!240 update version to 40.7

From: @jinlun123123 Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee
2024-01-29 08:26:46 +00:00 · 2024-01-29 08:26:46 +00:00 · 27f6587f0e
commit 27f6587f0e
parent 4f94b5ea93 77c5b8e284
7 changed files with 54 additions and 35 deletions
--- a/Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch
+++ b/Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch
@ -1,4 +1,4 @@
-From 36a7559c14a33b8ae867acaf3a724529ef2aa7ea Mon Sep 17 00:00:00 2001
+From 2a1802c29f4629f06ebd2c8bf1491f98565bf5b1 Mon Sep 17 00:00:00 2001
 From: "GONG, Ruiqi" <gongruiqi1@huawei.com>
 Date: Mon, 20 Mar 2023 20:42:49 +0800
 Subject: [PATCH] Revert "Don't allow kernel_t to execute bin_t/usr_t binaries
@ -7,14 +7,14 @@ Subject: [PATCH] Revert "Don't allow kernel_t to execute bin_t/usr_t binaries
 This reverts commit 18c5559222ea3ca3588c8d32c06cddc41b66f688.

 ---
- policy/modules/kernel/kernel.te | 14 +++-----------
- 1 file changed, 3 insertions(+), 11 deletions(-)
+ policy/modules/kernel/kernel.te | 17 +++--------------
+ 1 file changed, 3 insertions(+), 14 deletions(-)

 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index fc6f5f8..daf0801 100644
+index 7dce828..0c1d125 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
-@@ -351,18 +351,10 @@ selinux_compute_create_context(kernel_t)
+@@ -356,25 +356,14 @@ selinux_compute_create_context(kernel_t)
 term_use_all_terms(kernel_t)
 term_use_ptmx(kernel_t)
 
@ -34,8 +34,15 @@ index fc6f5f8..daf0801 100644
 +# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
 +corecmd_exec_bin(kernel_t)
 
+ # Enable running `/usr/bin/env [u]mount ...` to support ZFS automounting.
+ # See the module/os/linux/zfs/zfs_ctldir.c file in
+ # https://github.com/openzfs/zfs/ for the usermode helper calls.
+-optional_policy(`
+-	mount_domtrans(kernel_generic_helper_t)
+-')
+ 
 domain_use_all_fds(kernel_t)
 domain_signal_all_domains(kernel_t)
 -- 
-2.27.0
+2.33.0

--- a/add-qemu_exec_t-for-stratovirt.patch
+++ b/add-qemu_exec_t-for-stratovirt.patch
@ -1,25 +1,24 @@
-From 601ffc24a1d00f20833eb104913634dedb51b95d Mon Sep 17 00:00:00 2001
-From: root <root@localhost.localdomain>
-Date: Fri, 20 Aug 2021 10:50:31 +0800
+From 3f9a66fb7bb35a101d8be50d8f2fa238af62d11f Mon Sep 17 00:00:00 2001
+From: jinlun <jinlun@huawei.com>
+Date: Tue, 26 Dec 2023 17:18:00 +0800
 Subject: [PATCH] add qemu_exec_t for stratovirt

-Signed-off-by: root <root@localhost.localdomain>
 ---
- policy/modules/contrib/virt.fc | 1 +
+ policy/modules/contrib/virt_supplementary.fc | 1 +
 1 file changed, 1 insertion(+)

-diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
-index d12dac0..c12f009 100644
--- a/policy/modules/contrib/virt.fc
-+++ b/policy/modules/contrib/virt.fc
-@@ -100,6 +100,7 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)?   gen_context(system_u:object_r:svirt_
- /usr/bin/qemu-system-.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
- /usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
- /usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
-+/usr/bin/stratovirt     --      gen_context(system_u:object_r:qemu_exec_t,s0)
+diff --git a/policy/modules/contrib/virt_supplementary.fc b/policy/modules/contrib/virt_supplementary.fc
+index d27441f..5563457 100644
+--- a/policy/modules/contrib/virt_supplementary.fc
+++ b/policy/modules/contrib/virt_supplementary.fc
+@@ -62,6 +62,7 @@ HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:sv
+ /usr/bin/qemu-system-.*                 --      gen_context(system_u:object_r:qemu_exec_t,s0)
+ /usr/bin/qemu-kvm                       --      gen_context(system_u:object_r:qemu_exec_t,s0)
+ /usr/libexec/qemu.*                     --      gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/stratovirt                     --      gen_context(system_u:object_r:qemu_exec_t,s0)
 
