If policy update removes a module, %postInstall and therefore policy
rebuild - `semodule -B -n ...` was run when old module is still
installed, see
https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#ordering
It resulted to state when the old module is still built in the policy
after update until another `semodule -B` is triggered.
Moving %postInstall to %posttrans should solve this problem
[skip changelog]
Related: RHEL-54303
We support two ways to update the operating system:
- `/usr/bin/rpm` (and `dnf` etc.) where SELinux labels are
computed and written client side
- ostree (and other image-based systems) where SELinux labels
were computed server side.
In the ostree case, I'd like the ability to generate smaller
images that do not even have `rpm` installed.
This hard dependency from `selinux-policy` -> `rpm` is one of
the only main blockers.
RPM supports these "alternative" conditionals, it's easy to do.
Related: RHEL-54303
If an user builds package with `%bcond mls 0` it ended with
RPM build errors:
error: Installed (but unpackaged) file(s) found:
/etc/dnf/protected.d/selinux-policy-mls.conf
Installed (but unpackaged) file(s) found:
/etc/dnf/protected.d/selinux-policy-mls.conf
With this change, dnf procted files for a policy is installed only when
the policy is built.
[skip changelog]
Related: RHEL-54303
Contrib was merged to main repo long time ago.
Makes the build process simpler.
Modules enabled in minimum lives in
%{_datadir}/selinux/minimum/modules.lst now.
Fixes:
RPM build warnings:
File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser
File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser/cil
File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser/hll
File listed twice: /var/lib/selinux/mls/active/modules/100/unprivuser/lang_ext
[skip changelog]
Related: RHEL-54303
rpm-verify reports the following problem:
.M....... g /var/lib/selinux/targeted/active/modules/400/extra_varrun
.M....... g /var/lib/selinux/targeted/active/modules/400/extra_varrun/cil
.M....... g /var/lib/selinux/targeted/active/modules/400/extra_varrun/lang_ext
Related: RHEL-54303
/run/systemd/generator is no longer equivalent to /usr/lib/systemd/system.
It has its own rules in the policy now, so instead
/run/systemd/generator.early and /run/systemd/generator.late
are equivalent to /run/systemd/generator.
Related: RHEL-54303
Instead of plain macros, use `%bcond ...` and `%{with ...}`, which will
allow controlling which policy types to build using the --with/--without
command-line arguments when calling `rpmbuild` or `mock`.
See also:
https://rpm-software-management.github.io/rpm/manual/conditionalbuilds.html
Note that the BUILD_DOC macro is removed without replacement as it's
unused. (The builds of the -doc and -devel subpackages overlap too much
for the macro to be useful, anyway.)
Signed-off-by: Ondrej Mosnáček <omosnacek@gmail.com>
Related: RHEL-54303
As part of https://fedoraproject.org/wiki/Changes/Unify_bin_and_sbin, programs
are moved from /usr/sbin/alternatives to /usr/bin/alternatives. Provisions
have been made to create a compat symlink on traditional systems, so that both
paths work and packages that use paths under /usr/sbin do not need to be
rebuilt. Unfortunately, on ostree systems, the compat symlinks are missing, so
using absolute paths causes problems
(https://bodhi.fedoraproject.org/updates/FEDORA-2024-3aafcac6a8).
There is no reason for or benefit from specifying the full path to binaries in
scriptlets because the scriptlets are called with a well-defined $PATH. When
we drop the full path, they work fine no matter where exactly the binary is
installed.
An additional problem with full paths is that they are specified using macros,
and the macro works fine within a package, but they is no guarantee that
different builds of different packages at different times use the same
definition of %_sbindir.
I also changed /bin/echo → echo. The shell builtin is good enough, we don't need
to spawn a separate process.
Related: RHEL-54303
- Update varrun-convert.sh script to check for existing duplicate
entries
- Remove incorrect "local" usage in varrun-convert.sh
- Use /usr/bin/bash in scripts as shebang
Related: RHEL-54303
- Dontaudit subscription manager setfscreate and read file contexts
Resolves: RHEL-58009
- Allow the sysadm user use the secretmem API
Resolves: RHEL-40953
- Allow sudodomain list files in /var
Resolves: RHEL-58068
- Allow gnome-remote-desktop watch /etc directory
Resolves: RHEL-35877
- Allow journalctl connect to systemd-userdbd over a unix socket
Resolves: RHEL-58072
- systemd: allow sys_admin capability for systemd_notify_t
Resolves: RHEL-58072
- Allow some confined users send to lldpad over a unix dgram socket
Resolves: RHEL-61634
- Allow lldpad send to sysadm_t over a unix dgram socket
Resolves: RHEL-61634
- Allow lldpd connect to systemd-machined over a unix socket
Resolves: RHEL-61634
Since libsemanage commit d96f27bf7cb91 ("libsemanage: Preserve file context
and ownership in policy store"), libsemanage tries to preserve file
contexts during SELinux policy rebuild. If the underline fs does not
support any operation used, it prints warnings on stderr. Given that
it's not a fatal error, it's reasonable to suppress them.
Fixes:
$ podman run --pull=newer --rm -ti quay.io/fedora/fedora:rawhide
[root@3a1e072c5559 /]# dnf4 install selinux-policy-targeted
...
Could not set context for /var/lib/selinux/targeted/tmp/modules/100/zosremote/cil: Operation not supported
Could not set context for /var/lib/selinux/targeted/tmp/modules/100/zosremote/hll: Operation not supported
Could not set context for /var/lib/selinux/targeted/tmp/modules/100/zosremote/lang_ext: Operation not supported
...
