diff --git a/cjdns.selinux.patch b/cjdns.selinux.patch
index 77d3052..b274924 100644
--- a/cjdns.selinux.patch
+++ b/cjdns.selinux.patch
@@ -1,17 +1,18 @@
 diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te
---- ./contrib/selinux/cjdns.te.selinux	2018-01-30 19:04:59.000000000 -0500
-+++ ./contrib/selinux/cjdns.te	2018-03-05 01:15:40.302169785 -0500
-@@ -7,8 +7,8 @@ require {
+--- ./contrib/selinux/cjdns.te.selinux	2019-05-02 04:02:32.000000000 -0400
++++ ./contrib/selinux/cjdns.te	2019-08-15 22:23:18.807845457 -0400
+@@ -7,8 +7,9 @@ require {
  	type port_t;
  	type unreserved_port_t;
  	type tmp_t;
 -	type kernel_t;
  	type passwd_file_t;
 +	type net_conf_t;
++	type sssd_var_lib_t;
  }
  
  type cjdns_t;
-@@ -17,24 +17,24 @@ init_daemon_domain(cjdns_t,cjdns_exec_t)
+@@ -17,24 +18,26 @@ init_daemon_domain(cjdns_t,cjdns_exec_t)
  
  #============= cjdns_t ==============
  # Let master process run further restricted subprocess
@@ -23,6 +24,8 @@ diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te
 -allow cjdns_t kernel_t:system module_request;
  # translate username to uid
  allow cjdns_t passwd_file_t:file { read getattr open };
++# should not need sssd to lookup uid for local uid
++dontaudit cjdns_t sssd_var_lib_t:dir search;
 +# translate host names
 +allow cjdns_t net_conf_t:file { read getattr open };
diff --git a/cjdns.spec b/cjdns.spec
index 03f5fe2..a03922c 100644
--- a/cjdns.spec
+++ b/cjdns.spec
@@ -80,7 +80,7 @@ Name: cjdns
 
 # major version is cjdns protocol version:
 Version: 20.3
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: The privacy-friendly network without borders
 # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC
 # cnacl is unused except when use_embedded is true
@@ -635,6 +635,9 @@ fi
 %{_bindir}/graphStats
 
 %changelog
+* Thu Aug 15 2019 Stuart Gathman - 20.3-7
+- Don't audit /var/lib/sss access
+
 * Tue Aug 06 2019 Stuart Gathman - 20.3-6
 - Much simpler solution to removing sysctl calls :-)
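Review bot: The new `type sssd_var_lib_t;` entry in the `require { }` block turns the sssd policy module into a hard load-time dependency of the cjdns module, and nothing in the patch or the spec notes that; if the sssd module is absent or removed from the loaded policy, `semodule -i` of cjdns will fail with an undefined-type error rather than degrade gracefully. The existing entries (`passwd_file_t`, `net_conf_t`) carry the same kind of dependency, so this may be an accepted trade-off, but it deserves a comment next to the new require line, e.g. `# sssd_var_lib_t is defined by the sssd policy module; the cjdns module will not load without it`. If the maintainer builds against the refpolicy headers, the sssd-specific rule could alternatively be placed under `optional_policy()` with a `gen_require` so the rest of the module loads without sssd, though that changes the module's structure beyond this patch.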
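Review bot: The added `dontaudit cjdns_t sssd_var_lib_t:dir search;` suppresses the AVC record without granting the access, so on a host where the account cjdns resolves (per the "translate username to uid" comment above it) is served by sssd rather than by the local passwd file, the lookup will presumably still fail but now with no trace in the audit log; the comment should state that consequence rather than only the assumption. Suggest replacing the new comment with `# dontaudit, not allow: uid lookups that need sssd will fail silently; rebuild with 'semodule -DB' to surface the denial when debugging`. The enclosing inner hunk (`@@ -17,24 +18,26 @@`) continues past the lines shown here.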