## START: Set by rpmautospec ## (rpmautospec version 0.6.0) ## RPMAUTOSPEC: autochangelog ## END: Set by rpmautospec # Conditionals for policy types (all built by default) %bcond targeted 1 %bcond minimum 1 %bcond mls 1 # github repo with selinux-policy sources %global giturl https://github.com/fedora-selinux/selinux-policy %global commit a1230377e79a5b5f9ba6730e04fc6c1a4e454929 %global shortcommit %(c=%{commit}; echo ${c:0:7}) %define distro redhat %define polyinstatiate n %define monolithic n %define POLICYVER 33 %define POLICYCOREUTILSVER 3.4-1 %define CHECKPOLICYVER 3.2 Summary: SELinux policy configuration Name: selinux-policy Version: 41.26 Release: 1%{?dist} License: GPL-2.0-or-later Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz Source1: Makefile.devel Source2: selinux-policy.conf # Tool helps during policy development, to expand system m4 macros to raw allow rules # Git repo: https://github.com/fedora-selinux/macro-expander.git Source3: macro-expander # Include SELinux policy for container from separate container-selinux repo # Git repo: https://github.com/containers/container-selinux.git Source4: container-selinux.tgz # modules enabled in -minimum policy Source16: modules-minimum.lst Source36: selinux-check-proper-disable.service # Script to convert /var/run file context entries to /run Source37: varrun-convert.sh # Configuration files to dnf-protect targeted and/or mls subpackages Source38: selinux-policy-targeted.conf Source39: selinux-policy-mls.conf # Script to convert /usr/sbin file context entries to /usr/bin Source40: binsbin-convert.sh # Provide rpm macros for packages installing SELinux modules Source5: rpm.macros Url: %{giturl} BuildArch: noarch BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 BuildRequires: make BuildRequires: systemd-rpm-macros BuildRequires: groff Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(post): /bin/awk /usr/bin/sha512sum Requires(meta): (rpm-plugin-selinux if rpm-libs) Requires: selinux-policy-any = %{version}-%{release} Provides: selinux-policy-base = %{version}-%{release} Suggests: selinux-policy-targeted %description SELinux core policy package. Originally based off of reference policy, the policy has been adjusted to provide support for Fedora. %files %{!?_licensedir:%global license %%doc} %license COPYING %dir %{_datadir}/selinux %dir %{_datadir}/selinux/packages %dir %{_sysconfdir}/selinux %ghost %config(noreplace) %{_sysconfdir}/selinux/config %ghost %{_sysconfdir}/sysconfig/selinux %{_usr}/lib/tmpfiles.d/selinux-policy.conf %{_rpmconfigdir}/macros.d/macros.selinux-policy %{_unitdir}/selinux-check-proper-disable.service %{_libexecdir}/selinux/binsbin-convert.sh %{_libexecdir}/selinux/varrun-convert.sh %package sandbox Summary: SELinux sandbox policy Requires(pre): selinux-policy-base = %{version}-%{release} Requires(pre): selinux-policy-targeted = %{version}-%{release} %description sandbox SELinux sandbox policy for use with the sandbox utility. %files sandbox %verify(not md5 size mtime) %{_datadir}/selinux/packages/sandbox.pp %post sandbox rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null %{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp 2> /dev/null if %{_sbindir}/selinuxenabled ; then %{_sbindir}/load_policy fi; exit 0 %preun sandbox if [ $1 -eq 0 ] ; then %{_sbindir}/semodule -n -d sandbox 2>/dev/null if %{_sbindir}/selinuxenabled ; then %{_sbindir}/load_policy fi; fi; exit 0 %package devel Summary: SELinux policy development files Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} Requires: m4 checkpolicy >= %{CHECKPOLICYVER} Requires: /usr/bin/make Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER} %description devel SELinux policy development package. This package contains: - interfaces, macros, and patterns for policy development - a policy example - the macro-expander utility and some additional files. %files devel %{_bindir}/macro-expander %dir %{_datadir}/selinux/devel %dir %{_datadir}/selinux/devel/include %{_datadir}/selinux/devel/include/* %exclude %{_datadir}/selinux/devel/include/contrib/container.if %dir %{_datadir}/selinux/devel/html %{_datadir}/selinux/devel/html/*html %{_datadir}/selinux/devel/html/*css %{_datadir}/selinux/devel/Makefile %{_datadir}/selinux/devel/example.* %{_datadir}/selinux/devel/policy.* %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info %post devel %{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null exit 0 %package doc Summary: SELinux policy documentation Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} %description doc SELinux policy documentation package. This package contains manual pages and documentation of the policy modules. %files doc %{_mandir}/man*/* %exclude %{_mandir}/man8/container_selinux.8.gz %doc %{_datadir}/doc/%{name} %define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 %define makeCmds() \ %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \ %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \ install -p -m0644 ./dist/%1/booleans.conf ./policy/booleans.conf \ install -p -m0644 ./dist/%1/users ./policy/users \ %define makeModulesConf() \ install -p -m0644 ./dist/%1/modules.conf ./policy/modules.conf \ %define installCmds() \ %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \ %make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \ make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \ %{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ install -p -m0644 ./config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ install -p -m0644 ./dist/%1/setrans.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ install -p -m0644 ./dist/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ install -p -m0644 ./dist/booleans.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1 \ rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \ %{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ %nil %define fileList() \ %defattr(-,root,root) \ %dir %{_sysconfdir}/selinux/%1 \ %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \ %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \ %dir %{_sysconfdir}/selinux/%1/logins \ %dir %{_sharedstatedir}/selinux/%1/active \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \ %dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \ %dir %{_sysconfdir}/selinux/%1/policy/ \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ %{_sysconfdir}/selinux/%1/.policy.sha512 \ %dir %{_sysconfdir}/selinux/%1/contexts \ %config %{_sysconfdir}/selinux/%1/contexts/customizable_types \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/x_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/default_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \ %config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \ %config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \ %dir %{_sysconfdir}/selinux/%1/contexts/files \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \ %ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ %ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ %ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \ %{_sysconfdir}/selinux/%1/booleans.subs_dist \ %config %{_sysconfdir}/selinux/%1/contexts/files/media \ %dir %{_sysconfdir}/selinux/%1/contexts/users \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ %dir %{_datadir}/selinux/%1 \ %{_datadir}/selinux/%1/base.lst \ %{_datadir}/selinux/%1/modules.lst \ %{_datadir}/selinux/%1/nonbasemodules.lst \ %dir %{_sharedstatedir}/selinux/%1 \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \ %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \ %ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_binsbin \ %ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_binsbin/cil \ %ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_binsbin/lang_ext \ %ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \ %ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil \ %ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/lang_ext \ %nil %define relabel() \ if [ -s %{_sysconfdir}/selinux/config ]; then \ . %{_sysconfdir}/selinux/config &> /dev/null || true; \ fi; \ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \ rm -f ${FILE_CONTEXT}.pre; \ fi; \ # rebuilding the rpm database still can sometimes result in an incorrect context \ %{_sbindir}/restorecon -R /usr/lib/sysimage/rpm \ # In some scenarios, /usr/bin/httpd is labelled incorrectly after sbin merge. \ # Relabel all files under /usr/bin, in case they got installed before policy \ # was updated and the labels were incorrect. \ %{_sbindir}/restorecon -R /usr/bin /usr/sbin \ if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \ continue; \ fi; %define preInstall() \ if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \ for MOD_NAME in ganesha ipa_custodia kdbus; do \ if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \ %{_sbindir}/semodule -n -d $MOD_NAME 2> /dev/null; \ fi; \ done; \ . %{_sysconfdir}/selinux/config; \ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \ [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ fi; \ touch %{_sysconfdir}/selinux/%1/.rebuild; \ if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \ POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \ sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \ checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \ if [ "$sha512" == "$checksha512" ] ; then \ rm %{_sysconfdir}/selinux/%1/.rebuild; \ fi; \ fi; \ fi; %define postInstall() \ if [ -s %{_sysconfdir}/selinux/config ]; then \ . %{_sysconfdir}/selinux/config &> /dev/null || true; \ fi; \ if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \ rm %{_sysconfdir}/selinux/%2/.rebuild; \ fi; \ %{_sbindir}/semodule -B -n -s %2 2> /dev/null; \ [ "${SELINUXTYPE}" == "%2" ] && %{_sbindir}/selinuxenabled && load_policy; \ if [ %1 -eq 1 ]; then \ %{_sbindir}/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \ else \ %relabel %2 \ fi; %define modulesList() \ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/modules.lst \ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \ %define nonBaseModulesList() \ modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules.lst` \ for i in $modules; do \ if [ $i != "sandbox" ];then \ echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \ fi; \ done; # Make sure the config is consistent with what packages are installed in the system # this covers cases when system is installed with selinux-policy-{mls,minimal} # or selinux-policy-{targeted,mls,minimal} where switched but the machine has not # been rebooted yet. # The macro should be called at the beginning of "post" (to make sure load_policy does not fail) # and in "posttrans" (to make sure that the store is consistent when all package transitions are done) # Parameter determines the policy type to be set in case of miss-configuration (if backup value is not usable) # Steps: # * load values from config and its backup # * check whether SELINUXTYPE from backup is usable and make sure that it's set in the config if so # * use "targeted" if it's being installed and BACKUP_SELINUXTYPE cannot be used # * check whether SELINUXTYPE in the config is usable and change it to newly installed policy if it isn't %define checkConfigConsistency() \ if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \ . %{_sysconfdir}/selinux/.config_backup; \ else \ BACKUP_SELINUXTYPE=targeted; \ fi; \ if [ -s %{_sysconfdir}/selinux/config ]; then \ . %{_sysconfdir}/selinux/config; \ if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \ if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \ sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \ fi; \ elif [ "%1" = "targeted" ]; then \ if [ "%1" != "$SELINUXTYPE" ]; then \ sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \ fi; \ elif ! ls %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \ if [ "%1" != "$SELINUXTYPE" ]; then \ sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \ fi; \ fi; \ fi; # Create hidden backup of /etc/selinux/config and prepend BACKUP_ to names # of variables inside so that they are easy to use later # This should be done in "pretrans" because config content can change during RPM operations # The macro has to be used in a script slot with "-p " %define backupConfigLua() \ local sysconfdir = rpm.expand("%{_sysconfdir}") \ local config_file = sysconfdir .. "/selinux/config" \ local config_backup = sysconfdir .. "/selinux/.config_backup" \ os.remove(config_backup) \ if posix.stat(config_file) then \ local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \ local content = f:read("*all") \ f:close() \ local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \ local bf = assert(io.open(config_backup, "w"), "Failed to open " .. config_backup) \ bf:write(backup) \ bf:close() \ end # Remove the local_varrun SELinux module %define removeVarrunModuleLua() \ if posix.access ("%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil", "r") then \ os.execute ("%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun") \ end # Remove the local_binsbin SELinux module %define removeBinsbinModuleLua() \ if posix.access ("%{_sharedstatedir}/selinux/%1/active/modules/400/extra_binsbin/cil", "r") then \ os.execute ("%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_binsbin") \ end %build %prep %autosetup -p 1 -n %{name}-%{commit} tar -C policy/modules/contrib -xf %{SOURCE4} %install # Build targeted policy %{__rm} -fR %{buildroot} mkdir -p %{buildroot}%{_sysconfdir}/selinux mkdir -p %{buildroot}%{_sysconfdir}/sysconfig touch %{buildroot}%{_sysconfdir}/selinux/config touch %{buildroot}%{_sysconfdir}/sysconfig/selinux mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ install -p -m0644 %{SOURCE2} %{buildroot}%{_usr}/lib/tmpfiles.d/ mkdir -p %{buildroot}%{_bindir} install -p -m 755 %{SOURCE3} %{buildroot}%{_bindir}/ mkdir -p %{buildroot}%{_libexecdir}/selinux install -p -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux install -p -m 755 %{SOURCE40} %{buildroot}%{_libexecdir}/selinux # Always create policy module package directories mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/ mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/ mkdir -p %{buildroot}%{_datadir}/selinux/packages mkdir -p %{buildroot}%{_sysconfdir}/dnf/protected.d/ # Install devel make clean %if %{with targeted} # Build targeted policy %makeCmds targeted mcs allow %makeModulesConf targeted %installCmds targeted mcs allow # install permissivedomains.cil %{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i \ ./dist/permissivedomains.cil # recreate sandbox.pp rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox %make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp %modulesList targeted %nonBaseModulesList targeted install -p -m 644 %{SOURCE38} %{buildroot}%{_sysconfdir}/dnf/protected.d/ %endif %if %{with minimum} # Build minimum policy %makeCmds minimum mcs allow %makeModulesConf targeted %installCmds minimum mcs allow rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox install -p -m 644 %{SOURCE16} %{buildroot}%{_datadir}/selinux/minimum/modules-enabled.lst %modulesList minimum %nonBaseModulesList minimum %endif %if %{with mls} # Build mls policy %makeCmds mls mls deny %makeModulesConf mls %installCmds mls mls deny %modulesList mls %nonBaseModulesList mls install -p -m 644 %{SOURCE39} %{buildroot}%{_sysconfdir}/dnf/protected.d/ %endif # remove leftovers when save-previous=true (semanage.conf) is used rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers mkdir %{buildroot}%{_datadir}/selinux/devel/ mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include install -p -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/Makefile install -p -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/ install -p -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/ %{_bindir}/sepolicy manpage -a -p %{buildroot}%{_mandir}/man8/ -w -r %{buildroot} mkdir %{buildroot}%{_datadir}/selinux/devel/html mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d install -p -m 644 %{SOURCE5} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy mkdir -p %{buildroot}%{_unitdir} install -p -m 644 %{SOURCE36} %{buildroot}%{_unitdir} %post %systemd_post selinux-check-proper-disable.service if [ ! -s %{_sysconfdir}/selinux/config ]; then # # New install so we will default to targeted policy # echo " # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. # See also: # https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes # # NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also # fully disable SELinux during boot. If you need a system with SELinux # fully disabled instead of SELinux running with no policy loaded, you # need to pass selinux=0 to the kernel command line. You can use grubby # to persistently set the bootloader to boot with selinux=0: # # grubby --update-kernel ALL --args selinux=0 # # To revert back to SELinux enabled: # # grubby --update-kernel ALL --remove-args selinux # SELINUX=enforcing # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted " > %{_sysconfdir}/selinux/config ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux %{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || : else . %{_sysconfdir}/selinux/config fi exit 0 %preun %systemd_preun selinux-check-proper-disable.service %postun %systemd_postun selinux-check-proper-disable.service if [ $1 = 0 ]; then %{_sbindir}/setenforce 0 2> /dev/null if [ ! -s %{_sysconfdir}/selinux/config ]; then echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config else sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config fi fi exit 0 %if %{with targeted} %package targeted Summary: SELinux targeted policy Provides: selinux-policy-any = %{version}-%{release} Obsoletes: selinux-policy-targeted-sources < 2 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): coreutils Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} Conflicts: audispd-plugins <= 1.7.7-1 Obsoletes: mod_fcgid-selinux <= %{version}-%{release} Obsoletes: cachefilesd-selinux <= 0.10-1 Conflicts: seedit Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12 Conflicts: container-selinux < 2:1.12.1-22 %description targeted SELinux targeted policy package. %pretrans targeted -p %backupConfigLua %removeVarrunModuleLua targeted %removeBinsbinModuleLua targeted %pre targeted %preInstall targeted %post targeted %checkConfigConsistency targeted exit 0 %posttrans targeted %checkConfigConsistency targeted %{_libexecdir}/selinux/varrun-convert.sh targeted %{_libexecdir}/selinux/binsbin-convert.sh targeted %postInstall $1 targeted %{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm /etc/mdevctl.d %{_sbindir}/restorecon -i /usr/sbin/fapolicyd* /usr/sbin/usbguard* %postun targeted if [ $1 = 0 ]; then if [ -s %{_sysconfdir}/selinux/config ]; then source %{_sysconfdir}/selinux/config &> /dev/null || true fi if [ "$SELINUXTYPE" = "targeted" ]; then %{_sbindir}/setenforce 0 2> /dev/null if [ ! -s %{_sysconfdir}/selinux/config ]; then echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config else sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config fi fi fi exit 0 %triggerin -- pcre2 %{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB 2> /dev/null exit 0 %triggerin -- fapolicyd-selinux %{_libexecdir}/selinux/binsbin-convert.sh targeted %{_sbindir}/restorecon /usr/sbin/fapolicyd* %triggerin -- usbguard-selinux %{_libexecdir}/selinux/binsbin-convert.sh targeted %{_sbindir}/restorecon /usr/sbin/usbguard* %triggerprein -p -- container-selinux %removeVarrunModuleLua targeted %triggerprein -p -- pcp-selinux %removeVarrunModuleLua targeted %triggerprein -p -- fapolicyd-selinux %removeBinsbinModuleLua targeted %triggerprein -p -- usbguard-selinux %removeBinsbinModuleLua targeted %triggerpostun -- pcp-selinux %{_libexecdir}/selinux/varrun-convert.sh targeted exit 0 %triggerpostun -- container-selinux %{_libexecdir}/selinux/varrun-convert.sh targeted exit 0 %triggerpostun -- fapolicyd-selinux %{_libexecdir}/selinux/binsbin-convert.sh targeted exit 0 %triggerpostun -- usbguard-selinux %{_libexecdir}/selinux/binsbin-convert.sh targeted exit 0 %files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst %config(noreplace) %{_sysconfdir}/dnf/protected.d/selinux-policy-targeted.conf %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u %fileList targeted %verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains %endif %if %{with minimum} %package minimum Summary: SELinux minimum policy Provides: selinux-policy-any = %{version}-%{release} Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER} Requires(pre): coreutils Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} Conflicts: seedit Conflicts: container-selinux <= 1.9.0-9 %description minimum SELinux minimum policy package. %pretrans minimum -p %backupConfigLua %pre minimum %preInstall minimum if [ $1 -ne 1 ]; then %{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst fi %post minimum %checkConfigConsistency minimum modules=`cat %{_datadir}/selinux/minimum/modules.lst` basemodules=`cat %{_datadir}/selinux/minimum/base.lst` enabledmodules=`cat %{_datadir}/selinux/minimum/modules-enabled.lst` if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled fi if [ $1 -eq 1 ]; then for p in $modules; do touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p done for p in $basemodules $enabledmodules; do rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p done %{_sbindir}/semanage import -S minimum -f - << __eof login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ login -m -s unconfined_u -r s0-s0:c0.c1023 root __eof %{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null %{_sbindir}/semodule -B -s minimum 2> /dev/null else instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst` for p in $packages; do touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p done for p in $instpackages apache dbus inetd kerberos mta nis; do rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p done %{_sbindir}/semodule -B -s minimum 2> /dev/null %relabel minimum fi exit 0 %posttrans minimum %checkConfigConsistency minimum %{_libexecdir}/selinux/varrun-convert.sh minimum %{_libexecdir}/selinux/binsbin-convert.sh minimum %{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm %postun minimum if [ $1 = 0 ]; then if [ -s %{_sysconfdir}/selinux/config ]; then source %{_sysconfdir}/selinux/config &> /dev/null || true fi if [ "$SELINUXTYPE" = "minimum" ]; then %{_sbindir}/setenforce 0 2> /dev/null if [ ! -s %{_sysconfdir}/selinux/config ]; then echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config else sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config fi fi fi exit 0 %files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u %fileList minimum %{_datadir}/selinux/minimum/modules-enabled.lst %endif %if %{with mls} %package mls Summary: SELinux MLS policy Provides: selinux-policy-any = %{version}-%{release} Obsoletes: selinux-policy-mls-sources < 2 Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): coreutils Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} Conflicts: seedit Conflicts: container-selinux <= 1.9.0-9 %description mls SELinux MLS (Multi Level Security) policy package. %pretrans mls -p %backupConfigLua %pre mls %preInstall mls %post mls %checkConfigConsistency mls exit 0 %posttrans mls %checkConfigConsistency mls %{_libexecdir}/selinux/varrun-convert.sh mls %{_libexecdir}/selinux/binsbin-convert.sh mls %postInstall $1 mls %{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm %postun mls if [ $1 = 0 ]; then if [ -s %{_sysconfdir}/selinux/config ]; then source %{_sysconfdir}/selinux/config &> /dev/null || true fi if [ "$SELINUXTYPE" = "mls" ]; then %{_sbindir}/setenforce 0 2> /dev/null if [ ! -s %{_sysconfdir}/selinux/config ]; then echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config else sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config fi fi fi exit 0 %files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst %config(noreplace) %{_sysconfdir}/dnf/protected.d/selinux-policy-mls.conf %config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u %fileList mls %endif %changelog ## START: Generated by rpmautospec * Tue Nov 19 2024 Zdenek Pytela - 41.26-1 - [5/5][sync from 'mysql-selinux'] Add mariadb-backup - [4/5][sync from 'mysql-selinux'] Fix regex to also match '/var/lib/mysql/mysqlx.sock' - [3/5][sync from 'mysql-selinux'] Allow mysqld_t to read and write to the 'memory.pressure' file in cgroup2 - [2/5][sync from 'mysql-selinux'] 2nd attempt to fix rhbz#2186996 rhbz#2221433 rhbz#2245705 - [1/5][sync from 'mysql-selinux'] Allow 'mysqld' to use '/usr/bin/hostname' - Allow systemd-networkd read mount pid files - Update policy for samba-bgqd - Allow chronyd read networkmanager's pid files - Allow staff user connect to generic tcp ports - Allow gnome-remote-desktop dbus chat with policykit - Allow tlp the setpgid process permission - Update the bootupd policy - Allow sysadm_t use the io_uring API - Allow sysadm user dbus chat with virt-dbus - Allow virtqemud_t read virsh_t files - Allow virt_dbus_t connect to virtd_t over a unix stream socket - Allow systemd-tpm2-generator read hardware state information - Allow coreos-installer-generator execute generic programs - Allow coreos-installer domain transition on udev execution - Revert "Allow unconfined_t execute kmod in the kmod domain" - Allow iio-sensor-proxy create and use unix dgram socket - Allow virtstoraged read vm sysctls - Support ssh connections via systemd-ssh-generator - Label all semanage store files in /etc as semanage_store_t - Add file transition for nvidia-modeset * Fri Oct 25 2024 Zdenek Pytela - 41.25-1 - Allow dirsrv-snmp map dirsv_tmpfs_t files - Label /usr/lib/node_modules_22/npm/bin with bin_t - Add policy for /usr/libexec/samba/samba-bgqd - Allow gnome-remote-desktop watch /etc directory - Allow rpcd read network sysctls - Allow journalctl connect to systemd-userdbd over a unix socket - Allow some confined users send to lldpad over a unix dgram socket - Allow lldpad send to unconfined_t over a unix dgram socket - Allow lldpd connect to systemd-machined over a unix socket - Confine the ktls service * Wed Oct 23 2024 Zdenek Pytela - 41.24-1 - Allow dirsrv read network sysctls - Label /run/sssd with sssd_var_run_t - Label /etc/sysctl.d and /run/sysctl.d with system_conf_t - Allow unconfined_t execute kmod in the kmod domain - Allow confined users r/w to screen unix stream socket - Label /root/.screenrc and /root/.tmux.conf with screen_home_t - Allow virtqemud read virtd_t files - Allow ping_t read network sysctls * Mon Oct 21 2024 Zdenek Pytela - 41.23-1 - Allow systemd-homework connect to init over a unix socket - Fix systemd-homed blobs directory permissions - Allow virtqemud read sgx_vepc devices - Allow lldpad create and use netlink_generic_socket * Wed Oct 16 2024 Zdenek Pytela - 41.22-1 - Allow systemd-homework write to init pid socket - Allow init create /var/cache/systemd/home - Confine the pcm service - Allow login_userdomain read thumb tmp files - Update power-profiles-daemon policy - Fix the /etc/mdevctl\.d(/.