin/usermanage.te 2013-10-23 11:44:16.797098128 +0200
-+++ serefpolicy-3.12.1/policy/modules/admin/usermanage.te 2013-10-23 11:44:16.894099171 +0200
-@@ -503,6 +503,7 @@ allow useradd_t self:unix_dgram_socket c
+--- serefpolicy-20140730.orig/policy/modules/admin/usermanage.te
++++ serefpolicy-20140730/policy/modules/admin/usermanage.te
+@@ -497,6 +497,7 @@ allow useradd_t self:unix_dgram_socket c
allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
++++++ xconsole.patch ++++++
--- /var/tmp/diff_new_pack.BgfG6U/_old 2014-09-09 18:59:19.000000000 +0200
+++ /var/tmp/diff_new_pack.BgfG6U/_new 2014-09-09 18:59:19.000000000 +0200
@@ -15,22 +15,23 @@
Index: policy/modules/services/xserver.te
===================================================================
---- policy/modules/services/xserver.te.orig 2013-10-23 11:44:16.810098267 +0200
-+++ policy/modules/services/xserver.te 2013-10-23 11:44:16.887099095 +0200
-@@ -189,12 +189,6 @@ typealias xauth_tmp_t alias { xguest_xau
+--- policy/modules/services/xserver.te.orig
++++ policy/modules/services/xserver.te
+@@ -189,13 +189,6 @@ typealias xauth_tmp_t alias { xguest_xau
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
userdom_user_tmp_file(xauth_tmp_t)
-# this is not actually a device, its a pipe
-type xconsole_device_t;
-files_type(xconsole_device_t)
+-dev_associate(xconsole_device_t)
-fs_associate_tmpfs(xconsole_device_t)
-files_associate_tmp(xconsole_device_t)
-
type xdm_unconfined_exec_t;
application_executable_file(xdm_unconfined_exec_t)
-@@ -438,7 +432,6 @@ allow xdm_t self:dbus { send_msg acquire
+@@ -437,7 +430,6 @@ allow xdm_t self:dbus { send_msg acquire
allow xdm_t xauth_home_t:file manage_file_perms;
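Review bot: The rebased patch now additionally deletes `dev_associate(xconsole_device_t)` from xserver.te (new line `+-dev_associate(xconsole_device_t)`), alongside the type's other declarations that the patch already removed there. Since logging.fc in this same patch still labels `/dev/xconsole` as `xconsole_device_t`, the replacement declaration of that type (which this diff does not show) presumably needs the same association with the device filesystem; a comment next to the removed line, `# xconsole_device_t and its dev_associate move to logging.te`, would let a reader confirm that without opening the patch body. The hunk ends mid-way through the xdm_t rules, which continue outside it.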
@@ -38,7 +39,7 @@
manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
-@@ -669,6 +662,10 @@ libs_exec_lib_files(xdm_t)
+@@ -663,6 +655,10 @@ libs_exec_lib_files(xdm_t)
libs_exec_ldconfig(xdm_t)
logging_read_generic_logs(xdm_t)
@@ -51,8 +52,8 @@
miscfiles_read_fonts(xdm_t)
Index: policy/modules/services/xserver.fc
===================================================================
---- policy/modules/services/xserver.fc.orig 2013-10-23 11:44:16.809098257 +0200
-+++ policy/modules/services/xserver.fc 2013-10-23 11:44:16.887099095 +0200
+--- policy/modules/services/xserver.fc.orig
++++ policy/modules/services/xserver.fc
@@ -33,11 +33,6 @@ HOME_DIR/\.dmrc.* -- gen_context(system_
/root/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
@@ -67,9 +68,9 @@
/etc/gdm(3)?/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
Index: policy/modules/system/logging.te
===================================================================
---- policy/modules/system/logging.te.orig 2013-10-23 11:44:16.815098321 +0200
-+++ policy/modules/system/logging.te 2013-10-23 11:44:16.888099106 +0200
-@@ -107,6 +107,12 @@ ifdef(`enable_mls',`
+--- policy/modules/system/logging.te.orig
++++ policy/modules/system/logging.te
+@@ -110,6 +110,12 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
')
@@ -82,7 +83,7 @@
########################################
#
# Auditctl local policy
-@@ -167,6 +173,9 @@ manage_files_pattern(auditd_t, auditd_va
+@@ -173,6 +179,9 @@ manage_files_pattern(auditd_t, auditd_va
manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
@@ -92,7 +93,7 @@
kernel_read_kernel_sysctls(auditd_t)
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
-@@ -619,11 +628,6 @@ optional_policy(`
+@@ -631,11 +640,6 @@ optional_policy(`
udev_read_db(syslogd_t)
')
@@ -106,9 +107,9 @@
# syslog client rules
Index: policy/modules/system/logging.if
===================================================================
---- policy/modules/system/logging.if.orig 2013-10-23 11:44:16.815098321 +0200
-+++ policy/modules/system/logging.if 2013-10-23 11:44:16.888099106 +0200
-@@ -1355,3 +1355,40 @@ interface(`logging_filetrans_named_conte
+--- policy/modules/system/logging.if.orig
++++ policy/modules/system/logging.if
+@@ -1431,3 +1431,40 @@ interface(`logging_filetrans_named_conte
logging_log_filetrans($1, var_log_t, dir, "anaconda")
')
@@ -151,9 +152,9 @@
+
Index: policy/modules/system/init.te
===================================================================
---- policy/modules/system/init.te.orig 2013-10-23 11:44:16.813098300 +0200
-+++ policy/modules/system/init.te 2013-10-23 11:44:16.888099106 +0200
-@@ -731,6 +731,7 @@ logging_manage_generic_logs(initrc_t)
+--- policy/modules/system/init.te.orig
++++ policy/modules/system/init.te
+@@ -797,6 +797,7 @@ logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -161,7 +162,7 @@
# slapd needs to read cert files from its initscript
miscfiles_manage_generic_cert_files(initrc_t)
-@@ -1376,9 +1377,6 @@ optional_policy(`
+@@ -1453,9 +1454,6 @@ optional_policy(`
')
optional_policy(`
@@ -173,8 +174,8 @@
')
Index: policy/modules/system/logging.fc
===================================================================
---- policy/modules/system/logging.fc.orig 2013-10-23 11:44:16.815098321 +0200
-+++ policy/modules/system/logging.fc 2013-10-23 11:44:16.888099106 +0200
+--- policy/modules/system/logging.fc.orig
++++ policy/modules/system/logging.fc
@@ -1,4 +1,5 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/dev/xconsole -p gen_context(system_u:object_r:xconsole_device_t,s0)
@@ -183,9 +184,9 @@
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
Index: policy/modules/services/xserver.if
===================================================================
---- policy/modules/services/xserver.if.orig 2013-10-23 11:44:16.810098267 +0200
-+++ policy/modules/services/xserver.if 2013-10-23 11:44:16.888099106 +0200
-@@ -636,42 +636,6 @@ interface(`xserver_manage_user_xauth',`
+--- policy/modules/services/xserver.if.orig
++++ policy/modules/services/xserver.if
+@@ -635,42 +635,6 @@ interface(`xserver_manage_user_xauth',`
########################################
## <summary>