update version to 38.6

zgzxx 2023-02-01 16:42:06 +08:00
parent 6ffaf8fb57
commit bd458c8790
134 changed files with 15 additions and 6188 deletions


@ -1,33 +0,0 @@
From 384a8eeec175cc19f18ae74950cb0d8db0e0ce1b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 23 Sep 2022 18:46:54 +0200
Subject: [PATCH] Add bgpd sys_chroot capability
Addresses the following AVC denial:
type=PROCTITLE msg=audit(09/23/2022 13:39:42.856:6958) : proctitle=/usr/sbin/bgpd -R
type=PATH msg=audit(09/23/2022 13:39:42.856:6958) : item=0 name=/var/empty/bgpd inode=644194 dev=00:1e mode=dir,711 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(09/23/2022 13:39:42.856:6958) : arch=x86_64 syscall=chroot success=no exit=EPERM(Operation not permitted) a0=0x55af72eb04e7 a1=0x7f06fcd615b3 a2=0x0 a3=0x7f06fcd46ac0 items=1 ppid=115054 pid=115055 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bgpd exe=/usr/sbin/bgpd subj=system_u:system_r:zebra_t:s0 key=(null)
type=AVC msg=audit(09/23/2022 13:39:42.856:6958) : avc: denied { sys_chroot } for pid=115055 comm=bgpd capability=sys_chroot scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:system_r:zebra_t:s0 tclass=capability permissive=0
Signed-off-by: lujie42 <lujie54@huawei.com>
---
policy/modules/contrib/zebra.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
index 91a604150..bae270d59 100644
--- a/policy/modules/contrib/zebra.te
+++ b/policy/modules/contrib/zebra.te
@@ -40,7 +40,7 @@ files_pid_file(zebra_var_run_t)
# Local policy
#
-allow zebra_t self:capability { setgid setuid net_admin net_raw };
+allow zebra_t self:capability { setgid setuid sys_chroot net_admin net_raw };
dontaudit zebra_t self:capability sys_tty_config;
allow zebra_t self:process { signal_perms getcap setcap };
allow zebra_t self:file rw_file_perms;
--
2.27.0


@ -1,35 +0,0 @@
From 8cc57cc64467d6e60eac92d6ffc9f9d550e948a2 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 21 Sep 2022 17:20:28 +0200
Subject: [PATCH] Add numad the ipc_owner capability
This permission is required when the cpu allocation in a vm definition contains
<vcpu placement="auto" />
which means cpuset option will be configured by querying numad.
Addresses the following AVC denial:
type=AVC msg=audit(1637903670.950:2626): avc: denied { ipc_owner } for pid=72952 comm="numad" capability=15 scontext=system_u:system_r:numad_t:s0-s0:c0.c1023 tcontext=system_u:system_r:numad_t:s0-s0:c0.c1023 tclass=capability permissive=0
Resolves: rhbz#2026968
Signed-off-by: lujie42 <lujie54@huawei.com>
---
policy/modules/contrib/numad.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/numad.te b/policy/modules/contrib/numad.te
index cf8f99b02..97f923b25 100644
--- a/policy/modules/contrib/numad.te
+++ b/policy/modules/contrib/numad.te
@@ -23,7 +23,7 @@ files_pid_file(numad_var_run_t)
# numad local policy
#
-allow numad_t self:capability { kill sys_nice sys_ptrace } ;
+allow numad_t self:capability { ipc_owner kill sys_nice sys_ptrace } ;
allow numad_t self:fifo_file rw_fifo_file_perms;
allow numad_t self:msgq create_msgq_perms;
allow numad_t self:msg { send receive };
--
2.27.0


@ -1,38 +0,0 @@
From 705fc27141d8aeb736fecdd6a6048f59c55f6d1f Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 27 Jul 2022 18:11:34 +0200
Subject: [PATCH] Add permissions to manage lnk_files into
gnome_manage_home_config
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/705fc27141d8aeb736fecdd6a6048f59c55f6d1f
Conflict: NA
The gnome_manage_home_config() interface contains manage_files_pattern()
call for config_home_t files only, but symlinks can be there, too.
Addresses the following AVC denial:
type=AVC msg=audit(1652884370.574:523): avc: denied { unlink } for pid=45745 comm="systemd-user-ru" name="user" dev="tmpfs" ino=240 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=lnk_file permissive=0
Resolves: rhbz#2088269
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/gnome.if | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index 1d62f2a..f52d635 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -1398,7 +1398,8 @@ interface(`gnome_manage_home_config',`
')
manage_files_pattern($1, config_home_t, config_home_t)
- allow $1 config_home_t:file map;
+ manage_lnk_files_pattern($1, config_home_t, config_home_t)
+ allow $1 config_home_t:file map;
')
#######################################
--
1.8.3.1


@ -1,45 +0,0 @@
From 9010f07e78944ccab50bcf3bf2640f6aad3cc8cb Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 30 Mar 2022 21:29:47 +0200
Subject: [PATCH] Add systemd_getattr_generic_unit_files() interface
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9010f07e78944ccab50bcf3bf2640f6aad3cc8cb
Conflict: NA
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/systemd.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 351438c..5567da7 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1597,6 +1597,24 @@ interface(`systemd_unit_file_filetrans',`
#######################################
## <summary>
+## Get attributes of generic systemd unit files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_getattr_generic_unit_files',`
+ gen_require(`
+ type systemd_unit_file_t;
+ ')
+
+ getattr_files_pattern($1, systemd_unit_file_t, systemd_unit_file_t)
+')
+
+#######################################
+## <summary>
## Create a directory in the /usr/lib/systemd/system directory.
## </summary>
## <param name="domain">
--
1.8.3.1


@ -1,48 +0,0 @@
From 88072fd293ddd3e83c0625199d6f0561dcad99d7 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 8 Apr 2022 11:48:14 +0200
Subject: [PATCH] Add the corecmd_watch_bin_dirs() interface
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/88072fd293ddd3e83c0625199d6f0561dcad99d7
Conflict: NA
Note the bin_t type is also used as a default type for files
in /usr/libexec and some additional paths.
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/kernel/corecommands.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
index 70b6b35..d88c5c0 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -201,6 +201,24 @@ interface(`corecmd_dontaudit_write_bin_dirs',`
########################################
## <summary>
+## Watch bin directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corecmd_watch_bin_dirs',`
+ gen_require(`
+ type bin_t;
+ ')
+
+ allow $1 bin_t:dir watch_dir_perms;
+')
+
+########################################
+## <summary>
## Get the attributes of files in bin directories.
## </summary>
## <param name="domain">
--
1.8.3.1


@ -1,46 +0,0 @@
From 4536c1c32c0ed377b1c31aab18819dfb1a46b91e Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 1 Apr 2022 19:21:10 +0200
Subject: [PATCH] Add the init_append_stream_sockets() interface
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/4536c1c32c0ed377b1c31aab18819dfb1a46b91e
Conflict: NA
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/init.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 7bd438e..4b3bb59 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -2789,6 +2789,25 @@ interface(`init_rw_stream_sockets',`
allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
')
+########################################
+## <summary>
+## Allow the specified domain to append to
+## init unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_append_stream_sockets',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_stream_socket append;
+')
+
#######################################
## <summary>
## Allow the specified domain to write to
--
1.8.3.1


@ -1,31 +0,0 @@
From 34264caf221fc43e17aefeeda0d1115eb89655e0 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 7 Feb 2022 18:27:52 +0100
Subject: [PATCH] Add the map permission to common_anon_inode_perm permission
set
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/34264caf221fc43e17aefeeda0d1115eb89655e0
Conflict: NA
Resolves: rhbz#2025714
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/support/obj_perm_sets.spt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 1a2108a..2b84320 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -280,7 +280,7 @@ define(`userfaultfd_anon_inode_perms',`
#
# Anonymous inode files (anon_inode)
#
-define(`userfaultfd_anon_inode_perms',`{ create getattr ioctl read write }')
+define(`userfaultfd_anon_inode_perms',`{ create getattr ioctl map read write }')
########################################
#
--
1.8.3.1


@ -1,45 +0,0 @@
From aa0d31bad83cf8664e5b415b55022deaa0648552 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 2 Aug 2022 16:31:48 +0200
Subject: [PATCH] Add the userdom_prog_run_bpf_userdomain() interface
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/aa0d31bad83cf8664e5b415b55022deaa0648552
Conflict: NA
The userdom_prog_run_bpf_userdomain() interface was added
to allow the caller domain to run bpftool on the userdomain attribute.
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/userdomain.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index aeb2deb..e14a3c5 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -6809,3 +6809,21 @@ template(`userdom_security_admin_template',`
samhain_run($1, $2)
')
')
+#
+########################################
+## <summary>
+## Allow caller domain to run bpftool on userdomain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_prog_run_bpf_userdomain',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:bpf { map_create map_read map_write prog_load prog_run };
+')
--
1.8.3.1


@ -1,32 +0,0 @@
From 51422c4a4277924046514a18b67a38b896d698f0 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 28 Jan 2022 17:40:25 +0100
Subject: [PATCH] Allow ModemManager connect to the unconfined user domain
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/51422c4a4277924046514a18b67a38b896d698f0
Conflict: NA
The modemmanager_t domain was allowed to connect to unconfined_t
over a unix domain stream socket.
Resolves: rhbz#1961571
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/modemmanager.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
index 857ed6b..9a132b2 100644
--- a/policy/modules/contrib/modemmanager.te
+++ b/policy/modules/contrib/modemmanager.te
@@ -82,3 +82,7 @@ optional_policy(`
udev_read_db(modemmanager_t)
udev_manage_pid_files(modemmanager_t)
')
+
+optional_policy(`
+ unconfined_stream_connect(modemmanager_t)
+')
--
1.8.3.1


@ -1,51 +0,0 @@
From f0cb46186be7437cd78c96271938b3902cec10b7 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 26 Jan 2022 10:54:36 +0100
Subject: [PATCH] Allow NetworkManager talk with unconfined user over unix
domain dgram socket
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/f0cb46186be7437cd78c96271938b3902cec10b7
Conflict: NA
This permission is required for wpa_cli be able to communicate with the
wpa_supplicant service in CLI. The wpa control interface socket file is
open in /run/wpa_supplicant, the client socket in /tmp.
This issue possibly started to appear after unconfined_t was removed from the
unpriv_user_domain attribute with the 4b4eec49a55 ("Removed adding to
attribute unpriv_userdomain from userdom_unpriv_type template") commit.
Addresses the following AVC denial:
type=PROCTITLE msg=audit(01/24/2022 02:56:04.040:501) : proctitle=/usr/sbin/wpa_supplicant -g /run/wpa_supplicant/global -c /etc/wpa_supplicant/wpa_supplicant.conf -u -s
type=PATH msg=audit(01/24/2022 02:56:04.040:501) : item=0 name=/tmp/wpa_ctrl_26793-1 inode=730142 dev=fd:01 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/24/2022 02:56:04.040:501) : cwd=/
type=SOCKADDR msg=audit(01/24/2022 02:56:04.040:501) : saddr={ saddr_fam=local path=/tmp/wpa_ctrl_26793-1 }
type=SYSCALL msg=audit(01/24/2022 02:56:04.040:501) : arch=x86_64 syscall=sendto success=yes exit=5 a0=0x5 a1=0x5556370a4860 a2=0x5 a3=0x0 items=1 ppid=1 pid=26219 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(01/24/2022 02:56:04.040:501) : avc: denied { sendto } for pid=26219 comm=wpa_supplicant path=/tmp/wpa_ctrl_26793-1 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
Resolves: rhbz#2044048
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/networkmanager.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 8230910..1a53f51 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -498,6 +498,11 @@ optional_policy(`
openvswitch_stream_connect(NetworkManager_t)
')
+optional_policy(`
+ unconfined_dgram_send(NetworkManager_t)
+')
+
+
tunable_policy(`use_ecryptfs_home_dirs',`
fs_manage_ecryptfs_files(NetworkManager_t)
')
--
1.8.3.1


@ -1,72 +0,0 @@
From 6a6fff9f00a02723d3a9c58e892e12a527df8efa Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 16 Nov 2021 20:50:48 +0100
Subject: [PATCH] Allow PID 1 and dbus-broker IPC with a systemd user session
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6a6fff9f00a02723d3a9c58e892e12a527df8efa
Conflict: NA
systemd-stdio-bridge is invoked using systemd-run to connect to a user
bus from a privileged context:
systemd-run -M.host -PGq --wait -pUser=user1 -pPAMName=login systemd-stdio-bridge -punix:path=${XDG_RUNTIME_DIR}/bus
The commands sequence is as follows:
1. dnf invokes rpm
2. a scriptlet is called from rpm
3. the scriptlet calls /usr/lib/systemd/systemd-update-helper
4. systemd-update-helper calls systemctl --user <uid>@ ...
5. in the systemctl binary, sd-bus invokes systemd-run
6. which invokes systemd-stdio-bridge as the user
7. systemctl communicates with the user manager over the bridge
Refer to this commit for more information:
https://github.com/systemd/systemd/pull/17967/commits/1b630835dff
Addresses the following AVC denials:
----
type=AVC msg=audit(11/15/2021 08:56:59.167:1097) : avc: denied { read write } for pid=458 comm=dbus-broker path=socket:[37803] dev="sockfs" ino=37803 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
type=AVC msg=audit(11/15/2021 08:56:59.168:1098) : avc: denied { read write } for pid=1 comm=systemd path=socket:[37803] dev="sockfs" ino=37803 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(11/15/2021 08:56:59.184:1100) : proctitle=(o-bridge)
type=SYSCALL msg=audit(11/15/2021 08:56:59.184:1100) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x0 a1=TCGETS a2=0x7ffca74d78a0 a3=0x0 items=0 ppid=1 pid=6580 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(o-bridge) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(11/15/2021 08:56:59.184:1100) : avc: denied { ioctl } for pid=6580 comm=(o-bridge) path=socket:[37803] dev="sockfs" ino=37803 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
Resolves: rhbz#2023332
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/dbus.te | 4 ++++
policy/modules/system/init.te | 1 +
2 files changed, 5 insertions(+)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index a426d29..76fb3b6 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -236,6 +236,10 @@ optional_policy(`
')
optional_policy(`
+ userdom_rw_stream(system_dbusd_t)
+')
+
+optional_policy(`
virt_list_sandbox_dirs(system_dbusd_t)
')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b261f08..22e363a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -872,6 +872,7 @@ optional_policy(`
optional_policy(`
userdom_exec_user_bin_files(init_t)
+ userdom_rw_stream(init_t)
')
########################################
--
1.8.3.1


@ -1,46 +0,0 @@
From fd807226d8aeb7a06e4f94974e116feedebaed59 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 6 Jan 2022 09:26:43 +0100
Subject: [PATCH] Allow admin userdomains use socketpair()
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/fd807226d8aeb7a06e4f94974e116feedebaed59
Conflict: NA
In cockpit, the bridge uses socketpair() to communicate to subprocesses.
For executing administrative commands, "sudo cockpit-bridge" is spawned,
and the permissions to read and write from the socket are required.
Simplified reproducer:
$ python3 -c 'import socket, subprocess; r = socket.socketpair(); p = subprocess.Popen(["sudo", "whoami"], stdout=r[0]); print(p.wait()); print(r[1].recv(100))'
sudo succeeds, but recv() hangs as the data flow is blocked.
This commit addresses the following AVC denial:
type=PROCTITLE msg=audit(01/06/2022 03:07:28.526:5532) : proctitle=sudo whoami
type=EXECVE msg=audit(01/06/2022 03:07:28.526:5532) : argc=2 a0=sudo a1=whoami
type=SYSCALL msg=audit(01/06/2022 03:07:28.526:5532) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7f302b08c470 a1=0x7f302b106450 a2=0x7ffe20fef5b8 a3=0xffffffffffffff01 items=2 ppid=567183 pid=567184 auid=admin uid=admin gid=admin euid=root suid=root fsuid=root egid=admin sgid=admin fsgid=admin tty=pts1 ses=6 comm=sudo exe=/usr/bin/sudo subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/06/2022 03:07:28.526:5532) : avc: denied { read write } for pid=567184 comm=sudo path=socket:[690408] dev="sockfs" ino=690408 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
Resolves: rhbz#1814569
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/admin/sudo.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 24ede58..4b8f975 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -58,7 +58,7 @@ template(`sudo_role_template',`
allow $1_sudo_t $3:file read_file_perms;;
allow $1_sudo_t $3:key search;
- allow $1_sudo_t $1_t:unix_stream_socket connectto;
+ allow $1_sudo_t $1_t:unix_stream_socket { connectto read write };
# Enter this derived domain from the user domain
domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
--
1.8.3.1


@ -1,38 +0,0 @@
From 0fa3cc8988c28c5da8b6844cdac0d052ec48dc3b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 12 Jan 2022 17:39:33 +0100
Subject: [PATCH] Allow administrative users the bpf capability
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/0fa3cc8988c28c5da8b6844cdac0d052ec48dc3b
Conflict: NA
The userdom_admin_user_template() template for creating an
administrative user was updated with the bpf capability so that
e. g. users in the sysadm_r role can run perf.
Addresses the following AVC denial:
type=PROCTITLE msg=audit(01/12/2022 10:45:01.065:855) : proctitle=perf record -o /dev/null echo test
type=SYSCALL msg=audit(01/12/2022 10:45:01.065:855) : arch=x86_64 syscall=bpf success=no exit=ENOENT(No such file or directory) a0=BPF_PROG_GET_NEXT_ID a1=0x7fffd756dba0 a2=0x78 a3=0x3b items=0 ppid=9065 pid=9066 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=7 comm=perf exe=/usr/bin/perf subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/12/2022 10:45:01.065:855) : avc: denied { bpf } for pid=9066 comm=perf capability=unknown-capability(39) scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/userdomain.if | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index cb56d28..eea0894 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1640,6 +1640,8 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
+ allow $1_t self:capability2 bpf;
+
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
--
1.8.3.1


@ -1,44 +0,0 @@
From 435388f6b50495a6615b811b129ca6d3020f7355 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 10 Feb 2022 11:38:56 +0100
Subject: [PATCH] Allow alsa bind mixer controls to led triggers
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/435388f6b50495a6615b811b129ca6d3020f7355
Conflict: NA
Since v5.13, the kernel has support to bind certain alsa mixer controls
to LED triggers from userspace to control the mute-LEDS found on some
devices (typically embedded inside the keyboard's mute keys).
To allow that, alsa needs to be able to execute "modprobe snd_ctl_led"
and write to /sys/class/sound/ctl-led/speaker/ and .../mic.
Resolves: rhbz#1958210
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/alsa.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index aee9fe8..3f1a7b0 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -82,12 +82,14 @@ corecmd_exec_bin(alsa_t)
dev_getattr_fs(alsa_t)
dev_read_sound(alsa_t)
-dev_read_sysfs(alsa_t)
+dev_rw_sysfs(alsa_t)
dev_read_urand(alsa_t)
dev_write_sound(alsa_t)
files_search_var_lib(alsa_t)
+modutils_domtrans_kmod(alsa_t)
+
term_dontaudit_use_console(alsa_t)
term_dontaudit_use_generic_ptys(alsa_t)
term_dontaudit_use_all_ptys(alsa_t)
--
1.8.3.1