*)? regexp - Grant rhsmcertd chown capability & userdb access - Allow iio-sensor-proxy the bpf capability - Allow systemd-machined the kill user-namespace capability * Fri Oct 11 2024 Zdenek Pytela - 41.21-1 - Remove the fail2ban module sources - Remove the linuxptp module sources - Remove legacy rules for slrnpull - Remove the aiccu module sources - Remove the bcfg2 module sources - Remove the amtu module sources - Remove the rhev module sources - Remove all file context entries for /bin and /lib - Allow ptp4l the sys_admin capability - Confine power-profiles-daemon - Label /var/cache/systemd/home with systemd_homed_cache_t - Allow login_userdomain connect to systemd-homed over a unix socket - Allow boothd connect to systemd-homed over a unix socket - Allow systemd-homed get attributes of a tmpfs filesystem - Allow abrt-dump-journal-core connect to systemd-homed over a unix socket - Allow aide connect to systemd-homed over a unix socket - Label /dev/hfi1_[0-9]+ devices - Suppress semodule's stderr * Thu Oct 03 2024 Zdenek Pytela - 41.20-1 - Remove the openct module sources - Remove the timidity module sources - Enable the slrn module - Remove i18n_input module sources - Enable the distcc module - Remove the ddcprobe module sources - Remove the timedatex module sources - Remove the djbdns module sources - Confine iio-sensor-proxy - Allow staff user nlmsg_write - Update policy for xdm with confined users - Allow virtnodedev watch mdevctl config dirs - Allow ssh watch home config dirs - Allow ssh map home configs files - Allow ssh read network sysctls - Allow chronyc sendto to chronyd-restricted - Allow cups sys_ptrace capability in the user namespace * Tue Sep 24 2024 Zdenek Pytela - 41.19-1 - Add policy for systemd-homed - Remove fc entry for /usr/bin/pump - Label /usr/bin/noping and /usr/bin/oping with ping_exec_t - Allow accountsd read gnome-initial-setup tmp files - Allow xdm write to gnome-initial-setup fifo files - Allow rngd read and write generic usb devices - Allow qatlib search the content of the kernel debugging filesystem - Allow qatlib connect to systemd-machined over a unix socket * Wed Sep 18 2024 Petr Lautrbach - 41.18-1 - Drop ru man pages - mls/modules.conf - fix typo - Allow unprivileged user watch /run/systemd - Allow boothd connect to kernel over a unix socket * Mon Sep 16 2024 Zdenek Pytela - 41.17-2 - Relabel /etc/mdevctl.d * Thu Sep 12 2024 Petr Lautrbach - 41.17-1 - Clean up and sync securetty_types - Bring config files from dist-git into the source repo - Confine gnome-remote-desktop - Allow virtstoraged execute mount programs in the mount domain - Make mdevctl_conf_t member of the file_type attribute * Fri Sep 06 2024 Zdenek Pytela - 41.16-1 - Label /etc/mdevctl.d with mdevctl_conf_t - Sync users with Fedora targeted users - Update policy for rpc-virtstorage - Allow virtstoraged get attributes of configfs dirs - Fix SELinux policy for sandbox X server to fix 'sandbox -X' command - Update bootupd policy when ESP is not mounted - Allow thumb_t map dri devices - Allow samba use the io_uring API - Allow the sysadm user use the secretmem API - Allow nut-upsmon read systemd-logind session files - Allow sysadm_t to create PF_KEY sockets - Update bootupd policy for the removing-state-file test - Allow coreos-installer-generator manage mdadm_conf_t files * Thu Aug 29 2024 Zdenek Pytela - 41.15-1 - Allow setsebool_t relabel selinux data files - Allow virtqemud relabelfrom virtqemud_var_run_t dirs - Use better escape method for "interface" - Allow init and systemd-logind to inherit fds from sshd - Allow systemd-ssh-generator read sysctl files - Sync modules.conf with Fedora targeted modules - Allow virtqemud relabel user tmp files and socket files - Add missing sys_chroot capability to groupadd policy - Label /run/libvirt/qemu/channel with virtqemud_var_run_t - Allow virtqemud relabelfrom also for file and sock_file - Add virt_create_log() and virt_write_log() interfaces - Call binaries without full path * Mon Aug 12 2024 Zdenek Pytela - 41.14-1 - Update libvirt policy - Add port 80/udp and 443/udp to http_port_t definition - Additional updates stalld policy for bpf usage - Label systemd-pcrextend and systemd-pcrlock properly - Allow coreos_installer_t work with partitions - Revert "Allow coreos-installer-generator work with partitions" - Add policy for systemd-pcrextend - Update policy for systemd-getty-generator - Allow ip command write to ipsec's logs - Allow virt_driver_domain read virtd-lxc files in /proc - Revert "Allow svirt read virtqemud fifo files" - Update virtqemud policy for libguestfs usage - Allow virtproxyd create and use its private tmp files - Allow virtproxyd read network state - Allow virt_driver_domain create and use log files in /var/log - Allow samba-dcerpcd work with ctdb cluster * Tue Aug 06 2024 Zdenek Pytela - 41.13-1 - Allow NetworkManager_dispatcher_t send SIGKILL to plugins - Allow setroubleshootd execute sendmail with a domain transition - Allow key.dns_resolve set attributes on the kernel key ring - Update qatlib policy for v24.02 with new features - Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t - Allow tlp status power services - Allow virtqemud domain transition on passt execution - Allow virt_driver_domain connect to systemd-userdbd over a unix socket - Allow boothd connect to systemd-userdbd over a unix socket - Update policy for awstats scripts - Allow bitlbee execute generic programs in system bin directories - Allow login_userdomain read aliases file - Allow login_userdomain read ipsec config files - Allow login_userdomain read all pid files - Allow rsyslog read systemd-logind session files - Allow libvirt-dbus stream connect to virtlxcd * Wed Jul 31 2024 Zdenek Pytela - 41.12-1 - Update bootupd policy - Allow rhsmcertd read/write access to /dev/papr-sysparm - Label /dev/papr-sysparm and /dev/papr-vpd - Allow abrt-dump-journal-core connect to winbindd - Allow systemd-hostnamed shut down nscd - Allow systemd-pstore send a message to syslogd over a unix domain - Allow postfix_domain map postfix_etc_t files - Allow microcode create /sys/devices/system/cpu/microcode/reload - Allow rhsmcertd read, write, and map ica tmpfs files - Support SGX devices - Allow initrc_t transition to passwd_t - Update fstab and cryptsetup generators policy - Allow xdm_t read and write the dma device - Update stalld policy for bpf usage - Allow systemd_gpt_generator to getattr on DOS directories * Thu Jul 25 2024 Zdenek Pytela - 41.11-1 - Make cgroup_memory_pressure_t a part of the file_type attribute - Allow ssh_t to change role to system_r - Update policy for coreos generators - Allow init_t nnp domain transition to firewalld_t - Label /run/modprobe.d with modules_conf_t - Allow virtnodedevd run udev with a domain transition - Allow virtnodedev_t create and use virtnodedev_lock_t - Allow virtstoraged manage files with virt_content_t type - Allow virtqemud unmount a filesystem with extended attributes - Allow svirt_t connect to unconfined_t over a unix domain socket * Mon Jul 22 2024 Zdenek Pytela - 41.10-1 - Update afterburn file transition policy - Allow systemd_generator read attributes of all filesystems - Allow fstab-generator read and write cryptsetup-generator unit file - Allow cryptsetup-generator read and write fstab-generator unit file - Allow systemd_generator map files in /etc - Allow