summaryrefslogtreecommitdiffstats
path: root/patches
diff options
context:
space:
mode:
Diffstat (limited to 'patches')
-rw-r--r--patches/pki-core-selinux-f16.patch23
-rw-r--r--patches/pki-core-selinux-f17.patch35
2 files changed, 58 insertions, 0 deletions
diff --git a/patches/pki-core-selinux-f16.patch b/patches/pki-core-selinux-f16.patch
new file mode 100644
index 000000000..6866033dc
--- /dev/null
+++ b/patches/pki-core-selinux-f16.patch
@@ -0,0 +1,23 @@
+diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
+index 0709176..9a35184 100644
+--- a/pki/base/selinux/src/pki.if
++++ b/pki/base/selinux/src/pki.if
+@@ -193,7 +193,7 @@ template(`pki_ca_template',`
+ corenet_tcp_connect_ldap_port($1_t)
+
+ # tomcat connects to ephemeral ports on shutdown
+- corenet_tcp_connect_all_unreserved_ports($1_t)
++ corenet_tcp_connect_all_ephemeral_ports($1_t)
+
+ optional_policy(`
+ #This is broken in selinux-policy we need java_exec defined, Will add to policy
+diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
+index 7f6e657..dab02d4 100644
+--- a/pki/base/selinux/src/pki.te
++++ b/pki/base/selinux/src/pki.te
+@@ -1,4 +1,4 @@
+-policy_module(pki,10.0.2)
++policy_module(pki,10.0.3)
+
+ attribute pki_ca_config;
+ attribute pki_ca_executable;
diff --git a/patches/pki-core-selinux-f17.patch b/patches/pki-core-selinux-f17.patch
new file mode 100644
index 000000000..465c95fe2
--- /dev/null
+++ b/patches/pki-core-selinux-f17.patch
@@ -0,0 +1,35 @@
+diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
+index 0709176..20dfc17 100644
+--- a/pki/base/selinux/src/pki.if
++++ b/pki/base/selinux/src/pki.if
+@@ -206,6 +206,20 @@ template(`pki_ca_template',`
+ optional_policy(`
+ unconfined_domain($1_script_t)
+ ')
++
++ # tomcat6 init scripts do runuser and touch lockfile
++ allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override };
++ allow $1_t self:netlink_audit_socket { nlmsg_relay create read write };
++ consoletype_exec($1_t)
++ fs_read_hugetlbfs_files($1_t)
++ hostname_exec($1_t)
++ kernel_read_kernel_sysctls($1_t)
++
++ # java (mislabeled as lib_t?) calls build_classpath
++ libs_exec_lib_files($1_t)
++
++ selinux_get_enforce_mode($1_t)
++
+ ')
+
+ ########################################
+diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
+index 7f6e657..dab02d4 100644
+--- a/pki/base/selinux/src/pki.te
++++ b/pki/base/selinux/src/pki.te
+@@ -1,4 +1,4 @@
+-policy_module(pki,10.0.2)
++policy_module(pki,10.0.3)
+
+ attribute pki_ca_config;
+ attribute pki_ca_executable;
generated by cgit (git 2.34.1) at 2024-11-15 08:08:24 +0000