commit selinux-policy for openSUSE:Factory
Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2013-07-12 20:57:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "selinux-policy" Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2012-12-28 22:49:31.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new/selinux-policy.changes 2013-07-12 20:57:51.000000000 +0200 
@@ -1,0 +2,16 @@ +Thu Jul 11 11:00:14 UTC 2013 - coolo@suse.com + +- install COPYING + +------------------------------------------------------------------- +Fri Mar 22 11:52:43 UTC 2013 - vcizek@suse.com + +- switch to Fedora as upstream +- added patches: + * policy-rawhide-base.patch + * policy-rawhide-contrib.patch + * type_transition_file_class.patch + * type_transition_contrib.patch + * label_sysconfig.selinux-policy.patch + +------------------------------------------------------------------- Old: ---- refpolicy-2.20120725.tar.bz2 selinux-policy-SUSE.patch selinux-policy-run_sepolgen_during_build.patch New: ---- label_sysconfig.selinux-policy.patch modules-mls-base.conf modules-mls-contrib.conf modules-targeted-base.conf modules-targeted-contrib.conf permissivedomains.fc permissivedomains.if permissivedomains.pp permissivedomains.te policy-rawhide-base.patch policy-rawhide-contrib.patch serefpolicy-3.12.1.tgz serefpolicy-contrib-3.12.1.tgz seusers seusers-mls seusers-targeted type_transition_contrib.patch type_transition_file_class.patch users_extra-mls users_extra-targeted ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.wo3kWi/_old 2013-07-12 20:57:53.000000000 +0200 +++ /var/tmp/diff_new_pack.wo3kWi/_new 2013-07-12 20:57:53.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package selinux-policy # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,7 +16,10 @@ # -%define distro suse +# TODO: This turns on distro-specific policies. +# There are almost no SUSE specific modifications available +# in the upstream, so we utilize the ones used by redhat +%define distro redhat %define polyinstatiate n %define monolithic n %if %{?BUILD_DOC:0}%{!?BUILD_DOC:1} @@ -25,35 +28,41 @@ %if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1} %define BUILD_TARGETED 1 %endif -# minimum policy is currently disabled a may not even build %if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1} %define BUILD_MINIMUM 0 %endif %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1} %define BUILD_MLS 1 %endif -%define POLICYVER 27 -%define libsepolver 2.0.20-1 -%define POLICYCOREUTILSVER 2.0.71-2 -%define CHECKPOLICYVER 2.0.16-3 - +%define POLICYVER 29 +%define POLICYCOREUTILSVER 2.1.14 +%define CHECKPOLICYVER 2.1.12 Summary: SELinux policy configuration License: GPL-2.0+ Group: System/Management Name: selinux-policy -Version: 2.20120725 -Release: 1%{?dist} -Source: refpolicy-%{version}.tar.bz2 -Source1: modules-targeted.conf +Version: 3.12.1 +Release: 20%{?dist} +Source: serefpolicy-%{version}.tgz +Patch: policy-rawhide-base.patch +Patch1: policy-rawhide-contrib.patch +# The following two patches are a workaround for 812055 +Patch10: type_transition_file_class.patch +Patch11: type_transition_contrib.patch +Patch12: label_sysconfig.selinux-policy.patch + +Source1: modules-targeted-base.conf +Source31: modules-targeted-contrib.conf Source2: booleans-targeted.conf Source3: Makefile.devel Source4: setrans-targeted.conf -Source5: modules-mls.conf +Source5: modules-mls-base.conf +Source32: modules-mls-contrib.conf Source6: booleans-mls.conf Source8: setrans-mls.conf Source14: securetty_types-targeted Source15: securetty_types-mls -Source16: modules-minimum.conf +#Source16: modules-minimum.conf Source17: booleans-minimum.conf Source18: setrans-minimum.conf Source19: securetty_types-minimum 
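Review bot: The TODO above `%define distro redhat` should say what `DISTRO=redhat` switches on, because refpolicy's `distro_redhat` conditionals add rules and file-context entries for Red Hat path layouts, and a context entry for a path that does not exist on openSUSE leaves the real file under whatever default type its directory carries; listing the modules known to be affected would make the TODO actionable. In the next hunk, `# The following two patches are a workaround for 812055` names a bug number without its tracker; `# workaround for <tracker>#812055` with the actual tracker filled in would make it findable. `#Source16: modules-minimum.conf` is commented out while `%if %{BUILD_MINIMUM}` still exists further down; a note on which modules list the minimum policy is built from would help.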
@@ -62,19 +71,16 @@ Source22: users-mls Source23: users-targeted Source25: users-minimum -Source26: selinux-policy.sysconfig +Source26: file_contexts.subs_dist Source27: selinux-policy.conf -Source28: file_contexts.subs_dist +Source28: permissivedomains.pp +Source29: serefpolicy-contrib-%{version}.tgz Source30: booleans.subs_dist +Source40: selinux-policy.sysconfig # the following two files are more like a packaging documentation -Source40: Alan_Rouse-openSUSE_with_SELinux.txt -Source41: Alan_Rouse-Policy_Development_Process.txt - -# PATCH-FEATURE-OPENSUSE SUSE specific policy from Alan Rouse -Patch1: selinux-policy-SUSE.patch -# PATCH-FEATURE-OPENSUSE check for errors in .if files -Patch3: selinux-policy-run_sepolgen_during_build.patch +Source50: Alan_Rouse-openSUSE_with_SELinux.txt +Source51: Alan_Rouse-Policy_Development_Process.txt Url: http://oss.tresys.com/repos/refpolicy/ BuildRoot: %{_tmppath}/%{name}-%{version}-build 
@@ -85,42 +91,56 @@ BuildRequires: checkpolicy >= %{CHECKPOLICYVER} BuildRequires: gawk BuildRequires: m4 +BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER} BuildRequires: policycoreutils-python >= %{POLICYCOREUTILSVER} BuildRequires: python BuildRequires: python-xml # we need selinuxenabled Requires(post): selinux-tools Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} -Requires(post): /usr/bin/bunzip2 /bin/mktemp /bin/awk -Requires: checkpolicy >= %{CHECKPOLICYVER} -Requires: m4 +Requires(post): /bin/awk /usr/bin/sha512sum Recommends: audit Recommends: selinux-tools -Obsoletes: selinux-policy-devel <= %{version}-%{release} -Provides: selinux-policy-devel = %{version}-%{release} +# for audit2allow +Recommends: policycoreutils-python %description SELinux Base package %files %defattr(-,root,root,-) +%doc COPYING %dir %{_usr}/share/selinux -%dir %{_usr}/share/selinux/packages +#%dir %{_usr}/share/selinux/packages %dir %{_sysconfdir}/selinux -%attr(0600,root,root) %ghost %config(noreplace) %{_sysconfdir}/selinux/config -%dir /usr/lib/tmpfiles.d +%ghost %config(noreplace) %{_sysconfdir}/selinux/config +%dir %{_localstatedir}/adm/fillup-templates +%dir %{_localstatedir}/adm/fillup-templates/sysconfig.%{name} +#%ghost %{_sysconfdir}/sysconfig/selinux %{_usr}/lib/tmpfiles.d/selinux-policy.conf -%{_mandir}/man*/* -# policycoreutils owns these manpage directories, we only own the files within them + +%package devel +Summary: SELinux policy devel +Group: System/Management +Requires(pre): selinux-policy = %{version}-%{release} +Requires: /usr/bin/make +Requires: checkpolicy >= %{CHECKPOLICYVER} +Requires: m4 + +%description devel +SELinux policy development and man page package + +%files devel +%defattr(-,root,root,-) +#%{_mandir}/man*/* %{_mandir}/ru/*/* %dir %{_usr}/share/selinux/devel %dir %{_usr}/share/selinux/devel/include %{_usr}/share/selinux/devel/include/* +#%dir %{_usr}/share/selinux/devel/html +#%{_usr}/share/selinux/devel/html/*html 
%{_usr}/share/selinux/devel/Makefile %{_usr}/share/selinux/devel/example.* -%{_usr}/share/selinux/devel/policy.* -%dir %{_localstatedir}/adm/fillup-templates -%dir %{_localstatedir}/adm/fillup-templates/sysconfig.%{name} %package doc Summary: SELinux policy documentation 
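Review bot: `#%{_mandir}/man*/*` is commented out in `%files devel` and only `%{_mandir}/ru/*/*` remains, yet the `%install` hunk further down still runs `cp -R man/* %{buildroot}%{_mandir}`; unless another file list I cannot see claims them, every non-Russian man page ends up installed but unpackaged, which rpmbuild rejects by default. Either restore `%{_mandir}/man*/*` or stop copying those pages. Separately, `%attr(0600,root,root)` is dropped from the `%ghost %config(noreplace) %{_sysconfdir}/selinux/config` entry; since `%post` creates that path as a symlink the mode presumably never applied, but a one-line comment saying so would stop the next reader from adding it back.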
@@ -135,23 +155,28 @@ %defattr(-,root,root,-) %doc %{_usr}/share/doc/%{name}-%{version} %attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp - -#TODO: this doesn't work currently -#%%check -#/usr/bin/sepolgen-ifgen -v -d -i %{buildroot}%{_usr}/share/selinux/devel/include -o /dev/null +%{_usr}/share/selinux/devel/policy.* %define makeCmds() \ -make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 bare \ -make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 conf \ -cp -f selinux_config/modules-%1.conf ./policy/modules.conf \ +make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \ +make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \ cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \ cp -f selinux_config/users-%1 ./policy/users \ +#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \ + +%define makeModulesConf() \ +cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \ +cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \ +if [ %3 == "contrib" ];then \ + cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \ + cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \ +fi; \ %define installCmds() \ -make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \ -make validate UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 modules \ -make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install \ -make 
UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 install-appconfig \ +make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" base.pp \ +make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" modules \ +make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \ +make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \ %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \ %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \ %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules \ 
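Review bot: `SEMOD_EXP="/usr/bin/semodule_expand -a"` on the new `base.pp` and `modules` lines passes `-a`, which semodule_expand documents as "do not check assertions", so neverallow rules are not verified when the base module is expanded at build time and a policy that violates its own neverallow constraints would ship without a build failure; the adjacent `make validate` line does not obviously restore that check. If the flag is needed because a contrib module currently trips an assertion, record that with a comment and a tracking item, otherwise drop `-a`. Minor style: `if [ %3 == "contrib" ];then` in `%makeModulesConf` relies on bash's `==`, `=` is the portable test operator. The `%installCmds` macro continues past the end of the hunk.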
@@ -170,11 +195,14 @@
 touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/nodes.local \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/users_extra.local \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/users.local \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/file_contexts.homedirs.bin \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/file_contexts.bin \
 cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
 bzip2 -c %{buildroot}/%{_usr}/share/selinux/%1/base.pp > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/base.pp \
 rm -f %{buildroot}/%{_usr}/share/selinux/%1/base.pp \
 for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \
 rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/modules/sandbox.disabled \
 /usr/sbin/semodule -s %1 -n -B -p %{buildroot}; \
 /usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
 rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
@@ -183,15 +211,15 @@ %define fileList() \ %defattr(-,root,root) \ +%dir %{_usr}/share/selinux/%1 \ %dir %{_sysconfdir}/selinux/%1 \ -#%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \ -%ghost %{_sysconfdir}/selinux/%1/seusers \ +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \ %dir %{_sysconfdir}/selinux/%1/logins \ %dir %{_sysconfdir}/selinux/%1/modules \ -%verify(not mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \ -%verify(not mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \ -%attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \ +%dir %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \ %dir %{_sysconfdir}/selinux/%1/modules/active/modules \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/policy.kern \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/commit_num \ @@ -204,7 +232,9 @@ %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/users_extra \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/homedir_template \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/modules/*.pp \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/modules/sandbox.disabled \ %ghost %{_sysconfdir}/selinux/%1/modules/active/*.local \ +%ghost %{_sysconfdir}/selinux/%1/modules/active/*.bin \ %ghost %{_sysconfdir}/selinux/%1/modules/active/seusers \ %dir %{_sysconfdir}/selinux/%1/policy/ \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ 
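Review bot: `%dir %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \` repeats the `%dir` directive; rpm tolerates it but it reads as a merge slip, `%attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \` is enough. The `seusers` entry moves from `%ghost` to `%config(noreplace) %verify(not md5 size mtime)`, so the Linux-user to SELinux-user map is now shipped by the package and a locally edited copy survives upgrades; a comment noting that the file is presumably rewritten by semodule/semanage on policy commit, which is why verify is relaxed, would explain the flags to the next reader. The `%fileList` macro continues past the end of the second hunk.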
@@ -217,7 +247,7 @@
 %config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
 %config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
-#%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
+%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
 %config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
@@ -227,6 +257,7 @@
 %dir %{_sysconfdir}/selinux/%1/contexts/files \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
+%ghost %{_sysconfdir}/selinux/%1/contexts/files/*.bin \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
 %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
@@ -237,24 +268,21 @@ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/virtual_image_context +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u %define relabel() \ . %{_sysconfdir}/sysconfig/selinux-policy; \ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ -selinuxenabled; \ +/usr/sbin/selinuxenabled; \ if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ - fixfiles -C ${FILE_CONTEXT}.pre restore; \ - restorecon -R /root /var/log /var/run /var/lib 2> /dev/null; \ + /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \ rm -f ${FILE_CONTEXT}.pre; \ -fi; +fi; \ +/sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \ +/sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null || true; \ %define preInstall() \ -if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \ +if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \ . %{_sysconfdir}/selinux/config; \ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \ 
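Review bot: In `%preInstall` the test now reads `[ -s /etc/selinux/config ]` while the very next line still sources `%{_sysconfdir}/selinux/config`; both resolve to the same path today, but a literal next to the macro invites drift, so `if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \` keeps the two lines consistent. In `%relabel`, the new `/sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null || true` runs as root over user-owned trees selected by a shell glob and silently ignores failure; a comment stating why exactly these two directories need a forced relabel on a policy update, and why errors are acceptable, would help, and an `-e` exclusion like the preceding line uses may be wanted if those trees can be large. The `%preInstall` macro continues past the end of the hunk.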
@@ -274,7 +302,10 @@
 . %{_sysconfdir}/selinux/config; \
 if [ -e /etc/selinux/%2/.rebuild ]; then \
 rm /etc/selinux/%2/.rebuild; \
+ (cd /etc/selinux/%2/modules/active/modules; rm -f shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp l2tp.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \
 /usr/sbin/semodule -B -n -s %2; \
+else \
+ touch /etc/selinux/%2/modules/active/modules/sandbox.disabled \
 fi; \
 if [ "${SELINUXTYPE}" == "%2" ]; then \
 if selinuxenabled; then \
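Review bot: `(cd /etc/selinux/%2/modules/active/modules; rm -f shutdown.pp ... pacemaker.pp )` joins the two commands with `;`, so if the `cd` fails the `rm -f` runs in the scriptlet's current working directory instead; `(cd /etc/selinux/%2/modules/active/modules && rm -f ...)` confines the removal to the intended directory. The long list of `.pp` names is a migration step that the hunk does not explain; a comment such as `# drop modules that no longer exist in serefpolicy 3.12.1 before rebuilding the store` (adjust to the actual reason) would keep it maintainable. The enclosing `%postInstall` macro starts and ends outside this hunk.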
@@ -290,39 +321,50 @@ if [ %1 -eq 1 ]; then \ /sbin/restorecon -R /root /var/log /var/run 2> /dev/null; \ else \ - %relabel %2; \ + %relabel %2 \ fi; \ else \ # run fixfiles on next boot \ touch /.autorelabel \ -fi; \ +fi; %define modulesList() \ -awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules.lst \ +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \ +if [ -e ./policy/modules-contrib.conf ];then \ + awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \ +fi; %description SELinux Reference Policy - modular. -Based off of reference policy: Checked out revision 2.20120725 +Based off of reference policy: Checked out revision 2.20091117 + +%build %prep -%setup -n refpolicy -q +%setup -n serefpolicy-contrib-%{version} -q -b 29 %patch1 -p1 -%patch3 -p1 -#%patch4 -p1 - -%build +%patch11 -p1 +contrib_path=`pwd` +%setup -n serefpolicy-%{version} -q +cp COPYING .. 
+%patch -p1 +%patch10 -p1 +%patch12 -p1 +refpolicy_path=`pwd` +cp $contrib_path/* $refpolicy_path/policy/modules/contrib %install mkdir selinux_config -for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE28};do +for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do cp $i selinux_config done tar zxvf selinux_config/config.tgz # Build targeted policy %{__rm} -fR %{buildroot} -mkdir -p %{buildroot}%{_mandir} -cp -R man/* %{buildroot}%{_mandir} mkdir -p %{buildroot}%{_sysconfdir}/selinux +#mkdir -p %{buildroot}%{_sysconfdir}/sysconfig +#touch %{buildroot}%{_sysconfdir}/selinux/config +#touch %{buildroot}%{_sysconfdir}/sysconfig/selinux mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/ 
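Review bot: The `%description` now says `Based off of reference policy: Checked out revision 2.20091117`, which goes backwards from the `2.20120725` it replaces while `Version:` moves to `3.12.1` and the tarball is `serefpolicy-%{version}.tgz`; this looks like a stale line and should read `Based off of reference policy: serefpolicy %{version}` so the package text matches what is built. `%build` is now placed before `%prep` and left empty while the make calls live in `%install`; a comment like `# the policy is built from %%install, one tree per policy type` (with the real reason) would stop a reader moving them back. The double `%setup` (`-n serefpolicy-contrib-%{version} -q -b 29`, then `-n serefpolicy-%{version} -q`) followed by `cp $contrib_path/* $refpolicy_path/policy/modules/contrib` is unusual enough to deserve a one-line comment saying the contrib tree is unpacked first so it can be merged into the base tree.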
@@ -333,51 +375,66 @@ make clean %if %{BUILD_TARGETED} # Build targeted policy -%makeCmds targeted mcs n y allow -%installCmds targeted mcs n y allow +mkdir -p %{buildroot}%{_usr}/share/selinux/targeted +cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/targeted +%makeCmds targeted mcs n allow +%makeModulesConf targeted base contrib +%installCmds targeted mcs n allow +%modulesList targeted %endif %if %{BUILD_MINIMUM} # Build minimum policy -%makeCmds minimum mcs n y allow -%installCmds minimum mcs n y allow +mkdir -p %{buildroot}%{_usr}/share/selinux/minimum +cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/minimum +%makeCmds minimum mcs n allow +%makeModulesConf targeted base contrib +%installCmds minimum mcs n allow %modulesList minimum %endif %if %{BUILD_MLS} # Build mls policy -%makeCmds mls mls n y deny -%installCmds mls mls n y deny +%makeCmds mls mls n deny +%makeModulesConf mls base contrib +%installCmds mls mls n deny +%modulesList mls %endif -make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs +mkdir -p %{buildroot}%{_mandir} +cp -R man/* %{buildroot}%{_mandir} +make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs +make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers mkdir %{buildroot}%{_usr}/share/selinux/devel/ -mkdir %{buildroot}%{_usr}/share/selinux/packages/ mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile install -m 644 doc/example.* 
%{buildroot}%{_usr}/share/selinux/devel/ install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/ echo "xdg-open file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp -rm -rf selinux_config +#/usr/bin/sepolicy manpage -a -p %{buildroot}/usr/share/man/man8/ -w -r %{buildroot} +#mkdir %{buildroot}%{_usr}/share/selinux/devel/html +#htmldir=`compgen -d %{buildroot}%{_usr}/share/man/man8/` +#mv ${htmldir}/* %{buildroot}%{_usr}/share/selinux/devel/html +#rm -rf ${htmldir} +#mkdir %{buildroot}%{_usr}/share/selinux/packages/ +rm -rf selinux_config # fillup sysconfig mkdir -p %{buildroot}%{_localstatedir}/adm/fillup-templates -cp %{SOURCE26} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} +cp %{SOURCE40} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} %clean -#%%{__rm} -fR %{buildroot} #TODO: add minimum to the policies list in /etc/selinux/config once the package is built # minimum - Modification of targeted policy. Only selected processes are protected. %post -if [ ! -s /etc/sysconfig/selinux-policy ]; then -# New install so we will default to targeted policy - %{fillup_only} +%{fillup_only} +if [ ! -s /etc/selinux/config ]; then + # new install ln -sf /etc/sysconfig/selinux-policy /etc/selinux/config restorecon /etc/selinux/config 2> /dev/null || : else - %{fillup_only} . /etc/sysconfig/selinux-policy # if first time update booleans.local needs to be copied to sandbox [ -f /etc/selinux/${SELINUXTYPE}/booleans.local ] && mv /etc/selinux/${SELINUXTYPE}/booleans.local /etc/selinux/targeted/modules/active/ 
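Review bot: `cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/targeted` (and the same line for minimum) ships `permissivedomains.pp`, a pre-compiled binary policy module checked in as a source file, while this commit also adds `permissivedomains.te`, `.if` and `.fc`; building the module from those sources in `%install` with the checkmodule/semodule_package tools the spec already BuildRequires would keep the installed module reproducible from reviewable text and tied to the `POLICYVER` it is built against. The minimum branch calls `%makeModulesConf targeted base contrib` rather than `minimum`; if that is deliberate because no `modules-minimum-*.conf` exists (`Source16` is commented out), a comment saying so would stop it being read as a copy-paste error. The six commented-out sepolicy/html lines before `rm -rf selinux_config` would be clearer as a single `# TODO: generate per-domain man pages with sepolicy once <blocker> is resolved` line.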
@@ -388,11 +445,11 @@ %postun if [ $1 = 0 ]; then setenforce 0 2> /dev/null - if [ ! -s /etc/selinux/config ]; then - echo "SELINUX=disabled" > /etc/selinux/config - else - sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config - fi + #if [ ! -s /etc/selinux/config ]; then + #echo "SELINUX=disabled" > /etc/selinux/config + #else + #sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config + #fi fi exit 0 @@ -401,14 +458,10 @@ Summary: SELinux targeted base policy Group: System/Management Provides: selinux-policy-base = %{version}-%{release} -Obsoletes: selinux-policy-targeted-sources < 2 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): coreutils Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} -Conflicts: audispd-plugins <= 1.7.7-1 -Obsoletes: mod_fcgid-selinux <= %{version}-%{release} -Conflicts: seedit %description targeted SELinux Reference policy targeted base module. @@ -420,7 +473,7 @@ %postInstall $1 targeted exit 0 -%triggerpostun targeted -- selinux-policy-targeted < 3.9.0 +%triggerpostun targeted -- selinux-policy-targeted < 3.12.1-7.fc19 restorecon -R -p /home exit 0 @@ -428,6 +481,8 @@ %defattr(-,root,root,-) %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u %fileList targeted +%{_usr}/share/selinux/targeted/modules-base.lst +%{_usr}/share/selinux/targeted/modules-contrib.lst %endif %if %{BUILD_MINIMUM} 
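Review bot: With the `SELINUX=disabled` rewrite commented out, `%postun` on package removal only runs `setenforce 0`, which affects the running kernel; `/etc/selinux/config` keeps its previous mode, so presumably the next boot would request a policy that is no longer installed. If leaving the file alone is deliberate (for example because it is the symlink into sysconfig created in `%post`), replace the five commented lines with a comment saying so and what the admin is expected to do; otherwise restore the update as `sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config`, which the commented variant already prepared for the symlink case.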
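Review bot: `%triggerpostun targeted -- selinux-policy-targeted < 3.12.1-7.fc19` carries a Fedora release tag into an openSUSE spec; rpm still orders it, but an openSUSE release such as `20` compares greater than `7`, so the `restorecon -R -p /home` fires only for packages below version 3.12.1, which may or may not be the intent. State the openSUSE version the trigger is meant to catch, e.g. `< 3.12.1-20`, or add a comment that the upstream value was kept on purpose.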
@@ -447,17 +502,17 @@ %pre minimum %preInstall minimum if [ $1 -ne 1 ]; then - /usr/sbin/semodule -s minimum -l 2>/dev/null | awk '{ print $1 }' > /usr/share/selinux/minimum/instmodules.lst + /usr/sbin/semodule -s minimum -l 2>/dev/null | awk '{ if ($3 != "Disabled") print $1; }' > /usr/share/selinux/minimum/instmodules.lst fi %post minimum -allpackages=`cat /usr/share/selinux/minimum/modules.lst` +contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst` +basepackages=`cat /usr/share/selinux/minimum/modules-base.lst` if [ $1 -eq 1 ]; then -packages="clock.pp execmem.pp unconfined.pp unconfineduser.pp application.pp userdomain.pp authlogin.pp logging.pp selinuxutil.pp init.pp systemd.pp sysnetwork.pp miscfiles.pp libraries.pp modutils.pp sysadm.pp locallogin.pp dbus.pp rpm.pp mount.pp fstools.pp usermanage.pp mta.pp" -for p in $allpackages; do +for p in $contribpackages; do touch /etc/selinux/minimum/modules/active/modules/$p.disabled done -for p in $packages; do +for p in $basepackages apache.pp dbus.pp inetd.pp kerberos.pp mta.pp nis.pp; do rm -f /etc/selinux/minimum/modules/active/modules/$p.disabled done /usr/sbin/semanage -S minimum -i - << __eof @@ -468,10 +523,10 @@ /usr/sbin/semodule -B -s minimum else instpackages=`cat /usr/share/selinux/minimum/instmodules.lst` -for p in $allpackages; do +for p in $contribpackages; do touch /etc/selinux/minimum/modules/active/modules/$p.disabled done -for p in $instpackages; do +for p in $instpackages apache dbus inetd kerberos mta nis; do rm -f /etc/selinux/minimum/modules/active/modules/$p.pp.disabled done /usr/sbin/semodule -B -s minimum @@ -483,8 +538,8 @@ %defattr(-,root,root,-) %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u %fileList minimum -%dir %{_usr}/share/selinux/minimum -%{_usr}/share/selinux/minimum/modules.lst +%{_usr}/share/selinux/minimum/modules-base.lst +%{_usr}/share/selinux/minimum/modules-contrib.lst %endif %if %{BUILD_MLS} 
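Review bot: In `%post minimum` the set of modules kept enabled is spelled twice, as `apache.pp dbus.pp inetd.pp kerberos.pp mta.pp nis.pp` on the `$basepackages` loop and as `apache dbus inetd kerberos mta nis` on the `$instpackages` loop; a single `keep="apache dbus inetd kerberos mta nis"` referenced from both loops would stop the two lists drifting. The new awk filter `$3 != "Disabled"` in `%pre minimum` depends on the column layout of `semodule -l` for the policycoreutils version required here; a comment recording the expected output format would make that dependency visible.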
@@ -509,13 +564,13 @@ %post mls %postInstall $1 mls -exit 0 %files mls %defattr(-,root,root,-) %config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u %fileList mls - +%{_usr}/share/selinux/mls/modules-base.lst +%{_usr}/share/selinux/mls/modules-contrib.lst %endif %changelog ++++++ booleans-mls.conf ++++++ --- /var/tmp/diff_new_pack.wo3kWi/_old 2013-07-12 20:57:53.000000000 +0200 +++ /var/tmp/diff_new_pack.wo3kWi/_new 2013-07-12 20:57:53.000000000 +0200 
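Review bot: Removing `exit 0` from `%post mls` makes the scriptlet's exit status whatever the last command in `%postInstall` returns, while `%post targeted` in the hunk above keeps its `exit 0`; a failing `restorecon` or `touch` at the end of `%postInstall` would then abort the transaction for mls only. Keep the two consistent, either by restoring `exit 0` here or by dropping it from both with a comment that `%postInstall` is expected to be failure-tolerant.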
@@ -1,233 +1,6 @@ -d# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. -# -allow_execmem = false - -# Allow making a modified private filemapping executable (text relocation). -# -allow_execmod = false - -# Allow making the stack executable via mprotect.Also requires allow_execmem. -# -allow_execstack = false - -# Allow ftp servers to modify public filesused for public file transfer services. -# -allow_ftpd_anon_write = false - -# Allow gssd to read temp directory. -# -allow_gssd_read_tmp = false - -# Allow Apache to modify public filesused for public file transfer services. -# -allow_httpd_anon_write = false - -# Allow system to run with kerberos -# -allow_kerberos = true - -# Allow rsync to modify public filesused for public file transfer services. -# -allow_rsync_anon_write = false - -# Allow sasl to read shadow -# -allow_saslauthd_read_shadow = false - -# Allow samba to modify public filesused for public file transfer services. -# -allow_smbd_anon_write = false - -# Allow sysadm to ptrace all processes -# -allow_ptrace = false - -# Allow system to run with NIS -# -allow_ypbind = false - -# Enable extra rules in the cron domainto support fcron. -# -fcron_crond = false - -# Allow ftp to read and write files in the user home directories -# -ftp_home_dir = false - -# Allow ftpd to run directly without inetd -# +kerberos_enabled = true +mount_anyfile = true +polyinstantiation_enabled = true ftpd_is_daemon = true - -# Allow httpd to use built in scripting (usually php) -# -httpd_builtin_scripting = false - -# Allow http daemon to tcp connect -# -httpd_can_network_connect = false - -# Allow httpd cgi support -# -httpd_enable_cgi = false - -# Allow httpd to act as a FTP server bylistening on the ftp port. -# -httpd_enable_ftp_server = false - -# Allow httpd to read home directories -# -httpd_enable_homedirs = false - -# Run SSI execs in system CGI script domain. 
-# -httpd_ssi_exec = false - -# Allow http daemon to communicate with the TTY -# -httpd_tty_comm = false - -# Run CGI in the main httpd domain -# -httpd_unified = false - -# Allow BIND to write the master zone files.Generally this is used for dynamic DNS. -# -named_write_master_zones = false - -# Allow nfs to be exported read/write. -# -nfs_export_all_rw = false - -# Allow nfs to be exported read only -# -nfs_export_all_ro = false - -# Allow pppd to load kernel modules for certain modems -# -pppd_can_insmod = false - -# Allow reading of default_t files. -# -read_default_t = false - -# Allow ssh to run from inetd instead of as a daemon. -# -run_ssh_inetd = false - -# Allow samba to export user home directories. -# -samba_enable_home_dirs = false - -# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. -# -squid_connect_any = false - -# Allow ssh logins as sysadm_r:sysadm_t -# -ssh_sysadm_login = false - -# Configure stunnel to be a standalone daemon orinetd service. -# -stunnel_is_daemon = false - -# Support NFS home directories -# -use_nfs_home_dirs = false - -# Support SAMBA home directories -# -use_samba_home_dirs = false - -# Control users use of ping and traceroute -# -user_ping = true - -# Allow gpg executable stack -# -allow_gpg_execstack = false - -# allow host key based authentication -# -allow_ssh_keysign = false - -# Allow users to connect to mysql -# -allow_user_mysql_connect = false - -# Allow system cron jobs to relabel filesystemfor restoring file contexts. -# -cron_can_relabel = false - -# Allow pppd to be run for a regular user -# -pppd_for_user = false - -# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted -# -read_untrusted_content = false - -# Allow user spamassassin clients to use the network. 
-# -spamassassin_can_network = false - -# Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc) -# -staff_read_sysadm_file = false - -# Allow regular users direct mouse access -# -user_direct_mouse = false - -# Allow users to read system messages. -# -user_dmesg = false - -# Allow users to control network interfaces(also needs USERCTL=true) -# -user_net_control = false - -# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) -# -user_rw_noexattrfile = false - -# Allow users to rw usb devices -# -user_rw_usb = false - -# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. -# -user_tcp_server = false - -# Allow w to display everyone -# -user_ttyfile_stat = false - -# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored. -# -write_untrusted_content = false - -spamd_enable_home_dirs = false - -# Allow login domains to polyinstatiate directories -# -allow_polyinstantiation = true - -# Allow mount command to mounton any directory -# -allow_mounton_anydir = true - -# Allow unlabeled packets to flow -# -allow_unlabeled_packets = true - -# Allow samba to act as the domain controller -# -samba_domain_controller = false - -# Run the xserver as an object manager -# +selinuxuser_ping = true xserver_object_manager = true - -# System uses init upstart program -# -init_upstart = true ++++++ booleans-targeted.conf ++++++ --- /var/tmp/diff_new_pack.wo3kWi/_old 2013-07-12 20:57:53.000000000 +0200 +++ /var/tmp/diff_new_pack.wo3kWi/_new 2013-07-12 20:57:53.000000000 +0200 
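Review bot: The rewritten `booleans-mls.conf` keeps seven settings and drops every other boolean, including ones without an obvious renamed counterpart in the new list such as `allow_unlabeled_packets = true`, `allow_ptrace = false` and the `allow_exec*` entries; anything not listed now falls back to the compiled-in policy default, which for an MLS policy is a behaviour change worth stating in the file itself. A header comment such as `# Only overrides of the compiled-in defaults are listed; defaults live in the policy .te files` plus the one-line purpose comment per boolean that the old file carried would keep the file reviewable. The stray `d` in the removed first line (`-d# Allow ...`) shows the old file was already slightly corrupt, so the rewrite is a good moment to re-add those comments.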
@@ -1,269 +1,24 @@ -# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. -# -allow_execmem = true - -# Allow making a modified private filemapping executable (text relocation). -# -allow_execmod = false - -# Allow making the stack executable via mprotect.Also requires allow_execmem. -# -allow_execstack = true - -# Allow ftpd to read cifs directories. -# -allow_ftpd_use_cifs = false - -# Allow ftpd to read nfs directories. -# -allow_ftpd_use_nfs = false - -# Allow ftp servers to modify public filesused for public file transfer services. -# -allow_ftpd_anon_write = false - -# Allow gssd to read temp directory. -# -allow_gssd_read_tmp = true - -# Allow Apache to modify public filesused for public file transfer services. -# -allow_httpd_anon_write = false - -# Allow Apache to use mod_auth_pam module -# -allow_httpd_mod_auth_pam = false - -# Allow system to run with kerberos -# -allow_kerberos = true - -# Allow rsync to modify public filesused for public file transfer services. -# -allow_rsync_anon_write = false - -# Allow sasl to read shadow -# -allow_saslauthd_read_shadow = false - -# Allow samba to modify public filesused for public file transfer services. -# -allow_smbd_anon_write = false - -# Allow system to run with NIS -# -allow_ypbind = false - -# Allow zebra to write it own configuration files -# -allow_zebra_write_config = true - -# Enable extra rules in the cron domainto support fcron. 
-# -fcron_crond = false - -# Allow ftp to read and write files in the user home directories -# -ftp_home_dir = false - -# -# allow httpd to connect to mysql/posgresql -httpd_can_network_connect_db = false - -# -# allow httpd to send dbus messages to avahi -httpd_dbus_avahi = true - -# -# allow httpd to network relay -httpd_can_network_relay = false - -# Allow httpd to use built in scripting (usually php) -# +gssd_read_tmp = true httpd_builtin_scripting = true - -# Allow http daemon to tcp connect -# -httpd_can_network_connect = false - -# Allow httpd cgi support -# httpd_enable_cgi = true - -# Allow httpd to act as a FTP server bylistening on the ftp port. -# -httpd_enable_ftp_server = false - -# Allow httpd to read home directories -# -httpd_enable_homedirs = false - -# Run SSI execs in system CGI script domain. -# -httpd_ssi_exec = false - -# Allow http daemon to communicate with the TTY -# -httpd_tty_comm = true - -# Run CGI in the main httpd domain -# -httpd_unified = true - -# Allow BIND to write the master zone files.Generally this is used for dynamic DNS. -# -named_write_master_zones = false - -# Allow nfs to be exported read/write. -# -nfs_export_all_rw = true - -# Allow nfs to be exported read only -# +httpd_graceful_shutdown = true +kerberos_enabled = true +mount_anyfile = true nfs_export_all_ro = true - -## Allow openvpn to read home directories -## +nfs_export_all_rw = true +nscd_use_shm = true openvpn_enable_homedirs = true - -# Allow pppd to load kernel modules for certain modems -# +postfix_local_write_mail_spool=true pppd_can_insmod = false - -# Allow samba to export user home directories. -# -samba_enable_home_dirs = false - -# Allow squid to connect to all ports, not justHTTP, FTP, and Gopher ports. 
-# -squid_connect_any = false - -# Support NFS home directories -# -use_nfs_home_dirs = true - -# Support SAMBA home directories -# -use_samba_home_dirs = false - -# Control users use of ping and traceroute -# -user_ping = true - -# allow host key based authentication -# -allow_ssh_keysign = false - -# Allow pppd to be run for a regular user -# -pppd_for_user = false - -# Allow applications to read untrusted contentIf this is disallowed, Internet content hasto be manually relabeled for read access to be granted -# -read_untrusted_content = true - -# Allow spamd to write to users homedirs -# -spamd_enable_home_dirs = true - -# Allow regular users direct mouse access -# -user_direct_mouse = false - -# Allow regular users direct dri access -# -user_direct_dri = true - -# Allow users to read system messages. -# -user_dmesg = true - -# Allow user to r/w files on filesystemsthat do not have extended attributes (FAT, CDROM, FLOPPY) -# -user_rw_noexattrfile = false - -# Allow users to run TCP servers (bind to ports and accept connection fromthe same domain and outside users) disabling this forces FTP passive modeand may change other protocols. -# -user_tcp_server = true - -# Allow w to display everyone -# -user_ttyfile_stat = false - -# Allow applications to write untrusted contentIf this is disallowed, no Internet contentwill be stored. -# -write_untrusted_content = true - -# Allow all domains to talk to ttys -# -allow_daemons_use_tty = true - -# Allow login domains to polyinstatiate directories -# -allow_polyinstantiation = false - -# Allow all domains to dump core -# -allow_daemons_dump_core = true - -# Allow samba to act as the domain controller -# -samba_domain_controller = false - -# Allow samba to export user home directories. 
-# -samba_run_unconfined = false - -# Allows XServer to execute writable memory -# -allow_xserver_execmem = false - -# disallow guest accounts to execute files that they can create -# -allow_guest_exec_content = false -allow_xguest_exec_content = false - -# Only allow browser to use the web -# -browser_confine_xguest=false - -# Allow postfix locat to write to mail spool -# -allow_postfix_local_write_mail_spool=true - -# Allow common users to read/write noexattrfile systems -# -user_rw_noexattrfile=true - -# Allow qemu to connect fully to the network -# -qemu_full_network=true - -# Allow nsplugin execmem/execstack for bad plugins -# -allow_nsplugin_execmem=true - -# Allow unconfined domain to transition to confined domain -# -allow_unconfined_nsplugin_transition=false - -# System uses init upstart program -# -init_upstart = true - -# Allow mount to mount any file/dir -# -allow_mount_anyfile = true - -# Allow confined domains to communicate with ncsd via shared memory -# -nscd_use_shm = true - -# Allow fenced domain to connect to the network using TCP. -# -fenced_can_network_connect=false - -# Allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports. -# privoxy_connect_any = true - +selinuxuser_direct_dri_enabled = true +selinuxuser_execmem = true +selinuxuser_execmod = true +selinuxuser_execstack = true +selinuxuser_rw_noexattrfile=true +selinuxuser_ping = true +squid_connect_any = true +telepathy_tcp_connect_generic_network_ports=true +unconfined_chrome_sandbox_transition=true +unconfined_mozilla_plugin_transition=true +xguest_exec_content = true ++++++ booleans.subs_dist ++++++ --- /var/tmp/diff_new_pack.wo3kWi/_old 2013-07-12 20:57:53.000000000 +0200 +++ /var/tmp/diff_new_pack.wo3kWi/_new 2013-07-12 20:57:53.000000000 +0200 
@@ -42,3 +42,8 @@ user_direct_dri selinuxuser_direct_dri_enabled user_ping selinuxuser_ping user_share_music selinuxuser_share_music +user_tcp_server selinuxuser_tcp_server +sepgsql_enable_pitr_implementation postgresql_can_rsync +sepgsql_enable_users_ddl postgresql_selinux_users_ddl +sepgsql_transmit_client_label postgresql_selinux_transmit_client_label +sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm ++++++ config.tgz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/appconfig-mcs/virtual_domain_context new/config/appconfig-mcs/virtual_domain_context --- old/config/appconfig-mcs/virtual_domain_context 2009-08-28 21:06:34.000000000 +0200 +++ new/config/appconfig-mcs/virtual_domain_context 2012-12-16 23:57:29.000000000 +0100 @@ -1 +1,2 @@ system_u:system_r:svirt_t:s0 +system_u:system_r:svirt_tcg_t:s0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/appconfig-standard/virtual_domain_context new/config/appconfig-standard/virtual_domain_context --- old/config/appconfig-standard/virtual_domain_context 1970-01-01 01:00:00.000000000 +0100 +++ new/config/appconfig-standard/virtual_domain_context 2012-12-17 10:36:41.000000000 +0100 @@ -0,0 +1,2 @@ +system_u:system_r:svirt_t:s0 +system_u:system_r:svirt_tcg_t:s0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/config/appconfig-standard/virtual_image_context new/config/appconfig-standard/virtual_image_context --- old/config/appconfig-standard/virtual_image_context 1970-01-01 01:00:00.000000000 +0100 +++ new/config/appconfig-standard/virtual_image_context 2012-12-17 10:36:41.000000000 +0100 @@ -0,0 +1,2 @@ +system_u:object_r:svirt_image_t:s0 +system_u:object_r:virt_content_t:s0 ++++++ customizable_types ++++++ --- /var/tmp/diff_new_pack.wo3kWi/_old 2013-07-12 20:57:53.000000000 +0200 +++ /var/tmp/diff_new_pack.wo3kWi/_new 2013-07-12 20:57:53.000000000 +0200 
@@ -1,8 +1,13 @@ +sandbox_file_t svirt_image_t +svirt_home_t +svirt_lxc_file_t virt_content_t httpd_user_htaccess_t httpd_user_script_exec_t -httpd_user_content_ra_t -httpd_user_content_rw_t +httpd_user_rw_content_t +httpd_user_ra_content_t httpd_user_content_t git_session_content_t +home_bin_t +user_tty_device_t ++++++ file_contexts.subs_dist ++++++ --- /var/tmp/diff_new_pack.wo3kWi/_old 2013-07-12 20:57:53.000000000 +0200 +++ /var/tmp/diff_new_pack.wo3kWi/_new 2013-07-12 20:57:53.000000000 +0200 @@ -1,10 +1,13 @@ /run /var/run /run/lock /var/lock /var/run/lock /var/lock -/lib64 /lib +/lib /usr/lib +/lib64 /usr/lib /usr/lib64 /usr/lib /usr/local /usr /usr/local/lib64 /usr/lib /usr/local/lib32 /usr/lib -/etc/systemd/system /lib/systemd/system +/etc/systemd/system /usr/lib/systemd/system +/run/systemd/system /usr/lib/systemd/system +/run/systemd/generator /usr/lib/systemd/system /var/lib/xguest/home /home ++++++ label_sysconfig.selinux-policy.patch ++++++ Index: serefpolicy-3.12.1/policy/modules/system/selinuxutil.fc =================================================================== --- serefpolicy-3.12.1.orig/policy/modules/system/selinuxutil.fc 2013-03-29 13:54:24.693412923 +0100 +++ serefpolicy-3.12.1/policy/modules/system/selinuxutil.fc 2013-03-29 14:02:18.187588333 +0100 
@@ -4,6 +4,7 @@ # /etc # /etc/selinux(/.*)? gen_context(system_u:object_r:selinux_config_t,s0) +/etc/sysconfig/selinux-policy gen_context(system_u:object_r:selinux_config_t,s0) /etc/selinux/([^/]*/)?contexts(/.*)? gen_context(system_u:object_r:default_context_t,s0) /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0) /etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0) ++++++ modules-minimum.conf ++++++ ++++ 1643 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/selinux-policy/modules-minimum.conf ++++ and /work/SRC/openSUSE:Factory/.selinux-policy.new/modules-minimum.conf ++++++ modules-mls-base.conf ++++++ # Layer: kernel # Module: bootloader # # Policy for the kernel modules, kernel image, and bootloader. # bootloader = module # Layer: kernel # Module: corenetwork # Required in base # # Policy controlling access to network objects # corenetwork = base # Layer: admin # Module: dmesg # # Policy for dmesg. # dmesg = module # Layer: admin # Module: netutils # # Network analysis utilities # netutils = module # Layer: admin # Module: sudo # # Execute a command with a substitute user # sudo = module # Layer: admin # Module: su # # Run shells with substitute user and group # su = module # Layer: admin # Module: usermanage # # Policy for managing user accounts. # usermanage = module # Layer: apps # Module: seunshare # # seunshare executable # seunshare = module # Layer: kernel # Module: corecommands # Required in base # # Core policy for shells, and generic programs # in /bin, /sbin, /usr/bin, and /usr/sbin. # corecommands = base # Module: devices # Required in base # # Device nodes and interfaces for many basic system devices. # devices = base # Module: domain # Required in base # # Core policy for domains. # domain = base # Layer: system # Module: userdomain # # Policy for user domains # userdomain = module # Module: files # Required in base # # Basic filesystem types and interfaces. 
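Review bot: The added `/etc/sysconfig/selinux-policy` entry has no object-class qualifier, so it also matches a directory or symlink of that name, unlike the regular file it is evidently meant to label; `/etc/sysconfig/selinux-policy -- gen_context(system_u:object_r:selinux_config_t,s0)` would restrict the match to a plain file. Labelling it selinux_config_t makes it readable and, presumably, writable by whatever domains the policy grants for that type — verify that is acceptable for a sysconfig file that other tooling may edit, since I cannot see those grants from this hunk. A short comment stating what the file holds and why it shares the /etc/selinux type would help, e.g. `# openSUSE: per-package policy settings, managed like /etc/selinux`.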
# files = base # Layer: system # Module: miscfiles # # Miscelaneous files. # miscfiles = module # Module: filesystem # Required in base # # Policy for filesystems. # filesystem = base # Module: kernel # Required in base # # Policy for kernel threads, proc filesystem,and unlabeled processes and objects. # kernel = base # Module: mcs # Required in base # # MultiCategory security policy # mcs = base # Module: mls # Required in base # # Multilevel security policy # mls = base # Module: selinux # Required in base # # Policy for kernel security interface, in particular, selinuxfs. # selinux = base # Layer: kernel # Module: storage # # Policy controlling access to storage devices # storage = base # Module: terminal # Required in base # # Policy for terminals. # terminal = base # Layer: kernel # Module: ubac # # # ubac = base # Layer: kernel # Module: unlabelednet # # The unlabelednet module. # unlabelednet = module # Layer: role # Module: auditadm # # auditadm account on tty logins # auditadm = module # Layer: role # Module: logadm # # Minimally prived root role for managing logging system # logadm = module # Layer: role # Module: logadm # # logadm account on tty logins # logadm = module # Layer:role # Module: sysadm_secadm # # System Administrator with Security Admin rules # sysadm_secadm = module # Layer: role # Module: secadm # # secadm account on tty logins # secadm = module # Layer:role # Module: staff # # admin account # staff = module # Layer:role # Module: sysadm_secadm # # System Administrator with Security Admin rules # sysadm_secadm = module # Layer:role # Module: sysadm # # System Administrator # sysadm = module # Layer: role # Module: unprivuser # # Minimally privs guest account on tty logins # unprivuser = module # Layer: services # Module: postgresql # # PostgreSQL relational database # postgresql = module # Layer: services # Module: ssh # # Secure shell client and server policy. 
# ssh = module # Layer: services # Module: xserver # # X windows login display manager # xserver = module # Module: application # Required in base # # Defines attributs and interfaces for all user applications # application = module # Layer: system # Module: authlogin # # Common policy for authentication and user login. # authlogin = module # Layer: system # Module: clock # # Policy for reading and setting the hardware clock. # clock = module # Layer: system # Module: fstools # # Tools for filesystem management, such as mkfs and fsck. # fstools = module # Layer: system # Module: getty # # Policy for getty. # getty = module # Layer: system # Module: hostname # # Policy for changing the system host name. # hostname = module # Layer: system # Module: init # # System initialization programs (init and init scripts). # init = module # Layer: system # Module: ipsec # # TCP/IP encryption # ipsec = module # Layer: system # Module: iptables # # Policy for iptables. # iptables = module # Layer: system # Module: libraries # # Policy for system libraries. # libraries = module # Layer: system # Module: locallogin # # Policy for local logins. # locallogin = module # Layer: system # Module: logging # # Policy for the kernel message logger and system logging daemon. # logging = module # Layer: system # Module: lvm # # Policy for logical volume management programs. # lvm = module # Layer: system # Module: miscfiles # # Miscelaneous files. # miscfiles = module # Layer: system # Module: modutils # # Policy for kernel module utilities # modutils = module # Layer: services # Module: automount # # Filesystem automounter service. # automount = module # Layer: system # Module: mount # # Policy for mount. # mount = module # Layer: system # Module: netlabel # # Basic netlabel types and interfaces. # netlabel = module # Layer: system # Module: selinuxutil # # Policy for SELinux policy and userland applications. 
# selinuxutil = module # Module: setrans # Required in base # # Policy for setrans # setrans = module # Layer: system # Module: sysnetwork # # Policy for network configuration: ifconfig and dhcp client. # sysnetwork = module # Layer: system # Module: systemd # # Policy for systemd components # systemd = module # Layer: system # Module: udev # # Policy for udev. # udev = module # Layer: system # Module: userdomain # # Policy for user domains # userdomain = module ++++++ modules-mls-contrib.conf ++++++ ++++ 1644 lines (skipped) ++++++ modules-mls.conf ++++++ ++++ 1031 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/selinux-policy/modules-mls.conf ++++ and /work/SRC/openSUSE:Factory/.selinux-policy.new/modules-mls.conf ++++++ modules-targeted-base.conf ++++++ # Layer: kernel # Module: bootloader # # Policy for the kernel modules, kernel image, and bootloader. # bootloader = module # Layer: kernel # Module: corecommands # Required in base # # Core policy for shells, and generic programs # in /bin, /sbin, /usr/bin, and /usr/sbin. # corecommands = base # Layer: kernel # Module: corenetwork # Required in base # # Policy controlling access to network objects # corenetwork = base # Layer: admin # Module: dmesg # # Policy for dmesg. # dmesg = module # Layer: admin # Module: netutils # # Network analysis utilities # netutils = module # Layer: admin # Module: sudo # # Execute a command with a substitute user # sudo = module # Layer: admin # Module: su # # Run shells with substitute user and group # su = module # Layer: admin # Module: usermanage # # Policy for managing user accounts. # usermanage = module # Layer: apps # Module: seunshare # # seunshare executable # seunshare = module # Module: devices # Required in base # # Device nodes and interfaces for many basic system devices. # devices = base # Module: domain # Required in base # # Core policy for domains. 
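Review bot: `logadm = module` and `sysadm_secadm = module` are each listed twice in modules-mls-base.conf, under different header comments, so it is unclear which entry (and which description) is authoritative; drop the duplicates. The `ubac` entry has an empty description block and `staff` is described only as `admin account`, while `unprivuser` carries a full sentence — give each a one-line purpose (`# User-based access control separation` for ubac, `# Staff (semi-privileged) user role` for staff). For an MLS build, `unlabelednet = module` enables the module that, as its name suggests, lets domains exchange unlabelled network traffic; if labelled networking is a goal of the MLS flavour this may deserve `off` with a comment explaining the choice — I cannot confirm the module's exact grants from this listing. Minor typos: `Miscelaneous`, `attributs`, `prived`.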
# domain = base # Layer: system # Module: userdomain # # Policy for user domains # userdomain = module # Module: files # Required in base # # Basic filesystem types and interfaces. # files = base # Layer: system # Module: miscfiles # # Miscelaneous files. # miscfiles = module # Module: filesystem # Required in base # # Policy for filesystems. # filesystem = base # Module: kernel # Required in base # # Policy for kernel threads, proc filesystem,and unlabeled processes and objects. # kernel = base # Module: mcs # Required in base # # MultiCategory security policy # mcs = base # Module: mls # Required in base # # Multilevel security policy # mls = base # Module: selinux # Required in base # # Policy for kernel security interface, in particular, selinuxfs. # selinux = base # Layer: kernel # Module: storage # # Policy controlling access to storage devices # storage = base # Module: terminal # Required in base # # Policy for terminals. # terminal = base # Layer: kernel # Module: ubac # # # ubac = base # Layer: kernel # Module: unconfined # # The unlabelednet module. # unlabelednet = module # Layer: role # Module: auditadm # # auditadm account on tty logins # auditadm = module # Layer: role # Module: logadm # # Minimally prived root role for managing logging system # logadm = module # Layer: role # Module: secadm # # secadm account on tty logins # secadm = module # Layer:role # Module: sysadm_secadm # # System Administrator with Security Admin rules # sysadm_secadm = module # Module: staff # # admin account # staff = module # Layer:role # Module: sysadm_secadm # # System Administrator with Security Admin rules # sysadm_secadm = module # Layer:role # Module: sysadm # # System Administrator # sysadm = module # Layer: role # Module: unconfineduser # # The unconfined user domain. 
# unconfineduser = module # Layer: role # Module: unprivuser # # Minimally privs guest account on tty logins # unprivuser = module # Layer: services # Module: postgresql # # PostgreSQL relational database # postgresql = module # Layer: services # Module: ssh # # Secure shell client and server policy. # ssh = module # Layer: apps # Module: rssh # # Restricted (scp/sftp) only shell # rssh = module # Layer: services # Module: xserver # # X windows login display manager # xserver = module # Module: application # Required in base # # Defines attributs and interfaces for all user applications # application = module # Layer: system # Module: authlogin # # Common policy for authentication and user login. # authlogin = module # Layer: system # Module: clock # # Policy for reading and setting the hardware clock. # clock = module # Layer: system # Module: fstools # # Tools for filesystem management, such as mkfs and fsck. # fstools = module # Layer: system # Module: getty # # Policy for getty. # getty = module # Layer: system # Module: hostname # # Policy for changing the system host name. # hostname = module # Layer: system # Module: init # # System initialization programs (init and init scripts). # init = module # Layer: system # Module: ipsec # # TCP/IP encryption # ipsec = module # Layer: system # Module: iptables # # Policy for iptables. # iptables = module # Layer: system # Module: libraries # # Policy for system libraries. # libraries = module # Layer: system # Module: locallogin # # Policy for local logins. # locallogin = module # Layer: system # Module: logging # # Policy for the kernel message logger and system logging daemon. # logging = module # Layer: system # Module: lvm # # Policy for logical volume management programs. # lvm = module # Layer: system # Module: miscfiles # # Miscelaneous files. 
# miscfiles = module # Layer: system # Module: modutils # # Policy for kernel module utilities # modutils = module # Layer: services # Module: automount # # Filesystem automounter service. # automount = module # Layer: system # Module: mount # # Policy for mount. # mount = module # Layer: system # Module: netlabel # # Basic netlabel types and interfaces. # netlabel = module # Layer: system # Module: selinuxutil # # Policy for SELinux policy and userland applications. # selinuxutil = module # Module: setrans # Required in base # # Policy for setrans # setrans = module # Layer: system # Module: sysnetwork # # Policy for network configuration: ifconfig and dhcp client. # sysnetwork = module # Layer: system # Module: systemd # # Policy for systemd components # systemd = module # Layer: system # Module: udev # # Policy for udev. # udev = module # Layer: system # Module: unconfined # # The unconfined domain. # unconfined = module # Layer: system # Module: userdomain # # Policy for user domains # userdomain = module ++++++ modules-targeted-contrib.conf ++++++ ++++ 2231 lines (skipped) ++++++ modules-targeted.conf ++++++ ++++ 1792 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/selinux-policy/modules-targeted.conf ++++ and /work/SRC/openSUSE:Factory/.selinux-policy.new/modules-targeted.conf ++++++ permissivedomains.fc ++++++ # No file contexts ++++++ permissivedomains.if ++++++ ## <summary>No Interfaces</summary> ++++++ permissivedomains.te ++++++ policy_module(permissivedomains,19) optional_policy(` gen_require(` type systemd_localed_t; ') permissive systemd_localed_t; ') optional_policy(` gen_require(` type httpd_mythtv_script_t; ') permissive httpd_mythtv_script_t; ') optional_policy(` gen_require(` type systemd_hostnamed_t; ') permissive systemd_hostnamed_t; ') optional_policy(` gen_require(` type systemd_sysctl_t; ') permissive systemd_sysctl_t; ') optional_policy(` gen_require(` type openshift_cron_t; ') permissive openshift_cron_t; ') optional_policy(` 
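Review bot: In modules-targeted-base.conf the block headed `# Layer: kernel # Module: unconfined # # The unlabelednet module.` actually sets `unlabelednet = module`, so the header names the wrong module; change it to `# Module: unlabelednet`. `sysadm_secadm = module` is listed twice and `staff = module` is the only role entry without a `# Layer: role` header, so the file is not self-consistent for anyone grepping by layer. A single line per module in layer order, with the duplicates removed, would make it clear which modules the targeted base policy actually enables.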
gen_require(` type swift_t; ') permissive swift_t; ') ++++++ policy-rawhide-base.patch ++++++ ++++ 39915 lines (skipped) ++++++ policy-rawhide-contrib.patch ++++++ ++++ 91075 lines (skipped) ++++++ securetty_types-minimum ++++++ --- /var/tmp/diff_new_pack.wo3kWi/_old 2013-07-12 20:57:53.000000000 +0200 +++ /var/tmp/diff_new_pack.wo3kWi/_new 2013-07-12 20:57:53.000000000 +0200 @@ -1,3 +1,4 @@ +console_device_t sysadm_tty_device_t user_tty_device_t staff_tty_device_t ++++++ securetty_types-mls ++++++ --- /var/tmp/diff_new_pack.wo3kWi/_old 2013-07-12 20:57:53.000000000 +0200 +++ /var/tmp/diff_new_pack.wo3kWi/_new 2013-07-12 20:57:53.000000000 +0200 @@ -1,3 +1,4 @@ +console_device_t sysadm_tty_device_t user_tty_device_t staff_tty_device_t ++++++ securetty_types-targeted ++++++ --- /var/tmp/diff_new_pack.wo3kWi/_old 2013-07-12 20:57:53.000000000 +0200 +++ /var/tmp/diff_new_pack.wo3kWi/_new 2013-07-12 20:57:53.000000000 +0200 @@ -1,3 +1,4 @@ +console_device_t sysadm_tty_device_t user_tty_device_t staff_tty_device_t ++++++ seusers ++++++ root:root:s0-s0:c0.c1023 system_u:system_u:s0-s0:c0.c1023 __default__:user_u:s0 ++++++ seusers-mls ++++++ system_u:system_u:s0-s15:c0.c1023 root:root:s0-s15:c0.c1023 __default__:user_u:s0 ++++++ seusers-targeted ++++++ root:root:s0-s0:c0.c1023 system_u:system_u:s0-s0:c0.c1023 __default__:user_u:s0 ++++++ type_transition_contrib.patch ++++++ diff --git a/glusterd.te b/glusterd.te index 8f595f8..253ba1a 100644 --- a/glusterd.te +++ b/glusterd.te 
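Review bot: permissivedomains.te marks `systemd_localed_t`, `systemd_hostnamed_t`, `systemd_sysctl_t`, `httpd_mythtv_script_t`, `openshift_cron_t` and `swift_t` as `permissive`, so on an enforcing system denials for those domains are only audited, never blocked — the confinement those types appear to give is cosmetic until the entries are removed. The module has no comment saying why each domain is permissive or when it should be enforced; add a header such as `# Domains whose upstream policy is still incomplete; remove each entry once it enforces cleanly` and a one-line reason per `optional_policy` block. The list looks inherited wholesale (openshift, swift); entries for services the distribution does not ship could be dropped so that `semodule -l` does not advertise permissive domains that nobody is tracking, and `policy_module(permissivedomains,19)` should be bumped whenever the list changes so the loaded version identifies the set.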
@@ -40,7 +40,7 @@ allow glusterd_t self:unix_stream_socket { accept listen }; manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t) manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t) -files_etc_filetrans(glusterd_t, glusterd_conf_t, { dir file }, "glusterfs") +files_etc_filetrans(glusterd_t, glusterd_conf_t, file, "glusterfs") manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t) ++++++ type_transition_file_class.patch ++++++ Index: serefpolicy-3.12.1/policy/modules/system/miscfiles.if =================================================================== --- serefpolicy-3.12.1.orig/policy/modules/system/miscfiles.if 2013-02-18 17:05:53.027143604 +0100 +++ serefpolicy-3.12.1/policy/modules/system/miscfiles.if 2013-02-27 15:23:39.743957136 +0100 @@ -836,7 +836,7 @@ interface(`miscfiles_etc_filetrans_local ') files_etc_filetrans($1, locale_t, lnk_file) - files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" ) + files_etc_filetrans($1, locale_t, file, "localtime" ) files_etc_filetrans($1, locale_t, file, "locale.conf" ) files_etc_filetrans($1, locale_t, file, "timezone" ) files_etc_filetrans($1, locale_t, file, "vconsole.conf" ) 
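Review bot: Dropping `dir` from the named transition means a `glusterfs` directory that glusterd_t creates in /etc no longer becomes glusterd_conf_t but keeps the parent's default label, so the `manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)` rule two lines above never applies to a freshly created config directory and the visible rules grant nothing for whatever it then creates inside. If the intent is to avoid a multi-class named transition (the patch name suggests the local toolchain rejects `{ dir file }`; I cannot confirm that from the diff), keep both classes as two single-class rules: `files_etc_filetrans(glusterd_t, glusterd_conf_t, dir, "glusterfs")` followed by `files_etc_filetrans(glusterd_t, glusterd_conf_t, file, "glusterfs")`. A comment on why the upstream form was split would stop the next rebase from silently reverting it.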
@@ -878,7 +878,7 @@ interface(`miscfiles_filetrans_locale_na type locale_t; ') - files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime") + files_etc_filetrans($1, locale_t, file, "localtime") files_etc_filetrans($1, locale_t, file, "locale.conf") files_etc_filetrans($1, locale_t, file, "locale.conf.new") files_etc_filetrans($1, locale_t, file, "timezone") ++++++ users_extra-mls ++++++ user root prefix staff; user staff_u prefix staff; user user_u prefix user; user sysadm_u prefix sysadm; user secadm_u prefix secadm; ++++++ users_extra-targeted ++++++ user root prefix user; user user_u prefix user; -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
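Review bot: Removing `lnk_file` from the `"localtime"` transition leaves a `localtime` symlink created in /etc by a caller of this interface with the directory's default label instead of locale_t — and /etc/localtime is typically a symlink into the zoneinfo tree on systemd-based systems, which is presumably why upstream listed both classes. Unlike the first hunk, this interface has no generic `files_etc_filetrans($1, locale_t, lnk_file)` line to catch that case. If the multi-class form is what the local toolchain cannot build, keep the behaviour with two rules: `files_etc_filetrans($1, locale_t, lnk_file, "localtime")` and `files_etc_filetrans($1, locale_t, file, "localtime")`. The enclosing `interface(`miscfiles_filetrans_locale_na…` definition starts outside the hunk.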