@ -1,33 +0,0 @@
From d5b75d954771da98c36fb7af90e24a14fb01c184 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 31 Jan 2022 12:47:23 +0100
Subject: [PATCH] Allow alsactl set group Process ID of a process
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d5b75d954771da98c36fb7af90e24a14fb01c184
Conflict: NA
Addresses the following AVC denial:
type=AVC msg=audit(1624169904.74:1152): avc: denied { setpgid } for pid=115535 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=0
Resolves: rhbz#1974051
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/alsa.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 97f3815..aee9fe8 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -43,7 +43,7 @@ systemd_unit_file(alsa_unit_file_t)
allow alsa_t self:capability { dac_read_search setgid setuid ipc_owner sys_nice };
dontaudit alsa_t self:capability { sys_tty_config sys_admin };
-allow alsa_t self:process { getsched setsched signal_perms };
+allow alsa_t self:process { getsched setpgid setsched signal_perms };
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket { accept listen };
--
1.8.3.1


@ -1,33 +0,0 @@
From f540263f5ffcf315b970ca6428b2f04ff5c13f59 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 16 Feb 2022 16:57:08 +0100
Subject: [PATCH] Allow chage domtrans to sssd
Addresses the following AVC denial:
type=PROCTITLE msg=audit(02/15/2022 16:04:12.036:1591) : proctitle=chage -d 0 user
type=PATH msg=audit(02/15/2022 16:04:12.036:1591) : item=0 name=/usr/sbin/sss_cache inode=8920535 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/15/2022 16:04:12.036:1591) : cwd=/root
type=SYSCALL msg=audit(02/15/2022 16:04:12.036:1591) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55a73e1a7250 a1=0x7ffeecce2690 a2=0x7ffeecce2688 a3=0x7f125fce4840 items=1 ppid=104530 pid=104533 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=127 comm=chage exe=/usr/bin/chage subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/15/2022 16:04:12.036:1591) : avc: denied { execute } for pid=104533 comm=chage name=sss_cache dev="vda2" ino=8920535 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=0
Resolves: rhbz#2054718
---
policy/modules/admin/usermanage.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 155fb68..6640310 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -422,6 +422,7 @@ optional_policy(`
')
optional_policy(`
+ sssd_domtrans(passwd_t)
sssd_manage_lib_files(passwd_t)
sssd_manage_public_files(passwd_t)
sssd_read_pid_files(passwd_t)
--
1.8.3.1


@ -1,61 +0,0 @@
From 05e940f535497768c2b4a8c37365b5b5156eda75 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 25 Feb 2022 14:16:52 +0100
Subject: [PATCH] Allow chronyd send a message to sosreport over datagram
socket
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/05e940f535497768c2b4a8c37365b5b5156eda75
Conflict: NA
The sosreport_dgram_send() interface was added.
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/chronyd.te | 4 ++++
policy/modules/contrib/sosreport.if | 18 ++++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 8da80de..142139d 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -175,6 +175,10 @@ optional_policy(`
rolekit_dgram_send(chronyd_t)
')
+optional_policy(`
+ sosreport_dgram_send(chronyd_t)
+')
+
########################################
#
# Local policy
diff --git a/policy/modules/contrib/sosreport.if b/policy/modules/contrib/sosreport.if
index c5fbb7a..44b13a8 100644
--- a/policy/modules/contrib/sosreport.if
+++ b/policy/modules/contrib/sosreport.if
@@ -166,3 +166,21 @@ interface(`sosreport_dbus_chat',`
allow $1 sosreport_t:dbus send_msg;
allow sosreport_t $1:dbus send_msg;
')
+
+########################################
+## <summary>
+## Send a message to sosreport over the datagram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sosreport_dgram_send',`
+ gen_require(`
+ type sosreport_t;
+ ')
+
+ allow $1 sosreport_t:unix_dgram_socket sendto;
+')
--
1.8.3.1


@ -1,47 +0,0 @@
From bd3f86ee9fbae47287d63c496ba936348627122b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 31 Mar 2022 10:55:05 +0200
Subject: [PATCH] Allow chronyd talk with unconfined user over unix domain
dgram socket
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/bd3f86ee9fbae47287d63c496ba936348627122b
Conflict: NA
This permission is required by applications which use the unix datagram
socket to communicate with chronyd directly, e.g. for monitoring
purposes. The other direction of communication is allowed by a rule for
unconfined_domain_type.
Addresses the following AVC denial:
type=PROCTITLE msg=audit(03/17/2022 12:11:19.881:312) : proctitle=/usr/sbin/chronyd
type=PATH msg=audit(03/17/2022 12:11:19.881:312) : item=0 name=/run/chrony/chronyc.sock inode=39486 dev=00:18 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:chronyd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(03/17/2022 12:11:19.881:312) : cwd=/
type=SOCKADDR msg=audit(03/17/2022 12:11:19.881:312) : saddr={ saddr_fam=local path=/run/chrony/chronyc.sock }
type=SYSCALL msg=audit(03/17/2022 12:11:19.881:312) : arch=x86_64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x8 a1=0x7fffeef72f20 a2=0x0 a3=0x0 items=1 ppid=1 pid=680 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(03/17/2022 12:11:19.881:312) : avc: denied { sendto } for pid=680 comm=chronyd path=/run/chrony/chronyc.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
Resolves: rhbz#2065313
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/chronyd.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 142139d..342735b 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -179,6 +179,10 @@ optional_policy(`
sosreport_dgram_send(chronyd_t)
')
+optional_policy(`
+ unconfined_dgram_send(chronyd_t)
+')
+
########################################
#
# Local policy
--
1.8.3.1


@ -1,44 +0,0 @@
From 8ef66bbca8c278a7f9c2c13c792d885324a120e1 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 24 Nov 2021 11:32:40 +0100
Subject: [PATCH] Allow cloud-init dbus chat with systemd-logind
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/8ef66bbca8c278a7f9c2c13c792d885324a120e1
Conflict: NA
When cloud-init executes a user data script to build a new image
template and there are commands using su or sudo, the process goes
through PAM stack for su/sudo which typically includes pam_systemd.
This PAM module calls systemd-logind to create a session for the user.
Then systemd-logind attempts to dbus send the results back to
cloud-init, but SELinux policy did not contain such permissions, which
resulted in 25 seconds delay:
Jan 1 08:00:00 hostname dbus[12345]: [system] Activating via systemd: service name='org.freedesktop.login1' unit='dbus-org.freedesktop.login1.service'
Jan 1 08:00:25 hostname dbus[12345]: [system] Failed to activate service 'org.freedesktop.login1': timed out
Addresses the following AVC denial:
type=USER_AVC msg=audit(1637751660.446:66): pid=652 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.19 spid=723 tpid=1434 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
Resolves: rhbz#2009769
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/cloudform.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/cloudform.te b/policy/modules/contrib/cloudform.te
index 2f19544..80b9cbc 100644
--- a/policy/modules/contrib/cloudform.te
+++ b/policy/modules/contrib/cloudform.te
@@ -105,6 +105,7 @@ miscfiles_read_localization(cloud_init_t)
selinux_validate_context(cloud_init_t)
systemd_dbus_chat_hostnamed(cloud_init_t)
+systemd_dbus_chat_logind(cloud_init_t)
systemd_dbus_chat_timedated(cloud_init_t)
systemd_exec_systemctl(cloud_init_t)
systemd_start_all_services(cloud_init_t)
--
1.8.3.1


@ -1,46 +0,0 @@
From 9eec9eea6b6b74d8835928c32467f6edd749ff0e Mon Sep 17 00:00:00 2001
From: Patrik Koncity <pkoncity@redhat.com>
Date: Fri, 4 Feb 2022 12:04:16 +0100
Subject: [PATCH] Allow confined sysadmin to use tool vipw
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9eec9eea6b6b74d8835928c32467f6edd749ff0e
Conflict: NA
Allow confined sysadmin to use vipw and vigr, which edits passwd,
shadow, group, gshadow.. Dontaudit manage files and dir labeled
with admin_home_t. Also vipw need to use sss_cache tool.
Allow domain transition from sysadm_passwd_t to sssd_exec_t.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2049018
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/admin/usermanage.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index a67fcc4..8fdbfbc 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -501,6 +501,8 @@ init_dontaudit_rw_utmp(sysadm_passwd_t)
logging_send_syslog_msg(sysadm_passwd_t)
userdom_use_unpriv_users_fds(sysadm_passwd_t)
+userdom_dontaudit_manage_admin_dir(sysadm_passwd_t)
+userdom_dontaudit_manage_admin_files(sysadm_passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
@@ -509,6 +511,10 @@ optional_policy(`
nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
')
+optional_policy(`
+ sssd_domtrans(sysadm_passwd_t)
+')
+
########################################
#
# Useradd local policy
--
1.8.3.1


@ -1,62 +0,0 @@
From bf1751a3a139dfb05160330d04f68d4ab89a80f4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 21 Jun 2022 17:45:28 +0200
Subject: [PATCH] Allow dhclient manage pid files used by chronyd
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/bf1751a3a139dfb05160330d04f68d4ab89a80f4
Conflict: NA
The chronyd_manage_pid_files() interface was added.
Resolves: rhbz#2093709
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/chronyd.if | 19 +++++++++++++++++++
policy/modules/system/sysnetwork.te | 1 +
2 files changed, 20 insertions(+)
diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
index cad4d31..d2f5504 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -236,6 +236,25 @@ interface(`chronyd_manage_pid',`
manage_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
')
+########################################
+## <summary>
+## Manage pid files used by chronyd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`chronyd_manage_pid_files',`
+ gen_require(`
+ type chronyd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
+')
+
######################################
## <summary>
## Create objects in /var/run
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 1bb35d1..41b851f 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -201,6 +201,7 @@ optional_policy(`
chronyd_systemctl(dhcpc_t)
chronyd_domtrans(dhcpc_t)
chronyd_domtrans_chronyc(dhcpc_t)
+ chronyd_manage_pid_files(dhcpc_t)
chronyd_read_keys(dhcpc_t)
')
--
1.8.3.1


@ -1,37 +0,0 @@
From 359d7cdc59a69c39c9f1d00890002dc7150b918a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 7 Dec 2021 18:08:01 +0100
Subject: [PATCH] Allow dnsmasq watch /etc/dnsmasq.d directories
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/359d7cdc59a69c39c9f1d00890002dc7150b918a
Conflict: NA
Addresses the following AVC denial:
type=PROCTITLE msg=audit(12/07/2021 09:38:48.124:320) : proctitle=/usr/sbin/dnsmasq
type=PATH msg=audit(12/07/2021 09:38:48.124:320) : item=0 name=/etc/dnsmasq.d inode=29360448 dev=fd:01 mode=dir,755 ouid=root ogid=dnsmasq rdev=00:00 obj=system_u:object_r:dnsmasq_etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(12/07/2021 09:38:48.124:320) : cwd=/
type=SYSCALL msg=audit(12/07/2021 09:38:48.124:320) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x8 a1=0x5586fa914c70 a2=0x88 a3=0x0 items=1 ppid=1 pid=5720 auid=unset uid=dnsmasq gid=dnsmasq euid=dnsmasq suid=dnsmasq fsuid=dnsmasq egid=dnsmasq sgid=dnsmasq fsgid=dnsmasq tty=(none) ses=unset comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null)
type=AVC msg=audit(12/07/2021 09:38:48.124:320) : avc: denied { watch } for pid=5720 comm=dnsmasq path=/etc/dnsmasq.d dev="vda1" ino=29360448 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=0
Resolves: rhbz#2029866
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/dnsmasq.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te
index 0d5c7e4..de7c0c0 100644
--- a/policy/modules/contrib/dnsmasq.te
+++ b/policy/modules/contrib/dnsmasq.te
@@ -52,6 +52,7 @@ allow dnsmasq_t self:rawip_socket create_socket_perms;
read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+watch_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
--
1.8.3.1


@ -1,172 +0,0 @@
From 6956435a4e3cc5a6f0d311f80b31abddd83d9ae5 Mon Sep 17 00:00:00 2001
From: Patrik Koncity <pkoncity@redhat.com>
Date: Mon, 27 Jun 2022 20:37:44 +0800
Subject: [PATCH] Allow domain transition to sssd_t and role access to sssd
When installing some rpm packages, new users or
groups are added to the system using
the groupadd and useradd tools. Then the sss_cache
file with the bin_t label is run and on this file
groupadd and useradd want to setgid and this
trigger SELinux denials. Label the sss_cache binary
as sssd_exec_t and enabling the transition from
groupadd_t and useradd_t to sssd_t. Sssd policy
allowed setgid on this binary.
Reference:https://github.com/fedora-selinux/selinux-policy/commit/bcc321f1719d252b205edf89f82f578c1c309eb0
Conflict: NA
After previous fix in bugzilla arise a SELinux
error with role. Processes running under
unconfined_r do not have access to sssd_t.
Allow domain transition from rpm_script_t to
sssd_t and allow the rpm_script_roles in the
sssd domain.
Reference:https://github.com/fedora-selinux/selinux-policy/commit/25bdcfdf5821ddba2c47fc4306bc43debc4c0f75
Conflict: NA
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2022690
sssd_run_sssd interface allow execute sssd in the
sssd domain, and allow the specified role
the sssd domain.
Reference:https://github.com/fedora-selinux/selinux-policy/commit/d7ef9cf83cb50b4349cb8277c2cd126c17dc629a
Conflict: NA
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/admin/usermanage.te | 18 ++++++++++--------
policy/modules/contrib/rpm.te | 4 ++++
policy/modules/contrib/sssd.fc | 1 +
policy/modules/contrib/sssd.if | 27 +++++++++++++++++++++++++++
policy/modules/contrib/sssd.te | 3 +++
5 files changed, 45 insertions(+), 8 deletions(-)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 5a857e0..b945e3c 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -300,10 +300,11 @@ optional_policy(`
')
optional_policy(`
- sssd_manage_lib_files(groupadd_t)
- sssd_manage_public_files(groupadd_t)
- sssd_read_pid_files(groupadd_t)
- sssd_signal(groupadd_t)
+ sssd_domtrans(groupadd_t)
+ sssd_manage_lib_files(groupadd_t)
+ sssd_manage_public_files(groupadd_t)
+ sssd_read_pid_files(groupadd_t)
+ sssd_signal(groupadd_t)
')
optional_policy(`
@@ -679,10 +680,11 @@ optional_policy(`
')
optional_policy(`
- sssd_manage_lib_files(useradd_t)
- sssd_manage_public_files(useradd_t)
- sssd_read_pid_files(useradd_t)
- sssd_signal(useradd_t)
+ sssd_domtrans(useradd_t)
+ sssd_manage_lib_files(useradd_t)
+ sssd_manage_public_files(useradd_t)
+ sssd_read_pid_files(useradd_t)
+ sssd_signal(useradd_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 9d2f4e6..3f6de12 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -481,6 +481,10 @@ optional_policy(`
')
optional_policy(`
+ sssd_run_sssd(rpm_script_t, rpm_script_roles)
+')
+
+optional_policy(`
tzdata_domtrans(rpm_t)
tzdata_run(rpm_script_t, rpm_script_roles)
')
diff --git a/policy/modules/contrib/sssd.fc b/policy/modules/contrib/sssd.fc
index 2655c75..f51950d 100644
--- a/policy/modules/contrib/sssd.fc
+++ b/policy/modules/contrib/sssd.fc
@@ -3,6 +3,7 @@
/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/sbin/sss_cache -- gen_context(system_u:object_r:sssd_exec_t,s0)
/usr/libexec/sssd/sssd_autofs -- gen_context(system_u:object_r:sssd_exec_t,s0)
/usr/libexec/sssd/sssd_ifp -- gen_context(system_u:object_r:sssd_exec_t,s0)
/usr/libexec/sssd/sssd_nss -- gen_context(system_u:object_r:sssd_exec_t,s0)
diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if
index e1ff0d7..6debe08 100644
--- a/policy/modules/contrib/sssd.if
+++ b/policy/modules/contrib/sssd.if
@@ -429,6 +429,33 @@ interface(`sssd_dontaudit_stream_connect',`
########################################
## <summary>
+## Execute sssd in the sssd domain, and
+## allow the specified role the sssd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sssd_run_sssd',`
+ gen_require(`
+ type sssd_t;
+ attribute_role sssd_roles;
+ ')
+
+ sssd_domtrans($1)
+ roleattribute $2 sssd_roles;
+')
+
+########################################
+## <summary>
## Connect to sssd over a unix stream socket in /var/run.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index b510dca..f64472c 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -5,6 +5,8 @@ policy_module(sssd, 1.2.0)
# Declarations
#
+attribute_role sssd_roles;
+
## <desc>
## <p>
## Allow sssd read, view, and write access to kernel keys with kernel_t type
@@ -22,6 +24,7 @@ gen_tunable(sssd_connect_all_unreserved_ports, false)
type sssd_t;
type sssd_exec_t;
init_daemon_domain(sssd_t, sssd_exec_t)
+role sssd_roles types sssd_t;
type sssd_initrc_exec_t;
init_script_file(sssd_initrc_exec_t)
--
1.8.3.1


@ -1,33 +0,0 @@
From 3befcf9bdea867fca0d980871e251191fe234586 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 22 Jun 2022 21:27:59 +0200
Subject: [PATCH] Allow domain use userfaultfd over all domains
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3befcf9bdea867fca0d980871e251191fe234586
Conflict: NA
Until now, all processes were allowed to use userfaultfd as well other
anon_inodes to get a file descriptor from the same domain.
Since this commit the permissions are allowed between different domains.
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/kernel/domain.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index f1e0bd6..1289b4c 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -121,7 +121,7 @@ neverallow ~{ domain unlabeled_t } *:process *;
# Rules applied to all domains
#
-allow domain self:anon_inode userfaultfd_anon_inode_perms;
+allow domain domain:anon_inode userfaultfd_anon_inode_perms;
# read /proc/(pid|self) entries
allow domain self:dir { list_dir_perms watch_dir_perms };
allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
--
1.8.3.1


@ -1,39 +0,0 @@
From 25bdcfdf5821ddba2c47fc4306bc43debc4c0f75 Mon Sep 17 00:00:00 2001
From: Patrik Koncity <pkoncity@redhat.com>
Date: Mon, 31 Jan 2022 13:06:49 +0100
Subject: [PATCH] Allow domtrans to sssd_t and role access to sssd
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/25bdcfdf5821ddba2c47fc4306bc43debc4c0f75
Conflict: NA
After previous fix in bugzilla arise a SELinux
error with role. Processes running under
unconfined_r do not have access to sssd_t.
Allow domain transition from rpm_script_t to
sssd_t and allow the rpm_script_roles in the
sssd domain.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2022690
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/rpm.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 0866d95..b09dfe1 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -489,6 +489,10 @@ optional_policy(`
')
optional_policy(`
+ sssd_run_sssd(rpm_script_t, rpm_script_roles)
+')
+
+optional_policy(`
tzdata_domtrans(rpm_t)
tzdata_run(rpm_script_t, rpm_script_roles)
')
--
1.8.3.1


@ -1,35 +0,0 @@
From ed80bcd8541d224ec18de995fb7dbb3c1bd5732c Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 7 Jan 2022 17:35:22 +0100
Subject: [PATCH] Allow fcoemon request the kernel to load a module
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/ed80bcd8541d224ec18de995fb7dbb3c1bd5732c
Conflict: NA
Addresses the following AVC denial:
type=AVC msg=audit(1641434692.558:116): avc: denied { module_request } for pid=2995 comm="fcoemon" kmod="8021q" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=SYSCALL msg=audit(1641434692.558:116): arch=x86_64 syscall=ioctl success=no exit=ENOPKG a0=8 a1=8982 a2=7ffdd90301c0 a3=7fec871ae3e0 items=0 ppid=1 pid=2995 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fcoemon exe=/usr/sbin/fcoemon subj=s
Resolves: rhbz#2034463
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/fcoe.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/fcoe.te b/policy/modules/contrib/fcoe.te
index d46768a..18a30e7 100644
--- a/policy/modules/contrib/fcoe.te
+++ b/policy/modules/contrib/fcoe.te
@@ -34,6 +34,8 @@ manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file })
+kernel_request_load_module(fcoemon_t)
+
dev_rw_sysfs(fcoemon_t)
dev_create_sysfs_files(fcoemon_t)
--
1.8.3.1


