From 10eaf03a66b137ecc26a7e8e58c4b8140fdbca46 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Feb 17 2023 13:46:41 +0000
Subject: systemd 252.4-598.7 hyperscale release
---
diff --git a/sources b/sources
index d0fbd61..ccb9db7 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (systemd-hs-252.4.tar.gz) = 81d249262de886492582ee0c2c5ea68e0b5a7ce9c047ccbdd0bb0b028090c9ba9d31e0297d4f550192ffdde88e8f0664752f8e149c86d323a7aa0b3a5ac97c83
-SHA512 (systemd-hs+fb-252.4.tar.gz) = 658eedf146dbcf5e0866145c4524252ff49eb89e98c2f93ad4c5181f10f7ebb8e65f7d4e9a238267f878c3d59baa45c733e965babbcd614a29e6f6818a1343cb
+SHA512 (systemd-hs-252.4.tar.gz) = 2200da8d76c1940545d4184389e104b878d7538a320748235e12ecfaca293d7075ba0bd432589eff059740e30066f14ac05757e6a309992cee1978ad3dbba0d2
+SHA512 (systemd-hs+fb-252.4.tar.gz) = ae5462c7263e94b30d4552df6c8e1c5371ce86eda2e8dd78e1a5ec80938d5cd9f79b7611e34487748296958af51a6e7f69042f5f6adff3c75b4b41b1b3b6ec86
diff --git a/systemd.spec b/systemd.spec
index ddff14b..9c22a48 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -4,9 +4,9 @@
 %global stable 1
 %if 0%{?facebook}
-%global hs_commit 6f34e02bc885d5bf248eac0914e4605380ef82c9
+%global hs_commit 5a240fdebea1f6b24cb9b15cd1e5c19c851ce1fa
 %else
-%global hs_commit ab2623c42b43d997d5ccd1d3f1f7a224b09245d8
+%global hs_commit ebdc7d8d718bc0aa48f18a2517ed209271a319b1
 %endif
 # We ship a .pc file but don't want to have a dep on pkg-config. We
@@ -43,7 +43,7 @@ Name: systemd
 Url: https://pagure.io/centos-sig-hyperscale/systemd
 %if %{without inplace}
 Version: 252.4
-Release: 598.6%{?dist}
+Release: 598.7%{?dist}
 %else
 # determine the build information from local checkout
 Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
@@ -85,6 +85,7 @@ Source24: sysusers.generate-pre.sh
 Source100: Makefile.selinux
 Source101: systemd_hs.te
 Source102: systemd_hs.if
+Source103: systemd_hs.fc
 %if 0
 GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable
@@ -527,7 +528,7 @@ runs properly under an environment with SELinux enabled.
 %if %{with selinux}
 mkdir selinux
-cp %SOURCE100 %SOURCE101 %SOURCE102 selinux
+cp %SOURCE100 %SOURCE101 %SOURCE102 %SOURCE103 selinux
 %endif
 %build
@@ -1155,6 +1156,10 @@ fi
 %changelog
+* Wed Jan 04 2023 Daan De Meyer - 252.4-598.7
+- Backport udev rules fix
+- Fix selinux module
+
 * Wed Jan 04 2023 Daan De Meyer - 252.4-598.6
 - Bump release for 252.4
 - Sync from rawhide
diff --git a/systemd_hs.fc b/systemd_hs.fc
new file mode 100644
index 0000000..a76845b
--- /dev/null
+++ b/systemd_hs.fc
@@ -0,0 +1,2 @@
+/usr/lib/systemd/libsystemd-core-.+\.so.* -- system_u:object_r:lib_t:s0
+/usr/lib/systemd/libsystemd-shared-.+\.so.* -- system_u:object_r:lib_t:s0
diff --git a/systemd_hs.te b/systemd_hs.te
index ce80487..98347d9 100644
--- a/systemd_hs.te
+++ b/systemd_hs.te
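Review bot: The two new file-context entries in systemd_hs.fc only change the label of files that are relabelled after the module is installed; the spec hunks that ship it (Source103 at @@ -85 and the cp at @@ -527) add nothing that runs `restorecon -R /usr/lib/systemd`, so on an upgraded host the libsystemd-core/-shared objects keep their previous label until some other relabel happens, unless the existing selinux %post scriptlet (outside this diff) already does it. Whether the .fc is compiled into the module at all depends on Makefile.selinux (Source100, not shown) picking up systemd_hs.fc by module name, which is worth confirming rather than assuming. A header comment in the .fc such as `# private systemd shared objects under /usr/lib/systemd; labelled lib_t like other shared libraries` would record the intent for the next maintainer.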
@@ -2,67 +2,56 @@ policy_module(systemd_hs,0.0.1)
 # systemd overrides for 247
 gen_require(`
- type avahi_t;
- type cgroup_t;
  type init_t;
  type init_var_run_t;
- type initrc_t;
- class dbus send_msg;
- type install_t;
  type kmsg_device_t;
- type policykit_auth_t;
- type policykit_t;
  type proc_kmsg_t;
- type rpm_t;
- type system_dbusd_t;
- type system_dbusd_var_run_t;
+ type proc_security_t;
  type systemd_hostnamed_t;
  type systemd_localed_t;
  type systemd_logind_t;
- type systemd_machined_t;
  type systemd_resolved_t;
  type systemd_tmpfiles_t;
+ type systemd_hwdb_t;
+ type systemd_sysctl_t;
  type security_t;
- type sssd_t;
+ type tpm_device_t;
+ type ramfs_t;
+ type shadow_t;
  type syslogd_t;
- type udev_var_run_t;
  type user_tmp_t;
- type useradd_t;
- type xdm_t;
+ type systemd_machined_t;
+ type system_dbusd_var_run_t;
+ type systemd_networkd_t;
 ')
-allow avahi_t init_var_run_t:dir read;
+#============= init_t ==============
 allow init_t kmsg_device_t:chr_file mounton;
 allow init_t proc_kmsg_t:file { getattr mounton };
-allow init_t system_dbusd_var_run_t:sock_file read;
-allow init_t systemd_machined_t:unix_stream_socket connectto;
-allow policykit_auth_t init_var_run_t:dir read;
-allow policykit_auth_t systemd_machined_t:unix_stream_socket connectto;
-allow policykit_t systemd_machined_t:unix_stream_socket connectto;
-allow sssd_t cgroup_t:filesystem getattr;
-allow syslogd_t user_tmp_t:lnk_file read;
-allow system_dbusd_t systemd_machined_t:unix_stream_socket connectto;
-allow systemd_hostnamed_t init_var_run_t:dir write;
-allow systemd_hostnamed_t init_var_run_t:file { getattr ioctl open read };
-allow systemd_hostnamed_t initrc_t:dbus send_msg;
-allow systemd_hostnamed_t install_t:dbus send_msg;
-allow systemd_hostnamed_t udev_var_run_t:file getattr;
-allow systemd_hostnamed_t udev_var_run_t:file open;
-allow systemd_hostnamed_t udev_var_run_t:file read;
-allow systemd_logind_t self:netlink_selinux_socket bind;
-allow systemd_logind_t self:netlink_selinux_socket create;
-allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
-allow systemd_logind_t user_tmp_t:chr_file unlink;
-allow systemd_machined_t init_var_run_t:sock_file create;
-allow sssd_t cgroup_t:dir search;
-allow sssd_t cgroup_t:filesystem getattr;
-allow useradd_t init_var_run_t:dir read;
-allow xdm_t systemd_machined_t:unix_stream_socket connectto;
+allow init_t ramfs_t:file manage_file_perms;
+allow init_t tpm_device_t:chr_file { read write open };
+allow init_t shadow_t:file { read open };
+
+#============= systemd_hwdb_t ==============
+allow systemd_hwdb_t security_t:file { read open };
+allow systemd_hwdb_t self:netlink_selinux_socket { create bind };
+
+#============= systemd_sysctl_t ==============
+allow systemd_sysctl_t proc_security_t:file read;
+
+#============= syslogd_t ==============
+allow syslogd_t user_tmp_t:dir search;
+
+#============= systemd_machined_t ==============
+allow systemd_machined_t init_var_run_t:sock_file manage_sock_file_perms;
+
+#============= systemd_networkd_t ==============
+allow systemd_networkd_t system_dbusd_var_run_t:sock_file watch;
 selinux_use_status_page(init_t)
-selinux_use_status_page(rpm_t)
 selinux_use_status_page(systemd_hostnamed_t)
 selinux_use_status_page(systemd_localed_t)
 selinux_use_status_page(systemd_logind_t)
 selinux_use_status_page(systemd_resolved_t)
 selinux_use_status_page(systemd_tmpfiles_t)
+selinux_use_status_page(systemd_hwdb_t)
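Review bot: `allow init_t shadow_t:file { read open };` in the new init_t section gives PID 1 read access to /etc/shadow and every other shadow_t-labelled file, with no comment on which systemd 252 code path needs it and a commit message that only says "Fix selinux module". In refpolicy-derived policies this access is normally granted via `auth_read_shadow(init_t)`, which also attaches the can_read_shadow_passwords attribute; if the base policy carries the usual neverallow on shadow_t reads by domains without that attribute and neverallow checking is enabled at build time, the raw allow may fail to link, and either way it is harder to audit later. The same missing "why" applies to `allow init_t tpm_device_t:chr_file { read write open };` and `allow init_t ramfs_t:file manage_file_perms;`; a one-line comment per rule naming the denial it resolves (e.g. `# PID 1 needs <feature>; resolves AVC <DENIAL-ID placeholder>`) would keep the module reviewable. Note also that `policy_module(systemd_hs,0.0.1)` in the hunk header is left at 0.0.1 although the rule set is largely replaced, and the `# systemd overrides for 247` context comment is stale against the 252.4 release this commit builds.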