update selinux-policy-3.14.2 to selinux-policy-35.5-1

lujie42 2022-01-11 20:10:16 +08:00
parent 22388671cb
commit 6ebc7b5b53
68 changed files with 199 additions and 2861 deletions


@ -1,51 +0,0 @@
From df3d1a93a1126c15fe540a48515c604217f3202e Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Tue, 25 Feb 2020 20:15:44 +0800
Subject: [PATCH] access to iptables run file
Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
policy/modules/contrib/firewalld.te | 3 +++
policy/modules/system/iptables.if | 18 ++++++++++++++++++
2 files changed, 21 insertions(+)
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 8b78b37..f1cbf0a 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -139,3 +139,6 @@ optional_policy(`
optional_policy(`
networkmanager_read_state(firewalld_t)
')
+
+# avc for openEuler
+iptables_var_run_file(firewalld_t)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 5e1a4a5..6bdd8cf 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -221,3 +221,21 @@ interface(`iptables_read_var_run',`
allow $1 iptables_var_run_t:dir list_dir_perms;
read_files_pattern($1, iptables_var_run_t, iptables_var_run_t)
')
+
+#####################################
+## <summary>
+## Access to iptables run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`iptables_var_run_file',`
+gen_require(`
+type iptables_var_run_t;
+')
+
+allow $1 iptables_var_run_t:file { lock open read };
+')
--
1.8.3.1


@ -1,52 +0,0 @@
From 6b63c0acdb2e2435e4294f2de08dd376db15e4e8 Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Tue, 25 Feb 2020 21:02:54 +0800
Subject: [PATCH] add access to faillog file for systemd
Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
policy/modules/system/authlogin.if | 19 +++++++++++++++++++
policy/modules/system/init.te | 3 +++
2 files changed, 22 insertions(+)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 728a1c4..6f35819 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -2413,3 +2413,22 @@ interface(`auth_login_manage_key',`
allow $1 login_pgm:key manage_key_perms;
')
+
+########################################
+## <summary>
+## Manage the login failure log for systemd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_faillog',`
+gen_require(`
+type faillog_t;
+')
+
+allow $1 faillog_t:dir { add_name write };
+allow $1 faillog_t:file create;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 035720b..e0d584a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1868,3 +1868,6 @@ optional_policy(`
ccs_read_config(daemon)
')
')
+
+# avc for oprnEuler
+systemd_manage_faillog(init_t)
--
1.8.3.1


@ -1,25 +0,0 @@
From 595e1f9fd4e9b5106487da882cf11d2ffdf79255 Mon Sep 17 00:00:00 2001
From: lujie42 <572084868@qq.com>
Date: Fri, 3 Sep 2021 20:22:18 +0800
Subject: [PATCH] add allow rasdaemon cap_sys_admin
Signed-off-by: lujie42 <572084868@qq.com>
---
policy/modules/contrib/rasdaemon.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/rasdaemon.te b/policy/modules/contrib/rasdaemon.te
index f6891a1..e102e63 100644
--- a/policy/modules/contrib/rasdaemon.te
+++ b/policy/modules/contrib/rasdaemon.te
@@ -19,6 +19,7 @@ systemd_unit_file(rasdaemon_unit_file_t)
#
# rasdaemon local policy
#
+allow rasdaemon_t self:capability sys_admin;
allow rasdaemon_t self:fifo_file rw_fifo_file_perms;
allow rasdaemon_t self:unix_stream_socket create_stream_socket_perms;
--
1.8.3.1


@ -1,31 +0,0 @@
From edba62fdaa8115c0c194ad6d86981e8c9692b8e7 Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Thu, 4 Jun 2020 21:11:52 +0800
Subject: [PATCH] add allow shadow tool to access sssd var lib file/dir
Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
policy/modules/admin/usermanage.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1977309..b8d51ba 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -666,8 +666,13 @@ optional_policy(`
# avc for openEuler
#sssd_var_lib_dir(groupadd_t)
optional_policy(`
+ sssd_var_lib_dir(groupadd_t)
sssd_var_lib_map_file(groupadd_t)
sssd_var_lib_write_file(groupadd_t)
+ sssd_var_lib_map_file(passwd_t)
+ sssd_var_lib_write_file(passwd_t)
sssd_var_lib_map_file(useradd_t)
sssd_var_lib_write_file(useradd_t)
+ sssd_var_lib_create_file(useradd_t)
+ sssd_var_lib_dir(useradd_t)
')
--
1.8.3.1


@ -1,110 +0,0 @@
From e4184b665f1ca1f86fb7554095a73a71ad4a46ef Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Tue, 25 Feb 2020 18:30:13 +0800
Subject: [PATCH] add allow to be access to sssd dir and file
Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
policy/modules/admin/usermanage.te | 8 +++++
policy/modules/contrib/sssd.if | 72 ++++++++++++++++++++++++++++++++++++++
2 files changed, 80 insertions(+)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 43fed66..c8580a7 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -663,3 +663,11 @@ optional_policy(`
optional_policy(`
stapserver_manage_lib(useradd_t)
')
+# avc for openEuler
+#sssd_var_lib_dir(groupadd_t)
+optional_policy(`
+ sssd_var_lib_map_file(groupadd_t)
+ sssd_var_lib_write_file(groupadd_t)
+ sssd_var_lib_map_file(useradd_t)
+ sssd_var_lib_write_file(useradd_t)
+')
diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if
index 50eee3f..1b61ccd 100644
--- a/policy/modules/contrib/sssd.if
+++ b/policy/modules/contrib/sssd.if
@@ -576,3 +576,75 @@ interface(`sssd_admin',`
allow $1 sssd_unit_file_t:service all_service_perms;
')
+
+########################################
+## <summary>
+## Allow to be access to sssd lib dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow.
+## </summary>
+## </param>
+#
+interface(`sssd_var_lib_dir',`
+gen_require(`
+type sssd_var_lib_t;
+')
+
+allow $1 sssd_var_lib_t:dir { add_name write };
+')
+
+########################################
+## <summary>
+## Allow to map sssd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow.
+## </summary>
+## </param>
+#
+interface(`sssd_var_lib_map_file',`
+gen_require(`
+type sssd_var_lib_t;
+')
+
+allow $1 sssd_var_lib_t:file map;
+')
+
+########################################
+## <summary>
+## Allow to write sssd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow.
+## </summary>
+## </param>
+#
+interface(`sssd_var_lib_write_file',`
+gen_require(`
+type sssd_var_lib_t;
+')
+
+allow $1 sssd_var_lib_t:file write;
+')
+
+########################################
+## <summary>
+## Allow to create sssd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow.
+## </summary>
+## </param>
+#
+interface(`sssd_var_lib_create_file',`
+gen_require(`
+type sssd_var_lib_t;
+')
+
+allow $1 sssd_var_lib_t:file create;
+')
--
1.8.3.1


@ -1,24 +0,0 @@
From 9cc71f5e435a8cd95c1d186672ebbdb96e711a92 Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Thu, 16 Jul 2020 18:45:34 +0800
Subject: [PATCH] add avc for kmod
Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
policy/modules/system/modutils.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index add5eca..d512b51 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -259,3 +259,6 @@ ifdef(`distro_gentoo',`
')
')
+# avc for openEuler
+init_nnp_daemon_domain(insmod_t)
+
--
1.8.3.1


@ -1,30 +0,0 @@
From f5e75734ba636d9a3db9e7fc4a9c7766b5f965aa Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Thu, 16 Jul 2020 19:01:43 +0800
Subject: [PATCH] add avc for systemd-hostnamed and systemd-logind
Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
policy/modules/system/systemd.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7cb36c4..72f413c 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -373,6 +373,12 @@ optional_policy(`
xserver_search_xdm_tmp_dirs(systemd_logind_t)
')
+# avc for openEuler
+allow init_t systemd_logind_var_lib_t:dir { create mounton read };
+allow init_t systemd_logind_var_run_t:dir mounton;
+init_nnp_daemon_domain(systemd_hostnamed_t)
+init_nnp_daemon_domain(systemd_logind_t)
+
########################################
#
# systemd_machined local policy
--
1.8.3.1


@ -1,53 +1,23 @@
From 9865bc70309c32f731d85e18f8ed29af184086cf Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Thu, 16 Jul 2020 18:54:28 +0800
From f984d0f1fa193e7f5fdf8bd8aef92b24550eaec4 Mon Sep 17 00:00:00 2001
From: lujie42 <lujie42@huawei.com>
Date: Tue, 21 Dec 2021 17:19:13 +0800
Subject: [PATCH] add avc for systemd-journald
Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
Signed-off-by: lujie42 <lujie42@huawei.com>
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/kernel.if | 17 +++++++++++++++++
policy/modules/system/init.te | 5 ++++-
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 5 +++++
policy/modules/system/logging.if | 18 ++++++++++++++++++
policy/modules/system/logging.te | 3 +++
5 files changed, 60 insertions(+), 1 deletion(-)
3 files changed, 41 insertions(+)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 932b9bd..eb8c5c6 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -7343,3 +7343,21 @@ interface(`dev_filetrans_xserver_named_dev',`
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
')
+
+########################################
+## <summary>
+## Allow to read the kernel messages
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow.
+## </summary>
+## </param>
+#
+interface(`dev_read_kernel_msg',`
+gen_require(`
+type kmsg_device_t;
+')
+
+allow $1 kmsg_device_t:chr_file read;
+')
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 023ee09..a1bb39b 100644
index 62845c1..a2e2750 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -4268,3 +4268,20 @@ interface(`kernel_unlabeled_entry_type',`
allow $1 unlabeled_t:file { mmap_exec_file_perms ioctl lock };
')
@@ -4245,6 +4245,24 @@ interface(`kernel_read_netlink_audit_socket',`
+########################################
+## <summary>
########################################
## <summary>
+## Access to netlink audit socket
+## </summary>
+## <param name="domain">
@ -57,63 +27,63 @@ index 023ee09..a1bb39b 100644
+## </param>
+#
+interface(`kernel_netlink_audit_socket',`
+gen_require(`
+type kernel_t;
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:netlink_audit_socket $2;
+')
+
+allow $1 kernel_t:netlink_audit_socket $2;
+')
+########################################
+## <summary>
## Execute an unlabeled file in the specified domain.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a92f4d8..6bccd0b 100644
index 9a4a0d2..0aea278 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1946,5 +1946,8 @@ optional_policy(`
')
')
@@ -731,6 +731,11 @@ auth_rw_lastlog(init_t)
auth_domtrans_chk_passwd(init_t)
auth_manage_passwd(init_t)
-# avc for oprnEuler
+# avc for openEuler
systemd_manage_faillog(init_t)
+kernel_netlink_audit_socket(init_t, getattr)
+dev_read_kernel_msg(init_t)
+logging_journal(init_t)
+logging_access_journal(init_t)
+dev_read_kmsg(init_t)
+
ifdef(`distro_redhat',`
# it comes from setupr scripts used in systemd unit files
# has been covered by initrc_t
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 408dba0..526a813 100644
index 8092f3e..3452bd2 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1686,3 +1686,21 @@ interface(`logging_dgram_send',`
@@ -1753,6 +1753,24 @@ interface(`logging_mmap_journal',`
allow $1 syslogd_t:unix_dgram_socket sendto;
')
#######################################
## <summary>
+## Access to files in /run/log/journal/ directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_access_journal',`
+ gen_require(`
+ type syslogd_var_run_t;
+ ')
+
+ allow $1 syslogd_var_run_t:file { create rename write };
+')
+
+#######################################
+## <summary>
+## Access to files in /run/log/journal/ directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_journal',`
+gen_require(`
+type syslogd_var_run_t;
+')
+
+allow $1 syslogd_var_run_t:file { create rename write };
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index cdaba23..ddeb00a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -753,3 +753,6 @@ ifdef(`hide_broken_symptoms',`
')
logging_stream_connect_syslog(syslog_client_type)
+
+# avc for openEuler
+init_nnp_daemon_domain(syslogd_t)
## Watch the /run/log/journal directory.
## </summary>
## <param name="domain">
--
1.8.3.1
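Review bot: The new `kernel_netlink_audit_socket` interface passes its second argument straight through in `allow $1 kernel_t:netlink_audit_socket $2;`, yet the visible doc block has only a `<param name="domain">` entry and no `<param name="perms">` describing what `$2` is (the interleaved old/new rendering may hide one). A caller-chosen permission set is unusual in refpolicy because it lets a later caller widen access on the kernel audit socket without the interface being reviewed; either document the parameter and keep callers to a minimal set (the init.te hunk passes `getattr`, which is fine) or make it a fixed `getattr`-only interface. The `logging_access_journal` summary, `## Access to files in /run/log/journal/ directory.`, does not say that it grants `create rename write` on `syslogd_var_run_t:file`; a summary such as `## Create, rename and write journald runtime files (syslogd_var_run_t).` would match the rule. The `# avc for openEuler` line in init.te groups denial-driven rules without naming the denied operation, so a one-line comment per rule stating the denial it resolves would let a later reviewer judge whether init_t still needs write access to journald's runtime files.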


@ -1,123 +0,0 @@
From 1a6889def34747b606f4e520fbff72fe86f90b0f Mon Sep 17 00:00:00 2001
From: lujie42 <572084868@qq.com>
Date: Tue, 24 Aug 2021 15:38:40 +0800
Subject: [PATCH] add avc for systemd no17479
Signed-off-by: lujie42 <572084868@qq.com>
---
policy/modules/kernel/domain.te | 4 ++--
policy/modules/kernel/selinux.if | 2 +-
policy/modules/system/logging.te | 1 +
policy/modules/system/systemd.if | 7 ++++---
policy/modules/system/systemd.te | 3 +++
5 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 8e52b17..27b112c 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -510,7 +510,7 @@ optional_policy(`
')
optional_policy(`
- systemd_dbus_chat_resolved(domain)
+ systemd_chat_resolved(domain)
systemd_login_status(unconfined_domain_type)
systemd_login_reboot(unconfined_domain_type)
systemd_login_halt(unconfined_domain_type)
@@ -519,7 +519,7 @@ optional_policy(`
systemd_filetrans_named_content(named_filetrans_domain)
systemd_filetrans_named_hostname(named_filetrans_domain)
systemd_filetrans_home_content(named_filetrans_domain)
- systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)
+ systemd_dontaudit_write_inherited_logind_sessions_pipes(domain)
')
optional_policy(`
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index ac70efb..a2ab3fc 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -324,7 +324,7 @@ interface(`selinux_get_enforce_mode',`
dev_search_sysfs($1)
selinux_get_fs_mount($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 security_t:file read_file_perms;
+ allow $1 security_t:file mmap_read_file_perms;
allow $1 security_t:lnk_file read_lnk_file_perms;
')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index df4e985..482fe6d 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -622,6 +622,7 @@ term_write_unallocated_ttys(syslogd_t)
term_use_generic_ptys(syslogd_t)
init_stream_connect(syslogd_t)
+init_read_pid_files(syslogd_t)
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 514bbd7..6503c87 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2345,8 +2345,8 @@ interface(`systemd_map_resolved_exec_files',`
########################################
## <summary>
-## Send and receive messages from
-## systemd resolved over dbus.
+## Exchange messages with
+## systemd resolved over dbus or varlink.
## </summary>
## <param name="domain">
## <summary>
@@ -2354,13 +2354,14 @@ interface(`systemd_map_resolved_exec_files',`
## </summary>
## </param>
#
-interface(`systemd_dbus_chat_resolved',`
+interface(`systemd_chat_resolved',`
gen_require(`
type systemd_resolved_t;
class dbus send_msg;
')
allow $1 systemd_resolved_t:dbus send_msg;
+ allow $1 systemd_resolved_t:unix_stream_socket connectto;
allow systemd_resolved_t $1:dbus send_msg;
ps_process_pattern(systemd_resolved_t, $1)
')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 1e96c31..7849d51 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -13,6 +13,7 @@ attribute systemd_private_tmp_type;
attribute systemd_read_efivarfs_type;
fs_read_efivarfs_files(systemd_read_efivarfs_type)
+read_files_pattern(systemd_read_efivarfs_type, init_var_run_t, init_var_run_t)
systemd_domain_template(systemd_logger)
systemd_domain_template(systemd_logind)
@@ -501,6 +502,7 @@ corenet_tcp_bind_dhcpd_port(systemd_networkd_t)
corenet_udp_bind_dhcpd_port(systemd_networkd_t)
fs_read_xenfs_files(systemd_networkd_t)
+fs_read_nsfs_files(systemd_networkd_t)
dev_read_sysfs(systemd_networkd_t)
dev_write_kmsg(systemd_networkd_t)
@@ -1066,6 +1068,7 @@ allow systemd_resolved_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
--
1.8.3.1


@ -1,80 +1,25 @@
From 89ae7e3f5493d253cbe42e7950e426cd41433230 Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Thu, 16 Jul 2020 19:09:57 +0800
From dd92e4c3df1b07249810fb824bdddd2cee77c7eb Mon Sep 17 00:00:00 2001
From: lujie42 <lujie42@huawei.com>
Date: Tue, 21 Dec 2021 17:34:01 +0800
Subject: [PATCH] add avc for systemd
Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
Signed-off-by: lujie42 <lujie42@huawei.com>
---
policy/modules/contrib/dbus.te | 3 +++
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 1 +
policy/modules/system/systemd.te | 4 ++++
4 files changed, 26 insertions(+)
policy/modules/system/init.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 4cf41a5..2e2732d 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -384,6 +384,9 @@ optional_policy(`
xserver_append_xdm_home_files(session_bus_type)
')
+# avc for openEuler
+allow init_t session_dbusd_tmp_t:dir { read remove_name rmdir write };
+allow init_t system_dbusd_var_run_t:sock_file read;
########################################
#
# Unconfined access to this module
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index eb8c5c6..846bb94 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -7361,3 +7361,21 @@ type kmsg_device_t;
allow $1 kmsg_device_t:chr_file read;
')
+
+########################################
+## <summary>
+## Allow to read the clock device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow.
+## </summary>
+## </param>
+#
+interface(`dev_read_clock_device',`
+gen_require(`
+type clock_device_t;
+')
+
+allow $1 clock_device_t:chr_file read;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 6bccd0b..b7a4114 100644
index 0aea278..b1ed998 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1951,3 +1951,4 @@ systemd_manage_faillog(init_t)
@@ -735,6 +735,7 @@ auth_manage_passwd(init_t)
kernel_netlink_audit_socket(init_t, getattr)
dev_read_kernel_msg(init_t)
logging_journal(init_t)
+dev_read_clock_device(init_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 72f413c..0a65c1d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -378,6 +378,10 @@ allow init_t systemd_logind_var_lib_t:dir { create mounton read };
allow init_t systemd_logind_var_run_t:dir mounton;
init_nnp_daemon_domain(systemd_hostnamed_t)
init_nnp_daemon_domain(systemd_logind_t)
+init_nnp_daemon_domain(systemd_coredump_t)
+init_nnp_daemon_domain(systemd_initctl_t)
+init_nnp_daemon_domain(systemd_localed_t)
+init_nnp_daemon_domain(systemd_machined_t)
logging_access_journal(init_t)
dev_read_kmsg(init_t)
+dev_read_realtime_clock(init_t)
########################################
#
ifdef(`distro_redhat',`
# it comes from setupr scripts used in systemd unit files
--
1.8.3.1
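Review bot: The single line the new version of this patch adds to init.te (one insertion per its diffstat, presumably `dev_read_realtime_clock(init_t)`) sits under the `# avc for openEuler` marker with no statement of which init_t access to `clock_device_t` was denied, and the patch subject `add avc for systemd` does not say what is being allowed either. A comment on the new line such as `# init_t reads the RTC device; resolves AVC <denial reference placeholder>` and a subject naming the permission would let the rule be re-evaluated when the base policy changes. Replacing the old side's private `dev_read_clock_device` interface with the stock `dev_read_realtime_clock` interface avoids carrying a duplicate definition in devices.if, which is an improvement worth recording in the patch description. The `ifdef` block for distro_redhat that follows continues outside the hunk.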


@ -1,34 +0,0 @@
From 8b2179cbe385e4b67ab159ac7eee159a664888e3 Mon Sep 17 00:00:00 2001
From: HuaxinLuGitee <1539327763@qq.com>
Date: Tue, 22 Sep 2020 20:44:36 +0800
Subject: [PATCH] commit 2
---
policy/modules/system/systemd.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7cb36c4..a98d366 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -331,6 +331,8 @@ userdom_manage_user_tmp_chr_files(systemd_logind_t)
xserver_dbus_chat(systemd_logind_t)
+allow systemd_logind_t security_t:file mmap_read_file_perms;
+
optional_policy(`
apache_read_tmp_files(systemd_logind_t)
')
@@ -818,6 +820,8 @@ systemd_read_efivarfs(systemd_hostnamed_t)
userdom_read_all_users_state(systemd_hostnamed_t)
userdom_dbus_send_all_users(systemd_hostnamed_t)
+allow systemd_hostnamed_t security_t:file mmap_read_file_perms;
+
optional_policy(`
dbus_system_bus_client(systemd_hostnamed_t)
dbus_connect_system_bus(systemd_hostnamed_t)
--
1.8.3.1


@ -1,54 +0,0 @@
From d4a034518393bd1c0277a4dd3e87c8e94b394317 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 11 Aug 2020 12:47:42 +0200
Subject: [PATCH] Allow systemd-machined create userdbd runtime sock files
Create the systemd_create_userdbd_runtime_sock_files() interface.
Resolves: rhbz#1862686
---
policy/modules/system/systemd.if | 18 ++++++++++++++++++
policy/modules/system/systemd.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index c9d2ed7..a6d8bd0 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2374,3 +2374,21 @@ interface(`systemd_userdbd_stream_connect',`
allow $1 systemd_userdbd_t:unix_stream_socket connectto;
')
+
+#######################################
+## <summary>
+## Create a named socket in userdbd runtime directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_create_userdbd_runtime_sock_files',`
+ gen_require(`
+ type systemd_userdbd_runtime_t;
+ ')
+
+ create_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 367758a..806b7d6 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -415,6 +415,7 @@ init_manage_config_transient_files(systemd_machined_t)
logging_dgram_send(systemd_machined_t)
systemd_read_efivarfs(systemd_machined_t)
+systemd_create_userdbd_runtime_sock_files(systemd_machined_t)
userdom_dbus_send_all_users(systemd_machined_t)
--
1.8.3.1


@ -1,25 +0,0 @@
From e9b8e0daa3fb3f3b7079ffb6095d9842ccda4554 Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Thu, 16 Jul 2020 19:35:21 +0800
Subject: [PATCH] allow systemd to mount unlabeled filesystemd
Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
policy/modules/system/init.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b7a4114..d8ca280 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -591,6 +591,7 @@ dev_rw_wireless(init_t)
files_search_all(init_t)
files_mounton_all_mountpoints(init_t)
files_mounton_etc(init_t)
+files_mounton_isid(init_t)
files_unmount_all_file_type_fs(init_t)
files_mounton_kernel_symbol_table(init_t)
files_manage_all_pid_dirs(init_t)
--
1.8.3.1


@ -1,25 +0,0 @@
From 99e2285e42bb9d06dbf1322b2990ccee974e1c92 Mon Sep 17 00:00:00 2001
From: HuaxinLuGitee <1539327763@qq.com>
Date: Thu, 17 Sep 2020 14:27:25 +0800
Subject: [PATCH] allow systemd_machined_t delete userdbd runtime sock file
---
policy/modules/system/systemd.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7cb36c4..d0127f6 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -189,6 +189,8 @@ systemd_unit_file(systemd_userdbd_unit_file_t)
type systemd_userdbd_runtime_t;
files_pid_file(systemd_userdbd_runtime_t)
+delete_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+
#######################################
#
# Systemd_logind local policy
--
1.8.3.1


@ -1,77 +0,0 @@
From 395220122fcd6b93956c758a2a5094487254a89e Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 30 Jul 2020 18:21:16 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/395220122fcd6b93956c758a2a5094487254a89e
Conflict: NA
Subject: [PATCH] Add dev_lock_all_blk_files() interface
For use in the dev_lock_all_blk_files() interface, create the
lock_blk_files_pattern and lock_blk_file_perms object permissions set.
---
policy/modules/kernel/devices.if | 20 ++++++++++++++++++++
policy/support/file_patterns.spt | 5 +++++
policy/support/obj_perm_sets.spt | 1 +
3 files changed, 26 insertions(+)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 932b9bd..2a69660 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1169,6 +1169,26 @@ interface(`dev_getattr_all_blk_files',`
########################################
## <summary>
+## Lock on all block file device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dev_lock_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ type device_t;
+ ')
+
+ lock_blk_files_pattern($1, device_t, device_node)
+')
+
+########################################
+## <summary>
## Read on all block file device nodes.
## </summary>
## <param name="domain">
diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
index 8aa8c36..7e3fccd 100644
--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@@ -408,6 +408,11 @@ define(`setattr_blk_files_pattern',`
allow $1 $3:blk_file setattr_blk_file_perms;
')
+define(`lock_blk_files_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:blk_file lock_blk_file_perms;
+')
+
define(`read_blk_files_pattern',`
allow $1 $2:dir search_dir_perms;
allow $1 $3:blk_file read_blk_file_perms;
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 399c448..524c586 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -233,6 +233,7 @@ define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }')
#
define(`getattr_blk_file_perms',`{ getattr }')
define(`setattr_blk_file_perms',`{ setattr }')
+define(`lock_blk_file_perms',`{ getattr lock }')
define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
--
1.8.3.1


@ -1,53 +0,0 @@
From 1363710b88904f29915e39335fef0dfb673a0f70 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 24 Aug 2020 14:29:15 +0200
Subject: [PATCH] Add file context for ~/.config/Yubico
Add file context specification for ~/.config/Yubico in addition to
existing ~/.yubico. Update the auth_filetrans_home_content() and
auth_filetrans_admin_home_content() interfaces accordingly.
Resolves: rhbz#1860888
Signed-off-by: lujie42 <572084868@qq.com>
---
policy/modules/system/authlogin.fc | 2 ++
policy/modules/system/authlogin.if | 2 ++
2 files changed, 4 insertions(+)
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 009c156..58551ec 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,7 +1,9 @@
HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+HOME_DIR/\.config/Yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.config/Yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
/root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 099166d..90ae5fe 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -2313,6 +2313,7 @@ interface(`auth_filetrans_admin_home_content',`
userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
+ userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
')
@@ -2377,6 +2378,7 @@ interface(`auth_filetrans_home_content',`
userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
+ userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
')
########################################
--
1.8.3.1


@ -1,60 +0,0 @@
From 86c35f41cfe150545db77835cb96bf342f35f44f Mon Sep 17 00:00:00 2001
From: Tony Asleson <tasleson@redhat.com>
Date: Fri, 11 Sep 2020 11:06:28 -0500
Reference: https://github.com/fedora-selinux/selinux-policy/commit/86c35f41cfe150545db77835cb96bf342f35f44f
Conflict: NA
Subject: [PATCH] Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces
Signed-off-by: Tony Asleson <tasleson@redhat.com>
---
policy/modules/system/lvm.if | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index fbbb39e..7f3903a 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -452,4 +452,40 @@ interface(`lvm_manage_lock',`
')
+########################################
+## <summary>
+## Allow dbus send for lvm dbus API (only send needed)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_dbus_send_msg',`
+ gen_require(`
+ type lvm_t;
+ class dbus send_msg;
+ ')
+ allow $1 lvm_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Allow lvm hints file access
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_rw_var_run',`
+ gen_require(`
+ type lvm_t;
+ type lvm_var_run_t;
+ ')
+ allow $1 lvm_var_run_t:file { rw_file_perms };
+
+')
--
1.8.3.1


@ -1,102 +0,0 @@
From e6506d8ed109fe85ae9236a62c17f68a8eeedb8f Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 4 Sep 2020 12:28:24 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/e6506d8ed109fe85ae9236a62c17f68a8eeedb8f
Conflict: NA
Subject: [PATCH] Add new devices and filesystem interfaces
Add dev_remount_sysfs_fs(), fs_all_mount_fs_perms_xattr_fs(),
fs_all_mount_fs_perms_tmpfs() interfaces.
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/kernel/filesystem.if | 38 +++++++++++++++++++++++++++++++++++++
2 files changed, 56 insertions(+)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 2a69660..61fedbb 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4832,6 +4832,24 @@ interface(`dev_unmount_sysfs_fs',`
########################################
## <summary>
+## Remount sysfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_remount_sysfs_fs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem remount;
+')
+
+########################################
+## <summary>
## Search the sysfs directories.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 17a9f08..d3f24d2 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -169,6 +169,26 @@ interface(`fs_unmount_xattr_fs',`
########################################
## <summary>
+## Mount, remount, unmount a persistent filesystem which
+## has extended attributes, such as
+## ext3, JFS, or XFS.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_all_mount_fs_perms_xattr_fs',`
+ gen_require(`
+ type fs_t;
+ ')
+
+ allow $1 fs_t:filesystem mount_fs_perms;
+')
+
+########################################
+## <summary>
## Get the attributes of persistent
## filesystems which have extended
## attributes, such as ext3, JFS, or XFS.
@@ -5206,6 +5226,24 @@ interface(`fs_unmount_tmpfs',`
########################################
## <summary>
+## Mount, remount, unmount a tmpfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_all_mount_fs_perms_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:filesystem mount_fs_perms;
+')
+
+########################################
+## <summary>
## Mount on tmpfs directories.
## </summary>
## <param name="domain">
--
1.8.3.1


@ -1,44 +0,0 @@
From 33837787642166330b1400133de2023aa931f236 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 10 Dec 2020 00:15:37 +0100
Reference: https://github.com/fedora-selinux/selinux-policy/commit/33837787642166330b1400133de2023aa931f236
Conflict: NA
Subject: [PATCH] Add systemd_resolved_write_pid_sock_files() interface
---
policy/modules/system/systemd.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index ffed76c..26d4927 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -318,6 +318,25 @@ interface(`systemd_resolved_read_pid',`
######################################
## <summary>
+## Write to systemd_resolved PID socket files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_resolved_write_pid_sock_files',`
+ gen_require(`
+ type systemd_resolved_var_run_t;
+ ')
+
+ files_search_pids($1)
+ write_sock_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+')
+
+######################################
+## <summary>
## Read systemd_login PID files.
## </summary>
## <param name="domain">
--
1.8.3.1


@ -1,36 +0,0 @@
From 6cc668244e41677470f5e97ab0f680436ac61652 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 26 Apr 2021 22:39:43 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/6cc668244e41677470f5e97ab0f680436ac61652
Conflict: NA
Subject: [PATCH] Allow IPsec and certmonger to use opencryptoki services
Add to certmonger and ipsec policy interface pkcs_use_opencryptoki(),
which allow use opencryptoki. Opencryptoki implements PKCS#11
standard.
The original commit has been split in 2 parts, this is the part for ipsec.
Resolves: rhbz#1952311
---
policy/modules/system/ipsec.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 7e99f16..9d679cb 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -247,6 +247,10 @@ optional_policy(`
')
')
+optional_policy(`
+ pkcs_use_opencryptoki(ipsec_t)
+')
+
########################################
#
# ipsec_mgmt Local policy
--
1.8.3.1


@ -1,33 +0,0 @@
From 5e9918310dccf6d6dd1da52c19ce2a2927d0a96e Mon Sep 17 00:00:00 2001
From: Richard Filo <rfilo@redhat.com>
Date: Mon, 24 Aug 2020 10:55:10 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/5e9918310dccf6d6dd1da52c19ce2a2927d0a96e
Conflict: NA
Subject: [PATCH] Allow all users to connect to systemd-userdbd with a unix
socket
Add interface systemd_userdbd_stream_connect() to allow communication using userdb sockets.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1835630
---
policy/modules/system/userdomain.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 89b4867..756ac4a 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -209,6 +209,10 @@ optional_policy(`
xserver_filetrans_home_content(userdomain)
')
+optional_policy(`
+ systemd_userdbd_stream_connect(userdomain)
+')
+
# rules for types which can read home certs
allow userdom_home_reader_certs_type home_cert_t:dir list_dir_perms;
read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)
--
1.8.3.1


@ -1,29 +0,0 @@
From af31e95e95b62fce1e495df73d817f8a533a2190 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 28 Jul 2020 19:41:56 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/af31e95e95b62fce1e495df73d817f8a533a2190
Conflict: NA
Subject: [PATCH] Allow auditd manage kerberos host rcache files
---
policy/modules/system/logging.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index cdaba23..db0b849 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -256,6 +256,10 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
+ kerberos_manage_host_rcache(auditd_t)
+')
+
+optional_policy(`
mta_send_mail(auditd_t)
')
--
1.8.3.1


@ -1,30 +0,0 @@
From 32aa3f5509900563632fec1a1536c84da50553ed Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 1 Apr 2021 17:36:08 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/32aa3f5509900563632fec1a1536c84da50553ed
Conflict: NA
Subject: [PATCH] Allow dhcpc_t domain transition to chronyc_t
This permission is required when dhclient-script executes
the chrony.sh script from /etc/dhcp/dhclient.d.
Resolves: rhbz#1897388
---
policy/modules/system/sysnetwork.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index fb0a0c8..70eaf92 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -198,6 +198,7 @@ optional_policy(`
chronyd_initrc_domtrans(dhcpc_t)
chronyd_systemctl(dhcpc_t)
chronyd_domtrans(dhcpc_t)
+ chronyd_domtrans_chronyc(dhcpc_t)
chronyd_read_keys(dhcpc_t)
')
--
1.8.3.1


@ -1,27 +0,0 @@
From d58c107591c0f99ee8003221296f998ad75d8148 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 4 Jan 2021 19:50:49 +0100
Reference: https://github.com/fedora-selinux/selinux-policy/commit/d58c107591c0f99ee8003221296f998ad75d8148
Conflict: NA
Subject: [PATCH] Allow domain stat /proc filesystem
Resolves: rhbz#1892401
---
policy/modules/kernel/domain.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index c77a6fe..dff8caa 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -129,6 +129,7 @@ allow domain self:fifo_file rw_fifo_file_perms;
allow domain self:sem create_sem_perms;
allow domain self:shm create_shm_perms;
+kernel_getattr_proc(domain)
kernel_read_proc_symlinks(domain)
kernel_read_crypto_sysctls(domain)
kernel_read_vm_overcommit_sysctls(domain)
--
1.8.3.1


@ -1,44 +0,0 @@
From 506809cbed4f682a030f29b6ee00d79b1570448f Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 19 Feb 2021 21:38:42 +0100
Reference: https://github.com/fedora-selinux/selinux-policy/commit/506809cbed4f682a030f29b6ee00d79b1570448f
Conflict: NA
Subject: [PATCH] Allow domain stat the /sys filesystem
Checking for the availability of the /sys filesystem is requested
by all services that want to read hardware state information.
As such, adding this permission would semantically fit into the
dev_read_sysfs() interface to allow the getattr permission for each
domain calling this interface. This would, however, add about 300 new
rules into the policy, so the permission is allowed for the domain
attribute instead not to affect performance much. It seems safe allow
it for all domains.
Example of such services are rngd, pcscd, usbmuxd.
Resolves: rhbz#1928572
Resolves: rhbz#1928611
Resolves: rhbz#1930992
---
policy/modules/kernel/domain.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 2ab7a49..8e52b17 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -150,6 +150,11 @@ dev_rw_null(domain)
dev_rw_zero(domain)
term_use_controlling_term(domain)
+# Allow all domains stat /sys. It is needed by services reading hardware
+# state information, but there is no harm to allow it to all domains in general.
+
+dev_getattr_sysfs_fs(domain)
+
# Allow all domains to read /dev/urandom. It is needed by all apps/services
# linked to libgcrypt. There is no harm to allow it by default.
dev_read_urand(domain)
--
1.8.3.1


@ -1,42 +0,0 @@
From 93e95ff085a9877e5ab981db18b2ba37409b3cb2 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 24 Sep 2020 13:12:54 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/93e95ff085a9877e5ab981db18b2ba37409b3cb2
Conflict: NA
Subject: [PATCH] Allow domain write to an automount unnamed pipe
With the kernel commit 13c164b1a186 ("autofs: switch to kernel_write"),
an additional LSM permission check is done when a process tries to
access a directory on an autofs volume, which has not been mounted yet,
and it results in a write operation to the automount pipe.
This commit allows any domain write to the unnamed pipe kernel uses to
communicate with automount to service the directory access request and
should be considered a temporary workaround until a different
implementation in kernel is found.
Resolves: rhbz#1874338
---
policy/modules/kernel/domain.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index b883be0..c77a6fe 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -570,6 +570,12 @@ optional_policy(`
')
optional_policy(`
+ # A workaround to handle additional permissions check
+ # introduced as an involuntary result of a kernel change
+ automount_write_pipes(domain)
+')
+
+optional_policy(`
sosreport_append_tmp_files(domain)
')
--
1.8.3.1


@ -1,43 +0,0 @@
From 7bcba980168b70a4164a1ec768ea56e723ed390b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 25 Jan 2021 22:08:16 +0100
Reference: https://github.com/fedora-selinux/selinux-policy/commit/7bcba980168b70a4164a1ec768ea56e723ed390b
Conflict: NA
Subject: [PATCH] Allow domain write to systemd-resolved PID socket files
Previously, the permission was allowed for the nsswitch_domain
attribute which turned out not to be sufficient.
Resolves: rhbz#1900175
---
policy/modules/kernel/domain.te | 1 +
policy/modules/system/authlogin.te | 1 -
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index dff8caa..2ab7a49 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -510,6 +510,7 @@ optional_policy(`
systemd_login_reboot(unconfined_domain_type)
systemd_login_halt(unconfined_domain_type)
systemd_login_undefined(unconfined_domain_type)
+ systemd_resolved_write_pid_sock_files(domain)
systemd_filetrans_named_content(named_filetrans_domain)
systemd_filetrans_named_hostname(named_filetrans_domain)
systemd_filetrans_home_content(named_filetrans_domain)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 576ec5f..068caed 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -562,7 +562,6 @@ optional_policy(`
')
optional_policy(`
- systemd_resolved_write_pid_sock_files(nsswitch_domain)
systemd_userdbd_stream_connect(nsswitch_domain)
systemd_machined_stream_connect(nsswitch_domain)
')
--
1.8.3.1


@ -1,29 +0,0 @@
From f5c688321e04364bdfd030dd1412a7e5a4ecc6b6 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 10 Nov 2020 18:04:49 +0100
Subject: [PATCH] Allow dovecot bind to smtp ports
When dovecot is configured to listen on submission ports
(tcp 465 or 587), it requires the name_bind permission to ports
labeled smtp_port_t.
Resolves: rhbz#1881884
---
dovecot.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
index 6cf4b72e9..0b140e932 100644
--- a/policy/modules/contrib/dovecot.te
+++ b/policy/modules/contrib/dovecot.te
@@ -147,6 +147,7 @@ corenet_tcp_bind_mail_port(dovecot_t)
corenet_tcp_bind_pop_port(dovecot_t)
corenet_tcp_bind_lmtp_port(dovecot_t)
corenet_tcp_bind_sieve_port(dovecot_t)
+corenet_tcp_bind_smtp_port(dovecot_t)
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
corenet_sendrecv_pop_server_packets(dovecot_t)
--
2.23.0


@ -1,30 +0,0 @@
From 3a9a9a5de73cadfd9629967c3e9b105b3cfc48e0 Mon Sep 17 00:00:00 2001
From: Patrik Koncity <pkoncity@redhat.com>
Date: Wed, 9 Sep 2020 12:09:09 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/3a9a9a5de73cadfd9629967c3e9b105b3cfc48e0
Conflict: NA
Subject: [PATCH] Allow dyntransition from sshd_t to unconfined_t
Removing attribute in previous commit affected connecting via ssh to unconfined user.
Missed dyntransition from sshd domain to unconfined domain.
Added ssh_dyntransition_to() interface.
---
policy/modules/roles/unconfineduser.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index ca8947b..4ab04b3 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -91,6 +91,8 @@ logging_send_syslog_msg(unconfined_t)
systemd_config_all_services(unconfined_t)
+ssh_dyntransition_to(unconfined_t)
+
unconfined_domain_noaudit(unconfined_t)
domain_named_filetrans(unconfined_t)
domain_transition_all(unconfined_t)
--
1.8.3.1


@ -1,35 +0,0 @@
From bad3809a314f6e6d1199e2201eb0c4fefbc8766a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 14 Oct 2020 22:45:29 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/bad3809a314f6e6d1199e2201eb0c4fefbc8766a
Conflict: NA
Subject: [PATCH] Allow initrc_t create /run/chronyd-dhcp directory with a
transition
Chronyd is required to read preferred sources files stored in
/run/chronyd-dhcp to be able to get correct time settings
from the dhcp server and have them applied.
Resolves: rhbz#1880948
---
policy/modules/system/init.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 50b655b..f72a8ef 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1210,6 +1210,10 @@ ifdef(`distro_redhat',`
')
optional_policy(`
+ chronyd_pid_filetrans(initrc_t)
+ ')
+
+ optional_policy(`
cyrus_write_data(initrc_t)
')
--
1.8.3.1


@ -1,26 +0,0 @@
From 027923e5647f7f0d1ecbaa7fc4d03cbd193a1424 Mon Sep 17 00:00:00 2001
From: LuLuLu <1539327763@qq.com>
Date: Tue, 25 May 2021 20:06:29 +0800
Subject: [PATCH] Allow kdump_t net_admin capability
When reboot with kexec, kdump_t process needs net_admin capability to run ifdown.
---
policy/modules/contrib/kdump.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te
index a253134..7e73c65 100644
--- a/policy/modules/contrib/kdump.te
+++ b/policy/modules/contrib/kdump.te
@@ -41,7 +41,7 @@ files_tmp_file(kdumpctl_tmp_t)
# kdump local policy
#
-allow kdump_t self:capability { sys_admin sys_boot dac_read_search };
+allow kdump_t self:capability { sys_admin sys_boot dac_read_search net_admin };
#allow kdump_t self:capability2 compromise_kernel;
allow kdump_t self:udp_socket create_socket_perms;
--
1.8.3.1


@ -1,29 +0,0 @@
From 4f44d3028edb3cda2b2c1d1fc7858b481d866b94 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 19 Mar 2021 16:55:32 +0100
Reference: https://github.com/fedora-selinux/selinux-policy/commit/4f44d3028edb3cda2b2c1d1fc7858b481d866b94
Conflict: NA
Subject: [PATCH] Allow local_login_t get attributes of tmpfs filesystems
This permission is required when the system booted with cgroups v1.
Resolves: rhbz#1894759
---
policy/modules/system/locallogin.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 10fa85d..e1e5649 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -113,6 +113,7 @@ files_create_home_dir(local_login_t)
fs_search_auto_mountpoints(local_login_t)
fs_getattr_cgroup(local_login_t)
+fs_getattr_tmpfs(local_login_t)
storage_dontaudit_getattr_fixed_disk_dev(local_login_t)
storage_dontaudit_setattr_fixed_disk_dev(local_login_t)
--
1.8.3.1


@ -1,30 +0,0 @@
From f2d77890bfcbe5b514c6205f288eeb73fe2225af Mon Sep 17 00:00:00 2001
From: Patrik Koncity <pkoncity@redhat.com>
Date: Fri, 21 Aug 2020 15:48:27 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/f2d77890bfcbe5b514c6205f288eeb73fe2225af
Conflict: NA
Subject: [PATCH] Allow login_pgm attribute to get attributes in proc_t
Allow login_pgm attribute, which contain domain like local_login_t
and cockpit_session_t, get attributes on filesystem /proc.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1853730
---
policy/modules/system/authlogin.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 6043c45..f3870d3 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -607,6 +607,7 @@ auth_filetrans_home_content(login_pgm)
# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
kernel_search_network_sysctl(login_pgm)
kernel_rw_afs_state(login_pgm)
+kernel_getattr_proc(login_pgm)
tunable_policy(`authlogin_radius',`
corenet_udp_bind_all_unreserved_ports(login_pgm)
--
1.8.3.1


@ -1,47 +0,0 @@
From ed68ca8f488ca36b74b6146f3008a89072ffdcc9 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 5 Mar 2021 18:05:58 +0100
Reference: https://github.com/fedora-selinux/selinux-policy/commit/ed68ca8f488ca36b74b6146f3008a89072ffdcc9
Conflict: NA
Subject: [PATCH] Allow login_userdomain write inaccessible nodes
The permissions for creating blk_file, chr_file, fifo_file, sock_file
and regular file were added for systemd to create inaccessible nodes
in /run/user/*/systemd/inaccessible.
Addresses the following denial:
type=PATH msg=audit(22.2.2021 09:15:47.751:332) : item=1
name=/run/user/1000/systemd/inaccessible/chr inode=8 dev=00:29
mode=character,000 ouid=user ogid=user rdev=00:00
obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none
cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=AVC msg=audit(22.2.2021 09:15:47.751:332) : avc: denied { create }
for pid=1714 comm=systemd name=chr scontext=user_u:user_r:user_t:s0-s0:c0.c1023
tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1
---
policy/modules/system/userdomain.te | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 196bcc0..94c5ff6 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -370,6 +370,14 @@ optional_policy(`
')
############################################################
+# login_userdomain local policy
+
+create_blk_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
+create_chr_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
+create_fifo_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
+create_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
+create_sock_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
+
# Local Policy Confined Admin
#
gen_require(`
--
1.8.3.1


@ -1,28 +0,0 @@
From a3ec0f513ede0204be0e793b9e4f19214e9ce063 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 10 Dec 2020 00:17:57 +0100
Reference: https://github.com/fedora-selinux/selinux-policy/commit/a3ec0f513ede0204be0e793b9e4f19214e9ce063
Conflict: NA
Subject: [PATCH] Allow nsswitch-domain write to systemd-resolved PID socket
files
Resolves: rhbz#1900143
---
policy/modules/system/authlogin.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 068caed..576ec5f 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -562,6 +562,7 @@ optional_policy(`
')
optional_policy(`
+ systemd_resolved_write_pid_sock_files(nsswitch_domain)
systemd_userdbd_stream_connect(nsswitch_domain)
systemd_machined_stream_connect(nsswitch_domain)
')
--
1.8.3.1


@ -1,33 +0,0 @@
From d7924a942d84c255fb9d85f262fd68a9e08c2433 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 30 Mar 2021 20:54:17 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/d7924a942d84c255fb9d85f262fd68a9e08c2433
Conflict: NA
Subject: [PATCH] Allow nsswitch_domain read cgroup files
This permission is required when the systemd nss module is used
in nsswitch.conf for users or groups. The module checks whether
the current process is running in the root cgroup, or if rather
cgroup namespaces are in place.
Resolves: rhbz#1895061
---
policy/modules/system/authlogin.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 068caed..0e54d0a 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -465,6 +465,8 @@ files_list_var_lib(nsswitch_domain)
# read /etc/nsswitch.conf
files_read_etc_files(nsswitch_domain)
+fs_read_cgroup_files(nsswitch_domain)
+
init_stream_connectto(nsswitch_domain)
sysnet_dns_name_resolve(nsswitch_domain)
--
1.8.3.1


@ -1,61 +0,0 @@
From 6fe205674f9cd1face5e2cf1aeb90d265ef89ba8 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 12 Aug 2020 12:09:21 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/6fe205674f9cd1face5e2cf1aeb90d265ef89ba8
Conflict: NA
Subject: [PATCH] Allow nsswitch_domain to connect to systemd-machined using a
unix socket
Create the systemd_machined_stream_connect() interface.
Resolves: rhbz#1865748
---
policy/modules/system/authlogin.te | 1 +
policy/modules/system/systemd.if | 19 +++++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 25d1691..6043c45 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -563,6 +563,7 @@ optional_policy(`
optional_policy(`
systemd_userdbd_stream_connect(nsswitch_domain)
+ systemd_machined_stream_connect(nsswitch_domain)
')
optional_policy(`
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index a6d8bd0..dbc8fc9 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2001,6 +2001,25 @@ interface(`systemd_machined_rw_devpts_chr_files',`
########################################
## <summary>
+## Allow the specified domain to connect to
+## systemd_machined with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_machined_stream_connect',`
+ gen_require(`
+ type systemd_machined_t;
+ ')
+
+ allow $1 systemd_machined_t:unix_stream_socket connectto;
+')
+
+########################################
+## <summary>
## Send and receive messages from
## systemd machined over dbus.
## </summary>
--
1.8.3.1


@ -1,30 +0,0 @@
From 44a5636ce1fb9d8d306fe49b821b84114ab28746 Mon Sep 17 00:00:00 2001
From: Patrik Koncity <pkoncity@redhat.com>
Date: Fri, 21 Aug 2020 15:47:20 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/44a5636ce1fb9d8d306fe49b821b84114ab28746
Conflict: NA
Subject: [PATCH] Allow passwd to get attributes in proc_t
Add interface kernel_getattr_proc() to passwd policy.
This macro allow paswd get attributes on filesystem /proc.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1858738
---
policy/modules/admin/usermanage.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 262f01e..16b43b6 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -332,6 +332,7 @@ allow passwd_t crack_db_t:dir list_dir_perms;
read_files_pattern(passwd_t, crack_db_t, crack_db_t)
kernel_read_kernel_sysctls(passwd_t)
+kernel_getattr_proc(passwd_t)
# for SSP
dev_read_urand(passwd_t)
--
1.8.3.1


@ -1,66 +0,0 @@
From 82e42900ad8027abed98f0b5d7a0969223fa4a7b Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Fri, 11 Dec 2020 17:21:14 +0100
Reference: https://github.com/fedora-selinux/selinux-policy/commit/82e42900ad8027abed98f0b5d7a0969223fa4a7b
Conflict: NA
Subject: [PATCH] Allow stub-resolv.conf to be a symlink
It turns out that under certain configurations,
/var/run/systemd/resolve/stub-resolv.conf can be a symlink instead of a
regular file (see [1]). In such case, domains such as NetworkManager_t
and chronyd_t need to be able to read it, which is denied since the
symlink ends up being labeled as systemd_resolved_var_run_t.
So make sure that such symlink is also labeled net_conf_t and extend
sysnet_read_config() to allow also reading symlinks.
NOTE: Further unification/simplification of /etc network config symlinks
would now be possible (basically reverting f1505fca7063 ("Label
/etc/resolv.conf as net_conf_t only if it is a plain file")), but that
leads down to a deeper rabbit hole, so it's not addressed here.
[1] https://src.fedoraproject.org/rpms/selinux-policy/pull-request/135#comment-62439
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policy/modules/system/sysnetwork.fc | 2 +-
policy/modules/system/sysnetwork.if | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 27eb98b..de92927 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -38,7 +38,7 @@ ifdef(`distro_redhat',`
/etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
/var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
/var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
-/var/run/systemd/resolve/stub-resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/systemd/resolve/stub-resolv\.conf gen_context(system_u:object_r:net_conf_t,s0)
')
/var/run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index d7b696b..25e6b13 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -456,6 +456,7 @@ interface(`sysnet_read_config',`
allow $1 net_conf_t:dir list_dir_perms;
allow $1 net_conf_t:lnk_file read_lnk_file_perms;
read_files_pattern($1, net_conf_t, net_conf_t)
+ read_lnk_files_pattern($1, net_conf_t, net_conf_t)
')
')
@@ -1144,7 +1145,7 @@ interface(`sysnet_filetrans_systemd_resolved',`
optional_policy(`
systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf")
systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
- systemd_resolved_pid_filetrans($1, net_conf_t, file, "stub-resolv.conf")
+ systemd_resolved_pid_filetrans($1, net_conf_t, { file lnk_file }, "stub-resolv.conf")
')
')
--
1.8.3.1


@ -1,87 +0,0 @@
From 204a23cf3da322e59c1b7af2e5cd62c835b91c2a Mon Sep 17 00:00:00 2001
From: Richard Filo <rfilo@redhat.com>
Date: Thu, 20 Aug 2020 22:25:28 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/204a23cf3da322e59c1b7af2e5cd62c835b91c2a
Conflict: NA
Subject: [PATCH] Allow syslogd_t domain to read/write tmpfs systemd-bootchart
files
Create the two interfaces to allow mapping and r/w permisions.
Add this two interfaces to the policy for domain syslogd_t.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1838163
The one way how can the systemd-journald get a log data from any services is by socket /run/systemd/journal/socket. But when the message is bigger than max size of datagram, it must be done differently. It is by filedescriptor, which is connected to the datagram and in the file to which the file descriptor refers are the log data that were not sent. The file is created by memfd_create() syscall and in kernel the file is implemented as tmpfs.
That means any service can communicate in this way.
---
policy/modules/system/logging.te | 5 +++++
policy/modules/system/systemd.if | 36 ++++++++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index db0b849..8f6286d 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -720,6 +720,11 @@ optional_policy(`
')
optional_policy(`
+ systemd_rw_bootchart_tmpfs_files(syslogd_t)
+ systemd_map_bootchart_tmpfs_files(syslogd_t)
+')
+
+optional_policy(`
daemontools_search_svc_dir(syslogd_t)
')
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index dbc8fc9..ff31161 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2096,6 +2096,42 @@ interface(`systemd_rw_coredump_tmpfs_files',`
########################################
## <summary>
+## Mmap to systemd-bootchart temporary file system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_map_bootchart_tmpfs_files',`
+ gen_require(`
+ type systemd_bootchart_tmpfs_t;
+ ')
+
+ allow $1 systemd_bootchart_tmpfs_t:file map;
+')
+
+########################################
+## <summary>
+## Read and write to systemd-bootchart temporary file system.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_rw_bootchart_tmpfs_files',`
+ gen_require(`
+ type systemd_bootchart_tmpfs_t;
+ ')
+
+ allow $1 systemd_bootchart_tmpfs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
## Allow process to read hwdb config file.
## </summary>
## <param name="domain">
--
1.8.3.1


@ -1,38 +0,0 @@
From b65f4fd6426b7abb3fa9d73a1e7b8c12092696c6 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 23 Feb 2021 17:51:37 +0100
Subject: [PATCH] Allow systemd-hostnamed read udev runtime data
Required since systemd-248-rc1:
systemd-hostnamed now exports the "HardwareVendor" and "HardwareModel"
D-Bus properties, which are supposed to contain a pair of cleaned up,
human readable strings describing the system's vendor and model. It's
typically sourced from the firmware's DMI tables, but may be augmented
from a new hwdb database. hostnamectl shows this in the status output.
https://github.com/systemd/systemd/blob/v248-rc1/NEWS
Resolves: rhbz#1931959
Signed-off-by: lujie42 <572084868@qq.com>
---
policy/modules/system/systemd.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index adbbd37..abfe2d4 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -849,6 +849,10 @@ optional_policy(`
dbus_connect_system_bus(systemd_hostnamed_t)
')
+optional_policy(`
+ udev_read_pid_files(systemd_hostnamed_t)
+')
+
#######################################
#
# rfkill policy
--
1.8.3.1


@ -1,29 +0,0 @@
From 5867b09c03641f8a270863952a67cff61c3cc8e4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 24 Jul 2020 21:28:43 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/5867b09c03641f8a270863952a67cff61c3cc8e4
Conflict: NA
Subject: [PATCH] Allow systemd-logind dbus chat with fwupd
---
policy/modules/system/systemd.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7cb36c4..367758a 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -353,6 +353,10 @@ optional_policy(`
')
optional_policy(`
+ fwupd_dbus_chat(systemd_logind_t)
+')
+
+optional_policy(`
# we label /run/user/$USER/dconf as config_home_t
gnome_manage_home_config_dirs(systemd_logind_t)
gnome_manage_home_config(systemd_logind_t)
--
1.8.3.1


@ -1,59 +0,0 @@
From 099b9776b76a31cdf8281e06f9cc27946b26cf9f Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 7 Dec 2020 22:15:18 +0100
Reference: https://github.com/fedora-selinux/selinux-policy/commit/099b9776b76a31cdf8281e06f9cc27946b26cf9f
Conflict: NA
Subject: [PATCH] Allow systemd-logind manage init's pid files
Added init_manage_pid_files() interface.
Resolves: rhbz#1856399
---
policy/modules/system/init.if | 18 ++++++++++++++++++
policy/modules/system/systemd.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 629af26..4674755 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -2838,6 +2838,24 @@ interface(`init_read_pid_files',`
########################################
## <summary>
+## Manage init pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_manage_pid_files',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ manage_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+########################################
+## <summary>
## Read init unnamed pipes.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 24cf02e..332d716 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -297,6 +297,7 @@ init_signal_script(systemd_logind_t)
init_getattr_script_status_files(systemd_logind_t)
init_read_utmp(systemd_logind_t)
init_config_transient_files(systemd_logind_t)
+init_manage_pid_files(systemd_logind_t)
getty_systemctl(systemd_logind_t)
--
1.8.3.1


@ -1,59 +0,0 @@
From 9b31818705c564f94c46366ef83efa4951ffa64a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 12 Jan 2021 18:36:07 +0100
Reference: https://github.com/fedora-selinux/selinux-policy/commit/9b31818705c564f94c46366ef83efa4951ffa64a
Conflict: NA
Subject: [PATCH] Allow systemd-machined manage systemd-userdbd runtime sockets
Add the systemd_manage_userdbd_runtime_sock_files() interface
and remove systemd_create_userdbd_runtime_sock_files()
which is not used any longer.
Resolves: rhbz#1891182
---
policy/modules/system/systemd.if | 6 +++---
policy/modules/system/systemd.te | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index d10ae16..67479ce 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2486,7 +2486,7 @@ interface(`systemd_userdbd_stream_connect',`
#######################################
## <summary>
-## Create a named socket in userdbd runtime directory
+## Manage named sockets in userdbd runtime directory
## </summary>
## <param name="domain">
## <summary>
@@ -2494,10 +2494,10 @@ interface(`systemd_userdbd_stream_connect',`
## </summary>
## </param>
#
-interface(`systemd_create_userdbd_runtime_sock_files',`
+interface(`systemd_manage_userdbd_runtime_sock_files',`
gen_require(`
type systemd_userdbd_runtime_t;
')
- create_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+ manage_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index c806b29..3eb12be 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -416,7 +416,7 @@ init_manage_config_transient_files(systemd_machined_t)
logging_dgram_send(systemd_machined_t)
systemd_read_efivarfs(systemd_machined_t)
-systemd_create_userdbd_runtime_sock_files(systemd_machined_t)
+systemd_manage_userdbd_runtime_sock_files(systemd_machined_t)
userdom_dbus_send_all_users(systemd_machined_t)
--
1.8.3.1


@ -1,27 +0,0 @@
From 17fe432dfcf5b3e3b4d6185cfdab6489135045e8 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 8 Dec 2020 15:53:05 +0100
Reference: https://github.com/fedora-selinux/selinux-policy/commit/17fe432dfcf5b3e3b4d6185cfdab6489135045e8
Conflict: NA
Subject: [PATCH] Allow systemd-resolved manage its private runtime symlinks
Resolves: rhbz#1896796
---
policy/modules/system/systemd.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 806b7d6..24cf02e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1047,6 +1047,7 @@ allow systemd_resolved_t self:unix_dgram_socket create_socket_perms;
manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
list_dirs_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
--
1.8.3.1


@ -1,36 +0,0 @@
From 1aa9e5609375815103d2445df1746cb90a02b55a Mon Sep 17 00:00:00 2001
From: Patrik Koncity <pkoncity@redhat.com>
Date: Tue, 11 Aug 2020 14:19:29 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/1aa9e5609375815103d2445df1746cb90a02b55a
Conflict: NA
Subject: [PATCH] Allow traceroute_t and ping_t to bind generic nodes.
Use newly created macro corenet_icmp_bind_generic_node() for ping_t and traceroute_t.
This macro allowing bind generic nodes in node_t domain.
---
policy/modules/admin/netutils.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index f835af5..5793fe9 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -140,6 +140,7 @@ corenet_raw_sendrecv_generic_node(ping_t)
corenet_tcp_sendrecv_generic_node(ping_t)
corenet_raw_bind_generic_node(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
+corenet_icmp_bind_generic_node(ping_t)
fs_dontaudit_getattr_xattr_fs(ping_t)
fs_dontaudit_rw_anon_inodefs_files(ping_t)
@@ -245,6 +246,7 @@ corenet_tcp_connect_all_ports(traceroute_t)
corenet_sendrecv_all_client_packets(traceroute_t)
corenet_sendrecv_traceroute_server_packets(traceroute_t)
corenet_sctp_bind_generic_node(traceroute_t)
+corenet_icmp_bind_generic_node(traceroute_t)
corecmd_exec_bin(traceroute_t)
--
1.8.3.1


@ -1,31 +0,0 @@
From e4f9c9f4f4c5af851410fde006f6589c0bf7f863 Mon Sep 17 00:00:00 2001
From: Patrik Koncity <pkoncity@redhat.com>
Date: Wed, 5 Aug 2020 17:26:20 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/e4f9c9f4f4c5af851410fde006f6589c0bf7f863
Conflict: NA
Subject: [PATCH] Allow unconfined_t to node_bind icmp_sockets in node_t domain
When uncofined user run ping or traceroute, this process get label unconfined_t.
Allow to ping or traceroute, which run as unconfined_t, to node_bind icmp_sockets in node_t domain.
Bugzila: https://bugzilla.redhat.com/show_bug.cgi?id=1848929#c0
---
policy/modules/kernel/corenetwork.te.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index c317449..b718ab0 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -465,7 +465,7 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
# Bind to any network address.
allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket sctp_socket} name_bind;
-allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
+allow corenet_unconfined_type node_type:{ dccp_socket icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
# Infiniband
corenet_ib_access_all_pkeys(corenet_unconfined_type)
--
1.8.3.1


@ -1,95 +0,0 @@
From 099ea7b7bd113cac657f98d406c77839cce98859 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 25 Aug 2020 16:33:38 +0200
Subject: [PATCH] Change transitions for ~/.config/Yubico
Created the auth_filetrans_auth_home_content() interface which is used
to allow the filename transition in gnome config directory for the
login_pgm and userdomain attributes.
This commit reverts the transitions introduced in
commit 1363710b88904f29915e39335fef0dfb673a0f70.
Signed-off-by: lujie42 <572084868@qq.com>
---
policy/modules/system/authlogin.if | 23 +++++++++++++++++++++--
policy/modules/system/authlogin.te | 1 +
policy/modules/system/userdomain.te | 2 ++
3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 90ae5fe..ab68d31 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -2313,7 +2313,6 @@ interface(`auth_filetrans_admin_home_content',`
userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
- userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
')
@@ -2378,7 +2377,27 @@ interface(`auth_filetrans_home_content',`
userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
- userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
+')
+
+########################################
+## <summary>
+## Create auth directory in the config home directory
+## with a correct label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_filetrans_auth_home_content',`
+ gen_require(`
+ type auth_home_t;
+ ')
+
+ optional_policy(`
+ gnome_config_filetrans($1, auth_home_t, dir, "Yubico")
+ ')
')
########################################
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index f3870d3..068caed 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -603,6 +603,7 @@ manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t)
manage_files_pattern(login_pgm, auth_home_t, auth_home_t)
auth_filetrans_admin_home_content(login_pgm)
auth_filetrans_home_content(login_pgm)
+auth_filetrans_auth_home_content(login_pgm)
# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
kernel_search_network_sysctl(login_pgm)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 756ac4a..196bcc0 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -147,6 +147,7 @@ dontaudit unpriv_userdomain self:dir setattr;
allow unpriv_userdomain self:file manage_file_perms;
allow unpriv_userdomain self:key manage_key_perms;
+auth_filetrans_auth_home_content(userdomain)
files_dontaudit_manage_boot_files(unpriv_userdomain)
@@ -289,6 +290,7 @@ userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, "tmp")
optional_policy(`
gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
+ gnome_config_filetrans(userdom_filetrans_type, auth_home_t, dir, "Yubico")
#gnome_admin_home_gconf_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin")
')
--
1.8.3.1


@ -1,44 +0,0 @@
From 25d2a5c01c34d72c20f5d219227ad87897411967 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 14 Oct 2020 22:41:52 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/25d2a5c01c34d72c20f5d219227ad87897411967
Conflict: NA
Subject: [PATCH] Create chronyd_pid_filetrans() interface
---
policy/modules/contrib/chronyd.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
index c1b1b71..3d47264 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -236,6 +236,25 @@ interface(`chronyd_manage_pid',`
manage_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
')
+######################################
+## <summary>
+## Create objects in /var/run
+## with chronyd runtime private file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_pid_filetrans',`
+ gen_require(`
+ type chronyd_var_run_t;
+ ')
+
+ files_pid_filetrans($1, chronyd_var_run_t, dir, "chrony-dhcp")
+')
+
####################################
## <summary>
## All of the rules required to
--
1.8.3.1


@ -1,44 +0,0 @@
From 65c1a66265908f3d5a39fa201d6b6f9f2a2981a4 Mon Sep 17 00:00:00 2001
From: Patrik Koncity <pkoncity@redhat.com>
Date: Tue, 11 Aug 2020 13:51:55 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/65c1a66265908f3d5a39fa201d6b6f9f2a2981a4
Conflict: NA
Subject: [PATCH] Create macro corenet_icmp_bind_generic_node()
This macro allowing bind ICMP sockets to generic nodes in node_t domain.
---
policy/modules/kernel/corenetwork.if.in | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 1ed5283..1858e41 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -863,6 +863,24 @@ interface(`corenet_sctp_bind_generic_node',`
########################################
## <summary>
+## Bind ICMP sockets to generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_icmp_bind_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:icmp_socket node_bind;
+')
+
+########################################
+## <summary>
## Bind TCP sockets to generic nodes.
## </summary>
## <desc>
--
1.8.3.1


@ -1,26 +0,0 @@
From 5d5feca5ce10b7b4f45c44431c8c258685eeef61 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 11 Aug 2020 22:15:55 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/5d5feca5ce10b7b4f45c44431c8c258685eeef61
Conflict: NA
Subject: [PATCH] Define named file transition for sshd on /tmp/krb5_0.rcache2
---
policy/modules/services/ssh.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 7b09f29..b06cc76 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -380,6 +380,7 @@ optional_policy(`
optional_policy(`
kerberos_read_keytab(sshd_t)
+ kerberos_tmp_filetrans_host_rcache(sshd_t, "krb5_0.rcache2")
kerberos_use(sshd_t)
kerberos_write_kadmind_tmp_files(sshd_t)
')
--
1.8.3.1


@ -1,30 +0,0 @@
From ade23054745c5a738abc8760dfc425f8bf916944 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 8 Dec 2020 16:05:22 +0100
Reference: https://github.com/fedora-selinux/selinux-policy/commit/ade23054745c5a738abc8760dfc425f8bf916944
Conflict: NA
Subject: [PATCH] Update systemd_resolved_read_pid() to also read symlinks
In the systemd_resolved_read_pid() interface, list and read permissions
were allowed for directories and plain files. However, symlinks also can
be in the same directory. This commit adds read permissions for the
lnk_file class.
---
policy/modules/system/systemd.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index ff31161..ffed76c 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -313,6 +313,7 @@ interface(`systemd_resolved_read_pid',`
files_search_pids($1)
list_dirs_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+ read_lnk_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
')
######################################
--
1.8.3.1


@ -1,39 +0,0 @@
From feefaa074e75466aa75c29f17a3d83ac6ce004f0 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Thu, 18 Feb 2021 10:00:12 +0100
Subject: [PATCH] iptables.fc: Add missing legacy entries
The iptables, arptables, and ebtables stack is being deprecated in favor
of nftables. For now, netfilter reimplementations of these tools are
available for backwards compatibility, but have a diffferent filename
now (the main location is now a symlink). Add file context entries for
arptables and ebtables; iptables is already covered by the wildcard
rule.
This change fixed several ebtables-related denials for me.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policy/modules/system/iptables.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 2c19023..9fb2e34 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -13,10 +13,12 @@
/usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/arptables-legacy -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/arptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/arptables-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ebtables-legacy -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
--
1.8.3.1


@ -1,40 +0,0 @@
From dfbaf8f3be6470e0964df8c1b5ae9717f85a4675 Mon Sep 17 00:00:00 2001
From: LuLuLu <1539327763@qq.com>
Date: Fri, 11 Jun 2021 11:25:18 +0800
Subject: [PATCH] iptables.fc: Add missing legacy-restore and legacy-save
entries
/usr/sbin/ebtables-restore and /usr/sbin/ebtables-save are miss labeled now. Each of them is a link file that can link to two differenet files.
For /usr/sbin/ebtables-restore on fc 34:
Remove iptables-nft and install ebtables-legacy:
lrwxrwxrwx. 1 root root 34 Apr 23 06:56 /sbin/ebtables-restore -> /etc/alternatives/ebtables-restore
lrwxrwxrwx. 1 root root 33 Jun 10 20:31 /etc/alternatives/ebtables-restore -> /usr/sbin/ebtables-legacy-restore
Remove ebtables-legacy and install iptables-nft:
lrwxrwxrwx. 1 root root 34 Apr 23 06:56 /sbin/ebtables-restore -> /etc/alternatives/ebtables-restore
lrwxrwxrwx. 1 root root 30 Jun 10 20:35 /etc/alternatives/ebtables-restore -> /usr/sbin/ebtables-nft-restore
lrwxrwxrwx. 1 root root 17 Jan 28 08:48 /usr/sbin/ebtables-nft-restore -> xtables-nft-multi
/sbin/ebtables-save is similar. But the label of /usr/sbin/ebtables-legacy-restore and /usr/sbin/ebtables-legacy-save is lack.
---
policy/modules/system/iptables.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 9fb2e34..e8ee5c0 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -19,6 +19,8 @@
/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ebtables-legacy -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ebtables-legacy-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ebtables-legacy-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
--
1.8.3.1


@ -1,49 +0,0 @@
From c33aa1f2bdb74f689bd54565e363fa67f3aa148f Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Thu, 18 Feb 2021 09:50:50 +0100
Subject: [PATCH] iptables.fc: Remove duplicate file context entries
There is an quivalency rule /sbin -> /usr/sbin so these are redundant.
A few entries were missing in the /usr/sbin block - add them to avoid
regressions.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policy/modules/system/iptables.fc | 20 ++------------------
1 file changed, 2 insertions(+), 18 deletions(-)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index d8161fc..639a59b 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -12,25 +12,9 @@
/usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/arptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/arptables-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/xtables-legacy-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/xtables-nft-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-
/usr/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/arptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/arptables-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
--
1.8.3.1


@ -1,145 +0,0 @@
From bc79683118e529a8325fd229840915efe30c3f48 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 3 Aug 2020 14:49:31 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/bc79683118e529a8325fd229840915efe30c3f48
Conflict: NA
Subject: [PATCH] sysnetwork.if: avoid directly referencing
systemd_resolved_var_run_t
Instead create a systemd_resolved_pid_filetrans() interface in
systemd.if and use that. Also used a unified interface for adding these
transitions in sysnet_filetrans_named_content() and directly in the
systemd module.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policy/modules/system/sysnetwork.if | 36 +++++++++++++++++++++++++++---------
policy/modules/system/systemd.if | 34 ++++++++++++++++++++++++++++++++++
policy/modules/system/systemd.te | 4 +---
3 files changed, 62 insertions(+), 12 deletions(-)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 10172d6..d7b696b 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -1127,6 +1127,29 @@ interface(`sysnet_role_transition_dhcpc',`
########################################
## <summary>
+## Set up filename transitions for systemd-resolved network
+## configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_filetrans_systemd_resolved',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ optional_policy(`
+ systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf")
+ systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
+ systemd_resolved_pid_filetrans($1, net_conf_t, file, "stub-resolv.conf")
+ ')
+')
+
+########################################
+## <summary>
## Transition to sysnet named content
## </summary>
## <param name="domain">
@@ -1138,7 +1161,6 @@ interface(`sysnet_role_transition_dhcpc',`
interface(`sysnet_filetrans_named_content',`
gen_require(`
type net_conf_t;
- type systemd_resolved_var_run_t;
')
files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
@@ -1160,15 +1182,11 @@ interface(`sysnet_filetrans_named_content',`
init_pid_filetrans($1, net_conf_t, dir, "network")
optional_policy(`
- networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
- networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
- ')
+ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
+ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
+ ')
- optional_policy(`
- sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf")
- sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf.tmp")
- sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "stub-resolv.conf")
- ')
+ sysnet_filetrans_systemd_resolved($1)
')
########################################
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 26d4927..d10ae16 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -335,6 +335,40 @@ interface(`systemd_resolved_write_pid_sock_files',`
write_sock_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
')
+########################################
+## <summary>
+## Create objects in /var/run/systemd/resolve with a private
+## type using a type_transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Object classes to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`systemd_resolved_pid_filetrans',`
+ gen_require(`
+ type systemd_resolved_var_run_t;
+ ')
+
+ filetrans_pattern($1, systemd_resolved_var_run_t, $2, $3, $4)
+')
+
######################################
## <summary>
## Read systemd_login PID files.
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 332d716..c806b29 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1071,9 +1071,7 @@ dev_write_kmsg(systemd_resolved_t)
dev_read_sysfs(systemd_resolved_t)
sysnet_manage_config(systemd_resolved_t)
-sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf")
-sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "stub-resolv.conf")
-sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf.tmp")
+sysnet_filetrans_systemd_resolved(systemd_resolved_t)
systemd_read_efivarfs(systemd_resolved_t)
--
1.8.3.1


@ -1,42 +0,0 @@
From a96ac9ed374cab65f53a26cd39053705569532bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 28 Oct 2020 09:17:15 +0100
Subject: [PATCH] systemd: allow all systemd services to check selinux status
After https://github.com/systemd/systemd/commit/fd5e402fa9 most systemd
services fail to start with:
Oct 27 13:50:38 workstation-uefi systemd[1]: Starting systemd-hostnamed.service...
Oct 27 13:50:38 workstation-uefi systemd-hostnamed[944]: Failed to open SELinux status page: Permission denied
Oct 27 13:50:38 workstation-uefi systemd[1]: systemd-hostnamed.service: Main process exited, code=exited, status=1/FAILURE
After disabling dontaudit:
Oct 27 14:05:08 workstation-uefi audit[1043]: AVC avc: denied { read } for pid=1043 comm="systemd-hostnam" name="status" dev="selinuxfs" ino=19 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
Oct 27 14:05:08 workstation-uefi audit[1043]: AVC avc: denied { open } for pid=1043 comm="systemd-hostnam" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
Oct 27 14:05:08 workstation-uefi audit[1043]: AVC avc: denied { map } for pid=1043 comm="systemd-hostnam" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
As first step, allow all systemd services to check selinux status.
The check for selinux status is called from mac_selinux_init() which
is called in 16 different places, so I don't think it makes sense to
try to list them all. Any code which wants to create a labelled file is
likely to call mac_selinux_init().
---
policy/modules/system/systemd.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index ff3116142..253396f1c 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -24,6 +24,7 @@ template(`systemd_domain_template',`
kernel_read_system_state($1_t)
auth_use_nsswitch($1_t)
+ selinux_get_enforce_mode($1_t)
')
######################################
--
2.23.0



@ -19,3 +19,4 @@
/sbin /usr/sbin
/sysroot/tmp /tmp
/var/usrlocal /usr/local
/var/mnt /mnt

81
macro-expander Normal file

@ -0,0 +1,81 @@
#!/bin/bash
function usage {
echo "Usage: $0 [ -c | -t [ -M ] ] <macro>"
echo "Options:
-c generate CIL output
-t generate standard policy source format (.te) allow rules - this is default
-M generate complete module .te output
"
}
function cleanup {
rm -rf $TEMP_STORE
}
while getopts "chMt" opt; do
case $opt in
c) GENCIL=1
;;
t) GENTE=1
;;
M) GENTEMODULE=1
;;
h) usage
exit 0
;;
\?) usage
exit 1
;;
esac
done
shift $((OPTIND-1))
SELINUX_MACRO=$1
if [ -z "$SELINUX_MACRO" ]
then
exit 1
fi
TEMP_STORE="$(mktemp -d)"
cd $TEMP_STORE || exit 1
IFS="("
set $1
SELINUX_DOMAIN="${2::-1}"
echo -e "policy_module(expander, 1.0.0) \n" \
"gen_require(\`\n" \
"type $SELINUX_DOMAIN ; \n" \
"')" > expander.te
echo "$SELINUX_MACRO" >> expander.te
make -f /usr/share/selinux/devel/Makefile tmp/all_interfaces.conf &> /dev/null
if [ "x$GENCIL" = "x1" ]; then
make -f /usr/share/selinux/devel/Makefile expander.pp &> /dev/null
MAKE_RESULT=$?
if [ $MAKE_RESULT -ne 2 ]
then
/usr/libexec/selinux/hll/pp < $TEMP_STORE/expander.pp > $TEMP_STORE/expander.cil 2> /dev/null
grep -v "cil_gen_require" $TEMP_STORE/expander.cil | sort -u
fi
fi
if [ "$GENTE" = "1" ] || [ "x$GENCIL" != "x1" ]; then
m4 -D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s /usr/share/selinux/devel/include/support/file_patterns.spt /usr/share/selinux/devel/include/support/ipc_patterns.spt /usr/share/selinux/devel/include/support/obj_perm_sets.spt /usr/share/selinux/devel/include/support/misc_patterns.spt /usr/share/selinux/devel/include/support/misc_macros.spt /usr/share/selinux/devel/include/support/all_perms.spt /usr/share/selinux/devel/include/support/mls_mcs_macros.spt /usr/share/selinux/devel/include/support/loadable_module.spt tmp/all_interfaces.conf expander.te > expander.tmp 2> /dev/null
if [ "x$GENTEMODULE" = "x1" ]; then
# sed '/^#.*$/d;/^\s*$/d;/^\s*class .*/d;/^\s*category .*/d;s/^\s*//' expander.tmp
sed '/^#.*$/d;/^\s*$/d;/^\s*category .*/d;s/^\s*//' expander.tmp
else
grep '^\s*allow' expander.tmp | sed 's/^\s*//'
fi
fi
cd - > /dev/null || exit 1
cleanup
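Review bot: `set $1` (executed with `IFS="("`) hands the macro text to `set` as if it were options, so an argument beginning with `-` is parsed as a shell option instead of being split into name and domain, and the temp directory from `mktemp -d` is leaked on every `exit 1` path because `cleanup` runs only at the end of the success path. Use `set -- $1`, register `trap cleanup EXIT` right after `TEMP_STORE` is created, and quote the path in `rm -rf` / `cd` so a `TMPDIR` containing whitespace or `(` cannot change what gets deleted. `SELINUX_DOMAIN="${2::-1}"` also assumes the form `name(domain)`; when no `(` is present the second word is empty and the substring expansion appears to abort with a bash error rather than a usage message, so check `$2` before using it. The script writes the argument verbatim into expander.te and hands it to m4 and the policy Makefile, which is acceptable for a developer-only helper but deserves a comment stating that the argument is trusted input.
```shell
function cleanup {
    rm -rf "$TEMP_STORE"
}
# … unchanged: usage, option parsing, SELINUX_MACRO check …
TEMP_STORE="$(mktemp -d)"
trap cleanup EXIT
cd "$TEMP_STORE" || exit 1
IFS="("
set -- $1
[ -n "$2" ] || { usage; exit 1; }
SELINUX_DOMAIN="${2::-1}"
# … unchanged: expander.te generation, make / pp / m4 invocations …
```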


@ -391,10 +391,3 @@ udev = module
# The unconfined domain.
#
unconfined = module
# Layer: system
# Module: kdbus
#
# Policy for kdbus.
#
kdbus = module


@ -2663,3 +2663,17 @@ rrdcached = module
# stratisd
#
stratisd = module
# Layer: contrib
# Module: ica
#
# ica
#
ica = module
# Layer: contrib
# Module: fedoratp
#
# fedoratp
#
fedoratp = module


@ -38,7 +38,11 @@ BuildRequires: selinux-policy-devel \
Requires(post): selinux-policy-base >= %{_selinux_policy_version} \
Requires(post): libselinux-utils \
Requires(post): policycoreutils \
%if 0%{?fedora} || 0%{?rhel} > 7\
Requires(post): policycoreutils-python-utils \
%else \
Requires(post): policycoreutils-python \
%endif \
%{nil}
# %selinux_modules_install [-s <policytype>] [-p <modulepriority>] module [module]...




@ -5,19 +5,22 @@
%define BUILD_TARGETED 1
%define BUILD_MINIMUM 1
%define BUILD_MLS 1
%define POLICYVER 32
%define POLICYCOREUTILSVER 3.0-5
%define CHECKPOLICYVER 3.0
%define POLICYVER 33
%define POLICYCOREUTILSVER 3.2
%define CHECKPOLICYVER 3.2
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.14.2
Release: 77
Version: 35.5
Release: 1
License: GPLv2+
URL: https://github.com/fedora-selinux/selinux-policy/
Source0: https://github.com/fedora-selinux/selinux-policy/archive/9c84d687e0fef5d8e4e25273bd25f58c28a7c67c/selinux-policy-9c84d68.tar.gz
Source1: https://github.com/fedora-selinux/selinux-policy-contrib/archive/27225b9de42be65760194536680c9d596f1a1895/selinux-policy-contrib-27225b9.tar.gz
Source0: https://github.com/fedora-selinux/selinux-policy/archive/02b35cff10d8743e075379c062f565f2bb97c032/selinux-policy-02b35cf.tar.gz
# Tool helps during policy development, to expand system m4 macros to raw allow rules
# Git repo: https://github.com/fedora-selinux/macro-expander.git
Source1: macro-expander
# We obtain Source2~Source24 from https://src.fedoraproject.org/rpms/selinux-policy/tree/master
Source2: modules-targeted-base.conf
@ -50,75 +53,20 @@ Source24: rpm.macros
Source35: container-selinux.tgz
Patch0: Allow-local_login-to-be-access-to-var-run-files-and-.patch
Patch1: access-to-iptables-run-file.patch
Patch2: add-access-to-faillog-file-for-systemd.patch
Patch3: add-allow-to-be-access-to-sssd-dir-and-file.patch
Patch4: add-allow-shadow-tool-to-access-sssd-var-lib-file-di.patch
Patch5: fix-selinux-label-for-hostname-digest-list.patch
Patch6: solve-shutdown-permission-denied-caused-by-dracut.patch
Patch7: add-allow-for-ldconfig-to-map-libsudo_util-so.patch
Patch8: add-avc-for-kmod.patch
Patch9: allow-ipmievd-to-read-the-process-state-proc-pid-of-.patch
Patch10: add-avc-for-systemd-journald.patch
Patch11: add-avc-for-systemd-hostnamed-and-systemd-logind.patch
Patch12: add-avc-for-systemd.patch
Patch13: allow-systemd-to-mount-unlabeled-filesystemd.patch
Patch14: add_userman_access_run_dir.patch
Patch15: allow-systemd-machined-create-userdbd-runtime-sock-file.patch
Patch16: allow-systemd_machined_t-delete-userdbd-runtime-sock.patch
Patch17: allow-systemd-hostnamed-and-logind-read-policy.patch
Patch18: add-firewalld-fc.patch
Patch19: add-allow-systemd-timedated-to-unlink-etc-link.patch
Patch20: add-avc-for-openEuler-1.patch
Patch21: backport-systemd-allow-all-systemd-services-to-check-selinux-.patch
Patch22: backport-Allow-dovecot-bind-to-smtp-ports.patch
Patch23: allow-rpcbind-to-bind-all-port.patch
Patch1: fix-selinux-label-for-hostname-digest-list.patch
Patch2: add-allow-for-ldconfig-to-map-libsudo_util-so.patch
Patch3: allow-ipmievd-to-read-the-process-state-proc-pid-of-.patch
Patch4: add_userman_access_run_dir.patch
Patch5: add-firewalld-fc.patch
Patch6: add-allow-systemd-timedated-to-unlink-etc-link.patch
Patch7: add-avc-for-openEuler-1.patch
Patch8: allow-rpcbind-to-bind-all-port.patch
Patch9: add-avc-for-systemd-journald.patch
Patch10: add-avc-for-systemd.patch
Patch6000: backport-Allow-kdump_t-net_admin-capability.patch
Patch6001: backport-Allow-systemd-logind-dbus-chat-with-fwupd.patch
Patch6002: backport-Allow-auditd-manage-kerberos-host-rcache-files.patch
Patch6003: backport-Add-dev_lock_all_blk_files-interface.patch
Patch6005: backport-Define-named-file-transition-for-sshd-on-tmp-krb5_0..patch
Patch6006: backport-Allow-nsswitch_domain-to-connect-to-systemd-machined.patch
Patch6007: backport-Allow-unconfined_t-to-node_bind-icmp_sockets-in-node.patch
Patch6008: backport-Create-macro-corenet_icmp_bind_generic_node.patch
Patch6009: backport-Allow-traceroute_t-and-ping_t-to-bind-generic-nodes.patch
Patch6010: backport-Allow-passwd-to-get-attributes-in-proc_t.patch
Patch6011: backport-Allow-login_pgm-attribute-to-get-attributes-in-proc_.patch
Patch6012: backport-Allow-syslogd_t-domain-to-read-write-tmpfs-systemd-b.patch
Patch6013: backport-Allow-all-users-to-connect-to-systemd-userdbd-with-a.patch
Patch6014: backport-Add-new-devices-and-filesystem-interfaces.patch
Patch6015: backport-Add-lvm_dbus_send_msg-lvm_rw_var_run-interfaces.patch
Patch6016: backport-Allow-domain-write-to-an-automount-unnamed-pipe.patch
Patch6017: backport-Allow-dyntransition-from-sshd_t-to-unconfined_t.patch
Patch6018: backport-Allow-initrc_t-create-run-chronyd-dhcp-directory-wit.patch
Patch6019: backport-Update-systemd_resolved_read_pid-to-also-read-symlin.patch
Patch6020: backport-Allow-systemd-resolved-manage-its-private-runtime-sy.patch
Patch6021: backport-Allow-systemd-logind-manage-init-s-pid-files.patch
Patch6022: backport-Add-systemd_resolved_write_pid_sock_files-interface.patch
Patch6023: backport-Allow-nsswitch-domain-write-to-systemd-resolved-PID-.patch
Patch6024: backport-sysnetwork.if-avoid-directly-referencing-systemd_res.patch
Patch6025: backport-Allow-stub-resolv.conf-to-be-a-symlink.patch
Patch6026: backport-Allow-domain-stat-proc-filesystem.patch
Patch6027: backport-Allow-domain-write-to-systemd-resolved-PID-socket-fi.patch
Patch6028: backport-Allow-systemd-machined-manage-systemd-userdbd-runtim.patch
Patch6029: backport-Allow-domain-stat-the-sys-filesystem.patch
Patch6030: backport-Allow-login_userdomain-write-inaccessible-nodes.patch
Patch6031: backport-Allow-local_login_t-get-attributes-of-tmpfs-filesyst.patch
Patch6032: backport-Allow-dhcpc_t-domain-transition-to-chronyc_t.patch
Patch6033: backport-Allow-nsswitch_domain-read-cgroup-files.patch
Patch6034: backport-Allow-IPsec-and-certmonger-to-use-opencryptoki-servi.patch
Patch6035: backport-Create-chronyd_pid_filetrans-interface.patch
Patch6036: backport-iptables.fc-Remove-duplicate-file-context-entries.patch
Patch6037: backport-iptables.fc-Add-missing-legacy-entries.patch
Patch6038: backport-iptables.fc-Add-missing-legacy-restore-and-legacy-sa.patch
Patch6039: backport-Allow-systemd-hostnamed-read-udev-runtime-data.patch
Patch6040: backport-Add-file-context-for-.config-Yubico.patch
Patch6041: backport-Change-transitions-for-.config-Yubico.patch
#Patch6000: backport-Allow-kdump_t-net_admin-capability.patch
Patch9000: add-qemu_exec_t-for-stratovirt.patch
Patch9001: add-avc-for-systemd-selinux-page.patch
Patch9002: add-allow-rasdaemon-cap_sys_admin.patch
BuildArch: noarch
BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
@ -243,13 +191,14 @@ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.p
%{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
rm -f ${FILE_CONTEXT}.pre; \
fi; \
%{_sbindir}/restorecon -R /var/lib/rpm \
if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
continue; \
fi;
%define preInstall() \
if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
for MOD_NAME in ganesha ipa_custodia; do \
for MOD_NAME in ganesha ipa_custodia kdbus; do \
if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \
%{_sbindir}/semodule -n -d $MOD_NAME; \
fi; \
@ -342,13 +291,8 @@ end
%build
%prep
%setup -n %{name}-contrib-27225b9de42be65760194536680c9d596f1a1895 -q -b 1
tar -xf %{SOURCE35}
contrib_path=`pwd`
%setup -n %{name}-9c84d687e0fef5d8e4e25273bd25f58c28a7c67c -q
refpolicy_path=`pwd`
cp $contrib_path/* $refpolicy_path/policy/modules/contrib
%setup -n %{name}-02b35cff10d8743e075379c062f565f2bb97c032 -q
tar -C policy/modules/contrib -xf %{SOURCE35}
%autopatch -p1
@ -365,6 +309,8 @@ touch %{buildroot}%{_sysconfdir}/selinux/config
touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
cp %{SOURCE21} %{buildroot}%{_usr}/lib/tmpfiles.d/
mkdir -p %{buildroot}%{_bindir}
install -m 755 %{SOURCE1} %{buildroot}%{_bindir}/
mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
@ -509,6 +455,7 @@ selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null
exit 0
%files devel
%{_bindir}/macro-expander
%dir %{_usr}/share/selinux/devel
%dir %{_usr}/share/selinux/devel/include
%{_usr}/share/selinux/devel/include/*
@ -785,6 +732,9 @@ exit 0
%endif
%changelog
* Tue Jan 11 2022 lujie42 <lujie42@huawei.com> - 35.5-1
- update selinux-policy-3.14.2 to selinux-policy-35.5-1
* Fri Oct 8 2021 lujie42 <lujie42@huawei.com> -3.14.2-77
- Fix CVE-2020-24612
@ -853,7 +803,7 @@ exit 0
* Sat May 29 2021 luhuaxin <1539327763@qq.com> - 3.14.2-67
- allow kdump_t net_admin capability
* Thu Mar 27 2021 luhuaxin <1539327763@qq.com> - 3.14.2-66
* Sat Mar 27 2021 luhuaxin <1539327763@qq.com> - 3.14.2-66
- allow rpcbind to bind all port
* Fri Mar 5 2021 luhuaxin <1539327763@qq.com> - 3.14.2-65
@ -873,7 +823,7 @@ exit 0
* Thu Sep 24 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.14.2-61
- add add-firewalld-fc.patch
* Thu Sep 22 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.14.2-60
* Tue Sep 22 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.14.2-60
- add allow-systemd-hostnamed-and-logind-read-policy.patch
* Thu Sep 17 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.14.2-59
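Review bot: In the Patch list hunk (@ -50,75 +53,20) `#Patch6000: backport-Allow-kdump_t-net_admin-capability.patch` is left commented out while every other dropped backport (Patch6001–Patch6041) and the old Patch1–Patch23 entries are removed outright, so a reader cannot tell whether the kdump_t net_admin grant is still wanted, already present in upstream 35.5, or deliberately withdrawn; the 3.14.2-67 changelog entry still advertises it. Either delete the line or replace it with a comment that records the decision, e.g. `# kdump_t net_admin backport dropped: already in upstream 35.5` — the upstream status is not visible here and should be confirmed before the wording is chosen. A one-line note above the surviving Patch1–Patch10 block, such as `# local patches not listed below were merged upstream before the 35.5 rebase`, would likewise spare the next rebase from re-auditing the removed entries, since the commit message records only the version change.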


@ -1,52 +0,0 @@
From f14eec646bb7aaef59c4e5a9fa37be21e9797964 Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Thu, 4 Jun 2020 20:41:46 +0800
Subject: [PATCH] solve shutdown permission denied caused by dracut
Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
policy/modules/system/init.te | 2 ++
policy/modules/system/lvm.te | 1 +
policy/modules/system/mount.te | 1 +
3 files changed, 4 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index e3e8b37..73cccdc 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -215,6 +215,8 @@ dev_filetrans(init_t, initctl_t, fifo_file)
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+allow init_t root_t:dir create;
+
kernel_read_system_state(init_t)
kernel_share_state(init_t)
kernel_stream_connect(init_t)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 99babc9..77fb8f7 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -323,6 +323,7 @@ init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
+init_nnp_daemon_domain(lvm_t)
logging_send_syslog_msg(lvm_t)
logging_stream_connect_syslog(lvm_t)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 816066d..e884bf5 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -186,6 +186,7 @@ init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
init_stream_connect_script(mount_t)
init_rw_script_stream_sockets(mount_t)
+init_nnp_daemon_domain(mount_t)
logging_send_syslog_msg(mount_t)
--
1.8.3.1