@ -1,35 +0,0 @@
From 6c9ef9467ee7e7c9d569a102b05869419409b15e Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 27 Jun 2022 09:17:43 +0200
Subject: [PATCH] Allow firewalld read the contents of the sysfs filesystem
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6c9ef9467ee7e7c9d569a102b05869419409b15e
Conflict: NA
Addresses the following AVC denial which is triggered on the firewalld
service start when it tries to read /sys/devices/system/cpu/possible:
type=AVC msg=audit(1656139734.292:232): avc: denied { read } for pid=1396 comm="firewalld" name="possible" dev="sysfs" ino=46 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
Resolves: rhbz#2101062
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/firewalld.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
index 62cb02c..1c2d25e 100644
--- a/policy/modules/contrib/firewalld.te
+++ b/policy/modules/contrib/firewalld.te
@@ -81,7 +81,7 @@ corecmd_exec_bin(firewalld_t)
corecmd_exec_shell(firewalld_t)
dev_read_urand(firewalld_t)
-dev_search_sysfs(firewalld_t)
+dev_read_sysfs(firewalld_t)
domain_use_interactive_fds(firewalld_t)
domain_obj_id_change_exemption(firewalld_t)
--
1.8.3.1


@ -1,44 +0,0 @@
From 02d90bb3e2fc39d67a7d07cec5ca113bd0a53421 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 10 Jan 2022 17:36:15 +0100
Subject: [PATCH] Allow gssproxy access to various system files.
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/02d90bb3e2fc39d67a7d07cec5ca113bd0a53421
Conflict: NA
gssproxy was allowed to:
- read system state information in /proc
- read from random number generator devices (e.g., /dev/random)
- read hardware state information
Resolves: rhbz#2026974
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/gssproxy.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
index f48457c..aa53de0 100644
--- a/policy/modules/contrib/gssproxy.te
+++ b/policy/modules/contrib/gssproxy.te
@@ -41,6 +41,7 @@ files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_fil
kernel_rw_rpc_sysctls(gssproxy_t)
kernel_read_network_state(gssproxy_t)
+kernel_read_system_state(gssproxy_t)
domain_use_interactive_fds(gssproxy_t)
domain_read_all_domains_state(gssproxy_t)
@@ -51,7 +52,9 @@ fs_getattr_all_fs(gssproxy_t)
auth_use_nsswitch(gssproxy_t)
+dev_read_rand(gssproxy_t)
dev_read_urand(gssproxy_t)
+dev_read_sysfs(gssproxy_t)
dev_rw_crypto(gssproxy_t)
logging_send_syslog_msg(gssproxy_t)
--
1.8.3.1


@ -1,42 +0,0 @@
From d0fcb462896c8fb00eaa8f8b3580fffcbefcdf8b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 10 Jan 2022 17:18:30 +0100
Subject: [PATCH] Allow gssproxy read and write z90crypt device
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d0fcb462896c8fb00eaa8f8b3580fffcbefcdf8b
Conflict: NA
This permission is required on s390x systems with the Crypto Express
adapter card. The z90crypt device driver acts as the interface to the
PCI cryptography hardware and performs asynchronous encryption
operations (RSA) as used during the SSL handshake.
Addresses the following AVC denial:
type=PROCTITLE msg=audit(26.11.2021 17:43:04.211:26) : proctitle=/usr/sbin/gssproxy -D
type=AVC msg=audit(26.11.2021 17:43:04.211:26) : avc: denied { read write } for pid=859 comm=gssproxy name=icastats_0 dev="tmpfs" ino=2 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:ica_tmpfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(26.11.2021 17:43:04.211:26) : arch=s390x syscall=openat success=no exit=EACCES(Operace zamítnuta) a0=0xffffffffffffff9c a1=0x3ffdec7c2fb a2=O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC a3=0x180 items=0 ppid=1 pid=859 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gssproxy exe=/usr/sbin/gssproxy subj=system_u:system_r:gssproxy_t:s0 key=(null)
Resolves: rhbz#2026974
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/gssproxy.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
index 18d08d1..872079f 100644
--- a/policy/modules/contrib/gssproxy.te
+++ b/policy/modules/contrib/gssproxy.te
@@ -52,6 +52,7 @@ fs_getattr_all_fs(gssproxy_t)
auth_use_nsswitch(gssproxy_t)
dev_read_urand(gssproxy_t)
+dev_rw_crypto(gssproxy_t)
logging_send_syslog_msg(gssproxy_t)
--
1.8.3.1


@ -1,35 +0,0 @@
From dc1a9f92b95e7adb963383681b8cab44f1e2a044 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 10 Jan 2022 17:25:03 +0100
Subject: [PATCH] Allow gssproxy read, write, and map ica tmpfs files
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/dc1a9f92b95e7adb963383681b8cab44f1e2a044
Conflict: NA
These permissions are necessary for domains working
with the ICA crypto accelerator.
Resolves: rhbz#2026974
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/gssproxy.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
index 872079f..f48457c 100644
--- a/policy/modules/contrib/gssproxy.te
+++ b/policy/modules/contrib/gssproxy.te
@@ -68,6 +68,10 @@ optional_policy(`
')
optional_policy(`
+ ica_rw_map_tmpfs_files(gssproxy_t)
+')
+
+optional_policy(`
ipa_read_lib(gssproxy_t)
')
--
1.8.3.1


@ -1,30 +0,0 @@
From ab3afa4143e5d84daaa27a11743af3a6eb09c3df Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 23 Dec 2021 10:52:01 +0100
Subject: [PATCH] Allow haproxy get attributes of cgroup filesystems
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/ab3afa4143e5d84daaa27a11743af3a6eb09c3df
Conflict: NA
Resolves: rhbz#2035133
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/rhcs.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index 3d9199e..b143e2b 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -665,6 +665,8 @@ dev_list_sysfs(haproxy_t)
dev_read_rand(haproxy_t)
dev_read_urand(haproxy_t)
+fs_getattr_cgroup(haproxy_t)
+
sysnet_dns_name_resolve(haproxy_t)
tunable_policy(`haproxy_connect_any',`
--
1.8.3.1


@ -1,30 +0,0 @@
From b1497c15f68bf0ceac2b19684582266e717bd079 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 23 Dec 2021 10:53:06 +0100
Subject: [PATCH] Allow haproxy get attributes of filesystems with extended
attributes
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/b1497c15f68bf0ceac2b19684582266e717bd079
Conflict: NA
Resolves: rhbz#2035132
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/rhcs.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index b143e2b..c6633bb 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -666,6 +666,7 @@ dev_read_rand(haproxy_t)
dev_read_urand(haproxy_t)
fs_getattr_cgroup(haproxy_t)
+fs_getattr_xattr_fs(haproxy_t)
sysnet_dns_name_resolve(haproxy_t)
--
1.8.3.1


@ -1,34 +0,0 @@
From d98fa390807abca9bc1631f2562d0bba46b67bfd Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 5 Sep 2022 15:39:30 +0200
Subject: [PATCH] Allow httpd read network sysctls
Addresses the following AVC denial:
type=PROCTITLE msg=audit(09/05/2022 15:03:53.634:444) : proctitle=/usr/bin/caddy run --environ --resume
type=PATH msg=audit(09/05/2022 15:03:53.634:444) : item=0 name=/proc/sys/net/core/somaxconn inode=28391 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(09/05/2022 15:03:53.634:444) : arch=x86_64 syscall=openat success=yes exit=8 a0=AT_FDCWD a1=0xc000098c80 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1856 auid=unset uid=caddy gid=caddy euid=caddy suid=caddy fsuid=caddy egid=caddy sgid=caddy fsgid=caddy tty=(none) ses=unset comm=caddy exe=/usr/bin/caddy subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(09/05/2022 15:03:53.634:444) : avc: denied { open } for pid=1856 comm=caddy path=/proc/sys/net/core/somaxconn dev="proc" ino=28391 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/05/2022 15:03:53.634:444) : avc: denied { read } for pid=1856 comm=caddy name=somaxconn dev="proc" ino=28391 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
Resolves: rhbz#2122886
Signed-off-by: lujie42 <lujie54@huawei.com>
---
policy/modules/contrib/apache.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 0e4d4bf87..13e72686c 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -597,6 +597,7 @@ manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
+kernel_read_net_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
kernel_read_network_state(httpd_t)
--
2.27.0


@ -1,64 +0,0 @@
From da5328319db49846fb698d262c13f06230091bfb Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 28 Jan 2022 19:01:45 +0100
Subject: [PATCH] Allow init delete generic tmp named pipes
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/da5328319db49846fb698d262c13f06230091bfb
Conflict: NA
The files_delete_tmp_pipes() interface was added.
Addresses the following AVC denial:
type=AVC msg=audit(1628676879.222:1003): avc: denied { unlink } for pid=1 comm="systemd" name="controller_log_37116" dev="tmpfs" ino=1235 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file permissive=0
Resolves: rhbz#1992562
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/kernel/files.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index bca6f15..53e463c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6153,6 +6153,24 @@ interface(`files_delete_tmp_sockets',`
########################################
## <summary>
+## Delete generic tmp named pipes
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_tmp_pipes',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ delete_fifo_files_pattern($1, tmp_t, tmp_t)
+')
+
+########################################
+## <summary>
## Remove entries from the tmp directory.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a81f5da..09a6925 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -648,6 +648,7 @@ files_read_kernel_modules(init_t)
files_map_kernel_modules(init_t)
files_dontaudit_mounton_isid(init_t)
files_delete_tmp_files(init_t)
+files_delete_tmp_pipes(init_t)
files_delete_tmp_sockets(init_t)
fs_getattr_all_fs(init_t)
fs_manage_cgroup_dirs(init_t)
--
1.8.3.1


@ -1,29 +0,0 @@
From 74d69e714236347f733e83eb1c623148628d89c6 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 26 Sep 2022 17:59:13 +0200
Subject: [PATCH] Allow init map its private tmp files
Addresses the following AVC denial:
type=AVC msg=audit(11/24/2021 01:50:26.378:167) : avc: denied { map } for pid=1414 comm=cpupower-gui-he path=/var/tmp/ffi6reIpN (deleted) dev="nvme0n1p3" ino=88707980 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file permissive=0
Resolves: rhbz#2026228
Signed-off-by: lujie42 <lujie54@huawei.com>
---
policy/modules/system/init.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index c81f0d0be..fd03f1d03 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -208,6 +208,7 @@ manage_dirs_pattern(init_t, init_tmp_t, init_tmp_t)
manage_lnk_files_pattern(init_t, init_tmp_t, init_tmp_t)
manage_sock_files_pattern(init_t, init_tmp_t, init_tmp_t)
files_tmp_filetrans(init_t, init_tmp_t, { file sock_file })
+allow init_t init_tmp_t:file map;
manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t)
manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
--
2.27.0


@ -1,63 +0,0 @@
From a27476b303259a43324be8533ddba68e7a6dd37e Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 2 Feb 2022 16:21:01 +0100
Subject: [PATCH] Allow init read stratis data symlinks
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/a27476b303259a43324be8533ddba68e7a6dd37e
Conflict: NA
Addresses the following AVC denial:
type=AVC msg=audit(02/02/22 09:39:31.790:2813) : avc: denied { read } for pid=1 comm=systemd name=fs1 dev="devtmpfs" ino=363096 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=lnk_file permissive=1
Resolves: rhbz#2048514
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/stratisd.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 4 ++++
2 files changed, 22 insertions(+)
diff --git a/policy/modules/contrib/stratisd.if b/policy/modules/contrib/stratisd.if
index de2427e..32e7e66 100644
--- a/policy/modules/contrib/stratisd.if
+++ b/policy/modules/contrib/stratisd.if
@@ -115,3 +115,21 @@ interface(`stratisd_admin',`
systemd_read_fifo_file_passwd_run($1)
')
')
+
+########################################
+## <summary>
+## Read stratisd data symlinks
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`stratisd_data_read_lnk_files',`
+ gen_require(`
+ type stratisd_data_t;
+ ')
+
+ allow $1 stratisd_data_t:lnk_file read_lnk_file_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 09a6925..033f189 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -839,6 +839,10 @@ optional_policy(`
')
optional_policy(`
+ stratisd_data_read_lnk_files(init_t)
+')
+
+optional_policy(`
systemd_filetrans_named_content(init_t)
systemd_write_inhibit_pipes(init_t)
')
--
1.8.3.1


@ -1,42 +0,0 @@
From 95d7034936ed5f2d01ffcf55a52a5d3c3c8a7825 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 21 Sep 2022 13:41:18 +0200
Subject: [PATCH] Allow init read/write inherited user fifo files
This commit backs the usage of "systemd-run --pipe" when standard input,
output, and error of the transient service are inherited from the
systemd-run command itself. The --pipe switch allows systemd-run to be
used within shell pipelines.
Addresses the following AVC denials:
type=AVC msg=audit(09/21/2022 05:24:28.596:328) : avc: denied { write } for pid=1 comm=systemd path=pipe:[16980] dev="pipefs" ino=16980 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
type=AVC msg=audit(09/21/2022 05:34:12.088:422) : avc: denied { read } for pid=1 comm=systemd path=pipe:[18554] dev="pipefs" ino=18554 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
type=PROCTITLE msg=audit(09/21/2022 05:36:42.853:427) : proctitle=(grep)
type=SYSCALL msg=audit(09/21/2022 05:36:42.853:427) : arch=x86_64 syscall=ioctl success=no exit=EACCES(Permission denied) a0=0x0 a1=TCGETS a2=0x7ffebe2ae1c0 a3=0x0 items=0 ppid=1 pid=1269 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(grep) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(09/21/2022 05:36:42.853:427) : avc: denied { ioctl } for pid=1269 comm=(grep) path=pipe:[18588] dev="pipefs" ino=18588 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
Resolves: rhbz#2036829
Signed-off-by: lujie42 <lujie54@huawei.com>
---
policy/modules/system/init.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 33052c66f..f369aa50e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -413,7 +413,7 @@ userdom_manage_tmp_sockets(init_t)
userdom_delete_user_tmp_files(init_t)
userdom_delete_user_home_content_files(init_t)
userdom_connectto_stream(init_t)
-
+userdom_rw_inherited_user_pipes(init_t)
userdom_transition_login_userdomain(init_t)
userdom_nnp_transition_login_userdomain(init_t)
userdom_noatsecure_login_userdomain(init_t)
--
2.27.0


@ -1,63 +0,0 @@
From 355731c1c456907fc7097257e50e4c0377f17953 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 7 Sep 2022 09:41:19 +0200
Subject: [PATCH] Allow init remount all file_type filesystems
Addresses the following AVC denial:
type=PROCTITLE msg=audit(1650874039.465:8427): proctitle="(coredump)"
type=PATH msg=audit(1650874039.465:8427): item=0 name="/proc/self/fd/4" inode=256 dev=00:32 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:swapfile_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(1650874039.465:8427): arch=c000003e syscall=165 success=yes exit=0 a0=0 a1=7ffeea790a00 a2=0 a3=1021 items=1 ppid=1 pid=208737 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(coredump)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1650874039.465:8427): avc: denied { remount } for pid=208737 comm="(coredump)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:swapfile_t:s0 tclass=filesystem permissive=1
Resolves: rhbz#2125693
Signed-off-by: lujie42 <lujie54@huawei.com>
---
policy/modules/kernel/files.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 2bb2908df..165eb4a12 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1947,6 +1947,24 @@ interface(`files_unmount_all_file_type_fs',`
allow $1 file_type:filesystem unmount;
')
+########################################
+## <summary>
+## Remount all filesystems with the type of a file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_remount_all_file_type_fs',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:filesystem remount;
+')
+
########################################
## <summary>
## Read all non-authentication related
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f369aa50e..c81f0d0be 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -627,6 +627,7 @@ dev_rw_wireless(init_t)
files_search_all(init_t)
files_mounton_all_mountpoints(init_t)
files_unmount_all_file_type_fs(init_t)
+files_remount_all_file_type_fs(init_t)
files_mounton_kernel_symbol_table(init_t)
files_manage_all_pid_dirs(init_t)
files_write_all_pid_sockets(init_t)
--
2.27.0


@ -1,81 +0,0 @@
From 9e2825e96456f95ba535f3809b23ded5b62dd9a9 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 1 Mar 2022 20:20:25 +0100
Subject: [PATCH] Allow init watch and watch_reads user ttys
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9e2825e96456f95ba535f3809b23ded5b62dd9a9
Conflict: NA
The term_watch_user_ttys() and term_watch_reads_user_ttys()
interfaces were added.
Resolves: rhbz#2058823
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/kernel/terminal.if | 36 ++++++++++++++++++++++++++++++++++++
policy/modules/system/init.te | 2 ++
2 files changed, 38 insertions(+)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index b058850..615d215 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -1824,6 +1824,42 @@ interface(`term_dontaudit_use_all_user_ttys',`
term_dontaudit_use_all_ttys($1)
')
+########################################
+## <summary>
+## Watch user tty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_watch_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file watch_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Watch_reads user tty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_watch_reads_user_ttys',`
+ gen_require(`
+ type user_tty_device_t;
+ ')
+
+ allow $1 user_tty_device_t:chr_file watch_reads_chr_file_perms;
+')
+
####################################
## <summary>
## Getattr on the virtio console.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 033f189..a838cdd 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -377,6 +377,8 @@ term_watch_console_dev(init_t)
term_watch_reads_console_dev(init_t)
term_watch_unallocated_ttys(init_t)
term_watch_reads_unallocated_ttys(init_t)
+term_watch_user_ttys(init_t)
+term_watch_reads_user_ttys(init_t)
# Run init scripts.
init_domtrans_script(init_t)
--
1.8.3.1


@ -1,30 +0,0 @@
From c836064999e34f071b4b411c47b87d544cd8f6d4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 31 Aug 2022 18:58:39 +0200
Subject: [PATCH] Allow ipsec_t read/write tpm devices
Addresses the following AVC denial:
type=AVC msg=audit(1652729361.214:334): avc: denied { getattr } for pid=1642 comm="charon" path="/dev/tpmrm0" dev="devtmpfs" ino=135 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=0
Resolves: rhbz#2086926
Signed-off-by: lujie42 <lujie54@huawei.com>
---
policy/modules/system/ipsec.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 43186c0b9..cd432b15f 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -180,6 +180,7 @@ corenet_rw_tun_tap_dev(ipsec_t)
dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
dev_read_urand(ipsec_t)
+dev_rw_tpm(ipsec_t)
domain_use_interactive_fds(ipsec_t)
--
2.27.0


@ -1,33 +0,0 @@
From 72f789dd7c218919a18dd7130d37e92e7a92b994 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 16 Feb 2022 17:40:40 +0100
Subject: [PATCH] Allow iptables list cgroup directories
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/72f789dd7c218919a18dd7130d37e92e7a92b994
Conflict: NA
Addresses the following AVC denial:
[ 1591.423033] audit: type=1400 audit(1632734301.322:867): avc: denied { ioctl } for pid=11021 comm="iptables" path="/sys/fs/cgroup" dev="tmpfs" ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
Resolves: rhbz#2008097
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/iptables.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 495ee29..3374bff 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -51,6 +51,8 @@ files_manage_system_conf_files(iptables_t)
files_etc_filetrans_system_conf(iptables_t)
files_etc_filetrans(iptables_t, system_conf_t, dir)
+fs_list_cgroup_dirs(iptables_t)
+
manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
files_pid_filetrans(iptables_t, iptables_var_run_t, file)
--
1.8.3.1


