diff --git a/add-firewalld-fc.patch b/add-firewalld-fc.patch
new file mode 100644
index 0000000000000000000000000000000000000000..524cd2ccd7d58f1038401fbd75e865fa06e2beb0
--- /dev/null
+++ b/add-firewalld-fc.patch
@@ -0,0 +1,12 @@
+diff -uprN selinux-policy-9c84d687e0fef5d8e4e25273bd25f58c28a7c67c.orig/policy/modules/contrib/firewalld.fc selinux-policy-9c84d687e0fef5d8e4e25273bd25f58c28a7c67c/policy/modules/contrib/firewalld.fc
+--- selinux-policy-9c84d687e0fef5d8e4e25273bd25f58c28a7c67c.orig/policy/modules/contrib/firewalld.fc 2020-09-03 14:43:46.690880806 +0200
++++ selinux-policy-9c84d687e0fef5d8e4e25273bd25f58c28a7c67c/policy/modules/contrib/firewalld.fc 2020-09-10 17:25:25.126199087 +0200
+@@ -6,6 +6,8 @@
+
+ /usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
+
++/usr/share/firewalld/firewalld-tmp-mmap -- gen_context(system_u:object_r:firewalld_tmp_t,s0)
++
+ /var/log/firewalld.* -- gen_context(system_u:object_r:firewalld_var_log_t,s0)
+
+ /var/run/firewalld(/.*)? gen_context(system_u:object_r:firewalld_var_run_t,s0)
diff --git a/add_userman_access_run_dir.patch b/add_userman_access_run_dir.patch
new file mode 100644
index 0000000000000000000000000000000000000000..811812145a7f0d15f8dbb44133e00372b61e3572
--- /dev/null
+++ b/add_userman_access_run_dir.patch
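Review bot: The new entry `/usr/share/firewalld/firewalld-tmp-mmap -- gen_context(system_u:object_r:firewalld_tmp_t,s0)` only takes effect when the path is labeled by setfiles/restorecon or at package install; if firewalld creates this file itself at runtime, as the name suggests, it will take the parent directory's type instead unless firewalld.te carries a matching filetrans rule, and this patch does not touch firewalld.te. The location is also worth a sentence in the changelog or a comment in the patch: /usr/share is normally static vendor data, and the existing `/var/run/firewalld(/.*)?` entry already covers the run-time directory, so a reader will want to know why a tmp-typed scratch file lives under /usr/share. The entry additionally assumes `firewalld_tmp_t` is already declared in firewalld.te; if it is not, the file-context line will be rejected when the policy is built or loaded.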
@@ -0,0 +1,52 @@
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index e069cb5..43fed66 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -250,6 +250,11 @@ files_relabel_etc_files(groupadd_t)
+ files_read_etc_files(groupadd_t)
+ files_read_etc_runtime_files(groupadd_t)
+ files_read_usr_symlinks(groupadd_t)
++files_search_pids(groupadd_t)
++files_create_var_run_dirs(groupadd_t)
++files_delete_all_pids(groupadd_t)
++allow groupadd_t var_run_t:file *;
++allow groupadd_t var_run_t:dir *;
+
+ # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
+ corecmd_exec_bin(groupadd_t)
+@@ -366,6 +371,11 @@ files_read_usr_files(passwd_t)
+ files_search_var(passwd_t)
+ files_dontaudit_search_pids(passwd_t)
+ files_relabel_etc_files(passwd_t)
++files_search_pids(passwd_t)
++files_create_var_run_dirs(passwd_t)
++files_delete_all_pids(passwd_t)
++allow passwd_t var_run_t:file *;
++allow passwd_t var_run_t:dir *;
+
+ term_search_ptys(passwd_t)
+
+@@ -486,6 +496,12 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t)
+ # on user home dir
+ userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
+
++files_search_pids(sysadm_passwd_t)
++files_create_var_run_dirs(sysadm_passwd_t)
++files_delete_all_pids(sysadm_passwd_t)
++allow sysadm_passwd_t var_run_t:file *;
++allow sysadm_passwd_t var_run_t:dir *;
++
+ optional_policy(`
+ nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
+ ')
+@@ -536,6 +552,10 @@ files_read_etc_runtime_files(useradd_t)
+ files_manage_etc_files(useradd_t)
+ files_create_var_lib_dirs(useradd_t)
+ files_rw_var_lib_dirs(useradd_t)
++files_search_pids(useradd_t)
++files_create_var_run_dirs(useradd_t)
++files_delete_all_pids(useradd_t)
++allow useradd_t var_run_t:file *;
+
+ fs_search_auto_mountpoints(useradd_t)
+ fs_getattr_xattr_fs(useradd_t)
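Review bot: The rules `allow groupadd_t var_run_t:file *;` and `allow groupadd_t var_run_t:dir *;` (repeated for passwd_t, sysadm_passwd_t and useradd_t in the three later hunks) grant every permission in the file and dir classes on the generic var_run_t type, i.e. on anything under /run that carries no more specific label, which is far wider than creating and removing a lock or pid file needs and includes relabelfrom/relabelto, mounton and execute. Together with `files_delete_all_pids(...)`, which allows unlinking every pid-file type, the passwd_t domain that unprivileged users typically enter through the setuid passwd binary would be able to remove other services' run-time files. Take the permission set from the AVC denials the patch was written against and spell it out, for example `allow groupadd_t var_run_t:file { create open read write getattr lock unlink };` and `allow groupadd_t var_run_t:dir { search write add_name remove_name };`, or better give the file its own type with a filetrans rule so the rules never touch var_run_t. Two smaller inconsistencies: the useradd_t hunk has no `dir *` rule while the other three do, and passwd_t keeps `files_dontaudit_search_pids(passwd_t)` next to the new `files_search_pids(passwd_t)`, which leaves the dontaudit dead.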
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 979ceed9cd22f28ec20b49a196e4c4d46034a7fe..943a6269895d9ffcc05bf83913f439cc5c44c2a7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.2
-Release: 56
+Release: 58
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
@@ -63,6 +63,8 @@ Patch10: add-avc-for-systemd-journald.patch
 Patch11: add-avc-for-systemd-hostnamed-and-systemd-logind.patch
 Patch12: add-avc-for-systemd.patch
 Patch13: allow-systemd-to-mount-unlabeled-filesystemd.patch
+Patch14: add_userman_access_run_dir.patch
+Patch15: add-firewalld-fc.patch
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
@@ -728,6 +730,12 @@ exit 0
 %endif
 %changelog
+* Thu Sep 03 2020 Roberto Sassu - 3.14.2-58
+- add patch add-firewalld-fc.patch
+
+* Fri Aug 28 2020 openEuler Buildteam - 3.14.2-57
+- add add_userman_access_run_dir.patch
+
 * Mon Jul 27 2020 openEuler Buildteam - 3.14.2-56
 - update selinux
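Review bot: `Patch14: add_userman_access_run_dir.patch` and `Patch15: add-firewalld-fc.patch` are declared in the second hunk, but this diff shows no change to %prep, so unless the spec applies its patch list with %autosetup or %autopatch (not visible here) the two files would be shipped in the SRPM and never applied; please confirm the matching `%patch14 -p1` and `%patch15 -p1` lines exist or add them. As a point of style, `add_userman_access_run_dir.patch` uses underscores while every other entry in the Patch list uses hyphens; renaming it to `add-userman-access-run-dir.patch` (and the changelog line that names it) keeps the list consistent.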