systemd_generator read init's process state - Allow coreos-installer-generator read sssd public files - Allow coreos-installer-generator work with partitions - Label /etc/mdadm.conf.d with mdadm_conf_t - Confine coreos generators - Label /run/metadata with afterburn_runtime_t - Allow afterburn list ssh home directory - Label samba certificates with samba_cert_t - Label /run/coreos-installer-reboot with coreos_installer_var_run_t - Allow virtqemud read virt-dbus process state - Allow staff user dbus chat with virt-dbus - Allow staff use watch /run/systemd - Allow systemd_generator to write kmsg * Sat Jul 20 2024 Fedora Release Engineering - 41.9-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild * Tue Jul 16 2024 Zdenek Pytela - 41.9-1 - Allow virtqemud connect to sanlock over a unix stream socket - Allow virtqemud relabel virt_var_run_t directories - Allow svirt_tcg_t read vm sysctls - Allow virtnodedevd connect to systemd-userdbd over a unix socket - Allow svirt read virtqemud fifo files - Allow svirt attach_queue to a virtqemud tun_socket - Allow virtqemud run ssh client with a transition - Allow virt_dbus_t connect to virtqemud_t over a unix stream socket - Update keyutils policy - Allow sshd_keygen_t connect to userdbd over a unix stream socket - Allow postfix-smtpd read mysql config files - Allow locate stream connect to systemd-userdbd - Allow the staff user use wireshark - Allow updatedb connect to userdbd over a unix stream socket - Allow gpg_t set attributes of public-keys.d - Allow gpg_t get attributes of login_userdomain stream - Allow systemd_getty_generator_t read /proc/1/environ - Allow systemd_getty_generator_t to read and write to tty_device_t * Thu Jul 11 2024 Petr Lautrbach 41.8-4 - Move %%postInstall to %%posttrans - Use `Requires(meta): (rpm-plugin-selinux if rpm-libs)` - Drop obsolete modules from config - Install dnf protected files only when policy is built * Thu Jul 11 2024 Zbigniew Jędrzejewski-Szmek - 41.8-3 - Relabel files under /usr/bin to fix stale context after sbin merge * Wed Jul 10 2024 Petr Lautrbach 41.8-2 - Merge -base and -contrib * Wed Jul 10 2024 Zdenek Pytela - 41.8-1 - Drop publicfile module - Remove permissive domain for systemd_nsresourced_t - Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t - Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t - Allow to create and delete socket files created by rhsm.service - Allow virtnetworkd exec shell when virt_hooks_unconfined is on - Allow unconfined_service_t transition to passwd_t - Support /var is empty - Allow abrt-dump-journal read all non_security socket files - Allow timemaster write to sysfs files - Dontaudit domain write cgroup files - Label /usr/lib/node_modules/npm/bin with bin_t - Allow ip the setexec permission - Allow systemd-networkd write files in /var/lib/systemd/network - Fix typo in systemd_nsresourced_prog_run_bpf() * Fri Jun 28 2024 Zdenek Pytela - 41.7-1 - Confine libvirt-dbus - Allow virtqemud the kill capability in user namespace - Allow rshim get options of the netlink class for KOBJECT_UEVENT family - Allow dhcpcd the kill capability - Allow systemd-networkd list /var/lib/systemd/network - Allow sysadm_t run systemd-nsresourced bpf programs - Update policy for systemd generators interactions - Allow create memory.pressure files with cgroup_memory_pressure_t - Add support for libvirt hooks * Wed Jun 19 2024 Zdenek Pytela - 41.6-1 - Allow certmonger read and write tpm devices - Allow all domains to connect to systemd-nsresourced over a unix socket - Allow systemd-machined read the vsock device - Update policy for systemd generators - Allow ptp4l_t request that the kernel load a kernel module - Allow sbd to trace processes in user namespace - Allow request-key execute scripts - Update policy for haproxyd * Tue Jun 18 2024 Zdenek Pytela - 41.5-1 - Update policy for systemd-nsresourced - Correct sbin-related file context entries * Mon Jun 17 2024 Zdenek Pytela - 41.4-1 - Allow login_userdomain execute systemd-tmpfiles in the caller domain - Allow virt_driver_domain read files labeled unconfined_t - Allow virt_driver_domain dbus chat with policykit - Allow virtqemud manage nfs files when virt_use_nfs boolean is on - Add rules for interactions between generators - Label memory.pressure files with cgroup_memory_pressure_t - Revert "Allow some systemd services write to cgroup files" - Update policy for systemd-nsresourced - Label /usr/bin/ntfsck with fsadm_exec_t - Allow systemd_fstab_generator_t read tmpfs files - Update policy for systemd-nsresourced - Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin - Remove a few lines duplicated between {dkim,milter}.fc - Alias /bin → /usr/bin and remove redundant paths - Drop duplicate line for /usr/sbin/unix_chkpwd - Drop duplicate paths for /usr/sbin * Tue Jun 11 2024 Zdenek Pytela - 41.3-1 - Update systemd-generator policy - Remove permissive domain for bootupd_t - Remove permissive domain for coreos_installer_t - Remove permissive domain for afterburn_t - Add the sap module to modules.conf - Move unconfined_domain(sap_unconfined_t) to an optional block - Create the sap module - Allow systemd-coredumpd sys_admin and sys_resource capabilities - Allow systemd-coredump read nsfs files - Allow generators auto file transition only for plain files - Allow systemd-hwdb write to the kernel messages device - Escape "interface" as a file name in a virt filetrans pattern - Allow gnome-software work for login_userdomain - Allow systemd-machined manage runtime sockets - Revert "Allow systemd-machined manage runtime sockets" * Fri Jun 07 2024 Zdenek Pytela - 41.2-1 - Allow postfix_domain connect to postgresql over a unix socket - Dontaudit systemd-coredump sys_admin capability - Allow all domains read and write z90crypt device - Allow tpm2 generator setfscreate - Allow systemd (PID 1) manage systemd conf files - Allow pulseaudio map its runtime files - Update policy for getty-generator - Allow systemd-hwdb send messages to kernel unix datagram sockets - Allow systemd-machined manage runtime sockets * Mon Jun 03 2024 Zdenek Pytela - 41.1-1 - Allow fstab-generator create unit file symlinks - Update policy for cryptsetup-generator - Update policy for fstab-generator - Allow virtqemud read vm sysctls - Allow collectd to trace processes in user namespace - Allow bootupd search efivarfs dirs - Add policy for systemd-mountfsd - Add policy for systemd-nsresourced - Update policy generators - Add policy for anaconda-generator - Update policy for fstab and gpt generators - Add policy for kdump-dep-generator * Thu May 30 2024 Zdenek Pytela - 40.21-1 - Add policy for a generic generator - Add policy for tpm2 generator - Add policy for ssh-generator - Add policy for second batch of generators - Update policy for systemd generators - ci: Adjust Cockpit test plans * Sun May 19 2024 Zdenek Pytela - 40.20-1 - Allow journald read systemd config