add avc for openEuler

2020-06-04 20:48:55 +08:00 · 2020-06-04 20:48:55 +08:00 · 8ad71f4dc6
commit 8ad71f4dc6
parent 899b6a7957
7 changed files with 198 additions and 2 deletions
--- a/add-allow-shadow-tool-to-access-sssd-var-lib-file-di.patch
+++ b/add-allow-shadow-tool-to-access-sssd-var-lib-file-di.patch
@ -0,0 +1,31 @@
+From edba62fdaa8115c0c194ad6d86981e8c9692b8e7 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Thu, 4 Jun 2020 21:11:52 +0800
+Subject: [PATCH] add allow shadow tool to access sssd var lib file/dir
+
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
+---
+ policy/modules/admin/usermanage.te | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index 1977309..b8d51ba 100644
+--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
+@@ -666,8 +666,13 @@ optional_policy(`
+ # avc for openEuler
+ #sssd_var_lib_dir(groupadd_t)
+ optional_policy(`
+   sssd_var_lib_dir(groupadd_t)
+ 	sssd_var_lib_map_file(groupadd_t)
+    sssd_var_lib_write_file(groupadd_t)
+   sssd_var_lib_map_file(passwd_t)
+   sssd_var_lib_write_file(passwd_t)
+    sssd_var_lib_map_file(useradd_t)
+    sssd_var_lib_write_file(useradd_t)
+   sssd_var_lib_create_file(useradd_t)
+   sssd_var_lib_dir(useradd_t)
+ ')
+-- 
+1.8.3.1
+
--- a/add-map-to-zerp-device-at-dev_rw_zero-interface.patch
+++ b/add-map-to-zerp-device-at-dev_rw_zero-interface.patch
@ -0,0 +1,25 @@
+From 9c9bbde91da9f0a90ae7e70d71638ec9c2d207da Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Thu, 4 Jun 2020 20:25:12 +0800
+Subject: [PATCH] add map to zerp device at dev_rw_zero interface
+
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
+---
+ policy/modules/kernel/devices.if | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
+index c3659c7..65c21e1 100644
+--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
+@@ -6094,6 +6094,7 @@ interface(`dev_rw_zero',`
+ 	')
+ 
+ 	rw_chr_files_pattern($1, device_t, zero_device_t)
+	allow $1 zero_device_t:chr_file map;
+ ')
+ 
+ ########################################
+-- 
+1.8.3.1
+
--- a/allow-ipmievd-to-read-the-process-state-proc-pid-of-.patch
+++ b/allow-ipmievd-to-read-the-process-state-proc-pid-of-.patch
@ -0,0 +1,26 @@
+From d366d95268da066ab3e1655593010856ecead2d6 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Thu, 4 Jun 2020 20:22:30 +0800
+Subject: [PATCH] allow ipmievd to read the process state (/proc/pid) of init
+
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
+---
+ policy/modules/contrib/ipmievd.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/ipmievd.te b/policy/modules/contrib/ipmievd.te
+index d36f842..2c727c3 100644
+--- a/policy/modules/contrib/ipmievd.te
+++ b/policy/modules/contrib/ipmievd.te
+@@ -46,6 +46,8 @@ dev_read_sysfs(ipmievd_t)
+ files_read_kernel_modules(ipmievd_t)
+ files_map_kernel_modules(ipmievd_t)
+ 
+init_read_state(ipmievd_t)
+
+ logging_send_syslog_msg(ipmievd_t)
+ 
+ miscfiles_read_certs(ipmievd_t)
+-- 
+1.8.3.1
+
--- a/allow-systemd-to-mount-unlabeled-filesystemd.patch
+++ b/allow-systemd-to-mount-unlabeled-filesystemd.patch
@ -0,0 +1,25 @@
+From 79198658c50f0747b4ea8636db7e349bbd6f3571 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Thu, 4 Jun 2020 20:27:15 +0800
+Subject: [PATCH] allow systemd to mount unlabeled filesystemd
+
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
+---
+ policy/modules/system/init.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 8de5b08..e3e8b37 100644
+--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
+@@ -282,6 +282,7 @@ files_dontaudit_mounton_modules_object(init_t)
+ files_manage_mnt_dirs(init_t)
+ files_manage_mnt_files(init_t)
+ files_mounton_etc(init_t)
+files_mounton_isid(init_t)
+ 
+ fs_list_inotifyfs(init_t)
+ # cjp: this may be related to /dev/log
+-- 
+1.8.3.1
+
--- a/fix-selinux-label-for-hostname-digest-list.patch
+++ b/fix-selinux-label-for-hostname-digest-list.patch
@ -0,0 +1,25 @@
+From 7d436dc2f9498bc77d55cbd1da0be8233bdc190e Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Thu, 4 Jun 2020 20:31:18 +0800
+Subject: [PATCH] fix selinux label for hostname digest list
+
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
+---
+ policy/modules/system/systemd.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
+index cfafbfa..bb5e759 100644
+--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
+@@ -3,6 +3,7 @@ HOME_DIR/\.config/systemd/user(/.*)?		gen_context(system_u:object_r:systemd_unit
+ /root/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
+ 
+ /etc/.*hostname.*			--		gen_context(system_u:object_r:hostname_etc_t,s0)
+/etc/[^/]*hostname.*                    --              gen_context(system_u:object_r:hostname_etc_t,s0)
+ /etc/machine-info		--		gen_context(system_u:object_r:hostname_etc_t,s0)
+ /etc/udev/.*hwdb.*	--	gen_context(system_u:object_r:systemd_hwdb_etc_t,s0)
+ 
+-- 
+1.8.3.1
+
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 3.14.2
-Release: 53
+Release: 54
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/

