!265 Recovering the SELinux Label

From: @Linux_zhang2024 Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee
Recovering the SELinux Label
2024-11-28 03:14:54 +00:00 · 2024-11-27 19:27:56 +08:00 · 2024-11-13 01:56:56 +00:00 · 2024-11-05 11:14:16 +08:00 · 2024-04-12 03:32:53 +00:00 · 2024-04-11 17:17:08 +08:00
15 changed files with 182 additions and 477 deletions
--- a/Add-initial-policy-for-the-usr-sbin-request-key-help.patch
+++ b/Add-initial-policy-for-the-usr-sbin-request-key-help.patch
@ -1,227 +0,0 @@
-From 3a1ae904dba54474a56815ba7fbf3238fcfe5a46 Mon Sep 17 00:00:00 2001
-From: Ondrej Mosnacek <omosnace@redhat.com>
-Date: Mon, 30 Jan 2023 14:46:50 +0100
-Subject: [PATCH 2/5] Add initial policy for the /usr/sbin/request-key helper
-
-The kernel is hard-coded to call /sbin/request-key to handle requests
-for instantiating keys that are not found in the existing keyrings.
-
-Thus, we need to add a domain for this helper and set up a transition
-into that domain from kernel_t.
-
-request-key dispatches the key requests to further helper programs based
-on the configuration in /etc/request-key.d/*.conf and
-/etc/request-key.conf. Currently, the only known used dispatcher is
-/usr/sbin/nfsidmap, which is set up by the nfs-utils package to handle
-requests for the 'id_resolver' key type. This patch adds the minimal
-policy for this helper that is needed for an NFS mount to succeed.
-
-Policy for other request-key helper programs may need to be added in the
-future. An optional mechanism to allow any possible configuration (e.g.
-by setting up a transition over any file to unconfined_service_t) may be
-also desired. For now let's at least make the one known use case work.
-
-Fixes: 1e8688ea6943 ("Don't make kernel_t an unconfined domain")
-Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
- policy/modules.conf                |  7 +++++
- policy/modules/contrib/keyutils.fc |  1 +
- policy/modules/contrib/keyutils.if | 43 ++++++++++++++++++++++++++++++
- policy/modules/contrib/keyutils.te | 11 ++++++++
- policy/modules/contrib/rpc.fc      |  1 +
- policy/modules/contrib/rpc.te      | 32 ++++++++++++++++++++++
- policy/modules/kernel/kernel.if    | 19 +++++++++++++
- policy/modules/kernel/kernel.te    |  4 +++
- 8 files changed, 118 insertions(+)
- create mode 100644 policy/modules/contrib/keyutils.fc
- create mode 100644 policy/modules/contrib/keyutils.if
- create mode 100644 policy/modules/contrib/keyutils.te
-
-diff --git a/policy/modules.conf b/policy/modules.conf
-index 5e0678668..6f63c8cb6 100644
--- a/policy/modules.conf
-+++ b/policy/modules.conf
-@@ -3078,3 +3078,10 @@ rhcd = module
- # wireguard
- #
- wireguard = module
-+
-+# Layer: contrib
-+# Module: keyutils
-+#
-+#  keyutils - Linux Key Management Utilities
-+#
-+keyutils = module
-diff --git a/policy/modules/contrib/keyutils.fc b/policy/modules/contrib/keyutils.fc
-new file mode 100644
-index 000000000..78c5f159f
--- /dev/null
-+++ b/policy/modules/contrib/keyutils.fc
-@@ -0,0 +1 @@
-+/usr/sbin/request-key	--	gen_context(system_u:object_r:keyutils_request_exec_t,s0)
-diff --git a/policy/modules/contrib/keyutils.if b/policy/modules/contrib/keyutils.if
-new file mode 100644
-index 000000000..06daab988
--- /dev/null
-+++ b/policy/modules/contrib/keyutils.if
-@@ -0,0 +1,43 @@
-+## <summary>Linux Key Management Utilities</summary>
-+
-+#######################################
-+## <summary>
-+##	Execute request-key in the keyutils request domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`keyutils_request_domtrans',`
-+	gen_require(`
-+		type keyutils_request_t, keyutils_request_exec_t;
-+	')
-+
-+	domtrans_pattern($1, keyutils_request_exec_t, keyutils_request_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Allows to perform key instantiation callout
-+##	by transitioning to the specified domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The process type entered by request-key.
-+##	</summary>
-+## </param>
-+## <param name="entrypoint">
-+##	<summary>
-+##	The executable type for the entrypoint.
-+##	</summary>
-+## </param>
-+#
-+interface(`keyutils_request_domtrans_to',`
-+	gen_require(`
-+		type keyutils_request_t;
-+	')
-+
-+	domtrans_pattern(keyutils_request_t, $2, $1)
-+')
-diff --git a/policy/modules/contrib/keyutils.te b/policy/modules/contrib/keyutils.te
-new file mode 100644
-index 000000000..2ea1d5e38
--- /dev/null
-+++ b/policy/modules/contrib/keyutils.te