@ -1,29 +0,0 @@
From db12459fc6360763f7358adff0026577f2d51261 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 31 May 2022 19:51:21 +0200
Subject: [PATCH] Allow iscsid the sys_ptrace userns capability
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/db12459fc6360763f7358adff0026577f2d51261
Conflict: NA
Resolves: rhbz#2086871
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/iscsi.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
index 76a7607..5bcf209 100644
--- a/policy/modules/contrib/iscsi.te
+++ b/policy/modules/contrib/iscsi.te
@@ -36,6 +36,7 @@ files_pid_file(iscsi_var_run_t)
#
allow iscsid_t self:capability { dac_read_search ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource };
+allow iscsid_t self:cap_userns sys_ptrace;
allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file rw_fifo_file_perms;
allow iscsid_t self:unix_stream_socket { accept connectto listen };
--
1.8.3.1


@ -1,42 +0,0 @@
From 7342ec730a9702ec4ba42d6b57c56bc3be82e12b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 12 Apr 2022 19:00:54 +0200
Subject: [PATCH] Allow keepalived setsched and sys_nice
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/7342ec730a9702ec4ba42d6b57c56bc3be82e12b
Conflict: NA
These permissions are particularly required on high load systems
when a keepalived child process may request to use more cpu resouces.
Addresses the following AVC denial:
type=PROCTITLE msg=audit(04/12/22 05:56:21.085:38) : proctitle=/usr/sbin/keepalived -D
type=SYSCALL msg=audit(04/12/22 05:56:21.085:38) : arch=x86_64 syscall=sched_setscheduler success=no exit=EPERM(Operation not permitted) a0=0x41c a1=SCHED_RR|SCHED_RESET_ON_FORK a2=0x7fff2554107c a3=0x0 items=0 ppid=1051 pid=1052 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(04/12/22 05:56:21.085:38) : avc: denied { setsched } for pid=1052 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process permissive=1
type=AVC msg=audit(04/12/22 05:56:21.085:38) : avc: denied { sys_nice } for pid=1052 comm=keepalived capability=sys_nice scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=capability permissive=1
Resolves: rhbz#2008033
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/keepalived.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/keepalived.te b/policy/modules/contrib/keepalived.te
index 831ada9..89bc0d6 100644
--- a/policy/modules/contrib/keepalived.te
+++ b/policy/modules/contrib/keepalived.te
@@ -37,8 +37,8 @@ files_tmpfs_file(keepalived_tmpfs_t)
# keepalived local policy
#
-allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setuid setgid sys_admin sys_ptrace };
-allow keepalived_t self:process { signal_perms getpgid setpgid };
+allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setuid setgid sys_admin sys_nice sys_ptrace };
+allow keepalived_t self:process { signal_perms getpgid setpgid setsched };
allow keepalived_t self:icmp_socket create_socket_perms;
allow keepalived_t self:netlink_socket create_socket_perms;
allow keepalived_t self:netlink_generic_socket create_socket_perms;
--
1.8.3.1


@ -1,36 +0,0 @@
From 747521e0f639f1aec372e87cd2e0cbed13d9416b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 13 Jan 2022 10:15:43 +0100
Subject: [PATCH] Allow kpropd get attributes of cgroup filesystems
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/747521e0f639f1aec372e87cd2e0cbed13d9416b
Conflict: NA
Addresses the following AVC denial:
type=PROCTITLE msg=audit(01/12/2022 17:58:09.626:7104) : proctitle=/usr/sbin/kpropd
type=PATH msg=audit(01/12/2022 17:58:09.626:7104) : item=0 name=/sys/fs/cgroup/ inode=1 dev=00:1b mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(01/12/2022 17:58:09.626:7104) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x7f78a1e413ae a1=0x7ffd080f54c0 a2=0x7f78a2137260 a3=0x0 items=1 ppid=1 pid=132239 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kpropd exe=/usr/sbin/kpropd subj=system_u:system_r:kpropd_t:s0 key=(null)
type=AVC msg=audit(01/12/2022 17:58:09.626:7104) : avc: denied { getattr } for pid=132239 comm=kpropd name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:kpropd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/kerberos.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
index 4289d79..b4d3c3e 100644
--- a/policy/modules/contrib/kerberos.te
+++ b/policy/modules/contrib/kerberos.te
@@ -385,6 +385,8 @@ dev_read_urand(kpropd_t)
files_search_tmp(kpropd_t)
+fs_getattr_cgroup(kpropd_t)
+
selinux_validate_context(kpropd_t)
auth_use_nsswitch(kpropd_t)
--
1.8.3.1


@ -1,33 +0,0 @@
From 81ab7c124eea5b9227589286c69e08f3bbd3fe5e Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 5 Aug 2022 21:13:32 +0200
Subject: [PATCH] Allow launch-xenstored read filesystem sysctls
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/81ab7c124eea5b9227589286c69e08f3bbd3fe5e
Conflict: NA
Addresses the following AVC denial:
Aug 02 13:10:18 doppelganger.flyn.org audit[949]: AVC avc: denied { search } for pid=949 comm="launch-xenstore" name="fs" dev="proc" ino=15591 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=1
Resolves: rhbz#2114498
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/xen.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index c4bee9b..bbda603 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -450,6 +450,8 @@ files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t, { file dir sock_file }
stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t)
+kernel_read_fs_sysctls(xenstored_t)
+
auth_use_nsswitch(xenstored_t)
can_exec(xenstored_t, xenstored_exec_t)
--
1.8.3.1


@ -1,45 +0,0 @@
From e7f00c5591082ab84c055ba250b361eefa19eb0d Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 3 Jan 2022 12:27:28 +0100
Subject: [PATCH] Allow lldpd connect to snmpd with a unix domain stream socket
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/e7f00c5591082ab84c055ba250b361eefa19eb0d
Conflict: NA
If the lldpd service is configured to enable the SNMP subagent
(using the -x option), the lldpd process tries to connect to snmpd's
agentx. By default, the /var/agentx/master socket file is used.
Addresses the following AVC denial:
type=PROCTITLE msg=audit(01/03/22 06:21:57.359:417) : proctitle=/usr/sbin/lldpd -x
type=PATH msg=audit(01/03/22 06:21:57.359:417) : item=0 name=/var/agentx/master nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/03/22 06:21:57.359:417) : cwd=/
type=SOCKADDR msg=audit(01/03/22 06:21:57.359:417) : saddr={ saddr_fam=local path=/var/agentx/master }
type=SYSCALL msg=audit(01/03/22 06:21:57.359:417) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x6 a1=0x5586e8de9980 a2=0x6e a3=0x0 items=1 ppid=1 pid=12595 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null)
type=AVC msg=audit(01/03/22 06:21:57.359:417) : avc: denied { search } for pid=12595 comm=lldpd name=agentx dev="vda1" ino=2034987 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir permissive=0
Resolves: rhbz#1991029
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/lldpad.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
index cccbc09..075893c 100644
--- a/policy/modules/contrib/lldpad.te
+++ b/policy/modules/contrib/lldpad.te
@@ -83,6 +83,10 @@ optional_policy(`
')
optional_policy(`
+ snmp_stream_connect(lldpad_t)
+')
+
+optional_policy(`
sysnet_read_config(lldpad_t)
')
--
1.8.3.1


@ -1,56 +0,0 @@
From c0b38cf988df48613209e48007eefd748480d52f Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 2 Dec 2021 10:55:46 +0100
Subject: [PATCH] Allow lldpd use an snmp subagent over a tcp socket
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/c0b38cf988df48613209e48007eefd748480d52f
Conflict: NA
When lldpd enables an snmp subagent for a tcp socket instead of udp:
LLDPD_OPTIONS="-i -k -X tcp:127.0.0.1:705"
the following permissions are required:
- allow lldpd create and use tcp socket
- name_connect to the agentx_port_t port
Addresses the following AVC denials:
type=PROCTITLE msg=audit(12/02/21 06:16:32.721:425) : proctitle=/usr/sbin/lldpd -i -k -X tcp:127.0.0.1:705
type=SYSCALL msg=audit(12/02/21 06:16:32.721:425) : arch=x86_64 syscall=socket success=yes exit=17 a0=inet a1=SOCK_STREAM a2=ip a3=0x0 items=0 ppid=129230 pid=129232 auid=unset uid=lldpd gid=lldpd euid=lldpd suid=lldpd fsuid=lldpd egid=lldpd sgid=lldpd fsgid=lldpd tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null)
type=AVC msg=audit(12/02/21 06:16:32.721:425) : avc: denied { create } for pid=129232 comm=lldpd scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:lldpad_t:s0 tclass=tcp_socket permissive=1
type=PROCTITLE msg=audit(12/02/21 06:16:32.721:426) : proctitle=/usr/sbin/lldpd -i -k -X tcp:127.0.0.1:705
type=SYSCALL msg=audit(12/02/21 06:16:32.721:426) : arch=x86_64 syscall=connect success=no exit=ECONNREFUSED(Connection refused) a0=0x11 a1=0x7ffff0e22c30 a2=0x10 a3=0x0 items=0 ppid=129230 pid=129232 auid=unset uid=lldpd gid=lldpd euid=lldpd suid=lldpd fsuid=lldpd egid=lldpd sgid=lldpd fsgid=lldpd tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null)
type=AVC msg=audit(12/02/21 06:16:32.721:426) : avc: denied { name_connect } for pid=129232 comm=lldpd dest=705 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:agentx_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(12/02/21 06:16:32.721:426) : avc: denied { connect } for pid=129232 comm=lldpd scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:lldpad_t:s0 tclass=tcp_socket permissive=1
Resolves: rhbz#2028379
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/lldpad.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
index 000fafb..cccbc09 100644
--- a/policy/modules/contrib/lldpad.te
+++ b/policy/modules/contrib/lldpad.te
@@ -32,6 +32,7 @@ allow lldpad_t self:fifo_file rw_fifo_file_perms;
allow lldpad_t self:unix_stream_socket { accept connectto listen };
allow lldpad_t self:netlink_route_socket create_netlink_socket_perms;
allow lldpad_t self:packet_socket create_socket_perms;
+allow lldpad_t self:tcp_socket create_socket_perms;
allow lldpad_t self:udp_socket create_socket_perms;
manage_files_pattern(lldpad_t, lldpad_tmpfs_t, lldpad_tmpfs_t)
@@ -54,6 +55,8 @@ auth_read_passwd(lldpad_t)
corecmd_exec_bin(lldpad_t)
+corenet_tcp_connect_agentx_port(lldpad_t)
+
dev_read_sysfs(lldpad_t)
fs_getattr_tmpfs(lldpad_t)
--
1.8.3.1


@ -1,39 +0,0 @@
From 68f9e4a144df544adc7fa733a64ac505f8189373 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 10 Aug 2022 17:08:03 +0200
Subject: [PATCH] Allow login_userdomain check status of mount units
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/68f9e4a144df544adc7fa733a64ac505f8189373
Conflict: NA
Allow systemd user manager running in the context of the logged user
check status of mount units:
systemctl --user status/show run-user-ID.mount
Addresses the following AVC denial:
Jul 28 11:26:24 hostname systemd[1483]: selinux: avc: denied { status } for auid=1000 uid=1000 gid=1000 path="/proc/self/mountinfo" cmdline="/usr/bin/gnome-shell" function="mac_selinux_filter" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=service permissive=0
Resolves: rhbz#2111834
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/userdomain.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 3ac8c12..5576a97 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -372,6 +372,8 @@ optional_policy(`
############################################################
# login_userdomain local policy
+allow login_userdomain self:service status;
+
corenet_tcp_bind_xmsg_port(login_userdomain)
create_blk_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
--
1.8.3.1


@ -1,72 +0,0 @@
From 7c18d0afc7f6b93319902dc1e5305fe66a060019 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 13 Jan 2022 19:17:31 +0100
Subject: [PATCH] Allow login_userdomain create session_dbusd tmp socket files
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/7c18d0afc7f6b93319902dc1e5305fe66a060019
Conflict: NA
The dbus_create_session_tmp_sock_files() interface was added.
Addresses the following AVC denial:
type=PROCTITLE msg=audit(13.1.2022 18:56:38.180:8372) : proctitle=(systemd)
type=PATH msg=audit(13.1.2022 18:56:38.180:8372) : item=1 name=/run/user/1001/bus inode=40 dev=00:3f mode=socket,666 ouid=staff ogid=staff rdev=00:00 obj=staff_u:object_r:session_dbusd_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(13.1.2022 18:56:38.180:8372) : item=0 name=/run/user/1001/ inode=1 dev=00:3f mode=dir,700 ouid=staff ogid=staff rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SOCKADDR msg=audit(13.1.2022 18:56:38.180:8372) : saddr={ saddr_fam=local path=/run/user/1001/bus }
type=SYSCALL msg=audit(13.1.2022 18:56:38.180:8372) : arch=x86_64 syscall=bind success=yes exit=0 a0=0xc a1=0x562410fef860 a2=0x15 a3=0x0 items=2 ppid=1 pid=24940 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=23 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(13.1.2022 18:56:38.180:8372) : avc: denied { create } for pid=24940 comm=systemd name=bus scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=1
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/dbus.if | 18 ++++++++++++++++++
policy/modules/system/userdomain.te | 4 ++++
2 files changed, 22 insertions(+)
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
index e04af61..deb6f10 100644
--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -901,6 +901,24 @@ interface(`dbus_delete_session_tmp_sock_files',`
########################################
## <summary>
+## Create session_dbusd tmp socket files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_create_session_tmp_sock_files',`
+ gen_require(`
+ type session_dbusd_tmp_t;
+ ')
+
+ create_sock_files_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
+')
+
+########################################
+## <summary>
## Allow systemctl dbus services
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index b936a81..9f778ee 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -404,6 +404,10 @@ optional_policy(`
')
optional_policy(`
+ dbus_create_session_tmp_sock_files(login_userdomain)
+')
+
+optional_policy(`
gnome_watch_generic_data_home_dirs(login_userdomain)
gnome_watch_home_config_dirs(login_userdomain)
gnome_watch_home_config_files(login_userdomain)
--
1.8.3.1


@ -1,34 +0,0 @@
From 2a15cfd1d0705acd84d18f3cdc669cc24ed7492f Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 9 Feb 2022 21:59:23 +0100
Subject: [PATCH] Allow login_userdomain map /var/lib/directories
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/2a15cfd1d0705acd84d18f3cdc669cc24ed7492f
Conflict: NA
Addresses the following AVC denial:
type=PROCTITLE msg=audit(02/09/22 21:26:39.579:1065) : proctitle=/usr/bin/gnome-software --gapplication-service
type=MMAP msg=audit(02/09/22 21:26:39.579:1065) : fd=57 flags=MAP_PRIVATE
type=SYSCALL msg=audit(02/09/22 21:26:39.579:1065) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x16630 a2=PROT_READ a3=MAP_PRIVATE items=0 ppid=1560 pid=2148 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=pool-org.gnome. exe=/usr/bin/gnome-software subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/09/22 21:26:39.579:1065) : avc: denied { map } for pid=2148 comm=pool-org.gnome. path=/var/lib/flatpak/repo/objects/2f/e0503898de4e28a3382ba6d7ecdc0376cabaea9e838991464eb821c46b7ff3.dirtree dev="vda2" ino=387029 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/userdomain.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 32d69b4..69b460f 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -386,6 +386,7 @@ tunable_policy(`deny_bluetooth',`',`
dev_watch_generic_dirs(login_userdomain)
+files_map_var_lib_files(login_userdomain)
files_watch_etc_dirs(login_userdomain)
files_watch_etc_files(login_userdomain)
files_watch_system_conf_dirs(login_userdomain)
--
1.8.3.1


@ -1,40 +0,0 @@
From 4d93e16f67ad41d2f72071f965c780b587303846 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 26 Nov 2021 17:28:14 +0100
Subject: [PATCH] Allow login_userdomain open/read/map system journal
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/4d93e16f67ad41d2f72071f965c780b587303846
Conflict: NA
Addresses the following AVC denial:
type=PROCTITLE msg=audit(27.10.2021 15:45:16.341:455) : proctitle=systemctl status user@1001
type=AVC msg=audit(27.10.2021 15:45:16.341:455) : avc: denied { read } for pid=4764 comm=systemctl name=system.journal dev="tmpfs" ino=429 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(27.10.2021 15:45:16.341:455) : avc: denied { open } for pid=4764 comm=systemctl path=/run/log/journal/edb15570307f47dd805feee9003d4e08/system.journal dev="tmpfs" ino=429 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(27.10.2021 15:45:16.341:455) : arch=x86_64 syscall=openat success=yes exit=6 a0=0xffffff9c a1=0x7fff96d6e1c0 a2=O_RDONLY|O_NONBLOCK|O_CLOEXEC a3=0x0 items=0 ppid=4739 pid=4764 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=pts1 ses=10 comm=systemctl exe=/usr/bin/systemctl subj=user_u:user_r:user_t:s0 key=(null)
Resolves: rhbz#2017838
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/userdomain.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 6a959c5..b936a81 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -410,6 +410,11 @@ optional_policy(`
')
optional_policy(`
+ logging_mmap_journal(login_userdomain)
+ logging_read_syslog_pid(login_userdomain)
+')
+
+optional_policy(`
pkcs_tmpfs_named_filetrans(login_userdomain)
')
--
1.8.3.1


@ -1,35 +0,0 @@
From 63ada8c2bf2277a228524228f5ffcac8e0aed86a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 9 Feb 2022 21:30:24 +0100
Subject: [PATCH] Allow login_userdomain read systemd runtime files
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/63ada8c2bf2277a228524228f5ffcac8e0aed86a
Conflict: NA
Addresses the following AVC denial:
type=PROCTITLE msg=audit(02/09/22 21:25:30.080:274) : proctitle=/usr/lib/systemd/systemd --user
type=PATH msg=audit(02/09/22 21:25:30.080:274) : item=0 name=/run/systemd/user/session.slice.d/99-uresourced.conf inode=1336 dev=00:1a mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/09/22 21:25:30.080:274) : cwd=/
type=SYSCALL msg=audit(02/09/22 21:25:30.080:274) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55d1df498fa0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1465 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/09/22 21:25:30.080:274) : avc: denied { read } for pid=1465 comm=systemd name=99-uresourced.conf dev="tmpfs" ino=1336 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/userdomain.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index bcb3043..f1f68f7 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -406,6 +406,7 @@ mount_watch_reads_pid_files(login_userdomain)
optional_policy(`
init_mmap_read_var_lib_files(login_userdomain)
+ init_read_pid_files(login_userdomain)
')
optional_policy(`
--
1.8.3.1


@ -1,38 +0,0 @@
From 0ed8e5127011aa4a75f57c250b5cc89b71949179 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 13 Jan 2022 22:57:07 +0100
Subject: [PATCH] Allow login_userdomain watch accountsd lib directories
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/0ed8e5127011aa4a75f57c250b5cc89b71949179
Conflict: NA
Addresses the following AVC denial:
type=PROCTITLE msg=audit(3.1.2022 08:48:10.041:403) : proctitle=/usr/bin/plasmashell --no-respawn
type=PATH msg=audit(3.1.2022 08:48:10.041:403) : item=0 name=/var/lib/AccountsService/icons inode=102167247 dev=fd:00 mode=dir,775 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:accountsd_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(3.1.2022 08:48:10.041:403) : arch=x86_64 syscall=inotify_add_watch success=yes exit=16 a0=0xd a1=0x556d0da251b8 a2=0x2000fc6 a3=0x7f74d2859329 items=1 ppid=1775 pid=1944 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=plasmashell exe=/usr/bin/plasmashell subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(3.1.2022 08:48:10.041:403) : avc: denied { watch } for pid=1944 comm=plasmashell path=/var/lib/AccountsService/icons dev="dm-0" ino=102167247 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:accountsd_var_lib_t:s0 tclass=dir permissive=1
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/userdomain.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 86617c3..465e0a3 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -409,6 +409,10 @@ optional_policy(`
')
optional_policy(`
+ accountsd_watch_lib(login_userdomain)
+')
+
+optional_policy(`
dbus_create_session_tmp_sock_files(login_userdomain)
')
--
1.8.3.1