files and directories - Allow systemd_domain read systemd_conf_t dirs - Fix bad Python regexp escapes - Allow fido services connect to postgres database * Fri May 17 2024 Zdenek Pytela - 40.19-1 - Allow postfix smtpd map aliases file - Ensure dbus communication is allowed bidirectionally - Label systemd configuration files with systemd_conf_t - Label /run/systemd/machine with systemd_machined_var_run_t - Allow systemd-hostnamed read the vsock device - Allow sysadm execute dmidecode using sudo - Allow sudodomain list files in /var - Allow setroubleshootd get attributes of all sysctls - Allow various services read and write z90crypt device - Allow nfsidmap connect to systemd-homed - Allow sandbox_x_client_t dbus chat with accountsd - Allow system_cronjob_t dbus chat with avahi_t - Allow staff_t the io_uring sqpoll permission - Allow staff_t use the io_uring API - Add support for secretmem anon inode * Thu May 16 2024 Adam Williamson - 40.18-3 - Correct some errors in the RPM macro changes from -2 * Mon May 06 2024 Zdenek Pytela - 40.18-2 - Update rpm configuration for the /var/run equivalency change * Mon May 06 2024 Zdenek Pytela - 40.18-1 - Allow virtqemud read vfio devices - Allow virtqemud get attributes of a tmpfs filesystem - Allow svirt_t read vm sysctls - Allow virtqemud create and unlink files in /etc/libvirt/ - Allow virtqemud get attributes of cifs files - Allow virtqemud get attributes of filesystems with extended attributes - Allow virtqemud get attributes of NFS filesystems - Allow virt_domain read and write usb devices conditionally - Allow virtstoraged use the io_uring API - Allow virtstoraged execute lvm programs in the lvm domain - Allow virtnodevd_t map /var/lib files - Allow svirt_tcg_t map svirt_image_t files - Allow abrt-dump-journal-core connect to systemd-homed - Allow abrt-dump-journal-core connect to systemd-machined - Allow sssd create and use io_uring - Allow selinux-relabel-generator create units dir - Allow dbus-broker read/write inherited user ttys * Thu Apr 25 2024 Zdenek Pytela - 40.17-1 - Define transitions for /run/libvirt/common and /run/libvirt/qemu - Allow systemd-sleep read raw disk data - Allow numad to trace processes in user namespace - Allow abrt-dump-journal-core connect to systemd-userdbd - Allow plymouthd read efivarfs files - Update the auth_dontaudit_read_passwd_file() interface - Label /dev/mmcblk0rpmb character device with removable_device_t - fix hibernate on btrfs swapfile (F40) - Allow nut to statfs() - Allow system dbusd service status systemd services - Allow systemd-timedated get the timemaster service status * Tue Apr 09 2024 Zdenek Pytela - 40.16-1 - Allow keyutils-dns-resolver connect to the system log service - Allow qemu-ga read vm sysctls - postfix: allow qmgr to delete mails in bounce/ directory - policy: support pidfs - Confine selinux-autorelabel-generator.sh - Allow logwatch_mail_t read/write to init over a unix stream socket - Allow logwatch read logind sessions files - files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it - files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it - Allow NetworkManager the sys_ptrace capability in user namespace - dontaudit execmem for modemmanager - Allow dhcpcd use unix_stream_socket - Allow dhcpc read /run/netns files * Fri Mar 15 2024 Zdenek Pytela - 40.15-1 - Update mmap_rw_file_perms to include the lock permission - Allow plymouthd log during shutdown - Add logging_watch_all_log_dirs() and logging_watch_all_log_files() - Allow journalctl_t read filesystem sysctls - Allow cgred_t to get attributes of cgroup filesystems - Allow wdmd read hardware state information - Allow wdmd list the contents of the sysfs directories - Allow linuxptp configure phc2sys and chronyd over a unix domain socket - Allow sulogin relabel tty1 - Dontaudit sulogin the checkpoint_restore capability - Modify sudo_role_template() to allow getpgid - Remove incorrect "local" usage in varrun-convert.sh * Thu Mar 07 2024 Zdenek Pytela - 40.14-2 - Update varrun-convert.sh script to check for existing duplicate entries * Mon Feb 26 2024 Zdenek Pytela - 40.14-1 - Allow userdomain get attributes of files on an nsfs filesystem - Allow opafm create NFS files and directories - Allow virtqemud create and unlink files in /etc/libvirt/ - Allow virtqemud domain transition on swtpm execution - Add the swtpm.if interface file for interactions with other domains - Allow samba to have dac_override capability - systemd: allow sys_admin capability for systemd_notify_t - systemd: allow systemd_notify_t to send data to kernel_t datagram sockets - Allow thumb_t to watch and watch_reads mount_var_run_t - Allow krb5kdc_t map krb5kdc_principal_t files - Allow unprivileged confined user dbus chat with setroubleshoot - Allow login_userdomain map files in /var - Allow wireguard work with firewall-cmd - Differentiate between staff and sysadm when executing crontab with sudo - Add crontab_admin_domtrans interface - Allow abrt_t nnp domain transition to abrt_handle_event_t - Allow xdm_t to watch and watch_reads mount_var_run_t - Dontaudit subscription manager setfscreate and read file contexts - Don't audit crontab_domain write attempts to user home - Transition from sudodomains to crontab_t when executing crontab_exec_t - Add crontab_domtrans interface - Fix label of pseudoterminals created from sudodomain - Allow utempter_t use ptmx - Dontaudit rpmdb attempts to connect to sssd over a unix stream socket - Allow admin user read/write on fixed_disk_device_t * Mon Feb 12 2024 Zdenek Pytela - 40.13-1 - Only allow confined user domains to login locally without unconfined_login - Add userdom_spec_domtrans_confined_admin_users interface - Only allow admindomain to execute shell via ssh with ssh_sysadm_login - Add userdom_spec_domtrans_admin_users interface - Move ssh dyntrans to unconfined inside unconfined_login tunable policy - Update ssh_role_template() for user ssh-agent type - Allow init to inherit system DBus file descriptors - Allow init to inherit fds from syslogd - Allow any domain to inherit fds from rpm-ostree - Update afterburn policy - Allow init_t nnp domain transition to abrtd_t * Tue Feb 06 2024 Zdenek Pytela - 40.12-1 - Rename all /var/lock file context entries to /run/lock - Rename all /var/run file context entries to /run - Invert the "/var/run = /run" equivalency * Mon Feb 05 2024 Zdenek Pytela - 40.11-1 - Replace init domtrans rule for confined users to allow exec init - Update dbus_role_template() to allow user service status - Allow polkit status all systemd services - Allow setroubleshootd create and use inherited io_uring - Allow load_policy read and write generic ptys - Allow gpg manage rpm cache - Allow login_userdomain name_bind to howl and xmsg udp ports - Allow rules for confined users logged in plasma - Label /dev/iommu with iommu_device_t - Remove duplicate file context entries in /run - Dontaudit getty and plymouth the checkpoint_restore capability - Allow su domains write login records - Revert "Allow su domains write login records" - Allow login_userdomain delete session dbusd tmp socket files - Allow unix dgram sendto between exim processes - Allow su domains write login records - Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on * Wed Jan 24 2024 Zdenek Pytela - 40.10-1 - Allow chronyd-restricted read chronyd key files - Allow conntrackd_t to use bpf capability2 - Allow systemd-networkd manage its runtime socket files - Allow init_t nnp domain transition to colord_t - Allow polkit status systemd services - nova: Fix duplicate declarations - Allow httpd work with PrivateTmp - Add interfaces for watching and reading ifconfig_var_run_t - Allow collectd read raw fixed disk device - Allow collectd read udev pid files - Set correct label on /etc/pki/pki-tomcat/kra - Allow systemd domains watch system dbus pid socket files - Allow certmonger read network sysctls - Allow mdadm list stratisd data directories - Allow syslog to run unconfined scripts conditionally - Allow syslogd_t nnp_transition to syslogd_unconfined_script_t - Allow qatlib set attributes of vfio device files * Tue Jan 09 2024 Zdenek Pytela - 40.9-1 - Allow systemd-sleep set attributes of efivarfs files - Allow samba-dcerpcd read public files - Allow spamd_update_t the sys_ptrace capability in user namespace - Allow bluetooth devices work with alsa - Allow alsa get attributes filesystems with extended attributes * Tue Jan 02 2024 Yaakov Selkowitz - 40.8-2 - Limit %%selinux_requires to version, not release * Thu Dec 21 2023 Zdenek Pytela - 40.8-1 - Allow hypervkvp_t write access to NetworkManager_etc_rw_t - Add interface for write-only access to NetworkManager rw conf - Allow systemd-sleep send a message to syslog over a unix dgram socket - Allow init create and use netlink netfilter socket - Allow qatlib load kernel modules - Allow qatlib run lspci - Allow qatlib manage its private runtime socket files - Allow qatlib read/write vfio devices - Label /etc/redis.conf with redis_conf_t - Remove the lockdown-class rules from the policy - Allow init read all non-security socket files - Replace redundant dnsmasq pattern macros - Remove unneeded symlink perms in dnsmasq.if - Add additions to dnsmasq interface - Allow nvme_stas_t create and use netlink kobject uevent socket - Allow collectd connect to statsd port - Allow keepalived_t to use sys_ptrace of cap_userns - Allow dovecot_auth_t connect to postgresql using UNIX socket * Wed Dec 13 2023 Zdenek Pytela - 40.7-1 - Make named_zone_t and named_var_run_t a part of the mountpoint attribute - Allow sysadm execute traceroute in sysadm_t domain using sudo - Allow sysadm execute tcpdump in sysadm_t domain using sudo - Allow opafm search nfs directories - Add support for syslogd unconfined scripts - Allow gpsd use /dev/gnss devices - Allow gpg read rpm cache - Allow virtqemud additional permissions - Allow virtqemud manage its private lock files - Allow virtqemud use the io_uring api - Allow ddclient send e-mail notifications - Allow postfix_master_t map postfix data files - Allow init create and use vsock sockets - Allow thumb_t append to init unix domain stream sockets - Label /dev/vas with vas_device_t - Change domain_kernel_load_modules boolean to true - Create interface selinux_watch_config and add it to SELinux users * Tue Nov 28 2023 Zdenek Pytela - 40.6-1 - Add afterburn to modules-targeted-contrib.conf - Update cifs interfaces to include fs_search_auto_mountpoints() - Allow sudodomain read var auth files - Allow spamd_update_t read hardware state information - Allow virtnetworkd domain transition on tc command execution - Allow sendmail MTA connect to sendmail LDA - Allow auditd read all domains process state - Allow rsync read network sysctls - Add dhcpcd bpf capability to run bpf programs - Dontaudit systemd-hwdb dac_override capability - Allow systemd-sleep create efivarfs files * Tue Nov 14 2023 Zdenek Pytela - 40.5-1 - Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on - Allow graphical applications work in Wayland - Allow kdump work with PrivateTmp - Allow dovecot-auth work with PrivateTmp - Allow nfsd get attributes of all filesystems - Allow unconfined_domain_type use io_uring cmd on domain - ci: Only run Rawhide revdeps tests on the rawhide branch - Label /var/run/auditd.state as auditd_var_run_t - Allow fido-device-onboard (FDO) read the crack database - Allow ip an explicit domain transition to other domains - Label /usr/libexec/selinux/selinux-autorelabel with semanage_exec_t - Allow winbind_rpcd_t processes access when samba_export_all_* is on - Enable NetworkManager and dhclient to use initramfs-configured DHCP connection - Allow ntp to bind and connect to ntske port. - Allow system_mail_t manage exim spool files and dirs - Dontaudit keepalived setattr on keepalived_unconfined_script_exec_t - Label /run/pcsd.socket with cluster_var_run_t - ci: Run cockpit tests in PRs * Thu Oct 19 2023 Zdenek Pytela - 40.4-1 - Add map_read map_write to kernel_prog_run_bpf - Allow systemd-fstab-generator read all symlinks - Allow systemd-fstab-generator the dac_override capability - Allow rpcbind read network sysctls - Support using systemd containers - Allow sysadm_t to connect to iscsid using a unix domain stream socket - Add policy for coreos installer - Add coreos_installer to modules-targeted-contrib.conf * Tue Oct 17 2023 Zdenek Pytela - 40.3-1 - Add policy for nvme-stas - Confine systemd fstab,sysv,rc-local - Label /etc/aliases.lmdb with etc_aliases_t - Create policy for afterburn - Add nvme_stas to modules-targeted-contrib.conf - Add plans/tests.fmf * Tue Oct 10 2023 Zdenek Pytela - 40.2-1 - Add the virt_supplementary module to modules-targeted-contrib.conf - Make new virt drivers permissive - Split virt policy, introduce virt_supplementary module - Allow apcupsd cgi scripts read /sys - Merge pull request #1893 from WOnder93/more-early-boot-overlay-fixes - Allow kernel_t to manage and relabel all files - Add missing optional_policy() to files_relabel_all_files() * Tue Oct 03 2023 Zdenek Pytela - 40.1-1 - Allow named and ndc use the io_uring api - Deprecate common_anon_inode_perms usage - Improve default file context(None) of /var/lib/authselect/backups - Allow udev_t to search all directories with a filesystem type - Implement proper anon_inode support - Allow targetd write to the syslog pid sock_file - Add ipa_pki_retrieve_key_exec() interface - Allow kdumpctl_t to list all directories with a filesystem type - Allow udev additional permissions - Allow udev load kernel module - Allow sysadm_t to mmap modules_object_t files - Add the unconfined_read_files() and unconfined_list_dirs() interfaces - Set default file context of HOME_DIR/tmp/.* to <> - Allow kernel_generic_helper_t to execute mount(1) ## END: Generated by rpmautospec