-@@ -0,0 +1,11 @@
-+policy_module(keyutils, 1.0)
-+
-+type keyutils_request_exec_t;
-+files_type(keyutils_request_exec_t)
-+
-+type keyutils_request_t;
-+domain_type(keyutils_request_t)
-+domain_entry_file(keyutils_request_t, keyutils_request_exec_t)
-+
-+kernel_view_key(keyutils_request_t)
-+kernel_read_key(keyutils_request_t)
-diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc
-index 3825ef707..06a6c009c 100644
--- a/policy/modules/contrib/rpc.fc
-+++ b/policy/modules/contrib/rpc.fc
-@@ -32,6 +32,7 @@
- /usr/sbin/rpc\.svcgssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
- /usr/sbin/sm-notify	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
- /usr/sbin/nfsdcld	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
-+/usr/sbin/nfsidmap	--	gen_context(system_u:object_r:nfsidmap_exec_t,s0)
- 
- #
- # /var
-diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
-index f94cfa5d2..c83492a56 100644
--- a/policy/modules/contrib/rpc.te
-+++ b/policy/modules/contrib/rpc.te
-@@ -434,3 +434,35 @@ optional_policy(`
- optional_policy(`
- 	xserver_rw_xdm_tmp_files(gssd_t)
- ')
-+
-+########################################
-+#
-+# nfsidmap policy
-+#
-+
-+type nfsidmap_exec_t;
-+files_type(nfsidmap_exec_t)
-+
-+type nfsidmap_t;
-+domain_type(nfsidmap_t)
-+domain_entry_file(nfsidmap_t, nfsidmap_exec_t)
-+
-+allow nfsidmap_t self:key write;
-+allow nfsidmap_t self:netlink_route_socket r_netlink_socket_perms;
-+
-+kernel_setattr_key(nfsidmap_t)
-+
-+sysnet_read_config(nfsidmap_t)
-+
-+optional_policy(`
-+	auth_read_passwd_file(nfsidmap_t)
-+')
-+
-+optional_policy(`
-+	logging_send_syslog_msg(nfsidmap_t)
-+')
-+
-+optional_policy(`
-+	# /etc/request-key.d/id_resolver.conf
-+	keyutils_request_domtrans_to(nfsidmap_t, nfsidmap_exec_t)
-+')
-diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 166586f66..adb71ed3a 100644
--- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -579,6 +579,25 @@ interface(`kernel_dontaudit_view_key',`
- 
- 	dontaudit $1 kernel_t:key view;
- ')
-+
-+########################################
-+## <summary>
-+##	Allow to set attributes on the kernel key ring.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`kernel_setattr_key',`
-+	gen_require(`
-+		type kernel_t;
-+	')
-+
-+	allow $1 kernel_t:key setattr;
-+')
-+
- ########################################
- ## <summary>
- ##	Allows caller to read the ring buffer.
-diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index f7ac8cd1f..0a27fa7ae 100644
--- a/policy/modules/kernel/kernel.te
-+++ b/policy/modules/kernel/kernel.te
-@@ -410,6 +410,10 @@ optional_policy(`
- 	kerberos_filetrans_home_content(kernel_t)
- ')
- 
-+optional_policy(`
-+	keyutils_request_domtrans(kernel_t)
-+')
-+
- optional_policy(`
- 	init_dbus_chat(kernel_t)
- 	init_sigchld(kernel_t)
-- 
-2.33.0
-
--- a/Add-journalctl-the-sys_resource-capability.patch
+++ b/Add-journalctl-the-sys_resource-capability.patch
@ -1,35 +0,0 @@
-From 4cb741896c440c80ea18a22ff60d4c36c5b0f95b Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela <zpytela@redhat.com>
-Date: Fri, 3 Feb 2023 17:20:51 +0100
-Subject: [PATCH 4/5] Add journalctl the sys_resource capability
-
-The journalctl command runs in the journalctl_t domain when executed by
-a confined user (user, staff, sysadm). When is invoked with pager,
-prctl() is called to change the process name.
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(02/02/2023 12:55:12.623:1405) : proctitle=(pager)
-type=SYSCALL msg=audit(02/02/2023 12:55:12.623:1405) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x8 a2=0x7fd1a3f52000 a3=0x0 items=0 ppid=25495 pid=25516 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=39 comm=(pager) exe=/usr/bin/journalctl subj=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null)
-type=AVC msg=audit(02/02/2023 12:55:12.623:1405) : avc:  denied  { sys_resource } for  pid=25516 comm=(pager) capability=sys_resource  scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=capability permissive=1
-
-Resolves: rhbz#2136189
---
- policy/modules/contrib/journalctl.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/journalctl.te b/policy/modules/contrib/journalctl.te
-index 5b4329c80..b22b6a713 100644
--- a/policy/modules/contrib/journalctl.te
-+++ b/policy/modules/contrib/journalctl.te
-@@ -18,6 +18,7 @@ role journalctl_roles types journalctl_t;
- #
- # journalctl local policy
- #
