diff --git a/backport-Add-bgpd-sys_chroot-capability.patch b/backport-Add-bgpd-sys_chroot-capability.patch
deleted file mode 100644
index cd553a6..0000000
--- a/backport-Add-bgpd-sys_chroot-capability.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 384a8eeec175cc19f18ae74950cb0d8db0e0ce1b Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 23 Sep 2022 18:46:54 +0200
-Subject: [PATCH] Add bgpd sys_chroot capability
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(09/23/2022 13:39:42.856:6958) : proctitle=/usr/sbin/bgpd -R
-type=PATH msg=audit(09/23/2022 13:39:42.856:6958) : item=0 name=/var/empty/bgpd inode=644194 dev=00:1e mode=dir,711 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=SYSCALL msg=audit(09/23/2022 13:39:42.856:6958) : arch=x86_64 syscall=chroot success=no exit=EPERM(Operation not permitted) a0=0x55af72eb04e7 a1=0x7f06fcd615b3 a2=0x0 a3=0x7f06fcd46ac0 items=1 ppid=115054 pid=115055 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bgpd exe=/usr/sbin/bgpd subj=system_u:system_r:zebra_t:s0 key=(null)
-type=AVC msg=audit(09/23/2022 13:39:42.856:6958) : avc: denied { sys_chroot } for pid=115055 comm=bgpd capability=sys_chroot scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:system_r:zebra_t:s0 tclass=capability permissive=0
-
-Signed-off-by: lujie42
----
- policy/modules/contrib/zebra.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
-index 91a604150..bae270d59 100644
---- a/policy/modules/contrib/zebra.te
-+++ b/policy/modules/contrib/zebra.te
-@@ -40,7 +40,7 @@ files_pid_file(zebra_var_run_t)
- # Local policy
- #
-
--allow zebra_t self:capability { setgid setuid net_admin net_raw };
-+allow zebra_t self:capability { setgid setuid sys_chroot net_admin net_raw };
- dontaudit zebra_t self:capability sys_tty_config;
- allow zebra_t self:process { signal_perms getcap setcap };
- allow zebra_t self:file rw_file_perms;
---
-2.27.0
-
diff --git a/backport-Add-numad-the-ipc_owner-capability.patch b/backport-Add-numad-the-ipc_owner-capability.patch
deleted file mode 100644
index 0b2dd98..0000000
--- a/backport-Add-numad-the-ipc_owner-capability.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 8cc57cc64467d6e60eac92d6ffc9f9d550e948a2 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Wed, 21 Sep 2022 17:20:28 +0200
-Subject: [PATCH] Add numad the ipc_owner capability
-
-This permission is required when the cpu allocation in a vm definition contains
-
-which means cpuset option will be configured by querying numad.
-
-Addresses the following AVC denial:
-
-type=AVC msg=audit(1637903670.950:2626): avc: denied { ipc_owner } for pid=72952 comm="numad" capability=15 scontext=system_u:system_r:numad_t:s0-s0:c0.c1023 tcontext=system_u:system_r:numad_t:s0-s0:c0.c1023 tclass=capability permissive=0
-
-Resolves: rhbz#2026968
-Signed-off-by: lujie42
----
- policy/modules/contrib/numad.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/contrib/numad.te b/policy/modules/contrib/numad.te
-index cf8f99b02..97f923b25 100644
---- a/policy/modules/contrib/numad.te
-+++ b/policy/modules/contrib/numad.te
-@@ -23,7 +23,7 @@ files_pid_file(numad_var_run_t)
- # numad local policy
- #
-
--allow numad_t self:capability { kill sys_nice sys_ptrace } ;
-+allow numad_t self:capability { ipc_owner kill sys_nice sys_ptrace } ;
- allow numad_t self:fifo_file rw_fifo_file_perms;
- allow numad_t self:msgq create_msgq_perms;
- allow numad_t self:msg { send receive };
---
-2.27.0
-
diff --git a/backport-Add-permissions-to-manage-lnk_files-into-gnome_manag.patch b/backport-Add-permissions-to-manage-lnk_files-into-gnome_manag.patch
deleted file mode 100644
index c89603b..0000000
--- a/backport-Add-permissions-to-manage-lnk_files-into-gnome_manag.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 705fc27141d8aeb736fecdd6a6048f59c55f6d1f Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Wed, 27 Jul 2022 18:11:34 +0200
-Subject: [PATCH] Add permissions to manage lnk_files into
- gnome_manage_home_config
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/705fc27141d8aeb736fecdd6a6048f59c55f6d1f
-Conflict: NA
-
-The gnome_manage_home_config() interface contains manage_files_pattern()
-call for config_home_t files only, but symlinks can be there, too.
-
-Addresses the following AVC denial:
-type=AVC msg=audit(1652884370.574:523): avc: denied { unlink } for pid=45745 comm="systemd-user-ru" name="user" dev="tmpfs" ino=240 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=lnk_file permissive=0
-
-Resolves: rhbz#2088269
-Signed-off-by: lujie54
----
- policy/modules/contrib/gnome.if | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
-index 1d62f2a..f52d635 100644
---- a/policy/modules/contrib/gnome.if
-+++ b/policy/modules/contrib/gnome.if
-@@ -1398,7 +1398,8 @@ interface(`gnome_manage_home_config',`
- ')
-
- manage_files_pattern($1, config_home_t, config_home_t)
-- allow $1 config_home_t:file map;
-+ manage_lnk_files_pattern($1, config_home_t, config_home_t)
-+ allow $1 config_home_t:file map;
- ')
-
- #######################################
---
-1.8.3.1
-
diff --git a/backport-Add-systemd_getattr_generic_unit_files-interface.patch b/backport-Add-systemd_getattr_generic_unit_files-interface.patch
deleted file mode 100644
index 83b8713..0000000
--- a/backport-Add-systemd_getattr_generic_unit_files-interface.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 9010f07e78944ccab50bcf3bf2640f6aad3cc8cb Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Wed, 30 Mar 2022 21:29:47 +0200
-Subject: [PATCH] Add systemd_getattr_generic_unit_files() interface
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9010f07e78944ccab50bcf3bf2640f6aad3cc8cb
-Conflict: NA
-
-Signed-off-by: lujie54
----
- policy/modules/system/systemd.if | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index 351438c..5567da7 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -1597,6 +1597,24 @@ interface(`systemd_unit_file_filetrans',`
-
- #######################################
- ##
-+## Get attributes of generic systemd unit files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_getattr_generic_unit_files',`
-+ gen_require(`
-+ type systemd_unit_file_t;
-+ ')
-+
-+ getattr_files_pattern($1, systemd_unit_file_t, systemd_unit_file_t)
-+')
-+
-+#######################################
-+##
- ## Create a directory in the /usr/lib/systemd/system directory.
- ##
- ##
---
-1.8.3.1
-
diff --git a/backport-Add-the-corecmd_watch_bin_dirs-interface.patch b/backport-Add-the-corecmd_watch_bin_dirs-interface.patch
deleted file mode 100644
index 85aebac..0000000
--- a/backport-Add-the-corecmd_watch_bin_dirs-interface.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 88072fd293ddd3e83c0625199d6f0561dcad99d7 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 8 Apr 2022 11:48:14 +0200
-Subject: [PATCH] Add the corecmd_watch_bin_dirs() interface
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/88072fd293ddd3e83c0625199d6f0561dcad99d7
-Conflict: NA
-
-Note the bin_t type is also used as a default type for files
-in /usr/libexec and some additional paths.
-
-Signed-off-by: lujie54
----
- policy/modules/kernel/corecommands.if | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 70b6b35..d88c5c0 100644
---- a/policy/modules/kernel/corecommands.if
-+++ b/policy/modules/kernel/corecommands.if
-@@ -201,6 +201,24 @@ interface(`corecmd_dontaudit_write_bin_dirs',`
-
- ########################################
- ##
-+## Watch bin directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corecmd_watch_bin_dirs',`
-+ gen_require(`
-+ type bin_t;
-+ ')
-+
-+ allow $1 bin_t:dir watch_dir_perms;
-+')
-+
-+########################################
-+##
- ## Get the attributes of files in bin directories.
- ##
- ##
---
-1.8.3.1
-
diff --git a/backport-Add-the-init_append_stream_sockets-interface.patch b/backport-Add-the-init_append_stream_sockets-interface.patch
deleted file mode 100644
index 9712df6..0000000
--- a/backport-Add-the-init_append_stream_sockets-interface.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 4536c1c32c0ed377b1c31aab18819dfb1a46b91e Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 1 Apr 2022 19:21:10 +0200
-Subject: [PATCH] Add the init_append_stream_sockets() interface
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/4536c1c32c0ed377b1c31aab18819dfb1a46b91e
-Conflict: NA
-
-Signed-off-by: lujie54
----
- policy/modules/system/init.if | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 7bd438e..4b3bb59 100644
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -2789,6 +2789,25 @@ interface(`init_rw_stream_sockets',`
- allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
- ')
-
-+########################################
-+##
-+## Allow the specified domain to append to
-+## init unix domain stream sockets.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_append_stream_sockets',`
-+ gen_require(`
-+ type init_t;
-+ ')
-+
-+ allow $1 init_t:unix_stream_socket append;
-+')
-+
- #######################################
- ##
- ## Allow the specified domain to write to
---
-1.8.3.1
-
diff --git a/backport-Add-the-map-permission-to-common_anon_inode_perm-per.patch b/backport-Add-the-map-permission-to-common_anon_inode_perm-per.patch
deleted file mode 100644
index 7d4cfba..0000000
--- a/backport-Add-the-map-permission-to-common_anon_inode_perm-per.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 34264caf221fc43e17aefeeda0d1115eb89655e0 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Mon, 7 Feb 2022 18:27:52 +0100
-Subject: [PATCH] Add the map permission to common_anon_inode_perm permission
- set
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/34264caf221fc43e17aefeeda0d1115eb89655e0
-Conflict: NA
-
-Resolves: rhbz#2025714
-Signed-off-by: lujie54
----
- policy/support/obj_perm_sets.spt | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index 1a2108a..2b84320 100644
---- a/policy/support/obj_perm_sets.spt
-+++ b/policy/support/obj_perm_sets.spt
-@@ -280,7 +280,7 @@ define(`userfaultfd_anon_inode_perms',`
- #
- # Anonymous inode files (anon_inode)
- #
--define(`userfaultfd_anon_inode_perms',`{ create getattr ioctl read write }')
-+define(`userfaultfd_anon_inode_perms',`{ create getattr ioctl map read write }')
-
- ########################################
- #
---
-1.8.3.1
-
diff --git a/backport-Add-the-userdom_prog_run_bpf_userdomain-interface.patch b/backport-Add-the-userdom_prog_run_bpf_userdomain-interface.patch
deleted file mode 100644
index b845ac4..0000000
--- a/backport-Add-the-userdom_prog_run_bpf_userdomain-interface.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From aa0d31bad83cf8664e5b415b55022deaa0648552 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 2 Aug 2022 16:31:48 +0200
-Subject: [PATCH] Add the userdom_prog_run_bpf_userdomain() interface
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/aa0d31bad83cf8664e5b415b55022deaa0648552
-Conflict: NA
-
-The userdom_prog_run_bpf_userdomain() interface was added
-to allow the caller domain to run bpftool on the userdomain attribute.
-
-Signed-off-by: lujie54
----
- policy/modules/system/userdomain.if | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index aeb2deb..e14a3c5 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -6809,3 +6809,21 @@ template(`userdom_security_admin_template',`
- samhain_run($1, $2)
- ')
- ')
-+#
-+########################################
-+##
-+## Allow caller domain to run bpftool on userdomain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_prog_run_bpf_userdomain',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:bpf { map_create map_read map_write prog_load prog_run };
-+')
---
-1.8.3.1
-
diff --git a/backport-Allow-ModemManager-connect-to-the-unconfined-user-do.patch b/backport-Allow-ModemManager-connect-to-the-unconfined-user-do.patch
deleted file mode 100644
index 20812d8..0000000
--- a/backport-Allow-ModemManager-connect-to-the-unconfined-user-do.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 51422c4a4277924046514a18b67a38b896d698f0 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 28 Jan 2022 17:40:25 +0100
-Subject: [PATCH] Allow ModemManager connect to the unconfined user domain
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/51422c4a4277924046514a18b67a38b896d698f0
-Conflict: NA
-
-The modemmanager_t domain was allowed to connect to unconfined_t
-over a unix domain stream socket.
-
-Resolves: rhbz#1961571
-Signed-off-by: lujie54
----
- policy/modules/contrib/modemmanager.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
-index 857ed6b..9a132b2 100644
---- a/policy/modules/contrib/modemmanager.te
-+++ b/policy/modules/contrib/modemmanager.te
-@@ -82,3 +82,7 @@ optional_policy(`
- udev_read_db(modemmanager_t)
- udev_manage_pid_files(modemmanager_t)
- ')
-+
-+optional_policy(`
-+ unconfined_stream_connect(modemmanager_t)
-+')
---
-1.8.3.1
-
diff --git a/backport-Allow-NetworkManager-talk-with-unconfined-user-over-.patch b/backport-Allow-NetworkManager-talk-with-unconfined-user-over-.patch
deleted file mode 100644
index 4820413..0000000
--- a/backport-Allow-NetworkManager-talk-with-unconfined-user-over-.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From f0cb46186be7437cd78c96271938b3902cec10b7 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Wed, 26 Jan 2022 10:54:36 +0100
-Subject: [PATCH] Allow NetworkManager talk with unconfined user over unix
- domain dgram socket
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/f0cb46186be7437cd78c96271938b3902cec10b7
-Conflict: NA
-
-This permission is required for wpa_cli be able to communicate with the
-wpa_supplicant service in CLI. The wpa control interface socket file is
-open in /run/wpa_supplicant, the client socket in /tmp.
-
-This issue possibly started to appear after unconfined_t was removed from the
-unpriv_user_domain attribute with the 4b4eec49a55 ("Removed adding to
-attribute unpriv_userdomain from userdom_unpriv_type template") commit.
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(01/24/2022 02:56:04.040:501) : proctitle=/usr/sbin/wpa_supplicant -g /run/wpa_supplicant/global -c /etc/wpa_supplicant/wpa_supplicant.conf -u -s
-type=PATH msg=audit(01/24/2022 02:56:04.040:501) : item=0 name=/tmp/wpa_ctrl_26793-1 inode=730142 dev=fd:01 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=CWD msg=audit(01/24/2022 02:56:04.040:501) : cwd=/
-type=SOCKADDR msg=audit(01/24/2022 02:56:04.040:501) : saddr={ saddr_fam=local path=/tmp/wpa_ctrl_26793-1 }
-type=SYSCALL msg=audit(01/24/2022 02:56:04.040:501) : arch=x86_64 syscall=sendto success=yes exit=5 a0=0x5 a1=0x5556370a4860 a2=0x5 a3=0x0 items=1 ppid=1 pid=26219 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant subj=system_u:system_r:NetworkManager_t:s0 key=(null)
-type=AVC msg=audit(01/24/2022 02:56:04.040:501) : avc: denied { sendto } for pid=26219 comm=wpa_supplicant path=/tmp/wpa_ctrl_26793-1
scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
-
-Resolves: rhbz#2044048
-Signed-off-by: lujie54
----
- policy/modules/contrib/networkmanager.te | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
-index 8230910..1a53f51 100644
---- a/policy/modules/contrib/networkmanager.te
-+++ b/policy/modules/contrib/networkmanager.te
-@@ -498,6 +498,11 @@ optional_policy(`
- openvswitch_stream_connect(NetworkManager_t)
- ')
-
-+optional_policy(`
-+ unconfined_dgram_send(NetworkManager_t)
-+')
-+
-+
- tunable_policy(`use_ecryptfs_home_dirs',`
- fs_manage_ecryptfs_files(NetworkManager_t)
- ')
---
-1.8.3.1
-
diff --git a/backport-Allow-PID-1-and-dbus-broker-IPC-with-a-systemd-user-.patch b/backport-Allow-PID-1-and-dbus-broker-IPC-with-a-systemd-user-.patch
deleted file mode 100644
index 34aaf81..0000000
--- a/backport-Allow-PID-1-and-dbus-broker-IPC-with-a-systemd-user-.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 6a6fff9f00a02723d3a9c58e892e12a527df8efa Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 16 Nov 2021 20:50:48 +0100
-Subject: [PATCH] Allow PID 1 and dbus-broker IPC with a systemd user session
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6a6fff9f00a02723d3a9c58e892e12a527df8efa
-Conflict: NA
-
-systemd-stdio-bridge is invoked using systemd-run to connect to a user
-bus from a privileged context:
-systemd-run -M.host -PGq --wait -pUser=user1 -pPAMName=login systemd-stdio-bridge -punix:path=${XDG_RUNTIME_DIR}/bus
-
-The commands sequence is as follows:
-1. dnf invokes rpm
-2. a scriptlet is called from rpm
-3. the scriptlet calls /usr/lib/systemd/systemd-update-helper
-4. systemd-update-helper calls systemctl --user @ ...
-5. in the systemctl binary, sd-bus invokes systemd-run
-6. which invokes systemd-stdio-bridge as the user
-7. systemctl communicates with the user manager over the bridge
-
-Refer to this commit for more information:
-https://github.com/systemd/systemd/pull/17967/commits/1b630835dff
-
-Addresses the following AVC denials:
-----
-type=AVC msg=audit(11/15/2021 08:56:59.167:1097) : avc: denied { read write } for pid=458 comm=dbus-broker path=socket:[37803] dev="sockfs" ino=37803 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
-----
-type=AVC msg=audit(11/15/2021 08:56:59.168:1098) : avc: denied { read write } for pid=1 comm=systemd path=socket:[37803] dev="sockfs" ino=37803 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
-----
-type=PROCTITLE msg=audit(11/15/2021 08:56:59.184:1100) : proctitle=(o-bridge)
-type=SYSCALL msg=audit(11/15/2021 08:56:59.184:1100) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x0 a1=TCGETS a2=0x7ffca74d78a0 a3=0x0 items=0 ppid=1
pid=6580 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(o-bridge) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
-type=AVC msg=audit(11/15/2021 08:56:59.184:1100) : avc: denied { ioctl } for pid=6580 comm=(o-bridge) path=socket:[37803] dev="sockfs" ino=37803 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
-----
-
-Resolves: rhbz#2023332
-Signed-off-by: lujie54
----
- policy/modules/contrib/dbus.te | 4 ++++
- policy/modules/system/init.te | 1 +
- 2 files changed, 5 insertions(+)
-
-diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
-index a426d29..76fb3b6 100644
---- a/policy/modules/contrib/dbus.te
-+++ b/policy/modules/contrib/dbus.te
-@@ -236,6 +236,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ userdom_rw_stream(system_dbusd_t)
-+')
-+
-+optional_policy(`
- virt_list_sandbox_dirs(system_dbusd_t)
- ')
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index b261f08..22e363a 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -872,6 +872,7 @@ optional_policy(`
-
- optional_policy(`
- userdom_exec_user_bin_files(init_t)
-+ userdom_rw_stream(init_t)
- ')
-
- ########################################
---
-1.8.3.1
-
diff --git a/backport-Allow-admin-userdomains-use-socketpair.patch b/backport-Allow-admin-userdomains-use-socketpair.patch
deleted file mode 100644
index c457861..0000000
--- a/backport-Allow-admin-userdomains-use-socketpair.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From fd807226d8aeb7a06e4f94974e116feedebaed59 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Thu, 6 Jan 2022 09:26:43 +0100
-Subject: [PATCH] Allow admin userdomains use socketpair()
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/fd807226d8aeb7a06e4f94974e116feedebaed59
-Conflict: NA
-
-In cockpit, the bridge uses socketpair() to communicate to subprocesses.
-For executing administrative commands, "sudo cockpit-bridge" is spawned,
-and the permissions to read and write from the socket are required.
-
-Simplified reproducer:
-$ python3 -c 'import socket, subprocess; r = socket.socketpair(); p = subprocess.Popen(["sudo", "whoami"], stdout=r[0]); print(p.wait()); print(r[1].recv(100))'
-
-sudo succeeds, but recv() hangs as the data flow is blocked.
-
-This commit addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(01/06/2022 03:07:28.526:5532) : proctitle=sudo whoami
-type=EXECVE msg=audit(01/06/2022 03:07:28.526:5532) : argc=2 a0=sudo a1=whoami
-type=SYSCALL msg=audit(01/06/2022 03:07:28.526:5532) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7f302b08c470 a1=0x7f302b106450 a2=0x7ffe20fef5b8 a3=0xffffffffffffff01 items=2 ppid=567183 pid=567184 auid=admin uid=admin gid=admin euid=root suid=root fsuid=root egid=admin sgid=admin fsgid=admin tty=pts1 ses=6 comm=sudo exe=/usr/bin/sudo subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
-type=AVC msg=audit(01/06/2022 03:07:28.526:5532) : avc: denied { read write } for pid=567184 comm=sudo path=socket:[690408] dev="sockfs" ino=690408 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
-
-Resolves: rhbz#1814569
-Signed-off-by: lujie54
----
- policy/modules/admin/sudo.if | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 24ede58..4b8f975 100644
---- a/policy/modules/admin/sudo.if
-+++ b/policy/modules/admin/sudo.if
-@@ -58,7 +58,7 @@ template(`sudo_role_template',`
- allow $1_sudo_t $3:file read_file_perms;;
- allow $1_sudo_t $3:key search;
-
-- allow $1_sudo_t $1_t:unix_stream_socket connectto;
-+ allow $1_sudo_t $1_t:unix_stream_socket { connectto read write };
-
- # Enter this derived domain from the user domain
- domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
---
-1.8.3.1
-
diff --git a/backport-Allow-administrative-users-the-bpf-capability.patch b/backport-Allow-administrative-users-the-bpf-capability.patch
deleted file mode 100644
index ddf4c2c..0000000
--- a/backport-Allow-administrative-users-the-bpf-capability.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 0fa3cc8988c28c5da8b6844cdac0d052ec48dc3b Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Wed, 12 Jan 2022 17:39:33 +0100
-Subject: [PATCH] Allow administrative users the bpf capability
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/0fa3cc8988c28c5da8b6844cdac0d052ec48dc3b
-Conflict: NA
-
-The userdom_admin_user_template() template for creating an
-administrative user was updated with the bpf capability so that
-e. g. users in the sysadm_r role can run perf.
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(01/12/2022 10:45:01.065:855) : proctitle=perf record -o /dev/null echo test
-type=SYSCALL msg=audit(01/12/2022 10:45:01.065:855) : arch=x86_64 syscall=bpf success=no exit=ENOENT(No such file or directory) a0=BPF_PROG_GET_NEXT_ID a1=0x7fffd756dba0 a2=0x78 a3=0x3b items=0 ppid=9065 pid=9066 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=7 comm=perf exe=/usr/bin/perf subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
-type=AVC msg=audit(01/12/2022 10:45:01.065:855) : avc: denied { bpf } for pid=9066 comm=perf capability=unknown-capability(39) scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
-
-Signed-off-by: lujie54
----
- policy/modules/system/userdomain.if | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index cb56d28..eea0894 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -1640,6 +1640,8 @@ template(`userdom_admin_user_template',`
- # $1_t local policy
- #
-
-+ allow $1_t self:capability2 bpf;
-+
- # Manipulate other users crontab.
- allow $1_t self:passwd crontab;
-
---
-1.8.3.1
-
diff --git a/backport-Allow-alsa-bind-mixer-controls-to-led-triggers.patch b/backport-Allow-alsa-bind-mixer-controls-to-led-triggers.patch
deleted file mode 100644
index 1897d47..0000000
--- a/backport-Allow-alsa-bind-mixer-controls-to-led-triggers.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 435388f6b50495a6615b811b129ca6d3020f7355 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Thu, 10 Feb 2022 11:38:56 +0100
-Subject: [PATCH] Allow alsa bind mixer controls to led triggers
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/435388f6b50495a6615b811b129ca6d3020f7355
-Conflict: NA
-
-Since v5.13, the kernel has support to bind certain alsa mixer controls
-to LED triggers from userspace to control the mute-LEDS found on some
-devices (typically embedded inside the keyboard's mute keys).
-
-To allow that, alsa needs to be able to execute "modprobe snd_ctl_led"
-and write to /sys/class/sound/ctl-led/speaker/ and .../mic.
-
-Resolves: rhbz#1958210
-Signed-off-by: lujie54
----
- policy/modules/contrib/alsa.te | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
-index aee9fe8..3f1a7b0 100644
---- a/policy/modules/contrib/alsa.te
-+++ b/policy/modules/contrib/alsa.te
-@@ -82,12 +82,14 @@ corecmd_exec_bin(alsa_t)
-
- dev_getattr_fs(alsa_t)
- dev_read_sound(alsa_t)
--dev_read_sysfs(alsa_t)
-+dev_rw_sysfs(alsa_t)
- dev_read_urand(alsa_t)
- dev_write_sound(alsa_t)
-
- files_search_var_lib(alsa_t)
-
-+modutils_domtrans_kmod(alsa_t)
-+
- term_dontaudit_use_console(alsa_t)
- term_dontaudit_use_generic_ptys(alsa_t)
- term_dontaudit_use_all_ptys(alsa_t)
---
-1.8.3.1
-
diff --git a/backport-Allow-alsactl-set-group-Process-ID-of-a-process.patch b/backport-Allow-alsactl-set-group-Process-ID-of-a-process.patch
deleted file mode 100644
index 7614476..0000000
--- a/backport-Allow-alsactl-set-group-Process-ID-of-a-process.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From d5b75d954771da98c36fb7af90e24a14fb01c184 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Mon, 31 Jan 2022 12:47:23 +0100
-Subject: [PATCH] Allow alsactl set group Process ID of a process
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d5b75d954771da98c36fb7af90e24a14fb01c184
-Conflict: NA
-
-Addresses the following AVC denial:
-type=AVC msg=audit(1624169904.74:1152): avc: denied { setpgid } for pid=115535 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=0
-
-Resolves: rhbz#1974051
-Signed-off-by: lujie54
----
- policy/modules/contrib/alsa.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
-index 97f3815..aee9fe8 100644
---- a/policy/modules/contrib/alsa.te
-+++ b/policy/modules/contrib/alsa.te
-@@ -43,7 +43,7 @@ systemd_unit_file(alsa_unit_file_t)
-
- allow alsa_t self:capability { dac_read_search setgid setuid ipc_owner sys_nice };
- dontaudit alsa_t self:capability { sys_tty_config sys_admin };
--allow alsa_t self:process { getsched setsched signal_perms };
-+allow alsa_t self:process { getsched setpgid setsched signal_perms };
- allow alsa_t self:sem create_sem_perms;
- allow alsa_t self:shm create_shm_perms;
- allow alsa_t self:unix_stream_socket { accept listen };
---
-1.8.3.1
-
diff --git a/backport-Allow-chage-domtrans-to-sssd.patch b/backport-Allow-chage-domtrans-to-sssd.patch
deleted file mode 100644
index bf39510..0000000
--- a/backport-Allow-chage-domtrans-to-sssd.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From f540263f5ffcf315b970ca6428b2f04ff5c13f59 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Wed, 16 Feb 2022 16:57:08 +0100
-Subject: [PATCH] Allow chage domtrans to sssd
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(02/15/2022 16:04:12.036:1591) : proctitle=chage -d 0 user
-type=PATH msg=audit(02/15/2022 16:04:12.036:1591) : item=0 name=/usr/sbin/sss_cache inode=8920535 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=CWD msg=audit(02/15/2022 16:04:12.036:1591) : cwd=/root
-type=SYSCALL msg=audit(02/15/2022 16:04:12.036:1591) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55a73e1a7250 a1=0x7ffeecce2690 a2=0x7ffeecce2688 a3=0x7f125fce4840 items=1 ppid=104530 pid=104533 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=127 comm=chage exe=/usr/bin/chage subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
-type=AVC msg=audit(02/15/2022 16:04:12.036:1591) : avc: denied { execute } for pid=104533 comm=chage name=sss_cache dev="vda2" ino=8920535 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=0
-
-Resolves: rhbz#2054718
----
- policy/modules/admin/usermanage.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 155fb68..6640310 100644
---- a/policy/modules/admin/usermanage.te
-+++ b/policy/modules/admin/usermanage.te
-@@ -422,6 +422,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ sssd_domtrans(passwd_t)
- sssd_manage_lib_files(passwd_t)
- sssd_manage_public_files(passwd_t)
- sssd_read_pid_files(passwd_t)
---
-1.8.3.1
-
diff --git a/backport-Allow-chronyd-send-a-message-to-sosreport-over-datag.patch b/backport-Allow-chronyd-send-a-message-to-sosreport-over-datag.patch
deleted file mode 100644
index 879146e..0000000
--- a/backport-Allow-chronyd-send-a-message-to-sosreport-over-datag.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 05e940f535497768c2b4a8c37365b5b5156eda75 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 25 Feb 2022 14:16:52 +0100
-Subject: [PATCH] Allow chronyd send a message to sosreport over datagram
- socket
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/05e940f535497768c2b4a8c37365b5b5156eda75
-Conflict: NA
-
-The sosreport_dgram_send() interface was added.
-
-Signed-off-by: lujie54
----
- policy/modules/contrib/chronyd.te | 4 ++++
- policy/modules/contrib/sosreport.if | 18 ++++++++++++++++++
- 2 files changed, 22 insertions(+)
-
-diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
-index 8da80de..142139d 100644
---- a/policy/modules/contrib/chronyd.te
-+++ b/policy/modules/contrib/chronyd.te
-@@ -175,6 +175,10 @@ optional_policy(`
- rolekit_dgram_send(chronyd_t)
- ')
-
-+optional_policy(`
-+ sosreport_dgram_send(chronyd_t)
-+')
-+
- ########################################
- #
- # Local policy
-diff --git a/policy/modules/contrib/sosreport.if b/policy/modules/contrib/sosreport.if
-index c5fbb7a..44b13a8 100644
---- a/policy/modules/contrib/sosreport.if
-+++ b/policy/modules/contrib/sosreport.if
-@@ -166,3 +166,21 @@ interface(`sosreport_dbus_chat',`
- allow $1 sosreport_t:dbus send_msg;
- allow sosreport_t $1:dbus send_msg;
- ')
-+
-+########################################
-+##
-+## Send a message to sosreport over the datagram socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`sosreport_dgram_send',`
-+ gen_require(`
-+ type sosreport_t;
-+ ')
-+
-+ allow $1 sosreport_t:unix_dgram_socket sendto;
-+')
---
-1.8.3.1
-
diff --git a/backport-Allow-chronyd-talk-with-unconfined-user-over-unix-do.patch b/backport-Allow-chronyd-talk-with-unconfined-user-over-unix-do.patch
deleted file mode 100644
index 21f3a43..0000000
--- a/backport-Allow-chronyd-talk-with-unconfined-user-over-unix-do.patch
+++ /dev/null
@@ -1,47 +0,0 @@ -From bd3f86ee9fbae47287d63c496ba936348627122b Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 31 Mar 2022 10:55:05 +0200 -Subject: [PATCH] Allow chronyd talk with unconfined user over unix domain - dgram socket - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/bd3f86ee9fbae47287d63c496ba936348627122b -Conflict: NA - -This permission is required by applications which use the unix datagram -socket to communicate with chronyd directly, e.g. for monitoring -purposes. The other direction of communication is allowed by a rule for -unconfined_domain_type. - -Addresses the following AVC denial: - -type=PROCTITLE msg=audit(03/17/2022 12:11:19.881:312) : proctitle=/usr/sbin/chronyd -type=PATH msg=audit(03/17/2022 12:11:19.881:312) : item=0 name=/run/chrony/chronyc.sock inode=39486 dev=00:18 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:chronyd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=CWD msg=audit(03/17/2022 12:11:19.881:312) : cwd=/ -type=SOCKADDR msg=audit(03/17/2022 12:11:19.881:312) : saddr={ saddr_fam=local path=/run/chrony/chronyc.sock } -type=SYSCALL msg=audit(03/17/2022 12:11:19.881:312) : arch=x86_64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x8 a1=0x7fffeef72f20 a2=0x0 a3=0x0 items=1 ppid=1 pid=680 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null) -type=AVC msg=audit(03/17/2022 12:11:19.881:312) : avc: denied { sendto } for pid=680 comm=chronyd path=/run/chrony/chronyc.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0 - -Resolves: rhbz#2065313 -Signed-off-by: lujie54 ---- - policy/modules/contrib/chronyd.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git 
a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te -index 142139d..342735b 100644 ---- a/policy/modules/contrib/chronyd.te -+++ b/policy/modules/contrib/chronyd.te -@@ -179,6 +179,10 @@ optional_policy(` - sosreport_dgram_send(chronyd_t) - ') - -+optional_policy(` -+ unconfined_dgram_send(chronyd_t) -+') -+ - ######################################## - # - # Local policy --- -1.8.3.1 - diff --git a/backport-Allow-cloud-init-dbus-chat-with-systemd-logind.patch b/backport-Allow-cloud-init-dbus-chat-with-systemd-logind.patch deleted file mode 100644 index da23e26..0000000 --- a/backport-Allow-cloud-init-dbus-chat-with-systemd-logind.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 8ef66bbca8c278a7f9c2c13c792d885324a120e1 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Wed, 24 Nov 2021 11:32:40 +0100 -Subject: [PATCH] Allow cloud-init dbus chat with systemd-logind - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/8ef66bbca8c278a7f9c2c13c792d885324a120e1 -Conflict: NA - -When cloud-init executes a user data script to build a new image -template and there are commands using su or sudo, the process goes -through PAM stack for su/sudo which typically includes pam_systemd. -This PAM module calls systemd-logind to create a session for the user. -Then systemd-logind attempts to dbus send the results back to -cloud-init, but SELinux policy did not contain such permissions, which -resulted in 25 seconds delay: - -Jan 1 08:00:00 hostname dbus[12345]: [system] Activating via systemd: service name='org.freedesktop.login1' unit='dbus-org.freedesktop.login1.service' -Jan 1 08:00:25 hostname dbus[12345]: [system] Failed to activate service 'org.freedesktop.login1': timed out - -Addresses the following AVC denial: - -type=USER_AVC msg=audit(1637751660.446:66): pid=652 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.19 spid=723 tpid=1434 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? 
terminal=?'UID="dbus" AUID="unset" SAUID="dbus" - -Resolves: rhbz#2009769 -Signed-off-by: lujie54 ---- - policy/modules/contrib/cloudform.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/cloudform.te b/policy/modules/contrib/cloudform.te -index 2f19544..80b9cbc 100644 ---- a/policy/modules/contrib/cloudform.te -+++ b/policy/modules/contrib/cloudform.te -@@ -105,6 +105,7 @@ miscfiles_read_localization(cloud_init_t) - selinux_validate_context(cloud_init_t) - - systemd_dbus_chat_hostnamed(cloud_init_t) -+systemd_dbus_chat_logind(cloud_init_t) - systemd_dbus_chat_timedated(cloud_init_t) - systemd_exec_systemctl(cloud_init_t) - systemd_start_all_services(cloud_init_t) --- -1.8.3.1 - diff --git a/backport-Allow-confined-sysadmin-to-use-tool-vipw.patch b/backport-Allow-confined-sysadmin-to-use-tool-vipw.patch deleted file mode 100644 index d24e1cc..0000000 --- a/backport-Allow-confined-sysadmin-to-use-tool-vipw.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 9eec9eea6b6b74d8835928c32467f6edd749ff0e Mon Sep 17 00:00:00 2001 -From: Patrik Koncity -Date: Fri, 4 Feb 2022 12:04:16 +0100 -Subject: [PATCH] Allow confined sysadmin to use tool vipw - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9eec9eea6b6b74d8835928c32467f6edd749ff0e -Conflict: NA - -Allow confined sysadmin to use vipw and vigr, which edits passwd, -shadow, group, gshadow.. Dontaudit manage files and dir labeled -with admin_home_t. Also vipw need to use sss_cache tool. -Allow domain transition from sysadm_passwd_t to sssd_exec_t. - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2049018 -Signed-off-by: lujie54 ---- - policy/modules/admin/usermanage.te | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index a67fcc4..8fdbfbc 100644 ---- a/policy/modules/admin/usermanage.te -+++ b/policy/modules/admin/usermanage.te -@@ -501,6 +501,8 @@ init_dontaudit_rw_utmp(sysadm_passwd_t) - logging_send_syslog_msg(sysadm_passwd_t) - - userdom_use_unpriv_users_fds(sysadm_passwd_t) -+userdom_dontaudit_manage_admin_dir(sysadm_passwd_t) -+userdom_dontaudit_manage_admin_files(sysadm_passwd_t) - # user generally runs this from their home directory, so do not audit a search - # on user home dir - userdom_dontaudit_search_user_home_content(sysadm_passwd_t) -@@ -509,6 +511,10 @@ optional_policy(` - nscd_run(sysadm_passwd_t, sysadm_passwd_roles) - ') - -+optional_policy(` -+ sssd_domtrans(sysadm_passwd_t) -+') -+ - ######################################## - # - # Useradd local policy --- -1.8.3.1 - diff --git a/backport-Allow-dhclient-manage-pid-files-used-by-chronyd.patch b/backport-Allow-dhclient-manage-pid-files-used-by-chronyd.patch deleted file mode 100644 index c1d921f..0000000 --- a/backport-Allow-dhclient-manage-pid-files-used-by-chronyd.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From bf1751a3a139dfb05160330d04f68d4ab89a80f4 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Tue, 21 Jun 2022 17:45:28 +0200 -Subject: [PATCH] Allow dhclient manage pid files used by chronyd - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/bf1751a3a139dfb05160330d04f68d4ab89a80f4 -Conflict: NA - -The chronyd_manage_pid_files() interface was added. - -Resolves: rhbz#2093709 -Signed-off-by: lujie54 ---- - policy/modules/contrib/chronyd.if | 19 +++++++++++++++++++ - policy/modules/system/sysnetwork.te | 1 + - 2 files changed, 20 insertions(+) - -diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if -index cad4d31..d2f5504 100644 ---- a/policy/modules/contrib/chronyd.if -+++ b/policy/modules/contrib/chronyd.if -@@ -236,6 +236,25 @@ interface(`chronyd_manage_pid',` - manage_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t) - ') - -+######################################## -+## -+## Manage pid files used by chronyd -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`chronyd_manage_pid_files',` -+ gen_require(` -+ type chronyd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ manage_files_pattern($1, chronyd_var_run_t, chronyd_var_run_t) -+') -+ - ###################################### - ## - ## Create objects in /var/run -diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 1bb35d1..41b851f 100644 ---- a/policy/modules/system/sysnetwork.te -+++ b/policy/modules/system/sysnetwork.te -@@ -201,6 +201,7 @@ optional_policy(` - chronyd_systemctl(dhcpc_t) - chronyd_domtrans(dhcpc_t) - chronyd_domtrans_chronyc(dhcpc_t) -+ chronyd_manage_pid_files(dhcpc_t) - chronyd_read_keys(dhcpc_t) - ') - --- -1.8.3.1 - diff --git a/backport-Allow-dnsmasq-watch-etc-dnsmasq.d-directories.patch b/backport-Allow-dnsmasq-watch-etc-dnsmasq.d-directories.patch deleted file mode 100644 index b374d09..0000000 
--- a/backport-Allow-dnsmasq-watch-etc-dnsmasq.d-directories.patch
+++ /dev/null
@@ -1,37 +0,0 @@ -From 359d7cdc59a69c39c9f1d00890002dc7150b918a Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Tue, 7 Dec 2021 18:08:01 +0100 -Subject: [PATCH] Allow dnsmasq watch /etc/dnsmasq.d directories - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/359d7cdc59a69c39c9f1d00890002dc7150b918a -Conflict: NA - -Addresses the following AVC denial: - -type=PROCTITLE msg=audit(12/07/2021 09:38:48.124:320) : proctitle=/usr/sbin/dnsmasq -type=PATH msg=audit(12/07/2021 09:38:48.124:320) : item=0 name=/etc/dnsmasq.d inode=29360448 dev=fd:01 mode=dir,755 ouid=root ogid=dnsmasq rdev=00:00 obj=system_u:object_r:dnsmasq_etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=CWD msg=audit(12/07/2021 09:38:48.124:320) : cwd=/ -type=SYSCALL msg=audit(12/07/2021 09:38:48.124:320) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x8 a1=0x5586fa914c70 a2=0x88 a3=0x0 items=1 ppid=1 pid=5720 auid=unset uid=dnsmasq gid=dnsmasq euid=dnsmasq suid=dnsmasq fsuid=dnsmasq egid=dnsmasq sgid=dnsmasq fsgid=dnsmasq tty=(none) ses=unset comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null) -type=AVC msg=audit(12/07/2021 09:38:48.124:320) : avc: denied { watch } for pid=5720 comm=dnsmasq path=/etc/dnsmasq.d dev="vda1" ino=29360448 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=0 - -Resolves: rhbz#2029866 -Signed-off-by: lujie54 ---- - policy/modules/contrib/dnsmasq.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te -index 0d5c7e4..de7c0c0 100644 ---- a/policy/modules/contrib/dnsmasq.te -+++ b/policy/modules/contrib/dnsmasq.te -@@ -52,6 +52,7 @@ allow dnsmasq_t self:rawip_socket create_socket_perms; - - read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) - list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) 
-+watch_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) - - manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) - files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) --- -1.8.3.1 - diff --git a/backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch b/backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch deleted file mode 100644 index 7bce3bc..0000000 --- a/backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch +++ /dev/null 
@@ -1,172 +0,0 @@ -From 6956435a4e3cc5a6f0d311f80b31abddd83d9ae5 Mon Sep 17 00:00:00 2001 -From: Patrik Koncity -Date: Mon, 27 Jun 2022 20:37:44 +0800 -Subject: [PATCH] Allow domain transition to sssd_t and role access to sssd - -When installing some rpm packages, new users or -groups are added to the system using -the groupadd and useradd tools. Then the sss_cache -file with the bin_t label is run and on this file -groupadd and useradd want to setgid and this -trigger SELinux denials. Label the sss_cache binary -as sssd_exec_t and enabling the transition from -groupadd_t and useradd_t to sssd_t. Sssd policy -allowed setgid on this binary. - -Reference:https://github.com/fedora-selinux/selinux-policy/commit/bcc321f1719d252b205edf89f82f578c1c309eb0 -Conflict: NA - -After previous fix in bugzilla arise a SELinux -error with role. Processes running under -unconfined_r do not have access to sssd_t. -Allow domain transition from rpm_script_t to -sssd_t and allow the rpm_script_roles in the -sssd domain. - -Reference:https://github.com/fedora-selinux/selinux-policy/commit/25bdcfdf5821ddba2c47fc4306bc43debc4c0f75 -Conflict: NA - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2022690 - - -sssd_run_sssd interface allow execute sssd in the -sssd domain, and allow the specified role -the sssd domain. 
- -Reference:https://github.com/fedora-selinux/selinux-policy/commit/d7ef9cf83cb50b4349cb8277c2cd126c17dc629a -Conflict: NA - -Signed-off-by: lujie54 ---- - policy/modules/admin/usermanage.te | 18 ++++++++++-------- - policy/modules/contrib/rpm.te | 4 ++++ - policy/modules/contrib/sssd.fc | 1 + - policy/modules/contrib/sssd.if | 27 +++++++++++++++++++++++++++ - policy/modules/contrib/sssd.te | 3 +++ - 5 files changed, 45 insertions(+), 8 deletions(-) - -diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 5a857e0..b945e3c 100644 ---- a/policy/modules/admin/usermanage.te -+++ b/policy/modules/admin/usermanage.te -@@ -300,10 +300,11 @@ optional_policy(` - ') - - optional_policy(` -- sssd_manage_lib_files(groupadd_t) -- sssd_manage_public_files(groupadd_t) -- sssd_read_pid_files(groupadd_t) -- sssd_signal(groupadd_t) -+ sssd_domtrans(groupadd_t) -+ sssd_manage_lib_files(groupadd_t) -+ sssd_manage_public_files(groupadd_t) -+ sssd_read_pid_files(groupadd_t) -+ sssd_signal(groupadd_t) - ') - - optional_policy(` -@@ -679,10 +680,11 @@ optional_policy(` - ') - - optional_policy(` -- sssd_manage_lib_files(useradd_t) -- sssd_manage_public_files(useradd_t) -- sssd_read_pid_files(useradd_t) -- sssd_signal(useradd_t) -+ sssd_domtrans(useradd_t) -+ sssd_manage_lib_files(useradd_t) -+ sssd_manage_public_files(useradd_t) -+ sssd_read_pid_files(useradd_t) -+ sssd_signal(useradd_t) - ') - - optional_policy(` -diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te -index 9d2f4e6..3f6de12 100644 ---- a/policy/modules/contrib/rpm.te -+++ b/policy/modules/contrib/rpm.te -@@ -481,6 +481,10 @@ optional_policy(` - ') - - optional_policy(` -+ sssd_run_sssd(rpm_script_t, rpm_script_roles) -+') -+ -+optional_policy(` - tzdata_domtrans(rpm_t) - tzdata_run(rpm_script_t, rpm_script_roles) - ') -diff --git a/policy/modules/contrib/sssd.fc b/policy/modules/contrib/sssd.fc -index 2655c75..f51950d 100644 ---- a/policy/modules/contrib/sssd.fc 
-+++ b/policy/modules/contrib/sssd.fc -@@ -3,6 +3,7 @@ - /etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0) - - /usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) -+/usr/sbin/sss_cache -- gen_context(system_u:object_r:sssd_exec_t,s0) - /usr/libexec/sssd/sssd_autofs -- gen_context(system_u:object_r:sssd_exec_t,s0) - /usr/libexec/sssd/sssd_ifp -- gen_context(system_u:object_r:sssd_exec_t,s0) - /usr/libexec/sssd/sssd_nss -- gen_context(system_u:object_r:sssd_exec_t,s0) -diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if -index e1ff0d7..6debe08 100644 ---- a/policy/modules/contrib/sssd.if -+++ b/policy/modules/contrib/sssd.if -@@ -429,6 +429,33 @@ interface(`sssd_dontaudit_stream_connect',` - - ######################################## - ## -+## Execute sssd in the sssd domain, and -+## allow the specified role the sssd domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+## -+## -+## Role allowed access. -+## -+## -+## -+# -+interface(`sssd_run_sssd',` -+ gen_require(` -+ type sssd_t; -+ attribute_role sssd_roles; -+ ') -+ -+ sssd_domtrans($1) -+ roleattribute $2 sssd_roles; -+') -+ -+######################################## -+## - ## Connect to sssd over a unix stream socket in /var/run. - ## - ## -diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te -index b510dca..f64472c 100644 ---- a/policy/modules/contrib/sssd.te -+++ b/policy/modules/contrib/sssd.te -@@ -5,6 +5,8 @@ policy_module(sssd, 1.2.0) - # Declarations - # - -+attribute_role sssd_roles; -+ - ## - ##

- ## Allow sssd read, view, and write access to kernel keys with kernel_t type -@@ -22,6 +24,7 @@ gen_tunable(sssd_connect_all_unreserved_ports, false) - type sssd_t; - type sssd_exec_t; - init_daemon_domain(sssd_t, sssd_exec_t) -+role sssd_roles types sssd_t; - - type sssd_initrc_exec_t; - init_script_file(sssd_initrc_exec_t) --- -1.8.3.1 - diff --git a/backport-Allow-domain-use-userfaultfd-over-all-domains.patch b/backport-Allow-domain-use-userfaultfd-over-all-domains.patch deleted file mode 100644 index 1961835..0000000 --- a/backport-Allow-domain-use-userfaultfd-over-all-domains.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 3befcf9bdea867fca0d980871e251191fe234586 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Wed, 22 Jun 2022 21:27:59 +0200 -Subject: [PATCH] Allow domain use userfaultfd over all domains - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3befcf9bdea867fca0d980871e251191fe234586 -Conflict: NA - -Until now, all processes were allowed to use userfaultfd as well other -anon_inodes to get a file descriptor from the same domain. -Since this commit the permissions are allowed between different domains. - -Signed-off-by: lujie54 ---- - policy/modules/kernel/domain.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index f1e0bd6..1289b4c 100644 ---- a/policy/modules/kernel/domain.te -+++ b/policy/modules/kernel/domain.te -@@ -121,7 +121,7 @@ neverallow ~{ domain unlabeled_t } *:process *; - # Rules applied to all domains - # - --allow domain self:anon_inode userfaultfd_anon_inode_perms; -+allow domain domain:anon_inode userfaultfd_anon_inode_perms; - # read /proc/(pid|self) entries - allow domain self:dir { list_dir_perms watch_dir_perms }; - allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; --- -1.8.3.1 - 
diff --git a/backport-Allow-domtrans-to-sssd_t-and-role-access-to-sssd.patch b/backport-Allow-domtrans-to-sssd_t-and-role-access-to-sssd.patch deleted file mode 100644 index 9b38ad1..0000000 --- a/backport-Allow-domtrans-to-sssd_t-and-role-access-to-sssd.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 25bdcfdf5821ddba2c47fc4306bc43debc4c0f75 Mon Sep 17 00:00:00 2001 -From: Patrik Koncity -Date: Mon, 31 Jan 2022 13:06:49 +0100 -Subject: [PATCH] Allow domtrans to sssd_t and role access to sssd - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/25bdcfdf5821ddba2c47fc4306bc43debc4c0f75 -Conflict: NA - -After previous fix in bugzilla arise a SELinux -error with role. Processes running under -unconfined_r do not have access to sssd_t. -Allow domain transition from rpm_script_t to -sssd_t and allow the rpm_script_roles in the -sssd domain. - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2022690 -Signed-off-by: lujie54 ---- - policy/modules/contrib/rpm.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te -index 0866d95..b09dfe1 100644 ---- a/policy/modules/contrib/rpm.te -+++ b/policy/modules/contrib/rpm.te -@@ -489,6 +489,10 @@ optional_policy(` - ') - - optional_policy(` -+ sssd_run_sssd(rpm_script_t, rpm_script_roles) -+') -+ -+optional_policy(` - tzdata_domtrans(rpm_t) - tzdata_run(rpm_script_t, rpm_script_roles) - ') --- -1.8.3.1 - diff --git a/backport-Allow-fcoemon-request-the-kernel-to-load-a-module.patch b/backport-Allow-fcoemon-request-the-kernel-to-load-a-module.patch deleted file mode 100644 index 168136b..0000000 --- a/backport-Allow-fcoemon-request-the-kernel-to-load-a-module.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From ed80bcd8541d224ec18de995fb7dbb3c1bd5732c Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Fri, 7 Jan 2022 17:35:22 +0100 -Subject: [PATCH] Allow fcoemon request the kernel to load a module - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/ed80bcd8541d224ec18de995fb7dbb3c1bd5732c -Conflict: NA - -Addresses the following AVC denial: - -type=AVC msg=audit(1641434692.558:116): avc: denied { module_request } for pid=2995 comm="fcoemon" kmod="8021q" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0 -type=SYSCALL msg=audit(1641434692.558:116): arch=x86_64 syscall=ioctl success=no exit=ENOPKG a0=8 a1=8982 a2=7ffdd90301c0 a3=7fec871ae3e0 items=0 ppid=1 pid=2995 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fcoemon exe=/usr/sbin/fcoemon subj=s - -Resolves: rhbz#2034463 -Signed-off-by: lujie54 ---- - policy/modules/contrib/fcoe.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/contrib/fcoe.te b/policy/modules/contrib/fcoe.te -index d46768a..18a30e7 100644 ---- a/policy/modules/contrib/fcoe.te -+++ b/policy/modules/contrib/fcoe.te -@@ -34,6 +34,8 @@ manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) - manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) - files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file }) - -+kernel_request_load_module(fcoemon_t) -+ - dev_rw_sysfs(fcoemon_t) - dev_create_sysfs_files(fcoemon_t) - --- -1.8.3.1 - diff --git a/backport-Allow-firewalld-read-the-contents-of-the-sysfs-files.patch b/backport-Allow-firewalld-read-the-contents-of-the-sysfs-files.patch deleted file mode 100644 index 0a429c9..0000000 --- a/backport-Allow-firewalld-read-the-contents-of-the-sysfs-files.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 6c9ef9467ee7e7c9d569a102b05869419409b15e Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 27 Jun 2022 09:17:43 +0200 -Subject: [PATCH] Allow firewalld read the contents of the sysfs filesystem - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6c9ef9467ee7e7c9d569a102b05869419409b15e -Conflict: NA - -Addresses the following AVC denial which is triggered on the firewalld -service start when it tries to read /sys/devices/system/cpu/possible: - -type=AVC msg=audit(1656139734.292:232): avc: denied { read } for pid=1396 comm="firewalld" name="possible" dev="sysfs" ino=46 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 - -Resolves: rhbz#2101062 -Signed-off-by: lujie54 ---- - policy/modules/contrib/firewalld.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te -index 62cb02c..1c2d25e 100644 ---- a/policy/modules/contrib/firewalld.te -+++ b/policy/modules/contrib/firewalld.te -@@ -81,7 +81,7 @@ corecmd_exec_bin(firewalld_t) - corecmd_exec_shell(firewalld_t) - - dev_read_urand(firewalld_t) --dev_search_sysfs(firewalld_t) -+dev_read_sysfs(firewalld_t) - - domain_use_interactive_fds(firewalld_t) - domain_obj_id_change_exemption(firewalld_t) --- -1.8.3.1 - diff --git a/backport-Allow-gssproxy-access-to-various-system-files.patch b/backport-Allow-gssproxy-access-to-various-system-files.patch deleted file mode 100644 index 8d0bbf1..0000000 --- a/backport-Allow-gssproxy-access-to-various-system-files.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 02d90bb3e2fc39d67a7d07cec5ca113bd0a53421 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 10 Jan 2022 17:36:15 +0100 -Subject: [PATCH] Allow gssproxy access to various system files. - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/02d90bb3e2fc39d67a7d07cec5ca113bd0a53421 -Conflict: NA - -gssproxy was allowed to: -- read system state information in /proc -- read from random number generator devices (e.g., /dev/random) -- read hardware state information - -Resolves: rhbz#2026974 -Signed-off-by: lujie54 ---- - policy/modules/contrib/gssproxy.te | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te -index f48457c..aa53de0 100644 ---- a/policy/modules/contrib/gssproxy.te -+++ b/policy/modules/contrib/gssproxy.te -@@ -41,6 +41,7 @@ files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_fil - - kernel_rw_rpc_sysctls(gssproxy_t) - kernel_read_network_state(gssproxy_t) -+kernel_read_system_state(gssproxy_t) - - domain_use_interactive_fds(gssproxy_t) - domain_read_all_domains_state(gssproxy_t) -@@ -51,7 +52,9 @@ fs_getattr_all_fs(gssproxy_t) - - auth_use_nsswitch(gssproxy_t) - -+dev_read_rand(gssproxy_t) - dev_read_urand(gssproxy_t) -+dev_read_sysfs(gssproxy_t) - dev_rw_crypto(gssproxy_t) - - logging_send_syslog_msg(gssproxy_t) --- -1.8.3.1 - diff --git a/backport-Allow-gssproxy-read-and-write-z90crypt-device.patch b/backport-Allow-gssproxy-read-and-write-z90crypt-device.patch deleted file mode 100644 index 9e8d3d9..0000000 --- a/backport-Allow-gssproxy-read-and-write-z90crypt-device.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From d0fcb462896c8fb00eaa8f8b3580fffcbefcdf8b Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 10 Jan 2022 17:18:30 +0100 -Subject: [PATCH] Allow gssproxy read and write z90crypt device -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d0fcb462896c8fb00eaa8f8b3580fffcbefcdf8b -Conflict: NA - -This permission is required on s390x systems with the Crypto Express -adapter card. The z90crypt device driver acts as the interface to the -PCI cryptography hardware and performs asynchronous encryption -operations (RSA) as used during the SSL handshake. - -Addresses the following AVC denial: -type=PROCTITLE msg=audit(26.11.2021 17:43:04.211:26) : proctitle=/usr/sbin/gssproxy -D -type=AVC msg=audit(26.11.2021 17:43:04.211:26) : avc: denied { read write } for pid=859 comm=gssproxy name=icastats_0 dev="tmpfs" ino=2 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:ica_tmpfs_t:s0 tclass=file permissive=0 -type=SYSCALL msg=audit(26.11.2021 17:43:04.211:26) : arch=s390x syscall=openat success=no exit=EACCES(Operace zamĂ­tnuta) a0=0xffffffffffffff9c a1=0x3ffdec7c2fb a2=O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC a3=0x180 items=0 ppid=1 pid=859 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gssproxy exe=/usr/sbin/gssproxy subj=system_u:system_r:gssproxy_t:s0 key=(null) - -Resolves: rhbz#2026974 -Signed-off-by: lujie54 ---- - policy/modules/contrib/gssproxy.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te -index 18d08d1..872079f 100644 ---- a/policy/modules/contrib/gssproxy.te -+++ b/policy/modules/contrib/gssproxy.te -@@ -52,6 +52,7 @@ fs_getattr_all_fs(gssproxy_t) - auth_use_nsswitch(gssproxy_t) - - dev_read_urand(gssproxy_t) -+dev_rw_crypto(gssproxy_t) - - 
logging_send_syslog_msg(gssproxy_t) - --- -1.8.3.1 - diff --git a/backport-Allow-gssproxy-read-write-and-map-ica-tmpfs-files.patch b/backport-Allow-gssproxy-read-write-and-map-ica-tmpfs-files.patch deleted file mode 100644 index 563d07a..0000000 --- a/backport-Allow-gssproxy-read-write-and-map-ica-tmpfs-files.patch +++ /dev/null @@ -1,35 +0,0 @@ -From dc1a9f92b95e7adb963383681b8cab44f1e2a044 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 10 Jan 2022 17:25:03 +0100 -Subject: [PATCH] Allow gssproxy read, write, and map ica tmpfs files - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/dc1a9f92b95e7adb963383681b8cab44f1e2a044 -Conflict: NA - -These permissions are necessary for domains working -with the ICA crypto accelerator. - -Resolves: rhbz#2026974 -Signed-off-by: lujie54 ---- - policy/modules/contrib/gssproxy.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te -index 872079f..f48457c 100644 ---- a/policy/modules/contrib/gssproxy.te -+++ b/policy/modules/contrib/gssproxy.te -@@ -68,6 +68,10 @@ optional_policy(` - ') - - optional_policy(` -+ ica_rw_map_tmpfs_files(gssproxy_t) -+') -+ -+optional_policy(` - ipa_read_lib(gssproxy_t) - ') - --- -1.8.3.1 - diff --git a/backport-Allow-haproxy-get-attributes-of-cgroup-filesystems.patch b/backport-Allow-haproxy-get-attributes-of-cgroup-filesystems.patch deleted file mode 100644 index 1c39206..0000000 --- a/backport-Allow-haproxy-get-attributes-of-cgroup-filesystems.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From ab3afa4143e5d84daaa27a11743af3a6eb09c3df Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 23 Dec 2021 10:52:01 +0100 -Subject: [PATCH] Allow haproxy get attributes of cgroup filesystems - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/ab3afa4143e5d84daaa27a11743af3a6eb09c3df -Conflict: NA - -Resolves: rhbz#2035133 -Signed-off-by: lujie54 ---- - policy/modules/contrib/rhcs.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te -index 3d9199e..b143e2b 100644 ---- a/policy/modules/contrib/rhcs.te -+++ b/policy/modules/contrib/rhcs.te -@@ -665,6 +665,8 @@ dev_list_sysfs(haproxy_t) - dev_read_rand(haproxy_t) - dev_read_urand(haproxy_t) - -+fs_getattr_cgroup(haproxy_t) -+ - sysnet_dns_name_resolve(haproxy_t) - - tunable_policy(`haproxy_connect_any',` --- -1.8.3.1 - diff --git a/backport-Allow-haproxy-get-attributes-of-filesystems-with-ext.patch b/backport-Allow-haproxy-get-attributes-of-filesystems-with-ext.patch deleted file mode 100644 index f744ad0..0000000 --- a/backport-Allow-haproxy-get-attributes-of-filesystems-with-ext.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From b1497c15f68bf0ceac2b19684582266e717bd079 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 23 Dec 2021 10:53:06 +0100 -Subject: [PATCH] Allow haproxy get attributes of filesystems with extended - attributes - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/b1497c15f68bf0ceac2b19684582266e717bd079 -Conflict: NA - -Resolves: rhbz#2035132 -Signed-off-by: lujie54 ---- - policy/modules/contrib/rhcs.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te -index b143e2b..c6633bb 100644 ---- a/policy/modules/contrib/rhcs.te -+++ b/policy/modules/contrib/rhcs.te -@@ -666,6 +666,7 @@ dev_read_rand(haproxy_t) - dev_read_urand(haproxy_t) - - fs_getattr_cgroup(haproxy_t) -+fs_getattr_xattr_fs(haproxy_t) - - sysnet_dns_name_resolve(haproxy_t) - --- -1.8.3.1 - diff --git a/backport-Allow-httpd-read-network-sysctls.patch b/backport-Allow-httpd-read-network-sysctls.patch deleted file mode 100644 index 3e20727..0000000 --- a/backport-Allow-httpd-read-network-sysctls.patch +++ /dev/null 
@@ -1,34 +0,0 @@
-From d98fa390807abca9bc1631f2562d0bba46b67bfd Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Mon, 5 Sep 2022 15:39:30 +0200
-Subject: [PATCH] Allow httpd read network sysctls
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(09/05/2022 15:03:53.634:444) : proctitle=/usr/bin/caddy run --environ --resume
-type=PATH msg=audit(09/05/2022 15:03:53.634:444) : item=0 name=/proc/sys/net/core/somaxconn inode=28391 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=SYSCALL msg=audit(09/05/2022 15:03:53.634:444) : arch=x86_64 syscall=openat success=yes exit=8 a0=AT_FDCWD a1=0xc000098c80 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1856 auid=unset uid=caddy gid=caddy euid=caddy suid=caddy fsuid=caddy egid=caddy sgid=caddy fsgid=caddy tty=(none) ses=unset comm=caddy exe=/usr/bin/caddy subj=system_u:system_r:httpd_t:s0 key=(null)
-type=AVC msg=audit(09/05/2022 15:03:53.634:444) : avc: denied { open } for pid=1856 comm=caddy path=/proc/sys/net/core/somaxconn dev="proc" ino=28391 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
-type=AVC msg=audit(09/05/2022 15:03:53.634:444) : avc: denied { read } for pid=1856 comm=caddy name=somaxconn dev="proc" ino=28391 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
-
-Resolves: rhbz#2122886
-Signed-off-by: lujie42
----
- policy/modules/contrib/apache.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
-index 0e4d4bf87..13e72686c 100644
---- a/policy/modules/contrib/apache.te
-+++ b/policy/modules/contrib/apache.te
-@@ -597,6 +597,7 @@ manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
- manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
-
- kernel_read_kernel_sysctls(httpd_t)
-+kernel_read_net_sysctls(httpd_t)
- # for modules that want to access /proc/meminfo
- kernel_read_system_state(httpd_t)
- kernel_read_network_state(httpd_t)
---
-2.27.0
-
diff --git a/backport-Allow-init-delete-generic-tmp-named-pipes.patch b/backport-Allow-init-delete-generic-tmp-named-pipes.patch
deleted file mode 100644
index e0a6919..0000000
--- a/backport-Allow-init-delete-generic-tmp-named-pipes.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From da5328319db49846fb698d262c13f06230091bfb Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 28 Jan 2022 19:01:45 +0100
-Subject: [PATCH] Allow init delete generic tmp named pipes
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/da5328319db49846fb698d262c13f06230091bfb
-Conflict: NA
-
-The files_delete_tmp_pipes() interface was added.
-
-Addresses the following AVC denial:
-type=AVC msg=audit(1628676879.222:1003): avc: denied { unlink } for pid=1 comm="systemd" name="controller_log_37116" dev="tmpfs" ino=1235 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file permissive=0
-
-Resolves: rhbz#1992562
-Signed-off-by: lujie54
----
- policy/modules/kernel/files.if | 18 ++++++++++++++++++
- policy/modules/system/init.te | 1 +
- 2 files changed, 19 insertions(+)
-
-diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index bca6f15..53e463c 100644
---- a/policy/modules/kernel/files.if
-+++ b/policy/modules/kernel/files.if
-@@ -6153,6 +6153,24 @@ interface(`files_delete_tmp_sockets',`
-
- ########################################
- ##
-+## Delete generic tmp named pipes
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_delete_tmp_pipes',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
-+ delete_fifo_files_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+##
- ## Remove entries from the tmp directory.
- ##
- ##
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index a81f5da..09a6925 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -648,6 +648,7 @@ files_read_kernel_modules(init_t)
- files_map_kernel_modules(init_t)
- files_dontaudit_mounton_isid(init_t)
- files_delete_tmp_files(init_t)
-+files_delete_tmp_pipes(init_t)
- files_delete_tmp_sockets(init_t)
- fs_getattr_all_fs(init_t)
- fs_manage_cgroup_dirs(init_t)
---
-1.8.3.1
-
diff --git a/backport-Allow-init-map-its-private-tmp-files.patch b/backport-Allow-init-map-its-private-tmp-files.patch
deleted file mode 100644
index 351bd77..0000000
--- a/backport-Allow-init-map-its-private-tmp-files.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 74d69e714236347f733e83eb1c623148628d89c6 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Mon, 26 Sep 2022 17:59:13 +0200
-Subject: [PATCH] Allow init map its private tmp files
-
-Addresses the following AVC denial:
-type=AVC msg=audit(11/24/2021 01:50:26.378:167) : avc: denied { map } for pid=1414 comm=cpupower-gui-he path=/var/tmp/ffi6reIpN (deleted) dev="nvme0n1p3" ino=88707980 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file permissive=0
-
-Resolves: rhbz#2026228
-Signed-off-by: lujie42
----
- policy/modules/system/init.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index c81f0d0be..fd03f1d03 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -208,6 +208,7 @@ manage_dirs_pattern(init_t, init_tmp_t, init_tmp_t)
- manage_lnk_files_pattern(init_t, init_tmp_t, init_tmp_t)
- manage_sock_files_pattern(init_t, init_tmp_t, init_tmp_t)
- files_tmp_filetrans(init_t, init_tmp_t, { file sock_file })
-+allow init_t init_tmp_t:file map;
-
- manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t)
- manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
---
-2.27.0
-
diff --git a/backport-Allow-init-read-stratis-data-symlinks.patch b/backport-Allow-init-read-stratis-data-symlinks.patch
deleted file mode 100644
index bae0bda..0000000
--- a/backport-Allow-init-read-stratis-data-symlinks.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From a27476b303259a43324be8533ddba68e7a6dd37e Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Wed, 2 Feb 2022 16:21:01 +0100
-Subject: [PATCH] Allow init read stratis data symlinks
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/a27476b303259a43324be8533ddba68e7a6dd37e
-Conflict: NA
-
-Addresses the following AVC denial:
-
-type=AVC msg=audit(02/02/22 09:39:31.790:2813) : avc: denied { read } for pid=1 comm=systemd name=fs1 dev="devtmpfs" ino=363096 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=lnk_file permissive=1
-
-Resolves: rhbz#2048514
-Signed-off-by: lujie54
----
- policy/modules/contrib/stratisd.if | 18 ++++++++++++++++++
- policy/modules/system/init.te | 4 ++++
- 2 files changed, 22 insertions(+)
-
-diff --git a/policy/modules/contrib/stratisd.if b/policy/modules/contrib/stratisd.if
-index de2427e..32e7e66 100644
---- a/policy/modules/contrib/stratisd.if
-+++ b/policy/modules/contrib/stratisd.if
-@@ -115,3 +115,21 @@ interface(`stratisd_admin',`
- systemd_read_fifo_file_passwd_run($1)
- ')
- ')
-+
-+########################################
-+##
-+## Read stratisd data symlinks
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`stratisd_data_read_lnk_files',`
-+ gen_require(`
-+ type stratisd_data_t;
-+ ')
-+
-+ allow $1 stratisd_data_t:lnk_file read_lnk_file_perms;
-+')
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 09a6925..033f189 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -839,6 +839,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ stratisd_data_read_lnk_files(init_t)
-+')
-+
-+optional_policy(`
- systemd_filetrans_named_content(init_t)
- systemd_write_inhibit_pipes(init_t)
- ')
---
-1.8.3.1
-
diff --git a/backport-Allow-init-read-write-inherited-user-fifo-files.patch b/backport-Allow-init-read-write-inherited-user-fifo-files.patch
deleted file mode 100644
index a00414a..0000000
--- a/backport-Allow-init-read-write-inherited-user-fifo-files.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 95d7034936ed5f2d01ffcf55a52a5d3c3c8a7825 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Wed, 21 Sep 2022 13:41:18 +0200
-Subject: [PATCH] Allow init read/write inherited user fifo files
-
-This commit backs the usage of "systemd-run --pipe" when standard input,
-output, and error of the transient service are inherited from the
-systemd-run command itself. The --pipe switch allows systemd-run to be
-used within shell pipelines.
-
-Addresses the following AVC denials:
-
-type=AVC msg=audit(09/21/2022 05:24:28.596:328) : avc: denied { write } for pid=1 comm=systemd path=pipe:[16980] dev="pipefs" ino=16980 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
-
-type=AVC msg=audit(09/21/2022 05:34:12.088:422) : avc: denied { read } for pid=1 comm=systemd path=pipe:[18554] dev="pipefs" ino=18554 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
-
-type=PROCTITLE msg=audit(09/21/2022 05:36:42.853:427) : proctitle=(grep)
-type=SYSCALL msg=audit(09/21/2022 05:36:42.853:427) : arch=x86_64 syscall=ioctl success=no exit=EACCES(Permission denied) a0=0x0 a1=TCGETS a2=0x7ffebe2ae1c0 a3=0x0 items=0 ppid=1 pid=1269 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(grep) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
-type=AVC msg=audit(09/21/2022 05:36:42.853:427) : avc: denied { ioctl } for pid=1269 comm=(grep) path=pipe:[18588] dev="pipefs" ino=18588 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
-
-Resolves: rhbz#2036829
-Signed-off-by: lujie42
----
- policy/modules/system/init.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 33052c66f..f369aa50e 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -413,7 +413,7 @@ userdom_manage_tmp_sockets(init_t)
- userdom_delete_user_tmp_files(init_t)
- userdom_delete_user_home_content_files(init_t)
- userdom_connectto_stream(init_t)
--
-+userdom_rw_inherited_user_pipes(init_t)
- userdom_transition_login_userdomain(init_t)
- userdom_nnp_transition_login_userdomain(init_t)
- userdom_noatsecure_login_userdomain(init_t)
---
-2.27.0
-
diff --git a/backport-Allow-init-remount-all-file_type-filesystems.patch b/backport-Allow-init-remount-all-file_type-filesystems.patch
deleted file mode 100644
index 5b2d345..0000000
--- a/backport-Allow-init-remount-all-file_type-filesystems.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 355731c1c456907fc7097257e50e4c0377f17953 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Wed, 7 Sep 2022 09:41:19 +0200
-Subject: [PATCH] Allow init remount all file_type filesystems
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(1650874039.465:8427): proctitle="(coredump)"
-type=PATH msg=audit(1650874039.465:8427): item=0 name="/proc/self/fd/4" inode=256 dev=00:32 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:swapfile_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
-type=SYSCALL msg=audit(1650874039.465:8427): arch=c000003e syscall=165 success=yes exit=0 a0=0 a1=7ffeea790a00 a2=0 a3=1021 items=1 ppid=1 pid=208737 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(coredump)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
-type=AVC msg=audit(1650874039.465:8427): avc: denied { remount } for pid=208737 comm="(coredump)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:swapfile_t:s0 tclass=filesystem permissive=1
-
-Resolves: rhbz#2125693
-Signed-off-by: lujie42
----
- policy/modules/kernel/files.if | 18 ++++++++++++++++++
- policy/modules/system/init.te | 1 +
- 2 files changed, 19 insertions(+)
-
-diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 2bb2908df..165eb4a12 100644
---- a/policy/modules/kernel/files.if
-+++ b/policy/modules/kernel/files.if
-@@ -1947,6 +1947,24 @@ interface(`files_unmount_all_file_type_fs',`
- allow $1 file_type:filesystem unmount;
- ')
-
-+########################################
-+##
-+## Remount all filesystems with the type of a file.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_remount_all_file_type_fs',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ allow $1 file_type:filesystem remount;
-+')
-+
- ########################################
- ##
- ## Read all non-authentication related
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index f369aa50e..c81f0d0be 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -627,6 +627,7 @@ dev_rw_wireless(init_t)
- files_search_all(init_t)
- files_mounton_all_mountpoints(init_t)
- files_unmount_all_file_type_fs(init_t)
-+files_remount_all_file_type_fs(init_t)
- files_mounton_kernel_symbol_table(init_t)
- files_manage_all_pid_dirs(init_t)
- files_write_all_pid_sockets(init_t)
---
-2.27.0
-
diff --git a/backport-Allow-init-watch-and-watch_reads-user-ttys.patch b/backport-Allow-init-watch-and-watch_reads-user-ttys.patch
deleted file mode 100644
index 9393f5b..0000000
--- a/backport-Allow-init-watch-and-watch_reads-user-ttys.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 9e2825e96456f95ba535f3809b23ded5b62dd9a9 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 1 Mar 2022 20:20:25 +0100
-Subject: [PATCH] Allow init watch and watch_reads user ttys
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9e2825e96456f95ba535f3809b23ded5b62dd9a9
-Conflict: NA
-
-The term_watch_user_ttys() and term_watch_reads_user_ttys()
-interfaces were added.
-
-Resolves: rhbz#2058823
-Signed-off-by: lujie54
----
- policy/modules/kernel/terminal.if | 36 ++++++++++++++++++++++++++++++++++++
- policy/modules/system/init.te | 2 ++
- 2 files changed, 38 insertions(+)
-
-diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index b058850..615d215 100644
---- a/policy/modules/kernel/terminal.if
-+++ b/policy/modules/kernel/terminal.if
-@@ -1824,6 +1824,42 @@ interface(`term_dontaudit_use_all_user_ttys',`
- term_dontaudit_use_all_ttys($1)
- ')
-
-+########################################
-+##
-+## Watch user tty device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_watch_user_ttys',`
-+ gen_require(`
-+ type user_tty_device_t;
-+ ')
-+
-+ allow $1 user_tty_device_t:chr_file watch_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Watch_reads user tty device nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`term_watch_reads_user_ttys',`
-+ gen_require(`
-+ type user_tty_device_t;
-+ ')
-+
-+ allow $1 user_tty_device_t:chr_file watch_reads_chr_file_perms;
-+')
-+
- ####################################
- ##
- ## Getattr on the virtio console.
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 033f189..a838cdd 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -377,6 +377,8 @@ term_watch_console_dev(init_t)
- term_watch_reads_console_dev(init_t)
- term_watch_unallocated_ttys(init_t)
- term_watch_reads_unallocated_ttys(init_t)
-+term_watch_user_ttys(init_t)
-+term_watch_reads_user_ttys(init_t)
-
- # Run init scripts.
- init_domtrans_script(init_t)
---
-1.8.3.1
-
diff --git a/backport-Allow-ipsec_t-read-write-tpm-devices.patch b/backport-Allow-ipsec_t-read-write-tpm-devices.patch
deleted file mode 100644
index db22f0f..0000000
--- a/backport-Allow-ipsec_t-read-write-tpm-devices.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From c836064999e34f071b4b411c47b87d544cd8f6d4 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Wed, 31 Aug 2022 18:58:39 +0200
-Subject: [PATCH] Allow ipsec_t read/write tpm devices
-
-Addresses the following AVC denial:
-
-type=AVC msg=audit(1652729361.214:334): avc: denied { getattr } for pid=1642 comm="charon" path="/dev/tpmrm0" dev="devtmpfs" ino=135 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=0
-
-Resolves: rhbz#2086926
-Signed-off-by: lujie42
----
- policy/modules/system/ipsec.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 43186c0b9..cd432b15f 100644
---- a/policy/modules/system/ipsec.te
-+++ b/policy/modules/system/ipsec.te
-@@ -180,6 +180,7 @@ corenet_rw_tun_tap_dev(ipsec_t)
- dev_read_sysfs(ipsec_t)
- dev_read_rand(ipsec_t)
- dev_read_urand(ipsec_t)
-+dev_rw_tpm(ipsec_t)
-
- domain_use_interactive_fds(ipsec_t)
-
---
-2.27.0
-
diff --git a/backport-Allow-iptables-list-cgroup-directories.patch b/backport-Allow-iptables-list-cgroup-directories.patch
deleted file mode 100644
index f057eb4..0000000
--- a/backport-Allow-iptables-list-cgroup-directories.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 72f789dd7c218919a18dd7130d37e92e7a92b994 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Wed, 16 Feb 2022 17:40:40 +0100
-Subject: [PATCH] Allow iptables list cgroup directories
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/72f789dd7c218919a18dd7130d37e92e7a92b994
-Conflict: NA
-
-Addresses the following AVC denial:
-[ 1591.423033] audit: type=1400 audit(1632734301.322:867): avc: denied { ioctl } for pid=11021 comm="iptables" path="/sys/fs/cgroup" dev="tmpfs" ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
-
-Resolves: rhbz#2008097
-Signed-off-by: lujie54
----
- policy/modules/system/iptables.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 495ee29..3374bff 100644
---- a/policy/modules/system/iptables.te
-+++ b/policy/modules/system/iptables.te
-@@ -51,6 +51,8 @@ files_manage_system_conf_files(iptables_t)
- files_etc_filetrans_system_conf(iptables_t)
- files_etc_filetrans(iptables_t, system_conf_t, dir)
-
-+fs_list_cgroup_dirs(iptables_t)
-+
- manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
- files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-
---
-1.8.3.1
-
diff --git a/backport-Allow-iscsid-the-sys_ptrace-userns-capability.patch b/backport-Allow-iscsid-the-sys_ptrace-userns-capability.patch
deleted file mode 100644
index ab40405..0000000
--- a/backport-Allow-iscsid-the-sys_ptrace-userns-capability.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From db12459fc6360763f7358adff0026577f2d51261 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 31 May 2022 19:51:21 +0200
-Subject: [PATCH] Allow iscsid the sys_ptrace userns capability
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/db12459fc6360763f7358adff0026577f2d51261
-Conflict: NA
-
-Resolves: rhbz#2086871
-Signed-off-by: lujie54
----
- policy/modules/contrib/iscsi.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
-index 76a7607..5bcf209 100644
---- a/policy/modules/contrib/iscsi.te
-+++ b/policy/modules/contrib/iscsi.te
-@@ -36,6 +36,7 @@ files_pid_file(iscsi_var_run_t)
- #
-
- allow iscsid_t self:capability { dac_read_search ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource };
-+allow iscsid_t self:cap_userns sys_ptrace;
- allow iscsid_t self:process { setrlimit setsched signal };
- allow iscsid_t self:fifo_file rw_fifo_file_perms;
- allow iscsid_t self:unix_stream_socket { accept connectto listen };
---
-1.8.3.1
-
diff --git a/backport-Allow-keepalived-setsched-and-sys_nice.patch b/backport-Allow-keepalived-setsched-and-sys_nice.patch
deleted file mode 100644
index 665569a..0000000
--- a/backport-Allow-keepalived-setsched-and-sys_nice.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 7342ec730a9702ec4ba42d6b57c56bc3be82e12b Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 12 Apr 2022 19:00:54 +0200
-Subject: [PATCH] Allow keepalived setsched and sys_nice
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/7342ec730a9702ec4ba42d6b57c56bc3be82e12b
-Conflict: NA
-
-These permissions are particularly required on high load systems
-when a keepalived child process may request to use more cpu resouces.
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(04/12/22 05:56:21.085:38) : proctitle=/usr/sbin/keepalived -D
-type=SYSCALL msg=audit(04/12/22 05:56:21.085:38) : arch=x86_64 syscall=sched_setscheduler success=no exit=EPERM(Operation not permitted) a0=0x41c a1=SCHED_RR|SCHED_RESET_ON_FORK a2=0x7fff2554107c a3=0x0 items=0 ppid=1051 pid=1052 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
-type=AVC msg=audit(04/12/22 05:56:21.085:38) : avc: denied { setsched } for pid=1052 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process permissive=1
-type=AVC msg=audit(04/12/22 05:56:21.085:38) : avc: denied { sys_nice } for pid=1052 comm=keepalived capability=sys_nice scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=capability permissive=1
-
-Resolves: rhbz#2008033
-Signed-off-by: lujie54
----
- policy/modules/contrib/keepalived.te | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/policy/modules/contrib/keepalived.te b/policy/modules/contrib/keepalived.te
-index 831ada9..89bc0d6 100644
---- a/policy/modules/contrib/keepalived.te
-+++ b/policy/modules/contrib/keepalived.te
-@@ -37,8 +37,8 @@ files_tmpfs_file(keepalived_tmpfs_t)
- # keepalived local policy
- #
-
--allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setuid setgid sys_admin sys_ptrace };
--allow keepalived_t self:process { signal_perms getpgid setpgid };
-+allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setuid setgid sys_admin sys_nice sys_ptrace };
-+allow keepalived_t self:process { signal_perms getpgid setpgid setsched };
- allow keepalived_t self:icmp_socket create_socket_perms;
- allow keepalived_t self:netlink_socket create_socket_perms;
- allow keepalived_t self:netlink_generic_socket create_socket_perms;
---
-1.8.3.1
-
diff --git a/backport-Allow-kpropd-get-attributes-of-cgroup-filesystems.patch b/backport-Allow-kpropd-get-attributes-of-cgroup-filesystems.patch
deleted file mode 100644
index 1fffb34..0000000
--- a/backport-Allow-kpropd-get-attributes-of-cgroup-filesystems.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 747521e0f639f1aec372e87cd2e0cbed13d9416b Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Thu, 13 Jan 2022 10:15:43 +0100
-Subject: [PATCH] Allow kpropd get attributes of cgroup filesystems
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/747521e0f639f1aec372e87cd2e0cbed13d9416b
-Conflict: NA
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(01/12/2022 17:58:09.626:7104) : proctitle=/usr/sbin/kpropd
-type=PATH msg=audit(01/12/2022 17:58:09.626:7104) : item=0 name=/sys/fs/cgroup/ inode=1 dev=00:1b mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=SYSCALL msg=audit(01/12/2022 17:58:09.626:7104) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x7f78a1e413ae a1=0x7ffd080f54c0 a2=0x7f78a2137260 a3=0x0 items=1 ppid=1 pid=132239 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kpropd exe=/usr/sbin/kpropd subj=system_u:system_r:kpropd_t:s0 key=(null)
-type=AVC msg=audit(01/12/2022 17:58:09.626:7104) : avc: denied { getattr } for pid=132239 comm=kpropd name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:kpropd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
-
-Signed-off-by: lujie54
----
- policy/modules/contrib/kerberos.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
-index 4289d79..b4d3c3e 100644
---- a/policy/modules/contrib/kerberos.te
-+++ b/policy/modules/contrib/kerberos.te
-@@ -385,6 +385,8 @@ dev_read_urand(kpropd_t)
-
- files_search_tmp(kpropd_t)
-
-+fs_getattr_cgroup(kpropd_t)
-+
- selinux_validate_context(kpropd_t)
-
- auth_use_nsswitch(kpropd_t)
---
-1.8.3.1
-
diff --git a/backport-Allow-launch-xenstored-read-filesystem-sysctls.patch b/backport-Allow-launch-xenstored-read-filesystem-sysctls.patch
deleted file mode 100644
index f9d5e90..0000000
--- a/backport-Allow-launch-xenstored-read-filesystem-sysctls.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 81ab7c124eea5b9227589286c69e08f3bbd3fe5e Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 5 Aug 2022 21:13:32 +0200
-Subject: [PATCH] Allow launch-xenstored read filesystem sysctls
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/81ab7c124eea5b9227589286c69e08f3bbd3fe5e
-Conflict: NA
-
-Addresses the following AVC denial:
-Aug 02 13:10:18 doppelganger.flyn.org audit[949]: AVC avc: denied { search } for pid=949 comm="launch-xenstore" name="fs" dev="proc" ino=15591 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=1
-
-Resolves: rhbz#2114498
-Signed-off-by: lujie54
----
- policy/modules/contrib/xen.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
-index c4bee9b..bbda603 100644
---- a/policy/modules/contrib/xen.te
-+++ b/policy/modules/contrib/xen.te
-@@ -450,6 +450,8 @@ files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t, { file dir sock_file }
-
- stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t)
-
-+kernel_read_fs_sysctls(xenstored_t)
-+
- auth_use_nsswitch(xenstored_t)
-
- can_exec(xenstored_t, xenstored_exec_t)
---
-1.8.3.1
-
diff --git a/backport-Allow-lldpd-connect-to-snmpd-with-a-unix-domain-stre.patch b/backport-Allow-lldpd-connect-to-snmpd-with-a-unix-domain-stre.patch
deleted file mode 100644
index eae7e93..0000000
--- a/backport-Allow-lldpd-connect-to-snmpd-with-a-unix-domain-stre.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From e7f00c5591082ab84c055ba250b361eefa19eb0d Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Mon, 3 Jan 2022 12:27:28 +0100
-Subject: [PATCH] Allow lldpd connect to snmpd with a unix domain stream socket
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/e7f00c5591082ab84c055ba250b361eefa19eb0d
-Conflict: NA
-
-If the lldpd service is configured to enable the SNMP subagent
-(using the -x option), the lldpd process tries to connect to snmpd's
-agentx. By default, the /var/agentx/master socket file is used.
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(01/03/22 06:21:57.359:417) : proctitle=/usr/sbin/lldpd -x
-type=PATH msg=audit(01/03/22 06:21:57.359:417) : item=0 name=/var/agentx/master nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=CWD msg=audit(01/03/22 06:21:57.359:417) : cwd=/
-type=SOCKADDR msg=audit(01/03/22 06:21:57.359:417) : saddr={ saddr_fam=local path=/var/agentx/master }
-type=SYSCALL msg=audit(01/03/22 06:21:57.359:417) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x6 a1=0x5586e8de9980 a2=0x6e a3=0x0 items=1 ppid=1 pid=12595 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null)
-type=AVC msg=audit(01/03/22 06:21:57.359:417) : avc: denied { search } for pid=12595 comm=lldpd name=agentx dev="vda1" ino=2034987 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir permissive=0
-
-Resolves: rhbz#1991029
-Signed-off-by: lujie54
----
- policy/modules/contrib/lldpad.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
-index cccbc09..075893c 100644
---- a/policy/modules/contrib/lldpad.te
-+++ b/policy/modules/contrib/lldpad.te
-@@ -83,6 +83,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ snmp_stream_connect(lldpad_t)
-+')
-+
-+optional_policy(`
- sysnet_read_config(lldpad_t)
- ')
-
---
-1.8.3.1
-
diff --git a/backport-Allow-lldpd-use-an-snmp-subagent-over-a-tcp-socket.patch b/backport-Allow-lldpd-use-an-snmp-subagent-over-a-tcp-socket.patch
deleted file mode 100644
index 5ba229b..0000000
--- a/backport-Allow-lldpd-use-an-snmp-subagent-over-a-tcp-socket.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From c0b38cf988df48613209e48007eefd748480d52f Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Thu, 2 Dec 2021 10:55:46 +0100
-Subject: [PATCH] Allow lldpd use an snmp subagent over a tcp socket
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/c0b38cf988df48613209e48007eefd748480d52f
-Conflict: NA
-
-When lldpd enables an snmp subagent for a tcp socket instead of udp:
-LLDPD_OPTIONS="-i -k -X tcp:127.0.0.1:705"
-
-the following permissions are required:
-- allow lldpd create and use tcp socket
-- name_connect to the agentx_port_t port
-
-Addresses the following AVC denials:
-
-type=PROCTITLE msg=audit(12/02/21 06:16:32.721:425) : proctitle=/usr/sbin/lldpd -i -k -X tcp:127.0.0.1:705
-type=SYSCALL msg=audit(12/02/21 06:16:32.721:425) : arch=x86_64 syscall=socket success=yes exit=17 a0=inet a1=SOCK_STREAM a2=ip a3=0x0 items=0 ppid=129230 pid=129232 auid=unset uid=lldpd gid=lldpd euid=lldpd suid=lldpd fsuid=lldpd egid=lldpd sgid=lldpd fsgid=lldpd tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null)
-type=AVC msg=audit(12/02/21 06:16:32.721:425) : avc: denied { create } for pid=129232 comm=lldpd scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:lldpad_t:s0 tclass=tcp_socket permissive=1
-
-type=PROCTITLE msg=audit(12/02/21 06:16:32.721:426) : proctitle=/usr/sbin/lldpd -i -k -X tcp:127.0.0.1:705
-type=SYSCALL msg=audit(12/02/21 06:16:32.721:426) : arch=x86_64 syscall=connect success=no exit=ECONNREFUSED(Connection refused) a0=0x11 a1=0x7ffff0e22c30 a2=0x10 a3=0x0 items=0 ppid=129230 pid=129232 auid=unset uid=lldpd gid=lldpd euid=lldpd suid=lldpd fsuid=lldpd egid=lldpd sgid=lldpd fsgid=lldpd tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null)
-type=AVC msg=audit(12/02/21 06:16:32.721:426) : avc: denied { name_connect } for pid=129232 comm=lldpd dest=705 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:agentx_port_t:s0 tclass=tcp_socket permissive=1
-type=AVC msg=audit(12/02/21 06:16:32.721:426) : avc: denied { connect } for pid=129232 comm=lldpd scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:lldpad_t:s0 tclass=tcp_socket permissive=1
-
-Resolves: rhbz#2028379
-Signed-off-by: lujie54
----
- policy/modules/contrib/lldpad.te | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
-index 000fafb..cccbc09 100644
---- a/policy/modules/contrib/lldpad.te
-+++ b/policy/modules/contrib/lldpad.te
-@@ -32,6 +32,7 @@ allow lldpad_t self:fifo_file rw_fifo_file_perms;
- allow lldpad_t self:unix_stream_socket { accept connectto listen };
- allow lldpad_t self:netlink_route_socket create_netlink_socket_perms;
- allow lldpad_t self:packet_socket create_socket_perms;
-+allow lldpad_t self:tcp_socket create_socket_perms;
- allow lldpad_t self:udp_socket create_socket_perms;
-
- manage_files_pattern(lldpad_t, lldpad_tmpfs_t, lldpad_tmpfs_t)
-@@ -54,6 +55,8 @@ auth_read_passwd(lldpad_t)
-
- corecmd_exec_bin(lldpad_t)
-
-+corenet_tcp_connect_agentx_port(lldpad_t)
-+
- dev_read_sysfs(lldpad_t)
-
- fs_getattr_tmpfs(lldpad_t)
---
-1.8.3.1
-
diff --git a/backport-Allow-login_userdomain-check-status-of-mount-units.patch b/backport-Allow-login_userdomain-check-status-of-mount-units.patch
deleted file mode 100644
index 7f58afe..0000000
--- a/backport-Allow-login_userdomain-check-status-of-mount-units.patch
+++ /dev/null
@@ -1,39 +0,0 @@ -From 68f9e4a144df544adc7fa733a64ac505f8189373 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Wed, 10 Aug 2022 17:08:03 +0200 -Subject: [PATCH] Allow login_userdomain check status of mount units - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/68f9e4a144df544adc7fa733a64ac505f8189373 -Conflict: NA - -Allow systemd user manager running in the context of the logged user -check status of mount units: - -systemctl --user status/show run-user-ID.mount - -Addresses the following AVC denial: - -Jul 28 11:26:24 hostname systemd[1483]: selinux: avc: denied { status } for auid=1000 uid=1000 gid=1000 path="/proc/self/mountinfo" cmdline="/usr/bin/gnome-shell" function="mac_selinux_filter" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=service permissive=0 - -Resolves: rhbz#2111834 -Signed-off-by: lujie54 ---- - policy/modules/system/userdomain.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 3ac8c12..5576a97 100644 ---- a/policy/modules/system/userdomain.te -+++ b/policy/modules/system/userdomain.te -@@ -372,6 +372,8 @@ optional_policy(` - ############################################################ - # login_userdomain local policy - -+allow login_userdomain self:service status; -+ - corenet_tcp_bind_xmsg_port(login_userdomain) - - create_blk_files_pattern(login_userdomain, user_tmp_t, user_tmp_t ) --- -1.8.3.1 - diff --git a/backport-Allow-login_userdomain-create-session_dbusd-tmp-sock.patch b/backport-Allow-login_userdomain-create-session_dbusd-tmp-sock.patch deleted file mode 100644 index af4950b..0000000 --- a/backport-Allow-login_userdomain-create-session_dbusd-tmp-sock.patch +++ /dev/null 
@@ -1,72 +0,0 @@
-From 7c18d0afc7f6b93319902dc1e5305fe66a060019 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Thu, 13 Jan 2022 19:17:31 +0100
-Subject: [PATCH] Allow login_userdomain create session_dbusd tmp socket files
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/7c18d0afc7f6b93319902dc1e5305fe66a060019
-Conflict: NA
-
-The dbus_create_session_tmp_sock_files() interface was added.
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(13.1.2022 18:56:38.180:8372) : proctitle=(systemd)
-type=PATH msg=audit(13.1.2022 18:56:38.180:8372) : item=1 name=/run/user/1001/bus inode=40 dev=00:3f mode=socket,666 ouid=staff ogid=staff rdev=00:00 obj=staff_u:object_r:session_dbusd_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=PATH msg=audit(13.1.2022 18:56:38.180:8372) : item=0 name=/run/user/1001/ inode=1 dev=00:3f mode=dir,700 ouid=staff ogid=staff rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=SOCKADDR msg=audit(13.1.2022 18:56:38.180:8372) : saddr={ saddr_fam=local path=/run/user/1001/bus }
-type=SYSCALL msg=audit(13.1.2022 18:56:38.180:8372) : arch=x86_64 syscall=bind success=yes exit=0 a0=0xc a1=0x562410fef860 a2=0x15 a3=0x0 items=2 ppid=1 pid=24940 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=23 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
-type=AVC msg=audit(13.1.2022 18:56:38.180:8372) : avc: denied { create } for pid=24940 comm=systemd name=bus scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=1
-
-Signed-off-by: lujie54
----
- policy/modules/contrib/dbus.if | 18 ++++++++++++++++++
- policy/modules/system/userdomain.te | 4 ++++
- 2 files changed, 22 insertions(+)
-
-diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
-index e04af61..deb6f10 100644
---- a/policy/modules/contrib/dbus.if
-+++ b/policy/modules/contrib/dbus.if
-@@ -901,6 +901,24 @@ interface(`dbus_delete_session_tmp_sock_files',`
- 
- ########################################
- ##
-+## Create session_dbusd tmp socket files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dbus_create_session_tmp_sock_files',`
-+ gen_require(`
-+ type session_dbusd_tmp_t;
-+ ')
-+
-+ create_sock_files_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
-+')
-+
-+########################################
-+##
- ## Allow systemctl dbus services
- ##
- ##
-diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index b936a81..9f778ee 100644
---- a/policy/modules/system/userdomain.te
-+++ b/policy/modules/system/userdomain.te
-@@ -404,6 +404,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ dbus_create_session_tmp_sock_files(login_userdomain)
-+')
-+
-+optional_policy(`
- gnome_watch_generic_data_home_dirs(login_userdomain)
- gnome_watch_home_config_dirs(login_userdomain)
- gnome_watch_home_config_files(login_userdomain)
--- 
-1.8.3.1
-
diff --git a/backport-Allow-login_userdomain-map-var-lib-directories.patch b/backport-Allow-login_userdomain-map-var-lib-directories.patch
deleted file mode 100644
index d983844..0000000
--- a/backport-Allow-login_userdomain-map-var-lib-directories.patch
+++ /dev/null
@@ -1,34 +0,0 @@ -From 2a15cfd1d0705acd84d18f3cdc669cc24ed7492f Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Wed, 9 Feb 2022 21:59:23 +0100 -Subject: [PATCH] Allow login_userdomain map /var/lib/directories - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/2a15cfd1d0705acd84d18f3cdc669cc24ed7492f -Conflict: NA - -Addresses the following AVC denial: -type=PROCTITLE msg=audit(02/09/22 21:26:39.579:1065) : proctitle=/usr/bin/gnome-software --gapplication-service -type=MMAP msg=audit(02/09/22 21:26:39.579:1065) : fd=57 flags=MAP_PRIVATE -type=SYSCALL msg=audit(02/09/22 21:26:39.579:1065) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x16630 a2=PROT_READ a3=MAP_PRIVATE items=0 ppid=1560 pid=2148 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=pool-org.gnome. exe=/usr/bin/gnome-software subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(02/09/22 21:26:39.579:1065) : avc: denied { map } for pid=2148 comm=pool-org.gnome. path=/var/lib/flatpak/repo/objects/2f/e0503898de4e28a3382ba6d7ecdc0376cabaea9e838991464eb821c46b7ff3.dirtree dev="vda2" ino=387029 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0 - -Signed-off-by: lujie54 ---- - policy/modules/system/userdomain.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 32d69b4..69b460f 100644 ---- a/policy/modules/system/userdomain.te -+++ b/policy/modules/system/userdomain.te -@@ -386,6 +386,7 @@ tunable_policy(`deny_bluetooth',`',` - - dev_watch_generic_dirs(login_userdomain) - -+files_map_var_lib_files(login_userdomain) - files_watch_etc_dirs(login_userdomain) - files_watch_etc_files(login_userdomain) - files_watch_system_conf_dirs(login_userdomain) --- -1.8.3.1 - 
diff --git a/backport-Allow-login_userdomain-open-read-map-system-journal.patch b/backport-Allow-login_userdomain-open-read-map-system-journal.patch deleted file mode 100644 index 1c9926a..0000000 --- a/backport-Allow-login_userdomain-open-read-map-system-journal.patch +++ /dev/null 
@@ -1,40 +0,0 @@
-From 4d93e16f67ad41d2f72071f965c780b587303846 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 26 Nov 2021 17:28:14 +0100
-Subject: [PATCH] Allow login_userdomain open/read/map system journal
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/4d93e16f67ad41d2f72071f965c780b587303846
-Conflict: NA
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(27.10.2021 15:45:16.341:455) : proctitle=systemctl status user@1001
-type=AVC msg=audit(27.10.2021 15:45:16.341:455) : avc: denied { read } for pid=4764 comm=systemctl name=system.journal dev="tmpfs" ino=429 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
-type=AVC msg=audit(27.10.2021 15:45:16.341:455) : avc: denied { open } for pid=4764 comm=systemctl path=/run/log/journal/edb15570307f47dd805feee9003d4e08/system.journal dev="tmpfs" ino=429 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1
-type=SYSCALL msg=audit(27.10.2021 15:45:16.341:455) : arch=x86_64 syscall=openat success=yes exit=6 a0=0xffffff9c a1=0x7fff96d6e1c0 a2=O_RDONLY|O_NONBLOCK|O_CLOEXEC a3=0x0 items=0 ppid=4739 pid=4764 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=pts1 ses=10 comm=systemctl exe=/usr/bin/systemctl subj=user_u:user_r:user_t:s0 key=(null)
-
-Resolves: rhbz#2017838
-Signed-off-by: lujie54
----
- policy/modules/system/userdomain.te | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 6a959c5..b936a81 100644
---- a/policy/modules/system/userdomain.te
-+++ b/policy/modules/system/userdomain.te
-@@ -410,6 +410,11 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ logging_mmap_journal(login_userdomain)
-+ logging_read_syslog_pid(login_userdomain)
-+')
-+
-+optional_policy(`
- pkcs_tmpfs_named_filetrans(login_userdomain)
- ')
- 
--- 
-1.8.3.1
-
diff --git a/backport-Allow-login_userdomain-read-systemd-runtime-files.patch b/backport-Allow-login_userdomain-read-systemd-runtime-files.patch
deleted file mode 100644
index ed00b83..0000000
--- a/backport-Allow-login_userdomain-read-systemd-runtime-files.patch
+++ /dev/null
@@ -1,35 +0,0 @@ -From 63ada8c2bf2277a228524228f5ffcac8e0aed86a Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Wed, 9 Feb 2022 21:30:24 +0100 -Subject: [PATCH] Allow login_userdomain read systemd runtime files - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/63ada8c2bf2277a228524228f5ffcac8e0aed86a -Conflict: NA - -Addresses the following AVC denial: -type=PROCTITLE msg=audit(02/09/22 21:25:30.080:274) : proctitle=/usr/lib/systemd/systemd --user -type=PATH msg=audit(02/09/22 21:25:30.080:274) : item=0 name=/run/systemd/user/session.slice.d/99-uresourced.conf inode=1336 dev=00:1a mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=CWD msg=audit(02/09/22 21:25:30.080:274) : cwd=/ -type=SYSCALL msg=audit(02/09/22 21:25:30.080:274) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55d1df498fa0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1465 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(02/09/22 21:25:30.080:274) : avc: denied { read } for pid=1465 comm=systemd name=99-uresourced.conf dev="tmpfs" ino=1336 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0 - -Signed-off-by: lujie54 ---- - policy/modules/system/userdomain.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index bcb3043..f1f68f7 100644 ---- a/policy/modules/system/userdomain.te -+++ b/policy/modules/system/userdomain.te -@@ -406,6 +406,7 @@ mount_watch_reads_pid_files(login_userdomain) - - optional_policy(` - init_mmap_read_var_lib_files(login_userdomain) -+ init_read_pid_files(login_userdomain) - 
') - - optional_policy(` --- -1.8.3.1 - diff --git a/backport-Allow-login_userdomain-watch-accountsd-lib-directori.patch b/backport-Allow-login_userdomain-watch-accountsd-lib-directori.patch deleted file mode 100644 index 0c7f85a..0000000 --- a/backport-Allow-login_userdomain-watch-accountsd-lib-directori.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 0ed8e5127011aa4a75f57c250b5cc89b71949179 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 13 Jan 2022 22:57:07 +0100 -Subject: [PATCH] Allow login_userdomain watch accountsd lib directories - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/0ed8e5127011aa4a75f57c250b5cc89b71949179 -Conflict: NA - -Addresses the following AVC denial: - -type=PROCTITLE msg=audit(3.1.2022 08:48:10.041:403) : proctitle=/usr/bin/plasmashell --no-respawn -type=PATH msg=audit(3.1.2022 08:48:10.041:403) : item=0 name=/var/lib/AccountsService/icons inode=102167247 dev=fd:00 mode=dir,775 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:accountsd_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=SYSCALL msg=audit(3.1.2022 08:48:10.041:403) : arch=x86_64 syscall=inotify_add_watch success=yes exit=16 a0=0xd a1=0x556d0da251b8 a2=0x2000fc6 a3=0x7f74d2859329 items=1 ppid=1775 pid=1944 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=plasmashell exe=/usr/bin/plasmashell subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(3.1.2022 08:48:10.041:403) : avc: denied { watch } for pid=1944 comm=plasmashell path=/var/lib/AccountsService/icons dev="dm-0" ino=102167247 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:accountsd_var_lib_t:s0 tclass=dir permissive=1 - -Signed-off-by: lujie54 ---- - policy/modules/system/userdomain.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 86617c3..465e0a3 100644 ---- a/policy/modules/system/userdomain.te -+++ b/policy/modules/system/userdomain.te -@@ -409,6 +409,10 @@ optional_policy(` - ') - - optional_policy(` -+ accountsd_watch_lib(login_userdomain) -+') -+ -+optional_policy(` - dbus_create_session_tmp_sock_files(login_userdomain) - 
') - --- -1.8.3.1 - diff --git a/backport-Allow-login_userdomain-watch-generic-directories-in-.patch b/backport-Allow-login_userdomain-watch-generic-directories-in-.patch deleted file mode 100644 index 4780c6f..0000000 --- a/backport-Allow-login_userdomain-watch-generic-directories-in-.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 7821ccab9e2f62f5d4ac8f2ea8ef45d12f4bb7a2 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 13 Jan 2022 22:38:29 +0100 -Subject: [PATCH] Allow login_userdomain watch generic directories in /tmp - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/7821ccab9e2f62f5d4ac8f2ea8ef45d12f4bb7a2 -Conflict: NA - -Addresses the following AVC denial: - -type=PROCTITLE msg=audit(13.1.2022 21:50:49.647:21417) : proctitle=/usr/lib64/firefox/firefox --sm-client-id 10cddccc67000160673165200000017210015 -type=PATH msg=audit(13.1.2022 21:50:49.647:21417) : item=0 name=/tmp inode=1 dev=00:25 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=SYSCALL msg=audit(13.1.2022 21:50:49.647:21417) : arch=x86_64 syscall=inotify_add_watch success=yes exit=21 a0=0x50 a1=0x7fee2f76f1d0 a2=0x1002fce a3=0xdaddb2ff3800000 items=1 ppid=1775 pid=1088343 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=GeckoMain exe=/usr/lib64/firefox/firefox subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(13.1.2022 21:50:49.647:21417) : avc: denied { watch } for pid=1088343 comm=GeckoMain path=/tmp dev="tmpfs" ino=1 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1 - -Signed-off-by: lujie54 ---- - policy/modules/system/userdomain.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 9f778ee..cc2d309 100644 ---- a/policy/modules/system/userdomain.te -+++ b/policy/modules/system/userdomain.te -@@ -389,6 +389,7 @@ dev_watch_generic_dirs(login_userdomain) - files_watch_etc_dirs(login_userdomain) - files_watch_usr_dirs(login_userdomain) - files_watch_var_lib_dirs(login_userdomain) 
-+files_watch_generic_tmp_dirs(login_userdomain) - - fs_create_cgroup_files(login_userdomain) - fs_watch_cgroup_files(login_userdomain) --- -1.8.3.1 - diff --git a/backport-Allow-login_userdomain-watch-library-and-fonts-dirs.patch b/backport-Allow-login_userdomain-watch-library-and-fonts-dirs.patch deleted file mode 100644 index 0690ab3..0000000 --- a/backport-Allow-login_userdomain-watch-library-and-fonts-dirs.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 6d6afe09b0fd44f074e545d9642b0cc66264486e Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Wed, 9 Feb 2022 21:54:36 +0100 -Subject: [PATCH] Allow login_userdomain watch library and fonts dirs - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6d6afe09b0fd44f074e545d9642b0cc66264486e -Conflict: NA - -Addresses the following AVC denial: -type=PROCTITLE msg=audit(02/09/22 21:48:51.576:15952) : proctitle=/usr/bin/gnome-software --gapplication-service -type=PATH msg=audit(02/09/22 21:48:51.576:15952) : item=0 name=/usr/lib64/gnome-software/plugins-16 inode=31777 dev=00:20 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=CWD msg=audit(02/09/22 21:48:51.576:15952) : cwd=/home/staff -type=SYSCALL msg=audit(02/09/22 21:48:51.576:15952) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x560c414dd770 a2=0x1002fce a3=0x7ffd82509080 items=1 ppid=1560 pid=2148 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=gmain exe=/usr/bin/gnome-software subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(02/09/22 21:48:51.576:15952) : avc: denied { watch } for pid=2148 comm=gmain path=/usr/lib64/gnome-software/plugins-16 dev="vda2" ino=31777 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0 - -Signed-off-by: lujie54 ---- - policy/modules/system/userdomain.te | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index a833ada..32d69b4 100644 ---- a/policy/modules/system/userdomain.te -+++ b/policy/modules/system/userdomain.te -@@ -398,6 +398,9 @@ files_watch_generic_tmp_dirs(login_userdomain) - fs_create_cgroup_files(login_userdomain) - 
fs_watch_cgroup_files(login_userdomain) - -+libs_watch_lib_dirs(login_userdomain) -+ -+miscfiles_watch_fonts_dirs(login_userdomain) - miscfiles_watch_localization_dirs(login_userdomain) - miscfiles_watch_localization_symlinks(login_userdomain) - --- -1.8.3.1 - diff --git a/backport-Allow-login_userdomain-watch-localization-directorie.patch b/backport-Allow-login_userdomain-watch-localization-directorie.patch deleted file mode 100644 index 95e1c57..0000000 --- a/backport-Allow-login_userdomain-watch-localization-directorie.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From 04abf1566f6fbd1b87f3d55fa9c09ec59a982b4a Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 13 Jan 2022 22:53:08 +0100 -Subject: [PATCH] Allow login_userdomain watch localization directories - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/04abf1566f6fbd1b87f3d55fa9c09ec59a982b4a -Conflict: NA - -The miscfiles_watch_localization_dirs() interface was added. - -Addresses the following AVC denial: - -type=PROCTITLE msg=audit(3.1.2022 08:51:36.215:442) : proctitle=/opt/google/chrome/chrome --enable-crashpad -type=PATH msg=audit(3.1.2022 08:51:36.215:442) : item=0 name=/etc/../usr/share/zoneinfo inode=67574433 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:locale_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=CWD msg=audit(3.1.2022 08:51:36.215:442) : cwd=/home/username -type=SYSCALL msg=audit(3.1.2022 08:51:36.215:442) : arch=x86_64 syscall=inotify_add_watch success=yes exit=10 a0=0x18 a1=0xd0a02b08b20 a2=0x10003cc a3=0x0 items=1 ppid=1944 pid=4906 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=ThreadPoolSingl exe=/opt/google/chrome/chrome subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(3.1.2022 08:51:36.215:442) : avc: denied { watch } for pid=4906 comm=ThreadPoolSingl path=/usr/share/zoneinfo dev="dm-0" ino=67574433 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1 - -Signed-off-by: lujie54 ---- - policy/modules/system/miscfiles.if | 24 ++++++++++++++++++++++++ - policy/modules/system/userdomain.te | 1 + - 2 files changed, 25 insertions(+) - -diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if -index b63a391..e7f73d8 100644 ---- a/policy/modules/system/miscfiles.if -+++ b/policy/modules/system/miscfiles.if -@@ -557,6 +557,30 @@ 
interface(`miscfiles_read_localization',` - - ######################################## - ## -+## Allow process to watch localization directories. -+## -+## -+##

-+## Allow the specified domain to watch localization directories -+## (e.g. /usr/share/zoneinfo/) for changes. -+##

-+##
-+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`miscfiles_watch_localization_dirs',` -+ gen_require(` -+ type locale_t; -+ ') -+ -+ watch_dirs_pattern($1, locale_t, locale_t) -+') -+ -+######################################## -+## - ## Allow process to watch localization files. - ## - ## -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 824af18..86617c3 100644 ---- a/policy/modules/system/userdomain.te -+++ b/policy/modules/system/userdomain.te -@@ -397,6 +397,7 @@ files_watch_generic_tmp_dirs(login_userdomain) - fs_create_cgroup_files(login_userdomain) - fs_watch_cgroup_files(login_userdomain) - -+miscfiles_watch_localization_dirs(login_userdomain) - miscfiles_watch_localization_symlinks(login_userdomain) - - mount_watch_pid_dirs(login_userdomain) --- -1.8.3.1 - diff --git a/backport-Allow-login_userdomain-watch-system-configuration-di.patch b/backport-Allow-login_userdomain-watch-system-configuration-di.patch deleted file mode 100644 index 09c7a3c..0000000 --- a/backport-Allow-login_userdomain-watch-system-configuration-di.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From bf059ebda558a7735cfdcfb874ecc8bfc2622cb1 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Wed, 9 Feb 2022 21:52:01 +0100 -Subject: [PATCH] Allow login_userdomain watch system configuration dirs - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/bf059ebda558a7735cfdcfb874ecc8bfc2622cb1 -Conflict: NA - -The files_watch_system_conf_dirs() interface was added. - -Addresses the following AVC denial: - -type=PROCTITLE msg=audit(02/09/22 21:28:19.577:2173) : proctitle=/usr/bin/gnome-software --gapplication-service -type=PATH msg=audit(02/09/22 21:28:19.577:2173) : item=0 name=/etc/yum.repos.d inode=432 dev=00:20 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:system_conf_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=CWD msg=audit(02/09/22 21:28:19.577:2173) : cwd=/home/staff -type=SYSCALL msg=audit(02/09/22 21:28:19.577:2173) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x560c414ea860 a2=0x1002fce a3=0x7ffd82509080 items=1 ppid=1560 pid=2148 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=gmain exe=/usr/bin/gnome-software subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(02/09/22 21:28:19.577:2173) : avc: denied { watch } for pid=2148 comm=gmain path=/etc/yum.repos.d dev="vda2" ino=432 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=dir permissive=0 - -Signed-off-by: lujie54 ---- - policy/modules/kernel/files.if | 19 +++++++++++++++++++ - policy/modules/system/userdomain.te | 1 + - 2 files changed, 20 insertions(+) - -diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 53e463c..b375a7e 100644 ---- a/policy/modules/kernel/files.if -+++ b/policy/modules/kernel/files.if -@@ -5720,6 +5720,25 @@ interface(`files_read_system_conf_files',` - 
read_lnk_files_pattern($1, etc_t, system_conf_t) - ') - -+####################################### -+## -+## Watch manageable system configuration dirs in /etc -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_watch_system_conf_dirs',` -+ gen_require(` -+ type etc_t, system_conf_t; -+ ') -+ -+ files_search_etc($1) -+ watch_dirs_pattern($1, system_conf_t, system_conf_t) -+') -+ - ###################################### - ## - ## Manage manageable system configuration files in /etc. -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index f1f68f7..a833ada 100644 ---- a/policy/modules/system/userdomain.te -+++ b/policy/modules/system/userdomain.te -@@ -388,6 +388,7 @@ dev_watch_generic_dirs(login_userdomain) - - files_watch_etc_dirs(login_userdomain) - files_watch_etc_files(login_userdomain) -+files_watch_system_conf_dirs(login_userdomain) - files_watch_usr_dirs(login_userdomain) - files_watch_usr_files(login_userdomain) - files_watch_var_lib_dirs(login_userdomain) --- -1.8.3.1 - diff --git a/backport-Allow-login_userdomain-watch-systemd-logind-PID-dire.patch b/backport-Allow-login_userdomain-watch-systemd-logind-PID-dire.patch deleted file mode 100644 index 36b972d..0000000 --- a/backport-Allow-login_userdomain-watch-systemd-logind-PID-dire.patch +++ /dev/null 
@@ -1,35 +0,0 @@
-From f519626b841561d71f7ef751b446a598871477bf Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 14 Jan 2022 17:13:08 +0100
-Subject: [PATCH] Allow login_userdomain watch systemd-logind PID directories
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/f519626b841561d71f7ef751b446a598871477bf
-Conflict: NA
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(3.1.2022 08:48:02.005:392) : proctitle=/usr/bin/wireplumber
-type=PATH msg=audit(3.1.2022 08:48:02.005:392) : item=0 name=/run/systemd/seats/ inode=72 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_logind_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=SYSCALL msg=audit(3.1.2022 08:48:02.005:392) : arch=x86_64 syscall=inotify_add_watch success=yes exit=1 a0=0x11 a1=0x7f214c69d027 a2=0x280 a3=0x0 items=1 ppid=1775 pid=2305 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=wireplumber exe=/usr/bin/wireplumber subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
-type=AVC msg=audit(3.1.2022 08:48:02.005:392) : avc: denied { watch } for pid=2305 comm=wireplumber path=/run/systemd/seats dev="tmpfs" ino=72 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=dir permissive=1
-
-Signed-off-by: lujie54
----
- policy/modules/system/userdomain.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 465e0a3..5643687 100644
---- a/policy/modules/system/userdomain.te
-+++ b/policy/modules/system/userdomain.te
-@@ -432,6 +432,7 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+ systemd_login_watch_pid_dirs(login_userdomain)
- systemd_login_watch_session_dirs(login_userdomain)
- ')
- 
--- 
-1.8.3.1
-
diff --git a/backport-Allow-login_userdomain-watch-systemd-machined-PID-di.patch b/backport-Allow-login_userdomain-watch-systemd-machined-PID-di.patch deleted file mode 100644 index f9d7442..0000000 --- a/backport-Allow-login_userdomain-watch-systemd-machined-PID-di.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From b909895c58d7709343e59e24f115d5ede1f46944 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Fri, 14 Jan 2022 17:16:43 +0100 -Subject: [PATCH] Allow login_userdomain watch systemd-machined PID directories - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/b909895c58d7709343e59e24f115d5ede1f46944 -Conflict: NA - -Addresses the following AVC denial: -- -type=PROCTITLE msg=audit(3.1.2022 08:48:02.005:393) : proctitle=/usr/bin/wireplumber -type=PATH msg=audit(3.1.2022 08:48:02.005:393) : item=0 name=/run/systemd/machines/ inode=75 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_machined_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=SYSCALL msg=audit(3.1.2022 08:48:02.005:393) : arch=x86_64 syscall=inotify_add_watch success=yes exit=4 a0=0x11 a1=0x7f214c69d052 a2=0x280 a3=0x0 items=1 ppid=1775 pid=2305 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=wireplumber exe=/usr/bin/wireplumber subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(3.1.2022 08:48:02.005:393) : avc: denied { watch } for pid=2305 comm=wireplumber path=/run/systemd/machines dev="tmpfs" ino=75 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_machined_var_run_t:s0 tclass=dir permissive=1 - -Signed-off-by: lujie54 ---- - policy/modules/system/userdomain.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 5643687..573ad14 100644 ---- a/policy/modules/system/userdomain.te -+++ b/policy/modules/system/userdomain.te -@@ -434,6 +434,7 @@ optional_policy(` - optional_policy(` - systemd_login_watch_pid_dirs(login_userdomain) - systemd_login_watch_session_dirs(login_userdomain) -+ systemd_machined_watch_pid_dirs(login_userdomain) - ') - - 
############################################################ --- -1.8.3.1 - diff --git a/backport-Allow-login_userdomain-watch-various-directories.patch b/backport-Allow-login_userdomain-watch-various-directories.patch deleted file mode 100644 index 7418325..0000000 --- a/backport-Allow-login_userdomain-watch-various-directories.patch +++ /dev/null 
@@ -1,133 +0,0 @@ -From 36df7e2855b03c57fd7b3a1ac0d4939fd54a8673 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Fri, 9 Sep 2022 09:33:18 +0200 -Subject: [PATCH] Allow login_userdomain watch various directories - -The inotify_add_watch(2) syscalls are called by plasmashell and some -other processes (chrome, desk-portal, dolphin, kwallet, logout-greeter, systemsettings). - -Addresses the following AVC denials examples: - -type=PROCTITLE msg=audit(17.8.2022 22:14:39.050:315) : proctitle=/usr/bin/plasmashell --no-respawn -type=PATH msg=audit(17.8.2022 22:14:39.050:315) : item=0 name=/ inode=128 dev=fd:00 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=SYSCALL msg=audit(17.8.2022 22:14:39.050:315) : arch=x86_64 syscall=inotify_add_watch success=yes exit=6 a0=0x9 a1=0x559ff6613b98 a2=0x2000fc6 a3=0x559ff663b226 items=1 ppid=1610 pid=1824 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=plasmashell exe=/usr/bin/plasmashell subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(17.8.2022 22:14:39.050:315) : avc: denied { watch } for pid=1824 comm=plasmashell path=/ dev="dm-0" ino=128 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1 - -type=PROCTITLE msg=audit(22.8.2022 18:35:47.341:4615) : proctitle=/usr/bin/dolphin /run/media/username/0893-C004 -type=PATH msg=audit(22.8.2022 18:35:47.341:4615) : item=0 name=/run/media/username/342cbc31-ca2a-4f65-bf60-59f2f3dfdce8 inode=2 dev=08:02 mode=dir,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=SYSCALL msg=audit(22.8.2022 18:35:47.341:4615) : arch=x86_64 syscall=inotify_add_watch success=yes exit=7 a0=0x9 a1=0x55da0ceca788 a2=0x2000fc6 
a3=0x55da0d0e6fd6 items=1 ppid=1610 pid=481970 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=dolphin exe=/usr/bin/dolphin subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(22.8.2022 18:35:47.341:4615) : avc: denied { watch } for pid=481970 comm=dolphin path=/run/media/username/342cbc31-ca2a-4f65-bf60-59f2f3dfdce8 dev="sda2" ino=2 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 - -The rpc_watch_exports() and kernel_watch_unlabeled_dirs() interfaces -were added. - -Signed-off-by: lujie42 ---- - policy/modules/contrib/rpc.if | 19 +++++++++++++++++++ - policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ - policy/modules/system/userdomain.te | 13 +++++++++++++ - 3 files changed, 50 insertions(+) - -diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if -index 0c6410612..b234bca58 100644 ---- a/policy/modules/contrib/rpc.if -+++ b/policy/modules/contrib/rpc.if -@@ -150,6 +150,25 @@ interface(`rpc_manage_exports',` - manage_files_pattern($1, exports_t, exports_t) - ') - -+######################################## -+## -+## Watch nfs file exports -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rpc_watch_exports',` -+ gen_require(` -+ type exports_t; -+ ') -+ -+ files_search_etc($1) -+ allow $1 exports_t:file watch_file_perms; -+') -+ - ######################################## - ## - ## Execute domain in nfsd domain. -diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 8ffd4988f..f669f866c 100644 ---- a/policy/modules/kernel/kernel.if -+++ b/policy/modules/kernel/kernel.if -@@ -2842,6 +2842,24 @@ interface(`kernel_rw_unlabeled_files',` - allow $1 unlabeled_t:file rw_file_perms; - ') - -+######################################## -+## -+## Watch unlabeled directories. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`kernel_watch_unlabeled_dirs',` -+ gen_require(` -+ type unlabeled_t; -+ ') -+ -+ allow $1 unlabeled_t:dir watch_dir_perms; -+') -+ - ######################################## - ## - ## Do not audit attempts by caller to get the -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 5576a97cb..1cf86a09e 100644 ---- a/policy/modules/system/userdomain.te -+++ b/policy/modules/system/userdomain.te -@@ -386,12 +386,19 @@ tunable_policy(`deny_bluetooth',`',` - allow login_userdomain self:bluetooth_socket rw_stream_socket_perms; - ') - -+kernel_watch_unlabeled_dirs(login_userdomain) -+ -+auth_watch_passwd(login_userdomain) -+ -+corecmd_watch_bin_dirs(login_userdomain) -+ - dev_watch_generic_dirs(login_userdomain) - - files_map_var_lib_files(login_userdomain) - files_read_var_lib_symlinks(login_userdomain) - files_watch_etc_dirs(login_userdomain) - files_watch_etc_files(login_userdomain) -+files_watch_root_dirs(login_userdomain) - files_watch_system_conf_dirs(login_userdomain) - files_watch_usr_dirs(login_userdomain) - files_watch_usr_files(login_userdomain) -@@ -441,10 +448,16 @@ optional_policy(` - pkcs_tmpfs_named_filetrans(login_userdomain) - ') - -+optional_policy(` -+ rpc_watch_exports(login_userdomain) -+') -+ -+ - optional_policy(` - systemd_login_watch_pid_dirs(login_userdomain) - systemd_login_watch_session_dirs(login_userdomain) - systemd_machined_watch_pid_dirs(login_userdomain) -+ systemd_resolved_watch_pid_dirs(login_userdomain) - ') - - ############################################################ --- -2.27.0 - diff --git a/backport-Allow-login_userdomain-watch-various-files-and-dirs.patch b/backport-Allow-login_userdomain-watch-various-files-and-dirs.patch deleted file mode 100644 index 3b5801b..0000000 --- a/backport-Allow-login_userdomain-watch-various-files-and-dirs.patch +++ /dev/null 
@@ -1,49 +0,0 @@
-From 0675ab63c83c96dd65d9793c5ff2835253329bba Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Thu, 13 Jan 2022 22:43:33 +0100
-Subject: [PATCH] Allow login_userdomain watch various files and dirs
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/0675ab63c83c96dd65d9793c5ff2835253329bba
-Conflict: NA
-
-Addresses the following AVC denials:
-
-type=PROCTITLE msg=audit(3.1.2022 14:44:22.064:986) : proctitle=/usr/libexec/kscreenlocker_greet --graceTime 75000 --ksldfd 46
-type=PATH msg=audit(3.1.2022 14:44:22.064:986) : item=0 name=/etc/fstab inode=100663543 dev=fd:00 mode=file,664 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=SYSCALL msg=audit(3.1.2022 14:44:22.064:986) : arch=x86_64 syscall=inotify_add_watch success=yes exit=2 a0=0x18 a1=0x56518e638958 a2=0xcc6 a3=0x56518e6392d0 items=1 ppid=1881 pid=45075 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=kscreenlocker_g exe=/usr/libexec/kscreenlocker_greet subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
-type=AVC msg=audit(3.1.2022 14:44:22.064:986) : avc: denied { watch } for pid=45075 comm=kscreenlocker_g path=/etc/fstab dev="dm-0" ino=100663543 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
-
-type=PROCTITLE msg=audit(3.1.2022 14:44:22.064:987) : proctitle=/usr/libexec/kscreenlocker_greet --graceTime 75000 --ksldfd 46
-type=PATH msg=audit(3.1.2022 14:44:22.064:987) : item=0 name=/var/run inode=1 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=SYSCALL msg=audit(3.1.2022 14:44:22.064:987) : arch=x86_64 syscall=inotify_add_watch success=yes exit=1 a0=0x1a a1=0x7f74ecdfae35 a2=0x100 a3=0x0 items=1 ppid=1881 pid=45075 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=kscreenlocker_g exe=/usr/libexec/kscreenlocker_greet subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
-type=AVC msg=audit(3.1.2022 14:44:22.064:987) : avc: denied { watch } for pid=45075 comm=kscreenlocker_g path=/run dev="tmpfs" ino=1 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
-
-type=PROCTITLE msg=audit(3.1.2022 14:44:22.213:989) : proctitle=/usr/libexec/kscreenlocker_greet --graceTime 75000 --ksldfd 46
-type=PATH msg=audit(3.1.2022 14:44:22.213:989) : item=0 name=/usr/share/plasma/desktoptheme/breeze-dark/metadata.desktop inode=1684078 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=SYSCALL msg=audit(3.1.2022 14:44:22.213:989) : arch=x86_64 syscall=inotify_add_watch success=yes exit=5 a0=0xf a1=0x7f74d8001438 a2=0x2000fc6 a3=0x7f74f2f73329 items=1 ppid=1881 pid=45075 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=kscreenlocker_g exe=/usr/libexec/kscreenlocker_greet subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
-type=AVC msg=audit(3.1.2022 14:44:22.213:989) : avc: denied { watch } for pid=45075 comm=kscreenlocker_g path=/usr/share/plasma/desktoptheme/breeze-dark/metadata.desktop dev="dm-0" ino=1684078 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
-
-Signed-off-by: lujie54
----
- policy/modules/system/userdomain.te | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index cc2d309..824af18 100644
---- a/policy/modules/system/userdomain.te
-+++ b/policy/modules/system/userdomain.te
-@@ -387,8 +387,11 @@ tunable_policy(`deny_bluetooth',`',`
- dev_watch_generic_dirs(login_userdomain)
-
- files_watch_etc_dirs(login_userdomain)
-+files_watch_etc_files(login_userdomain)
- files_watch_usr_dirs(login_userdomain)
-+files_watch_usr_files(login_userdomain)
- files_watch_var_lib_dirs(login_userdomain)
-+files_watch_var_run_dirs(login_userdomain)
- files_watch_generic_tmp_dirs(login_userdomain)
-
- fs_create_cgroup_files(login_userdomain)
---
-1.8.3.1
-
diff --git a/backport-Allow-login_userdomain-write-to-boltd-named-pipes.patch b/backport-Allow-login_userdomain-write-to-boltd-named-pipes.patch
deleted file mode 100644
index f186189..0000000
--- a/backport-Allow-login_userdomain-write-to-boltd-named-pipes.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 7d20b237ff092cd615045ff25a3d0c9c741f145d Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 9 Sep 2022 17:22:52 +0200
-Subject: [PATCH] Allow login_userdomain write to boltd named pipes
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(5.9.2022 23:01:30.921:15103) : proctitle=systemd-stdio-bridge -punix:path=/run/user/1000/bus
-type=PATH msg=audit(5.9.2022 23:01:30.921:15103) : item=0 name= inode=32185282 dev=00:08 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=SYSCALL msg=audit(5.9.2022 23:01:30.921:15103) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0x0 a1=0x7f7a005b7093 a2=0x7fff374a7080 a3=0x1000 items=1 ppid=1 pid=1870519 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=10 comm=systemd-stdio-b exe=/usr/bin/systemd-stdio-bridge subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
-type=AVC msg=audit(5.9.2022 23:01:30.921:15103) : avc: denied { getattr } for pid=1870519 comm=systemd-stdio-b path=socket:[32185282] dev="sockfs" ino=32185282 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
-
-Signed-off-by: lujie42
----
- policy/modules/contrib/rpm.if | 2 +-
- policy/modules/system/userdomain.te | 3 +++
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
-index c6833ba7d..ec09e164d 100644
---- a/policy/modules/contrib/rpm.if
-+++ b/policy/modules/contrib/rpm.if
-@@ -993,5 +993,5 @@ interface(`rpm_script_rw_stream_sockets',`
- type rpm_script_t;
- ')
-
-- allow $1 rpm_script_t:unix_stream_socket { read write };
-+ allow $1 rpm_script_t:unix_stream_socket { rw_socket_perms };
- ')
-diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 1cf86a09e..bdccda7ea 100644
---- a/policy/modules/system/userdomain.te
-+++ b/policy/modules/system/userdomain.te
-@@ -452,6 +452,9 @@ optional_policy(`
- rpc_watch_exports(login_userdomain)
- ')
-
-+optional_policy(`
-+ rpm_script_rw_stream_sockets(login_userdomain)
-+')
-
- optional_policy(`
- systemd_login_watch_pid_dirs(login_userdomain)
---
-2.27.0
-
diff --git a/backport-Allow-login_userdomain-write-to-session_dbusd-tmp-so.patch b/backport-Allow-login_userdomain-write-to-session_dbusd-tmp-so.patch
deleted file mode 100644
index cece1c9..0000000
--- a/backport-Allow-login_userdomain-write-to-session_dbusd-tmp-so.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From d0f957291c4282f74b675e476ccd64d074178e7b Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 18 Jan 2022 08:54:45 +0100
-Subject: [PATCH] Allow login_userdomain write to session_dbusd tmp socket
- files
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d0f957291c4282f74b675e476ccd64d074178e7b
-Conflict: NA
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(01/17/2022 18:06:43.240:4086) : proctitle=/usr/lib/systemd/systemd --user
-type=PATH msg=audit(01/17/2022 18:06:43.240:4086) : item=0 name=/proc/self/fd/27 inode=15 dev=00:34 mode=socket,666 ouid=user31979 ogid=user31979 rdev=00:00 obj=staff_u:object_r:session_dbusd_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=CWD msg=audit(01/17/2022 18:06:43.240:4086) : cwd=/
-type=SYSCALL msg=audit(01/17/2022 18:06:43.240:4086) : arch=x86_64 syscall=utimensat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffd627865d0 a2=0x0 a3=0x0 items=1 ppid=1 pid=97102 auid=user31979 uid=user31979 gid=user31979 euid=user31979 suid=user31979 fsuid=user31979 egid=user31979 sgid=user31979 fsgid=user31979 tty=(none) ses=19 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
-type=AVC msg=audit(01/17/2022 18:06:43.240:4086) : avc: denied { write } for pid=97102 comm=systemd name=bus dev="tmpfs" ino=15 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0
-
-Signed-off-by: lujie54
----
- policy/modules/system/userdomain.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 573ad14..33557e4 100644
---- a/policy/modules/system/userdomain.te
-+++ b/policy/modules/system/userdomain.te
-@@ -414,6 +414,7 @@ optional_policy(`
-
- optional_policy(`
- dbus_create_session_tmp_sock_files(login_userdomain)
-+ dbus_write_session_tmp_sock_files(login_userdomain)
- ')
-
- optional_policy(`
---
-1.8.3.1
-
diff --git a/backport-Allow-openvswitch-fsetid-capability.patch b/backport-Allow-openvswitch-fsetid-capability.patch
deleted file mode 100644
index b1aef32..0000000
--- a/backport-Allow-openvswitch-fsetid-capability.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From e7afdeddde3b9bc8419032fe753e404947a5f2e9 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Mon, 8 Aug 2022 16:53:05 +0200
-Subject: [PATCH] Allow openvswitch fsetid capability
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/e7afdeddde3b9bc8419032fe753e404947a5f2e9
-Conflict: NA
-
-Working directories used by openvswitch are handled in
-/usr/share/openvswitch/scripts/ovs-lib using the install command
-with explicit permission mode settings.
-
-Addresses the following AVC denial:
-type=PROCTITLE msg=audit(08/08/2022 10:51:16.059:173) : proctitle=install -d -m 755 -o openvswitch -g hugetlbfs /var/run/openvswitch
-type=PATH msg=audit(08/08/2022 10:51:16.059:173) : item=0 name=(null) inode=972 dev=00:1a mode=dir,700 ouid=openvswitch ogid=hugetlbfs rdev=00:00 obj=system_u:object_r:openvswitch_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=SYSCALL msg=audit(08/08/2022 10:51:16.059:173) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0x3 a1=0755 a2=0x0 a3=0x1000 items=1 ppid=579 pid=660 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=install exe=/usr/bin/install subj=system_u:system_r:openvswitch_t:s0 key=(null)
-type=AVC msg=audit(08/08/2022 10:51:16.059:173) : avc: denied { fsetid } for pid=660 comm=install capability=fsetid scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
-
-Resolves: rhbz#2103487
-Signed-off-by: lujie54
----
- policy/modules/contrib/openvswitch.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
-index 95acc29..ed4a73d 100644
---- a/policy/modules/contrib/openvswitch.te
-+++ b/policy/modules/contrib/openvswitch.te
-@@ -35,7 +35,7 @@ systemd_unit_file(openvswitch_unit_file_t)
- # openvswitch local policy
- #
-
--allow openvswitch_t self:capability { dac_override dac_read_search fowner net_broadcast net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
-+allow openvswitch_t self:capability { dac_override dac_read_search fowner fsetid net_broadcast net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
- allow openvswitch_t self:capability2 block_suspend;
- allow openvswitch_t self:process { fork setsched setrlimit signal setcap };
- allow openvswitch_t self:fifo_file rw_fifo_file_perms;
---
-1.8.3.1
-
diff --git a/backport-Allow-openvswitch-search-tracefs-dirs.patch b/backport-Allow-openvswitch-search-tracefs-dirs.patch
deleted file mode 100644
index b5cfe3a..0000000
--- a/backport-Allow-openvswitch-search-tracefs-dirs.patch
+++ /dev/null
@@ -1,68 +0,0 @@ -From bae18addf147f786b24a7d2fabdaf50629bf2565 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 8 Aug 2022 13:13:35 +0200 -Subject: [PATCH] Allow openvswitch search tracefs dirs - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/bae18addf147f786b24a7d2fabdaf50629bf2565 -Conflict: NA - -Addresses the following AVC denial: - -type=PROCTITLE msg=audit(08/08/2022 05:46:18.724:169) : proctitle=modprobe openvswitch -type=KERN_MODULE msg=audit(08/08/2022 05:46:18.724:169) : name=openvswitch -type=SYSCALL msg=audit(08/08/2022 05:46:18.724:169) : arch=x86_64 syscall=init_module success=yes exit=0 a0=0x5630bbc2d8a0 a1=0xbde36 a2=0x5630b96f9cd2 a3=0x5 items=0 ppid=676 pid=680 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:openvswitch_t:s0 key=(null) -type=AVC msg=audit(08/08/2022 05:46:18.724:169) : avc: denied { search } for pid=680 comm=modprobe name=events dev="tracefs" ino=69 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0 - -The fs_search_tracefs_dirs() interface was added. 
- -Resolves: rhbz#2103487 -Signed-off-by: lujie54 ---- - policy/modules/contrib/openvswitch.te | 1 + - policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++ - 2 files changed, 19 insertions(+) - -diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te -index 3092492..9ed1587 100644 ---- a/policy/modules/contrib/openvswitch.te -+++ b/policy/modules/contrib/openvswitch.te -@@ -109,6 +109,7 @@ fs_getattr_all_fs(openvswitch_t) - fs_search_cgroup_dirs(openvswitch_t) - fs_manage_hugetlbfs_files(openvswitch_t) - fs_manage_hugetlbfs_dirs(openvswitch_t) -+fs_search_tracefs_dirs(openvswitch_t) - - auth_use_nsswitch(openvswitch_t) - -diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 90b8393..34de37d 100644 ---- a/policy/modules/kernel/filesystem.if -+++ b/policy/modules/kernel/filesystem.if -@@ -6924,6 +6924,24 @@ interface(`fs_rw_onload_sockets',` - - ######################################## - ## -+## Search tracefs_t directories -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_search_tracefs_dirs',` -+ gen_require(` -+ type tracefs_t; -+ ') -+ -+ search_dirs_pattern($1, tracefs_t, tracefs_t) -+') -+ -+######################################## -+## - ## Read and write tracefs_t files - ## - ## --- -1.8.3.1 - diff --git a/backport-Allow-openvswitch-use-its-private-tmpfs-files-and-di.patch b/backport-Allow-openvswitch-use-its-private-tmpfs-files-and-di.patch deleted file mode 100644 index 7ab1664..0000000 --- a/backport-Allow-openvswitch-use-its-private-tmpfs-files-and-di.patch +++ /dev/null 
@@ -1,44 +0,0 @@
-From 33b66b726be702dd0cdc26521381d7ba33e2bf84 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Mon, 8 Aug 2022 16:52:19 +0200
-Subject: [PATCH] Allow openvswitch use its private tmpfs files and dirs
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/33b66b726be702dd0cdc26521381d7ba33e2bf84
-Conflict: NA
-
-Addresses the following AVC denial:
-Jul 29 19:58:32.669000 localhost audit[985]: AVC avc: denied { write } for pid=985 comm="ovsdb-server" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-Resolves: rhbz#1988164
-Signed-off-by: lujie54
----
- policy/modules/contrib/openvswitch.te | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
-index 9ed1587..95acc29 100644
---- a/policy/modules/contrib/openvswitch.te
-+++ b/policy/modules/contrib/openvswitch.te
-@@ -21,6 +21,9 @@ logging_log_file(openvswitch_log_t)
- type openvswitch_tmp_t;
- files_tmp_file(openvswitch_tmp_t)
-
-+type openvswitch_tmpfs_t;
-+files_tmpfs_file(openvswitch_tmpfs_t)
-+
- type openvswitch_var_run_t;
- files_pid_file(openvswitch_var_run_t)
-
-@@ -68,6 +71,9 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
- manage_sock_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
- files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir sock_file })
-
-+manage_dirs_pattern(openvswitch_t, openvswitch_tmpfs_t, openvswitch_tmpfs_t)
-+fs_tmpfs_filetrans(openvswitch_t, openvswitch_tmpfs_t, dir)
-+
- manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
- manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
- manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
---
-1.8.3.1
-
diff --git a/backport-Allow-pcp-pmcd-search-tracefs-and-acct_data-dirs.patch b/backport-Allow-pcp-pmcd-search-tracefs-and-acct_data-dirs.patch
deleted file mode 100644
index 54e8077..0000000
--- a/backport-Allow-pcp-pmcd-search-tracefs-and-acct_data-dirs.patch
+++ /dev/null
@@ -1,77 +0,0 @@ -From b821da04f48bfc97b4e214df7e17326df0c5ed7a Mon Sep 17 00:00:00 2001 -From: Nikola Knazekova -Date: Tue, 6 Sep 2022 15:19:59 +0200 -Subject: [PATCH] Allow pcp pmcd search tracefs and acct_data dirs - -Allow Performance Metrics Domain Agent (PMDA) search accesses on the directory /sys/kernel/tracing. -Addresses the following AVC denial: -type=AVC msg=audit(1642589553.515:244): avc: denied { search } for pid=2039 comm="pmdakvm" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0 -Resolves: bz#2041845 - -Allow pmdaproc search accesses on the directory /var/account. -Add interface to allow search process accounting data. -Addresses the following AVC denial: -type=AVC msg=audit(1642589553.499:243): avc: denied { search } for pid=2036 comm="pmdaproc" name="account" dev="sdf1" ino=9175045 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:acct_data_t:s0 tclass=dir permissive=0 -Resolves: bz#2041843 - -Signed-off-by: lujie42 ---- - policy/modules/contrib/acct.if | 18 ++++++++++++++++++ - policy/modules/contrib/pcp.te | 5 +++++ - 2 files changed, 23 insertions(+) - -diff --git a/policy/modules/contrib/acct.if b/policy/modules/contrib/acct.if -index bc4038b45..86dcc1d5f 100644 ---- a/policy/modules/contrib/acct.if -+++ b/policy/modules/contrib/acct.if -@@ -60,6 +60,24 @@ interface(`acct_exec_data',` - can_exec($1, acct_data_t) - ') - -+######################################## -+## -+## Search process accounting data. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`acct_search_data',` -+ gen_require(` -+ type acct_data_t; -+ ') -+ -+ search_dirs_pattern($1, acct_data_t, acct_data_t) -+') -+ - ######################################## - ## - ## Create, read, write, and delete -diff --git a/policy/modules/contrib/pcp.te b/policy/modules/contrib/pcp.te -index 66200d46f..920456afc 100644 ---- a/policy/modules/contrib/pcp.te -+++ b/policy/modules/contrib/pcp.te -@@ -146,6 +146,7 @@ fs_getattr_all_dirs(pcp_pmcd_t) - fs_list_cgroup_dirs(pcp_pmcd_t) - fs_read_cgroup_files(pcp_pmcd_t) - fs_read_nfsd_files(pcp_pmcd_t) -+fs_search_tracefs_dirs(pcp_pmcd_t) - - init_read_utmp(pcp_pmcd_t) - -@@ -159,6 +160,10 @@ storage_raw_read_fixed_disk(pcp_pmcd_t) - userdom_read_user_tmp_files(pcp_pmcd_t) - userdom_manage_unpriv_user_semaphores(pcp_pmcd_t) - -+optional_policy(` -+ acct_search_data(pcp_pmcd_t) -+') -+ - optional_policy(` - cron_read_pid_files(pcp_pmcd_t) - ') --- -2.27.0 - diff --git a/backport-Allow-pcscd-the-sys_ptrace-userns-capability.patch b/backport-Allow-pcscd-the-sys_ptrace-userns-capability.patch deleted file mode 100644 index 8e3ebb5..0000000 --- a/backport-Allow-pcscd-the-sys_ptrace-userns-capability.patch +++ /dev/null 
@@ -1,29 +0,0 @@
-From dd7761e72c40b6d826a760ea9167ca17dec8c546 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 8 Apr 2022 14:10:08 +0200
-Subject: [PATCH] Allow pcscd the sys_ptrace userns capability
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/dd7761e72c40b6d826a760ea9167ca17dec8c546
-Conflict: NA
-
-Resolves: rhbz#2073169
-Signed-off-by: lujie54
----
- policy/modules/contrib/pcscd.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
-index 1fdd845..d0d83da 100644
---- a/policy/modules/contrib/pcscd.te
-+++ b/policy/modules/contrib/pcscd.te
-@@ -24,6 +24,7 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
- allow pcscd_t self:capability { dac_read_search fsetid };
- dontaudit pcscd_t self:capability { sys_admin };
- allow pcscd_t self:capability2 { wake_alarm };
-+allow pcscd_t self:cap_userns sys_ptrace;
- allow pcscd_t self:process { signal signull };
- dontaudit pcscd_t self:process setsched;
- allow pcscd_t self:fifo_file rw_fifo_file_perms;
---
-1.8.3.1
-
diff --git a/backport-Allow-pmdalinux-read-files-on-an-nfsd-filesystem.patch b/backport-Allow-pmdalinux-read-files-on-an-nfsd-filesystem.patch
deleted file mode 100644
index 11b8049..0000000
--- a/backport-Allow-pmdalinux-read-files-on-an-nfsd-filesystem.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 57b29111318880eb60e2fed57b7117e87b6ece24 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Mon, 8 Aug 2022 17:46:46 +0200
-Subject: [PATCH] Allow pmdalinux read files on an nfsd filesystem
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/57b29111318880eb60e2fed57b7117e87b6ece24
-Conflict: NA
-
-Addresses the following AVC denial:
-type=AVC msg=audit(1659885488.520:327): avc: denied { search } for pid=1394 comm="pmdalinux" name="/" dev="nfsd" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=1
-
-Resolves: rhbz#2116153
-Signed-off-by: lujie54
----
- policy/modules/contrib/pcp.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/pcp.te b/policy/modules/contrib/pcp.te
-index c10717d..66200d4 100644
---- a/policy/modules/contrib/pcp.te
-+++ b/policy/modules/contrib/pcp.te
-@@ -145,6 +145,7 @@ fs_getattr_all_fs(pcp_pmcd_t)
- fs_getattr_all_dirs(pcp_pmcd_t)
- fs_list_cgroup_dirs(pcp_pmcd_t)
- fs_read_cgroup_files(pcp_pmcd_t)
-+fs_read_nfsd_files(pcp_pmcd_t)
-
- init_read_utmp(pcp_pmcd_t)
-
---
-1.8.3.1
-
diff --git a/backport-Allow-pmie-read-network-state-information-and-networ.patch b/backport-Allow-pmie-read-network-state-information-and-networ.patch
deleted file mode 100644
index fc3f10f..0000000
--- a/backport-Allow-pmie-read-network-state-information-and-networ.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 3b46ee3ddbcc41a754d824bc4411a8c022e17390 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 2 Aug 2022 16:45:44 +0200
-Subject: [PATCH] Allow pmie read network state information and network sysctls
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3b46ee3ddbcc41a754d824bc4411a8c022e17390
-Conflict: NA
-
-Addresses the following AVC denial:
-type=PROCTITLE msg=audit(08/02/2022 11:34:16.597:12831) : proctitle=/usr/bin/pmie -b -F -P -l /var/log/pcp/pmie/ip-172-31-24-64.us-east-2.compute.internal/pmie.log -c config.default
-type=PATH msg=audit(08/02/2022 11:34:16.597:12831) : item=0 name=/proc/net/if_inet6 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=SYSCALL msg=audit(08/02/2022 11:34:16.597:12831) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7f4aa35486d5 a1=F_OK a2=0x0 a3=0x8 items=1 ppid=1 pid=284086 auid=unset uid=pcp gid=pcp euid=pcp suid=pcp fsuid=pcp egid=pcp sgid=pcp fsgid=pcp tty=(none) ses=unset comm=pmie exe=/usr/bin/pmie subj=system_u:system_r:pcp_pmie_t:s0 key=(null)
-type=AVC msg=audit(08/02/2022 11:34:16.597:12831) : avc: denied { read } for pid=284086 comm=pmie name=net dev="proc" ino=4026531845 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=0
-
-Signed-off-by: lujie54
----
- policy/modules/contrib/pcp.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/contrib/pcp.te b/policy/modules/contrib/pcp.te
-index f1c2804..c10717d 100644
---- a/policy/modules/contrib/pcp.te
-+++ b/policy/modules/contrib/pcp.te
-@@ -230,6 +230,8 @@ allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
-
- allow pcp_pmie_t pcp_pmcd_t:process signal;
-
-+kernel_read_net_sysctls(pcp_pmie_t)
-+kernel_read_network_state(pcp_pmie_t)
- kernel_read_system_state(pcp_pmie_t)
- kernel_dontaudit_request_load_module(pcp_pmie_t)
-
---
-1.8.3.1
-
diff --git a/backport-Allow-pppd-create-a-file-in-the-locks-directory.patch b/backport-Allow-pppd-create-a-file-in-the-locks-directory.patch
deleted file mode 100644
index 172ec74..0000000
--- a/backport-Allow-pppd-create-a-file-in-the-locks-directory.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 699f4dcf2a9b39a02427bd859c91c625e11998a6 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 8 Apr 2022 15:50:13 +0200
-Subject: [PATCH] Allow pppd create a file in the locks directory
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/699f4dcf2a9b39a02427bd859c91c625e11998a6
-Conflict: NA
-
-So far, a rule for creating a private lock dir was defined in the
-policy. Since this commit there is also a rule for a plain file.
-
-Resolves: rhbz#2022902
-Signed-off-by: lujie54
----
- policy/modules/contrib/ppp.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
-index c2da84b..9b08134 100644
---- a/policy/modules/contrib/ppp.te
-+++ b/policy/modules/contrib/ppp.te
-@@ -106,7 +106,7 @@ manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
- filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
-
- manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)
--files_lock_filetrans(pppd_t, pppd_lock_t, dir)
-+files_lock_filetrans(pppd_t, pppd_lock_t, { dir file })
- files_search_locks(pppd_t)
-
- manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)
---
-1.8.3.1
-
diff --git a/backport-Allow-redis-get-attributes-of-filesystems-with-exten.patch b/backport-Allow-redis-get-attributes-of-filesystems-with-exten.patch
deleted file mode 100644
index 7b4e21d..0000000
--- a/backport-Allow-redis-get-attributes-of-filesystems-with-exten.patch
+++ /dev/null
@@ -1,29 +0,0 @@ -From dbb20e7f9fb98fc322d925b66da0abc7258957cf Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Tue, 9 Nov 2021 18:35:11 +0100 -Subject: [PATCH] Allow redis get attributes of filesystems with extended - attributes - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/dbb20e7f9fb98fc322d925b66da0abc7258957cf -Conflict: NA - -Signed-off-by: lujie54 ---- - policy/modules/contrib/redis.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te -index 093f28d..fb6a3dc 100644 ---- a/policy/modules/contrib/redis.te -+++ b/policy/modules/contrib/redis.te -@@ -99,6 +99,7 @@ tunable_policy(`redis_enable_notify',` - corecmd_exec_shell(redis_t) - - fs_getattr_tmpfs(redis_t) -+ fs_getattr_xattr_fs(redis_t) - ') - - optional_policy(` --- -1.8.3.1 - diff --git a/backport-Allow-rhsmcertd-get-attributes-of-tmpfs_t-filesystem.patch b/backport-Allow-rhsmcertd-get-attributes-of-tmpfs_t-filesystem.patch deleted file mode 100644 index c064187..0000000 --- a/backport-Allow-rhsmcertd-get-attributes-of-tmpfs_t-filesystem.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From 174740ce047312bb8e3ca19b3ee95766f0dc55b4 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Tue, 7 Dec 2021 15:17:15 +0100 -Subject: [PATCH] Allow rhsmcertd get attributes of tmpfs_t filesystems - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/174740ce047312bb8e3ca19b3ee95766f0dc55b4 -Conflict: NA - -Resolves: rhbz#2015820 -Signed-off-by: lujie54 ---- - policy/modules/contrib/rhsmcertd.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/rhsmcertd.te b/policy/modules/contrib/rhsmcertd.te -index abd3227..7ebff7b 100644 ---- a/policy/modules/contrib/rhsmcertd.te -+++ b/policy/modules/contrib/rhsmcertd.te -@@ -101,6 +101,7 @@ files_create_boot_flag(rhsmcertd_t) - files_dontaudit_write_all_mountpoints(rhsmcertd_t) - - fs_dontaudit_write_configfs_dirs(rhsmcertd_t) -+fs_getattr_tmpfs(rhsmcertd_t) - fs_read_xenfs_files(rhsmcertd_t) - - auth_map_passwd(rhsmcertd_t) --- -1.8.3.1 - diff --git a/backport-Allow-rngd-drop-privileges-via-setuid-setgid-setcap.patch b/backport-Allow-rngd-drop-privileges-via-setuid-setgid-setcap.patch deleted file mode 100644 index 064cee2..0000000 --- a/backport-Allow-rngd-drop-privileges-via-setuid-setgid-setcap.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 62d5fd70550ba0f6564c5240c369c421b1415eb9 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 3 Mar 2022 16:57:41 +0100 -Subject: [PATCH] Allow rngd drop privileges via setuid/setgid/setcap - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/62d5fd70550ba0f6564c5240c369c421b1415eb9 -Conflict: NA - -The rngd service starts as root to be able to access some resources -like /dev/hwrng, then it drops capabilities and changes ruid/euid/suid -and rgid/egid/sgid. - -Resolves: rhbz#2058914 -Signed-off-by: lujie54 ---- - policy/modules/contrib/rngd.te | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te -index 316d210..ca8c996 100644 ---- a/policy/modules/contrib/rngd.te -+++ b/policy/modules/contrib/rngd.te -@@ -30,8 +30,8 @@ files_pid_file(rngd_var_run_t) - # Local policy - # - --allow rngd_t self:capability { ipc_lock sys_admin }; --allow rngd_t self:process { setsched signal }; -+allow rngd_t self:capability { ipc_lock setgid setuid sys_admin }; -+allow rngd_t self:process { setcap setsched signal }; - allow rngd_t self:fifo_file rw_fifo_file_perms; - allow rngd_t self:netlink_kobject_uevent_socket create_socket_perms; - allow rngd_t self:unix_stream_socket { accept listen }; --- -1.8.3.1 - diff --git a/backport-Allow-rpmdb-create-directory-in-usr-lib-sysimage.patch b/backport-Allow-rpmdb-create-directory-in-usr-lib-sysimage.patch deleted file mode 100644 index e147d8e..0000000 --- a/backport-Allow-rpmdb-create-directory-in-usr-lib-sysimage.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From d99577b16e8be3de46528fa81133efd2dd40b7c5 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 14 Mar 2022 12:51:49 +0100 -Subject: [PATCH] Allow rpmdb create directory in /usr/lib/sysimage - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d99577b16e8be3de46528fa81133efd2dd40b7c5 -Conflict: NA - -With the 5f69c12c67d (Support /usr/lib/sysimage/rpm as the rpmdb path) -commit, the policy supports relocation of the rpmdb path to -/usr/lib/sysimage/rpm. The rpm-rebuilddb command needs to have a file -transition defined for the new path, too, which also needs to be without -a directory name as the new directory is created as -/usr/lib/sysimage/rpmrebuilddb.PID. - -Resolves: rhbz#2061141 -Signed-off-by: lujie54 ---- - policy/modules/contrib/rpm.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te -index b09dfe1..247f1fa 100644 ---- a/policy/modules/contrib/rpm.te -+++ b/policy/modules/contrib/rpm.te -@@ -265,6 +265,7 @@ allow rpmdb_t rpmdb_tmp_t:file map; - - manage_dirs_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t) - manage_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t) -+files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir) - files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir) - - manage_dirs_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t) --- -1.8.3.1 - diff --git a/backport-Allow-rpmdb-read-admin-home-config-files.patch b/backport-Allow-rpmdb-read-admin-home-config-files.patch deleted file mode 100644 index 80a1d6c..0000000 --- a/backport-Allow-rpmdb-read-admin-home-config-files.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From f402b06808835ad1a8aa393739efff1e40eaf8e8 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Tue, 16 Nov 2021 22:37:25 +0100 -Subject: [PATCH] Allow rpmdb read admin home config files - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/f402b06808835ad1a8aa393739efff1e40eaf8e8 -Conflict: NA - -Addresses the following AVC denial: -type=PROCTITLE msg=audit(11/16/2021 16:31:45.105:1455) : proctitle=/usr/bin/rpmdb --rebuilddb -type=PATH msg=audit(11/16/2021 16:31:45.105:1455) : item=0 name=/root/.rpmmacros inode=110039 dev=00:1f mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=CWD msg=audit(11/16/2021 16:31:45.105:1455) : cwd=/root -type=SYSCALL msg=audit(11/16/2021 16:31:45.105:1455) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x560b2126e2a0 a2=O_RDONLY a3=0x0 items=1 ppid=40819 pid=59445 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=20 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(11/16/2021 16:31:45.105:1455) : avc: denied { open } for pid=59445 comm=rpmdb path=/root/.rpmmacros dev="sda2" ino=110039 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1 - -Resolves: rhbz#2023163 -Signed-off-by: lujie54 ---- - policy/modules/contrib/rpm.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te -index 9d2f4e6..f01d07c 100644 ---- a/policy/modules/contrib/rpm.te -+++ b/policy/modules/contrib/rpm.te -@@ -279,6 +279,10 @@ files_rw_inherited_non_security_files(rpmdb_t) - - sysnet_dontaudit_read_config(rpmdb_t) - -+optional_policy(` -+ userdom_read_admin_home_files(rpmdb_t) -+') -+ - ######################################## - # - # 
rpm-script Local policy --- -1.8.3.1 - diff --git a/backport-Allow-rpmdb-read-generic-SSL-certificates.patch b/backport-Allow-rpmdb-read-generic-SSL-certificates.patch deleted file mode 100644 index b4f040e..0000000 --- a/backport-Allow-rpmdb-read-generic-SSL-certificates.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From c1d7b1ba04a91894032b88bec9d9e76b27678a3d Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Tue, 16 Nov 2021 22:42:02 +0100 -Subject: [PATCH] Allow rpmdb read generic SSL certificates - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/c1d7b1ba04a91894032b88bec9d9e76b27678a3d -Conflict: NA - -Addresses the following AVC denials: -type=PROCTITLE msg=audit(11/16/2021 16:29:00.780:1008) : proctitle=/usr/bin/rpmdb --rebuilddb -type=PATH msg=audit(11/16/2021 16:29:00.780:1008) : item=0 name=/etc/pki/tls/openssl.cnf inode=145355 dev=fc:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cert_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=CWD msg=audit(11/16/2021 16:29:00.780:1008) : cwd=/mnt/testarea/test -type=SYSCALL msg=audit(11/16/2021 16:29:00.780:1008) : arch=x86_64 syscall=openat success=yes exit=10 a0=0xffffff9c a1=0x5579d5c35320 a2=O_RDONLY a3=0x0 items=1 ppid=1344 pid=4427 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(11/16/2021 16:29:00.780:1008) : avc: denied { open } for pid=4427 comm=rpmdb path=/etc/pki/tls/openssl.cnf dev="vda1" ino=145355 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 -type=AVC msg=audit(11/16/2021 16:29:00.780:1008) : avc: denied { search } for pid=4427 comm=rpmdb name=pki dev="vda1" ino=136481 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1 - -Signed-off-by: lujie54 ---- - policy/modules/contrib/rpm.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te -index f01d07c..0866d95 100644 ---- a/policy/modules/contrib/rpm.te -+++ b/policy/modules/contrib/rpm.te -@@ 
-280,6 +280,10 @@ files_rw_inherited_non_security_files(rpmdb_t) - sysnet_dontaudit_read_config(rpmdb_t) - - optional_policy(` -+ miscfiles_read_generic_certs(rpmdb_t) -+') -+ -+optional_policy(` - userdom_read_admin_home_files(rpmdb_t) - ') - --- -1.8.3.1 - diff --git a/backport-Allow-sanlock-get-attributes-of-filesystems-with-ext.patch b/backport-Allow-sanlock-get-attributes-of-filesystems-with-ext.patch deleted file mode 100644 index bef1ace..0000000 --- a/backport-Allow-sanlock-get-attributes-of-filesystems-with-ext.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 5269978ad17fff8988f94a2327fa750e5d70c14d Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Wed, 2 Feb 2022 11:29:39 +0100 -Subject: [PATCH] Allow sanlock get attributes of filesystems with extended - attributes - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/5269978ad17fff8988f94a2327fa750e5d70c14d -Conflict: NA - -Addresses the following AVC denial: -type=PROCTITLE msg=audit(01/28/2022 09:41:01.094:1832) : proctitle=/usr/sbin/sanlock daemon -type=AVC msg=audit(01/28/2022 09:41:01.094:1832) : avc: denied { getattr } for pid=37165 comm=sanlock name=/ dev="dm-3" ino=128 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0 -type=SYSCALL msg=audit(01/28/2022 09:41:01.094:1832) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x7fdade30b49d a1=0x7ffeeeb41a70 a2=0x49 a3=0x1000 items=0 ppid=1 pid=37165 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) - -Resolves: rhbz#2047811 -Signed-off-by: lujie54 ---- - policy/modules/contrib/sanlock.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/sanlock.te b/policy/modules/contrib/sanlock.te -index 04bd655..914062b 100644 ---- a/policy/modules/contrib/sanlock.te -+++ b/policy/modules/contrib/sanlock.te -@@ -96,6 +96,7 @@ domain_use_interactive_fds(sanlock_t) - files_read_mnt_symlinks(sanlock_t) - - fs_getattr_cgroup(sanlock_t) -+fs_getattr_xattr_fs(sanlock_t) - fs_rw_cephfs_files(sanlock_t) - - storage_raw_rw_fixed_disk(sanlock_t) --- -1.8.3.1 - diff --git a/backport-Allow-services-execute-systemd-notify.patch b/backport-Allow-services-execute-systemd-notify.patch deleted file mode 100644 index 0d42e65..0000000 --- a/backport-Allow-services-execute-systemd-notify.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From 051d2d7821542cb9dd4555f97a684c28a1861d1a Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Tue, 9 Aug 2022 15:25:45 +0200 -Subject: [PATCH] Allow services execute systemd-notify - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/051d2d7821542cb9dd4555f97a684c28a1861d1a -Conflict: NA - -With the ea76c5e8b58 ("Allow some domains use sd_notify()") commit, -daemon and unconfined_service_t were allowed permissions required -to use the sd_notify() API. This commit allows to the same callers -the permissions to execute systemd-notify in the caller domain. - -Aug 02 13:10:18 hostname audit[956]: AVC avc: denied { execute_no_trans } for pid=956 comm="launch-xenstore" path="/usr/bin/systemd-notify" dev="sda4" ino=4200844 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1 - -Resolves: rhbz#2114498 -Signed-off-by: lujie54 ---- - policy/modules/system/init.te | 1 + - policy/modules/system/systemd.if | 18 ++++++++++++++++++ - policy/modules/system/unconfined.te | 4 ++++ - 3 files changed, 23 insertions(+) - -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index e4bc96f..33052c6 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -1955,6 +1955,7 @@ allow initrc_domain systemprocess:process transition; - optional_policy(` - systemd_getattr_unit_dirs(daemon) - systemd_getattr_unit_dirs(systemprocess) -+ systemd_exec_notify(daemon) - ') - - optional_policy(` -diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index 51b966a..61f5476 100644 ---- a/policy/modules/system/systemd.if -+++ b/policy/modules/system/systemd.if -@@ -998,6 +998,24 @@ interface(`systemd_timedated_manage_lib_dirs',` - - ######################################## - ## -+## Execute systemd-notify in the caller domain -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`systemd_exec_notify',` -+ gen_require(` -+ type systemd_notify_exec_t; -+ ') -+ -+ can_exec($1, systemd_notify_exec_t) -+') -+ -+######################################## -+## - ## Execute a domain transition to run systemd_notify. - ## - ## -diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index 4da1290..e6f86cf 100644 ---- a/policy/modules/system/unconfined.te -+++ b/policy/modules/system/unconfined.te -@@ -35,6 +35,10 @@ optional_policy(` - ') - - optional_policy(` -+ systemd_exec_notify(unconfined_service_t) -+') -+ -+optional_policy(` - virt_transition_svirt(unconfined_service_t, system_r) - ') - --- -1.8.3.1 - diff --git a/backport-Allow-smbcontrol-read-the-network-state-information.patch b/backport-Allow-smbcontrol-read-the-network-state-information.patch deleted file mode 100644 index 3e7b13a..0000000 --- a/backport-Allow-smbcontrol-read-the-network-state-information.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 72bf03e76b3dd93ee4d29b573574cc394c74220b Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Fri, 7 Jan 2022 18:24:37 +0100 -Subject: [PATCH] Allow smbcontrol read the network state information - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/72bf03e76b3dd93ee4d29b573574cc394c74220b -Conflict: NA - -Addresses the following AVC denial: - -type=PROCTITLE msg=audit(12/15/2021 14:56:51.308:2289) : proctitle=smbcontrol winbind ping -type=AVC msg=audit(12/15/2021 14:56:51.308:2289) : avc: denied { read } for pid=39355 comm=smbcontrol name=unix dev="proc" ino=4026532055 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0 -type=SYSCALL msg=audit(12/15/2021 14:56:51.308:2289) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7fffd5d76250 a1=R_OK a2=0x8 a3=0x562d2bf87764 items=0 ppid=36929 pid=39355 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=9 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null) - -Resolves: rhbz#2038157 -Signed-off-by: lujie54 ---- - policy/modules/contrib/samba.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te -index cb89bcf..daf5349 100644 ---- a/policy/modules/contrib/samba.te -+++ b/policy/modules/contrib/samba.te -@@ -743,6 +743,8 @@ samba_read_config(smbcontrol_t) - samba_search_var(smbcontrol_t) - samba_read_winbind_pid(smbcontrol_t) - -+kernel_read_network_state(smbcontrol_t) -+ - domain_use_interactive_fds(smbcontrol_t) - - dev_read_urand(smbcontrol_t) --- -1.8.3.1 - diff --git a/backport-Allow-smbcontrol-use-additional-socket-types.patch b/backport-Allow-smbcontrol-use-additional-socket-types.patch deleted file mode 100644 index 892ebb3..0000000 
--- a/backport-Allow-smbcontrol-use-additional-socket-types.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 0269eebb529eef5288b4b6dd1c62604dbd230230 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Tue, 23 Nov 2021 14:32:54 +0100 -Subject: [PATCH] Allow smbcontrol use additional socket types - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/0269eebb529eef5288b4b6dd1c62604dbd230230 -Conflict: NA - -In order to set debug level, smbcontrol was allowed to: -- create and use udp socket -- create and use netlink route sockets, read route configuration state - -AVC denials example: - -type=PROCTITLE msg=audit(11/23/2021 08:19:05.790:553) : proctitle=smbcontrol all debug 100 -type=SYSCALL msg=audit(11/23/2021 08:19:05.790:553) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=ip a3=0x7fbb520a88b8 items=0 ppid=1060 pid=2372 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(11/23/2021 08:19:05.790:553) : avc: denied { create } for pid=2372 comm=smbcontrol scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=netlink_route_socket permissive=0 - -Resolves: rhbz#2025931 -Signed-off-by: lujie54 ---- - policy/modules/contrib/samba.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te -index 72322f5..cb89bcf 100644 ---- a/policy/modules/contrib/samba.te -+++ b/policy/modules/contrib/samba.te -@@ -718,6 +718,8 @@ allow smbcontrol_t self:capability2 block_suspend; - allow smbcontrol_t self:process { signal signull }; - # internal communication is often done using fifo and unix sockets. 
- allow smbcontrol_t self:fifo_file rw_file_perms; -+allow smbcontrol_t self:netlink_route_socket r_netlink_socket_perms; -+allow smbcontrol_t self:udp_socket create_socket_perms; - allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; - allow smbcontrol_t self:unix_dgram_socket create_socket_perms; - --- -1.8.3.1 - diff --git a/backport-Allow-some-domains-use-sd_notify.patch b/backport-Allow-some-domains-use-sd_notify.patch deleted file mode 100644 index 0d1ad4d..0000000 --- a/backport-Allow-some-domains-use-sd_notify.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From 033c1ffb7c25c218f35ac5053d7f3a482c7df6af Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 14 Jul 2022 10:30:12 +0200 -Subject: [PATCH] Allow some domains use sd_notify() - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/033c1ffb7c25c218f35ac5053d7f3a482c7df6af -Conflict: NA - -sd_notify() and a few similar systemd library functions may be called by -a service to notify the service manager about state changes. It can be -used to send arbitrary information. Most importantly, it can be used for -start-up completion notification. - -With this commit, all types in the daemon and login_userdomain -attributes and unconfined_service_t can connect to init (PID 1) and -init can write back to the fifo_file created by the domain. - -Resolves: rhbz#1903305 -Signed-off-by: lujie54 ---- - policy/modules/system/init.if | 21 +++++++++++++++++++++ - policy/modules/system/init.te | 2 ++ - policy/modules/system/unconfined.te | 2 ++ - policy/modules/system/userdomain.te | 2 ++ - 4 files changed, 27 insertions(+) - -diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 4b3bb59..c07649b 100644 ---- a/policy/modules/system/init.if -+++ b/policy/modules/system/init.if -@@ -3000,6 +3000,27 @@ interface(`init_rw_tcp_sockets',` - allow $1 init_t:tcp_socket { read write getattr }; - ') - -+####################################### -+## -+## Use sd_notify -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`init_use_notify',` -+ gen_require(` -+ type init_t, init_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t) -+ allow $1 init_var_run_t:sock_file read_sock_file_perms; -+ allow init_t $1:fifo_file write_fifo_file_perms; -+') -+ - ######################################## - ## - ## Get the system status information from init -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 073ce2c..e4bc96f 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -1335,6 +1335,8 @@ ifdef(`distro_suse',` - - domain_dontaudit_use_interactive_fds(daemon) - -+init_use_notify(daemon) -+ - userdom_dontaudit_list_admin_dir(daemon) - userdom_dontaudit_search_user_tmp(daemon) - -diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te -index ed03aad..4da1290 100644 ---- a/policy/modules/system/unconfined.te -+++ b/policy/modules/system/unconfined.te -@@ -20,6 +20,8 @@ role unconfined_r types unconfined_service_t; - corecmd_bin_entry_type(unconfined_service_t) - corecmd_shell_entry_type(unconfined_service_t) - -+init_use_notify(unconfined_service_t) -+ - optional_policy(` - rpm_transition_script(unconfined_service_t, system_r) - ') -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 3ac8c12..0980247 100644 ---- a/policy/modules/system/userdomain.te -+++ b/policy/modules/system/userdomain.te -@@ -400,6 +400,8 @@ files_watch_generic_tmp_dirs(login_userdomain) - fs_create_cgroup_files(login_userdomain) - fs_watch_cgroup_files(login_userdomain) - -+init_use_notify(login_userdomain) -+ - libs_watch_lib_dirs(login_userdomain) - - miscfiles_watch_fonts_dirs(login_userdomain) --- -1.8.3.1 - diff --git a/backport-Allow-sosreport-dbus-chat-abrt-systemd-timedatex.patch b/backport-Allow-sosreport-dbus-chat-abrt-systemd-timedatex.patch deleted file mode 100644 index 4fc7295..0000000 
--- a/backport-Allow-sosreport-dbus-chat-abrt-systemd-timedatex.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -From 37dbb1e7b5944a1cceb2009f8bbb4897150fd1ef Mon Sep 17 00:00:00 2001 -From: Nikola Knazekova -Date: Tue, 22 Feb 2022 09:48:33 +0100 -Subject: [PATCH] Allow sosreport dbus chat abrt systemd timedatex - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/37dbb1e7b5944a1cceb2009f8bbb4897150fd1ef -Conflict: NA - -Create sosreport dbus chat interface. - -Allow abrt, systemd and timedatex to dbus chat sosreport - -Signed-off-by: lujie54 ---- - policy/modules/contrib/abrt.te | 1 + - policy/modules/contrib/sosreport.if | 20 ++++++++++++++++++++ - policy/modules/contrib/timedatex.te | 5 ++++- - policy/modules/system/systemd.te | 4 ++++ - 4 files changed, 29 insertions(+), 1 deletion(-) - -diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te -index a68c7fd..02a12df 100644 ---- a/policy/modules/contrib/abrt.te -+++ b/policy/modules/contrib/abrt.te -@@ -350,6 +350,7 @@ optional_policy(` - #') - - optional_policy(` -+ sosreport_dbus_chat(abrt_t) - sosreport_domtrans(abrt_t) - sosreport_read_tmp_files(abrt_t) - sosreport_delete_tmp_files(abrt_t) -diff --git a/policy/modules/contrib/sosreport.if b/policy/modules/contrib/sosreport.if -index f6db7a7..c5fbb7a 100644 ---- a/policy/modules/contrib/sosreport.if -+++ b/policy/modules/contrib/sosreport.if -@@ -146,3 +146,23 @@ interface(`sosreport_signull',` - allow $1 sosreport_t:process signull; - ') - -+######################################## -+## -+## Send and receive messages from -+## sosreport over dbus. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`sosreport_dbus_chat',` -+ gen_require(` -+ type sosreport_t; -+ class dbus send_msg; -+ ') -+ -+ allow $1 sosreport_t:dbus send_msg; -+ allow sosreport_t $1:dbus send_msg; -+') -diff --git a/policy/modules/contrib/timedatex.te b/policy/modules/contrib/timedatex.te -index 3a2e4db..6a640fa 100644 ---- a/policy/modules/contrib/timedatex.te -+++ b/policy/modules/contrib/timedatex.te -@@ -64,6 +64,9 @@ optional_policy(` - ') - - optional_policy(` -- userdom_dbus_send_all_users(timedatex_t) -+ sosreport_dbus_chat(timedatex_t) - ') - -+optional_policy(` -+ userdom_dbus_send_all_users(timedatex_t) -+') -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 476e2d3..97cc111 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -545,6 +545,10 @@ optional_policy(` - ') - - optional_policy(` -+ sosreport_dbus_chat(systemd_networkd_t) -+') -+ -+optional_policy(` - udev_read_db(systemd_networkd_t) - ') - --- -1.8.3.1 - diff --git a/backport-Allow-ssh-client-read-kerberos-homedir-config-files.patch b/backport-Allow-ssh-client-read-kerberos-homedir-config-files.patch deleted file mode 100644 index 91f4716..0000000 --- a/backport-Allow-ssh-client-read-kerberos-homedir-config-files.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From b7cd8535f926e9f6e38499714f0d97b12b77dde6 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 22 Aug 2022 12:25:09 +0200 -Subject: [PATCH] Allow ssh client read kerberos homedir config files - -Addresses the following AVC denial: -type=PATH msg=audit(22.8.2022 10:09:52.495:4019) : item=0 name=/home/user/.k5identity inode=15144919 dev=fd:03 mode=file,664 ouid=user ogid=user rdev=00:00 obj=staff_u:object_r:krb5_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=SYSCALL msg=audit(22.8.2022 10:09:52.495:4019) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x564acca009b0 a2=O_RDONLY a3=0x0 items=1 ppid=78842 pid=439750 auid=user uid=user gid=user euid=user suid=user fsuid=user egid=user sgid=user fsgid=user tty=pts12 ses=3 comm=ssh exe=/usr/bin/ssh subj=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(22.8.2022 10:09:52.495:4019) : avc: denied { open } for pid=439750 comm=ssh path=/home/user/.k5identity dev="dm-3" ino=15144919 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:krb5_home_t:s0 tclass=file permissive=1 - -Signed-off-by: lujie42 ---- - policy/modules/services/ssh.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index bf988b7f2..15b611e46 100644 ---- a/policy/modules/services/ssh.te -+++ b/policy/modules/services/ssh.te -@@ -246,6 +246,7 @@ optional_policy(` - ') - - optional_policy(` -+ kerberos_read_home_content(ssh_t) - kerberos_read_keytab(ssh_t) - ') - --- -2.27.0 - diff --git a/backport-Allow-sshd-read-filesystem-sysctl-files.patch b/backport-Allow-sshd-read-filesystem-sysctl-files.patch deleted file mode 100644 index 74a56c8..0000000 --- a/backport-Allow-sshd-read-filesystem-sysctl-files.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 84dd4309ad6d644edea2c3cf448f516f4e008c04 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Tue, 11 Jan 2022 15:17:27 +0100 -Subject: [PATCH] Allow sshd read filesystem sysctl files - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/84dd4309ad6d644edea2c3cf448f516f4e008c04 -Conflict: NA - -This permissions is required when "nofile unlimited" is configured -in the system resources limits for a user. - -echo "testuser hard nofile unlimited" >> /etc/security/limits.d/testuser.conf - -Resolves: rhbz#2036585 -Signed-off-by: lujie54 ---- - policy/modules/services/ssh.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 10126e7..bf988b7 100644 ---- a/policy/modules/services/ssh.te -+++ b/policy/modules/services/ssh.te -@@ -303,6 +303,7 @@ allow sshd_t sshd_keytab_t:file read_file_perms; - - kernel_search_key(sshd_t) - kernel_link_key(sshd_t) -+kernel_read_fs_sysctls(sshd_t) - kernel_read_net_sysctls(sshd_t) - - files_search_all(sshd_t) --- -1.8.3.1 - diff --git a/backport-Allow-sss-daemons-read-write-unnamed-pipes-of-cloud-.patch b/backport-Allow-sss-daemons-read-write-unnamed-pipes-of-cloud-.patch deleted file mode 100644 index 7e69dcc..0000000 --- a/backport-Allow-sss-daemons-read-write-unnamed-pipes-of-cloud-.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 3478cb66bc08866173e82fa070c160c0c03513bd Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Fri, 30 Sep 2022 16:08:55 +0200 -Subject: [PATCH] Allow sss daemons read/write unnamed pipes of cloud-init - -The cloudform_rw_pipes() interface was added. - -Addresses the following AVC denials: -[ 10.779755] fedora audit[812]: AVC avc: denied { read } for pid=812 comm="sss_cache" path="pipe:[18908]" dev="pipefs" ino=18908 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0 -[ 10.779916] fedora audit[812]: AVC avc: denied { write } for pid=812 comm="sss_cache" path="pipe:[18909]" dev="pipefs" ino=18909 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0 - -Resolves: rhbz#2073265 -Signed-off-by: lujie42 ---- - policy/modules/contrib/cloudform.if | 18 ++++++++++++++++++ - policy/modules/contrib/sssd.te | 4 ++++ - 2 files changed, 22 insertions(+) - -diff --git a/policy/modules/contrib/cloudform.if b/policy/modules/contrib/cloudform.if -index 55fe0d668..4a17c4872 100644 ---- a/policy/modules/contrib/cloudform.if -+++ b/policy/modules/contrib/cloudform.if -@@ -41,6 +41,24 @@ interface(`cloudform_init_domtrans',` - domtrans_pattern($1, cloud_init_exec_t, cloud_init_t) - ') - -+######################################## -+## -+## Read and write unnamed cloud-init pipes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`cloudform_rw_pipes',` -+ gen_require(` -+ type cloud_init_t; -+ ') -+ -+ allow $1 cloud_init_t:fifo_file rw_fifo_file_perms; -+') -+ - ###################################### - ## - ## Execute mongod in the caller domain. 
-diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te -index f5c7d980d..90d04fd91 100644 ---- a/policy/modules/contrib/sssd.te -+++ b/policy/modules/contrib/sssd.te -@@ -185,6 +185,10 @@ optional_policy(` - bind_read_cache(sssd_t) - ') - -+optional_policy(` -+ cloudform_rw_pipes(sssd_t) -+') -+ - optional_policy(` - dbus_system_bus_client(sssd_t) - dbus_connect_system_bus(sssd_t) --- -2.27.0 - diff --git a/backport-Allow-sssd-domtrans-to-pkcs_slotd_t.patch b/backport-Allow-sssd-domtrans-to-pkcs_slotd_t.patch deleted file mode 100644 index 6cee523..0000000 --- a/backport-Allow-sssd-domtrans-to-pkcs_slotd_t.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From b22b33e612363001d74e283e53b04192a51f7c5f Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 14 Apr 2022 19:31:18 +0200 -Subject: [PATCH] Allow sssd domtrans to pkcs_slotd_t - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/b22b33e612363001d74e283e53b04192a51f7c5f -Conflict: NA - -When sssd is configured to use smart cards login, any authentication -(e.g. sudo) will raise this AVC meaning smart card login was prevented -from working: - -type=AVC msg=audit(1620803381.118:24793): avc: denied { getattr } for pid=667312 comm="p11_child" path="/usr/sbin/pkcsslotd" dev="dm-1" ino=1581455 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_exec_t:s0 tclass=file permissive=0 - -Sudo uses pam to authenticate a user. In pam stack, there is the sssd -pam module which talks through some IPC to sssd's p11_child. -This sssd's p11_child loads through p11-kit every pkcs11 module -installed in the system, which includes the opencryptoki pkcs11 module. -Opencryptoki pkcs11 module talks through some IPC to pkcsslotd daemon, -handling the communication with HW devices or soft tokens. - -The pkcs_domtrans() interface was added. - -Resolves: rhbz#1959705 -Signed-off-by: lujie54 ---- - policy/modules/contrib/pkcs.if | 19 +++++++++++++++++++ - policy/modules/contrib/sssd.te | 1 + - 2 files changed, 20 insertions(+) - -diff --git a/policy/modules/contrib/pkcs.if b/policy/modules/contrib/pkcs.if -index 423d061..eb97d23 100644 ---- a/policy/modules/contrib/pkcs.if -+++ b/policy/modules/contrib/pkcs.if -@@ -118,6 +118,25 @@ interface(`pkcs_getattr_exec_files',` - - ######################################## - ## -+## Transition to pkcs_slotd -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`pkcs_domtrans',` -+ gen_require(` -+ type pkcs_slotd_t, pkcs_slotd_exec_t; -+ ') -+ -+ corecmd_search_bin($1) -+ domtrans_pattern($1, pkcs_slotd_exec_t, pkcs_slotd_t) -+') -+ -+######################################## -+## - ## Create specific objects in the tmpfs directories - ## with a private type. - ## -diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te -index 80c0b62..f5c7d98 100644 ---- a/policy/modules/contrib/sssd.te -+++ b/policy/modules/contrib/sssd.te -@@ -221,6 +221,7 @@ optional_policy(` - ') - - optional_policy(` -+ pkcs_domtrans(sssd_t) - pkcs_read_lock(sssd_t) - ') - --- -1.8.3.1 - diff --git a/backport-Allow-sssd_kcm-read-and-write-z90crypt-device.patch b/backport-Allow-sssd_kcm-read-and-write-z90crypt-device.patch deleted file mode 100644 index 62cabe4..0000000 --- a/backport-Allow-sssd_kcm-read-and-write-z90crypt-device.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 80e7516c09c41c989176947265df41e39e94a31a Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 10 Jan 2022 17:15:56 +0100 -Subject: [PATCH] Allow sssd_kcm read and write z90crypt device -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/80e7516c09c41c989176947265df41e39e94a31a -Conflict: NA - -This permission is required on s390x systems with the Crypto Express -adapter card. The z90crypt device driver acts as the interface to the -PCI cryptography hardware and performs asynchronous encryption -operations (RSA) as used during the SSL handshake. - -Addresses the following AVC denial: -PROCTITLE msg=audit(26.11.2021 17:43:18.641:78) : proctitle=/usr/libexec/sssd/sssd_kcm --uid 0 --gid 0 --logger=files -type=AVC msg=audit(26.11.2021 17:43:18.641:78) : avc: denied { read write } for pid=1724 comm=sssd_kcm name=z90crypt dev="devtmpfs" ino=111 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=0 -type=SYSCALL msg=audit(26.11.2021 17:43:18.641:78) : arch=s390x syscall=openat success=no exit=EACCES(Operace zamítnuta) a0=0xffffffffffffff9c a1=0x3ffa56906e6 a2=O_RDWR a3=0x0 items=0 ppid=1 pid=1724 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_kcm exe=/usr/libexec/sssd/sssd_kcm subj=system_u:system_r:sssd_t:s0 key=(null) - -Resolves: rhbz#2026974 -Signed-off-by: lujie54 ---- - policy/modules/contrib/sssd.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te -index b510dca..e5c8673 100644 ---- a/policy/modules/contrib/sssd.te -+++ b/policy/modules/contrib/sssd.te -@@ -106,6 +106,7 @@ corecmd_exec_bin(sssd_t) - - dev_read_urand(sssd_t) - dev_read_sysfs(sssd_t) -+dev_rw_crypto(sssd_t) - - domain_read_all_domains_state(sssd_t) - 
domain_obj_id_change_exemption(sssd_t) --- -1.8.3.1 - diff --git a/backport-Allow-staff_u-and-user_u-users-write-to-bolt-pipe.patch b/backport-Allow-staff_u-and-user_u-users-write-to-bolt-pipe.patch deleted file mode 100644 index 02d78db..0000000 --- a/backport-Allow-staff_u-and-user_u-users-write-to-bolt-pipe.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 5adbc14b634b60c5bd779fb22c5bf4a674a83020 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Fri, 9 Sep 2022 17:21:10 +0200 -Subject: [PATCH] Allow staff_u and user_u users write to bolt pipe - -Addresses the following AVC denial: -- -type=PROCTITLE msg=audit(6.9.2022 07:26:55.355:15479) : proctitle=boltctl power -type=SYSCALL msg=audit(6.9.2022 07:26:55.355:15479) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x5 a1=0x7f341adfd940 a2=MSG_CMSG_CLOEXEC a3=0x7fff30353080 items=0 ppid=1832290 pid=1905598 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=pts18 ses=3 comm=gdbus exe=/usr/bin/boltctl subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(6.9.2022 07:26:55.355:15479) : avc: denied { write } for pid=1905598 comm=gdbus path=/run/boltd/power/1.guard.fifo dev="tmpfs" ino=95970 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boltd_var_run_t:s0 tclass=fifo_file permissive=1 - -Signed-off-by: lujie42 ---- - policy/modules/roles/staff.te | 4 ++++ - policy/modules/roles/unprivuser.te | 4 ++++ - 2 files changed, 8 insertions(+) - -diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index a573eba03..907710baf 100644 ---- a/policy/modules/roles/staff.te -+++ b/policy/modules/roles/staff.te -@@ -103,6 +103,10 @@ optional_policy(` - blueman_dbus_chat(staff_t) - ') - -+optional_policy(` -+ boltd_write_var_run_pipes(staff_t) -+') -+ - optional_policy(` - kdumpgui_dbus_chat(staff_t) - ') -diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index 56a8be217..a4781914e 100644 ---- a/policy/modules/roles/unprivuser.te -+++ b/policy/modules/roles/unprivuser.te -@@ -66,6 +66,10 @@ optional_policy(` - bluetooth_role(user_r, user_t) - ') - -+optional_policy(` -+ boltd_write_var_run_pipes(user_t) -+') -+ - optional_policy(` - colord_dbus_chat(user_t) - ') --- -2.27.0 - 
diff --git a/backport-Allow-sudodomain-send-a-null-signal-to-sshd-processe.patch b/backport-Allow-sudodomain-send-a-null-signal-to-sshd-processe.patch deleted file mode 100644 index 82f4200..0000000 --- a/backport-Allow-sudodomain-send-a-null-signal-to-sshd-processe.patch +++ /dev/null @@ -1,37 +0,0 @@ -From c5082c2dc80dbbd549ca9a246ef97ef6cf20a277 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 18 Nov 2021 19:29:01 +0100 -Subject: [PATCH] Allow sudodomain send a null signal to sshd processes - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/c5082c2dc80dbbd549ca9a246ef97ef6cf20a277 -Conflict: NA - -This denial appears when maxlogins is specified in PAM limits configuration: -type=PROCTITLE msg=audit(11/18/21 13:22:44.231:774) : proctitle=sudo -u staff echo -type=SYSCALL msg=audit(11/18/21 13:22:44.231:774) : arch=x86_64 syscall=kill success=no exit=EACCES(Permission denied) a0=0x1a2c a1=SIG0 a2=0x4 a3=0x7ffd93c089cf items=0 ppid=6747 pid=6748 auid=staff uid=root gid=staff euid=root suid=root fsuid=root egid=staff sgid=staff fsgid=staff tty=(none) ses=16 comm=sudo exe=/usr/bin/sudo subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(11/18/21 13:22:44.231:774) : avc: denied { signull } for pid=6748 comm=sudo scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0 - -Resolves: rhbz#1966945 -Signed-off-by: lujie54 ---- - policy/modules/admin/sudo.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te -index b281028..333b465 100644 ---- a/policy/modules/admin/sudo.te -+++ b/policy/modules/admin/sudo.te -@@ -129,6 +129,10 @@ optional_policy(` - ') - - optional_policy(` -+ ssh_signull(sudodomain) -+') -+ -+optional_policy(` - systemd_write_inherited_logind_sessions_pipes(sudodomain) - ') - --- -1.8.3.1 - 
diff --git a/backport-Allow-sudodomains-execute-passwd-in-the-passwd-domai.patch b/backport-Allow-sudodomains-execute-passwd-in-the-passwd-domai.patch deleted file mode 100644 index 6bad72a..0000000 --- a/backport-Allow-sudodomains-execute-passwd-in-the-passwd-domai.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 3b826a9f34d86388fde3a07a9dcfeccdc762bafe Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 20 Dec 2021 11:47:29 +0100 -Subject: [PATCH] Allow sudodomains execute passwd in the passwd domain - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3b826a9f34d86388fde3a07a9dcfeccdc762bafe -Conflict: NA - -When an unprivileged user in the sysadm_r role executes passwd -through sudo, it transitions into sysadm_sudo_t domain by default. -With this commit, the process transitions back to sysadm_t. - -Resolves: rhbz#1943572 -Signed-off-by: lujie54 ---- - policy/modules/admin/sudo.if | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if -index e79eef7..356b150 100644 ---- a/policy/modules/admin/sudo.if -+++ b/policy/modules/admin/sudo.if -@@ -98,6 +98,9 @@ template(`sudo_role_template',` - kerberos_read_config($1_sudo_t) - ') - -+ optional_policy(` -+ usermanage_domtrans_passwd($1_sudo_t) -+ ') - ') - - ######################################## --- -1.8.3.1 - diff --git a/backport-Allow-svnserve-send-mail-from-the-system.patch b/backport-Allow-svnserve-send-mail-from-the-system.patch deleted file mode 100644 index 4719d45..0000000 --- a/backport-Allow-svnserve-send-mail-from-the-system.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From c43df4f0131a7870beef94eb9c5a5fb048379566 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Wed, 24 Nov 2021 16:13:35 +0100 -Subject: [PATCH] Allow svnserve send mail from the system - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/c43df4f0131a7870beef94eb9c5a5fb048379566 -Conflict: NA - -If a svn hook needs to send an e-mail, the service needs to be allowed -to execute an MTA program. In this commit, the mta_send_mail() interface -call for svnserve_t was added to allow permissions to execute types from -the mta_exec_type attribute which currently is: -- courier_exec_t -- exim_exec_t -- postfix_postdrop_t -- sendmail_exec_t - -Resolves: rhbz#2004843 -Signed-off-by: lujie54 ---- - policy/modules/contrib/svnserve.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/contrib/svnserve.te b/policy/modules/contrib/svnserve.te -index 874e7c2..c603551 100644 ---- a/policy/modules/contrib/svnserve.te -+++ b/policy/modules/contrib/svnserve.te -@@ -90,6 +90,10 @@ optional_policy(` - ') - - optional_policy(` -+ mta_send_mail(svnserve_t) -+') -+ -+optional_policy(` - sasl_connect(svnserve_t) - ') - --- -1.8.3.1 - diff --git a/backport-Allow-sysadm-execute-sysadmctl-in-sysadm_t-domain-us.patch b/backport-Allow-sysadm-execute-sysadmctl-in-sysadm_t-domain-us.patch deleted file mode 100644 index c180a6d..0000000 --- a/backport-Allow-sysadm-execute-sysadmctl-in-sysadm_t-domain-us.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From 8879c209b0916931aab95d733fc7f4b52b99258b Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Wed, 22 Dec 2021 13:06:33 +0100 -Subject: [PATCH] Allow sysadm execute sysadmctl in sysadm_t domain using sudo - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/8879c209b0916931aab95d733fc7f4b52b99258b -Conflict: NA - -When an unprivileged user in the sysadm_r role executes systemctl -through sudo, it transitions into sysadm_sudo_t domain by default. -With this commit, the process transitions back to sysadm_t. - -The systemd_domtrans_systemctl() interface was added. - -Resolves: rhbz#2013749 -Signed-off-by: lujie54 ---- - policy/modules/admin/sudo.if | 5 +++++ - policy/modules/system/systemd.if | 23 +++++++++++++++++++++++ - 2 files changed, 28 insertions(+) - -diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if -index f6df896..24ede58 100644 ---- a/policy/modules/admin/sudo.if -+++ b/policy/modules/admin/sudo.if -@@ -101,6 +101,11 @@ template(`sudo_role_template',` - ') - - optional_policy(` -+ systemd_domtrans_systemctl($1_sudo_t, $3) -+ systemd_systemctl_entrypoint($3) -+ ') -+ -+ optional_policy(` - userdom_write_user_tmp_sockets($1_sudo_t) - ') - -diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index ec58e33..351438c 100644 ---- a/policy/modules/system/systemd.if -+++ b/policy/modules/system/systemd.if -@@ -128,6 +128,29 @@ interface(`systemd_systemctl_entrypoint',` - - ####################################### - ## -+## Execute systemctl in the specified domain -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Domain to transition to. -+## -+## -+# -+interface(`systemd_domtrans_systemctl',` -+ gen_require(` -+ type systemd_systemctl_exec_t; -+ ') -+ -+ domain_auto_transition_pattern($1, systemd_systemctl_exec_t, $2) -+') -+ -+####################################### -+## - ## Create a file type used for systemd unit files. - ## - ## --- -1.8.3.1 - 
diff --git a/backport-Allow-sysadm_passwd_t-to-relabel-passwd-and-group-fi.patch b/backport-Allow-sysadm_passwd_t-to-relabel-passwd-and-group-fi.patch
deleted file mode 100644
index 77e2495..0000000
--- a/backport-Allow-sysadm_passwd_t-to-relabel-passwd-and-group-fi.patch
+++ /dev/null
@@ -1,77 +0,0 @@ -From 369f900039cff9443e86fdf7254ba8b11dc6adb5 Mon Sep 17 00:00:00 2001 -From: Patrik Koncity -Date: Thu, 10 Feb 2022 11:46:13 +0100 -Subject: [PATCH] Allow sysadm_passwd_t to relabel passwd and group files - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/369f900039cff9443e86fdf7254ba8b11dc6adb5 -Conflict: NA - -Vigr mechanism of editing group and passwd -files work on principle of recreating the current -file with new changes. Due to this mechanism is -need to again relabel file with selinux label. -Creating interface allowing relabel to the passwd_file_t -type. Allow relabeling for sysadm_passwd_t domain. -Allow dac_override permission for sysadm_passwd_t type. - -Signed-off-by: lujie54 ---- - policy/modules/admin/usermanage.te | 3 ++- - policy/modules/system/authlogin.if | 20 ++++++++++++++++++++ - 2 files changed, 22 insertions(+), 1 deletion(-) - -diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 8fdbfbc..155fb68 100644 ---- a/policy/modules/admin/usermanage.te -+++ b/policy/modules/admin/usermanage.te -@@ -433,7 +433,7 @@ optional_policy(` - # Password admin local policy - # - --allow sysadm_passwd_t self:capability { chown dac_read_search fsetid setuid setgid sys_resource }; -+allow sysadm_passwd_t self:capability { chown dac_override dac_read_search fsetid setuid setgid sys_resource }; - allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow sysadm_passwd_t self:process { setrlimit setfscreate }; - allow sysadm_passwd_t self:fd use; -@@ -478,6 +478,7 @@ term_getattr_all_ptys(sysadm_passwd_t) - auth_manage_passwd(sysadm_passwd_t) - auth_manage_shadow(sysadm_passwd_t) - auth_relabel_shadow(sysadm_passwd_t) -+auth_relabelto_passwd_files(sysadm_passwd_t) - auth_etc_filetrans_shadow(sysadm_passwd_t) - auth_use_nsswitch(sysadm_passwd_t) - -diff --git a/policy/modules/system/authlogin.if 
b/policy/modules/system/authlogin.if -index ad55205..b5b3702 100644 ---- a/policy/modules/system/authlogin.if -+++ b/policy/modules/system/authlogin.if -@@ -851,6 +851,26 @@ interface(`auth_relabel_shadow',` - - ####################################### - ## -+## Relabel to the -+## password file type. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`auth_relabelto_passwd_files',` -+ gen_require(` -+ type passwd_file_t; -+ ') -+ -+ files_search_etc($1) -+ allow $1 passwd_file_t:file relabelto; -+') -+ -+####################################### -+## - ## Append to the login failure log. - ## - ## --- -1.8.3.1 - diff --git a/backport-Allow-sysadm_t-start-and-stop-transient-services.patch b/backport-Allow-sysadm_t-start-and-stop-transient-services.patch deleted file mode 100644 index c2ce37c..0000000 --- a/backport-Allow-sysadm_t-start-and-stop-transient-services.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 489674d8ad8253a18cf88425f2fe3dbf265d03a1 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 17 Jan 2022 12:44:10 +0100 -Subject: [PATCH] Allow sysadm_t start and stop transient services - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/489674d8ad8253a18cf88425f2fe3dbf265d03a1 -Conflict: NA - -Addresses the following AVC denial: - -type=USER_AVC msg=audit(01/07/2022 03:27:48.362:345) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root cmdline="" scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=1 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' # Date: Mon Jan 17 12:44:10 2022 +0100 - -Resolves: rhbz#2031065 -Signed-off-by: lujie54 ---- - policy/modules/roles/sysadm.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index fae8028..d9e11b6 100644 ---- a/policy/modules/roles/sysadm.te -+++ b/policy/modules/roles/sysadm.te -@@ -81,6 +81,8 @@ init_exec(sysadm_t) - init_exec_script_files(sysadm_t) - init_dbus_chat(sysadm_t) - init_script_role_transition(sysadm_r) -+init_start(sysadm_t) -+init_stop(sysadm_t) - init_status(sysadm_t) - init_reboot(sysadm_t) - init_halt(sysadm_t) --- -1.8.3.1 - diff --git a/backport-Allow-sysadm_t-to-run-bpftool-on-the-userdomain-attr.patch b/backport-Allow-sysadm_t-to-run-bpftool-on-the-userdomain-attr.patch deleted file mode 100644 index 6eb260b..0000000 --- a/backport-Allow-sysadm_t-to-run-bpftool-on-the-userdomain-attr.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 3578a24d63f5901469482950f40bcb757d695baf Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Tue, 2 Aug 2022 16:42:58 +0200 -Subject: [PATCH] Allow sysadm_t to run bpftool on the userdomain attribute - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3578a24d63f5901469482950f40bcb757d695baf -Conflict: NA - -Addresses the following AVC denial: -type=PROCTITLE msg=audit(08/02/2022 11:36:12.251:13079) : proctitle=perf record -o /dev/null echo test -type=SYSCALL msg=audit(08/02/2022 11:36:12.251:13079) : arch=x86_64 syscall=bpf success=no exit=EACCES(Permission denied) a0=BPF_PROG_GET_FD_BY_ID a1=0x7ffda3e17100 a2=0x90 a3=0x55bd94ea10a0 items=0 ppid=291258 pid=291259 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=141 comm=perf exe=/usr/bin/perf subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(08/02/2022 11:36:12.251:13079) : avc: denied { prog_run } for pid=291259 comm=perf scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=bpf permissive=0 - -Signed-off-by: lujie54 ---- - policy/modules/roles/sysadm.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index d9e11b6..ed1b86f 100644 ---- a/policy/modules/roles/sysadm.te -+++ b/policy/modules/roles/sysadm.te -@@ -109,6 +109,8 @@ userdom_exec_admin_home_files(sysadm_t) - userdom_manage_admin_files(sysadm_t) - userdom_manage_admin_dirs(sysadm_t) - -+userdom_prog_run_bpf_userdomain(sysadm_t) -+ - corenet_ib_access_unlabeled_pkeys(sysadm_t) - corenet_ib_manage_subnet_unlabeled_endports(sysadm_t) - corenet_tcp_bind_all_rpc_ports(sysadm_t) --- -1.8.3.1 - diff --git a/backport-Allow-system-dbus-daemon-watch-generic-directories-i.patch b/backport-Allow-system-dbus-daemon-watch-generic-directories-i.patch deleted file mode 100644 index 3088d57..0000000 
--- a/backport-Allow-system-dbus-daemon-watch-generic-directories-i.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 9935be1702ce951d1582e80ae8d747183ed34a5e Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Fri, 8 Apr 2022 14:02:48 +0200 -Subject: [PATCH] Allow system dbus daemon watch generic directories in - /var/lib - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9935be1702ce951d1582e80ae8d747183ed34a5e -Conflict: NA - -Resolves: rhbz#1928365 -Signed-off-by: lujie54 ---- - policy/modules/contrib/dbus.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te -index 76fb3b6..ced5149 100644 ---- a/policy/modules/contrib/dbus.te -+++ b/policy/modules/contrib/dbus.te -@@ -107,6 +107,7 @@ dev_rw_inherited_dri(system_dbusd_t) - files_read_var_lib_symlinks(system_dbusd_t) - files_rw_inherited_non_security_files(system_dbusd_t) - files_watch_usr_dirs(system_dbusd_t) -+files_watch_var_lib_dirs(system_dbusd_t) - - fs_getattr_all_fs(system_dbusd_t) - fs_search_auto_mountpoints(system_dbusd_t) --- -1.8.3.1 - diff --git a/backport-Allow-systemd-coredump-read-and-write-usermodehelper.patch b/backport-Allow-systemd-coredump-read-and-write-usermodehelper.patch deleted file mode 100644 index 54a0a2b..0000000 --- a/backport-Allow-systemd-coredump-read-and-write-usermodehelper.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 9ca08c39af36079809e9247957d86e86009a3e6a Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 13 Jan 2022 19:23:19 +0100 -Subject: [PATCH] Allow systemd-coredump read and write usermodehelper state - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9ca08c39af36079809e9247957d86e86009a3e6a -Conflict: NA - -When systemd (PID1) crashes, it freezes and systemd services cannot be -started, so coredump handling with systemd-coredump will not work -either. As frozen systemd does not collect zombies any longer, it looks -reasonable to avoid spawning further processes as much as possible. - -Therefore systemd-coredump will write "|/bin/false" to the -kernel.core_pattern kernel tunable when it detects that it was PID 1 -that had crashed to disable coredumping. - -Resolves: rhbz#1982961 -Signed-off-by: lujie54 ---- - policy/modules/system/systemd.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index edd4354..5a78a8c 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -1055,6 +1055,8 @@ manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_cor - mmap_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t) - init_var_lib_filetrans(systemd_coredump_t, systemd_coredump_var_lib_t, dir, "coredump") - -+kernel_rw_usermodehelper_state(systemd_coredump_t) -+ - dev_write_kmsg(systemd_coredump_t) - - # To read info about the crashed process from /proc --- -1.8.3.1 - diff --git a/backport-Allow-systemd-coredump-userns-capabilities-and-root-.patch b/backport-Allow-systemd-coredump-userns-capabilities-and-root-.patch deleted file mode 100644 index 03045c8..0000000 --- a/backport-Allow-systemd-coredump-userns-capabilities-and-root-.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 4ed22744f5a99c1f2b997b915b340de7abe8d15d Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 13 Jan 2022 21:08:14 +0100 -Subject: [PATCH] Allow systemd-coredump userns capabilities and root mounton - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/4ed22744f5a99c1f2b997b915b340de7abe8d15d -Conflict: NA - -systemd-coredump forks a child process to perform core file analysis -(comm=(sd-parse-elf)), and before doing the actual analysis, it sets -up a sandbox using mount and user namespaces. - -Refer to https://github.com/systemd/systemd/commit/61aea456c1 -for the systemd upstream change. - -Resolves: rhbz#2031356 -Signed-off-by: lujie54 ---- - policy/modules/system/systemd.te | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 5a78a8c..ea2b27e 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -1040,7 +1040,7 @@ systemd_read_efivarfs(systemd_sysctl_t) - # setgid setuid - to set own credentials to match the dumped process credentials - # setpcap - to drop capabilities - allow systemd_coredump_t self:capability { dac_read_search net_admin setgid setpcap setuid sys_ptrace }; --allow systemd_coredump_t self:cap_userns sys_ptrace; -+allow systemd_coredump_t self:cap_userns { dac_read_search dac_override sys_admin sys_ptrace }; - - # To set its capability set - allow systemd_coredump_t self:process setcap; -@@ -1067,6 +1067,8 @@ domain_read_all_domains_state(systemd_coredump_t) - files_read_non_security_files(systemd_coredump_t) - files_map_non_security_files(systemd_coredump_t) - -+files_mounton_rootfs(systemd_coredump_t) -+ - fs_getattr_nsfs_files(systemd_coredump_t) - - optional_policy(` --- -1.8.3.1 - 
diff --git a/backport-Allow-systemd-gpt-auto-generator-create-and-use-netl.patch b/backport-Allow-systemd-gpt-auto-generator-create-and-use-netl.patch deleted file mode 100644 index 12c6c2f..0000000 --- a/backport-Allow-systemd-gpt-auto-generator-create-and-use-netl.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 8398b1833c1168ac30ef8e13db39f50c187503cb Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 14 Apr 2022 18:37:38 +0200 -Subject: [PATCH] Allow systemd-gpt-auto-generator create and use - netlink_kobject_uevent_socket - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/8398b1833c1168ac30ef8e13db39f50c187503cb -Conflict: NA - -Addresses the following AVC denial: -type=AVC msg=audit(1649951765.765:599): avc: denied { create } for pid=35143 comm="systemd-gpt-aut" scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=netlink_kobject_uevent_socket permissive=0 - -Resolves: rhbz#2075589 -Signed-off-by: lujie54 ---- - policy/modules/system/systemd.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 8fe3eb9..a9308b8 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -1106,6 +1106,7 @@ systemd_read_efivarfs(systemd_hwdb_t) - # - - allow systemd_gpt_generator_t self:capability sys_rawio; -+allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms; - - dev_read_sysfs(systemd_gpt_generator_t) - dev_write_kmsg(systemd_gpt_generator_t) --- -1.8.3.1 - diff --git a/backport-Allow-systemd-gpt-auto-generator-to-check-for-empty-.patch b/backport-Allow-systemd-gpt-auto-generator-to-check-for-empty-.patch deleted file mode 100644 index ac1636c..0000000 --- a/backport-Allow-systemd-gpt-auto-generator-to-check-for-empty-.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 8304d9b80b3cb22e429d2113cf81dca07d306dd7 Mon Sep 17 00:00:00 2001 -From: Quintin Hill -Date: Fri, 2 Sep 2022 16:44:37 +0100 -Subject: [PATCH] Allow systemd-gpt-auto-generator to check for empty dirs - -systemd-gpt-auto-generator wants to check that certain subdirectories of / are empty before generating mount units for them this is not permitted by policy. - -Addresses: -systemd-gpt-auto-generator[388]: Cannot check if "/home" is empty: Permission denied -kernel: audit: type=1400 audit(1662118200.418:80): avc: denied { read } for pid=388 comm="systemd-gpt-aut" name="home" dev="sda2" ino=3180 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=0 -audit[388]: AVC avc: denied { read } for pid=388 comm="systemd-gpt-aut" name="var" dev="sda2" ino=362569 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0 -systemd-gpt-auto-generator[388]: Cannot check if "/var" is empty: Permission denied - -Resolves: rhbz#2123765 -Signed-off-by: lujie42 ---- - policy/modules/system/systemd.te | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index a9308b8cc..028820491 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -1112,6 +1112,11 @@ dev_read_sysfs(systemd_gpt_generator_t) - dev_write_kmsg(systemd_gpt_generator_t) - dev_read_rand(systemd_gpt_generator_t) - -+files_list_boot(systemd_gpt_generator_t) -+files_list_home(systemd_gpt_generator_t) -+files_list_tmp(systemd_gpt_generator_t) -+files_list_usr(systemd_gpt_generator_t) -+files_list_var(systemd_gpt_generator_t) - - fstools_exec(systemd_gpt_generator_t) - --- -2.27.0 - diff --git a/backport-Allow-systemd-io-bridge-ioctl-rpm_script_t.patch b/backport-Allow-systemd-io-bridge-ioctl-rpm_script_t.patch deleted file mode 100644 index cd27dc6..0000000 
--- a/backport-Allow-systemd-io-bridge-ioctl-rpm_script_t.patch
+++ /dev/null
@@ -1,68 +0,0 @@ -From 3ecf12ffdad26ee5c6361a7c1e82ba507abdc04f Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 13 Jan 2022 22:12:03 +0100 -Subject: [PATCH] Allow systemd-io-bridge ioctl rpm_script_t -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3ecf12ffdad26ee5c6361a7c1e82ba507abdc04f -Conflict: NA - -The permission to allow systemd-io-bridge ioctl rpm_script_t -with a unix domain stream socket was added to the policy. -It may be required when rpm packages are updated. - -Addresses the following AVC denial: -type=PROCTITLE msg=audit(3.1.2022 01:17:50.921:486) : proctitle=(o-bridge) -type=SYSCALL msg=audit(3.1.2022 01:17:50.921:486) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Pro toto zařízení nevhodné ioctl) a0=0x0 a1=TCGETS a2=0x7ffe8195d1e0 a3=0x7f9ea8a35ca0 items=0 ppid=1 pid=2846 auid=sddm uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=(o-bridge) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) -type=AVC msg=audit(3.1.2022 01:17:50.921:486) : avc: denied { ioctl } for pid=2846 comm=(o-bridge) path=socket:[43260] dev="sockfs" ino=43260 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 - -Resolves: rhbz#2024489 -Signed-off-by: lujie54 ---- - policy/modules/contrib/rpm.if | 18 ++++++++++++++++++ - policy/modules/system/init.te | 1 + - 2 files changed, 19 insertions(+) - -diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if -index db809c6..190f3e2 100644 ---- a/policy/modules/contrib/rpm.if -+++ b/policy/modules/contrib/rpm.if -@@ -957,3 +957,21 @@ interface(`rpm_admin',` - - rpm_run($1, $2) - ') -+ -+## -+## Allow the specified domain to ioctl rpm_script_t -+## with a unix domain stream socket. 
-+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rpm_script_ioctl_stream_sockets',` -+ gen_require(` -+ type rpm_script_t; -+ ') -+ -+ allow $1 rpm_script_t:unix_stream_socket ioctl; -+') -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 0de5f4a..a81f5da 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -516,6 +516,7 @@ optional_policy(` - - optional_policy(` - rpm_read_db(init_t) -+ rpm_script_ioctl_stream_sockets(init_t) - ') - - optional_policy(` --- -1.8.3.1 - diff --git a/backport-Allow-systemd-logind-dbus-chat-with-sosreport.patch b/backport-Allow-systemd-logind-dbus-chat-with-sosreport.patch deleted file mode 100644 index 83a2ecc..0000000 --- a/backport-Allow-systemd-logind-dbus-chat-with-sosreport.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 676fdceecce7f6e31c7ffdd9ecebb579fb7e4fb6 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 24 Feb 2022 12:29:52 +0100 -Subject: [PATCH] Allow systemd-logind dbus chat with sosreport - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/676fdceecce7f6e31c7ffdd9ecebb579fb7e4fb6 -Conflict: NA - -Signed-off-by: lujie54 ---- - policy/modules/system/systemd.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 3eabe11..8d96c4b 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -404,6 +404,10 @@ optional_policy(` - ') - - optional_policy(` -+ sosreport_dbus_chat(systemd_logind_t) -+') -+ -+optional_policy(` - # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file - xserver_search_xdm_tmp_dirs(systemd_logind_t) - ') --- -1.8.3.1 - diff --git a/backport-Allow-systemd-logind-delete-session_dbusd-tmp-socket.patch b/backport-Allow-systemd-logind-delete-session_dbusd-tmp-socket.patch deleted file mode 100644 index 09546b0..0000000 
--- a/backport-Allow-systemd-logind-delete-session_dbusd-tmp-socket.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 13c9a34e3e717785cf37706a964294733f6c5b00 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Thu, 13 Jan 2022 19:09:13 +0100
-Subject: [PATCH] Allow systemd-logind delete session_dbusd tmp socket files
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/13c9a34e3e717785cf37706a964294733f6c5b00
-Conflict: NA
-
-The dbus_delete_session_tmp_sock_files() interface was added.
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(13.1.2022 18:57:09.055:9086) : proctitle=/usr/lib/systemd/systemd-user-runtime-dir stop 100
-1
-type=PATH msg=audit(13.1.2022 18:57:09.055:9086) : item=1 name=bus inode=40 dev=00:3f mode=socket,666 ouid=staff ogi
-d=staff rdev=00:00 obj=staff_u:object_r:session_dbusd_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_
-fver=0 cap_frootid=0
-type=PATH msg=audit(13.1.2022 18:57:09.055:9086) : item=0 name=/ inode=1 dev=00:3f mode=dir,700 ouid=staff ogid=staf
-f rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_froo
-tid=0
-type=SYSCALL msg=audit(13.1.2022 18:57:09.055:9086) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0x3 a1=0x56
-0b86610d9b a2=0x0 a3=0x78 items=2 ppid=1 pid=26510 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=
-root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-ru exe=/usr/lib/systemd/systemd-user-runtime-dir su
-bj=system_u:system_r:systemd_logind_t:s0 key=(null)
-type=AVC msg=audit(13.1.2022 18:57:09.055:9086) : avc: denied { unlink } for pid=26510 comm=systemd-user-ru name=
-bus dev="tmpfs" ino=40 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=staff_u:object_r:session_dbusd_tmp_t:
-s0 tclass=sock_file permissive=1
-
-Resolves: rhbz#2039671
-Signed-off-by: lujie54
----
- policy/modules/contrib/dbus.if | 36 ++++++++++++++++++++++++++++++++++++
- policy/modules/system/systemd.te | 1 +
- 2 files changed, 37 insertions(+)
-
-diff --git
a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
-index 6f923ad..70e7bcd 100644
---- a/policy/modules/contrib/dbus.if
-+++ b/policy/modules/contrib/dbus.if
-@@ -863,6 +863,42 @@ interface(`dbus_manage_session_tmp_dirs',`
- manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
- ')
-
-+######################################
-+##
-+## Write to session_dbusd tmp socket files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dbus_write_session_tmp_sock_files',`
-+ gen_require(`
-+ type session_dbusd_tmp_t;
-+ ')
-+
-+ write_sock_files_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
-+')
-+
-+########################################
-+##
-+## Delete session_dbusd tmp socket files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dbus_delete_session_tmp_sock_files',`
-+ gen_require(`
-+ type session_dbusd_tmp_t;
-+ ')
-+
-+ delete_sock_files_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
-+')
-+
- ########################################
- ##
- ## Allow systemctl dbus services
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index a62f1fe..2b54d0b 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -363,6 +363,7 @@ optional_policy(`
- optional_policy(`
- dbus_connect_system_bus(systemd_logind_t)
- dbus_system_bus_client(systemd_logind_t)
-+ dbus_delete_session_tmp_sock_files(systemd_logind_t)
- dbus_manage_session_tmp_dirs(systemd_logind_t)
- ')
-
---
-1.8.3.1
-
diff --git a/backport-Allow-systemd-networkd-create-and-use-netlink-netfil.patch b/backport-Allow-systemd-networkd-create-and-use-netlink-netfil.patch
deleted file mode 100644
index 25080c3..0000000
--- a/backport-Allow-systemd-networkd-create-and-use-netlink-netfil.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 2bd78f27bb7a806bf89070c31e4f813b61f1155e Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Mon, 14 Feb 2022 10:51:06 +0100
-Subject: [PATCH] Allow systemd-networkd create and use netlink netfilter
- socket
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/2bd78f27bb7a806bf89070c31e4f813b61f1155e
-Conflict: NA
-
-Resolves: rhbz#2054006
-Signed-off-by: lujie54
----
- policy/modules/system/systemd.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 2d8db7e..476e2d3 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -490,6 +490,7 @@ allow systemd_networkd_t self:process { getcap setcap };
-
- allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
- allow systemd_networkd_t self:netlink_generic_socket create_socket_perms;
-+allow systemd_networkd_t self:netlink_netfilter_socket create_socket_perms;
- allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
- allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
- allow systemd_networkd_t self:packet_socket create_socket_perms;
---
-1.8.3.1
-
diff --git a/backport-Allow-systemd-read-unlabeled-symbolic-links.patch b/backport-Allow-systemd-read-unlabeled-symbolic-links.patch
deleted file mode 100644
index c6994cb..0000000
--- a/backport-Allow-systemd-read-unlabeled-symbolic-links.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 07b06a7f6cb1f41b92de5d29d21ac89c4d362457 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 7 Dec 2021 17:15:44 +0100
-Subject: [PATCH] Allow systemd read unlabeled symbolic links
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/07b06a7f6cb1f41b92de5d29d21ac89c4d362457
-Conflict: NA
-
-On a system boot systemd starts to launch services in the current target.
-When it attempts to access a symbolic link which is critical for systemd
-to continue and the symlink is unlabeled, the autorelabel target cannot
-be reached to start relabeling and fix the unlabeled files.
-This scenario applies to /etc/localtime when it was changed in SELinux
-disabled mode.
-
-Since this commit, systemd is allowed the read access to symbolic links
-with the unlabeled_t type.
-
-Resolves: rhbz#2021835
-Signed-off-by: lujie54
----
- policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
- policy/modules/system/init.te | 1 +
- 2 files changed, 19 insertions(+)
-
-diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 62845c1..1b684f5 100644
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -2922,6 +2922,24 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_files',`
-
- ########################################
- ##
-+## Read unlabeled symbolic links.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_read_unlabeled_lnk_files',`
-+ gen_require(`
-+ type unlabeled_t;
-+ ')
-+
-+ allow $1 unlabeled_t:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+##
- ## Read and write unlabeled block device nodes.
- ##
- ##
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 22e363a..0de5f4a 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -588,6 +588,7 @@ tunable_policy(`deny_bluetooth',`',`
- ')
-
- kernel_list_unlabeled(init_t)
-+kernel_read_unlabeled_lnk_files(init_t)
- kernel_read_network_state(init_t)
- kernel_rw_all_sysctls(init_t)
- kernel_rw_security_state(init_t)
---
-1.8.3.1
-
diff --git a/backport-Allow-systemd-services-watch-dbusd-pid-directory-and.patch b/backport-Allow-systemd-services-watch-dbusd-pid-directory-and.patch
deleted file mode 100644
index ecc8390..0000000
--- a/backport-Allow-systemd-services-watch-dbusd-pid-directory-and.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-From 569208d534e1a53d75b187ec44ecda856ee6139c Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Wed, 26 Jan 2022 14:41:59 +0100
-Subject: [PATCH] Allow systemd services watch dbusd pid directory and its
- parents
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/569208d534e1a53d75b187ec44ecda856ee6139c
-Conflict: NA
-
-The following services were allowed to watch /run/dbus and all its
-parents:
-- systemd-hostnamed
-- systemd-machined
-- systemd-networkd
-- systemd-resolved
-- systemd-timesyncd and systemd-timedated
-
-These permissions are required when the services start earlier than
-dbus-broker manages to establish the socket communication, e. g. after
-
- $ systemctl disable NetworkManager && systemctl enable systemd-networkd
-
-The dbus_watch_pid_dir_path() interface was added. The redundant
-dbus_watch_pid_dirs() calls were removed.
-
-Resolves: rhbz#2031668
-Signed-off-by: lujie54
----
- policy/modules/contrib/dbus.if | 21 +++++++++++++++++++++
- policy/modules/system/systemd.te | 7 +++++--
- 2 files changed, 26 insertions(+), 2 deletions(-)
-
-diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
-index deb6f10..7ec03b1 100644
---- a/policy/modules/contrib/dbus.if
-+++ b/policy/modules/contrib/dbus.if
-@@ -606,6 +606,27 @@ interface(`dbus_watch_pid_dirs',`
-
- ########################################
- ##
-+## Watch system dbusd pid directory and all its parents
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`dbus_watch_pid_dir_path',`
-+ gen_require(`
-+ type system_dbusd_var_run_t;
-+ ')
-+
-+ files_watch_root_dirs($1)
-+ files_watch_var_run_dirs($1)
-+ files_search_pids($1)
-+ allow $1 system_dbusd_var_run_t:dir watch_dir_perms;
-+')
-+
-+########################################
-+##
- ## Read and write system dbus tmp socket files.
- ##
- ##
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index ea2b27e..2d8db7e 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -458,6 +458,7 @@ getty_start_services(systemd_machined_t)
- optional_policy(`
- dbus_connect_system_bus(systemd_machined_t)
- dbus_system_bus_client(systemd_machined_t)
-+ dbus_watch_pid_dir_path(systemd_machined_t)
- ')
-
- optional_policy(`
-@@ -536,6 +537,7 @@ init_named_pid_filetrans(systemd_logind_t, systemd_networkd_var_run_t, dir, "net
- optional_policy(`
- dbus_system_bus_client(systemd_networkd_t)
- dbus_connect_system_bus(systemd_networkd_t)
-+ dbus_watch_pid_dir_path(systemd_networkd_t)
- dbus_read_pid_files(systemd_networkd_t)
- dbus_read_pid_sock_files(systemd_networkd_t)
- systemd_dbus_chat_logind(systemd_networkd_t)
-@@ -862,6 +864,7 @@ userdom_dbus_send_all_users(systemd_hostnamed_t)
- optional_policy(`
- dbus_system_bus_client(systemd_hostnamed_t)
- dbus_connect_system_bus(systemd_hostnamed_t)
-+ dbus_watch_pid_dir_path(systemd_hostnamed_t)
- ')
-
- optional_policy(`
-@@ -978,7 +981,7 @@ optional_policy(`
- dbus_system_bus_client(systemd_timedated_t)
- dbus_connect_system_bus(systemd_timedated_t)
- dbus_read_pid_sock_files(systemd_timedated_t)
-- dbus_watch_pid_dirs(systemd_timedated_t)
-+ dbus_watch_pid_dir_path(systemd_timedated_t)
- dbus_watch_pid_sock_files(systemd_timedated_t)
- ')
-
-@@ -1168,8 +1171,8 @@ optional_policy(`
- dbus_connect_system_bus(systemd_resolved_t)
- dbus_read_pid_files(systemd_resolved_t)
- dbus_read_pid_sock_files(systemd_resolved_t)
-+ dbus_watch_pid_dir_path(systemd_resolved_t)
- dbus_watch_pid_sock_files(systemd_resolved_t)
-- dbus_watch_pid_dirs(systemd_resolved_t)
- systemd_dbus_chat_logind(systemd_resolved_t)
- ')
-
---
-1.8.3.1
-
diff --git a/backport-Allow-systemd-sysctl-read-the-security-state-informa.patch b/backport-Allow-systemd-sysctl-read-the-security-state-informa.patch
deleted file mode 100644
index bdbfdec..0000000
--- a/backport-Allow-systemd-sysctl-read-the-security-state-informa.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 6d9183e183a32e3ff2caadaa4942f56aa82abe91 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Mon, 21 Feb 2022 12:55:00 +0100
-Subject: [PATCH] Allow systemd-sysctl read the security state information
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6d9183e183a32e3ff2caadaa4942f56aa82abe91
-Conflict: NA
-
-Addresses the following AVC denial:
-Feb 19 14:19:22 audit[641]: AVC avc: denied { read } for pid=641 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=400 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0
-Feb 19 14:19:22 audit[641]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd162b13d0 a2=80102 a3=0 items=0 ppid=1 pid=641 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null)
-Feb 19 14:19:22 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-sysctl"
-
-Resolves: rhbz#2056207
-Signed-off-by: lujie54
----
- policy/modules/system/systemd.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 97cc111..3eabe11 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1024,6 +1024,7 @@ allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms;
- kernel_dgram_send(systemd_sysctl_t)
- kernel_request_load_module(systemd_sysctl_t)
- kernel_rw_all_sysctls(systemd_sysctl_t)
-+kernel_read_security_state(systemd_sysctl_t)
- kernel_write_security_state(systemd_sysctl_t)
-
- files_read_system_conf_files(systemd_sysctl_t)
---
-1.8.3.1
-
diff --git a/backport-Allow-systemd-watch-and-watch_reads-user-ptys.patch b/backport-Allow-systemd-watch-and-watch_reads-user-ptys.patch
deleted file mode 100644
index b9faabc..0000000
--- a/backport-Allow-systemd-watch-and-watch_reads-user-ptys.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From d3e2a2c32da4229c1c27840560074585b7762844 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 13 May 2022 19:02:56 +0200
-Subject: [PATCH] Allow systemd watch and watch_reads user ptys
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d3e2a2c32da4229c1c27840560074585b7762844
-Conflict: NA
-
-This permission is required for "systemd-run --shell" to work.
-
-The following AVC denial was addressed:
-
-type=PROCTITLE msg=audit(05/13/2022 10:57:19.765:435) : proctitle=(bash)
-type=PATH msg=audit(05/13/2022 10:57:19.765:435) : item=0 name=/dev/pts/1 inode=4 dev=00:19 mode=character,620 ouid=root ogid=tty rdev=88:01 obj=unconfined_u:object_r:user_devpts_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=CWD msg=audit(05/13/2022 10:57:19.765:435) : cwd=/
-type=SYSCALL msg=audit(05/13/2022 10:57:19.765:435) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x55e39a4fe560 a2=0x18 a3=0x0 items=1 ppid=1 pid=1109 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(bash) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
-type=AVC msg=audit(05/13/2022 10:57:19.765:435) : avc: denied { watch watch_reads } for pid=1109 comm=(bash) path=/dev/pts/1 dev="devpts" ino=4 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0
-
-The following interfaces were added:
-- userdom_watch_user_ptys
-- userdom_watch_reads_user_ptys
-
-Resolves: rhbz#1980241
-Signed-off-by: lujie54
----
- policy/modules/system/init.te | 2 ++
- policy/modules/system/userdomain.if | 36 ++++++++++++++++++++++++++++++++++++
- 2 files changed, 38 insertions(+)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index a838cdd..f772288 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -419,6
+419,8 @@ userdom_nnp_transition_login_userdomain(init_t)
- userdom_noatsecure_login_userdomain(init_t)
- userdom_sigchld_login_userdomain(init_t)
- userdom_use_user_ptys(init_t)
-+userdom_watch_user_ptys(init_t)
-+userdom_watch_reads_user_ptys(init_t)
-
- allow init_t self:process setsched;
-
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index b16984d..aeb2deb 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -3989,6 +3989,42 @@ interface(`userdom_use_user_ptys',`
-
- ########################################
- ##
-+## Watch a user pty.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_watch_user_ptys',`
-+ gen_require(`
-+ type user_devpts_t;
-+ ')
-+
-+ allow $1 user_devpts_t:chr_file watch_chr_file_perms;
-+')
-+
-+########################################
-+##
-+## Watch_reads a user pty.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_watch_reads_user_ptys',`
-+ gen_require(`
-+ type user_devpts_t;
-+ ')
-+
-+ allow $1 user_devpts_t:chr_file watch_reads_chr_file_perms;
-+')
-+
-+########################################
-+##
- ## Read and write a inherited user domain pty.
- ##
- ##
---
-1.8.3.1
-
diff --git a/backport-Allow-timedatex-dbus-chat-with-xdm.patch b/backport-Allow-timedatex-dbus-chat-with-xdm.patch
deleted file mode 100644
index 691a74d..0000000
--- a/backport-Allow-timedatex-dbus-chat-with-xdm.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 40a8223b142eb3ed9d63869b5dc447b0ede4ebf3 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 28 Jan 2022 17:04:07 +0100
-Subject: [PATCH] Allow timedatex dbus chat with xdm
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/40a8223b142eb3ed9d63869b5dc447b0ede4ebf3
-Conflict: NA
-
-Addresses the following USER_AVC denial:
-
-type=USER_AVC msg=audit(1642064568.655:164): pid=942 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetTimezone dest=:1.201 spid=6469 tpid=6505 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus"
-
-Resolves: rhbz#2040214
-Signed-off-by: lujie54
----
- policy/modules/contrib/timedatex.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/contrib/timedatex.te b/policy/modules/contrib/timedatex.te
-index 003c4c3..3a2e4db 100644
---- a/policy/modules/contrib/timedatex.te
-+++ b/policy/modules/contrib/timedatex.te
-@@ -57,6 +57,10 @@ optional_policy(`
- init_dbus_chat(timedatex_t)
-
- policykit_dbus_chat(timedatex_t)
-+
-+ optional_policy(`
-+ xserver_dbus_chat_xdm(timedatex_t)
-+ ')
- ')
-
- optional_policy(`
---
-1.8.3.1
-
diff --git a/backport-Allow-tlp-dbus-chat-with-NetworkManager.patch b/backport-Allow-tlp-dbus-chat-with-NetworkManager.patch
deleted file mode 100644
index d31f758..0000000
--- a/backport-Allow-tlp-dbus-chat-with-NetworkManager.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From e8ff8cb50ada4155ec179b016729df1b78fb55c8 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 5 Nov 2021 17:52:02 +0100
-Subject: [PATCH] Allow tlp dbus-chat with NetworkManager
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/e8ff8cb50ada4155ec179b016729df1b78fb55c8
-Conflict: NA
-
-Addresses the following AVC denial:
-type=USER_AVC msg=audit(05/11/21 09:11:56.868:303) : pid=1076 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?'
-
-Resolves: rhbz#2013439
-Signed-off-by: lujie54
----
- policy/modules/contrib/tlp.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/contrib/tlp.te b/policy/modules/contrib/tlp.te
-index 35432f1..b9491ee 100644
---- a/policy/modules/contrib/tlp.te
-+++ b/policy/modules/contrib/tlp.te
-@@ -88,6 +88,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ networkmanager_dbus_chat(tlp_t)
-+')
-+
-+optional_policy(`
- sssd_read_public_files(tlp_t)
- sssd_stream_connect(tlp_t)
- ')
---
-1.8.3.1
-
diff --git a/backport-Allow-tlp-read-its-systemd-unit.patch b/backport-Allow-tlp-read-its-systemd-unit.patch
deleted file mode 100644
index 6a751d8..0000000
--- a/backport-Allow-tlp-read-its-systemd-unit.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 6f8f2fbdaa248e9d8967456b79888b4484ca9ad7 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Mon, 10 Jan 2022 21:51:47 +0100
-Subject: [PATCH] Allow tlp read its systemd unit
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6f8f2fbdaa248e9d8967456b79888b4484ca9ad7
-Conflict: NA
-
-A tlp script executes systemctl to get status of the tlp service unit.
-
-Resolves: rhbz#2013451
-Signed-off-by: lujie54
----
- policy/modules/contrib/tlp.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/contrib/tlp.te b/policy/modules/contrib/tlp.te
-index b9491ee..e2de3b2 100644
---- a/policy/modules/contrib/tlp.te
-+++ b/policy/modules/contrib/tlp.te
-@@ -28,6 +28,8 @@ allow tlp_t self:udp_socket create_socket_perms;
- allow tlp_t self:unix_dgram_socket create_socket_perms;
- allow tlp_t self:netlink_generic_socket create_socket_perms;
-
-+allow tlp_t tlp_unit_file_t:file read_file_perms;
-+
- manage_dirs_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
- manage_files_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
- files_pid_filetrans(tlp_t, tlp_var_run_t, { dir file })
---
-1.8.3.1
-
diff --git a/backport-Allow-tumblerd-write-to-session_dbusd-tmp-socket-fil.patch b/backport-Allow-tumblerd-write-to-session_dbusd-tmp-socket-fil.patch
deleted file mode 100644
index 1758858..0000000
--- a/backport-Allow-tumblerd-write-to-session_dbusd-tmp-socket-fil.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From d9bf0729b58d4e3c0c66015961013c1cb64c4a24 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Thu, 20 Jan 2022 17:15:18 +0100
-Subject: [PATCH] Allow tumblerd write to session_dbusd tmp socket files
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d9bf0729b58d4e3c0c66015961013c1cb64c4a24
-Conflict: NA
-
-Addresses the following AVC denial:
-type=AVC msg=audit(1642635456.954:3314): avc: denied { write } for pid=104519 comm="tumblerd" name="bus" dev="tmpfs" ino=40 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0
-
-Resolves: rhbz#2042696
-Signed-off-by: lujie54
----
- policy/modules/contrib/thumb.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/thumb.te b/policy/modules/contrib/thumb.te
-index 0444a36..27eb72c 100644
---- a/policy/modules/contrib/thumb.te
-+++ b/policy/modules/contrib/thumb.te
-@@ -146,6 +146,7 @@ optional_policy(`
- dbus_stream_connect_session_bus(thumb_t)
- dbus_chat_session_bus(thumb_t)
- dbus_system_bus_client(thumb_t)
-+ dbus_write_session_tmp_sock_files(thumb_t)
- ')
-
- optional_policy(`
---
-1.8.3.1
-
diff --git a/backport-Allow-userdomain-read-symlinks-in-var-lib.patch b/backport-Allow-userdomain-read-symlinks-in-var-lib.patch
deleted file mode 100644
index 03543fe..0000000
--- a/backport-Allow-userdomain-read-symlinks-in-var-lib.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From dc983b88ad1043c43de1cc19d579debcd10a778d Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 15 Feb 2022 11:44:23 +0100
-Subject: [PATCH] Allow userdomain read symlinks in /var/lib
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/dc983b88ad1043c43de1cc19d579debcd10a778d
-Conflict: NA
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(02/15/22 11:39:56.020:247) : proctitle=/usr/bin/gnome-software --gapplication-service
-type=PATH msg=audit(02/15/22 11:39:56.020:247) : item=0 name=/var/lib/flatpak/appstream/flathub/x86_64/active/appstream.xml.gz nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=CWD msg=audit(02/15/22 11:39:56.020:247) : cwd=/home/user
-type=SYSCALL msg=audit(02/15/22 11:39:56.020:247) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7fb66c6f8da0 a1=F_OK a2=0x0 a3=0x20 items=1 ppid=1460 pid=2035 auid=user uid=user gid=user euid=user suid=user fsuid=user egid=user sgid=user fsgid=user tty=(none) ses=3 comm=pool-org.gnome. exe=/usr/bin/gnome-software subj=user_u:user_r:user_t:s0 key=(null)
-type=AVC msg=audit(02/15/22 11:39:56.020:247) : avc: denied { read } for pid=2035 comm=pool-org.gnome.
name=active dev="vda2" ino=387091 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0
-
-Signed-off-by: lujie54
----
- policy/modules/system/userdomain.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 69b460f..3ac8c12 100644
---- a/policy/modules/system/userdomain.te
-+++ b/policy/modules/system/userdomain.te
-@@ -387,6 +387,7 @@ tunable_policy(`deny_bluetooth',`',`
- dev_watch_generic_dirs(login_userdomain)
-
- files_map_var_lib_files(login_userdomain)
-+files_read_var_lib_symlinks(login_userdomain)
- files_watch_etc_dirs(login_userdomain)
- files_watch_etc_files(login_userdomain)
- files_watch_system_conf_dirs(login_userdomain)
---
-1.8.3.1
-
diff --git a/backport-Allow-userdomains-use-pam_ssh_agent_auth-for-passwor.patch b/backport-Allow-userdomains-use-pam_ssh_agent_auth-for-passwor.patch
deleted file mode 100644
index 66361fe..0000000
--- a/backport-Allow-userdomains-use-pam_ssh_agent_auth-for-passwor.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 901ac5314982f5600ef11691969b9af89aeba772 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Mon, 20 Dec 2021 14:21:33 +0100
-Subject: [PATCH] Allow userdomains use pam_ssh_agent_auth for passwordless
- sudo
-
-Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/901ac5314982f5600ef11691969b9af89aeba772
-Conflict: NA
-
-The pam_ssh_agent_auth module can be used for granting permissions based
-on SSH agent requests. When configured for using in the sudo pam module,
-it requires permissions for sudodomain to use the user socket file and
-stream connect to its corresponding userdomain.
-
-Resolves: rhbz#1917879
-Signed-off-by: lujie54
----
- policy/modules/admin/sudo.if | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 356b150..f6df896 100644
---- a/policy/modules/admin/sudo.if
-+++ b/policy/modules/admin/sudo.if
-@@ -58,6 +58,8 @@ template(`sudo_role_template',`
- allow $1_sudo_t $3:file read_file_perms;;
- allow $1_sudo_t $3:key search;
-
-+ allow $1_sudo_t $1_t:unix_stream_socket connectto;
-+
- # Enter this derived domain from the user domain
- domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
-
-@@ -99,6 +101,10 @@ template(`sudo_role_template',`
- ')
-
- optional_policy(`
-+ userdom_write_user_tmp_sockets($1_sudo_t)
-+ ')
-+
-+ optional_policy(`
- usermanage_domtrans_passwd($1_sudo_t)
- ')
- ')
---
-1.8.3.1
-
diff --git a/backport-Allow-utempter-append-to-login_userdomain-stream.patch b/backport-Allow-utempter-append-to-login_userdomain-stream.patch
deleted file mode 100644
index 5d1dcb8..0000000
--- a/backport-Allow-utempter-append-to-login_userdomain-stream.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 1c0959233b2d061dffb8e6d34b4f49d664d68af9 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 9 Sep 2022 17:38:35 +0200
-Subject: [PATCH] Allow utempter append to login_userdomain stream
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(23.8.2022 11:20:02.949:5147) : proctitle=/usr/libexec/utempter/utempter add :0
-type=PATH msg=audit(23.8.2022 11:20:02.949:5147) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=33828998 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=PATH msg=audit(23.8.2022 11:20:02.949:5147) : item=0 name=/usr/libexec/utempter/utempter inode=35940312 dev=fd:00 mode=file,sgid,711 ouid=root ogid=utmp rdev=00:00 obj=system_u:object_r:utempter_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=EXECVE msg=audit(23.8.2022 11:20:02.949:5147) : argc=3 a0=/usr/libexec/utempter/utempter a1=add a2=:0
-type=SYSCALL msg=audit(23.8.2022 11:20:02.949:5147) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x559ff13c4220 a1=0x559ff13c5170 a2=0x7ffc47314488 a3=0x8 items=2 ppid=544463 pid=544464 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=utmp sgid=utmp fsgid=utmp tty=pts17 ses=3 comm=utempter exe=/usr/libexec/utempter/utempter subj=staff_u:staff_r:utempter_t:s0-s0:c0.c1023 key=(null)
-type=AVC msg=audit(23.8.2022 11:20:02.949:5147) : avc: denied { append } for pid=544464 comm=utempter path=socket:[935095] dev="sockfs" ino=935095 scontext=staff_u:staff_r:utempter_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
-
-Signed-off-by: lujie42
----
- policy/modules/system/authlogin.te | 1 +
- policy/modules/system/userdomain.if | 18 ++++++++++++++++++
- 2 files changed, 19 insertions(+)
-
-diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 1885fa699..feabf67ab 100644
---- a/policy/modules/system/authlogin.te
-+++ b/policy/modules/system/authlogin.te
-@@ -423,6 +423,7 @@ domain_use_interactive_fds(utempter_t)
-
- logging_search_logs(utempter_t)
-
-+userdom_append_stream_userdomain(utempter_t)
- userdom_use_inherited_user_terminals(utempter_t)
- # Allow utemper to write to /tmp/.xses-*
- userdom_write_user_tmp_files(utempter_t)
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e14a3c58f..43192ae29 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -6637,6 +6637,24 @@ interface(`userdom_login_userdomain',`
- typeattribute $1 login_userdomain;
- ')
-
-+########################################
-+##
-+## Append to login_userdomain stream.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_append_stream_userdomain',`
-+ gen_require(`
-+ attribute login_userdomain;
-+ ')
-+
-+ allow $1 login_userdomain:unix_stream_socket { getattr append };
-+')
-+
- ########################################
- ##
- ## Do not audit attempts to check the
---
-2.27.0
-
diff --git a/backport-Allow-virt_domain-map-vhost-devices.patch b/backport-Allow-virt_domain-map-vhost-devices.patch
deleted file mode 100644
index 76a8c2f..0000000
--- a/backport-Allow-virt_domain-map-vhost-devices.patch
+++ /dev/null
@@ -1,67 +0,0 @@ -From 7a512a8dcaa5b522c6bf3f558fa251b6a77bccf0 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Fri, 7 Jan 2022 18:17:12 +0100 -Subject: [PATCH] Allow virt_domain map vhost devices - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/7a512a8dcaa5b522c6bf3f558fa251b6a77bccf0 -Conflict: NA - -The dev_map_vhost() interface was added. - -This commit addresses the following AVC denial: - -type=PROCTITLE msg=audit(12/26/2021 22:21:14.465:1513) : proctitle=/usr/libexec/qemu-kvm -name guest=r9,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"raw","file":"/ -type=AVC msg=audit(12/26/2021 22:21:14.465:1513) : avc: denied { map } for pid=31328 comm=CPU 0/KVM path=/dev/vhost-vdpa-0 dev="devtmpfs" ino=876 scontext=system_u:system_r:svirt_t:s0:c135,c969 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=0 -type=SYSCALL msg=audit(12/26/2021 22:21:14.465:1513) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x1000 a2=PROT_WRITE a3=MAP_SHARED items=0 ppid=1 pid=31328 auid=unset uid=unknown(107) gid=unknown(107) euid=unknown(107) suid=unknown(107) fsuid=unknown(107) egid=unknown(107) sgid=unknown(107) fsgid=unknown(107) tty=(none) ses=unset comm=CPU 0/KVM exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c135,c969 key=(null) - -Resolves: rhbz#2035702 -Signed-off-by: lujie54 ---- - policy/modules/contrib/virt.te | 1 + - policy/modules/kernel/devices.if | 18 ++++++++++++++++++ - 2 files changed, 19 insertions(+) - -diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te -index b14222b..340056b 100644 ---- a/policy/modules/contrib/virt.te -+++ b/policy/modules/contrib/virt.te -@@ -969,6 +969,7 @@ dev_rw_infiniband_dev(virt_domain) - dev_rw_dri(virt_domain) - dev_rw_tpm(virt_domain) - dev_rw_xserver_misc(virt_domain) -+dev_map_vhost(virt_domain) - - domain_use_interactive_fds(virt_domain) - -diff --git a/policy/modules/kernel/devices.if 
b/policy/modules/kernel/devices.if -index f7f8e98..51d9ab4 100644 ---- a/policy/modules/kernel/devices.if -+++ b/policy/modules/kernel/devices.if -@@ -5964,6 +5964,24 @@ interface(`dev_rw_inherited_vhost',` - - ######################################## - ## -+## Allow map the vhost devices -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_map_vhost',` -+ gen_require(` -+ type device_t, vhost_device_t; -+ ') -+ -+ allow $1 vhost_device_t:chr_file map; -+') -+ -+######################################## -+## - ## Read and write VMWare devices. - ## - ## --- -1.8.3.1 - diff --git a/backport-Allow-xdm-read-the-kernel-key-ring.patch b/backport-Allow-xdm-read-the-kernel-key-ring.patch deleted file mode 100644 index 2022b02..0000000 --- a/backport-Allow-xdm-read-the-kernel-key-ring.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 400c278dc20c89d2b85a351c9a6567d3fb348a01 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Wed, 10 Aug 2022 17:26:03 +0200 -Subject: [PATCH] Allow xdm read the kernel key ring - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/400c278dc20c89d2b85a351c9a6567d3fb348a01 -Conflict: NA - -The kernel_read_key() interface was added. - -Addresses the following AVC denial: -type=PROCTITLE msg=audit(28.7.2022 13:38:34.889:250) : proctitle=gdm-session-worker [pam/gdm-autologin] -type=SYSCALL msg=audit(28.7.2022 13:38:34.889:250) : arch=x86_64 syscall=keyctl success=yes exit=10 a0=0xb a1=0x1276ecec a2=0x0 a3=0x0 items=0 ppid=1417 pid=1455 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(28.7.2022 13:38:34.889:250) : avc: denied { read } for pid=1455 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0 - -Resolves: rhbz#2111834 -Signed-off-by: lujie54 ---- - policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ - policy/modules/services/xserver.te | 1 + - 2 files changed, 19 insertions(+) - -diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 6828750..8ffd498 100644 ---- a/policy/modules/kernel/kernel.if -+++ b/policy/modules/kernel/kernel.if -@@ -510,6 +510,24 @@ interface(`kernel_rw_key',` - - ######################################## - ## -+## Allow read the kernel key ring. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kernel_read_key',` -+ gen_require(` -+ type kernel_t; -+ ') -+ -+ allow $1 kernel_t:key read; -+') -+ -+######################################## -+## - ## Allow view the kernel key ring. 
- ## - ## -diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index cc215b8..6638ed9 100644 ---- a/policy/modules/services/xserver.te -+++ b/policy/modules/services/xserver.te -@@ -566,6 +566,7 @@ kernel_read_net_sysctls(xdm_t) - kernel_read_network_state(xdm_t) - kernel_request_load_module(xdm_t) - kernel_stream_connect(xdm_t) -+kernel_read_key(xdm_t) - kernel_view_key(xdm_t) - - corecmd_exec_shell(xdm_t) --- -1.8.3.1 - diff --git a/backport-Allow-xenstored-change-its-hard-resource-limits.patch b/backport-Allow-xenstored-change-its-hard-resource-limits.patch deleted file mode 100644 index 3509bc1..0000000 --- a/backport-Allow-xenstored-change-its-hard-resource-limits.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From ad912918e04aefd676e3a2772d7252a978652695 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 26 Sep 2022 15:00:49 +0200 -Subject: [PATCH] Allow xenstored change its hard resource limits - -Addresses the following AVC denial: - -type=PROCTITLE msg=audit(09/23/2022 14:49:28.646:155) : proctitle=prlimit --nofile=1073741816 /usr/sbin/xenstored --pid-file /var/run/xen/xenstored.pid -type=SYSCALL msg=audit(09/23/2022 14:49:28.646:155) : arch=x86_64 syscall=prlimit64 success=no exit=EACCES(Permission denied) a0=0x0 a1=0x7 a2=0x55fa676e15b0 a3=0x0 items=0 ppid=532 pid=536 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=prlimit exe=/usr/bin/prlimit subj=system_u:system_r:xenstored_t:s0 key=(null) -type=AVC msg=audit(09/23/2022 14:49:28.646:155) : avc: denied { setrlimit } for pid=536 comm=prlimit scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=process permissive=0 - -Resolves: rhbz#2125693 -Signed-off-by: lujie42 ---- - policy/modules/contrib/xen.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te -index bbda6032b..6e1e83b4d 100644 ---- a/policy/modules/contrib/xen.te -+++ b/policy/modules/contrib/xen.te -@@ -423,6 +423,7 @@ optional_policy(` - # - - allow xenstored_t self:capability { dac_read_search ipc_lock sys_resource }; -+allow xenstored_t self:process setrlimit; - allow xenstored_t self:unix_stream_socket create_stream_socket_perms; - allow xenstored_t self:unix_dgram_socket create_socket_perms; - --- -2.27.0 - diff --git a/backport-Do-not-allow-login_userdomain-use-sd_notify.patch b/backport-Do-not-allow-login_userdomain-use-sd_notify.patch deleted file mode 100644 index 722bb1f..0000000 --- a/backport-Do-not-allow-login_userdomain-use-sd_notify.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 722bd1fc180b12193c2d551c82eda101f26c098f Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 8 Aug 2022 17:35:10 +0200 -Subject: [PATCH] Do not allow login_userdomain use sd_notify() - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/722bd1fc180b12193c2d551c82eda101f26c098f -Conflict: NA - -This commit partially reverts the ea76c5e8b586 ("Allow some domains use -sd_notify()") commit. While any systemd service should be allowed to -use sd_notify, which includes unconfined_service_t, login userdomains -should only talk to user service manager which runs in the respective -userdomain. - -Signed-off-by: lujie54 ---- - policy/modules/system/userdomain.te | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 0980247..3ac8c12 100644 ---- a/policy/modules/system/userdomain.te -+++ b/policy/modules/system/userdomain.te -@@ -400,8 +400,6 @@ files_watch_generic_tmp_dirs(login_userdomain) - fs_create_cgroup_files(login_userdomain) - fs_watch_cgroup_files(login_userdomain) - --init_use_notify(login_userdomain) -- - libs_watch_lib_dirs(login_userdomain) - - miscfiles_watch_fonts_dirs(login_userdomain) --- -1.8.3.1 - diff --git a/backport-Ensure-that-run-systemd-are-properly-labeled.patch b/backport-Ensure-that-run-systemd-are-properly-labeled.patch deleted file mode 100644 index e8b4c8e..0000000 --- a/backport-Ensure-that-run-systemd-are-properly-labeled.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 5c05ced263586a9e7e92a045ab7b8e4454d6f4ff Mon Sep 17 00:00:00 2001 -From: Demi Marie Obenour -Date: Tue, 30 Nov 2021 18:50:55 -0500 -Subject: [PATCH] Ensure that `/run/systemd/*` are properly labeled - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/5c05ced263586a9e7e92a045ab7b8e4454d6f4ff -Conflict: NA - -`/run/systemd/generator.{early,late}` were not covered by the type_transition rules. - -Signed-off-by: lujie54 ---- - policy/modules/system/init.if | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index ced08f3..7bd438e 100644 ---- a/policy/modules/system/init.if -+++ b/policy/modules/system/init.if -@@ -3288,7 +3288,7 @@ interface(`init_filetrans_named_content',` - type initrc_var_run_t; - type machineid_t; - type initctl_t; -- type systemd_unit_file_t; -+ type systemd_unit_file_t; - ') - - files_pid_filetrans($1, initrc_var_run_t, file, "utmp") -@@ -3296,6 +3296,8 @@ interface(`init_filetrans_named_content',` - files_etc_filetrans($1, machineid_t, file, "machine-id" ) - files_pid_filetrans($1, initctl_t, fifo_file, "fifo" ) - init_pid_filetrans($1, systemd_unit_file_t, dir, "generator") -+ init_pid_filetrans($1, systemd_unit_file_t, dir, "generator.early") -+ init_pid_filetrans($1, systemd_unit_file_t, dir, "generator.late") - init_pid_filetrans($1, systemd_unit_file_t, dir, "system") - ') - --- -1.8.3.1 - diff --git a/backport-Label-var-run-ecblp0-pipe-with-cupsd_var_run_t.patch b/backport-Label-var-run-ecblp0-pipe-with-cupsd_var_run_t.patch deleted file mode 100644 index be5c577..0000000 --- a/backport-Label-var-run-ecblp0-pipe-with-cupsd_var_run_t.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From a203bc37147e4480375faebc76021e7548790c70 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 14 Mar 2022 14:20:15 +0100 -Subject: [PATCH] Label /var/run/ecblp0 pipe with cupsd_var_run_t - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/a203bc37147e4480375faebc76021e7548790c70 -Conflict: NA - -With the edce3e31ec2 (Label /var/run/ecblp0 as cupsd_var_run_t) commit, -default file context for /var/run/ecblp0 was defined for a plain file -instead of a named pipe which is actually used by epson drivers. - -Resolves: rhbz#2061427 -Signed-off-by: lujie54 ---- - policy/modules/contrib/cups.fc | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/contrib/cups.fc b/policy/modules/contrib/cups.fc -index f09217f..467eb7e 100644 ---- a/policy/modules/contrib/cups.fc -+++ b/policy/modules/contrib/cups.fc -@@ -70,7 +70,7 @@ - /var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) - /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh) - /var/run/hplip(/.*) gen_context(system_u:object_r:cupsd_var_run_t,s0) --/var/run/ecblp0 -- gen_context(system_u:object_r:cupsd_var_run_t,s0) -+/var/run/ecblp0 -p gen_context(system_u:object_r:cupsd_var_run_t,s0) - /var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0) - /var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0) - /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) --- -1.8.3.1 - diff --git a/backport-Support-using-systemd-update-helper-in-rpm-scriptlet.patch b/backport-Support-using-systemd-update-helper-in-rpm-scriptlet.patch deleted file mode 100644 index 0dd67a1..0000000 --- a/backport-Support-using-systemd-update-helper-in-rpm-scriptlet.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From f5b0c2d2f6ed3f4039129eb7c76b91f6cf819498 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Fri, 8 Jul 2022 15:20:59 +0200 -Subject: [PATCH] Support using systemd-update-helper in rpm scriptlets - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/f5b0c2d2f6ed3f4039129eb7c76b91f6cf819498 -Conflict: NA - -Addresses the following AVC denials, dontaudited by default: -type=AVC msg=audit(07/08/2022 15:03:18.969:819) : avc: denied { read write } for pid=1 comm=systemd path=socket:[47621] dev="sockfs" ino=47621 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 - -type=PROCTITLE msg=audit(07/08/2022 15:06:59.478:968) : proctitle=dbus-broker --log 4 --controller 9 --machine-id 31c23619ce0349e999f66291729cc4f6 --max-bytes 536870912 --max-fds 4096 --max-matc -type=SYSCALL msg=audit(07/08/2022 15:06:59.478:968) : arch=x86_64 syscall=recvmsg success=yes exit=720 a0=0x10 a1=0x7ffe701a5890 a2=MSG_DONTWAIT|MSG_CMSG_CLOEXEC a3=0xffffffff items=0 ppid=561 pid=567 auid=unset uid=dbus gid=dbus euid=dbus suid=dbus fsuid=dbus egid=dbus sgid=dbus fsgid=dbus tty=(none) ses=unset comm=dbus-broker exe=/usr/bin/dbus-broker subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null) -type=AVC msg=audit(07/08/2022 15:06:59.478:968) : avc: denied { read write } for pid=567 comm=dbus-broker path=socket:[51281] dev="sockfs" ino=51281 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 - -The rpm_script_rw_stream_sockets() interface was added. 
- -Resolves: rhbz#2100528 -Signed-off-by: lujie54 ---- - policy/modules/contrib/dbus.te | 4 ++++ - policy/modules/contrib/rpm.if | 20 ++++++++++++++++++++ - policy/modules/system/init.te | 1 + - 3 files changed, 25 insertions(+) - -diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te -index ced5149..a0f5679 100644 ---- a/policy/modules/contrib/dbus.te -+++ b/policy/modules/contrib/dbus.te -@@ -215,6 +215,10 @@ optional_policy(` - ') - - optional_policy(` -+ rpm_script_rw_stream_sockets(system_dbusd_t) -+') -+ -+optional_policy(` - snapper_read_inherited_pipe(system_dbusd_t) - ') - -diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if -index 190f3e2..c6833ba 100644 ---- a/policy/modules/contrib/rpm.if -+++ b/policy/modules/contrib/rpm.if -@@ -958,6 +958,7 @@ interface(`rpm_admin',` - rpm_run($1, $2) - ') - -+####################################### - ## - ## Allow the specified domain to ioctl rpm_script_t - ## with a unix domain stream socket. -@@ -975,3 +976,22 @@ interface(`rpm_script_ioctl_stream_sockets',` - - allow $1 rpm_script_t:unix_stream_socket ioctl; - ') -+ -+####################################### -+## -+## Allow the specified domain read and write to rpm_script_t -+## over a unix domain stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`rpm_script_rw_stream_sockets',` -+ gen_require(` -+ type rpm_script_t; -+ ') -+ -+ allow $1 rpm_script_t:unix_stream_socket { read write }; -+') -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index f772288..f12a937 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -521,6 +521,7 @@ optional_policy(` - optional_policy(` - rpm_read_db(init_t) - rpm_script_ioctl_stream_sockets(init_t) -+ rpm_script_rw_stream_sockets(init_t) - ') - - optional_policy(` --- -1.8.3.1 - 
diff --git a/backport-Update-chronyd_pid_filetrans-to-allow-create-dirs.patch b/backport-Update-chronyd_pid_filetrans-to-allow-create-dirs.patch deleted file mode 100644 index 4db1dcf..0000000 --- a/backport-Update-chronyd_pid_filetrans-to-allow-create-dirs.patch +++ /dev/null @@ -1,31 +0,0 @@ -From d251c0553ecc432f0aa8a6769e76795902b9ebcd Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Tue, 8 Feb 2022 18:33:51 +0100 -Subject: [PATCH] Update chronyd_pid_filetrans() to allow create dirs - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d251c0553ecc432f0aa8a6769e76795902b9ebcd -Conflict: NA - -The chronyd_pid_filetrans() interface was updated so that the caller -domain is now allowed to create the /run/chrony-dhcp directory. - -Signed-off-by: lujie54 ---- - policy/modules/contrib/chronyd.if | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if -index 3d47264..cad4d31 100644 ---- a/policy/modules/contrib/chronyd.if -+++ b/policy/modules/contrib/chronyd.if -@@ -252,6 +252,7 @@ interface(`chronyd_pid_filetrans',` - type chronyd_var_run_t; - ') - -+ create_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t) - files_pid_filetrans($1, chronyd_var_run_t, dir, "chrony-dhcp") - ') - --- -1.8.3.1 - diff --git a/backport-Update-userdom_exec_user_tmp_files-with-an-entrypoin.patch b/backport-Update-userdom_exec_user_tmp_files-with-an-entrypoin.patch deleted file mode 100644 index 75d0dca..0000000 --- a/backport-Update-userdom_exec_user_tmp_files-with-an-entrypoin.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 84f1d7c3fe6113effd8eedc2a6602c72fd5d482c Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 18 Nov 2021 19:08:05 +0100 -Subject: [PATCH] Update userdom_exec_user_tmp_files() with an entrypoint rule - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/84f1d7c3fe6113effd8eedc2a6602c72fd5d482c -Conflict: NA - -The userdom_exec_user_tmp_files() interface contains rules -to allow execution of user temporary files, but there were no rules -containing the executable type as entrypoint. - -Resolves: rhbz#1966945 -Signed-off-by: lujie54 ---- - policy/modules/system/userdomain.if | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index d5a4094..cb56d28 100644 ---- a/policy/modules/system/userdomain.if -+++ b/policy/modules/system/userdomain.if -@@ -556,6 +556,7 @@ interface(`userdom_exec_user_tmp_files',` - type user_tmp_t; - ') - -+ allow $1 user_tmp_t:file entrypoint; - exec_files_pattern($1, user_tmp_t, user_tmp_t) - dontaudit $1 user_tmp_t:sock_file execute; - files_search_tmp($1) --- -1.8.3.1 - diff --git a/backport-blueman-mechanism-can-read-.local-lib-python-site-pa.patch b/backport-blueman-mechanism-can-read-.local-lib-python-site-pa.patch deleted file mode 100644 index 3b6dfc0..0000000 --- a/backport-blueman-mechanism-can-read-.local-lib-python-site-pa.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 284df66be2e1432333b8134606b30fd76c877123 Mon Sep 17 00:00:00 2001 -From: Milos Malik -Date: Wed, 7 Sep 2022 09:57:13 +0200 -Subject: [PATCH] blueman-mechanism can read ~/.local/lib/python*/site-packages - directory - -If the ~/.local/lib/python*/site-packages/ directory exists in root's -home directory then the blueman-mechanism service tries to read that -directory during its start. - -The blueman-mechanism program is written in Python and I believe that -Python is trying to find locally installed python modules. - -In order to avoid these SELinux denials, SELinux policy should allow -the access. - -Resolves: BZ#2027044 -Signed-off-by: lujie42 ---- - policy/modules/contrib/blueman.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/contrib/blueman.te b/policy/modules/contrib/blueman.te -index 4389ad441..305c5270c 100644 ---- a/policy/modules/contrib/blueman.te -+++ b/policy/modules/contrib/blueman.te -@@ -93,7 +93,7 @@ optional_policy(` - ') - - optional_policy(` -- gnome_search_gconf(blueman_t) -+ gnome_search_gconf_data_dir(blueman_t) - ') - - optional_policy(` --- -2.27.0 - diff --git a/backport-filesystem-add-fs_use_trans-for-ramfs.patch b/backport-filesystem-add-fs_use_trans-for-ramfs.patch deleted file mode 100644 index 5680fc4..0000000 --- a/backport-filesystem-add-fs_use_trans-for-ramfs.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From a7697467e082ffd4f68a9e03539db3578b5f34d5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Wed, 27 Oct 2021 21:18:27 +0200 -Subject: [PATCH] filesystem: add fs_use_trans for ramfs -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/a7697467e082ffd4f68a9e03539db3578b5f34d5 -Conflict: NA - -Enable extended attributes for inodes on ramfs filesystems, similar to -tmpfs filesystems. - -For example systemd uses ramfs for service credentials[1], and xattr -support is needed for per service based labeling[2]. - -[1]: https://www.freedesktop.org/software/systemd/man/systemd-creds.html -[2]: https://github.com/systemd/systemd/pull/21158 - -Signed-off-by: Christian Göttsche -Signed-off-by: lujie54 ---- - policy/modules/kernel/filesystem.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 1941da1..6a2ad8c 100644 ---- a/policy/modules/kernel/filesystem.te -+++ b/policy/modules/kernel/filesystem.te -@@ -178,7 +178,7 @@ genfscon pstore / gen_context(system_u:object_r:pstore_t,s0) - type ramfs_t; - fs_type(ramfs_t) - files_mountpoint(ramfs_t) --genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0) -+fs_use_trans ramfs gen_context(system_u:object_r:ramfs_t,s0); - - type romfs_t; - fs_type(romfs_t) --- -1.8.3.1 - diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf index 16c50db..fdbdce0 100644 --- a/modules-targeted-contrib.conf +++ b/modules-targeted-contrib.conf @@ -342,13 +342,6 @@ cmirrord = module # cobbler = module -# Layer: contrib -# Module: cockpit -# -# cockpit - Cockpit runs in a browser and can manage your network of GNU/Linux machines. -# -cockpit = module - # Layer: services # Module: collectd # 
@@ -2381,13 +2374,6 @@ minissdpd = module # freeipmi = module -# Layer: contrib -# Module: freeipmi -# -# ipa policy module contain SELinux policies for IPA services -# -ipa = module - # Layer: contrib # Module: mirrormanager # diff --git a/selinux-policy-02b35cf.tar.gz b/selinux-policy-02b35cf.tar.gz deleted file mode 100644 index f66b9a8..0000000 Binary files a/selinux-policy-02b35cf.tar.gz and /dev/null differ diff --git a/selinux-policy.spec b/selinux-policy.spec index 86b0428..fd66cef 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -6,17 +6,17 @@ %define BUILD_MINIMUM 1 %define BUILD_MLS 1 %define POLICYVER 33 -%define POLICYCOREUTILSVER 3.2 +%define POLICYCOREUTILSVER 3.4 %define CHECKPOLICYVER 3.2 Summary: SELinux policy configuration Name: selinux-policy -Version: 35.5 -Release: 17 +Version: 38.6 +Release: 1 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ -Source0: https://github.com/fedora-selinux/selinux-policy/archive/02b35cff10d8743e075379c062f565f2bb97c032/selinux-policy-02b35cf.tar.gz +Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v38.6.tar.gz # Tool helps during policy development, to expand system m4 macros to raw allow rules # Git repo: https://github.com/fedora-selinux/macro-expander.git 
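Review bot: The new `Source0` line in the `@@ -6,17 +6,17 @@` hunk points at GitHub's on-demand tag archive (`refs/tags/v38.6.tar.gz`) where the removed line addressed an archive by full commit hash, and neither line carries a digest. A tag is a movable reference and the archive is generated per request, so the URL no longer pins the build input to specific content the way the commit-addressed form did; the tarball committed later in this diff is what actually gets built, but the URL is what documents where it came from. Consider keeping the commit-hash form of the archive URL for the tagged commit, or recording the tarball's digest next to it, so provenance stays verifiable; the `%setup -n %{name}-%{version}` change in a later hunk would then need the matching directory name.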
@@ -64,134 +64,6 @@ Patch8: allow-rpcbind-to-bind-all-port.patch Patch9: add-avc-for-systemd-journald.patch Patch10: add-avc-for-systemd.patch -Patch6000: backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch -Patch6001: backport-Allow-chage-domtrans-to-sssd.patch -Patch6002: backport-Allow-domtrans-to-sssd_t-and-role-access-to-sssd.patch -Patch6003: backport-Allow-tlp-dbus-chat-with-NetworkManager.patch -Patch6004: backport-Allow-redis-get-attributes-of-filesystems-with-exten.patch -Patch6005: backport-Allow-rpmdb-read-admin-home-config-files.patch -Patch6006: backport-Allow-rpmdb-read-generic-SSL-certificates.patch -Patch6007: backport-Allow-PID-1-and-dbus-broker-IPC-with-a-systemd-user-.patch -Patch6008: backport-Allow-sudodomain-send-a-null-signal-to-sshd-processe.patch -Patch6009: backport-Update-userdom_exec_user_tmp_files-with-an-entrypoin.patch -Patch6010: backport-Allow-svnserve-send-mail-from-the-system.patch -Patch6011: backport-Allow-cloud-init-dbus-chat-with-systemd-logind.patch -Patch6012: backport-Allow-smbcontrol-use-additional-socket-types.patch -Patch6013: backport-Allow-login_userdomain-open-read-map-system-journal.patch -Patch6014: backport-Allow-lldpd-use-an-snmp-subagent-over-a-tcp-socket.patch -Patch6015: backport-Allow-rhsmcertd-get-attributes-of-tmpfs_t-filesystem.patch -Patch6016: backport-Allow-dnsmasq-watch-etc-dnsmasq.d-directories.patch -Patch6017: backport-Allow-systemd-read-unlabeled-symbolic-links.patch -Patch6018: backport-Allow-sudodomains-execute-passwd-in-the-passwd-domai.patch -Patch6019: backport-Allow-userdomains-use-pam_ssh_agent_auth-for-passwor.patch -Patch6020: backport-Allow-sysadm-execute-sysadmctl-in-sysadm_t-domain-us.patch -Patch6021: backport-Allow-haproxy-get-attributes-of-cgroup-filesystems.patch -Patch6022: backport-Allow-haproxy-get-attributes-of-filesystems-with-ext.patch -Patch6023: backport-Allow-lldpd-connect-to-snmpd-with-a-unix-domain-stre.patch -Patch6024: 
backport-Allow-admin-userdomains-use-socketpair.patch -Patch6025: backport-Ensure-that-run-systemd-are-properly-labeled.patch -Patch6026: backport-Allow-fcoemon-request-the-kernel-to-load-a-module.patch -Patch6027: backport-Allow-virt_domain-map-vhost-devices.patch -Patch6028: backport-Allow-smbcontrol-read-the-network-state-information.patch -Patch6029: backport-Allow-sssd_kcm-read-and-write-z90crypt-device.patch -Patch6030: backport-Allow-gssproxy-read-and-write-z90crypt-device.patch -Patch6031: backport-Allow-gssproxy-read-write-and-map-ica-tmpfs-files.patch -Patch6032: backport-Allow-gssproxy-access-to-various-system-files.patch -Patch6033: backport-Allow-tlp-read-its-systemd-unit.patch -Patch6034: backport-Allow-sshd-read-filesystem-sysctl-files.patch -Patch6035: backport-Allow-sysadm_t-start-and-stop-transient-services.patch -Patch6036: backport-Allow-administrative-users-the-bpf-capability.patch -Patch6037: backport-Allow-kpropd-get-attributes-of-cgroup-filesystems.patch -Patch6038: backport-Allow-systemd-logind-delete-session_dbusd-tmp-socket.patch -Patch6039: backport-Allow-login_userdomain-create-session_dbusd-tmp-sock.patch -Patch6040: backport-Allow-systemd-coredump-read-and-write-usermodehelper.patch -Patch6041: backport-Allow-systemd-coredump-userns-capabilities-and-root-.patch -Patch6042: backport-Allow-systemd-io-bridge-ioctl-rpm_script_t.patch -Patch6043: backport-Allow-login_userdomain-watch-generic-directories-in-.patch -Patch6044: backport-Allow-login_userdomain-watch-various-files-and-dirs.patch -Patch6045: backport-Allow-login_userdomain-watch-localization-directorie.patch -Patch6046: backport-Allow-login_userdomain-watch-accountsd-lib-directori.patch -Patch6047: backport-Allow-login_userdomain-watch-systemd-logind-PID-dire.patch -Patch6048: backport-Allow-login_userdomain-watch-systemd-machined-PID-di.patch -Patch6049: backport-Allow-login_userdomain-write-to-session_dbusd-tmp-so.patch -Patch6050: 
backport-Allow-tumblerd-write-to-session_dbusd-tmp-socket-fil.patch -Patch6051: backport-Allow-NetworkManager-talk-with-unconfined-user-over-.patch -Patch6052: backport-Allow-timedatex-dbus-chat-with-xdm.patch -Patch6053: backport-Allow-init-delete-generic-tmp-named-pipes.patch -Patch6054: backport-Allow-alsa-bind-mixer-controls-to-led-triggers.patch -Patch6055: backport-Allow-ModemManager-connect-to-the-unconfined-user-do.patch -Patch6056: backport-Allow-systemd-services-watch-dbusd-pid-directory-and.patch -Patch6057: backport-Allow-init-read-stratis-data-symlinks.patch -Patch6058: backport-Allow-sanlock-get-attributes-of-filesystems-with-ext.patch -Patch6059: backport-Add-the-map-permission-to-common_anon_inode_perm-per.patch -Patch6060: backport-Update-chronyd_pid_filetrans-to-allow-create-dirs.patch -Patch6061: backport-Allow-alsactl-set-group-Process-ID-of-a-process.patch -Patch6062: backport-Allow-login_userdomain-read-systemd-runtime-files.patch -Patch6063: backport-Allow-login_userdomain-watch-system-configuration-di.patch -Patch6064: backport-Allow-login_userdomain-watch-library-and-fonts-dirs.patch -Patch6065: backport-Allow-login_userdomain-map-var-lib-directories.patch -Patch6066: backport-Allow-confined-sysadmin-to-use-tool-vipw.patch -Patch6067: backport-Allow-sysadm_passwd_t-to-relabel-passwd-and-group-fi.patch -Patch6068: backport-Allow-systemd-networkd-create-and-use-netlink-netfil.patch -Patch6069: backport-Allow-iptables-list-cgroup-directories.patch -Patch6070: backport-filesystem-add-fs_use_trans-for-ramfs.patch -Patch6071: backport-Allow-userdomain-read-symlinks-in-var-lib.patch -Patch6072: backport-Allow-systemd-sysctl-read-the-security-state-informa.patch -Patch6073: backport-Allow-sosreport-dbus-chat-abrt-systemd-timedatex.patch -Patch6074: backport-Allow-chronyd-send-a-message-to-sosreport-over-datag.patch -Patch6075: backport-Allow-systemd-logind-dbus-chat-with-sosreport.patch -Patch6076: 
backport-Allow-init-watch-and-watch_reads-user-ttys.patch -Patch6077: backport-Allow-rngd-drop-privileges-via-setuid-setgid-setcap.patch -Patch6078: backport-Allow-rpmdb-create-directory-in-usr-lib-sysimage.patch -Patch6079: backport-Label-var-run-ecblp0-pipe-with-cupsd_var_run_t.patch -Patch6080: backport-Add-systemd_getattr_generic_unit_files-interface.patch -Patch6081: backport-Allow-chronyd-talk-with-unconfined-user-over-unix-do.patch -Patch6082: backport-Add-the-init_append_stream_sockets-interface.patch -Patch6083: backport-Add-the-corecmd_watch_bin_dirs-interface.patch -Patch6084: backport-Allow-pcscd-the-sys_ptrace-userns-capability.patch -Patch6085: backport-Allow-system-dbus-daemon-watch-generic-directories-i.patch -Patch6086: backport-Allow-pppd-create-a-file-in-the-locks-directory.patch -Patch6087: backport-Allow-keepalived-setsched-and-sys_nice.patch -Patch6088: backport-Allow-sssd-domtrans-to-pkcs_slotd_t.patch -Patch6089: backport-Allow-systemd-gpt-auto-generator-create-and-use-netl.patch -Patch6090: backport-Support-using-systemd-update-helper-in-rpm-scriptlet.patch -Patch6091: backport-Allow-systemd-watch-and-watch_reads-user-ptys.patch -Patch6092: backport-Allow-iscsid-the-sys_ptrace-userns-capability.patch -Patch6093: backport-Allow-firewalld-read-the-contents-of-the-sysfs-files.patch -Patch6094: backport-Allow-domain-use-userfaultfd-over-all-domains.patch -Patch6095: backport-Add-permissions-to-manage-lnk_files-into-gnome_manag.patch -Patch6096: backport-Allow-dhclient-manage-pid-files-used-by-chronyd.patch -Patch6097: backport-Add-the-userdom_prog_run_bpf_userdomain-interface.patch -Patch6098: backport-Allow-sysadm_t-to-run-bpftool-on-the-userdomain-attr.patch -Patch6099: backport-Allow-pmie-read-network-state-information-and-networ.patch -Patch6100: backport-Allow-pmdalinux-read-files-on-an-nfsd-filesystem.patch -Patch6101: backport-Allow-some-domains-use-sd_notify.patch -Patch6102: backport-Do-not-allow-login_userdomain-use-sd_notify.patch 
-Patch6103: backport-Allow-services-execute-systemd-notify.patch -Patch6104: backport-Allow-openvswitch-search-tracefs-dirs.patch -Patch6105: backport-Allow-openvswitch-use-its-private-tmpfs-files-and-di.patch -Patch6106: backport-Allow-openvswitch-fsetid-capability.patch -Patch6107: backport-Allow-launch-xenstored-read-filesystem-sysctls.patch -Patch6108: backport-Allow-login_userdomain-check-status-of-mount-units.patch -Patch6109: backport-Allow-xdm-read-the-kernel-key-ring.patch -Patch6110: backport-Allow-ssh-client-read-kerberos-homedir-config-files.patch -Patch6111: backport-Allow-ipsec_t-read-write-tpm-devices.patch -Patch6112: backport-Allow-httpd-read-network-sysctls.patch -Patch6113: backport-Allow-pcp-pmcd-search-tracefs-and-acct_data-dirs.patch -Patch6114: backport-Allow-systemd-gpt-auto-generator-to-check-for-empty-.patch -Patch6115: backport-Allow-login_userdomain-watch-various-directories.patch -Patch6116: backport-Allow-staff_u-and-user_u-users-write-to-bolt-pipe.patch -Patch6117: backport-Allow-login_userdomain-write-to-boltd-named-pipes.patch -Patch6118: backport-Allow-utempter-append-to-login_userdomain-stream.patch -Patch6119: backport-blueman-mechanism-can-read-.local-lib-python-site-pa.patch -Patch6120: backport-Allow-init-read-write-inherited-user-fifo-files.patch -Patch6121: backport-Add-numad-the-ipc_owner-capability.patch -Patch6122: backport-Add-bgpd-sys_chroot-capability.patch -Patch6123: backport-Allow-init-remount-all-file_type-filesystems.patch -Patch6124: backport-Allow-xenstored-change-its-hard-resource-limits.patch -Patch6125: backport-Allow-init-map-its-private-tmp-files.patch -Patch6126: backport-Allow-sss-daemons-read-write-unnamed-pipes-of-cloud-.patch - Patch9000: add-qemu_exec_t-for-stratovirt.patch Patch9001: fix-context-of-usr-bin-rpmdb.patch Patch9002: Add-permission-open-to-files_read_inherited_tmp_file.patch 
@@ -313,6 +185,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \
 %nil
 %define relabel() \
@@ -424,7 +297,7 @@ end
 %build
 %prep
-%setup -n %{name}-02b35cff10d8743e075379c062f565f2bb97c032 -q
+%setup -n %{name}-%{version} -q
 tar -C policy/modules/contrib -xf %{SOURCE35}
 %autopatch -p1
@@ -866,6 +739,9 @@ exit 0
 %endif
 %changelog
+* Wed Feb 1 2023 zhangguangzhi - 38.6-1
+- update version to 38.6
+
 * Thu Dec 29 2022 lixiao - 35.5-17
 - add rule for hostnamed to rpmscript dbus chat
diff --git a/users-minimum b/users-minimum
index 8207eed..72cbbe0 100644
--- a/users-minimum
+++ b/users-minimum
@@ -36,3 +36,4 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 # gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user,unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/users-mls b/users-mls
index 05d2671..8fad9ea 100644
--- a/users-mls
+++ b/users-mls
@@ -36,3 +36,5 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 # gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/users-targeted b/users-targeted
index 8207eed..a875306 100644
--- a/users-targeted
+++ b/users-targeted
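Review bot: The `gen_user(unconfined_u, user,unconfined_r system_r, ...)` line added to users-minimum is missing the space after `user,`, unlike the otherwise identical entry added to users-targeted; m4 tolerates it, but the three users files are easiest to audit when their entries diff cleanly, so it should read `gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)`. This entry grants unconfined_u the full `s0 - mls_systemhigh` range with `mcs_allcats`, the same scope as the commented-out root example directly above it, which is a notable widening of the minimum policy's user set and deserves a one-line rationale next to it, e.g. `# unconfined_u: kept identical to the users-targeted entry`.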
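Review bot: The new `gen_user(guest_u, user, guest_r, s0, s0)` and `gen_user(xguest_u, user, xguest_r, s0, s0)` lines in users-mls reference guest_r and xguest_r, which are presumably declared only by the guest and xguest role modules; if either module is not enabled for the mls build, the policy fails to build or load with an undeclared role rather than degrading quietly. The module lists are not visible in this chunk, so please confirm both modules are enabled for the mls variant (the same two lines are also added to users-targeted). Confining both users to `s0, s0` with no categories, in contrast to the sysadm_u entry in the hunk header, is the appropriate low-privilege default for guest identities.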
@@ -36,3 +36,6 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 # gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/v38.6.tar.gz b/v38.6.tar.gz
new file mode 100644
index 0000000..8bde637
Binary files /dev/null and b/v38.6.tar.gz differ
