sync modification on other branches

2021-03-05 09:56:07 +08:00 · 2021-03-05 09:56:07 +08:00 · 64b450cf99
commit 64b450cf99
parent 0c24e3de8b
4 changed files with 79 additions and 5 deletions
--- a/backport-Allow-dovecot-bind-to-smtp-ports.patch
+++ b/backport-Allow-dovecot-bind-to-smtp-ports.patch
@ -0,0 +1,29 @@
 From f5c688321e04364bdfd030dd1412a7e5a4ecc6b6 Mon Sep 17 00:00:00 2001
 From: Zdenek Pytela <zpytela@redhat.com>
 Date: Tue, 10 Nov 2020 18:04:49 +0100
 Subject: [PATCH] Allow dovecot bind to smtp ports
 When dovecot is configured to listen on submission ports
 (tcp 465 or 587), it requires the name_bind permission to ports
 labeled smtp_port_t.
 Resolves: rhbz#1881884
 ---
 dovecot.te | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
 index 6cf4b72e9..0b140e932 100644
 --- a/policy/modules/contrib/dovecot.te
 +++ b/policy/modules/contrib/dovecot.te
@@ -147,6 +147,7 @@ corenet_tcp_bind_mail_port(dovecot_t)
 corenet_tcp_bind_pop_port(dovecot_t)
 corenet_tcp_bind_lmtp_port(dovecot_t)
 corenet_tcp_bind_sieve_port(dovecot_t)
 +corenet_tcp_bind_smtp_port(dovecot_t)
 corenet_tcp_connect_all_ports(dovecot_t)
 corenet_tcp_connect_postgresql_port(dovecot_t)
 corenet_sendrecv_pop_server_packets(dovecot_t)
 -- 
 2.23.0
--- a/backport-systemd-allow-all-systemd-services-to-check-selinux-.patch
+++ b/backport-systemd-allow-all-systemd-services-to-check-selinux-.patch
@ -0,0 +1,42 @@
 From a96ac9ed374cab65f53a26cd39053705569532bc Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
 Date: Wed, 28 Oct 2020 09:17:15 +0100
 Subject: [PATCH] systemd: allow all systemd services to check selinux status
 After https://github.com/systemd/systemd/commit/fd5e402fa9 most systemd
 services fail to start with:
 Oct 27 13:50:38 workstation-uefi systemd[1]: Starting systemd-hostnamed.service...
 Oct 27 13:50:38 workstation-uefi systemd-hostnamed[944]: Failed to open SELinux status page: Permission denied
 Oct 27 13:50:38 workstation-uefi systemd[1]: systemd-hostnamed.service: Main process exited, code=exited, status=1/FAILURE
 After disabling dontaudit:
 Oct 27 14:05:08 workstation-uefi audit[1043]: AVC avc:  denied  { read } for  pid=1043 comm="systemd-hostnam" name="status" dev="selinuxfs" ino=19 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
 Oct 27 14:05:08 workstation-uefi audit[1043]: AVC avc:  denied  { open } for  pid=1043 comm="systemd-hostnam" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
 Oct 27 14:05:08 workstation-uefi audit[1043]: AVC avc:  denied  { map } for  pid=1043 comm="systemd-hostnam" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
 As first step, allow all systemd services to check selinux status.
 The check for selinux status is called from mac_selinux_init() which
 is called in 16 different places, so I don't think it makes sense to
 try to list them all. Any code which wants to create a labelled file is
 likely to call mac_selinux_init().
 ---
 policy/modules/system/systemd.if | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 index ff3116142..253396f1c 100644
 --- a/policy/modules/system/systemd.if
 +++ b/policy/modules/system/systemd.if
@@ -24,6 +24,7 @@ template(`systemd_domain_template',`
     kernel_read_system_state($1_t)
     auth_use_nsswitch($1_t)
 +    selinux_get_enforce_mode($1_t)
 ')
 ######################################
 -- 
 2.23.0
--- a/rpm.macros
+++ b/rpm.macros
@ -38,11 +38,7 @@ BuildRequires: selinux-policy-devel \
 Requires(post): selinux-policy-base >= %{_selinux_policy_version} \
 Requires(post): libselinux-utils \
 Requires(post): policycoreutils \
 %if 0%{?fedora} || 0%{?rhel} > 7\
 Requires(post): policycoreutils-python-utils \
 %else \
 Requires(post): policycoreutils-python \
 %endif \
 %{nil}
 # %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 3.14.2
-Release: 63
+Release: 65
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/
@ -70,6 +70,8 @@ Patch17: allow-systemd-hostnamed-and-logind-read-policy.patch
 Patch18: add-firewalld-fc.patch
 Patch19: add-allow-systemd-timedated-to-unlink-etc-link.patch
 Patch20: add-avc-for-openEuler-1.patch
 Patch21: backport-systemd-allow-all-systemd-services-to-check-selinux-.patch
 Patch22: backport-Allow-dovecot-bind-to-smtp-ports.patch
 BuildArch: noarch
 BuildRequires:  python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
@ -735,6 +737,11 @@ exit 0
 %endif
 %changelog
 * Fri Mar 5 2021 luhuaxin <1539327763@qq.com> - 3.14.2-65
 - selinux_requires macro shouldn't depend on policycoreutils-python
 - add avc for allowing systemd services to check selinux status
 - add avc for allowing dovecot to bind smtp port
 * Sun Dec 13 2020 luhuaxin <1539327763@qq.com> - 3.14.2-64
 - add avc for openEuler