-+allow journalctl_t self:capability sys_resource;
- allow journalctl_t self:process { fork setrlimit signal_perms };
- 
- allow journalctl_t self:fifo_file manage_fifo_file_perms;
-- 
-2.33.0
-
--- a/Additional-support-for-rpmdb_migrate.patch
+++ b/Additional-support-for-rpmdb_migrate.patch
@ -1,64 +0,0 @@
-From 47fe7d4c98809fcda9dfc8f1fab24cb6f765332c Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela <zpytela@redhat.com>
-Date: Tue, 31 Jan 2023 19:12:39 +0100
-Subject: [PATCH 1/5] Additional support for rpmdb_migrate
-
-Since the 3a99b00da4 ("Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t")
-commit, selinux-policy supports the rpmdb-migrate.service which is
-executed after the first boot to a newer Fedora release to migrate the
-rpm database from /var/lib/rpm to /usr/lib/sysimage/rpm.
-Additional permissions started to be required recently.
-
-Resolves: rhbz#2164752
---
- policy/modules/contrib/rpm.te | 21 ++++++++++++++-------
- 1 file changed, 14 insertions(+), 7 deletions(-)
-
-diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
-index 247f1fa7a..cf5539abb 100644
--- a/policy/modules/contrib/rpm.te
-+++ b/policy/modules/contrib/rpm.te
-@@ -260,26 +260,33 @@ optional_policy(`
- # rpmdb local policy
- #
- 
-allow rpmdb_t rpm_var_lib_t:file map;
-allow rpmdb_t rpmdb_tmp_t:file map;
-+can_exec(rpmdb_t, rpm_exec_t)
- 
- manage_dirs_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
- manage_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
-files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir)
-files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir)
-+read_lnk_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
-+allow rpmdb_t rpm_var_lib_t:file map;
- 
- manage_dirs_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t)
- manage_files_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t)
- files_tmp_filetrans(rpmdb_t, rpmdb_tmp_t, { file dir })
-+allow rpmdb_t rpmdb_tmp_t:file map;
- 
-term_use_all_inherited_terms(rpmdb_t)
-
-auth_dontaudit_read_passwd(rpmdb_t)
-+corecmd_exec_bin(rpmdb_t)
-+corecmd_exec_shell(rpmdb_t)
- 
- files_rw_inherited_non_security_files(rpmdb_t)
-+files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir)
-+files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir)
- 
- sysnet_dontaudit_read_config(rpmdb_t)
- 
-+term_use_all_inherited_terms(rpmdb_t)
-+
-+optional_policy(`
-+	auth_dontaudit_read_passwd(rpmdb_t)
-+')
-+
- optional_policy(`
- 	miscfiles_read_generic_certs(rpmdb_t)
- ')
-- 
-2.33.0
-
--- a/Allow-certmonger-read-the-contents-of-the-sysfs-file.patch
+++ b/Allow-certmonger-read-the-contents-of-the-sysfs-file.patch
@ -1,31 +0,0 @@
-From 6651eeac26984ceb7416cb4639891bd59e30c4de Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela <zpytela@redhat.com>
-Date: Tue, 7 Feb 2023 11:04:09 +0100
-Subject: [PATCH 5/5] Allow certmonger read the contents of the sysfs
- filesystem
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(02/07/2023 04:22:50.618:3929) : proctitle=/usr/bin/python3 -I /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
-type=PATH msg=audit(02/07/2023 04:22:50.618:3929) : item=0 name=/sys/devices/system/cpu/possible inode=42 dev=00:15 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=SYSCALL msg=audit(02/07/2023 04:22:50.618:3929) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f9dcfbc79d8 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=25147 pid=25176 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dogtag-ipa-ca-r exe=/usr/bin/python3.11 subj=system_u:system_r:certmonger_t:s0 key=(null)
-type=AVC msg=audit(02/07/2023 04:22:50.618:3929) : avc:  denied  { open } for  pid=25176 comm=dogtag-ipa-ca-r path=/sys/devices/system/cpu/possible dev="sysfs" ino=42 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
---
- policy/modules/contrib/certmonger.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
-index e721254ae..c72f05b44 100644
--- a/policy/modules/contrib/certmonger.te
-+++ b/policy/modules/contrib/certmonger.te
-@@ -82,6 +82,7 @@ corecmd_exec_shell(certmonger_t)
- 
- dev_read_rand(certmonger_t)
- dev_read_urand(certmonger_t)
-+dev_read_sysfs(certmonger_t)
- 
- domain_use_interactive_fds(certmonger_t)
- 
-- 
-2.33.0
-
--- a/Allow-login_pgm-setcap-permission.patch
+++ b/Allow-login_pgm-setcap-permission.patch
@ -1,42 +0,0 @@
-From 704e79751a2219a7a1e647084be6dbf04e679bf6 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela <zpytela@redhat.com>
