Fix CVE-2020-24612

2021-10-08 11:35:33 +08:00 · 2021-10-08 11:35:33 +08:00 · df3c36d34c
commit df3c36d34c
parent b0507f843a
3 changed files with 154 additions and 1 deletions
--- a/backport-Add-file-context-for-.config-Yubico.patch
+++ b/backport-Add-file-context-for-.config-Yubico.patch
@ -0,0 +1,53 @@
+From 1363710b88904f29915e39335fef0dfb673a0f70 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 24 Aug 2020 14:29:15 +0200
+Subject: [PATCH] Add file context for ~/.config/Yubico
+
+Add file context specification for ~/.config/Yubico in addition to
+existing ~/.yubico. Update the auth_filetrans_home_content() and
+auth_filetrans_admin_home_content() interfaces accordingly.
+
+Resolves: rhbz#1860888
+Signed-off-by: lujie42 <572084868@qq.com>
+---
+ policy/modules/system/authlogin.fc | 2 ++
+ policy/modules/system/authlogin.if | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index 009c156..58551ec 100644
+--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
+@@ -1,7 +1,9 @@
+ HOME_DIR/\.yubico(/.*)?				    gen_context(system_u:object_r:auth_home_t,s0)
+HOME_DIR/\.config/Yubico(/.*)?			    gen_context(system_u:object_r:auth_home_t,s0)
+ HOME_DIR/\.google_authenticator			gen_context(system_u:object_r:auth_home_t,s0)
+ HOME_DIR/\.google_authenticator~		gen_context(system_u:object_r:auth_home_t,s0)
+ /root/\.yubico(/.*)?                    gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.config/Yubico(/.*)?		gen_context(system_u:object_r:auth_home_t,s0)
+ /root/\.google_authenticator			gen_context(system_u:object_r:auth_home_t,s0)
+ /root/\.google_authenticator~			gen_context(system_u:object_r:auth_home_t,s0)
+ 
+diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
+index 099166d..90ae5fe 100644
+--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
+@@ -2313,6 +2313,7 @@ interface(`auth_filetrans_admin_home_content',`
+ 	userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+ 	userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+ 	userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
+	userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
+ ')
+ 
+ 
+@@ -2377,6 +2378,7 @@ interface(`auth_filetrans_home_content',`
+ 	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+ 	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+ 	userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
+	userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
+ ')
+ 
+ ########################################
+-- 
+1.8.3.1
+
--- a/backport-Change-transitions-for-.config-Yubico.patch
+++ b/backport-Change-transitions-for-.config-Yubico.patch
@ -0,0 +1,95 @@
+From 099ea7b7bd113cac657f98d406c77839cce98859 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 25 Aug 2020 16:33:38 +0200
+Subject: [PATCH] Change transitions for ~/.config/Yubico
+
+Created the auth_filetrans_auth_home_content() interface which is used
+to allow the filename transition in gnome config directory for the
+login_pgm and userdomain attributes.
+
+This commit reverts the transitions introduced in
+commit 1363710b88904f29915e39335fef0dfb673a0f70.
+
+Signed-off-by: lujie42 <572084868@qq.com>
+---
+ policy/modules/system/authlogin.if  | 23 +++++++++++++++++++++--
+ policy/modules/system/authlogin.te  |  1 +
+ policy/modules/system/userdomain.te |  2 ++
+ 3 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
+index 90ae5fe..ab68d31 100644
+--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
+@@ -2313,7 +2313,6 @@ interface(`auth_filetrans_admin_home_content',`
+ 	userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+ 	userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+ 	userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
+-	userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
+ ')
+ 
+ 
+@@ -2378,7 +2377,27 @@ interface(`auth_filetrans_home_content',`
+ 	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+ 	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+ 	userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
+-	userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
+')
+
+########################################
+## <summary>
+##	Create auth directory in the config home directory
+##	with a correct label.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_filetrans_auth_home_content',`
+	gen_require(`
+		type auth_home_t;
+	')
+
+	optional_policy(`
+		gnome_config_filetrans($1, auth_home_t, dir, "Yubico")
+	')
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index f3870d3..068caed 100644
+--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
+@@ -603,6 +603,7 @@ manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t)
+ manage_files_pattern(login_pgm, auth_home_t, auth_home_t)
+ auth_filetrans_admin_home_content(login_pgm)
+ auth_filetrans_home_content(login_pgm)
+auth_filetrans_auth_home_content(login_pgm)
+ 
+ # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
+ kernel_search_network_sysctl(login_pgm)
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 756ac4a..196bcc0 100644
+--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
+@@ -147,6 +147,7 @@ dontaudit unpriv_userdomain self:dir setattr;
+ allow unpriv_userdomain self:file manage_file_perms;
+ allow unpriv_userdomain self:key manage_key_perms;
+ 
+auth_filetrans_auth_home_content(userdomain)
+ 
+ files_dontaudit_manage_boot_files(unpriv_userdomain)
+ 
+@@ -289,6 +290,7 @@ userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, "tmp")
+ 
+ optional_policy(`
+ 	gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
+	gnome_config_filetrans(userdom_filetrans_type, auth_home_t, dir, "Yubico")
+ 	#gnome_admin_home_gconf_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin")
+ ')
+ 
+-- 
+1.8.3.1
+
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 3.14.2
-Release: 76
+Release: 77
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/

@ -113,6 +113,8 @@ Patch6036: backport-iptables.fc-Remove-duplicate-file-context-entries.patch
 Patch6037: backport-iptables.fc-Add-missing-legacy-entries.patch
 Patch6038: backport-iptables.fc-Add-missing-legacy-restore-and-legacy-sa.patch
 Patch6039: backport-Allow-systemd-hostnamed-read-udev-runtime-data.patch
+Patch6040: backport-Add-file-context-for-.config-Yubico.patch
+Patch6041: backport-Change-transitions-for-.config-Yubico.patch

 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: add-avc-for-systemd-selinux-page.patch
@ -783,6 +785,9 @@ exit 0
 %endif

 %changelog
+* Fri Oct 8 2021 lujie42 <lujie42@huawei.com> -3.14.2-77
+- Fix CVE-2020-24612
+
 * Wed Sep 22 2021 lujie42 <572084868@qq.com> -3.14.2-76
 - Set httpd_can_network_connect bool true