mirror of
https://github.com/flatcar/scripts.git
synced 2026-05-04 11:51:14 +02:00
sec-policy/selinux-base-policy: sync with Gentoo
Commit-Ref: ea4cd1f216
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
This commit is contained in:
Mathieu Tortuyaux
parent
ac520d6588
commit
6b7c24719b
@ -1,4 +0,0 @@
|
||||
DIST patchbundle-selinux-base-policy-2.20200818-r2.tar.bz2 433623 BLAKE2B f0655c45c50347faf1217e5861298dce822e4b726c0b4489d4c70c4815842f7c17ac1b0a302ae5482a3ad25d1d5b6c4c3b6395194e79005f31560d103ad0fce6 SHA512 9fd22683ecd602a429b2d489f7b8c2936409fa060046255b72a4b95c9fdefa2455ba7655945278dc972c22f3ade6617898ed169e22001aaaaded4b47ca51b0c3
|
||||
DIST patchbundle-selinux-base-policy-2.20210203-r1.tar.bz2 298116 BLAKE2B 50c5523a8b758652af6aa59d548e9499b899898b58f52f74f1667a0c552f2b2d0ed5a44352e59245c7f0ebd199e2391400168d6ab27b4160d726fccded0c56f2 SHA512 ddb877ec3e2883f57e54e7380dd449d4d89a0769a1fb87141786e5de741ac21b2ead60362fd17c25888eb1334c68f71da561f4f29f406f0d4b5d13d378f6baff
|
||||
DIST refpolicy-2.20200818.tar.bz2 570896 BLAKE2B 502c00fec39e1b81e42de3f7f942623f8b3fbdeac19f9f01126722a368b7d4f70427d6e4a574754c4f2fa551e4bc75c912dbc515c004f0dcd5eb28ab416498f6 SHA512 e4b527bb7a87b9359fc42eb111d5008103f57c37128998ea0e21ec7b0b8607ffe3f67697450e4c51a0db172ece69083335b279bacef4b1bd0b7748b58caa99a7
|
||||
DIST refpolicy-2.20210203.tar.bz2 564099 BLAKE2B a94a11ebb78890ba2c98714be2fe9054fdb8ccaf5154f47b881a9575a4a6865e8df475805550d7bba8039b4230c6a0c9f5c6130bf8c35a26bc7c473d550fb40d SHA512 a6ffe718626dd6121023b4cbc424c933d44ca8b662bd708baad307cf6284be0d80fef40cdc8b37f6f17ecb3636fd8d6c1d5d4072c17d835b7f500e17a3acd9fc
|
||||
@ -1,11 +0,0 @@
|
||||
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
|
||||
index dbd39cf8f..563559ca7 100644
|
||||
--- refpolicy/policy/modules/system/init.te
|
||||
+++ refpolicy/policy/modules/system/init.te
|
||||
@@ -1503,3 +1503,6 @@ optional_policy(`
|
||||
userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
|
||||
userdom_dontaudit_write_user_tmp_files(systemprocess)
|
||||
')
|
||||
+
|
||||
+require { type unconfined_t; }
|
||||
+allow init_t unconfined_t:file exec_file_perms;
|
||||
@ -1,13 +0,0 @@
|
||||
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
|
||||
index 109980e79..d5c4a5d95 100644
|
||||
--- refpolicy/policy/modules/system/locallogin.te
|
||||
+++ refpolicy/policy/modules/system/locallogin.te
|
||||
@@ -34,7 +34,7 @@ role system_r types sulogin_t;
|
||||
|
||||
allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
|
||||
dontaudit local_login_t self:capability net_admin;
|
||||
-allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
|
||||
+allow local_login_t self:process { setpgid getcap setcap setexec setrlimit setsched };
|
||||
allow local_login_t self:fd use;
|
||||
allow local_login_t self:fifo_file rw_fifo_file_perms;
|
||||
allow local_login_t self:sock_file read_sock_file_perms;
|
||||
@ -1,18 +0,0 @@
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index 7d713540d..d6cbc654d 100644
|
||||
--- refpolicy/policy/modules/system/logging.te
|
||||
+++ refpolicy/policy/modules/system/logging.te
|
||||
@@ -516,11 +516,13 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
|
||||
userdom_dontaudit_search_user_home_dirs(syslogd_t)
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
+ require { type kernel_t; }
|
||||
# for systemd-journal
|
||||
allow syslogd_t self:netlink_audit_socket connected_socket_perms;
|
||||
allow syslogd_t self:capability2 audit_read;
|
||||
allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
|
||||
allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
|
||||
+ allow syslogd_t kernel_t:netlink_audit_socket getattr;
|
||||
|
||||
# remove /run/log/journal when switching to permanent storage
|