-Date: Fri, 3 Mar 2023 12:22:12 +0100
-Subject: [PATCH] Allow login_pgm setcap permission
-
-There is a pam_cap module as a part of the libcap package. When a
-capability is added to the login process using pam_cap, the setcap
-permission is required.
-
-Example setup:
-
- echo "cap_dac_read_search exampleuser" > /etc/security/capability.conf
- echo "auth required pam_cap.so" >> /etc/pam.d/postlogin
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(03/03/2023 06:30:19.302:505) : proctitle=sshd: exampleuser [priv]
-type=SYSCALL msg=audit(03/03/2023 06:30:19.302:505) : arch=x86_64 syscall=capset success=no exit=EACCES(Permission denied) a0=0x55b8338dc6f4 a1=0x55b8338dc6fc a2=0x55b8338dc6fc a3=0x55b83388d010 items=0 ppid=1350 pid=1357 auid=exampleuser uid=root gid=exampleuser euid=root suid=root fsuid=root egid=exampleuser sgid=exampleuser fsgid=exampleuser tty=(none) ses=7 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
-type=AVC msg=audit(03/03/2023 06:30:19.302:505) : avc:  denied  { setcap } for  pid=1357 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0
-
-Resolves: rhbz#2172541
-Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
---
- policy/modules/system/authlogin.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index feabf67ab..2c3628a31 100644
--- a/policy/modules/system/authlogin.te
-+++ b/policy/modules/system/authlogin.te
-@@ -593,7 +593,7 @@ allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms;
- allow login_pgm self:netlink_selinux_socket create_socket_perms; 
- allow login_pgm self:capability ipc_lock;
- dontaudit login_pgm self:capability net_admin;
-allow login_pgm self:process setkeycreate;
-+allow login_pgm self:process { setcap setkeycreate };
- allow login_pgm self:key manage_key_perms;
- userdom_manage_all_users_keys(login_pgm)
- allow login_pgm nsswitch_domain:key manage_key_perms;
-- 
-2.33.0
-
--- a/Allow-nm-dispatcher-plugins-read-generic-files-in-pr.patch
+++ b/Allow-nm-dispatcher-plugins-read-generic-files-in-pr.patch
@ -1,35 +0,0 @@
-From 908adc1066c5df1e7d3b3a08f336a218b57c1dc2 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela <zpytela@redhat.com>
-Date: Fri, 3 Feb 2023 18:15:19 +0100
-Subject: [PATCH 3/5] Allow nm-dispatcher plugins read generic files in /proc
-
-It turns out the systemctl command needs to read /proc/cpuinfo at
-the aarch64 architecture, so the permission was allowed for the
-networkmanager_dispatcher_plugin attribute.
-
-The commit addresses the following AVC denial:
-type=PROCTITLE msg=audit(26.1.2023 15:30:09.970:47) : proctitle=/bin/systemctl --no-block reload iscsi.service
-type=SYSCALL msg=audit(26.1.2023 15:30:09.970:47) : arch=aarch64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0xffff9b8f5170 a2=O_RDONLY a3=0x0 items=0 ppid=1186 pid=1188 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 key=(null)
-type=AVC msg=audit(26.1.2023 15:30:09.970:47) : avc:  denied  { open } for  pid=1188 comm=systemctl path=/proc/cpuinfo dev="proc" ino=4026531987 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
-type=AVC msg=audit(26.1.2023 15:30:09.970:47) : avc:  denied  { read } for  pid=1188 comm=systemctl name=cpuinfo dev="proc" ino=4026531987 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
-
-Resolves: rhbz#2164845
---
- policy/modules/contrib/networkmanager.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
-index 0e3218929..ef77fdb32 100644
--- a/policy/modules/contrib/networkmanager.te
-+++ b/policy/modules/contrib/networkmanager.te
-@@ -584,6 +584,7 @@ manage_files_pattern(NetworkManager_dispatcher_console_t, NetworkManager_dispatc
- 
- read_files_pattern(NetworkManager_dispatcher_dnssec_t, NetworkManager_etc_t, NetworkManager_etc_rw_t)
- 
-+kernel_read_proc_files(networkmanager_dispatcher_plugin)
- kernel_request_load_module(NetworkManager_dispatcher_ddclient_t)
- 
- auth_read_passwd(networkmanager_dispatcher_plugin)
-- 
-2.33.0
-
--- a/Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch
+++ b/Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch
@ -1,19 +1,20 @@
-From 36a7559c14a33b8ae867acaf3a724529ef2aa7ea Mon Sep 17 00:00:00 2001
+From 2a1802c29f4629f06ebd2c8bf1491f98565bf5b1 Mon Sep 17 00:00:00 2001
 From: "GONG, Ruiqi" <gongruiqi1@huawei.com>
 Date: Mon, 20 Mar 2023 20:42:49 +0800
 Subject: [PATCH] Revert "Don't allow kernel_t to execute bin_t/usr_t binaries
 without a transition"

