!215 Don't allow kernel_t to execute bin_t/usr_t binaries without a transition

From: @jinlun123123 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

Policy-for-restoring-kernel_t.patch

@@ -0,0 +1,27 @@
+From 89d0eb2654943472f2ce33bcaa04be015985d5d8 Mon Sep 17 00:00:00 2001
+From: jinlun <jinlun@huawei.com>
+Date: Tue, 21 Mar 2023 10:15:04 +0800
+Subject: [PATCH] Policy for restoring kernel_t
+
+---
+ policy/modules/kernel/kernel.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index 2df33b0..a7bf2c8 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -504,6 +504,10 @@ optional_policy(`
+ 	init_read_utmp(kernel_systemctl_t)
+ ')
+ 
++optional_policy(`
++	unconfined_domain_noaudit(kernel_t)
++')
++
+ optional_policy(`
+ 	virt_filetrans_home_content(kernel_t)
+ ')
+-- 
+2.27.0
+

Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch

@@ -0,0 +1,37 @@
+From 36a7559c14a33b8ae867acaf3a724529ef2aa7ea Mon Sep 17 00:00:00 2001
+From: "GONG, Ruiqi" <gongruiqi1@huawei.com>
+Date: Mon, 20 Mar 2023 20:42:49 +0800
+Subject: [PATCH] Revert "Don't allow kernel_t to execute bin_t/usr_t binaries
+ without a transition"
+
+This reverts commit 18c5559222ea3ca3588c8d32c06cddc41b66f688.
+---
+ policy/modules/kernel/kernel.te | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index f7ac8cd1f..2df33b0ac 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -347,16 +347,10 @@ selinux_compute_create_context(kernel_t)
+ term_use_all_terms(kernel_t)
+ term_use_ptmx(kernel_t)
+ 
++corecmd_exec_shell(kernel_t)
+ corecmd_list_bin(kernel_t)
+-
+-# /proc/sys/kernel/modprobe is set to /bin/true if not using modules,
+-# thus allow a transition into a minimal helper domain through generic bin
+-# types.
+-type kernel_generic_helper_t;
+-domain_type(kernel_generic_helper_t)
+-role system_r types kernel_generic_helper_t;
+-corecmd_bin_entry_type(kernel_generic_helper_t)
+-corecmd_bin_domtrans(kernel_t, kernel_generic_helper_t)
++# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
++corecmd_exec_bin(kernel_t)
+ 
+ domain_use_all_fds(kernel_t)
+ domain_signal_all_domains(kernel_t)
+-- 
+2.25.1

selinux-policy.spec

@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 38.6
-Release: 2
+Release: 3
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/
 
@@ -71,9 +71,11 @@ Patch9003: allow-httpd-to-put-files-in-httpd-config-dir.patch
 Patch9004: allow-map-postfix_master_t.patch
 Patch9005: add-rule-for-hostnamed-to-rpmscript-dbus-chat.patch
 Patch9006: allow-init_t-create-fifo-file-in-net_conf-dir.patch 
+Patch9007: Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch
+Patch9008: Policy-for-restoring-kernel_t.patch
 
 BuildArch: noarch
-BuildRequires:  python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
+BuildRequires:  python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc procps-ng
 Requires(pre):  policycoreutils >= %{POLICYCOREUTILSVER}
 Requires(post): /bin/awk /usr/bin/sha512sum
 Requires: rpm-plugin-selinux
@@ -740,6 +742,9 @@ exit 0
 %endif
 
 %changelog
+* Mon Mar 20 2023 jinlun<jinlun@huawei.com> - 38.6-3
+- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition
+
 * Mon Feb 6 2023 luhuaxin<luhuaxin1@huawei.com> - 38.6-2
 - allow init_t create fifo file in net_conf dir