diff --git a/0002-catchall-Discourage-creating-custom-policy-modules.patch b/0002-catchall-Discourage-creating-custom-policy-modules.patch
new file mode 100644
index 0000000..a3f28a1
--- /dev/null
+++ b/0002-catchall-Discourage-creating-custom-policy-modules.patch
@@ -0,0 +1,36 @@
+From 8ad7f4c5528fbbc52a3d391c702102c6fe262d83 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Tue, 9 Jun 2026 17:27:36 +0200
+Subject: [PATCH] catchall: Discourage creating custom policy modules
+
+Update the plugin text to discourage creating custom policy modules by
+explaining the lack of support and potential security implications.
+---
+ src/catchall.py | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/catchall.py b/src/catchall.py
+index 052d6d8..7e4a8fa 100644
+--- a/src/catchall.py
++++ b/src/catchall.py
+@@ -54,9 +54,14 @@ class plugin(Plugin):
+ return _('If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on $TARGET_CLASS labeled $TARGET_TYPE by default.')
+ return _('If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on the $TARGET_BASE_PATH $TARGET_CLASS by default.')
+ 
+- then_text = _('You should report this as a bug.\nYou can generate a local policy module to allow this access.')
+- do_text = _("""Allow this access for now by executing:
+-# ausearch -c '$SOURCE' --raw | audit2allow -M my-$MODULE_NAME
++ then_text = _('''
++ You should report this as a bug.\n
++ If you are certain this access is legitimate and not an intrusion attempt, you
++ can generate a local policy module to allow it.
++ Custom policy modules are not supported as they may weaken the system policy and expose the system to security vulnerabilities.
++ ''')
++
++ do_text = _("""# ausearch -c '$SOURCE' --raw | audit2allow -M my-$MODULE_NAME
+ # semodule -X 300 -i my-$MODULE_NAME.pp""")
+ 
+ def __init__(self):
+--
+2.53.0
+
diff --git a/setroubleshoot-plugins.spec b/setroubleshoot-plugins.spec
index f22f539..87af8d1 100644
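Review bot: The new `then_text` literal in the src/catchall.py hunk bakes a leading newline, the indentation of every line and a trailing indented newline into the gettext msgid, and the `\n` at the end of `You should report this as a bug.\n` followed by a real line break leaves an empty line in the middle of the message; the replaced single-quoted string had none of these artifacts, so translators and the setroubleshoot UI will now see the whitespace verbatim. Implicit concatenation of adjacent literals keeps xgettext extraction working and preserves the wording the commit intends, as below. The enclosing `class plugin(Plugin)` begins before the hunk, and the new two-line `do_text` literal is unaffected.
```python
    then_text = _('You should report this as a bug.\n'
                  'If you are certain this access is legitimate and not an intrusion attempt, '
                  'you can generate a local policy module to allow it.\n'
                  'Custom policy modules are not supported as they may weaken the system policy '
                  'and expose the system to security vulnerabilities.')
    # … unchanged: do_text …
```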
--- a/setroubleshoot-plugins.spec
+++ b/setroubleshoot-plugins.spec
@@ -6,13 +6,14 @@ Summary: Analysis plugins for use with setroubleshoot
 Name: setroubleshoot-plugins
 Version: 3.3.15
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPL-2.0-or-later
 URL: https://gitlab.com/setroubleshoot/plugins
 Source0: https://gitlab.com/-/project/24478430/uploads/1d856bff1c9fb16a8c6fc877d7fe91ca/setroubleshoot-plugins-3.3.15.tar.gz
 # git format-patch -N setroubleshoot-plugins-
 # for j in 00*patch; do printf "Patch: %s\n" $j; done
 Patch: 0001-Split-multi-command-fix_cmds-into-lists.patch
+Patch: 0002-catchall-Discourage-creating-custom-policy-modules.patch
 BuildArch: noarch
 # gcc is needed only for ./configure
@@ -50,6 +51,9 @@ rm -rf %{buildroot}
 %{_datadir}/setroubleshoot/plugins
 %changelog
+* Thu Jun 18 2026 Vit Mojzis - 3.3.15-3
+- catchall: Discourage creating custom policy modules (RHEL-80549)
+
 * Thu May 07 2026 Vit Mojzis - 3.3.15-2
 - Split multi-command fix_cmds into lists (RHEL-155206)