 This reverts commit 18c5559222ea3ca3588c8d32c06cddc41b66f688.
+
 ---
- policy/modules/kernel/kernel.te | 12 +++---------
- 1 file changed, 3 insertions(+), 9 deletions(-)
+ policy/modules/kernel/kernel.te | 17 +++--------------
+ 1 file changed, 3 insertions(+), 14 deletions(-)

 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index f7ac8cd1f..2df33b0ac 100644
+index 7dce828..0c1d125 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
-@@ -347,16 +347,10 @@ selinux_compute_create_context(kernel_t)
+@@ -356,25 +356,14 @@ selinux_compute_create_context(kernel_t)
 term_use_all_terms(kernel_t)
 term_use_ptmx(kernel_t)
 
@ -28,10 +29,20 @@ index f7ac8cd1f..2df33b0ac 100644
 -role system_r types kernel_generic_helper_t;
 -corecmd_bin_entry_type(kernel_generic_helper_t)
 -corecmd_bin_domtrans(kernel_t, kernel_generic_helper_t)
+-
+-allow kernel_generic_helper_t kernel_t:fifo_file read_inherited_fifo_file_perms;
 +# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
 +corecmd_exec_bin(kernel_t)
 
+ # Enable running `/usr/bin/env [u]mount ...` to support ZFS automounting.
+ # See the module/os/linux/zfs/zfs_ctldir.c file in
+ # https://github.com/openzfs/zfs/ for the usermode helper calls.
+-optional_policy(`
+-	mount_domtrans(kernel_generic_helper_t)
+-')
+ 
 domain_use_all_fds(kernel_t)
 domain_signal_all_domains(kernel_t)
 -- 
-2.25.1
+2.33.0
+
--- a/add-qemu_exec_t-for-stratovirt.patch
+++ b/add-qemu_exec_t-for-stratovirt.patch
@ -1,25 +1,24 @@
-From 601ffc24a1d00f20833eb104913634dedb51b95d Mon Sep 17 00:00:00 2001
-From: root <root@localhost.localdomain>
-Date: Fri, 20 Aug 2021 10:50:31 +0800
+From 3f9a66fb7bb35a101d8be50d8f2fa238af62d11f Mon Sep 17 00:00:00 2001
+From: jinlun <jinlun@huawei.com>
+Date: Tue, 26 Dec 2023 17:18:00 +0800
 Subject: [PATCH] add qemu_exec_t for stratovirt