@ -67,7 +67,12 @@ Patch16: add-avc-for-systemd-journald.patch
 Patch17: add-avc-for-systemd-hostnamed-and-systemd-logind.patch
 Patch18: add-allowed-avc-for-systemd-1.patch
 Patch19: add-allow-to-be-access-to-sssd-dir-and-file.patch  
-Patch20: add-allow-passwd-to-write-sssd-var-lib.patch
+Patch20: add-allow-shadow-tool-to-access-sssd-var-lib-file-di.patch
+Patch21: add-map-to-zerp-device-at-dev_rw_zero-interface.patch
+Patch22: allow-ipmievd-to-read-the-process-state-proc-pid-of-.patch
+Patch23: allow-systemd-to-mount-unlabeled-filesystemd.patch
+Patch24: fix-selinux-label-for-hostname-digest-list.patch
+Patch25: solve-shutdown-permission-denied-caused-by-dracut.patch

 BuildArch: noarch
 BuildRequires:  python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
@ -664,6 +669,13 @@ exit 0
 %endif

 %changelog
+* Thu Jun 4 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.14.2-54
+- add map to zerp device at dev_rw_zero interface;
+  allow ipmievd to read the process state (/proc/pid) of init;
+  allow systemd to mount unlabeled filesystemd;
+  fix selinux label for hostname digest list;
+  solve shutdown permission denied caused by dracut
+
 * Sat May 30 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.14.2-53
 - allow passwd to map and write sssd var lib

--- a/solve-shutdown-permission-denied-caused-by-dracut.patch
+++ b/solve-shutdown-permission-denied-caused-by-dracut.patch
@ -0,0 +1,52 @@
+From f14eec646bb7aaef59c4e5a9fa37be21e9797964 Mon Sep 17 00:00:00 2001
+From: guoxiaoqi <guoxiaoqi2@huawei.com>
+Date: Thu, 4 Jun 2020 20:41:46 +0800
+Subject: [PATCH] solve shutdown permission denied caused by dracut
+
+Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
+---
+ policy/modules/system/init.te  | 2 ++
+ policy/modules/system/lvm.te   | 1 +
+ policy/modules/system/mount.te | 1 +
+ 3 files changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index e3e8b37..73cccdc 100644
+--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
+@@ -215,6 +215,8 @@ dev_filetrans(init_t, initctl_t, fifo_file)
+ # Modify utmp.
+ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+ 
+allow init_t root_t:dir create;
+
+ kernel_read_system_state(init_t)
+ kernel_share_state(init_t)
+ kernel_stream_connect(init_t)
+diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
+index 99babc9..77fb8f7 100644
+--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
+@@ -323,6 +323,7 @@ init_use_fds(lvm_t)
+ init_dontaudit_getattr_initctl(lvm_t)
+ init_use_script_ptys(lvm_t)
+ init_read_script_state(lvm_t)
+init_nnp_daemon_domain(lvm_t)
+ 
+ logging_send_syslog_msg(lvm_t)
+ logging_stream_connect_syslog(lvm_t)
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 816066d..e884bf5 100644
+--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
+@@ -186,6 +186,7 @@ init_use_script_ptys(mount_t)
+ init_dontaudit_getattr_initctl(mount_t)
+ init_stream_connect_script(mount_t)
+ init_rw_script_stream_sockets(mount_t)
+init_nnp_daemon_domain(mount_t)
+ 
+ logging_send_syslog_msg(mount_t)
+ 
+-- 
+1.8.3.1
+