Compare commits

..

1 Commits
c10-beta ... c8

Author SHA1 Message Date
c10a7f5072 import UBI selinux-policy-3.14.3-139.el8_10.1 2024-12-17 03:43:26 +00:00
31 changed files with 16179 additions and 2268 deletions

5
.gitignore vendored
View File

@ -1,2 +1,3 @@
container-selinux.tgz SOURCES/container-selinux.tgz
selinux-policy-6112821.tar.gz SOURCES/selinux-policy-contrib-aadacd8.tar.gz
SOURCES/selinux-policy-fa87f85.tar.gz

3
.selinux-policy.metadata Normal file
View File

@ -0,0 +1,3 @@
34a078fbec0190b407d64c1664aaa0887204ba2e SOURCES/container-selinux.tgz
470eeffd45f8dd003edb6ddbff4104e573b6c08d SOURCES/selinux-policy-contrib-aadacd8.tar.gz
91c17cd38073aba5562898449fe3b4f2bbffac8e SOURCES/selinux-policy-fa87f85.tar.gz

View File

@ -22,4 +22,3 @@ unconfined_chrome_sandbox_transition=true
unconfined_mozilla_plugin_transition=true unconfined_mozilla_plugin_transition=true
xguest_exec_content = true xguest_exec_content = true
mozilla_plugin_can_network_connect = true mozilla_plugin_can_network_connect = true
use_virtualbox = true

View File

@ -1,8 +1,7 @@
/var/run /run /run /var/run
/var/lock /run/lock /run/lock /var/lock
/run/systemd/system /usr/lib/systemd/system /run/systemd/system /usr/lib/systemd/system
/run/systemd/generator /usr/lib/systemd/system /run/systemd/generator /usr/lib/systemd/system
/run/systemd/generator.early /usr/lib/systemd/system
/run/systemd/generator.late /usr/lib/systemd/system /run/systemd/generator.late /usr/lib/systemd/system
/lib /usr/lib /lib /usr/lib
/lib64 /usr/lib /lib64 /usr/lib
@ -13,12 +12,9 @@
/var/lib/xguest/home /home /var/lib/xguest/home /home
/var/named/chroot/usr/lib64 /usr/lib /var/named/chroot/usr/lib64 /usr/lib
/var/named/chroot/lib64 /usr/lib /var/named/chroot/lib64 /usr/lib
/var/named/chroot/var /var
/home-inst /home /home-inst /home
/home/home-inst /home /home/home-inst /home
/var/roothome /root /var/roothome /root
/sbin /usr/sbin /sbin /usr/sbin
/sysroot/tmp /tmp /sysroot/tmp /tmp
/var/usrlocal /usr/local /var/usrlocal /usr/local
/var/mnt /mnt
/bin /usr/bin

View File

@ -691,13 +691,6 @@ logwatch = module
# #
lpd = module lpd = module
# Layer: services
# Module: lsm
#
# lsm policy
#
lsm = module
# Layer: services # Layer: services
# Module: mailman # Module: mailman
# #

View File

@ -391,3 +391,10 @@ udev = module
# The unconfined domain. # The unconfined domain.
# #
unconfined = module unconfined = module
# Layer: system
# Module: kdbus
#
# Policy for kdbus.
#
kdbus = module