-Signed-off-by: root <root@localhost.localdomain>
 ---
- policy/modules/contrib/virt.fc | 1 +
+ policy/modules/contrib/virt_supplementary.fc | 1 +
 1 file changed, 1 insertion(+)

-diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
-index d12dac0..c12f009 100644
--- a/policy/modules/contrib/virt.fc
-+++ b/policy/modules/contrib/virt.fc
-@@ -100,6 +100,7 @@ HOME_DIR/\.local/share/libvirt/boot(/.*)?   gen_context(system_u:object_r:svirt_
- /usr/bin/qemu-system-.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
- /usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
- /usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
-+/usr/bin/stratovirt     --      gen_context(system_u:object_r:qemu_exec_t,s0)
+diff --git a/policy/modules/contrib/virt_supplementary.fc b/policy/modules/contrib/virt_supplementary.fc
+index d27441f..5563457 100644
+--- a/policy/modules/contrib/virt_supplementary.fc
+++ b/policy/modules/contrib/virt_supplementary.fc
+@@ -62,6 +62,7 @@ HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:sv
+ /usr/bin/qemu-system-.*                 --      gen_context(system_u:object_r:qemu_exec_t,s0)
+ /usr/bin/qemu-kvm                       --      gen_context(system_u:object_r:qemu_exec_t,s0)
+ /usr/libexec/qemu.*                     --      gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/stratovirt                     --      gen_context(system_u:object_r:qemu_exec_t,s0)
 
- /etc/qemu-ga/fsfreeze-hook.d(/.*)?      gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
- /usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)?  gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
+ # support for QEMU-GA
+ /etc/qemu-ga/fsfreeze-hook\.d(/.*)?		gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
 -- 
-2.30.0
+2.27.0

--- a/allow-init_t-create-fifo-file-in-net_conf-dir.patch
+++ b/allow-init_t-create-fifo-file-in-net_conf-dir.patch
@ -1,6 +1,6 @@
-From b00033d4825cfc3ae9787c94ffa7e5408acf9a4b Mon Sep 17 00:00:00 2001
-From: Huaxin Lu <luhuaxin1@huawei.com>
-Date: Sun, 29 Jan 2023 00:36:01 +0800
+From ebfc55113be3be3a298a14e767712cc5e16a50c3 Mon Sep 17 00:00:00 2001
+From: jinlun <jinlun@huawei.com>
+Date: Thu, 28 Dec 2023 19:17:52 +0800
 Subject: [PATCH] allow init_t create fifo file in net_conf dir

 Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
@ -9,17 +9,17 @@ Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
 1 file changed, 1 insertion(+)

 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 8b84aa1..15b57a7 100644
+index 4f2ce88..5fc8fed 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
-@@ -872,6 +872,7 @@ optional_policy(`
- 
+@@ -879,6 +879,7 @@ optional_policy(`
 optional_policy(`
     sysnet_filetrans_cloud_net_conf(init_t)
+     sysnet_manage_config_pipes(init_t)
 +    manage_fifo_files_pattern(init_t, net_conf_t, net_conf_t)
 ')
 