||||
allow syslogd_t var_log_t:dir rmdir;
|
||||
@ -1,19 +0,0 @@
|
||||
diff -u -r refpolicy/policy/modules/admin/netutils.te refpolicy/policy/modules/admin/netutils.te
|
||||
--- refpolicy/policy/modules/admin/netutils.te 2022-01-12 14:28:26.850809330 -0000
|
||||
+++ refpolicy/policy/modules/admin/netutils.te 2022-01-12 14:29:50.323880882 -0000
|
||||
@@ -117,6 +117,7 @@
|
||||
corenet_raw_sendrecv_generic_node(ping_t)
|
||||
corenet_tcp_sendrecv_generic_node(ping_t)
|
||||
corenet_raw_bind_generic_node(ping_t)
|
||||
+corenet_icmp_bind_generic_node(ping_t)
|
||||
|
||||
dev_read_urand(ping_t)
|
||||
|
||||
@@ -189,6 +190,7 @@
|
||||
corenet_tcp_connect_all_ports(traceroute_t)
|
||||
corenet_sendrecv_all_client_packets(traceroute_t)
|
||||
corenet_sendrecv_traceroute_server_packets(traceroute_t)
|
||||
+corenet_icmp_bind_generic_node(traceroute_t)
|
||||
|
||||
dev_read_rand(traceroute_t)
|
||||
dev_read_urand(traceroute_t)
|
||||
@ -1,22 +0,0 @@
|
||||
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
|
||||
index 60060c35c..8d9f5b7a6 100644
|
||||
--- refpolicy/policy/modules/services/ssh.fc
|
||||
+++ refpolicy/policy/modules/services/ssh.fc
|
||||
@@ -6,7 +6,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
|
||||
/usr/bin/ssh -- gen_context(system_u:object_r:ssh_exec_t,s0)
|
||||
/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
|
||||
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
|
||||
-/usr/bin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
|
||||
+/usr/bin/sshd -- gen_context(system_u:object_r:unconfined_t,s0)
|
||||
|
||||
/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
|
||||
/usr/lib/ssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
|
||||
@@ -17,7 +17,7 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
|
||||
|
||||
/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
|
||||
|
||||
-/usr/sbin/sshd -- gen_context(system_u:object_r:sshd_exec_t,s0)
|
||||
+/usr/sbin/sshd -- gen_context(system_u:object_r:unconfined_t,s0)
|
||||
|
||||
/run/sshd(/.*)? gen_context(system_u:object_r:sshd_runtime_t,s0)
|
||||
/run/sshd\.init\.pid -- gen_context(system_u:object_r:sshd_runtime_t,s0)
|
||||
@ -1,11 +0,0 @@
|
||||
index 7c60eda2c..736187b7a 100644
|
||||
--- refpolicy/policy/modules/kernel/kernel.te
|
||||
+++ refpolicy/policy/modules/kernel/kernel.te
|
||||
@@ -191,6 +191,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
|
||||
type unlabeled_t;
|
||||
kernel_rootfs_mountpoint(unlabeled_t)
|
||||
fs_associate(unlabeled_t)
|
||||
+fs_associate_tmpfs(unlabeled_t)
|
||||
sid file gen_context(system_u:object_r:unlabeled_t,s0)
|
||||
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
|
||||
neverallow * unlabeled_t:file entrypoint;
|
||||
3
sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/Manifest
vendored
Normal file
3
sdk_container/src/third_party/portage-stable/sec-policy/selinux-base-policy/Manifest
vendored
Normal file
@ -0,0 +1,3 @@
|
||||
DIST patchbundle-selinux-base-policy-2.20221101-r3.tar.bz2 444710 BLAKE2B e33cc01a8be5a354e022be1e8bf242883b09b15ead0673f859819f5e668f18773a16527f2e608878e6976695dcb2890c55658e77877e93c716ae0b2dd2ed5a9b SHA512 52e60b22346903a6fead95c9fb348fa1d4037b7dcd3e5781248a7dfc426c8c3fced258fd22762c779a5f436d8be21eaed5425ed36ff99c267daae5e1cb9c8e7f
|
||||
DIST patchbundle-selinux-base-policy-2.20221101-r4.tar.bz2 457886 BLAKE2B 1e085f9f1739e0640c5eafa70db4c7ec19bca887c682ca2312a457fa57ee3eb176d0c8f16c2f84a1a026669b1240be3ff69066bd825c92fad75dcd2c13739f6c SHA512 da3ba1f076c04746719698aedb3aad48eb7c8a09df95c314b36f7a052538a07d893be413f35f4c34b01c1bf967ebe35ff32c2cea0722fe74a6e089a9d6aa47a6
|
||||