@ -1,35 +0,0 @@
From 7821ccab9e2f62f5d4ac8f2ea8ef45d12f4bb7a2 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 13 Jan 2022 22:38:29 +0100
Subject: [PATCH] Allow login_userdomain watch generic directories in /tmp
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/7821ccab9e2f62f5d4ac8f2ea8ef45d12f4bb7a2
Conflict: NA
Addresses the following AVC denial:
type=PROCTITLE msg=audit(13.1.2022 21:50:49.647:21417) : proctitle=/usr/lib64/firefox/firefox --sm-client-id 10cddccc67000160673165200000017210015
type=PATH msg=audit(13.1.2022 21:50:49.647:21417) : item=0 name=/tmp inode=1 dev=00:25 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(13.1.2022 21:50:49.647:21417) : arch=x86_64 syscall=inotify_add_watch success=yes exit=21 a0=0x50 a1=0x7fee2f76f1d0 a2=0x1002fce a3=0xdaddb2ff3800000 items=1 ppid=1775 pid=1088343 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=GeckoMain exe=/usr/lib64/firefox/firefox subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(13.1.2022 21:50:49.647:21417) : avc: denied { watch } for pid=1088343 comm=GeckoMain path=/tmp dev="tmpfs" ino=1 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/userdomain.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 9f778ee..cc2d309 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -389,6 +389,7 @@ dev_watch_generic_dirs(login_userdomain)
files_watch_etc_dirs(login_userdomain)
files_watch_usr_dirs(login_userdomain)
files_watch_var_lib_dirs(login_userdomain)
+files_watch_generic_tmp_dirs(login_userdomain)
fs_create_cgroup_files(login_userdomain)
fs_watch_cgroup_files(login_userdomain)
--
1.8.3.1


@ -1,37 +0,0 @@
From 6d6afe09b0fd44f074e545d9642b0cc66264486e Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 9 Feb 2022 21:54:36 +0100
Subject: [PATCH] Allow login_userdomain watch library and fonts dirs
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6d6afe09b0fd44f074e545d9642b0cc66264486e
Conflict: NA
Addresses the following AVC denial:
type=PROCTITLE msg=audit(02/09/22 21:48:51.576:15952) : proctitle=/usr/bin/gnome-software --gapplication-service
type=PATH msg=audit(02/09/22 21:48:51.576:15952) : item=0 name=/usr/lib64/gnome-software/plugins-16 inode=31777 dev=00:20 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/09/22 21:48:51.576:15952) : cwd=/home/staff
type=SYSCALL msg=audit(02/09/22 21:48:51.576:15952) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x560c414dd770 a2=0x1002fce a3=0x7ffd82509080 items=1 ppid=1560 pid=2148 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=gmain exe=/usr/bin/gnome-software subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/09/22 21:48:51.576:15952) : avc: denied { watch } for pid=2148 comm=gmain path=/usr/lib64/gnome-software/plugins-16 dev="vda2" ino=31777 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/userdomain.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index a833ada..32d69b4 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -398,6 +398,9 @@ files_watch_generic_tmp_dirs(login_userdomain)
fs_create_cgroup_files(login_userdomain)
fs_watch_cgroup_files(login_userdomain)
+libs_watch_lib_dirs(login_userdomain)
+
+miscfiles_watch_fonts_dirs(login_userdomain)
miscfiles_watch_localization_dirs(login_userdomain)
miscfiles_watch_localization_symlinks(login_userdomain)
--
1.8.3.1


@ -1,74 +0,0 @@
From 04abf1566f6fbd1b87f3d55fa9c09ec59a982b4a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 13 Jan 2022 22:53:08 +0100
Subject: [PATCH] Allow login_userdomain watch localization directories
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/04abf1566f6fbd1b87f3d55fa9c09ec59a982b4a
Conflict: NA
The miscfiles_watch_localization_dirs() interface was added.
Addresses the following AVC denial:
type=PROCTITLE msg=audit(3.1.2022 08:51:36.215:442) : proctitle=/opt/google/chrome/chrome --enable-crashpad
type=PATH msg=audit(3.1.2022 08:51:36.215:442) : item=0 name=/etc/../usr/share/zoneinfo inode=67574433 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:locale_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(3.1.2022 08:51:36.215:442) : cwd=/home/username
type=SYSCALL msg=audit(3.1.2022 08:51:36.215:442) : arch=x86_64 syscall=inotify_add_watch success=yes exit=10 a0=0x18 a1=0xd0a02b08b20 a2=0x10003cc a3=0x0 items=1 ppid=1944 pid=4906 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=ThreadPoolSingl exe=/opt/google/chrome/chrome subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(3.1.2022 08:51:36.215:442) : avc: denied { watch } for pid=4906 comm=ThreadPoolSingl path=/usr/share/zoneinfo dev="dm-0" ino=67574433 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/miscfiles.if | 24 ++++++++++++++++++++++++
policy/modules/system/userdomain.te | 1 +
2 files changed, 25 insertions(+)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index b63a391..e7f73d8 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -557,6 +557,30 @@ interface(`miscfiles_read_localization',`
########################################
## <summary>
+## Allow process to watch localization directories.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to watch localization directories
+## (e.g. /usr/share/zoneinfo/) for changes.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_watch_localization_dirs',`
+ gen_require(`
+ type locale_t;
+ ')
+
+ watch_dirs_pattern($1, locale_t, locale_t)
+')
+
+########################################
+## <summary>
## Allow process to watch localization files.
## </summary>
## <desc>
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 824af18..86617c3 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -397,6 +397,7 @@ files_watch_generic_tmp_dirs(login_userdomain)
fs_create_cgroup_files(login_userdomain)
fs_watch_cgroup_files(login_userdomain)
+miscfiles_watch_localization_dirs(login_userdomain)
miscfiles_watch_localization_symlinks(login_userdomain)
mount_watch_pid_dirs(login_userdomain)
--
1.8.3.1


@ -1,69 +0,0 @@
From bf059ebda558a7735cfdcfb874ecc8bfc2622cb1 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 9 Feb 2022 21:52:01 +0100
Subject: [PATCH] Allow login_userdomain watch system configuration dirs
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/bf059ebda558a7735cfdcfb874ecc8bfc2622cb1
Conflict: NA
The files_watch_system_conf_dirs() interface was added.
Addresses the following AVC denial:
type=PROCTITLE msg=audit(02/09/22 21:28:19.577:2173) : proctitle=/usr/bin/gnome-software --gapplication-service
type=PATH msg=audit(02/09/22 21:28:19.577:2173) : item=0 name=/etc/yum.repos.d inode=432 dev=00:20 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:system_conf_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/09/22 21:28:19.577:2173) : cwd=/home/staff
type=SYSCALL msg=audit(02/09/22 21:28:19.577:2173) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x560c414ea860 a2=0x1002fce a3=0x7ffd82509080 items=1 ppid=1560 pid=2148 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=gmain exe=/usr/bin/gnome-software subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/09/22 21:28:19.577:2173) : avc: denied { watch } for pid=2148 comm=gmain path=/etc/yum.repos.d dev="vda2" ino=432 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=dir permissive=0
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/kernel/files.if | 19 +++++++++++++++++++
policy/modules/system/userdomain.te | 1 +
2 files changed, 20 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 53e463c..b375a7e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5720,6 +5720,25 @@ interface(`files_read_system_conf_files',`
read_lnk_files_pattern($1, etc_t, system_conf_t)
')
+#######################################
+## <summary>
+## Watch manageable system configuration dirs in /etc
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_watch_system_conf_dirs',`
+ gen_require(`
+ type etc_t, system_conf_t;
+ ')
+
+ files_search_etc($1)
+ watch_dirs_pattern($1, system_conf_t, system_conf_t)
+')
+
######################################
## <summary>
## Manage manageable system configuration files in /etc.
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index f1f68f7..a833ada 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -388,6 +388,7 @@ dev_watch_generic_dirs(login_userdomain)
files_watch_etc_dirs(login_userdomain)
files_watch_etc_files(login_userdomain)
+files_watch_system_conf_dirs(login_userdomain)
files_watch_usr_dirs(login_userdomain)
files_watch_usr_files(login_userdomain)
files_watch_var_lib_dirs(login_userdomain)
--
1.8.3.1


@ -1,35 +0,0 @@
From f519626b841561d71f7ef751b446a598871477bf Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 14 Jan 2022 17:13:08 +0100
Subject: [PATCH] Allow login_userdomain watch systemd-logind PID directories
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/f519626b841561d71f7ef751b446a598871477bf
Conflict: NA
Addresses the following AVC denial:
type=PROCTITLE msg=audit(3.1.2022 08:48:02.005:392) : proctitle=/usr/bin/wireplumber
type=PATH msg=audit(3.1.2022 08:48:02.005:392) : item=0 name=/run/systemd/seats/ inode=72 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_logind_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(3.1.2022 08:48:02.005:392) : arch=x86_64 syscall=inotify_add_watch success=yes exit=1 a0=0x11 a1=0x7f214c69d027 a2=0x280 a3=0x0 items=1 ppid=1775 pid=2305 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=wireplumber exe=/usr/bin/wireplumber subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(3.1.2022 08:48:02.005:392) : avc: denied { watch } for pid=2305 comm=wireplumber path=/run/systemd/seats dev="tmpfs" ino=72 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=dir permissive=1
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/userdomain.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 465e0a3..5643687 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -432,6 +432,7 @@ optional_policy(`
')
optional_policy(`
+ systemd_login_watch_pid_dirs(login_userdomain)
systemd_login_watch_session_dirs(login_userdomain)
')
--
1.8.3.1


@ -1,35 +0,0 @@
From b909895c58d7709343e59e24f115d5ede1f46944 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 14 Jan 2022 17:16:43 +0100
Subject: [PATCH] Allow login_userdomain watch systemd-machined PID directories
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/b909895c58d7709343e59e24f115d5ede1f46944
Conflict: NA
Addresses the following AVC denial:
-
type=PROCTITLE msg=audit(3.1.2022 08:48:02.005:393) : proctitle=/usr/bin/wireplumber
type=PATH msg=audit(3.1.2022 08:48:02.005:393) : item=0 name=/run/systemd/machines/ inode=75 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_machined_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(3.1.2022 08:48:02.005:393) : arch=x86_64 syscall=inotify_add_watch success=yes exit=4 a0=0x11 a1=0x7f214c69d052 a2=0x280 a3=0x0 items=1 ppid=1775 pid=2305 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=wireplumber exe=/usr/bin/wireplumber subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(3.1.2022 08:48:02.005:393) : avc: denied { watch } for pid=2305 comm=wireplumber path=/run/systemd/machines dev="tmpfs" ino=75 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_machined_var_run_t:s0 tclass=dir permissive=1
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/userdomain.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 5643687..573ad14 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -434,6 +434,7 @@ optional_policy(`
optional_policy(`
systemd_login_watch_pid_dirs(login_userdomain)
systemd_login_watch_session_dirs(login_userdomain)
+ systemd_machined_watch_pid_dirs(login_userdomain)
')
############################################################
--
1.8.3.1


@ -1,133 +0,0 @@
From 36df7e2855b03c57fd7b3a1ac0d4939fd54a8673 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 9 Sep 2022 09:33:18 +0200
Subject: [PATCH] Allow login_userdomain watch various directories
The inotify_add_watch(2) syscalls are called by plasmashell and some
other processes (chrome, desk-portal, dolphin, kwallet, logout-greeter, systemsettings).
Addresses the following AVC denials examples:
type=PROCTITLE msg=audit(17.8.2022 22:14:39.050:315) : proctitle=/usr/bin/plasmashell --no-respawn
type=PATH msg=audit(17.8.2022 22:14:39.050:315) : item=0 name=/ inode=128 dev=fd:00 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(17.8.2022 22:14:39.050:315) : arch=x86_64 syscall=inotify_add_watch success=yes exit=6 a0=0x9 a1=0x559ff6613b98 a2=0x2000fc6 a3=0x559ff663b226 items=1 ppid=1610 pid=1824 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=plasmashell exe=/usr/bin/plasmashell subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(17.8.2022 22:14:39.050:315) : avc: denied { watch } for pid=1824 comm=plasmashell path=/ dev="dm-0" ino=128 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
type=PROCTITLE msg=audit(22.8.2022 18:35:47.341:4615) : proctitle=/usr/bin/dolphin /run/media/username/0893-C004
type=PATH msg=audit(22.8.2022 18:35:47.341:4615) : item=0 name=/run/media/username/342cbc31-ca2a-4f65-bf60-59f2f3dfdce8 inode=2 dev=08:02 mode=dir,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(22.8.2022 18:35:47.341:4615) : arch=x86_64 syscall=inotify_add_watch success=yes exit=7 a0=0x9 a1=0x55da0ceca788 a2=0x2000fc6 a3=0x55da0d0e6fd6 items=1 ppid=1610 pid=481970 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=dolphin exe=/usr/bin/dolphin subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(22.8.2022 18:35:47.341:4615) : avc: denied { watch } for pid=481970 comm=dolphin path=/run/media/username/342cbc31-ca2a-4f65-bf60-59f2f3dfdce8 dev="sda2" ino=2 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
The rpc_watch_exports() and kernel_watch_unlabeled_dirs() interfaces
were added.
Signed-off-by: lujie42 <lujie54@huawei.com>
---
policy/modules/contrib/rpc.if | 19 +++++++++++++++++++
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/userdomain.te | 13 +++++++++++++
3 files changed, 50 insertions(+)
diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
index 0c6410612..b234bca58 100644
--- a/policy/modules/contrib/rpc.if
+++ b/policy/modules/contrib/rpc.if
@@ -150,6 +150,25 @@ interface(`rpc_manage_exports',`
manage_files_pattern($1, exports_t, exports_t)
')
+########################################
+## <summary>
+## Watch nfs file exports
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpc_watch_exports',`
+ gen_require(`
+ type exports_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 exports_t:file watch_file_perms;
+')
+
########################################
## <summary>
## Execute domain in nfsd domain.
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 8ffd4988f..f669f866c 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2842,6 +2842,24 @@ interface(`kernel_rw_unlabeled_files',`
allow $1 unlabeled_t:file rw_file_perms;
')
+########################################
+## <summary>
+## Watch unlabeled directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_watch_unlabeled_dirs',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:dir watch_dir_perms;
+')
+
########################################
## <summary>
## Do not audit attempts by caller to get the
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 5576a97cb..1cf86a09e 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -386,12 +386,19 @@ tunable_policy(`deny_bluetooth',`',`
allow login_userdomain self:bluetooth_socket rw_stream_socket_perms;
')
+kernel_watch_unlabeled_dirs(login_userdomain)
+
+auth_watch_passwd(login_userdomain)
+
+corecmd_watch_bin_dirs(login_userdomain)
+
dev_watch_generic_dirs(login_userdomain)
files_map_var_lib_files(login_userdomain)
files_read_var_lib_symlinks(login_userdomain)
files_watch_etc_dirs(login_userdomain)
files_watch_etc_files(login_userdomain)
+files_watch_root_dirs(login_userdomain)
files_watch_system_conf_dirs(login_userdomain)
files_watch_usr_dirs(login_userdomain)
files_watch_usr_files(login_userdomain)
@@ -441,10 +448,16 @@ optional_policy(`
pkcs_tmpfs_named_filetrans(login_userdomain)
')
+optional_policy(`
+ rpc_watch_exports(login_userdomain)
+')
+
+
optional_policy(`
systemd_login_watch_pid_dirs(login_userdomain)
systemd_login_watch_session_dirs(login_userdomain)
systemd_machined_watch_pid_dirs(login_userdomain)
+ systemd_resolved_watch_pid_dirs(login_userdomain)
')
############################################################
--
2.27.0


@ -1,49 +0,0 @@
From 0675ab63c83c96dd65d9793c5ff2835253329bba Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 13 Jan 2022 22:43:33 +0100
Subject: [PATCH] Allow login_userdomain watch various files and dirs
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/0675ab63c83c96dd65d9793c5ff2835253329bba
Conflict: NA
Addresses the following AVC denials:
type=PROCTITLE msg=audit(3.1.2022 14:44:22.064:986) : proctitle=/usr/libexec/kscreenlocker_greet --graceTime 75000 --ksldfd 46
type=PATH msg=audit(3.1.2022 14:44:22.064:986) : item=0 name=/etc/fstab inode=100663543 dev=fd:00 mode=file,664 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(3.1.2022 14:44:22.064:986) : arch=x86_64 syscall=inotify_add_watch success=yes exit=2 a0=0x18 a1=0x56518e638958 a2=0xcc6 a3=0x56518e6392d0 items=1 ppid=1881 pid=45075 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=kscreenlocker_g exe=/usr/libexec/kscreenlocker_greet subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(3.1.2022 14:44:22.064:986) : avc: denied { watch } for pid=45075 comm=kscreenlocker_g path=/etc/fstab dev="dm-0" ino=100663543 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=PROCTITLE msg=audit(3.1.2022 14:44:22.064:987) : proctitle=/usr/libexec/kscreenlocker_greet --graceTime 75000 --ksldfd 46
type=PATH msg=audit(3.1.2022 14:44:22.064:987) : item=0 name=/var/run inode=1 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(3.1.2022 14:44:22.064:987) : arch=x86_64 syscall=inotify_add_watch success=yes exit=1 a0=0x1a a1=0x7f74ecdfae35 a2=0x100 a3=0x0 items=1 ppid=1881 pid=45075 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=kscreenlocker_g exe=/usr/libexec/kscreenlocker_greet subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(3.1.2022 14:44:22.064:987) : avc: denied { watch } for pid=45075 comm=kscreenlocker_g path=/run dev="tmpfs" ino=1 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
type=PROCTITLE msg=audit(3.1.2022 14:44:22.213:989) : proctitle=/usr/libexec/kscreenlocker_greet --graceTime 75000 --ksldfd 46
type=PATH msg=audit(3.1.2022 14:44:22.213:989) : item=0 name=/usr/share/plasma/desktoptheme/breeze-dark/metadata.desktop inode=1684078 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(3.1.2022 14:44:22.213:989) : arch=x86_64 syscall=inotify_add_watch success=yes exit=5 a0=0xf a1=0x7f74d8001438 a2=0x2000fc6 a3=0x7f74f2f73329 items=1 ppid=1881 pid=45075 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=kscreenlocker_g exe=/usr/libexec/kscreenlocker_greet subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(3.1.2022 14:44:22.213:989) : avc: denied { watch } for pid=45075 comm=kscreenlocker_g path=/usr/share/plasma/desktoptheme/breeze-dark/metadata.desktop dev="dm-0" ino=1684078 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/userdomain.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index cc2d309..824af18 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -387,8 +387,11 @@ tunable_policy(`deny_bluetooth',`',`
dev_watch_generic_dirs(login_userdomain)
files_watch_etc_dirs(login_userdomain)
+files_watch_etc_files(login_userdomain)
files_watch_usr_dirs(login_userdomain)
+files_watch_usr_files(login_userdomain)
files_watch_var_lib_dirs(login_userdomain)
+files_watch_var_run_dirs(login_userdomain)
files_watch_generic_tmp_dirs(login_userdomain)
fs_create_cgroup_files(login_userdomain)
--
1.8.3.1