- /etc/qemu-ga/fsfreeze-hook.d(/.*)?      gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
- /usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)?  gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
+ # support for QEMU-GA
+ /etc/qemu-ga/fsfreeze-hook\.d(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
 -- 
-2.30.0
+2.27.0

--- a/allow-init_t-create-fifo-file-in-net_conf-dir.patch
+++ b/allow-init_t-create-fifo-file-in-net_conf-dir.patch
@ -1,6 +1,6 @@
-From b00033d4825cfc3ae9787c94ffa7e5408acf9a4b Mon Sep 17 00:00:00 2001
-From: Huaxin Lu <luhuaxin1@huawei.com>
-Date: Sun, 29 Jan 2023 00:36:01 +0800
+From ebfc55113be3be3a298a14e767712cc5e16a50c3 Mon Sep 17 00:00:00 2001
+From: jinlun <jinlun@huawei.com>
+Date: Thu, 28 Dec 2023 19:17:52 +0800
 Subject: [PATCH] allow init_t create fifo file in net_conf dir

 Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
@ -9,17 +9,17 @@ Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
 1 file changed, 1 insertion(+)

 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 8b84aa1..15b57a7 100644
+index 4f2ce88..5fc8fed 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
-@@ -872,6 +872,7 @@ optional_policy(`
- 
+@@ -879,6 +879,7 @@ optional_policy(`
 optional_policy(`
     sysnet_filetrans_cloud_net_conf(init_t)
+     sysnet_manage_config_pipes(init_t)
 +    manage_fifo_files_pattern(init_t, net_conf_t, net_conf_t)
 ')
 
 optional_policy(`
 -- 
-2.33.0
+2.27.0

--- a/fix-selinux-label-for-hostname-digest-list.patch
+++ b/fix-selinux-label-for-hostname-digest-list.patch
@ -15,9 +15,9 @@ index cfafbfa..bb5e759 100644
@@ -3,6 +3,7 @@ HOME_DIR/\.config/systemd/user(/.*)?		gen_context(system_u:object_r:systemd_unit
 /root/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 
- /etc/.*hostname.*			--		gen_context(system_u:object_r:hostname_etc_t,s0)
-+/etc/[^/]*hostname.*                    --              gen_context(system_u:object_r:hostname_etc_t,s0)
- /etc/machine-info		--		gen_context(system_u:object_r:hostname_etc_t,s0)
+ /etc/.*hostname.*	--	gen_context(system_u:object_r:hostname_etc_t,s0)
+/etc/[^/]*hostname.*	--	gen_context(system_u:object_r:hostname_etc_t,s0)
+ /etc/machine-info	--	gen_context(system_u:object_r:hostname_etc_t,s0)
 /etc/udev/.*hwdb.*	--	gen_context(system_u:object_r:systemd_hwdb_etc_t,s0)
 
 -- 
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -11,12 +11,12 @@

 Summary: SELinux policy configuration
 Name:    selinux-policy
-Version: 38.21
+Version: 40.7
 Release: 1
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/

-Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v38.21.tar.gz
+Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v40.7.tar.gz

 # Tool helps during policy development, to expand system m4 macros to raw allow rules
 # Git repo: https://github.com/fedora-selinux/macro-expander.git
@ -742,6 +742,19 @@ exit 0
 %endif

 %changelog
+* Thu Dec 28 2023 jinlun<jinlun@huawei.com> - 40.7-1
+- update version to 40.7
+  - Allow chronyd-restricted read chronyd key files
+  - Allow systemd-sleep set attributes of efivarfs files
+  - Make name_zone_t and named_var_run_t a part of the mountpoint attribute
+  - Update cifs interfaces to include fs_search_auto_mountpoints()
+  - Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
+  - Add map_read map_write to kernel_prog_run_bpf
+  - Add policy for nvme-stas
+  - Make new virt drivers permissive
+  - Allow named and ndc use the io_uring api
+  - Allow sssd send SIGKILL to passket_child running in ipa_otpd_t
+
 * Fri Jul 21 2023 jinlun<jinlun@huawei.com> - 38.21-1
 - update version to 38.21

--- a/v38.21.tar.gz
+++ b/v38.21.tar.gz
--- a/v40.7.tar.gz
+++ b/v40.7.tar.gz