Could not set context for /etc/selinux/targeted/contexts/files/file_contexts.homedirs.bin: Operation not supported
Could not set context for /etc/selinux/targeted/policy/policy.33: Operation not supported
Could not set context for /etc/selinux/targeted/seusers: Operation not supported
[skip changelog]
Resolves: RHEL-59192
- Allow virtnodedevd run udev with a domain transition
Resolves: RHEL-39890
- Allow virtnodedev_t create and use virtnodedev_lock_t
Resolves: RHEL-39890
- Allow svirt attach_queue to a virtqemud tun_socket
Resolves: RHEL-44312
- Label /run/systemd/machine with systemd_machined_var_run_t
Resolves: RHEL-49567
There is no EPEL repo for RHEL-10 or CentOS stream 10. It makes
no sense to run tests which require this repo, because they would
fail. Once the EPEL repo becomes available, the part of filter
can be removed.
- Allow to create and delete socket files created by rhsm.service
Resolves: RHEL-40857
- Allow svirt read virtqemud fifo files
Resolves: RHEL-40350
- Allow virt_dbus_t connect to virtqemud_t over a unix stream socket
Resolves: RHEL-37822
- Allow virtqemud read virt-dbus process state
Resolves: RHEL-37822
- Allow virtqemud run ssh client with a transition
Resolves: RHEL-43215
- Allow virtnetworkd exec shell when virt_hooks_unconfined is on
Resolves: RHEL-41168
- Allow NetworkManager the sys_ptrace capability in user namespace
Resolves: RHEL-46717
- Update keyutils policy
Resolves: RHEL-38920
- Allow ip the setexec permission
Resolves: RHEL-41182
- Allow postfix smtpd map aliases file
- Ensure dbus communication is allowed bidirectionally
- Label systemd configuration files with systemd_conf_t
- Label /run/systemd/machine with systemd_machined_var_run_t
- Allow systemd-hostnamed read the vsock device
- Allow sysadm execute dmidecode using sudo
- Allow sudodomain list files in /var
- Allow setroubleshootd get attributes of all sysctls
- Allow various services read and write z90crypt device
- Allow nfsidmap connect to systemd-homed
- Allow sandbox_x_client_t dbus chat with accountsd
- Allow system_cronjob_t dbus chat with avahi_t
- Allow staff_t the io_uring sqpoll permission
- Allow staff_t use the io_uring API
- Add support for secretmem anon inode
- Backport /var/run change related improvements
The commands should always end || : , because by policy we should
ensure RPM scriptlets always exit 0:
https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
Also, rm is in _bindir, not _sbindir.
This seems to have caused a failed test for an nbdkit update:
https://openqa.fedoraproject.org/tests/2628713#
the live image build failed because of a scriptlet error that
seems to be caused by this:
INFO:anaconda.modules.payloads.payload.dnf.transaction_progress:Configuring (running scriptlet for): nbdkit-selinux-1.39.6-1.fc41.noarch 1715870254 02561380439e4e22473970fa46db331b277dc254650fdcb96130a056cadaf02f
INFO:dnf.rpm:/var/tmp/rpm-tmp.ycmrWv: line 10: /usr/sbin/rm: No such file or directory
warning: %post(nbdkit-selinux-1.39.6-1.fc41.noarch) scriptlet failed, exit status 1
ERROR:dnf.rpm:Error in POSTIN scriptlet in rpm package nbdkit-selinux
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Various updating and installing scenarios are now supported:
- using rpm triggers for other packages in selinux-policy
- inside the selinux_modules_install and selinux_modules_uninstall
rpm macros when selinux subpackages are being built
- Only allow confined user domains to login locally without unconfined_login
- Add userdom_spec_domtrans_confined_admin_users interface
- Only allow admindomain to execute shell via ssh with ssh_sysadm_login
- Add userdom_spec_domtrans_admin_users interface
- Move ssh dyntrans to unconfined inside unconfined_login tunable policy
- Update ssh_role_template() for user ssh-agent type
- Allow init to inherit system DBus file descriptors
- Allow init to inherit fds from syslogd
- Allow any domain to inherit fds from rpm-ostree
- Update afterburn policy
- Allow init_t nnp domain transition to abrtd_t
- Replace init domtrans rule for confined users to allow exec init
- Update dbus_role_template() to allow user service status
- Allow polkit status all systemd services
- Allow setroubleshootd create and use inherited io_uring
- Allow load_policy read and write generic ptys
- Allow gpg manage rpm cache
- Allow login_userdomain name_bind to howl and xmsg udp ports
- Allow rules for confined users logged in plasma
- Label /dev/iommu with iommu_device_t
- Remove duplicate file context entries in /run
- Dontaudit getty and plymouth the checkpoint_restore capability
- Allow su domains write login records
- Revert "Allow su domains write login records"
- Allow login_userdomain delete session dbusd tmp socket files
- Allow unix dgram sendto between exim processes
- Allow su domains write login records
- Allow smbd_t to watch user_home_dir_t if samba_enable_home_dirs is on
- Allow systemd-sleep set attributes of efivarfs files
- Allow samba-dcerpcd read public files
- Allow spamd_update_t the sys_ptrace capability in user namespace
- Allow bluetooth devices work with alsa
- Allow alsa get attributes filesystems with extended attributes