DIST refpolicy-2.20221101.tar.bz2 583183 BLAKE2B 783d8af40fd77d7ddb848dba32e91921dd7c1380c094c45b719ada7b15f91aacbb52b410ffa6341f2f705ecbc9674b8570bd4867ce998e944fa0054ffd8bdf74 SHA512 29e5a29d90f714018c88fead2d5006ea90338fb5b7a1e4e98cb2e588c96cd861871d32176f6cc6f7c4e864ce5acae1aeed85d4c706ce2da8168986535baaf3a6
|
||||
@ -1,5 +1,5 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
|
||||
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
|
||||
<pkgmetadata>
|
||||
<maintainer type="project">
|
||||
<email>selinux@gentoo.org</email>
|
||||
@ -1,4 +1,4 @@
|
||||
# Copyright 1999-2021 Gentoo Authors
|
||||
# Copyright 1999-2022 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI="7"
|
||||
@ -12,7 +12,7 @@ if [[ ${PV} == 9999* ]]; then
|
||||
else
|
||||
SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
|
||||
https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
|
||||
KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
|
||||
KEYWORDS="amd64 arm arm64 ~mips x86"
|
||||
fi
|
||||
|
||||
HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
|
||||
@ -28,6 +28,7 @@ BDEPEND="
|
||||
sys-devel/m4"
|
||||
|
||||
MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg"
|
||||
DEL_MODS="hotplug"
|
||||
LICENSE="GPL-2"
|
||||
SLOT="0"
|
||||
S="${WORKDIR}/"
|
||||
@ -56,8 +57,12 @@ src_prepare() {
|
||||
|
||||
# Collect only those files needed for this particular module
|
||||
for i in ${MODS}; do
|
||||
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
|
||||
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
|
||||
modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.te) $modfiles"
|
||||
modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.fc) $modfiles"
|
||||
done
|
||||
|
||||
for i in ${DEL_MODS}; do
|
||||
[[ "${MODS}" != *${i}* ]] || die "Duplicate module in MODS and DEL_MODS: ${i}"
|
||||
done
|
||||
|
||||
for i in ${POLICY_TYPES}; do
|
||||
@ -72,7 +77,7 @@ src_prepare() {
|
||||
|
||||
src_compile() {
|
||||
for i in ${POLICY_TYPES}; do
|
||||
emake NAME=$i SHAREDIR="${ROOT}"/usr/share/selinux -C "${S}"/${i}
|
||||
emake NAME=$i SHAREDIR="${SYSROOT%/}/usr/share/selinux" -C "${S}"/${i}
|
||||
done
|
||||
}
|
||||
|
||||
@ -111,6 +116,13 @@ pkg_postinst() {
|
||||
cd "${ROOT}/usr/share/selinux/${i}"
|
||||
|
||||
semodule ${root_opts} -s ${i} ${COMMAND}
|
||||
|
||||
for mod in ${DEL_MODS}; do
|
||||
if semodule ${root_opts} -s ${i} -l | grep -q "\b${mod}\b"; then
|
||||
einfo "Removing obsolete ${i} ${mod} policy package"
|
||||
semodule ${root_opts} -s ${i} -r ${mod}
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
# Don't relabel when cross compiling
|
||||
@ -1,4 +1,4 @@
|
||||
# Copyright 1999-2021 Gentoo Authors
|
||||
# Copyright 1999-2023 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI="7"
|
||||
@ -11,8 +11,8 @@ if [[ ${PV} == 9999* ]]; then
|
||||
inherit git-r3
|
||||
else
|
||||
SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
|
||||
https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PV}-r2.tar.bz2"
|
||||
KEYWORDS="amd64 -arm ~arm64 ~mips x86"
|
||||
https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
|
||||
KEYWORDS="amd64 arm arm64 ~mips x86"
|
||||
fi
|
||||
|
||||
HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
|
||||
@ -27,26 +27,12 @@ BDEPEND="
|
||||
sys-apps/checkpolicy
|
||||
sys-devel/m4"
|
||||
|
||||
MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg"
|
||||
MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg"
|
||||
DEL_MODS="hotplug"
|
||||
LICENSE="GPL-2"
|
||||
SLOT="0"
|
||||
S="${WORKDIR}/"
|
||||
|
||||
# flatcar changes: apply a couple of
|
||||
# patches on the current policies
|
||||
PATCHES=(
|
||||
"${FILESDIR}/sshd.patch"
|
||||
"${FILESDIR}/init.patch"
|
||||
"${FILESDIR}/locallogin.patch"
|
||||
"${FILESDIR}/logging.patch"