@ -1,46 +0,0 @@
From 7d20b237ff092cd615045ff25a3d0c9c741f145d Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 9 Sep 2022 17:22:52 +0200
Subject: [PATCH] Allow login_userdomain write to boltd named pipes
Addresses the following AVC denial:
type=PROCTITLE msg=audit(5.9.2022 23:01:30.921:15103) : proctitle=systemd-stdio-bridge -punix:path=/run/user/1000/bus
type=PATH msg=audit(5.9.2022 23:01:30.921:15103) : item=0 name= inode=32185282 dev=00:08 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(5.9.2022 23:01:30.921:15103) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0x0 a1=0x7f7a005b7093 a2=0x7fff374a7080 a3=0x1000 items=1 ppid=1 pid=1870519 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=10 comm=systemd-stdio-b exe=/usr/bin/systemd-stdio-bridge subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(5.9.2022 23:01:30.921:15103) : avc: denied { getattr } for pid=1870519 comm=systemd-stdio-b path=socket:[32185282] dev="sockfs" ino=32185282 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
Signed-off-by: lujie42 <lujie54@huawei.com>
---
policy/modules/contrib/rpm.if | 2 +-
policy/modules/system/userdomain.te | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
index c6833ba7d..ec09e164d 100644
--- a/policy/modules/contrib/rpm.if
+++ b/policy/modules/contrib/rpm.if
@@ -993,5 +993,5 @@ interface(`rpm_script_rw_stream_sockets',`
type rpm_script_t;
')
- allow $1 rpm_script_t:unix_stream_socket { read write };
+ allow $1 rpm_script_t:unix_stream_socket { rw_socket_perms };
')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 1cf86a09e..bdccda7ea 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -452,6 +452,9 @@ optional_policy(`
rpc_watch_exports(login_userdomain)
')
+optional_policy(`
+ rpm_script_rw_stream_sockets(login_userdomain)
+')
optional_policy(`
systemd_login_watch_pid_dirs(login_userdomain)
--
2.27.0


@ -1,37 +0,0 @@
From d0f957291c4282f74b675e476ccd64d074178e7b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 18 Jan 2022 08:54:45 +0100
Subject: [PATCH] Allow login_userdomain write to session_dbusd tmp socket
files
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d0f957291c4282f74b675e476ccd64d074178e7b
Conflict: NA
Addresses the following AVC denial:
type=PROCTITLE msg=audit(01/17/2022 18:06:43.240:4086) : proctitle=/usr/lib/systemd/systemd --user
type=PATH msg=audit(01/17/2022 18:06:43.240:4086) : item=0 name=/proc/self/fd/27 inode=15 dev=00:34 mode=socket,666 ouid=user31979 ogid=user31979 rdev=00:00 obj=staff_u:object_r:session_dbusd_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/17/2022 18:06:43.240:4086) : cwd=/
type=SYSCALL msg=audit(01/17/2022 18:06:43.240:4086) : arch=x86_64 syscall=utimensat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffd627865d0 a2=0x0 a3=0x0 items=1 ppid=1 pid=97102 auid=user31979 uid=user31979 gid=user31979 euid=user31979 suid=user31979 fsuid=user31979 egid=user31979 sgid=user31979 fsgid=user31979 tty=(none) ses=19 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/17/2022 18:06:43.240:4086) : avc: denied { write } for pid=97102 comm=systemd name=bus dev="tmpfs" ino=15 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/userdomain.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 573ad14..33557e4 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -414,6 +414,7 @@ optional_policy(`
optional_policy(`
dbus_create_session_tmp_sock_files(login_userdomain)
+ dbus_write_session_tmp_sock_files(login_userdomain)
')
optional_policy(`
--
1.8.3.1


@ -1,40 +0,0 @@
From e7afdeddde3b9bc8419032fe753e404947a5f2e9 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 8 Aug 2022 16:53:05 +0200
Subject: [PATCH] Allow openvswitch fsetid capability
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/e7afdeddde3b9bc8419032fe753e404947a5f2e9
Conflict: NA
Working directories used by openvswitch are handled in
/usr/share/openvswitch/scripts/ovs-lib using the install command
with explicit permission mode settings.
Addresses the following AVC denial:
type=PROCTITLE msg=audit(08/08/2022 10:51:16.059:173) : proctitle=install -d -m 755 -o openvswitch -g hugetlbfs /var/run/openvswitch
type=PATH msg=audit(08/08/2022 10:51:16.059:173) : item=0 name=(null) inode=972 dev=00:1a mode=dir,700 ouid=openvswitch ogid=hugetlbfs rdev=00:00 obj=system_u:object_r:openvswitch_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(08/08/2022 10:51:16.059:173) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0x3 a1=0755 a2=0x0 a3=0x1000 items=1 ppid=579 pid=660 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=install exe=/usr/bin/install subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(08/08/2022 10:51:16.059:173) : avc: denied { fsetid } for pid=660 comm=install capability=fsetid scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
Resolves: rhbz#2103487
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/openvswitch.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
index 95acc29..ed4a73d 100644
--- a/policy/modules/contrib/openvswitch.te
+++ b/policy/modules/contrib/openvswitch.te
@@ -35,7 +35,7 @@ systemd_unit_file(openvswitch_unit_file_t)
# openvswitch local policy
#
-allow openvswitch_t self:capability { dac_override dac_read_search fowner net_broadcast net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
+allow openvswitch_t self:capability { dac_override dac_read_search fowner fsetid net_broadcast net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
allow openvswitch_t self:capability2 block_suspend;
allow openvswitch_t self:process { fork setsched setrlimit signal setcap };
allow openvswitch_t self:fifo_file rw_fifo_file_perms;
--
1.8.3.1


@ -1,68 +0,0 @@
From bae18addf147f786b24a7d2fabdaf50629bf2565 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 8 Aug 2022 13:13:35 +0200
Subject: [PATCH] Allow openvswitch search tracefs dirs
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/bae18addf147f786b24a7d2fabdaf50629bf2565
Conflict: NA
Addresses the following AVC denial:
type=PROCTITLE msg=audit(08/08/2022 05:46:18.724:169) : proctitle=modprobe openvswitch
type=KERN_MODULE msg=audit(08/08/2022 05:46:18.724:169) : name=openvswitch
type=SYSCALL msg=audit(08/08/2022 05:46:18.724:169) : arch=x86_64 syscall=init_module success=yes exit=0 a0=0x5630bbc2d8a0 a1=0xbde36 a2=0x5630b96f9cd2 a3=0x5 items=0 ppid=676 pid=680 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:openvswitch_t:s0 key=(null)
type=AVC msg=audit(08/08/2022 05:46:18.724:169) : avc: denied { search } for pid=680 comm=modprobe name=events dev="tracefs" ino=69 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
The fs_search_tracefs_dirs() interface was added.
Resolves: rhbz#2103487
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/openvswitch.te | 1 +
policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
2 files changed, 19 insertions(+)
diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
index 3092492..9ed1587 100644
--- a/policy/modules/contrib/openvswitch.te
+++ b/policy/modules/contrib/openvswitch.te
@@ -109,6 +109,7 @@ fs_getattr_all_fs(openvswitch_t)
fs_search_cgroup_dirs(openvswitch_t)
fs_manage_hugetlbfs_files(openvswitch_t)
fs_manage_hugetlbfs_dirs(openvswitch_t)
+fs_search_tracefs_dirs(openvswitch_t)
auth_use_nsswitch(openvswitch_t)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 90b8393..34de37d 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -6924,6 +6924,24 @@ interface(`fs_rw_onload_sockets',`
########################################
## <summary>
+## Search tracefs_t directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_search_tracefs_dirs',`
+ gen_require(`
+ type tracefs_t;
+ ')
+
+ search_dirs_pattern($1, tracefs_t, tracefs_t)
+')
+
+########################################
+## <summary>
## Read and write tracefs_t files
## </summary>
## <param name="domain">
--
1.8.3.1


@ -1,44 +0,0 @@
From 33b66b726be702dd0cdc26521381d7ba33e2bf84 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 8 Aug 2022 16:52:19 +0200
Subject: [PATCH] Allow openvswitch use its private tmpfs files and dirs
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/33b66b726be702dd0cdc26521381d7ba33e2bf84
Conflict: NA
Addresses the following AVC denial:
Jul 29 19:58:32.669000 localhost audit[985]: AVC avc: denied { write } for pid=985 comm="ovsdb-server" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
Resolves: rhbz#1988164
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/openvswitch.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
index 9ed1587..95acc29 100644
--- a/policy/modules/contrib/openvswitch.te
+++ b/policy/modules/contrib/openvswitch.te
@@ -21,6 +21,9 @@ logging_log_file(openvswitch_log_t)
type openvswitch_tmp_t;
files_tmp_file(openvswitch_tmp_t)
+type openvswitch_tmpfs_t;
+files_tmpfs_file(openvswitch_tmpfs_t)
+
type openvswitch_var_run_t;
files_pid_file(openvswitch_var_run_t)
@@ -68,6 +71,9 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
manage_sock_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir sock_file })
+manage_dirs_pattern(openvswitch_t, openvswitch_tmpfs_t, openvswitch_tmpfs_t)
+fs_tmpfs_filetrans(openvswitch_t, openvswitch_tmpfs_t, dir)
+
manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
--
1.8.3.1


@ -1,77 +0,0 @@
From b821da04f48bfc97b4e214df7e17326df0c5ed7a Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Tue, 6 Sep 2022 15:19:59 +0200
Subject: [PATCH] Allow pcp pmcd search tracefs and acct_data dirs
Allow Performance Metrics Domain Agent (PMDA) search accesses on the directory /sys/kernel/tracing.
Addresses the following AVC denial:
type=AVC msg=audit(1642589553.515:244): avc: denied { search } for pid=2039 comm="pmdakvm" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
Resolves: bz#2041845
Allow pmdaproc search accesses on the directory /var/account.
Add interface to allow search process accounting data.
Addresses the following AVC denial:
type=AVC msg=audit(1642589553.499:243): avc: denied { search } for pid=2036 comm="pmdaproc" name="account" dev="sdf1" ino=9175045 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:acct_data_t:s0 tclass=dir permissive=0
Resolves: bz#2041843
Signed-off-by: lujie42 <lujie54@huawei.com>
---
policy/modules/contrib/acct.if | 18 ++++++++++++++++++
policy/modules/contrib/pcp.te | 5 +++++
2 files changed, 23 insertions(+)
diff --git a/policy/modules/contrib/acct.if b/policy/modules/contrib/acct.if
index bc4038b45..86dcc1d5f 100644
--- a/policy/modules/contrib/acct.if
+++ b/policy/modules/contrib/acct.if
@@ -60,6 +60,24 @@ interface(`acct_exec_data',`
can_exec($1, acct_data_t)
')
+########################################
+## <summary>
+## Search process accounting data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acct_search_data',`
+ gen_require(`
+ type acct_data_t;
+ ')
+
+ search_dirs_pattern($1, acct_data_t, acct_data_t)
+')
+
########################################
## <summary>
## Create, read, write, and delete
diff --git a/policy/modules/contrib/pcp.te b/policy/modules/contrib/pcp.te
index 66200d46f..920456afc 100644
--- a/policy/modules/contrib/pcp.te
+++ b/policy/modules/contrib/pcp.te
@@ -146,6 +146,7 @@ fs_getattr_all_dirs(pcp_pmcd_t)
fs_list_cgroup_dirs(pcp_pmcd_t)
fs_read_cgroup_files(pcp_pmcd_t)
fs_read_nfsd_files(pcp_pmcd_t)
+fs_search_tracefs_dirs(pcp_pmcd_t)
init_read_utmp(pcp_pmcd_t)
@@ -159,6 +160,10 @@ storage_raw_read_fixed_disk(pcp_pmcd_t)
userdom_read_user_tmp_files(pcp_pmcd_t)
userdom_manage_unpriv_user_semaphores(pcp_pmcd_t)
+optional_policy(`
+ acct_search_data(pcp_pmcd_t)
+')
+
optional_policy(`
cron_read_pid_files(pcp_pmcd_t)
')
--
2.27.0


@ -1,29 +0,0 @@
From dd7761e72c40b6d826a760ea9167ca17dec8c546 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 8 Apr 2022 14:10:08 +0200
Subject: [PATCH] Allow pcscd the sys_ptrace userns capability
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/dd7761e72c40b6d826a760ea9167ca17dec8c546
Conflict: NA
Resolves: rhbz#2073169
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/pcscd.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index 1fdd845..d0d83da 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -24,6 +24,7 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
allow pcscd_t self:capability { dac_read_search fsetid };
dontaudit pcscd_t self:capability { sys_admin };
allow pcscd_t self:capability2 { wake_alarm };
+allow pcscd_t self:cap_userns sys_ptrace;
allow pcscd_t self:process { signal signull };
dontaudit pcscd_t self:process setsched;
allow pcscd_t self:fifo_file rw_fifo_file_perms;
--
1.8.3.1


@ -1,32 +0,0 @@
From 57b29111318880eb60e2fed57b7117e87b6ece24 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 8 Aug 2022 17:46:46 +0200
Subject: [PATCH] Allow pmdalinux read files on an nfsd filesystem
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/57b29111318880eb60e2fed57b7117e87b6ece24
Conflict: NA
Addresses the following AVC denial:
type=AVC msg=audit(1659885488.520:327): avc: denied { search } for pid=1394 comm="pmdalinux" name="/" dev="nfsd" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=1
Resolves: rhbz#2116153
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/pcp.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/pcp.te b/policy/modules/contrib/pcp.te
index c10717d..66200d4 100644
--- a/policy/modules/contrib/pcp.te
+++ b/policy/modules/contrib/pcp.te
@@ -145,6 +145,7 @@ fs_getattr_all_fs(pcp_pmcd_t)
fs_getattr_all_dirs(pcp_pmcd_t)
fs_list_cgroup_dirs(pcp_pmcd_t)
fs_read_cgroup_files(pcp_pmcd_t)
+fs_read_nfsd_files(pcp_pmcd_t)
init_read_utmp(pcp_pmcd_t)
--
1.8.3.1


@ -1,35 +0,0 @@
From 3b46ee3ddbcc41a754d824bc4411a8c022e17390 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 2 Aug 2022 16:45:44 +0200
Subject: [PATCH] Allow pmie read network state information and network sysctls
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3b46ee3ddbcc41a754d824bc4411a8c022e17390
Conflict: NA
Addresses the following AVC denial:
type=PROCTITLE msg=audit(08/02/2022 11:34:16.597:12831) : proctitle=/usr/bin/pmie -b -F -P -l /var/log/pcp/pmie/ip-172-31-24-64.us-east-2.compute.internal/pmie.log -c config.default
type=PATH msg=audit(08/02/2022 11:34:16.597:12831) : item=0 name=/proc/net/if_inet6 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(08/02/2022 11:34:16.597:12831) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7f4aa35486d5 a1=F_OK a2=0x0 a3=0x8 items=1 ppid=1 pid=284086 auid=unset uid=pcp gid=pcp euid=pcp suid=pcp fsuid=pcp egid=pcp sgid=pcp fsgid=pcp tty=(none) ses=unset comm=pmie exe=/usr/bin/pmie subj=system_u:system_r:pcp_pmie_t:s0 key=(null)
type=AVC msg=audit(08/02/2022 11:34:16.597:12831) : avc: denied { read } for pid=284086 comm=pmie name=net dev="proc" ino=4026531845 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=0
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/pcp.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/pcp.te b/policy/modules/contrib/pcp.te
index f1c2804..c10717d 100644
--- a/policy/modules/contrib/pcp.te
+++ b/policy/modules/contrib/pcp.te
@@ -230,6 +230,8 @@ allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
allow pcp_pmie_t pcp_pmcd_t:process signal;
+kernel_read_net_sysctls(pcp_pmie_t)
+kernel_read_network_state(pcp_pmie_t)
kernel_read_system_state(pcp_pmie_t)
kernel_dontaudit_request_load_module(pcp_pmie_t)
--
1.8.3.1


@ -1,33 +0,0 @@
From 699f4dcf2a9b39a02427bd859c91c625e11998a6 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 8 Apr 2022 15:50:13 +0200
Subject: [PATCH] Allow pppd create a file in the locks directory
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/699f4dcf2a9b39a02427bd859c91c625e11998a6
Conflict: NA
So far, a rule for creating a private lock dir was defined in the
policy. Since this commit there is also a rule for a plain file.
Resolves: rhbz#2022902
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/ppp.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
index c2da84b..9b08134 100644
--- a/policy/modules/contrib/ppp.te
+++ b/policy/modules/contrib/ppp.te
@@ -106,7 +106,7 @@ manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)
-files_lock_filetrans(pppd_t, pppd_lock_t, dir)
+files_lock_filetrans(pppd_t, pppd_lock_t, { dir file })
files_search_locks(pppd_t)
manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)
--
1.8.3.1


@ -1,29 +0,0 @@
From dbb20e7f9fb98fc322d925b66da0abc7258957cf Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 9 Nov 2021 18:35:11 +0100
Subject: [PATCH] Allow redis get attributes of filesystems with extended
attributes
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/dbb20e7f9fb98fc322d925b66da0abc7258957cf
Conflict: NA
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/redis.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index 093f28d..fb6a3dc 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -99,6 +99,7 @@ tunable_policy(`redis_enable_notify',`
corecmd_exec_shell(redis_t)
fs_getattr_tmpfs(redis_t)
+ fs_getattr_xattr_fs(redis_t)
')
optional_policy(`
--
1.8.3.1


@ -1,29 +0,0 @@
From 174740ce047312bb8e3ca19b3ee95766f0dc55b4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 7 Dec 2021 15:17:15 +0100
Subject: [PATCH] Allow rhsmcertd get attributes of tmpfs_t filesystems
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/174740ce047312bb8e3ca19b3ee95766f0dc55b4
Conflict: NA
Resolves: rhbz#2015820
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/rhsmcertd.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/rhsmcertd.te b/policy/modules/contrib/rhsmcertd.te
index abd3227..7ebff7b 100644
--- a/policy/modules/contrib/rhsmcertd.te
+++ b/policy/modules/contrib/rhsmcertd.te
@@ -101,6 +101,7 @@ files_create_boot_flag(rhsmcertd_t)
files_dontaudit_write_all_mountpoints(rhsmcertd_t)
fs_dontaudit_write_configfs_dirs(rhsmcertd_t)
+fs_getattr_tmpfs(rhsmcertd_t)
fs_read_xenfs_files(rhsmcertd_t)
auth_map_passwd(rhsmcertd_t)
--
1.8.3.1


@ -1,36 +0,0 @@
From 62d5fd70550ba0f6564c5240c369c421b1415eb9 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 3 Mar 2022 16:57:41 +0100
Subject: [PATCH] Allow rngd drop privileges via setuid/setgid/setcap
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/62d5fd70550ba0f6564c5240c369c421b1415eb9
Conflict: NA
The rngd service starts as root to be able to access some resources
like /dev/hwrng, then it drops capabilities and changes ruid/euid/suid
and rgid/egid/sgid.
Resolves: rhbz#2058914
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/rngd.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
index 316d210..ca8c996 100644
--- a/policy/modules/contrib/rngd.te
+++ b/policy/modules/contrib/rngd.te
@@ -30,8 +30,8 @@ files_pid_file(rngd_var_run_t)
# Local policy
#
-allow rngd_t self:capability { ipc_lock sys_admin };
-allow rngd_t self:process { setsched signal };
+allow rngd_t self:capability { ipc_lock setgid setuid sys_admin };
+allow rngd_t self:process { setcap setsched signal };
allow rngd_t self:fifo_file rw_fifo_file_perms;
allow rngd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow rngd_t self:unix_stream_socket { accept listen };
--
1.8.3.1