View File

@ -292,6 +292,13 @@ cfengine = module
# #
cgroup = module cgroup = module
# Layer: contrib
# Module: cgdcbxd
#
# cgdcbxd policy
#
cgdcbxd = module
# Layer: apps # Layer: apps
# Module: chrome # Module: chrome
# #
@ -342,6 +349,13 @@ cmirrord = module
# #
cobbler = module cobbler = module
# Layer: contrib
# Module: cockpit
#
# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines.
#
cockpit = module
# Layer: services # Layer: services
# Module: collectd # Module: collectd
# #
@ -706,13 +720,6 @@ git = module
# #
glance = module glance = module
# Layer: contrib
# Module: glusterd
#
# policy for glusterd service
#
glusterd = module
# Layer: apps # Layer: apps
# Module: gnome # Module: gnome
# #
@ -1998,7 +2005,7 @@ timidity = off
tmpreaper = module tmpreaper = module
# Layer: contrib # Layer: contrib
# Module: glusterd # Module: tomcat
# #
# policy for tomcat service # policy for tomcat service
# #
@ -2650,135 +2657,9 @@ rrdcached = module
# #
stratisd = module stratisd = module
# Layer: contrib
# Module: ica
#
# ica
#
ica = module
# Layer: contrib
# Module: fedoratp
#
# fedoratp
#
fedoratp = module
# Layer: contrib # Layer: contrib
# Module: insights_client # Module: insights_client
# #
# insights_client # insights_client
# #
insights_client = module insights_client = module
# Layer: contrib
# Module: stalld
#
# stalld
#
stalld = module
# Layer: contrib
# Module: rhcd
#
# rhcd
#
rhcd = module
# Layer: contrib
# Module: wireguard
#
# wireguard
#
wireguard = module
# Layer: contrib
# Module: mptcpd
#
# mptcpd
#
mptcpd = module
# Layer: contrib
# Module: rshim
#
# rshim
#
rshim = module
# Layer: contrib
# Module: keyutils
#
# keyutils
#
keyutils = module
# Layer: contrib
# Module: cifsutils
#
# cifsutils - Utilities for managing CIFS mounts
#
cifsutils = module
# Layer: contrib
# Module: boothd
#
# boothd - Booth cluster ticket manager
#
boothd = module
# Layer: contrib
# Module: kafs
#
# kafs - Tools for kAFS
#
kafs = module
# Layer: contrib
# Module: bootupd
#
# bootupd - bootloader update daemon
#
bootupd = module
# Layer: contrib
# Module: fdo
#
# fdo - fido device onboard protocol for IoT devices
#
fdo = module
# Layer: contrib
# Module: qatlib
#
# qatlib - Intel QuickAssist technology library and resources management
#
qatlib = module
# Layer: services
# Module: virt_supplementary
#
# non-libvirt virtualization libraries
#
virt_supplementary = module
# Layer: contrib
# Module: nvme_stas
#
# nvme_stas
#
nvme_stas = module
# Layer: contrib
# Module: coreos_installer
#
# coreos_installer
#
coreos_installer = module
# Layer: contrib
# Module: afterburn
#
# afterburn
#
afterburn = module

View File

@ -32,6 +32,7 @@
# %selinux_requires # %selinux_requires
%selinux_requires \ %selinux_requires \
Requires: selinux-policy >= %{_selinux_policy_version} \ Requires: selinux-policy >= %{_selinux_policy_version} \
BuildRequires: git \
BuildRequires: pkgconfig(systemd) \ BuildRequires: pkgconfig(systemd) \
BuildRequires: selinux-policy \ BuildRequires: selinux-policy \
BuildRequires: selinux-policy-devel \ BuildRequires: selinux-policy-devel \
@ -47,62 +48,48 @@ Requires(post): policycoreutils-python \
# %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]... # %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
%selinux_modules_install("s:p:") \ %selinux_modules_install("s:p:") \
if [ -e /etc/selinux/config ]; then \ . /etc/selinux/config \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \ _policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \ if [ -z "${_policytype}" ]; then \
_policytype="targeted" \ _policytype="targeted" \
fi \ fi \
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
%{_bindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \ %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* \
%{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \ %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
%{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
fi \ fi \
%{nil} %{nil}
# %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]... # %selinux_modules_uninstall [-s <policytype>] [-p <modulepriority>] module [module]...
%selinux_modules_uninstall("s:p:") \ %selinux_modules_uninstall("s:p:") \
if [ -e /etc/selinux/config ]; then \ . /etc/selinux/config \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \ _policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \ if [ -z "${_policytype}" ]; then \
_policytype="targeted" \ _policytype="targeted" \
fi \ fi \
if [ $1 -eq 0 ]; then \ if [ $1 -eq 0 ]; then \
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \ if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
%{_bindir}/rm -rf %{_sharedstatedir}/selinux/${_policytype}/active/modules/400/extra_varrun || : \
%{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \ %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \ %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
%{_libexecdir}/selinux/varrun-convert.sh ${_policytype} || : \
fi \ fi \
fi \ fi \
%{nil} %{nil}
# %selinux_relabel_pre [-s <policytype>] # %selinux_relabel_pre [-s <policytype>]
%selinux_relabel_pre("s:") \ %selinux_relabel_pre("s:") \
if %{_sbindir}/selinuxenabled; then \ . /etc/selinux/config \
if [ -e /etc/selinux/config ]; then \ _policytype=%{-s*} \
. /etc/selinux/config \ if [ -z "${_policytype}" ]; then \
fi \ _policytype="targeted" \
_policytype=%{-s*} \ fi \
if [ -z "${_policytype}" ]; then \ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
_policytype="targeted" \ [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
fi \
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
[ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
fi \
fi \ fi \
%{nil} %{nil}
# %selinux_relabel_post [-s <policytype>] # %selinux_relabel_post [-s <policytype>]
%selinux_relabel_post("s:") \ %selinux_relabel_post("s:") \
if [ -e /etc/selinux/config ]; then \ . /etc/selinux/config \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \ _policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \ if [ -z "${_policytype}" ]; then \
_policytype="targeted" \ _policytype="targeted" \
@ -117,9 +104,7 @@ fi \
# %selinux_set_booleans [-s <policytype>] boolean [boolean]... # %selinux_set_booleans [-s <policytype>] boolean [boolean]...
%selinux_set_booleans("s:") \ %selinux_set_booleans("s:") \
if [ -e /etc/selinux/config ]; then \ . /etc/selinux/config \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \ _policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \ if [ -z "${_policytype}" ]; then \
_policytype="targeted" \ _policytype="targeted" \
@ -158,9 +143,7 @@ fi \
# %selinux_unset_booleans [-s <policytype>] boolean [boolean]... # %selinux_unset_booleans [-s <policytype>] boolean [boolean]...
%selinux_unset_booleans("s:") \ %selinux_unset_booleans("s:") \
if [ -e /etc/selinux/config ]; then \ . /etc/selinux/config \
. /etc/selinux/config \
fi \
_policytype=%{-s*} \ _policytype=%{-s*} \
if [ -z "${_policytype}" ]; then \ if [ -z "${_policytype}" ]; then \
_policytype="targeted" \ _policytype="targeted" \

