refpolicy: update to latest rev

* d05a0d068 networkmanager: Watch systemd directories for nm-session-monitor. * 3a60340e9 systemd: allow systemd-hostnamed and systemd-rfkill to get attributes of nsfs inodes * ccbf1d66f fixup! Allow to specify module version * d664ebbaa Allow to specify module version * 1c8a95dbc Fix mislabeling of /etc/shadow * ec2b2befd locallogin: allow sulogin_t unconfined domtrans * 450522052 use init_use_script_ptys for knotc in initscript * 79dda56d3 locallogin: dontaudit sulogin_t checkpoint_restore * 4b3b8e7ce lldpad: Configure FW-LLDP on i40e NICs. * ed9d87976 Revert "Merge pull request #867 from PPN-SD/upd-knot-sel" * e053fced8 files, init: filetrans /run/machine-id etc_runtime_t * c5a76add7 firewalld: fix firewalld_t firewalld_tmpfs_t exec * 8a4043060 firewalld: fix lib_t Python cache denial auditing * bcb8e1d4d unconfined: fix oddjob security_compute_sid * ec8a5080a Permit init_t to start a detached screen session * b025e0ec4 Add setcap to knotd / add knotc_initrc_domtrans * 231960371 chronyd: fix dac_read_search denials Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
author: Yi Zhao <yi.zhao@windriver.com> 2025-04-02 10:06:11 +0800
committer: Yi Zhao <yi.zhao@windriver.com> 2025-04-02 15:15:58 +0800
commit: b60fb46e68d821d4e94766cdf8e34fdb18a22150 (patch)
tree: 249ce9f623ec2b171458599686b1c1905ab4ac76
parent: 5ce36d63ef4a6c5d01527dbb2d71301e3e107260 (diff)
download: meta-selinux-b60fb46e68d821d4e94766cdf8e34fdb18a22150.tar.gz
2 files changed, 6 insertions, 22 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0041-systemd-allow-systemd-tmpfiles-to-read-bin_t-symlink.patch b/recipes-security/refpolicy/refpolicy/0041-systemd-allow-systemd-tmpfiles-to-read-bin_t-symlink.patch
index f3833a4..47209ea 100644
--- a/recipes-security/refpolicy/refpolicy/0041-systemd-allow-systemd-tmpfiles-to-read-bin_t-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy/0041-systemd-allow-systemd-tmpfiles-to-read-bin_t-symlink.patch
@@ -1,4 +1,4 @@
-From a39879ca482b525ae2b48bf8708615c923df0575 Mon Sep 17 00:00:00 2001
+From f3f3623bf112dee989cae09a5b9842c78655f220 Mon Sep 17 00:00:00 2001
 From: Yi Zhao <yi.zhao@windriver.com>
 Date: Tue, 18 Feb 2025 15:26:19 +0800
 Subject: [PATCH] systemd: allow systemd-tmpfiles to read bin_t symlink
@@ -19,8 +19,8 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 policy/modules/kernel/corecommands.fc |  1 +
 policy/modules/kernel/corecommands.if | 18 ++++++++++++++++++
 policy/modules/system/systemd.if      |  1 +
- policy/modules/system/systemd.te      |  5 +++++
+ policy/modules/system/systemd.te      |  3 +++
- 4 files changed, 25 insertions(+)
+ 4 files changed, 23 insertions(+)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
 index 65178ba32..c7e3d2dae 100644
@@ -73,26 +73,10 @@ index 99318a3c2..7654d1076 100644
        domtrans_pattern($1_systemd_t, systemd_tmpfiles_exec_t, $1_systemd_tmpfiles_t)
        read_files_pattern($1_systemd_t, $1_systemd_tmpfiles_t, $1_systemd_tmpfiles_t)
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 23f7a6027..c605d58de 100644
+index 64f13e247..c605d58de 100644
 --- a/policy/modules/system/systemd.te
 +++ b/policy/modules/system/systemd.te
-@@ -817,6 +817,7 @@ files_read_etc_files(systemd_hostnamed_t)
+@@ -1932,6 +1932,9 @@ kernel_getattr_proc(systemd_tmpfiles_t)
- files_read_etc_runtime_files(systemd_hostnamed_t)
- 
- fs_getattr_all_fs(systemd_hostnamed_t)
-+fs_getattr_nsfs_files(systemd_hostnamed_t)
- 
- init_delete_runtime_files(systemd_hostnamed_t)
- init_read_runtime_files(systemd_hostnamed_t)
-@@ -1705,6 +1706,7 @@ manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_
- init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir)
- 
- fs_getattr_all_fs(systemd_rfkill_t)
-+fs_getattr_nsfs_files(systemd_rfkill_t)
- 
- kernel_getattr_proc(systemd_rfkill_t)
- kernel_read_kernel_sysctls(systemd_rfkill_t)
-@@ -1930,6 +1932,9 @@ kernel_getattr_proc(systemd_tmpfiles_t)
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
 kernel_read_network_state(systemd_tmpfiles_t)
 
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index 94b3379..a4ffd5c 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -2,7 +2,7 @@ PV = "2.20250213+git"
 SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy"
-SRCREV_refpolicy = "badb91ce49e20449b1a73cd98dc9250b622ed369"
+SRCREV_refpolicy = "ffc9c4e16cef451bf1d1a1de44bb738aa342c69d"
 UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"
author	Yi Zhao <yi.zhao@windriver.com>	2025-04-02 10:06:11 +0800
committer	Yi Zhao <yi.zhao@windriver.com>	2025-04-02 15:15:58 +0800
commit	b60fb46e68d821d4e94766cdf8e34fdb18a22150 (patch)
tree	249ce9f623ec2b171458599686b1c1905ab4ac76
parent	5ce36d63ef4a6c5d01527dbb2d71301e3e107260 (diff)
download	meta-selinux-b60fb46e68d821d4e94766cdf8e34fdb18a22150.tar.gz