@ -1,36 +0,0 @@
From d99577b16e8be3de46528fa81133efd2dd40b7c5 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 14 Mar 2022 12:51:49 +0100
Subject: [PATCH] Allow rpmdb create directory in /usr/lib/sysimage
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d99577b16e8be3de46528fa81133efd2dd40b7c5
Conflict: NA
With the 5f69c12c67d (Support /usr/lib/sysimage/rpm as the rpmdb path)
commit, the policy supports relocation of the rpmdb path to
/usr/lib/sysimage/rpm. The rpm-rebuilddb command needs to have a file
transition defined for the new path, too, which also needs to be without
a directory name as the new directory is created as
/usr/lib/sysimage/rpmrebuilddb.PID.
Resolves: rhbz#2061141
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/rpm.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index b09dfe1..247f1fa 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -265,6 +265,7 @@ allow rpmdb_t rpmdb_tmp_t:file map;
manage_dirs_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
manage_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
+files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir)
files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir)
manage_dirs_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t)
--
1.8.3.1


@ -1,39 +0,0 @@
From f402b06808835ad1a8aa393739efff1e40eaf8e8 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 16 Nov 2021 22:37:25 +0100
Subject: [PATCH] Allow rpmdb read admin home config files
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/f402b06808835ad1a8aa393739efff1e40eaf8e8
Conflict: NA
Addresses the following AVC denial:
type=PROCTITLE msg=audit(11/16/2021 16:31:45.105:1455) : proctitle=/usr/bin/rpmdb --rebuilddb
type=PATH msg=audit(11/16/2021 16:31:45.105:1455) : item=0 name=/root/.rpmmacros inode=110039 dev=00:1f mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/16/2021 16:31:45.105:1455) : cwd=/root
type=SYSCALL msg=audit(11/16/2021 16:31:45.105:1455) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x560b2126e2a0 a2=O_RDONLY a3=0x0 items=1 ppid=40819 pid=59445 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=20 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/16/2021 16:31:45.105:1455) : avc: denied { open } for pid=59445 comm=rpmdb path=/root/.rpmmacros dev="sda2" ino=110039 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
Resolves: rhbz#2023163
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/rpm.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 9d2f4e6..f01d07c 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -279,6 +279,10 @@ files_rw_inherited_non_security_files(rpmdb_t)
sysnet_dontaudit_read_config(rpmdb_t)
+optional_policy(`
+ userdom_read_admin_home_files(rpmdb_t)
+')
+
########################################
#
# rpm-script Local policy
--
1.8.3.1


@ -1,39 +0,0 @@
From c1d7b1ba04a91894032b88bec9d9e76b27678a3d Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 16 Nov 2021 22:42:02 +0100
Subject: [PATCH] Allow rpmdb read generic SSL certificates
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/c1d7b1ba04a91894032b88bec9d9e76b27678a3d
Conflict: NA
Addresses the following AVC denials:
type=PROCTITLE msg=audit(11/16/2021 16:29:00.780:1008) : proctitle=/usr/bin/rpmdb --rebuilddb
type=PATH msg=audit(11/16/2021 16:29:00.780:1008) : item=0 name=/etc/pki/tls/openssl.cnf inode=145355 dev=fc:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cert_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/16/2021 16:29:00.780:1008) : cwd=/mnt/testarea/test
type=SYSCALL msg=audit(11/16/2021 16:29:00.780:1008) : arch=x86_64 syscall=openat success=yes exit=10 a0=0xffffff9c a1=0x5579d5c35320 a2=O_RDONLY a3=0x0 items=1 ppid=1344 pid=4427 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/16/2021 16:29:00.780:1008) : avc: denied { open } for pid=4427 comm=rpmdb path=/etc/pki/tls/openssl.cnf dev="vda1" ino=145355 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(11/16/2021 16:29:00.780:1008) : avc: denied { search } for pid=4427 comm=rpmdb name=pki dev="vda1" ino=136481 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/rpm.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index f01d07c..0866d95 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -280,6 +280,10 @@ files_rw_inherited_non_security_files(rpmdb_t)
sysnet_dontaudit_read_config(rpmdb_t)
optional_policy(`
+ miscfiles_read_generic_certs(rpmdb_t)
+')
+
+optional_policy(`
userdom_read_admin_home_files(rpmdb_t)
')
--
1.8.3.1


@ -1,35 +0,0 @@
From 5269978ad17fff8988f94a2327fa750e5d70c14d Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 2 Feb 2022 11:29:39 +0100
Subject: [PATCH] Allow sanlock get attributes of filesystems with extended
attributes
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/5269978ad17fff8988f94a2327fa750e5d70c14d
Conflict: NA
Addresses the following AVC denial:
type=PROCTITLE msg=audit(01/28/2022 09:41:01.094:1832) : proctitle=/usr/sbin/sanlock daemon
type=AVC msg=audit(01/28/2022 09:41:01.094:1832) : avc: denied { getattr } for pid=37165 comm=sanlock name=/ dev="dm-3" ino=128 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
type=SYSCALL msg=audit(01/28/2022 09:41:01.094:1832) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x7fdade30b49d a1=0x7ffeeeb41a70 a2=0x49 a3=0x1000 items=0 ppid=1 pid=37165 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null)
Resolves: rhbz#2047811
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/sanlock.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/sanlock.te b/policy/modules/contrib/sanlock.te
index 04bd655..914062b 100644
--- a/policy/modules/contrib/sanlock.te
+++ b/policy/modules/contrib/sanlock.te
@@ -96,6 +96,7 @@ domain_use_interactive_fds(sanlock_t)
files_read_mnt_symlinks(sanlock_t)
fs_getattr_cgroup(sanlock_t)
+fs_getattr_xattr_fs(sanlock_t)
fs_rw_cephfs_files(sanlock_t)
storage_raw_rw_fixed_disk(sanlock_t)
--
1.8.3.1


@ -1,82 +0,0 @@
From 051d2d7821542cb9dd4555f97a684c28a1861d1a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 9 Aug 2022 15:25:45 +0200
Subject: [PATCH] Allow services execute systemd-notify
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/051d2d7821542cb9dd4555f97a684c28a1861d1a
Conflict: NA
With the ea76c5e8b58 ("Allow some domains use sd_notify()") commit,
daemon and unconfined_service_t were allowed permissions required
to use the sd_notify() API. This commit allows to the same callers
the permissions to execute systemd-notify in the caller domain.
Aug 02 13:10:18 hostname audit[956]: AVC avc: denied { execute_no_trans } for pid=956 comm="launch-xenstore" path="/usr/bin/systemd-notify" dev="sda4" ino=4200844 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
Resolves: rhbz#2114498
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/init.te | 1 +
policy/modules/system/systemd.if | 18 ++++++++++++++++++
policy/modules/system/unconfined.te | 4 ++++
3 files changed, 23 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index e4bc96f..33052c6 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1955,6 +1955,7 @@ allow initrc_domain systemprocess:process transition;
optional_policy(`
systemd_getattr_unit_dirs(daemon)
systemd_getattr_unit_dirs(systemprocess)
+ systemd_exec_notify(daemon)
')
optional_policy(`
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 51b966a..61f5476 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -998,6 +998,24 @@ interface(`systemd_timedated_manage_lib_dirs',`
########################################
## <summary>
+## Execute systemd-notify in the caller domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_exec_notify',`
+ gen_require(`
+ type systemd_notify_exec_t;
+ ')
+
+ can_exec($1, systemd_notify_exec_t)
+')
+
+########################################
+## <summary>
## Execute a domain transition to run systemd_notify.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 4da1290..e6f86cf 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -35,6 +35,10 @@ optional_policy(`
')
optional_policy(`
+ systemd_exec_notify(unconfined_service_t)
+')
+
+optional_policy(`
virt_transition_svirt(unconfined_service_t, system_r)
')
--
1.8.3.1


@ -1,36 +0,0 @@
From 72bf03e76b3dd93ee4d29b573574cc394c74220b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 7 Jan 2022 18:24:37 +0100
Subject: [PATCH] Allow smbcontrol read the network state information
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/72bf03e76b3dd93ee4d29b573574cc394c74220b
Conflict: NA
Addresses the following AVC denial:
type=PROCTITLE msg=audit(12/15/2021 14:56:51.308:2289) : proctitle=smbcontrol winbind ping
type=AVC msg=audit(12/15/2021 14:56:51.308:2289) : avc: denied { read } for pid=39355 comm=smbcontrol name=unix dev="proc" ino=4026532055 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(12/15/2021 14:56:51.308:2289) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7fffd5d76250 a1=R_OK a2=0x8 a3=0x562d2bf87764 items=0 ppid=36929 pid=39355 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=9 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
Resolves: rhbz#2038157
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/samba.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index cb89bcf..daf5349 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -743,6 +743,8 @@ samba_read_config(smbcontrol_t)
samba_search_var(smbcontrol_t)
samba_read_winbind_pid(smbcontrol_t)
+kernel_read_network_state(smbcontrol_t)
+
domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
--
1.8.3.1


@ -1,40 +0,0 @@
From 0269eebb529eef5288b4b6dd1c62604dbd230230 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 23 Nov 2021 14:32:54 +0100
Subject: [PATCH] Allow smbcontrol use additional socket types
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/0269eebb529eef5288b4b6dd1c62604dbd230230
Conflict: NA
In order to set debug level, smbcontrol was allowed to:
- create and use udp socket
- create and use netlink route sockets, read route configuration state
AVC denials example:
type=PROCTITLE msg=audit(11/23/2021 08:19:05.790:553) : proctitle=smbcontrol all debug 100
type=SYSCALL msg=audit(11/23/2021 08:19:05.790:553) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=ip a3=0x7fbb520a88b8 items=0 ppid=1060 pid=2372 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/23/2021 08:19:05.790:553) : avc: denied { create } for pid=2372 comm=smbcontrol scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=netlink_route_socket permissive=0
Resolves: rhbz#2025931
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/samba.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 72322f5..cb89bcf 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -718,6 +718,8 @@ allow smbcontrol_t self:capability2 block_suspend;
allow smbcontrol_t self:process { signal signull };
# internal communication is often done using fifo and unix sockets.
allow smbcontrol_t self:fifo_file rw_file_perms;
+allow smbcontrol_t self:netlink_route_socket r_netlink_socket_perms;
+allow smbcontrol_t self:udp_socket create_socket_perms;
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
allow smbcontrol_t self:unix_dgram_socket create_socket_perms;
--
1.8.3.1


@ -1,100 +0,0 @@
From 033c1ffb7c25c218f35ac5053d7f3a482c7df6af Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 14 Jul 2022 10:30:12 +0200
Subject: [PATCH] Allow some domains use sd_notify()
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/033c1ffb7c25c218f35ac5053d7f3a482c7df6af
Conflict: NA
sd_notify() and a few similar systemd library functions may be called by
a service to notify the service manager about state changes. It can be
used to send arbitrary information. Most importantly, it can be used for
start-up completion notification.
With this commit, all types in the daemon and login_userdomain
attributes and unconfined_service_t can connect to init (PID 1) and
init can write back to the fifo_file created by the domain.
Resolves: rhbz#1903305
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/init.if | 21 +++++++++++++++++++++
policy/modules/system/init.te | 2 ++
policy/modules/system/unconfined.te | 2 ++
policy/modules/system/userdomain.te | 2 ++
4 files changed, 27 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4b3bb59..c07649b 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3000,6 +3000,27 @@ interface(`init_rw_tcp_sockets',`
allow $1 init_t:tcp_socket { read write getattr };
')
+#######################################
+## <summary>
+## Use sd_notify
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_use_notify',`
+ gen_require(`
+ type init_t, init_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
+ allow $1 init_var_run_t:sock_file read_sock_file_perms;
+ allow init_t $1:fifo_file write_fifo_file_perms;
+')
+
########################################
## <summary>
## Get the system status information from init
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 073ce2c..e4bc96f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1335,6 +1335,8 @@ ifdef(`distro_suse',`
domain_dontaudit_use_interactive_fds(daemon)
+init_use_notify(daemon)
+
userdom_dontaudit_list_admin_dir(daemon)
userdom_dontaudit_search_user_tmp(daemon)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index ed03aad..4da1290 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -20,6 +20,8 @@ role unconfined_r types unconfined_service_t;
corecmd_bin_entry_type(unconfined_service_t)
corecmd_shell_entry_type(unconfined_service_t)
+init_use_notify(unconfined_service_t)
+
optional_policy(`
rpm_transition_script(unconfined_service_t, system_r)
')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 3ac8c12..0980247 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -400,6 +400,8 @@ files_watch_generic_tmp_dirs(login_userdomain)
fs_create_cgroup_files(login_userdomain)
fs_watch_cgroup_files(login_userdomain)
+init_use_notify(login_userdomain)
+
libs_watch_lib_dirs(login_userdomain)
miscfiles_watch_fonts_dirs(login_userdomain)
--
1.8.3.1


@ -1,93 +0,0 @@
From 37dbb1e7b5944a1cceb2009f8bbb4897150fd1ef Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Tue, 22 Feb 2022 09:48:33 +0100
Subject: [PATCH] Allow sosreport dbus chat abrt systemd timedatex
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/37dbb1e7b5944a1cceb2009f8bbb4897150fd1ef
Conflict: NA
Create sosreport dbus chat interface.
Allow abrt, systemd and timedatex to dbus chat sosreport
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/abrt.te | 1 +
policy/modules/contrib/sosreport.if | 20 ++++++++++++++++++++
policy/modules/contrib/timedatex.te | 5 ++++-
policy/modules/system/systemd.te | 4 ++++
4 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index a68c7fd..02a12df 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -350,6 +350,7 @@ optional_policy(`
#')
optional_policy(`
+ sosreport_dbus_chat(abrt_t)
sosreport_domtrans(abrt_t)
sosreport_read_tmp_files(abrt_t)
sosreport_delete_tmp_files(abrt_t)
diff --git a/policy/modules/contrib/sosreport.if b/policy/modules/contrib/sosreport.if
index f6db7a7..c5fbb7a 100644
--- a/policy/modules/contrib/sosreport.if
+++ b/policy/modules/contrib/sosreport.if
@@ -146,3 +146,23 @@ interface(`sosreport_signull',`
allow $1 sosreport_t:process signull;
')
+########################################
+## <summary>
+## Send and receive messages from
+## sosreport over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sosreport_dbus_chat',`
+ gen_require(`
+ type sosreport_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 sosreport_t:dbus send_msg;
+ allow sosreport_t $1:dbus send_msg;
+')
diff --git a/policy/modules/contrib/timedatex.te b/policy/modules/contrib/timedatex.te
index 3a2e4db..6a640fa 100644
--- a/policy/modules/contrib/timedatex.te
+++ b/policy/modules/contrib/timedatex.te
@@ -64,6 +64,9 @@ optional_policy(`
')
optional_policy(`
- userdom_dbus_send_all_users(timedatex_t)
+ sosreport_dbus_chat(timedatex_t)
')
+optional_policy(`
+ userdom_dbus_send_all_users(timedatex_t)
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 476e2d3..97cc111 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -545,6 +545,10 @@ optional_policy(`
')
optional_policy(`
+ sosreport_dbus_chat(systemd_networkd_t)
+')
+
+optional_policy(`
udev_read_db(systemd_networkd_t)
')
--
1.8.3.1


@ -1,30 +0,0 @@
From b7cd8535f926e9f6e38499714f0d97b12b77dde6 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 22 Aug 2022 12:25:09 +0200
Subject: [PATCH] Allow ssh client read kerberos homedir config files
Addresses the following AVC denial:
type=PATH msg=audit(22.8.2022 10:09:52.495:4019) : item=0 name=/home/user/.k5identity inode=15144919 dev=fd:03 mode=file,664 ouid=user ogid=user rdev=00:00 obj=staff_u:object_r:krb5_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(22.8.2022 10:09:52.495:4019) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x564acca009b0 a2=O_RDONLY a3=0x0 items=1 ppid=78842 pid=439750 auid=user uid=user gid=user euid=user suid=user fsuid=user egid=user sgid=user fsgid=user tty=pts12 ses=3 comm=ssh exe=/usr/bin/ssh subj=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(22.8.2022 10:09:52.495:4019) : avc: denied { open } for pid=439750 comm=ssh path=/home/user/.k5identity dev="dm-3" ino=15144919 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:krb5_home_t:s0 tclass=file permissive=1
Signed-off-by: lujie42 <lujie54@huawei.com>
---
policy/modules/services/ssh.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index bf988b7f2..15b611e46 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -246,6 +246,7 @@ optional_policy(`
')
optional_policy(`
+ kerberos_read_home_content(ssh_t)
kerberos_read_keytab(ssh_t)
')
--
2.27.0


@ -1,34 +0,0 @@
From 84dd4309ad6d644edea2c3cf448f516f4e008c04 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 11 Jan 2022 15:17:27 +0100
Subject: [PATCH] Allow sshd read filesystem sysctl files
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/84dd4309ad6d644edea2c3cf448f516f4e008c04
Conflict: NA
This permissions is required when "nofile unlimited" is configured
in the system resources limits for a user.
echo "testuser hard nofile unlimited" >> /etc/security/limits.d/testuser.conf
Resolves: rhbz#2036585
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/services/ssh.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 10126e7..bf988b7 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -303,6 +303,7 @@ allow sshd_t sshd_keytab_t:file read_file_perms;
kernel_search_key(sshd_t)
kernel_link_key(sshd_t)
+kernel_read_fs_sysctls(sshd_t)
kernel_read_net_sysctls(sshd_t)
files_search_all(sshd_t)
--
1.8.3.1


@ -1,65 +0,0 @@
From 3478cb66bc08866173e82fa070c160c0c03513bd Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 30 Sep 2022 16:08:55 +0200
Subject: [PATCH] Allow sss daemons read/write unnamed pipes of cloud-init
The cloudform_rw_pipes() interface was added.
Addresses the following AVC denials:
[ 10.779755] fedora audit[812]: AVC avc: denied { read } for pid=812 comm="sss_cache" path="pipe:[18908]" dev="pipefs" ino=18908 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
[ 10.779916] fedora audit[812]: AVC avc: denied { write } for pid=812 comm="sss_cache" path="pipe:[18909]" dev="pipefs" ino=18909 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
Resolves: rhbz#2073265
Signed-off-by: lujie42 <lujie54@huawei.com>
---
policy/modules/contrib/cloudform.if | 18 ++++++++++++++++++
policy/modules/contrib/sssd.te | 4 ++++
2 files changed, 22 insertions(+)
diff --git a/policy/modules/contrib/cloudform.if b/policy/modules/contrib/cloudform.if
index 55fe0d668..4a17c4872 100644
--- a/policy/modules/contrib/cloudform.if
+++ b/policy/modules/contrib/cloudform.if
@@ -41,6 +41,24 @@ interface(`cloudform_init_domtrans',`
domtrans_pattern($1, cloud_init_exec_t, cloud_init_t)
')
+########################################
+## <summary>
+## Read and write unnamed cloud-init pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cloudform_rw_pipes',`
+ gen_require(`
+ type cloud_init_t;
+ ')
+
+ allow $1 cloud_init_t:fifo_file rw_fifo_file_perms;
+')
+
######################################
## <summary>
## Execute mongod in the caller domain.
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index f5c7d980d..90d04fd91 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -185,6 +185,10 @@ optional_policy(`
bind_read_cache(sssd_t)
')
+optional_policy(`
+ cloudform_rw_pipes(sssd_t)
+')
+
optional_policy(`
dbus_system_bus_client(sssd_t)
dbus_connect_system_bus(sssd_t)
--
2.27.0


