diff --git a/backport-systemd-allow-all-systemd-services-to-check-selinux-.patch b/backport-systemd-allow-all-systemd-services-to-check-selinux-.patch deleted file mode 100644 index 424b3a33260771bf0ad038f5db80e5bfae32f44a..0000000000000000000000000000000000000000 --- a/backport-systemd-allow-all-systemd-services-to-check-selinux-.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From a96ac9ed374cab65f53a26cd39053705569532bc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 28 Oct 2020 09:17:15 +0100 -Subject: [PATCH] systemd: allow all systemd services to check selinux status - -After https://github.com/systemd/systemd/commit/fd5e402fa9 most systemd -services fail to start with: - -Oct 27 13:50:38 workstation-uefi systemd[1]: Starting systemd-hostnamed.service... -Oct 27 13:50:38 workstation-uefi systemd-hostnamed[944]: Failed to open SELinux status page: Permission denied -Oct 27 13:50:38 workstation-uefi systemd[1]: systemd-hostnamed.service: Main process exited, code=exited, status=1/FAILURE - -After disabling dontaudit: - -Oct 27 14:05:08 workstation-uefi audit[1043]: AVC avc: denied { read } for pid=1043 comm="systemd-hostnam" name="status" dev="selinuxfs" ino=19 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 -Oct 27 14:05:08 workstation-uefi audit[1043]: AVC avc: denied { open } for pid=1043 comm="systemd-hostnam" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 -Oct 27 14:05:08 workstation-uefi audit[1043]: AVC avc: denied { map } for pid=1043 comm="systemd-hostnam" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 - -As first step, allow all systemd services to check selinux status. -The check for selinux status is called from mac_selinux_init() which -is called in 16 different places, so I don't think it makes sense to -try to list them all. Any code which wants to create a labelled file is -likely to call mac_selinux_init(). 
---- - policy/modules/system/systemd.if | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index ff3116142..253396f1c 100644 ---- a/policy/modules/system/systemd.if -+++ b/policy/modules/system/systemd.if -@@ -24,6 +24,7 @@ template(`systemd_domain_template',` - kernel_read_system_state($1_t) - - auth_use_nsswitch($1_t) -+ selinux_get_enforce_mode($1_t) - ') - - ###################################### --- -2.23.0 - diff --git a/selinux-policy.spec b/selinux-policy.spec index d3e7fdbc77cea7700b2b8377c7b9c7a14e83c7ea..173736038dd32cf475928c8994288968e0cda4dd 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -12,7 +12,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.2 -Release: 66 +Release: 63 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ @@ -70,7 +70,6 @@ Patch17: allow-systemd-hostnamed-and-logind-read-policy.patch Patch18: add-firewalld-fc.patch Patch19: add-allow-systemd-timedated-to-unlink-etc-link.patch Patch20: add-avc-for-openEuler-1.patch -Patch21: backport-systemd-allow-all-systemd-services-to-check-selinux-.patch BuildArch: noarch BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc @@ -736,12 +735,6 @@ exit 0 %endif %changelog -Sat Feb 27 2021 luhuaxin <1539327763@qq.com> - 3.14.2-66 -- add allow systemd services to check selinux status - -* Thu Feb 18 2021 sunguoshuai - 3.14.2-65 -- selinux_requires macros shouldn't depends on policycoreutils-python - * Sun Dec 13 2020 luhuaxin <1539327763@qq.com> - 3.14.2-64 - add avc for openEuler
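Review bot: deleting backport-systemd-allow-all-systemd-services-to-check-selinux-.patch drops `selinux_get_enforce_mode($1_t)` from `systemd_domain_template` outright rather than narrowing it, so every domain created through that template loses read/open/map access to `/sys/fs/selinux/status`. The deleted commit message records that systemd-hostnamed fails to start with "Failed to open SELinux status page: Permission denied" after systemd commit fd5e402fa9 and that mac_selinux_init() is reached from 16 call sites, so the remaining Patch17 (allow-systemd-hostnamed-and-logind-read-policy.patch) covers at most two of the affected domains. Either keep the template-level rule or state in the changelog why it is safe to remove (for example that the shipped systemd predates fd5e402fa9), because otherwise this reintroduces the startup failure the backport fixed.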
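Review bot: the `-Release: 66` / `+Release: 63` hunk leaves the spec inconsistent with its own %changelog: after this diff the newest remaining entry is `* Sun Dec 13 2020 luhuaxin <1539327763@qq.com> - 3.14.2-64`, so Release should read 64, not 63. Stepping Release backwards also means rpm will not treat the rebuilt package as an upgrade of an already installed 3.14.2-66 (or -64); if the intent is to ship without Patch21, bump Release past 66 and record the removal in the changelog rather than rewinding the version.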
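Review bot: the %changelog hunk removes the `3.14.2-65` entry ("selinux_requires macros shouldn't depends on policycoreutils-python") although nothing else in this diff reverts that change; the only code-level change here is dropping Patch21. Either keep the -65 entry, or include the corresponding spec revert in the same diff, and add a new dated entry describing the removal of backport-systemd-allow-all-systemd-services-to-check-selinux-.patch so the package history records the revert instead of silently erasing two releases.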