#399 * Mon Feb 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13-1
Merged 3 months ago by zpytela. Opened 3 months ago by zpytela.
rpms/ zpytela/selinux-policy rawhide  into  rawhide

file modified
-1
@@ -2,4 +2,3 @@ 

  /container-selinux.tgz

  /macro-expander

  *.rpm

- /varrun-convert.sh

file modified
+15 -2
@@ -1,6 +1,6 @@ 

  # github repo with selinux-policy sources

  %global giturl https://github.com/fedora-selinux/selinux-policy

- %global commit 8973a73c7c534b51860b9350eacc6d946ab1e412

+ %global commit d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455

  %global shortcommit %(c=%{commit}; echo ${c:0:7})

  

  %define distro redhat
@@ -23,7 +23,7 @@ 

  %define CHECKPOLICYVER 3.2

  Summary: SELinux policy configuration

  Name: selinux-policy

- Version: 40.12

+ Version: 40.13

  Release: 1%{?dist}

  License: GPL-2.0-or-later

  Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
@@ -824,6 +824,19 @@ 

  %endif

  

  %changelog

+ * Mon Feb 12 2024 Zdenek Pytela <zpytela@redhat.com> - 40.13-1

+ - Only allow confined user domains to login locally without unconfined_login

+ - Add userdom_spec_domtrans_confined_admin_users interface

+ - Only allow admindomain to execute shell via ssh with ssh_sysadm_login

+ - Add userdom_spec_domtrans_admin_users interface

+ - Move ssh dyntrans to unconfined inside unconfined_login tunable policy

+ - Update ssh_role_template() for user ssh-agent type

+ - Allow init to inherit system DBus file descriptors

+ - Allow init to inherit fds from syslogd

+ - Allow any domain to inherit fds from rpm-ostree

+ - Update afterburn policy

+ - Allow init_t nnp domain transition to abrtd_t

+ 

  * Tue Feb 06 2024 Zdenek Pytela <zpytela@redhat.com> - 40.12-1

  - Rename all /var/lock file context entries to /run/lock

  - Rename all /var/run file context entries to /run

file modified
+2 -3
@@ -1,4 +1,3 @@ 

- SHA512 (selinux-policy-8973a73.tar.gz) = 343077aa6eabf9016914cc2e056e3e3140b6eda92e1581919033fc05e81fe805876ffe8254dbfba9f7d05f0a016249c3914359358ba062f5cb8049e9c998f4f5

- SHA512 (container-selinux.tgz) = 8fe309ddb133ef57fcd61b59355a6aad36e05e5f94a33bcf4004ebfdf006999cd708ca7b023824596956ba7b2829632ec64406182aa271b5e0275f429d5880e5

+ SHA512 (selinux-policy-d9f4a2b.tar.gz) = 6abfcb82e7187b0c7c4052d6230a25717e6eb783ecc49c07314422bee138a820f3ff21e8993102f4f954fdb238c28fb94c466c1f275993de1c26db271d910a13

  SHA512 (macro-expander) = 243ee49f1185b78ac47e56ca9a3f3592f8975fab1a2401c0fcc7f88217be614fe31805bacec602b728e7fcfc21dcc17d90e9a54ce87f3a0c97624d9ad885aea4

- SHA512 (varrun-convert.sh) = e1514fb877fdd01a9880d23a0962a41fe6ba991cd7b288c430b537b9bddde4f5d98749c08821dfb16237621a73cb47e0df4e3b90124d7dec0f47e021c6afb9b1

+ SHA512 (container-selinux.tgz) = 6a33208ad6b3b55d254b98775ed4d1486efb5f09c144b695a852f14f28277a6ebf1de9aa6e9c579677c738cc1b0d7cff4dbdb8d38fc0602433cdf7ce551a00ed
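Review bot: The checksum for container-selinux.tgz changes on the last `+` line of this hunk, but nothing in the PR records what that new tarball is: the changelog entries in the spec list only selinux-policy changes, and the `sources` file carries no version. Anyone verifying the build inputs later can confirm the hash but not which container-selinux release it is supposed to correspond to; a changelog line such as `- Update container-selinux to <VERSION-PLACEHOLDER>` would tie the artifact to something checkable. Dropping the varrun-convert.sh entry here is consistent with the script now being tracked in git rather than in the lookaside cache.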

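--- a/varrun-convert.sh
+++ b/varrun-convert.sh
@@ -0,0 +1,80 @@
+#!/bin/bash
+### varrun-convert.sh
+### convert legacy filecontext entries containing /var/run to /run
+### and load an extra selinux module with the new content
+### the script takes a policy name as an argument
+
+# Set DEBUG=yes before running the script to get more verbose output
+if [ "${DEBUG}" = "yes" ]; then
+  set -x
+fi
+
+# Look for working files and log in OUTPUTDIR
+OUTPUTDIR="/run/selinux-policy"
+LOG="$OUTPUTDIR/log"
+mkdir -p ${OUTPUTDIR}
+
+if [ -z ${1} ]; then
+  [ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
+  exit
+fi
+
+FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
+if [ ! -f ${FILE_CONTEXTS} ]; then
+  [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
+  exit
+fi
+
+SEMODULEOPT="-s ${1}"
+[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
+
+if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
+  [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
+  exit
+fi
+
+EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
+EXTRA_VARRUN_CIL="/$OUTPUTDIR/extra_varrun.cil"
+
+# Print only /var/run entries
+grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES}
+
+# Unify whitespace separators
+sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES}
+
+# Change /var/run to /run
+sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
+
+# Exception handling: packages with already duplicate entries
+sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
+sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
+sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
+
+# Change format to cil
+sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
+sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
+
+# Handle entries with <<none>> which do not match previous regexps
+sed -i s'/ <<none>>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
+
+# Wrap each line with an optional block
+i=1
+while read line
+do
+  echo "(optional extra_var_run_${i}"
+  echo "  $line"
+  echo ")"
+  ((i++))
+done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
+
+# Load module
+/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
+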
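Review bot: The `while read line` loop near the end of the new file silently alters the patterns it copies, because `read` without `-r` consumes backslash escapes and file_contexts regexes routinely contain them (`\.`, `\(`); the `filecon` path written into the CIL then no longer matches the original entry, which for a labeling rule means a wider or broken match, so the loop header should be `while IFS= read -r line` (the `IFS=` also keeps leading whitespace). Two smaller points in the same file: `[ -z ${1} ]` and the later `${1}`/`${FILE_CONTEXTS}` expansions are unquoted, so a policy name containing spaces or glob characters would misbehave — `[ -z "${1}" ]` and quoting the rest fixes that — and `EXTRA_VARRUN_CIL="/$OUTPUTDIR/extra_varrun.cil"` has a stray leading `/` that produces a `//run/...` path. The three early `exit` calls return status 0 even on the two error branches, and the error text is only written when DEBUG=yes, so the caller (presumably a scriptlet, not shown here) cannot distinguish "nothing to convert" from "file_contexts missing"; `exit 1` on the error branches, if the caller can tolerate it, would make that visible.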

  • Only allow confined user domains to login locally without unconfined_login
  • Add userdom_spec_domtrans_confined_admin_users interface
  • Only allow admindomain to execute shell via ssh with ssh_sysadm_login
  • Add userdom_spec_domtrans_admin_users interface
  • Move ssh dyntrans to unconfined inside unconfined_login tunable policy
  • Update ssh_role_template() for user ssh-agent type
  • Allow init to inherit system DBus file descriptors
  • Allow init to inherit fds from syslogd
  • Allow any domain to inherit fds from rpm-ostree
  • Update afterburn policy
  • Allow init_t nnp domain transition to abrtd_t

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/79e2da686e584fe584cd4e14bb9c7255

Pull-Request has been merged by zpytela

3 months ago