|
||||
# this patch is required to prevent `torcx-generator`
|
||||
# to fail if SELinux is enforced in early boot.
|
||||
# It can be removed once we drop torcx support.
|
||||
"${FILESDIR}/unlabeled.patch"
|
||||
# This is to allow pings from some IP address.
|
||||
"${FILESDIR}/ping.patch"
|
||||
)
|
||||
|
||||
# Code entirely copied from selinux-eclass (cannot inherit due to dependency on
|
||||
# itself), when reworked reinclude it. Only postinstall (where -b base.pp is
|
||||
# added) needs to remain then.
|
||||
@ -67,13 +53,16 @@ src_prepare() {
|
||||
eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
|
||||
fi
|
||||
|
||||
eapply -p0 "${PATCHES[@]}"
|
||||
eapply_user
|
||||
|
||||
# Collect only those files needed for this particular module
|
||||
for i in ${MODS}; do
|
||||
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
|
||||
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
|
||||
modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.te) $modfiles"
|
||||
modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.fc) $modfiles"
|
||||
done
|
||||
|
||||
for i in ${DEL_MODS}; do
|
||||
[[ "${MODS}" != *${i}* ]] || die "Duplicate module in MODS and DEL_MODS: ${i}"
|
||||
done
|
||||
|
||||
for i in ${POLICY_TYPES}; do
|
||||
@ -88,7 +77,7 @@ src_prepare() {
|
||||
|
||||
src_compile() {
|
||||
for i in ${POLICY_TYPES}; do
|
||||
emake NAME=$i SHAREDIR="${ROOT}"/usr/share/selinux -C "${S}"/${i}
|
||||
emake NAME=$i SHAREDIR="${SYSROOT%/}/usr/share/selinux" -C "${S}"/${i}
|
||||
done
|
||||
}
|
||||
|
||||
@ -127,6 +116,13 @@ pkg_postinst() {
|
||||
cd "${ROOT}/usr/share/selinux/${i}"
|
||||
|
||||
semodule ${root_opts} -s ${i} ${COMMAND}
|
||||
|
||||
for mod in ${DEL_MODS}; do
|
||||
if semodule ${root_opts} -s ${i} -l | grep -q "\b${mod}\b"; then
|
||||
einfo "Removing obsolete ${i} ${mod} policy package"
|
||||
semodule ${root_opts} -s ${i} -r ${mod}
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
# Don't relabel when cross compiling
|
||||
@ -1,4 +1,4 @@
|
||||
# Copyright 1999-2021 Gentoo Authors
|
||||
# Copyright 1999-2022 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI="7"
|
||||
@ -12,7 +12,7 @@ if [[ ${PV} == 9999* ]]; then
|
||||
else
|
||||
SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
|
||||
https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
|
||||
KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
|
||||
KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
|
||||
fi
|
||||
|
||||
HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
|
||||
@ -28,6 +28,7 @@ BDEPEND="
|
||||
sys-devel/m4"
|
||||
|
||||
MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg"
|
||||
DEL_MODS="hotplug"
|
||||
LICENSE="GPL-2"
|
||||
SLOT="0"
|
||||
S="${WORKDIR}/"
|
||||
@ -56,8 +57,12 @@ src_prepare() {
|
||||
|
||||
# Collect only those files needed for this particular module
|
||||
for i in ${MODS}; do
|
||||
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
|
||||
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
|
||||
modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.te) $modfiles"
|
||||
modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.fc) $modfiles"
|
||||
done
|
||||
|
||||
for i in ${DEL_MODS}; do
|
||||
[[ "${MODS}" != *${i}* ]] || die "Duplicate module in MODS and DEL_MODS: ${i}"
|
||||
done
|
||||
|
||||
for i in ${POLICY_TYPES}; do
|
||||
@ -72,7 +77,7 @@ src_prepare() {
|
||||
|
||||
src_compile() {
|
||||
for i in ${POLICY_TYPES}; do
|
||||
emake NAME=$i SHAREDIR="${ROOT}"/usr/share/selinux -C "${S}"/${i}
|
||||
emake NAME=$i SHAREDIR="${SYSROOT%/}/usr/share/selinux" -C "${S}"/${i}
|
||||
done
|
||||
}
|
||||
|
||||
@ -111,6 +116,13 @@ pkg_postinst() {
|
||||
cd "${ROOT}/usr/share/selinux/${i}"
|
||||
|
||||
semodule ${root_opts} -s ${i} ${COMMAND}
|
||||
|
||||
for mod in ${DEL_MODS}; do
|
||||
if semodule ${root_opts} -s ${i} -l | grep -q "\b${mod}\b"; then
|
||||
einfo "Removing obsolete ${i} ${mod} policy package"
|
||||
semodule ${root_opts} -s ${i} -r ${mod}
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
# Don't relabel when cross compiling
|
||||
Loading…
x
Reference in New Issue
Block a user