 optional_policy(`
 -- 
-2.33.0
+2.27.0

--- a/backport-Add-support-for-secretmem-anon-inode.patch
+++ b/backport-Add-support-for-secretmem-anon-inode.patch
@ -0,0 +1,102 @@
+From 41c4218e835a068335f05c1cf41268a0db64aab5 Mon Sep 17 00:00:00 2001
+From: Juraj Marcin <jmarcin@redhat.com>
+Date: Tue, 30 Apr 2024 18:46:19 +0200
+Subject: [PATCH] Add support for secretmem anon inode
+
+Commit 65b9e0bdceb7e6adbe308f9a591b103cba6986ef implements proper
+support for anon inodes, however it does not implement support for
+secretmem anon inode.
+
+This patch adds type transition, so [secretmem] anon inode is always
+created with secretmem_t type. It also adds an interface allowing create
+permission on secretmem_t and allows unconfined_domain_type to use it.
+
+Addresses the following AVCs:
+type=PROCTITLE msg=audit(03/27/2024 02:54:00.035:4382) : proctitle=stress-ng-resources [run]
+type=SYSCALL msg=audit(03/27/2024 02:54:00.035:4382) : arch=x86_64 syscall=memfd_secret success=no exit=EACCES(Permission denied) a0=0x0 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=2072 pid=5294 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=stress-ng-resou exe=/usr/bin/stress-ng subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(03/27/2024 02:54:00.035:4382) : avc:  denied  { create } for  pid=5294 comm=stress-ng-resou anonclass=[secretmem] scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=0
+
+Resolves: rhbz#2270895
+---
+ policy/modules/kernel/domain.te |  2 ++
+ policy/modules/kernel/kernel.if | 34 +++++++++++++++++++++++++++++++++
+ policy/modules/kernel/kernel.te |  1 +
+ 3 files changed, 37 insertions(+)
+
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index 78db683f7..37c698e47 100644
+--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
+@@ -131,6 +131,7 @@ allow domain self:shm create_shm_perms;
+ 
+ kernel_userfaultfd_domtrans(domain)
+ kernel_io_uring_domtrans(domain)
+kernel_secretmem_domtrans(domain)
+ 
+ kernel_getattr_proc(domain)
+ kernel_read_proc_symlinks(domain)
+@@ -305,6 +306,7 @@ allow unconfined_domain_type domain:perf_event rw_inherited_perf_event_perms;
+ kernel_manage_perf_event(unconfined_domain_type)
+ kernel_userfaultfd_use(unconfined_domain_type)
+ kernel_io_uring_use(unconfined_domain_type)
+kernel_secretmem_use(unconfined_domain_type)
+ 
+ corenet_filetrans_all_named_dev(named_filetrans_domain)
+ 
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index d439f1db2..016ffaaed 100644
+--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
+@@ -4610,3 +4610,37 @@ interface(`kernel_io_uring_use',`
+ 	kernel_io_uring_use_inherited($1)
+ 	allow $1 io_uring_t:anon_inode create;
+ ')
+
+########################################
+## <summary>
+##	Set up type transition for secretmem anon inodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to receive the type transition.
+##	</summary>
+## </param>
+#
+interface(`kernel_secretmem_domtrans',`
+	gen_require(`
+		type secretmem_t;
+	')
+	type_transition $1 self:anon_inode secretmem_t "[secretmem]";
+')
+
+########################################
+## <summary>
+##	Allow the domain to use the secretmem API.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_secretmem_use',`
+	gen_require(`
+		type secretmem_t;
+	')
+	allow $1 secretmem_t:anon_inode create;
+')
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index d4ca28c70..519f004f4 100644
+--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
+@@ -237,6 +237,7 @@ neverallow * unlabeled_t:file entrypoint;
+ # anon_inode types
+ type userfaultfd_t;
+ type io_uring_t;
+type secretmem_t;
+ 
+ # These initial sids are no longer used, and can be removed:
+ sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
+-- 
+2.33.0
+
--- a/fix-selinux-label-for-hostname-digest-list.patch
+++ b/fix-selinux-label-for-hostname-digest-list.patch
@ -15,9 +15,9 @@ index cfafbfa..bb5e759 100644
@@ -3,6 +3,7 @@ HOME_DIR/\.config/systemd/user(/.*)?		gen_context(system_u:object_r:systemd_unit
 /root/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_home_t,s0)
 
- /etc/.*hostname.*			--		gen_context(system_u:object_r:hostname_etc_t,s0)
-+/etc/[^/]*hostname.*                    --              gen_context(system_u:object_r:hostname_etc_t,s0)
- /etc/machine-info		--		gen_context(system_u:object_r:hostname_etc_t,s0)
+ /etc/.*hostname.*	--	gen_context(system_u:object_r:hostname_etc_t,s0)
+/etc/[^/]*hostname.*	--	gen_context(system_u:object_r:hostname_etc_t,s0)
+ /etc/machine-info	--	gen_context(system_u:object_r:hostname_etc_t,s0)
 /etc/udev/.*hwdb.*	--	gen_context(system_u:object_r:systemd_hwdb_etc_t,s0)
 
 -- 
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@ -2663,3 +2663,10 @@ ica = module
 # fedoratp
 #
 fedoratp = module
+
+# Layer: services
+# Module: virt_supplementary
+#
+# non-libvirt virtualization libraries
+#
+virt_supplementary = module
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -11,12 +11,12 @@

 Summary: SELinux policy configuration
 Name:    selinux-policy
-Version: 38.6
-Release: 5
+Version: 40.7
+Release: 4
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/

-Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v38.6.tar.gz
+Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v40.7.tar.gz