View File

@ -25,7 +25,7 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
# permit any access to such users, then remove this entry. # permit any access to such users, then remove this entry.
# #
gen_user(user_u, user, user_r, s0, s0) gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# #
@ -36,4 +36,3 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# not in the sysadm_r. # not in the sysadm_r.
# #
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)

View File

@ -25,7 +25,7 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
# permit any access to such users, then remove this entry. # permit any access to such users, then remove this entry.
# #
gen_user(user_u, user, user_r, s0, s0) gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(staff_u, user, staff_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# #
@ -36,5 +36,3 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# not in the sysadm_r. # not in the sysadm_r.
# #
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(guest_u, user, guest_r, s0, s0)
gen_user(xguest_u, user, xguest_r, s0, s0)

View File

@ -25,7 +25,7 @@ gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
# permit any access to such users, then remove this entry. # permit any access to such users, then remove this entry.
# #
gen_user(user_u, user, user_r, s0, s0) gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(staff_u, user, staff_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# #
@ -36,6 +36,3 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# not in the sysadm_r. # not in the sysadm_r.
# #
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(guest_u, user, guest_r, s0, s0)
gen_user(xguest_u, user, xguest_r, s0, s0)

16132
SPECS/selinux-policy.spec Normal file

File diff suppressed because it is too large Load Diff

View File

@ -1,15 +0,0 @@
[Unit]
Description=Check that SELinux is not disabled the unsafe way
ConditionKernelCommandLine=!selinux=0
After=sysinit.target
[Service]
Type=oneshot
EnvironmentFile=/etc/selinux/config
ExecCondition=test "$SELINUX" = disabled
ExecStart=/usr/bin/echo 'SELINUX=disabled in /etc/selinux/config, but no selinux=0 on kernel command line - SELinux may not be fully disabled. Please update bootloader configuration to pass selinux=0 to kernel at boot.'
StandardOutput=journal+console
SyslogLevel=warning
[Install]
WantedBy=multi-user.target

File diff suppressed because it is too large Load Diff

View File

@ -1,2 +0,0 @@
SHA512 (container-selinux.tgz) = 482e9d3a48c09c679539d2f9039a647d69ee1c9dd4dbef26a25d3dd350137cfe51ac8695685ae0078bc75c38d41a2e4a2554064a9111083f07ffe32aa3044d9e
SHA512 (selinux-policy-6112821.tar.gz) = 209217ec7e38a8d5fc43dc708e30cc88fe3c7fd4d3f6101784ca99f953bc001663165b4156695edbd491dca1aeaefe0317dcf59e059bce10e2ed4639391c34e0

View File

@ -1,80 +0,0 @@
#!/bin/bash
### varrun-convert.sh
### convert legacy filecontext entries containing /var/run to /run
### and load an extra selinux module with the new content
### the script takes a policy name as an argument
# Set DEBUG=yes before running the script to get more verbose output
if [ "${DEBUG}" = "yes" ]; then
set -x
fi
# Look for working files and log in OUTPUTDIR
OUTPUTDIR="/run/selinux-policy"
LOG="$OUTPUTDIR/log"
mkdir -p ${OUTPUTDIR}
if [ -z ${1} ]; then
[ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
exit
fi
FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
if [ ! -f ${FILE_CONTEXTS} ]; then
[ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
exit
fi
SEMODULEOPT="-s ${1}"
[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
[ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
exit
fi
EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
EXTRA_VARRUN_CIL="/$OUTPUTDIR/extra_varrun.cil"
# Print only /var/run entries
grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES}
# Unify whitespace separators
sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES}
# Change /var/run to /run
sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
# Exception handling: packages with already duplicate entries
sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
# Change format to cil
sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
# Handle entries with <<none>> which do not match previous regexps
sed -i s'/ <<none>>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
# Wrap each line with an optional block
i=1
while read line
do
echo "(optional extra_var_run_${i}"
echo " $line"
echo ")"
((i++))
done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
# Load module
/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}