diff --git a/SOURCES/systemd-247-policy.patch b/SOURCES/systemd-247-policy.patch
new file mode 100644
index 0000000..a54fe41
--- /dev/null
+++ b/SOURCES/systemd-247-policy.patch
@@ -0,0 +1,35 @@
+diff -Naur a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+--- a/policy/modules/kernel/kernel.te 2021-02-22 04:12:28.000000000 -0800
++++ b/policy/modules/kernel/kernel.te 2021-02-26 14:21:22.974162725 -0800
+@@ -93,7 +93,6 @@
+ type proc_kmsg_t, proc_type;
+ fs_associate(proc_kmsg_t)
+ genfscon proc /kmsg gen_context(system_u:object_r:proc_kmsg_t,mls_systemhigh)
+-neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;
+ 
+ # /proc kcore: inaccessible
+ type proc_kcore_t, proc_type;
+diff -Naur a/policy/modules/system/init.te b/policy/modules/system/init.te
+--- a/policy/modules/system/init.te 2021-02-22 04:12:28.000000000 -0800
++++ b/policy/modules/system/init.te 2021-02-26 15:53:09.464114056 -0800
+@@ -1920,3 +1920,7 @@
+ ccs_read_config(daemon)
+ ')
+ ')
++
++# systemd 247
++allow init_t kmsg_device_t:chr_file mounton;
++allow init_t proc_kmsg_t:file { getattr mounton };
+diff -Naur a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+--- a/policy/modules/system/systemd.te 2021-02-22 04:12:28.000000000 -0800
++++ b/policy/modules/system/systemd.te 2021-02-26 15:18:43.051196124 -0800
+@@ -1232,3 +1232,9 @@
+ dev_write_kmsg(systemd_sleep_t)
+ 
+ fstools_rw_swap_files(systemd_sleep_t)
++
++# systemd 247
++allow systemd_logind_t self:netlink_selinux_socket create;
++allow systemd_logind_t self:netlink_selinux_socket bind;
++allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
++allow systemd_machined_t init_var_run_t:sock_file create;
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec
index fc9caf0..7eee723 100644
--- a/SPECS/selinux-policy.spec
+++ b/SPECS/selinux-policy.spec
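Review bot: Deleting the kernel.te assertion `neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~getattr;` removes a policy-wide guard on /proc/kmsg for every domain, while the only new permission that actually conflicts with it is the `mounton` granted to init_t in the init.te hunk (getattr was already outside the assertion). Narrowing the assertion instead keeps it in force for read, write and every other file permission: `neverallow ~{ can_receive_kernel_messages kern_unconfined } proc_kmsg_t:file ~{ getattr mounton };`. In the systemd.te hunk the two `netlink_selinux_socket` rules for systemd_logind_t collapse to `allow systemd_logind_t self:netlink_selinux_socket { create bind };`, and the direct references to types owned by other modules (kmsg_device_t in init.te, init_var_run_t in systemd.te) sidestep the refpolicy interface convention, so if this tree is ever built as loadable modules they should presumably go through the owning module's interfaces (the exact interface names are not visible here). The bare `# systemd 247` marker does not say why these permissions are needed; a line such as `# systemd 247: init needs to mount over /proc/kmsg and /dev/kmsg` above the mounton rules would record the reason for the next reviewer.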
@@ -29,7 +29,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.3
-Release: 65%{?dist}
+Release: 66%{?dist}
 License: GPLv2+
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
 Source29: %{git1}/archive/%{commit1}/%{name}-contrib-%{shortcommit1}.tar.gz
@@ -72,6 +72,8 @@ Source35: container-selinux.tgz
 # Provide rpm macros for packages installing SELinux modules
 Source102: rpm.macros
+Patch0: systemd-247-policy.patch
+
 Url: %{git0}
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
@@ -348,7 +350,7 @@ mkdir -p %{buildroot}/%{_libexecdir}/selinux/ \
 %setup -n %{name}-contrib-%{commit1} -q -b 29
 tar -xf %{SOURCE35}
 contrib_path=`pwd`
-%setup -n %{name}-%{commit0} -q
+%autosetup -n %{name}-%{commit0} -p1
 refpolicy_path=`pwd`
 cp $contrib_path/* $refpolicy_path/policy/modules/contrib
@@ -715,6 +717,9 @@ exit 0
 %endif
 %changelog
+* Fri Feb 26 2021 Davide Cavalca 3.14.3-66
+- Add policy tweaks for to make systemd 247 work in enforcing mode
+
 * Mon Feb 22 2021 Zdenek Pytela - 3.14.3-65
 - Relabel /usr/sbin/charon-systemd as ipsec_exec_t
   Resolves: rhbz#1889542
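Review bot: `%autosetup -n %{name}-%{commit0} -p1` applies Patch0 before the following `cp $contrib_path/* $refpolicy_path/policy/modules/contrib`, so any later patch that touches a contrib module would either fail to apply (file not yet present) or be overwritten by the copy; a comment on the line, e.g. `# patches apply to the refpolicy tree only; contrib modules are copied in afterwards`, would record that ordering for whoever adds the next patch. Replacing `%setup -q` with `%autosetup` is otherwise consistent with the `-Naur a/ b/` layout of the new patch, and `%autosetup` is quiet unless `-v` is given, so dropping `-q` changes nothing. The commit leaves no way to see from the spec that the patch relaxes a kernel.te neverallow; a short `# Patch0: relaxes proc_kmsg_t neverallow, see SOURCES/systemd-247-policy.patch` next to the `Patch0:` line would flag that to packagers inspecting the spec.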