 # Tool helps during policy development, to expand system m4 macros to raw allow rules
 # Git repo: https://github.com/fedora-selinux/macro-expander.git
@ -63,12 +63,7 @@ Patch7:  add-avc-for-os-1.patch
 Patch8:  allow-rpcbind-to-bind-all-port.patch
 Patch9:  add-avc-for-systemd-journald.patch
 Patch10: add-avc-for-systemd.patch
-Patch11: Allow-login_pgm-setcap-permission.patch
-Patch12: Additional-support-for-rpmdb_migrate.patch
-Patch13: Add-initial-policy-for-the-usr-sbin-request-key-help.patch
-Patch14: Allow-nm-dispatcher-plugins-read-generic-files-in-pr.patch
-Patch15: Add-journalctl-the-sys_resource-capability.patch
-Patch16: Allow-certmonger-read-the-contents-of-the-sysfs-file.patch
+Patch11: backport-Add-support-for-secretmem-anon-inode.patch

 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@ -206,7 +201,7 @@ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.p
     %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
     rm -f ${FILE_CONTEXT}.pre; \
 fi; \
-%{_sbindir}/restorecon -R /var/lib/rpm \
+%{_sbindir}/restorecon -R /var/lib/rpm /usr/bin /usr/lib /usr/lib64 /usr/sbin \
 if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
    continue; \
 fi;
@ -748,6 +743,31 @@ exit 0
 %endif

 %changelog
+* Wed Nov 27 2024 Linux_zhang <zhangruifang@h-partners.com> - 40.7-4
+- Recovering the SELinux Label
+
+* Tue Nov 05 2024 Linux_zhang <zhangruifang@h-partners.com> - 40.7-3 
+- Add support for secretmem anon inode
+
+* Thu Apr 11 2024 jinlun<jinlun@huawei.com> - 40.7-2
+- update modules-targeted-contrib.conf
+
+* Thu Dec 28 2023 jinlun<jinlun@huawei.com> - 40.7-1
+- update version to 40.7
+  - Allow chronyd-restricted read chronyd key files
+  - Allow systemd-sleep set attributes of efivarfs files
+  - Make name_zone_t and named_var_run_t a part of the mountpoint attribute
+  - Update cifs interfaces to include fs_search_auto_mountpoints()
+  - Allow map xserver_tmpfs_t files when xserver_clients_write_xshm is on
+  - Add map_read map_write to kernel_prog_run_bpf
+  - Add policy for nvme-stas
+  - Make new virt drivers permissive
+  - Allow named and ndc use the io_uring api
+  - Allow sssd send SIGKILL to passket_child running in ipa_otpd_t
+
+* Fri Jul 21 2023 jinlun<jinlun@huawei.com> - 38.21-1
+- update version to 38.21
+
 * Wed May 31 2023 luhuaxin<luhuaxin1@huawei.com> - 38.6-5
 - backport some upstream patches

--- a/v38.6.tar.gz
+++ b/v38.6.tar.gz
--- a/v40.7.tar.gz
+++ b/v40.7.tar.gz
Author	SHA1	Message	Date
openeuler-ci-bot	7333bcafce	!265 Recovering the SELinux Label From: @Linux_zhang2024 Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee	2024-11-28 03:14:54 +00:00
Linux_zhang	83350518b1	Recovering the SELinux Label	2024-11-27 19:27:56 +08:00
openeuler-ci-bot	5b9f77f4d5	!256 Add support for secretmem anon inode From: @Linux_zhang2024 Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee	2024-11-13 01:56:56 +00:00
Linux_zhang	318a8c7f84	Add support for secretmem anon inode	2024-11-05 11:14:16 +08:00
openeuler-ci-bot	50ad53f567	!249 update modules-targeted-contrib.conf From: @jinlun123123 Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee	2024-04-12 03:32:53 +00:00
jinlun	81b001bdf4	update modules-targeted-contrib.conf	2024-04-11 17:17:08 +08:00
openeuler-ci-bot	27f6587f0e	!240 update version to 40.7 From: @jinlun123123 Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee	2024-01-29 08:26:46 +00:00
jinlun	77c5b8e284	update version to 40.7	2024-01-29 16:00:19 +08:00
openeuler-ci-bot	4f94b5ea93	!224 selinux-policy:update version to 38.21 From: @jinlun123123 Reviewed-by: @HuaxinLuGitee Signed-off-by: @HuaxinLuGitee	2023-07-22 03:45:54 +00:00
jinlun	ccec791b8a	selinux-policy:update version to 38.21	2023-07-21 10:16:55 +08:00