@ -1,75 +0,0 @@
From b22b33e612363001d74e283e53b04192a51f7c5f Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 14 Apr 2022 19:31:18 +0200
Subject: [PATCH] Allow sssd domtrans to pkcs_slotd_t
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/b22b33e612363001d74e283e53b04192a51f7c5f
Conflict: NA
When sssd is configured to use smart cards login, any authentication
(e.g. sudo) will raise this AVC meaning smart card login was prevented
from working:
type=AVC msg=audit(1620803381.118:24793): avc: denied { getattr } for pid=667312 comm="p11_child" path="/usr/sbin/pkcsslotd" dev="dm-1" ino=1581455 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_exec_t:s0 tclass=file permissive=0
Sudo uses pam to authenticate a user. In pam stack, there is the sssd
pam module which talks through some IPC to sssd's p11_child.
This sssd's p11_child loads through p11-kit every pkcs11 module
installed in the system, which includes the opencryptoki pkcs11 module.
Opencryptoki pkcs11 module talks through some IPC to pkcsslotd daemon,
handling the communication with HW devices or soft tokens.
The pkcs_domtrans() interface was added.
Resolves: rhbz#1959705
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/pkcs.if | 19 +++++++++++++++++++
policy/modules/contrib/sssd.te | 1 +
2 files changed, 20 insertions(+)
diff --git a/policy/modules/contrib/pkcs.if b/policy/modules/contrib/pkcs.if
index 423d061..eb97d23 100644
--- a/policy/modules/contrib/pkcs.if
+++ b/policy/modules/contrib/pkcs.if
@@ -118,6 +118,25 @@ interface(`pkcs_getattr_exec_files',`
########################################
## <summary>
+## Transition to pkcs_slotd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pkcs_domtrans',`
+ gen_require(`
+ type pkcs_slotd_t, pkcs_slotd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pkcs_slotd_exec_t, pkcs_slotd_t)
+')
+
+########################################
+## <summary>
## Create specific objects in the tmpfs directories
## with a private type.
## </summary>
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index 80c0b62..f5c7d98 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -221,6 +221,7 @@ optional_policy(`
')
optional_policy(`
+ pkcs_domtrans(sssd_t)
pkcs_read_lock(sssd_t)
')
--
1.8.3.1


@ -1,42 +0,0 @@
From 80e7516c09c41c989176947265df41e39e94a31a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 10 Jan 2022 17:15:56 +0100
Subject: [PATCH] Allow sssd_kcm read and write z90crypt device
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/80e7516c09c41c989176947265df41e39e94a31a
Conflict: NA
This permission is required on s390x systems with the Crypto Express
adapter card. The z90crypt device driver acts as the interface to the
PCI cryptography hardware and performs asynchronous encryption
operations (RSA) as used during the SSL handshake.
Addresses the following AVC denial:
PROCTITLE msg=audit(26.11.2021 17:43:18.641:78) : proctitle=/usr/libexec/sssd/sssd_kcm --uid 0 --gid 0 --logger=files
type=AVC msg=audit(26.11.2021 17:43:18.641:78) : avc: denied { read write } for pid=1724 comm=sssd_kcm name=z90crypt dev="devtmpfs" ino=111 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(26.11.2021 17:43:18.641:78) : arch=s390x syscall=openat success=no exit=EACCES(Operace zamítnuta) a0=0xffffffffffffff9c a1=0x3ffa56906e6 a2=O_RDWR a3=0x0 items=0 ppid=1 pid=1724 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_kcm exe=/usr/libexec/sssd/sssd_kcm subj=system_u:system_r:sssd_t:s0 key=(null)
Resolves: rhbz#2026974
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/sssd.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index b510dca..e5c8673 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -106,6 +106,7 @@ corecmd_exec_bin(sssd_t)
dev_read_urand(sssd_t)
dev_read_sysfs(sssd_t)
+dev_rw_crypto(sssd_t)
domain_read_all_domains_state(sssd_t)
domain_obj_id_change_exemption(sssd_t)
--
1.8.3.1


@ -1,50 +0,0 @@
From 5adbc14b634b60c5bd779fb22c5bf4a674a83020 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 9 Sep 2022 17:21:10 +0200
Subject: [PATCH] Allow staff_u and user_u users write to bolt pipe
Addresses the following AVC denial:
-
type=PROCTITLE msg=audit(6.9.2022 07:26:55.355:15479) : proctitle=boltctl power
type=SYSCALL msg=audit(6.9.2022 07:26:55.355:15479) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x5 a1=0x7f341adfd940 a2=MSG_CMSG_CLOEXEC a3=0x7fff30353080 items=0 ppid=1832290 pid=1905598 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=pts18 ses=3 comm=gdbus exe=/usr/bin/boltctl subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(6.9.2022 07:26:55.355:15479) : avc: denied { write } for pid=1905598 comm=gdbus path=/run/boltd/power/1.guard.fifo dev="tmpfs" ino=95970 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boltd_var_run_t:s0 tclass=fifo_file permissive=1
Signed-off-by: lujie42 <lujie54@huawei.com>
---
policy/modules/roles/staff.te | 4 ++++
policy/modules/roles/unprivuser.te | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index a573eba03..907710baf 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -103,6 +103,10 @@ optional_policy(`
blueman_dbus_chat(staff_t)
')
+optional_policy(`
+ boltd_write_var_run_pipes(staff_t)
+')
+
optional_policy(`
kdumpgui_dbus_chat(staff_t)
')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 56a8be217..a4781914e 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -66,6 +66,10 @@ optional_policy(`
bluetooth_role(user_r, user_t)
')
+optional_policy(`
+ boltd_write_var_run_pipes(user_t)
+')
+
optional_policy(`
colord_dbus_chat(user_t)
')
--
2.27.0


@ -1,37 +0,0 @@
From c5082c2dc80dbbd549ca9a246ef97ef6cf20a277 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 18 Nov 2021 19:29:01 +0100
Subject: [PATCH] Allow sudodomain send a null signal to sshd processes
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/c5082c2dc80dbbd549ca9a246ef97ef6cf20a277
Conflict: NA
This denial appears when maxlogins is specified in PAM limits configuration:
type=PROCTITLE msg=audit(11/18/21 13:22:44.231:774) : proctitle=sudo -u staff echo
type=SYSCALL msg=audit(11/18/21 13:22:44.231:774) : arch=x86_64 syscall=kill success=no exit=EACCES(Permission denied) a0=0x1a2c a1=SIG0 a2=0x4 a3=0x7ffd93c089cf items=0 ppid=6747 pid=6748 auid=staff uid=root gid=staff euid=root suid=root fsuid=root egid=staff sgid=staff fsgid=staff tty=(none) ses=16 comm=sudo exe=/usr/bin/sudo subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/18/21 13:22:44.231:774) : avc: denied { signull } for pid=6748 comm=sudo scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0
Resolves: rhbz#1966945
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/admin/sudo.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index b281028..333b465 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -129,6 +129,10 @@ optional_policy(`
')
optional_policy(`
+ ssh_signull(sudodomain)
+')
+
+optional_policy(`
systemd_write_inherited_logind_sessions_pipes(sudodomain)
')
--
1.8.3.1


@ -1,35 +0,0 @@
From 3b826a9f34d86388fde3a07a9dcfeccdc762bafe Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 20 Dec 2021 11:47:29 +0100
Subject: [PATCH] Allow sudodomains execute passwd in the passwd domain
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3b826a9f34d86388fde3a07a9dcfeccdc762bafe
Conflict: NA
When an unprivileged user in the sysadm_r role executes passwd
through sudo, it transitions into sysadm_sudo_t domain by default.
With this commit, the process transitions back to sysadm_t.
Resolves: rhbz#1943572
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/admin/sudo.if | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index e79eef7..356b150 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -98,6 +98,9 @@ template(`sudo_role_template',`
kerberos_read_config($1_sudo_t)
')
+ optional_policy(`
+ usermanage_domtrans_passwd($1_sudo_t)
+ ')
')
########################################
--
1.8.3.1


@ -1,41 +0,0 @@
From c43df4f0131a7870beef94eb9c5a5fb048379566 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 24 Nov 2021 16:13:35 +0100
Subject: [PATCH] Allow svnserve send mail from the system
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/c43df4f0131a7870beef94eb9c5a5fb048379566
Conflict: NA
If a svn hook needs to send an e-mail, the service needs to be allowed
to execute an MTA program. In this commit, the mta_send_mail() interface
call for svnserve_t was added to allow permissions to execute types from
the mta_exec_type attribute which currently is:
- courier_exec_t
- exim_exec_t
- postfix_postdrop_t
- sendmail_exec_t
Resolves: rhbz#2004843
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/svnserve.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/svnserve.te b/policy/modules/contrib/svnserve.te
index 874e7c2..c603551 100644
--- a/policy/modules/contrib/svnserve.te
+++ b/policy/modules/contrib/svnserve.te
@@ -90,6 +90,10 @@ optional_policy(`
')
optional_policy(`
+ mta_send_mail(svnserve_t)
+')
+
+optional_policy(`
sasl_connect(svnserve_t)
')
--
1.8.3.1


@ -1,74 +0,0 @@
From 8879c209b0916931aab95d733fc7f4b52b99258b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 22 Dec 2021 13:06:33 +0100
Subject: [PATCH] Allow sysadm execute sysadmctl in sysadm_t domain using sudo
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/8879c209b0916931aab95d733fc7f4b52b99258b
Conflict: NA
When an unprivileged user in the sysadm_r role executes systemctl
through sudo, it transitions into sysadm_sudo_t domain by default.
With this commit, the process transitions back to sysadm_t.
The systemd_domtrans_systemctl() interface was added.
Resolves: rhbz#2013749
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/admin/sudo.if | 5 +++++
policy/modules/system/systemd.if | 23 +++++++++++++++++++++++
2 files changed, 28 insertions(+)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index f6df896..24ede58 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -101,6 +101,11 @@ template(`sudo_role_template',`
')
optional_policy(`
+ systemd_domtrans_systemctl($1_sudo_t, $3)
+ systemd_systemctl_entrypoint($3)
+ ')
+
+ optional_policy(`
userdom_write_user_tmp_sockets($1_sudo_t)
')
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index ec58e33..351438c 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -128,6 +128,29 @@ interface(`systemd_systemctl_entrypoint',`
#######################################
## <summary>
+## Execute systemctl in the specified domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="target_domain">
+## <summary>
+## Domain to transition to.
+## </summary>
+## </param>
+#
+interface(`systemd_domtrans_systemctl',`
+ gen_require(`
+ type systemd_systemctl_exec_t;
+ ')
+
+ domain_auto_transition_pattern($1, systemd_systemctl_exec_t, $2)
+')
+
+#######################################
+## <summary>
## Create a file type used for systemd unit files.
## </summary>
## <param name="script_file">
--
1.8.3.1


@ -1,77 +0,0 @@
From 369f900039cff9443e86fdf7254ba8b11dc6adb5 Mon Sep 17 00:00:00 2001
From: Patrik Koncity <pkoncity@redhat.com>
Date: Thu, 10 Feb 2022 11:46:13 +0100
Subject: [PATCH] Allow sysadm_passwd_t to relabel passwd and group files
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/369f900039cff9443e86fdf7254ba8b11dc6adb5
Conflict: NA
Vigr mechanism of editing group and passwd
files work on principle of recreating the current
file with new changes. Due to this mechanism is
need to again relabel file with selinux label.
Creating interface allowing relabel to the passwd_file_t
type. Allow relabeling for sysadm_passwd_t domain.
Allow dac_override permission for sysadm_passwd_t type.
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/admin/usermanage.te | 3 ++-
policy/modules/system/authlogin.if | 20 ++++++++++++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 8fdbfbc..155fb68 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -433,7 +433,7 @@ optional_policy(`
# Password admin local policy
#
-allow sysadm_passwd_t self:capability { chown dac_read_search fsetid setuid setgid sys_resource };
+allow sysadm_passwd_t self:capability { chown dac_override dac_read_search fsetid setuid setgid sys_resource };
allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sysadm_passwd_t self:process { setrlimit setfscreate };
allow sysadm_passwd_t self:fd use;
@@ -478,6 +478,7 @@ term_getattr_all_ptys(sysadm_passwd_t)
auth_manage_passwd(sysadm_passwd_t)
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
+auth_relabelto_passwd_files(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
auth_use_nsswitch(sysadm_passwd_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index ad55205..b5b3702 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -851,6 +851,26 @@ interface(`auth_relabel_shadow',`
#######################################
## <summary>
+## Relabel to the
+## password file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_relabelto_passwd_files',`
+ gen_require(`
+ type passwd_file_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 passwd_file_t:file relabelto;
+')
+
+#######################################
+## <summary>
## Append to the login failure log.
## </summary>
## <param name="domain">
--
1.8.3.1


@ -1,34 +0,0 @@
From 489674d8ad8253a18cf88425f2fe3dbf265d03a1 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 17 Jan 2022 12:44:10 +0100
Subject: [PATCH] Allow sysadm_t start and stop transient services
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/489674d8ad8253a18cf88425f2fe3dbf265d03a1
Conflict: NA
Addresses the following AVC denial:
type=USER_AVC msg=audit(01/07/2022 03:27:48.362:345) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root cmdline="" scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=1 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' # Date: Mon Jan 17 12:44:10 2022 +0100
Resolves: rhbz#2031065
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/roles/sysadm.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index fae8028..d9e11b6 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -81,6 +81,8 @@ init_exec(sysadm_t)
init_exec_script_files(sysadm_t)
init_dbus_chat(sysadm_t)
init_script_role_transition(sysadm_r)
+init_start(sysadm_t)
+init_stop(sysadm_t)
init_status(sysadm_t)
init_reboot(sysadm_t)
init_halt(sysadm_t)
--
1.8.3.1


@ -1,34 +0,0 @@
From 3578a24d63f5901469482950f40bcb757d695baf Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 2 Aug 2022 16:42:58 +0200
Subject: [PATCH] Allow sysadm_t to run bpftool on the userdomain attribute
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3578a24d63f5901469482950f40bcb757d695baf
Conflict: NA
Addresses the following AVC denial:
type=PROCTITLE msg=audit(08/02/2022 11:36:12.251:13079) : proctitle=perf record -o /dev/null echo test
type=SYSCALL msg=audit(08/02/2022 11:36:12.251:13079) : arch=x86_64 syscall=bpf success=no exit=EACCES(Permission denied) a0=BPF_PROG_GET_FD_BY_ID a1=0x7ffda3e17100 a2=0x90 a3=0x55bd94ea10a0 items=0 ppid=291258 pid=291259 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=141 comm=perf exe=/usr/bin/perf subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2022 11:36:12.251:13079) : avc: denied { prog_run } for pid=291259 comm=perf scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=bpf permissive=0
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/roles/sysadm.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index d9e11b6..ed1b86f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -109,6 +109,8 @@ userdom_exec_admin_home_files(sysadm_t)
userdom_manage_admin_files(sysadm_t)
userdom_manage_admin_dirs(sysadm_t)
+userdom_prog_run_bpf_userdomain(sysadm_t)
+
corenet_ib_access_unlabeled_pkeys(sysadm_t)
corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
corenet_tcp_bind_all_rpc_ports(sysadm_t)
--
1.8.3.1


@ -1,30 +0,0 @@
From 9935be1702ce951d1582e80ae8d747183ed34a5e Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 8 Apr 2022 14:02:48 +0200
Subject: [PATCH] Allow system dbus daemon watch generic directories in
/var/lib
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9935be1702ce951d1582e80ae8d747183ed34a5e
Conflict: NA
Resolves: rhbz#1928365
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/dbus.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 76fb3b6..ced5149 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -107,6 +107,7 @@ dev_rw_inherited_dri(system_dbusd_t)
files_read_var_lib_symlinks(system_dbusd_t)
files_rw_inherited_non_security_files(system_dbusd_t)
files_watch_usr_dirs(system_dbusd_t)
+files_watch_var_lib_dirs(system_dbusd_t)
fs_getattr_all_fs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t)
--
1.8.3.1


@ -1,39 +0,0 @@
From 9ca08c39af36079809e9247957d86e86009a3e6a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 13 Jan 2022 19:23:19 +0100
Subject: [PATCH] Allow systemd-coredump read and write usermodehelper state
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9ca08c39af36079809e9247957d86e86009a3e6a
Conflict: NA
When systemd (PID1) crashes, it freezes and systemd services cannot be
started, so coredump handling with systemd-coredump will not work
either. As frozen systemd does not collect zombies any longer, it looks
reasonable to avoid spawning further processes as much as possible.
Therefore systemd-coredump will write "|/bin/false" to the
kernel.core_pattern kernel tunable when it detects that it was PID 1
that had crashed to disable coredumping.
Resolves: rhbz#1982961
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/systemd.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index edd4354..5a78a8c 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1055,6 +1055,8 @@ manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_cor
mmap_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
init_var_lib_filetrans(systemd_coredump_t, systemd_coredump_var_lib_t, dir, "coredump")
+kernel_rw_usermodehelper_state(systemd_coredump_t)
+
dev_write_kmsg(systemd_coredump_t)
# To read info about the crashed process from /proc
--
1.8.3.1


@ -1,46 +0,0 @@
From 4ed22744f5a99c1f2b997b915b340de7abe8d15d Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 13 Jan 2022 21:08:14 +0100
Subject: [PATCH] Allow systemd-coredump userns capabilities and root mounton
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/4ed22744f5a99c1f2b997b915b340de7abe8d15d
Conflict: NA
systemd-coredump forks a child process to perform core file analysis
(comm=(sd-parse-elf)), and before doing the actual analysis, it sets
up a sandbox using mount and user namespaces.
Refer to https://github.com/systemd/systemd/commit/61aea456c1
for the systemd upstream change.
Resolves: rhbz#2031356
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/systemd.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 5a78a8c..ea2b27e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1040,7 +1040,7 @@ systemd_read_efivarfs(systemd_sysctl_t)
# setgid setuid - to set own credentials to match the dumped process credentials
# setpcap - to drop capabilities
allow systemd_coredump_t self:capability { dac_read_search net_admin setgid setpcap setuid sys_ptrace };
-allow systemd_coredump_t self:cap_userns sys_ptrace;
+allow systemd_coredump_t self:cap_userns { dac_read_search dac_override sys_admin sys_ptrace };
# To set its capability set
allow systemd_coredump_t self:process setcap;
@@ -1067,6 +1067,8 @@ domain_read_all_domains_state(systemd_coredump_t)
files_read_non_security_files(systemd_coredump_t)
files_map_non_security_files(systemd_coredump_t)
+files_mounton_rootfs(systemd_coredump_t)
+
fs_getattr_nsfs_files(systemd_coredump_t)
optional_policy(`
--
1.8.3.1


@ -1,33 +0,0 @@
From 8398b1833c1168ac30ef8e13db39f50c187503cb Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 14 Apr 2022 18:37:38 +0200
Subject: [PATCH] Allow systemd-gpt-auto-generator create and use
netlink_kobject_uevent_socket
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/8398b1833c1168ac30ef8e13db39f50c187503cb
Conflict: NA
Addresses the following AVC denial:
type=AVC msg=audit(1649951765.765:599): avc: denied { create } for pid=35143 comm="systemd-gpt-aut" scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=netlink_kobject_uevent_socket permissive=0
Resolves: rhbz#2075589
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/systemd.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 8fe3eb9..a9308b8 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1106,6 +1106,7 @@ systemd_read_efivarfs(systemd_hwdb_t)
#
allow systemd_gpt_generator_t self:capability sys_rawio;
+allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms;
dev_read_sysfs(systemd_gpt_generator_t)
dev_write_kmsg(systemd_gpt_generator_t)
--
1.8.3.1
