From 67a202caa456cad47b9518a783fa93cc571626e1 Mon Sep 17 00:00:00 2001 
From: luhuaxin <1539327763@qq.com>
Date: Mon, 31 May 2021 16:38:15 +0800
Subject: [PATCH] backport some upstream patches
---
...Add-dev_lock_all_blk_files-interface.patch | 77 ++++++++++
...s_send_msg-lvm_rw_var_run-interfaces.patch | 60 ++++++++
...ew-devices-and-filesystem-interfaces.patch | 102 ++++++++++++
...olved_write_pid_sock_files-interface.patch | 44 ++++++
...certmonger-to-use-opencryptoki-servi.patch | 36 +++++
...to-connect-to-systemd-userdbd-with-a.patch | 33 ++++
...td-manage-kerberos-host-rcache-files.patch | 29 ++++
...cpc_t-domain-transition-to-chronyc_t.patch | 30 ++++
...rt-Allow-domain-stat-proc-filesystem.patch | 27 ++++
...Allow-domain-stat-the-sys-filesystem.patch | 44 ++++++
...n-write-to-an-automount-unnamed-pipe.patch | 42 +++++
...te-to-systemd-resolved-PID-socket-fi.patch | 43 ++++++
...ansition-from-sshd_t-to-unconfined_t.patch | 30 ++++
...reate-run-chronyd-dhcp-directory-wit.patch | 35 +++++
...n_t-get-attributes-of-tmpfs-filesyst.patch | 29 ++++
...attribute-to-get-attributes-in-proc_.patch | 30 ++++
..._userdomain-write-inaccessible-nodes.patch | 47 ++++++
...omain-write-to-systemd-resolved-PID-.patch | 28 ++++
...ow-nsswitch_domain-read-cgroup-files.patch | 33 ++++
...omain-to-connect-to-systemd-machined.patch | 61 ++++++++
...w-passwd-to-get-attributes-in-proc_t.patch | 30 ++++
...low-stub-resolv.conf-to-be-a-symlink.patch | 66 ++++++++
...domain-to-read-write-tmpfs-systemd-b.patch | 87 +++++++++++
...-systemd-logind-dbus-chat-with-fwupd.patch | 29 ++++
...stemd-logind-manage-init-s-pid-files.patch | 59 +++++++
...chined-manage-systemd-userdbd-runtim.patch | 59 +++++++
...solved-manage-its-private-runtime-sy.patch | 27 ++++
...e_t-and-ping_t-to-bind-generic-nodes.patch | 36 +++++
..._t-to-node_bind-icmp_sockets-in-node.patch | 31 ++++
...eate-chronyd_pid_filetrans-interface.patch | 44 ++++++
...macro-corenet_icmp_bind_generic_node.patch | 44 ++++++
...e-transition-for-sshd-on-tmp-krb5_0..patch | 26 ++++
...esolved_read_pid-to-also-read-symlin.patch | 30 ++++
...oid-directly-referencing-systemd_res.patch | 145 ++++++++++++++++++
selinux-policy.spec | 77 +++++++++-
35 files changed, 1648 insertions(+), 2 deletions(-)
create mode 100644 backport-Add-dev_lock_all_blk_files-interface.patch
create mode 100644 backport-Add-lvm_dbus_send_msg-lvm_rw_var_run-interfaces.patch
create mode 100644 backport-Add-new-devices-and-filesystem-interfaces.patch
create mode 100644 backport-Add-systemd_resolved_write_pid_sock_files-interface.patch
create mode 100644 backport-Allow-IPsec-and-certmonger-to-use-opencryptoki-servi.patch
create mode 100644 backport-Allow-all-users-to-connect-to-systemd-userdbd-with-a.patch
create mode 100644 backport-Allow-auditd-manage-kerberos-host-rcache-files.patch
create mode 100644 backport-Allow-dhcpc_t-domain-transition-to-chronyc_t.patch
create mode 100644 backport-Allow-domain-stat-proc-filesystem.patch
create mode 100644 backport-Allow-domain-stat-the-sys-filesystem.patch
create mode 100644 backport-Allow-domain-write-to-an-automount-unnamed-pipe.patch
create mode 100644 backport-Allow-domain-write-to-systemd-resolved-PID-socket-fi.patch
create mode 100644 backport-Allow-dyntransition-from-sshd_t-to-unconfined_t.patch
create mode 100644 backport-Allow-initrc_t-create-run-chronyd-dhcp-directory-wit.patch
create mode 100644 backport-Allow-local_login_t-get-attributes-of-tmpfs-filesyst.patch
create mode 100644 backport-Allow-login_pgm-attribute-to-get-attributes-in-proc_.patch
create mode 100644 backport-Allow-login_userdomain-write-inaccessible-nodes.patch
create mode 100644 backport-Allow-nsswitch-domain-write-to-systemd-resolved-PID-.patch
create mode 100644 backport-Allow-nsswitch_domain-read-cgroup-files.patch
create mode 100644 backport-Allow-nsswitch_domain-to-connect-to-systemd-machined.patch
create mode 100644 backport-Allow-passwd-to-get-attributes-in-proc_t.patch
create mode 100644 backport-Allow-stub-resolv.conf-to-be-a-symlink.patch
create mode 100644 backport-Allow-syslogd_t-domain-to-read-write-tmpfs-systemd-b.patch
create mode 100644 backport-Allow-systemd-logind-dbus-chat-with-fwupd.patch
create mode 100644 backport-Allow-systemd-logind-manage-init-s-pid-files.patch
create mode 100644 backport-Allow-systemd-machined-manage-systemd-userdbd-runtim.patch
create mode 100644 backport-Allow-systemd-resolved-manage-its-private-runtime-sy.patch
create mode 100644 backport-Allow-traceroute_t-and-ping_t-to-bind-generic-nodes.patch
create mode 100644 backport-Allow-unconfined_t-to-node_bind-icmp_sockets-in-node.patch
create mode 100644 backport-Create-chronyd_pid_filetrans-interface.patch
create mode 100644 backport-Create-macro-corenet_icmp_bind_generic_node.patch
create mode 100644 backport-Define-named-file-transition-for-sshd-on-tmp-krb5_0..patch
create mode 100644 backport-Update-systemd_resolved_read_pid-to-also-read-symlin.patch
create mode 100644 backport-sysnetwork.if-avoid-directly-referencing-systemd_res.patch
diff --git a/backport-Add-dev_lock_all_blk_files-interface.patch b/backport-Add-dev_lock_all_blk_files-interface.patch
new file mode 100644
index 0000000..48c1da5
--- /dev/null
+++ b/backport-Add-dev_lock_all_blk_files-interface.patch
@@ -0,0 +1,77 @@ +From 395220122fcd6b93956c758a2a5094487254a89e Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 30 Jul 2020 18:21:16 +0200 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/395220122fcd6b93956c758a2a5094487254a89e +Conflict: NA +Subject: [PATCH] Add dev_lock_all_blk_files() interface + +For use in the dev_lock_all_blk_files() interface, create the +lock_blk_files_pattern and lock_blk_file_perms object permissions set. +--- + policy/modules/kernel/devices.if | 20 ++++++++++++++++++++ + policy/support/file_patterns.spt | 5 +++++ + policy/support/obj_perm_sets.spt | 1 + + 3 files changed, 26 insertions(+) + +diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if +index 932b9bd..2a69660 100644 +--- a/policy/modules/kernel/devices.if ++++ b/policy/modules/kernel/devices.if +@@ -1169,6 +1169,26 @@ interface(`dev_getattr_all_blk_files',` + + ######################################## + ## ++## Lock on all block file device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`dev_lock_all_blk_files',` ++ gen_require(` ++ attribute device_node; ++ type device_t; ++ ') ++ ++ lock_blk_files_pattern($1, device_t, device_node) ++') ++ ++######################################## ++## + ## Read on all block file device nodes. 
+ ## + ## +diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt +index 8aa8c36..7e3fccd 100644 +--- a/policy/support/file_patterns.spt ++++ b/policy/support/file_patterns.spt +@@ -408,6 +408,11 @@ define(`setattr_blk_files_pattern',` + allow $1 $3:blk_file setattr_blk_file_perms; + ') + ++define(`lock_blk_files_pattern',` ++ allow $1 $2:dir search_dir_perms; ++ allow $1 $3:blk_file lock_blk_file_perms; ++') ++ + define(`read_blk_files_pattern',` + allow $1 $2:dir search_dir_perms; + allow $1 $3:blk_file read_blk_file_perms; +diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt +index 399c448..524c586 100644 +--- a/policy/support/obj_perm_sets.spt ++++ b/policy/support/obj_perm_sets.spt +@@ -233,6 +233,7 @@ define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }') + # + define(`getattr_blk_file_perms',`{ getattr }') + define(`setattr_blk_file_perms',`{ setattr }') ++define(`lock_blk_file_perms',`{ getattr lock }') + define(`read_blk_file_perms',`{ getattr open read lock ioctl }') + define(`append_blk_file_perms',`{ getattr open append lock ioctl }') + define(`write_blk_file_perms',`{ getattr open write append lock ioctl }') +-- +1.8.3.1 + diff --git a/backport-Add-lvm_dbus_send_msg-lvm_rw_var_run-interfaces.patch b/backport-Add-lvm_dbus_send_msg-lvm_rw_var_run-interfaces.patch new file mode 100644 index 0000000..95116c8 --- /dev/null +++ b/backport-Add-lvm_dbus_send_msg-lvm_rw_var_run-interfaces.patch 
@@ -0,0 +1,60 @@ +From 86c35f41cfe150545db77835cb96bf342f35f44f Mon Sep 17 00:00:00 2001 +From: Tony Asleson +Date: Fri, 11 Sep 2020 11:06:28 -0500 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/86c35f41cfe150545db77835cb96bf342f35f44f +Conflict: NA +Subject: [PATCH] Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces + +Signed-off-by: Tony Asleson +--- + policy/modules/system/lvm.if | 36 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if +index fbbb39e..7f3903a 100644 +--- a/policy/modules/system/lvm.if ++++ b/policy/modules/system/lvm.if +@@ -452,4 +452,40 @@ interface(`lvm_manage_lock',` + ') + + ++######################################## ++## ++## Allow dbus send for lvm dbus API (only send needed) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lvm_dbus_send_msg',` ++ gen_require(` ++ type lvm_t; ++ class dbus send_msg; ++ ') ++ allow $1 lvm_t:dbus send_msg; + ++') ++ ++######################################## ++## ++## Allow lvm hints file access ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lvm_rw_var_run',` ++ gen_require(` ++ type lvm_t; ++ type lvm_var_run_t; ++ ') ++ allow $1 lvm_var_run_t:file { rw_file_perms }; ++ ++') +-- +1.8.3.1 + diff --git a/backport-Add-new-devices-and-filesystem-interfaces.patch b/backport-Add-new-devices-and-filesystem-interfaces.patch new file mode 100644 index 0000000..a557251 --- /dev/null +++ b/backport-Add-new-devices-and-filesystem-interfaces.patch 
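Review bot: `lvm_rw_var_run` lists `type lvm_t;` in its gen_require but never uses it, and `allow $1 lvm_var_run_t:file { rw_file_perms };` grants read/write on every file labelled lvm_var_run_t without the directory search that the other runtime-directory interface in this series pairs with its rule (the systemd_resolved one calls `files_search_pids($1)` before `write_sock_files_pattern(...)`). The summary "Allow lvm hints file access" is narrower than what the rule grants, so either widen the summary or express the rule as `files_search_pids($1)` followed by `rw_files_pattern($1, lvm_var_run_t, lvm_var_run_t)` and drop the unused `type lvm_t;`. The braces around a single permission-set macro also differ from the style of every other allow rule in this series.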
@@ -0,0 +1,102 @@ +From e6506d8ed109fe85ae9236a62c17f68a8eeedb8f Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 4 Sep 2020 12:28:24 +0200 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/e6506d8ed109fe85ae9236a62c17f68a8eeedb8f +Conflict: NA +Subject: [PATCH] Add new devices and filesystem interfaces + +Add dev_remount_sysfs_fs(), fs_all_mount_fs_perms_xattr_fs(), +fs_all_mount_fs_perms_tmpfs() interfaces. +--- + policy/modules/kernel/devices.if | 18 ++++++++++++++++++ + policy/modules/kernel/filesystem.if | 38 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 56 insertions(+) + +diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if +index 2a69660..61fedbb 100644 +--- a/policy/modules/kernel/devices.if ++++ b/policy/modules/kernel/devices.if +@@ -4832,6 +4832,24 @@ interface(`dev_unmount_sysfs_fs',` + + ######################################## + ## ++## Remount sysfs filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_remount_sysfs_fs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ allow $1 sysfs_t:filesystem remount; ++') ++ ++######################################## ++## + ## Search the sysfs directories. + ## + ## +diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if +index 17a9f08..d3f24d2 100644 +--- a/policy/modules/kernel/filesystem.if ++++ b/policy/modules/kernel/filesystem.if +@@ -169,6 +169,26 @@ interface(`fs_unmount_xattr_fs',` + + ######################################## + ## ++## Mount, remount, unmount a persistent filesystem which ++## has extended attributes, such as ++## ext3, JFS, or XFS. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`fs_all_mount_fs_perms_xattr_fs',` ++ gen_require(` ++ type fs_t; ++ ') ++ ++ allow $1 fs_t:filesystem mount_fs_perms; ++') ++ ++######################################## ++## + ## Get the attributes of persistent + ## filesystems which have extended + ## attributes, such as ext3, JFS, or XFS. +@@ -5206,6 +5226,24 @@ interface(`fs_unmount_tmpfs',` + + ######################################## + ## ++## Mount, remount, unmount a tmpfs filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_all_mount_fs_perms_tmpfs',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ ++ allow $1 tmpfs_t:filesystem mount_fs_perms; ++') ++ ++######################################## ++## + ## Mount on tmpfs directories. + ## + ## +-- +1.8.3.1 + diff --git a/backport-Add-systemd_resolved_write_pid_sock_files-interface.patch b/backport-Add-systemd_resolved_write_pid_sock_files-interface.patch new file mode 100644 index 0000000..62c5d19 --- /dev/null +++ b/backport-Add-systemd_resolved_write_pid_sock_files-interface.patch 
@@ -0,0 +1,44 @@ +From 33837787642166330b1400133de2023aa931f236 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 10 Dec 2020 00:15:37 +0100 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/33837787642166330b1400133de2023aa931f236 +Conflict: NA +Subject: [PATCH] Add systemd_resolved_write_pid_sock_files() interface + +--- + policy/modules/system/systemd.if | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +index ffed76c..26d4927 100644 +--- a/policy/modules/system/systemd.if ++++ b/policy/modules/system/systemd.if +@@ -318,6 +318,25 @@ interface(`systemd_resolved_read_pid',` + + ###################################### + ## ++## Write to systemd_resolved PID socket files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_resolved_write_pid_sock_files',` ++ gen_require(` ++ type systemd_resolved_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ write_sock_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t) ++') ++ ++###################################### ++## + ## Read systemd_login PID files. + ## + ## +-- +1.8.3.1 + diff --git a/backport-Allow-IPsec-and-certmonger-to-use-opencryptoki-servi.patch b/backport-Allow-IPsec-and-certmonger-to-use-opencryptoki-servi.patch new file mode 100644 index 0000000..cd4f833 --- /dev/null +++ b/backport-Allow-IPsec-and-certmonger-to-use-opencryptoki-servi.patch 
@@ -0,0 +1,36 @@ +From 6cc668244e41677470f5e97ab0f680436ac61652 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 26 Apr 2021 22:39:43 +0200 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/6cc668244e41677470f5e97ab0f680436ac61652 +Conflict: NA +Subject: [PATCH] Allow IPsec and certmonger to use opencryptoki services + +Add to certmonger and ipsec policy interface pkcs_use_opencryptoki(), +which allow use opencryptoki. Opencryptoki implements PKCS#11 +standard. + +The original commit has been split in 2 parts, this is the part for ipsec. + +Resolves: rhbz#1952311 +--- + policy/modules/system/ipsec.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te +index 7e99f16..9d679cb 100644 +--- a/policy/modules/system/ipsec.te ++++ b/policy/modules/system/ipsec.te +@@ -247,6 +247,10 @@ optional_policy(` + ') + ') + ++optional_policy(` ++ pkcs_use_opencryptoki(ipsec_t) ++') ++ + ######################################## + # + # ipsec_mgmt Local policy +-- +1.8.3.1 + diff --git a/backport-Allow-all-users-to-connect-to-systemd-userdbd-with-a.patch b/backport-Allow-all-users-to-connect-to-systemd-userdbd-with-a.patch new file mode 100644 index 0000000..81abf32 --- /dev/null +++ b/backport-Allow-all-users-to-connect-to-systemd-userdbd-with-a.patch 
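Review bot: The patch file name and Subject promise IPsec and certmonger, but the only change is `pkcs_use_opencryptoki(ipsec_t)` in ipsec.te, as the description's "this is the part for ipsec" admits; the certmonger half is not visible in this chunk, so the Subject should be narrowed, e.g. `Subject: [PATCH] Allow IPsec to use opencryptoki services`, or the companion patch named in the header. `optional_policy` only guards against the pkcs module being absent; if the target tree's pkcs.if does not define `pkcs_use_opencryptoki()`, the policy build is expected to fail, so the `Conflict: NA` line would be more useful if it recorded that the interface was confirmed present in the target.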
@@ -0,0 +1,33 @@ +From 5e9918310dccf6d6dd1da52c19ce2a2927d0a96e Mon Sep 17 00:00:00 2001 +From: Richard Filo +Date: Mon, 24 Aug 2020 10:55:10 +0200 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/5e9918310dccf6d6dd1da52c19ce2a2927d0a96e +Conflict: NA +Subject: [PATCH] Allow all users to connect to systemd-userdbd with a unix + socket + +Add interface systemd_userdbd_stream_connect() to allow communication using userdb sockets. + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1835630 +--- + policy/modules/system/userdomain.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index 89b4867..756ac4a 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -209,6 +209,10 @@ optional_policy(` + xserver_filetrans_home_content(userdomain) + ') + ++optional_policy(` ++ systemd_userdbd_stream_connect(userdomain) ++') ++ + # rules for types which can read home certs + allow userdom_home_reader_certs_type home_cert_t:dir list_dir_perms; + read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t) +-- +1.8.3.1 + diff --git a/backport-Allow-auditd-manage-kerberos-host-rcache-files.patch b/backport-Allow-auditd-manage-kerberos-host-rcache-files.patch new file mode 100644 index 0000000..8ac7cdd --- /dev/null +++ b/backport-Allow-auditd-manage-kerberos-host-rcache-files.patch 
@@ -0,0 +1,29 @@ +From af31e95e95b62fce1e495df73d817f8a533a2190 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 28 Jul 2020 19:41:56 +0200 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/af31e95e95b62fce1e495df73d817f8a533a2190 +Conflict: NA +Subject: [PATCH] Allow auditd manage kerberos host rcache files + +--- + policy/modules/system/logging.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index cdaba23..db0b849 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -256,6 +256,10 @@ ifdef(`distro_ubuntu',` + ') + + optional_policy(` ++ kerberos_manage_host_rcache(auditd_t) ++') ++ ++optional_policy(` + mta_send_mail(auditd_t) + ') + +-- +1.8.3.1 + diff --git a/backport-Allow-dhcpc_t-domain-transition-to-chronyc_t.patch b/backport-Allow-dhcpc_t-domain-transition-to-chronyc_t.patch new file mode 100644 index 0000000..79aa9ee --- /dev/null +++ b/backport-Allow-dhcpc_t-domain-transition-to-chronyc_t.patch 
@@ -0,0 +1,30 @@ +From 32aa3f5509900563632fec1a1536c84da50553ed Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 1 Apr 2021 17:36:08 +0200 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/32aa3f5509900563632fec1a1536c84da50553ed +Conflict: NA +Subject: [PATCH] Allow dhcpc_t domain transition to chronyc_t + +This permission is required when dhclient-script executes +the chrony.sh script from /etc/dhcp/dhclient.d. + +Resolves: rhbz#1897388 +--- + policy/modules/system/sysnetwork.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te +index fb0a0c8..70eaf92 100644 +--- a/policy/modules/system/sysnetwork.te ++++ b/policy/modules/system/sysnetwork.te +@@ -198,6 +198,7 @@ optional_policy(` + chronyd_initrc_domtrans(dhcpc_t) + chronyd_systemctl(dhcpc_t) + chronyd_domtrans(dhcpc_t) ++ chronyd_domtrans_chronyc(dhcpc_t) + chronyd_read_keys(dhcpc_t) + ') + +-- +1.8.3.1 + diff --git a/backport-Allow-domain-stat-proc-filesystem.patch b/backport-Allow-domain-stat-proc-filesystem.patch new file mode 100644 index 0000000..61c2ee7 --- /dev/null +++ b/backport-Allow-domain-stat-proc-filesystem.patch 
@@ -0,0 +1,27 @@ +From d58c107591c0f99ee8003221296f998ad75d8148 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 4 Jan 2021 19:50:49 +0100 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/d58c107591c0f99ee8003221296f998ad75d8148 +Conflict: NA +Subject: [PATCH] Allow domain stat /proc filesystem + +Resolves: rhbz#1892401 +--- + policy/modules/kernel/domain.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te +index c77a6fe..dff8caa 100644 +--- a/policy/modules/kernel/domain.te ++++ b/policy/modules/kernel/domain.te +@@ -129,6 +129,7 @@ allow domain self:fifo_file rw_fifo_file_perms; + allow domain self:sem create_sem_perms; + allow domain self:shm create_shm_perms; + ++kernel_getattr_proc(domain) + kernel_read_proc_symlinks(domain) + kernel_read_crypto_sysctls(domain) + kernel_read_vm_overcommit_sysctls(domain) +-- +1.8.3.1 + diff --git a/backport-Allow-domain-stat-the-sys-filesystem.patch b/backport-Allow-domain-stat-the-sys-filesystem.patch new file mode 100644 index 0000000..a7c56f4 --- /dev/null +++ b/backport-Allow-domain-stat-the-sys-filesystem.patch 
@@ -0,0 +1,44 @@ +From 506809cbed4f682a030f29b6ee00d79b1570448f Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 19 Feb 2021 21:38:42 +0100 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/506809cbed4f682a030f29b6ee00d79b1570448f +Conflict: NA +Subject: [PATCH] Allow domain stat the /sys filesystem + +Checking for the availability of the /sys filesystem is requested +by all services that want to read hardware state information. +As such, adding this permission would semantically fit into the +dev_read_sysfs() interface to allow the getattr permission for each +domain calling this interface. This would, however, add about 300 new +rules into the policy, so the permission is allowed for the domain +attribute instead not to affect performance much. It seems safe allow +it for all domains. + +Example of such services are rngd, pcscd, usbmuxd. + +Resolves: rhbz#1928572 +Resolves: rhbz#1928611 +Resolves: rhbz#1930992 +--- + policy/modules/kernel/domain.te | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te +index 2ab7a49..8e52b17 100644 +--- a/policy/modules/kernel/domain.te ++++ b/policy/modules/kernel/domain.te +@@ -150,6 +150,11 @@ dev_rw_null(domain) + dev_rw_zero(domain) + term_use_controlling_term(domain) + ++# Allow all domains stat /sys. It is needed by services reading hardware ++# state information, but there is no harm to allow it to all domains in general. ++ ++dev_getattr_sysfs_fs(domain) ++ + # Allow all domains to read /dev/urandom. It is needed by all apps/services + # linked to libgcrypt. There is no harm to allow it by default. + dev_read_urand(domain) +-- +1.8.3.1 + diff --git a/backport-Allow-domain-write-to-an-automount-unnamed-pipe.patch b/backport-Allow-domain-write-to-an-automount-unnamed-pipe.patch new file mode 100644 index 0000000..935b54a --- /dev/null +++ b/backport-Allow-domain-write-to-an-automount-unnamed-pipe.patch 
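Review bot: The new explanatory comment in domain.te is separated from `dev_getattr_sysfs_fs(domain)` by a blank added line, whereas the neighbouring block keeps its comment directly above `dev_read_urand(domain)`; dropping the blank line makes the comment visibly belong to the rule. Since the commit message records why the permission went on the `domain` attribute instead of `dev_read_sysfs()` (rule count), that reasoning and the rhbz references are worth carrying into the in-tree comment, so the next person widening or narrowing this grant does not have to dig through git history.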
@@ -0,0 +1,42 @@ +From 93e95ff085a9877e5ab981db18b2ba37409b3cb2 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 24 Sep 2020 13:12:54 +0200 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/93e95ff085a9877e5ab981db18b2ba37409b3cb2 +Conflict: NA +Subject: [PATCH] Allow domain write to an automount unnamed pipe + +With the kernel commit 13c164b1a186 ("autofs: switch to kernel_write"), +an additional LSM permission check is done when a process tries to +access a directory on an autofs volume, which has not been mounted yet, +and it results in a write operation to the automount pipe. + +This commit allows any domain write to the unnamed pipe kernel uses to +communicate with automount to service the directory access request and +should be considered a temporary workaround until a different +implementation in kernel is found. + +Resolves: rhbz#1874338 +--- + policy/modules/kernel/domain.te | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te +index b883be0..c77a6fe 100644 +--- a/policy/modules/kernel/domain.te ++++ b/policy/modules/kernel/domain.te +@@ -570,6 +570,12 @@ optional_policy(` + ') + + optional_policy(` ++ # A workaround to handle additional permissions check ++ # introduced as an involuntary result of a kernel change ++ automount_write_pipes(domain) ++') ++ ++optional_policy(` + sosreport_append_tmp_files(domain) + ') + +-- +1.8.3.1 + diff --git a/backport-Allow-domain-write-to-systemd-resolved-PID-socket-fi.patch b/backport-Allow-domain-write-to-systemd-resolved-PID-socket-fi.patch new file mode 100644 index 0000000..850dc10 --- /dev/null +++ b/backport-Allow-domain-write-to-systemd-resolved-PID-socket-fi.patch 
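Review bot: The in-tree comment `# A workaround to handle additional permissions check / # introduced as an involuntary result of a kernel change` drops the two facts the commit message has — the kernel commit 13c164b1a186 ("autofs: switch to kernel_write") and rhbz#1874338 — which are exactly what a later maintainer needs in order to decide when `automount_write_pipes(domain)` can be removed. Suggest replacing it with `# Workaround for kernel commit 13c164b1a186 ("autofs: switch to kernel_write"), see rhbz#1874338; revisit once the kernel side changes`. The message itself calls the all-domain write grant temporary, so the pointer is what keeps it temporary. The enclosing optional_policy block opens inside the hunk and closes there too, but the surrounding file context is not visible.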
@@ -0,0 +1,43 @@ +From 7bcba980168b70a4164a1ec768ea56e723ed390b Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 25 Jan 2021 22:08:16 +0100 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/7bcba980168b70a4164a1ec768ea56e723ed390b +Conflict: NA +Subject: [PATCH] Allow domain write to systemd-resolved PID socket files + +Previously, the permission was allowed for the nsswitch_domain +attribute which turned out not to be sufficient. + +Resolves: rhbz#1900175 +--- + policy/modules/kernel/domain.te | 1 + + policy/modules/system/authlogin.te | 1 - + 2 files changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te +index dff8caa..2ab7a49 100644 +--- a/policy/modules/kernel/domain.te ++++ b/policy/modules/kernel/domain.te +@@ -510,6 +510,7 @@ optional_policy(` + systemd_login_reboot(unconfined_domain_type) + systemd_login_halt(unconfined_domain_type) + systemd_login_undefined(unconfined_domain_type) ++ systemd_resolved_write_pid_sock_files(domain) + systemd_filetrans_named_content(named_filetrans_domain) + systemd_filetrans_named_hostname(named_filetrans_domain) + systemd_filetrans_home_content(named_filetrans_domain) +diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te +index 576ec5f..068caed 100644 +--- a/policy/modules/system/authlogin.te ++++ b/policy/modules/system/authlogin.te +@@ -562,7 +562,6 @@ optional_policy(` + ') + + optional_policy(` +- systemd_resolved_write_pid_sock_files(nsswitch_domain) + systemd_userdbd_stream_connect(nsswitch_domain) + systemd_machined_stream_connect(nsswitch_domain) + ') +-- +1.8.3.1 + diff --git a/backport-Allow-dyntransition-from-sshd_t-to-unconfined_t.patch b/backport-Allow-dyntransition-from-sshd_t-to-unconfined_t.patch new file mode 100644 index 0000000..08484d6 --- /dev/null +++ b/backport-Allow-dyntransition-from-sshd_t-to-unconfined_t.patch 
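Review bot: This patch removes `systemd_resolved_write_pid_sock_files(nsswitch_domain)` from authlogin.te (index 576ec5f..068caed) — the very line that the nsswitch-domain patch at the end of this chunk adds (index 068caed..576ec5f) — so the series only applies if the nsswitch patch is applied first, while alphabetical naming puts this "domain-write" patch before "nsswitch-domain-write"; the spec's Patch ordering is outside this chunk and should be checked. The same index chain links the domain.te hunks of this series (automount b883be0..c77a6fe, stat-proc c77a6fe..dff8caa, this one dff8caa..2ab7a49, stat-sys 2ab7a49..8e52b17), though those touch separate regions and would likely apply with an offset. In domain.te the new all-domain call sits inside an optional_policy block whose other visible lines target unconfined_domain_type and named_filetrans_domain, so a reader scanning for grants to every domain will miss it; a one-line comment such as `# every domain, not only nsswitch_domain, see rhbz#1900175` next to it would help. The enclosing optional_policy block starts outside the nested hunk.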
@@ -0,0 +1,30 @@ +From 3a9a9a5de73cadfd9629967c3e9b105b3cfc48e0 Mon Sep 17 00:00:00 2001 +From: Patrik Koncity +Date: Wed, 9 Sep 2020 12:09:09 +0200 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/3a9a9a5de73cadfd9629967c3e9b105b3cfc48e0 +Conflict: NA +Subject: [PATCH] Allow dyntransition from sshd_t to unconfined_t + +Removing attribute in previous commit affected connecting via ssh to unconfined user. +Missed dyntransition from sshd domain to unconfined domain. +Added ssh_dyntransition_to() interface. +--- + policy/modules/roles/unconfineduser.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te +index ca8947b..4ab04b3 100644 +--- a/policy/modules/roles/unconfineduser.te ++++ b/policy/modules/roles/unconfineduser.te +@@ -91,6 +91,8 @@ logging_send_syslog_msg(unconfined_t) + + systemd_config_all_services(unconfined_t) + ++ssh_dyntransition_to(unconfined_t) ++ + unconfined_domain_noaudit(unconfined_t) + domain_named_filetrans(unconfined_t) + domain_transition_all(unconfined_t) +-- +1.8.3.1 + diff --git a/backport-Allow-initrc_t-create-run-chronyd-dhcp-directory-wit.patch b/backport-Allow-initrc_t-create-run-chronyd-dhcp-directory-wit.patch new file mode 100644 index 0000000..36916e2 --- /dev/null +++ b/backport-Allow-initrc_t-create-run-chronyd-dhcp-directory-wit.patch 
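Review bot: The commit message says "Added ssh_dyntransition_to() interface", but this patch only calls `ssh_dyntransition_to(unconfined_t)`; the interface definition is not part of this backport and no patch name in the series list in the preamble suggests it is carried elsewhere, so the build depends on the target tree's ssh.if already providing it — worth confirming and recording on the `Conflict:` line. Because the rule permits a dynamic transition from the sshd domain into unconfined_t, a short comment on the rule stating the case it serves (from the message: ssh logins for unconfined users after the attribute removal) would document why a transition of that strength is granted here rather than in ssh.te.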
@@ -0,0 +1,35 @@ +From bad3809a314f6e6d1199e2201eb0c4fefbc8766a Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 14 Oct 2020 22:45:29 +0200 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/bad3809a314f6e6d1199e2201eb0c4fefbc8766a +Conflict: NA +Subject: [PATCH] Allow initrc_t create /run/chronyd-dhcp directory with a + transition + +Chronyd is required to read preferred sources files stored in +/run/chronyd-dhcp to be able to get correct time settings +from the dhcp server and have them applied. + +Resolves: rhbz#1880948 +--- + policy/modules/system/init.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 50b655b..f72a8ef 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -1210,6 +1210,10 @@ ifdef(`distro_redhat',` + ') + + optional_policy(` ++ chronyd_pid_filetrans(initrc_t) ++ ') ++ ++ optional_policy(` + cyrus_write_data(initrc_t) + ') + +-- +1.8.3.1 + diff --git a/backport-Allow-local_login_t-get-attributes-of-tmpfs-filesyst.patch b/backport-Allow-local_login_t-get-attributes-of-tmpfs-filesyst.patch new file mode 100644 index 0000000..4290b02 --- /dev/null +++ b/backport-Allow-local_login_t-get-attributes-of-tmpfs-filesyst.patch 
@@ -0,0 +1,29 @@ +From 4f44d3028edb3cda2b2c1d1fc7858b481d866b94 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 19 Mar 2021 16:55:32 +0100 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/4f44d3028edb3cda2b2c1d1fc7858b481d866b94 +Conflict: NA +Subject: [PATCH] Allow local_login_t get attributes of tmpfs filesystems + +This permission is required when the system booted with cgroups v1. + +Resolves: rhbz#1894759 +--- + policy/modules/system/locallogin.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te +index 10fa85d..e1e5649 100644 +--- a/policy/modules/system/locallogin.te ++++ b/policy/modules/system/locallogin.te +@@ -113,6 +113,7 @@ files_create_home_dir(local_login_t) + + fs_search_auto_mountpoints(local_login_t) + fs_getattr_cgroup(local_login_t) ++fs_getattr_tmpfs(local_login_t) + + storage_dontaudit_getattr_fixed_disk_dev(local_login_t) + storage_dontaudit_setattr_fixed_disk_dev(local_login_t) +-- +1.8.3.1 + diff --git a/backport-Allow-login_pgm-attribute-to-get-attributes-in-proc_.patch b/backport-Allow-login_pgm-attribute-to-get-attributes-in-proc_.patch new file mode 100644 index 0000000..414ee24 --- /dev/null +++ b/backport-Allow-login_pgm-attribute-to-get-attributes-in-proc_.patch 
@@ -0,0 +1,30 @@ +From f2d77890bfcbe5b514c6205f288eeb73fe2225af Mon Sep 17 00:00:00 2001 +From: Patrik Koncity +Date: Fri, 21 Aug 2020 15:48:27 +0200 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/f2d77890bfcbe5b514c6205f288eeb73fe2225af +Conflict: NA +Subject: [PATCH] Allow login_pgm attribute to get attributes in proc_t + +Allow login_pgm attribute, which contain domain like local_login_t +and cockpit_session_t, get attributes on filesystem /proc. + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1853730 +--- + policy/modules/system/authlogin.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te +index 6043c45..f3870d3 100644 +--- a/policy/modules/system/authlogin.te ++++ b/policy/modules/system/authlogin.te +@@ -607,6 +607,7 @@ auth_filetrans_home_content(login_pgm) + # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 + kernel_search_network_sysctl(login_pgm) + kernel_rw_afs_state(login_pgm) ++kernel_getattr_proc(login_pgm) + + tunable_policy(`authlogin_radius',` + corenet_udp_bind_all_unreserved_ports(login_pgm) +-- +1.8.3.1 + diff --git a/backport-Allow-login_userdomain-write-inaccessible-nodes.patch b/backport-Allow-login_userdomain-write-inaccessible-nodes.patch new file mode 100644 index 0000000..92f5a5b --- /dev/null +++ b/backport-Allow-login_userdomain-write-inaccessible-nodes.patch 
@@ -0,0 +1,47 @@ +From ed68ca8f488ca36b74b6146f3008a89072ffdcc9 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 5 Mar 2021 18:05:58 +0100 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/ed68ca8f488ca36b74b6146f3008a89072ffdcc9 +Conflict: NA +Subject: [PATCH] Allow login_userdomain write inaccessible nodes + +The permissions for creating blk_file, chr_file, fifo_file, sock_file +and regular file were added for systemd to create inaccessible nodes +in /run/user/*/systemd/inaccessible. + +Addresses the following denial: + +type=PATH msg=audit(22.2.2021 09:15:47.751:332) : item=1 +name=/run/user/1000/systemd/inaccessible/chr inode=8 dev=00:29 +mode=character,000 ouid=user ogid=user rdev=00:00 +obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none +cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=AVC msg=audit(22.2.2021 09:15:47.751:332) : avc: denied { create } +for pid=1714 comm=systemd name=chr scontext=user_u:user_r:user_t:s0-s0:c0.c1023 +tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1 +--- + policy/modules/system/userdomain.te | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index 196bcc0..94c5ff6 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -370,6 +370,14 @@ optional_policy(` + ') + + ############################################################ ++# login_userdomain local policy ++ ++create_blk_files_pattern(login_userdomain, user_tmp_t, user_tmp_t ) ++create_chr_files_pattern(login_userdomain, user_tmp_t, user_tmp_t ) ++create_fifo_files_pattern(login_userdomain, user_tmp_t, user_tmp_t ) ++create_files_pattern(login_userdomain, user_tmp_t, user_tmp_t ) ++create_sock_files_pattern(login_userdomain, user_tmp_t, user_tmp_t ) ++ + # Local Policy Confined Admin + # + gen_require(` +-- +1.8.3.1 + 
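Review bot: The five create_*_files_pattern rules grant every login_userdomain member create access on blk_file, chr_file, fifo_file, file and sock_file objects anywhere under user_tmp_t, not only in the `/run/user/*/systemd/inaccessible` directory the description names, and the hunk records none of that rationale next to the rules. A comment above the block, `# systemd --user creates mode-000 placeholder nodes under /run/user/*/systemd/inaccessible`, keeps the justification with the grant, since the audit record that explains it lives only in the commit message. The stray space before the closing parenthesis in `user_tmp_t )` on all five lines also departs from the `pattern(a, b, c)` form used by the other *_pattern calls in this series.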
diff --git a/backport-Allow-nsswitch-domain-write-to-systemd-resolved-PID-.patch b/backport-Allow-nsswitch-domain-write-to-systemd-resolved-PID-.patch new file mode 100644 index 0000000..763d6e4 --- /dev/null +++ b/backport-Allow-nsswitch-domain-write-to-systemd-resolved-PID-.patch @@ -0,0 +1,28 @@ +From a3ec0f513ede0204be0e793b9e4f19214e9ce063 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 10 Dec 2020 00:17:57 +0100 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/a3ec0f513ede0204be0e793b9e4f19214e9ce063 +Conflict: NA +Subject: [PATCH] Allow nsswitch-domain write to systemd-resolved PID socket + files + +Resolves: rhbz#1900143 +--- + policy/modules/system/authlogin.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te +index 068caed..576ec5f 100644 +--- a/policy/modules/system/authlogin.te ++++ b/policy/modules/system/authlogin.te +@@ -562,6 +562,7 @@ optional_policy(` + ') + + optional_policy(` ++ systemd_resolved_write_pid_sock_files(nsswitch_domain) + systemd_userdbd_stream_connect(nsswitch_domain) + systemd_machined_stream_connect(nsswitch_domain) + ') +-- +1.8.3.1 + diff --git a/backport-Allow-nsswitch_domain-read-cgroup-files.patch b/backport-Allow-nsswitch_domain-read-cgroup-files.patch new file mode 100644 index 0000000..4dd3ab1 --- /dev/null +++ b/backport-Allow-nsswitch_domain-read-cgroup-files.patch 
@@ -0,0 +1,33 @@
+From d7924a942d84c255fb9d85f262fd68a9e08c2433 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 30 Mar 2021 20:54:17 +0200
+Reference: https://github.com/fedora-selinux/selinux-policy/commit/d7924a942d84c255fb9d85f262fd68a9e08c2433
+Conflict: NA
+Subject: [PATCH] Allow nsswitch_domain read cgroup files
+
+This permission is required when the systemd nss module is used
+in nsswitch.conf for users or groups. The module checks whether
+the current process is running in the root cgroup, or if rather
+cgroup namespaces are in place.
+
+Resolves: rhbz#1895061
+---
+ policy/modules/system/authlogin.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index 068caed..0e54d0a 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -465,6 +465,8 @@ files_list_var_lib(nsswitch_domain)
+ # read /etc/nsswitch.conf
+ files_read_etc_files(nsswitch_domain)
+ 
++fs_read_cgroup_files(nsswitch_domain)
++
+ init_stream_connectto(nsswitch_domain)
+ 
+ sysnet_dns_name_resolve(nsswitch_domain)
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-nsswitch_domain-to-connect-to-systemd-machined.patch b/backport-Allow-nsswitch_domain-to-connect-to-systemd-machined.patch
new file mode 100644
index 0000000..91e53e7
--- /dev/null
+++ b/backport-Allow-nsswitch_domain-to-connect-to-systemd-machined.patch
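Review bot: The new `fs_read_cgroup_files(nsswitch_domain)` line carries no comment, while the neighbouring rule in the same hunk is annotated with `# read /etc/nsswitch.conf`; the reason for the grant exists only in the commit message. Because nsswitch_domain is a broad attribute covering every domain that resolves users or groups, a comment such as `# nss-systemd checks whether the process runs in the root cgroup (cgroup namespaces)` keeps the justification next to the rule for the next reviewer.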
@@ -0,0 +1,61 @@ +From 6fe205674f9cd1face5e2cf1aeb90d265ef89ba8 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 12 Aug 2020 12:09:21 +0200 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/6fe205674f9cd1face5e2cf1aeb90d265ef89ba8 +Conflict: NA +Subject: [PATCH] Allow nsswitch_domain to connect to systemd-machined using a + unix socket + +Create the systemd_machined_stream_connect() interface. + +Resolves: rhbz#1865748 +--- + policy/modules/system/authlogin.te | 1 + + policy/modules/system/systemd.if | 19 +++++++++++++++++++ + 2 files changed, 20 insertions(+) + +diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te +index 25d1691..6043c45 100644 +--- a/policy/modules/system/authlogin.te ++++ b/policy/modules/system/authlogin.te +@@ -563,6 +563,7 @@ optional_policy(` + + optional_policy(` + systemd_userdbd_stream_connect(nsswitch_domain) ++ systemd_machined_stream_connect(nsswitch_domain) + ') + + optional_policy(` +diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +index a6d8bd0..dbc8fc9 100644 +--- a/policy/modules/system/systemd.if ++++ b/policy/modules/system/systemd.if +@@ -2001,6 +2001,25 @@ interface(`systemd_machined_rw_devpts_chr_files',` + + ######################################## + ## ++## Allow the specified domain to connect to ++## systemd_machined with a unix socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_machined_stream_connect',` ++ gen_require(` ++ type systemd_machined_t; ++ ') ++ ++ allow $1 systemd_machined_t:unix_stream_socket connectto; ++') ++ ++######################################## ++## + ## Send and receive messages from + ## systemd machined over dbus. + ## +-- +1.8.3.1 + diff --git a/backport-Allow-passwd-to-get-attributes-in-proc_t.patch b/backport-Allow-passwd-to-get-attributes-in-proc_t.patch new file mode 100644 index 0000000..2f4b10f --- /dev/null 
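Review bot: `systemd_machined_stream_connect` grants only `unix_stream_socket connectto` on systemd_machined_t; it grants no write access on the socket file in machined's runtime directory, which connecting to a filesystem-bound socket also requires. If that sock_file write is not granted to nsswitch_domain elsewhere, the denial moves from connectto to the sock_file class rather than going away; the reference-policy convention is `stream_connect_pattern` over the runtime type, which covers both in one call. The userdbd counterpart this rule is placed next to is outside the hunk, so I cannot confirm which form it uses.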
+++ b/backport-Allow-passwd-to-get-attributes-in-proc_t.patch @@ -0,0 +1,30 @@ +From 44a5636ce1fb9d8d306fe49b821b84114ab28746 Mon Sep 17 00:00:00 2001 +From: Patrik Koncity +Date: Fri, 21 Aug 2020 15:47:20 +0200 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/44a5636ce1fb9d8d306fe49b821b84114ab28746 +Conflict: NA +Subject: [PATCH] Allow passwd to get attributes in proc_t + +Add interface kernel_getattr_proc() to passwd policy. +This macro allow paswd get attributes on filesystem /proc. + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1858738 +--- + policy/modules/admin/usermanage.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te +index 262f01e..16b43b6 100644 +--- a/policy/modules/admin/usermanage.te ++++ b/policy/modules/admin/usermanage.te +@@ -332,6 +332,7 @@ allow passwd_t crack_db_t:dir list_dir_perms; + read_files_pattern(passwd_t, crack_db_t, crack_db_t) + + kernel_read_kernel_sysctls(passwd_t) ++kernel_getattr_proc(passwd_t) + + # for SSP + dev_read_urand(passwd_t) +-- +1.8.3.1 + diff --git a/backport-Allow-stub-resolv.conf-to-be-a-symlink.patch b/backport-Allow-stub-resolv.conf-to-be-a-symlink.patch new file mode 100644 index 0000000..81ef773 --- /dev/null +++ b/backport-Allow-stub-resolv.conf-to-be-a-symlink.patch 
@@ -0,0 +1,66 @@ +From 82e42900ad8027abed98f0b5d7a0969223fa4a7b Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Fri, 11 Dec 2020 17:21:14 +0100 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/82e42900ad8027abed98f0b5d7a0969223fa4a7b +Conflict: NA +Subject: [PATCH] Allow stub-resolv.conf to be a symlink + +It turns out that under certain configurations, +/var/run/systemd/resolve/stub-resolv.conf can be a symlink instead of a +regular file (see [1]). In such case, domains such as NetworkManager_t +and chronyd_t need to be able to read it, which is denied since the +symlink ends up being labeled as systemd_resolved_var_run_t. + +So make sure that such symlink is also labeled net_conf_t and extend +sysnet_read_config() to allow also reading symlinks. + +NOTE: Further unification/simplification of /etc network config symlinks +would now be possible (basically reverting f1505fca7063 ("Label +/etc/resolv.conf as net_conf_t only if it is a plain file")), but that +leads down to a deeper rabbit hole, so it's not addressed here. + +[1] https://src.fedoraproject.org/rpms/selinux-policy/pull-request/135#comment-62439 + +Signed-off-by: Ondrej Mosnacek +--- + policy/modules/system/sysnetwork.fc | 2 +- + policy/modules/system/sysnetwork.if | 3 ++- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc +index 27eb98b..de92927 100644 +--- a/policy/modules/system/sysnetwork.fc ++++ b/policy/modules/system/sysnetwork.fc +@@ -38,7 +38,7 @@ ifdef(`distro_redhat',` + /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0) + /var/run/systemd/network(/.*)? 
gen_context(system_u:object_r:net_conf_t,s0) + /var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) +-/var/run/systemd/resolve/stub-resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) ++/var/run/systemd/resolve/stub-resolv\.conf gen_context(system_u:object_r:net_conf_t,s0) + ') + /var/run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) + +diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if +index d7b696b..25e6b13 100644 +--- a/policy/modules/system/sysnetwork.if ++++ b/policy/modules/system/sysnetwork.if +@@ -456,6 +456,7 @@ interface(`sysnet_read_config',` + allow $1 net_conf_t:dir list_dir_perms; + allow $1 net_conf_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, net_conf_t, net_conf_t) ++ read_lnk_files_pattern($1, net_conf_t, net_conf_t) + ') + ') + +@@ -1144,7 +1145,7 @@ interface(`sysnet_filetrans_systemd_resolved',` + optional_policy(` + systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf") + systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp") +- systemd_resolved_pid_filetrans($1, net_conf_t, file, "stub-resolv.conf") ++ systemd_resolved_pid_filetrans($1, net_conf_t, { file lnk_file }, "stub-resolv.conf") + ') + ') + +-- +1.8.3.1 + diff --git a/backport-Allow-syslogd_t-domain-to-read-write-tmpfs-systemd-b.patch b/backport-Allow-syslogd_t-domain-to-read-write-tmpfs-systemd-b.patch new file mode 100644 index 0000000..5bd11bc --- /dev/null +++ b/backport-Allow-syslogd_t-domain-to-read-write-tmpfs-systemd-b.patch 
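Review bot: The added `read_lnk_files_pattern($1, net_conf_t, net_conf_t)` in sysnet_read_config largely duplicates the `allow $1 net_conf_t:lnk_file read_lnk_file_perms;` line two lines above it; the only extra access the pattern adds is search on net_conf_t directories, which the `list_dir_perms` rule on the line before already includes. Keeping one of the two (either the pattern alone, or the existing allow) avoids two rules expressing the same access. The .fc change is consistent with the `{ file lnk_file }` filetrans: dropping the `--` qualifier labels any object named stub-resolv.conf in that directory net_conf_t, which is what the description intends.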
@@ -0,0 +1,87 @@ +From 204a23cf3da322e59c1b7af2e5cd62c835b91c2a Mon Sep 17 00:00:00 2001 +From: Richard Filo +Date: Thu, 20 Aug 2020 22:25:28 +0200 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/204a23cf3da322e59c1b7af2e5cd62c835b91c2a +Conflict: NA +Subject: [PATCH] Allow syslogd_t domain to read/write tmpfs systemd-bootchart + files + +Create the two interfaces to allow mapping and r/w permisions. +Add this two interfaces to the policy for domain syslogd_t. + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1838163 + +The one way how can the systemd-journald get a log data from any services is by socket /run/systemd/journal/socket. But when the message is bigger than max size of datagram, it must be done differently. It is by filedescriptor, which is connected to the datagram and in the file to which the file descriptor refers are the log data that were not sent. The file is created by memfd_create() syscall and in kernel the file is implemented as tmpfs. + +That means any service can communicate in this way. 
+--- + policy/modules/system/logging.te | 5 +++++ + policy/modules/system/systemd.if | 36 ++++++++++++++++++++++++++++++++++++ + 2 files changed, 41 insertions(+) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index db0b849..8f6286d 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -720,6 +720,11 @@ optional_policy(` + ') + + optional_policy(` ++ systemd_rw_bootchart_tmpfs_files(syslogd_t) ++ systemd_map_bootchart_tmpfs_files(syslogd_t) ++') ++ ++optional_policy(` + daemontools_search_svc_dir(syslogd_t) + ') + +diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +index dbc8fc9..ff31161 100644 +--- a/policy/modules/system/systemd.if ++++ b/policy/modules/system/systemd.if +@@ -2096,6 +2096,42 @@ interface(`systemd_rw_coredump_tmpfs_files',` + + ######################################## + ## ++## Mmap to systemd-bootchart temporary file system. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_map_bootchart_tmpfs_files',` ++ gen_require(` ++ type systemd_bootchart_tmpfs_t; ++ ') ++ ++ allow $1 systemd_bootchart_tmpfs_t:file map; ++') ++ ++######################################## ++## ++## Read and write to systemd-bootchart temporary file system. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_rw_bootchart_tmpfs_files',` ++ gen_require(` ++ type systemd_bootchart_tmpfs_t; ++ ') ++ ++ allow $1 systemd_bootchart_tmpfs_t:file rw_file_perms; ++') ++ ++######################################## ++## + ## Allow process to read hwdb config file. + ## + ## +-- +1.8.3.1 + diff --git a/backport-Allow-systemd-logind-dbus-chat-with-fwupd.patch b/backport-Allow-systemd-logind-dbus-chat-with-fwupd.patch new file mode 100644 index 0000000..b1d903a --- /dev/null +++ b/backport-Allow-systemd-logind-dbus-chat-with-fwupd.patch 
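Review bot: The `map` permission in systemd_map_bootchart_tmpfs_files, together with rw_file_perms from the second interface, lets syslogd_t map a memfd that, per the description, any client service created and may still hold; the policy cannot make that content immutable once shared, so the consumer has to rely on memfd sealing (presumably what journald does on receipt — confirm). The interface summary `Mmap to systemd-bootchart temporary file system.` could read `Map systemd-bootchart tmpfs files.` to match the file-class allow rule it contains.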
@@ -0,0 +1,29 @@
+From 5867b09c03641f8a270863952a67cff61c3cc8e4 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 24 Jul 2020 21:28:43 +0200
+Reference: https://github.com/fedora-selinux/selinux-policy/commit/5867b09c03641f8a270863952a67cff61c3cc8e4
+Conflict: NA
+Subject: [PATCH] Allow systemd-logind dbus chat with fwupd
+
+---
+ policy/modules/system/systemd.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 7cb36c4..367758a 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -353,6 +353,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ fwupd_dbus_chat(systemd_logind_t)
++')
++
++optional_policy(`
+ # we label /run/user/$USER/dconf as config_home_t
+ gnome_manage_home_config_dirs(systemd_logind_t)
+ gnome_manage_home_config(systemd_logind_t)
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-systemd-logind-manage-init-s-pid-files.patch b/backport-Allow-systemd-logind-manage-init-s-pid-files.patch
new file mode 100644
index 0000000..2bdca26
--- /dev/null
+++ b/backport-Allow-systemd-logind-manage-init-s-pid-files.patch
@@ -0,0 +1,59 @@ +From 099b9776b76a31cdf8281e06f9cc27946b26cf9f Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 7 Dec 2020 22:15:18 +0100 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/099b9776b76a31cdf8281e06f9cc27946b26cf9f +Conflict: NA +Subject: [PATCH] Allow systemd-logind manage init's pid files + +Added init_manage_pid_files() interface. + +Resolves: rhbz#1856399 +--- + policy/modules/system/init.if | 18 ++++++++++++++++++ + policy/modules/system/systemd.te | 1 + + 2 files changed, 19 insertions(+) + +diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if +index 629af26..4674755 100644 +--- a/policy/modules/system/init.if ++++ b/policy/modules/system/init.if +@@ -2838,6 +2838,24 @@ interface(`init_read_pid_files',` + + ######################################## + ## ++## Manage init pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_manage_pid_files',` ++ gen_require(` ++ type init_var_run_t; ++ ') ++ ++ manage_files_pattern($1, init_var_run_t, init_var_run_t) ++') ++ ++######################################## ++## + ## Read init unnamed pipes. + ## + ## +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 24cf02e..332d716 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -297,6 +297,7 @@ init_signal_script(systemd_logind_t) + init_getattr_script_status_files(systemd_logind_t) + init_read_utmp(systemd_logind_t) + init_config_transient_files(systemd_logind_t) ++init_manage_pid_files(systemd_logind_t) + + getty_systemctl(systemd_logind_t) + +-- +1.8.3.1 + diff --git a/backport-Allow-systemd-machined-manage-systemd-userdbd-runtim.patch b/backport-Allow-systemd-machined-manage-systemd-userdbd-runtim.patch new file mode 100644 index 0000000..390a484 --- /dev/null +++ b/backport-Allow-systemd-machined-manage-systemd-userdbd-runtim.patch 
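Review bot: `init_manage_pid_files(systemd_logind_t)` grants the full manage set (create, write, rename, unlink and so on) on every init_var_run_t file, i.e. PID 1's whole runtime tree, for a denial the description identifies only by bug number. If the denial concerns one file or subdirectory, a narrower interface or a dedicated type would be preferable; at minimum a comment on the new .te line naming the path that needed write access (taken from the referenced bug) would document why logind gets this much. The `## Manage init pid files.` summary itself is adequate.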
@@ -0,0 +1,59 @@ +From 9b31818705c564f94c46366ef83efa4951ffa64a Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 12 Jan 2021 18:36:07 +0100 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/9b31818705c564f94c46366ef83efa4951ffa64a +Conflict: NA +Subject: [PATCH] Allow systemd-machined manage systemd-userdbd runtime sockets + +Add the systemd_manage_userdbd_runtime_sock_files() interface +and remove systemd_create_userdbd_runtime_sock_files() +which is not used any longer. + +Resolves: rhbz#1891182 +--- + policy/modules/system/systemd.if | 6 +++--- + policy/modules/system/systemd.te | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +index d10ae16..67479ce 100644 +--- a/policy/modules/system/systemd.if ++++ b/policy/modules/system/systemd.if +@@ -2486,7 +2486,7 @@ interface(`systemd_userdbd_stream_connect',` + + ####################################### + ## +-## Create a named socket in userdbd runtime directory ++## Manage named sockets in userdbd runtime directory + ## + ## + ## +@@ -2494,10 +2494,10 @@ interface(`systemd_userdbd_stream_connect',` + ## + ## + # +-interface(`systemd_create_userdbd_runtime_sock_files',` ++interface(`systemd_manage_userdbd_runtime_sock_files',` + gen_require(` + type systemd_userdbd_runtime_t; + ') + +- create_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) ++ manage_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) + ') +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index c806b29..3eb12be 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -416,7 +416,7 @@ init_manage_config_transient_files(systemd_machined_t) + logging_dgram_send(systemd_machined_t) + + systemd_read_efivarfs(systemd_machined_t) +-systemd_create_userdbd_runtime_sock_files(systemd_machined_t) 
++systemd_manage_userdbd_runtime_sock_files(systemd_machined_t) + + userdom_dbus_send_all_users(systemd_machined_t) + +-- +1.8.3.1 + diff --git a/backport-Allow-systemd-resolved-manage-its-private-runtime-sy.patch b/backport-Allow-systemd-resolved-manage-its-private-runtime-sy.patch new file mode 100644 index 0000000..5d563f4 --- /dev/null +++ b/backport-Allow-systemd-resolved-manage-its-private-runtime-sy.patch @@ -0,0 +1,27 @@ +From 17fe432dfcf5b3e3b4d6185cfdab6489135045e8 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 8 Dec 2020 15:53:05 +0100 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/17fe432dfcf5b3e3b4d6185cfdab6489135045e8 +Conflict: NA +Subject: [PATCH] Allow systemd-resolved manage its private runtime symlinks + +Resolves: rhbz#1896796 +--- + policy/modules/system/systemd.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 806b7d6..24cf02e 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1047,6 +1047,7 @@ allow systemd_resolved_t self:unix_dgram_socket create_socket_perms; + + manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t) + manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t) ++manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t) + init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir) + + list_dirs_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) +-- +1.8.3.1 + diff --git a/backport-Allow-traceroute_t-and-ping_t-to-bind-generic-nodes.patch b/backport-Allow-traceroute_t-and-ping_t-to-bind-generic-nodes.patch new file mode 100644 index 0000000..461078e --- /dev/null +++ b/backport-Allow-traceroute_t-and-ping_t-to-bind-generic-nodes.patch 
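Review bot: The hunk removes `systemd_create_userdbd_runtime_sock_files` from systemd.if instead of leaving a deprecated alias, so any caller outside the two files this patch touches fails at policy build time. Upstream states the interface is unused, but this series is applied on top of downstream patches (the spec lists add-avc-for-openEuler-1.patch among others), so those should be grepped for the old name before merging. The widening from create to manage_sock_files_pattern also gives machined rename and unlink on userdbd's sockets; a short comment on the .te line stating which operation the bug required would help.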
@@ -0,0 +1,36 @@ +From 1aa9e5609375815103d2445df1746cb90a02b55a Mon Sep 17 00:00:00 2001 +From: Patrik Koncity +Date: Tue, 11 Aug 2020 14:19:29 +0200 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/1aa9e5609375815103d2445df1746cb90a02b55a +Conflict: NA +Subject: [PATCH] Allow traceroute_t and ping_t to bind generic nodes. + +Use newly created macro corenet_icmp_bind_generic_node() for ping_t and traceroute_t. +This macro allowing bind generic nodes in node_t domain. +--- + policy/modules/admin/netutils.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te +index f835af5..5793fe9 100644 +--- a/policy/modules/admin/netutils.te ++++ b/policy/modules/admin/netutils.te +@@ -140,6 +140,7 @@ corenet_raw_sendrecv_generic_node(ping_t) + corenet_tcp_sendrecv_generic_node(ping_t) + corenet_raw_bind_generic_node(ping_t) + corenet_tcp_sendrecv_all_ports(ping_t) ++corenet_icmp_bind_generic_node(ping_t) + + fs_dontaudit_getattr_xattr_fs(ping_t) + fs_dontaudit_rw_anon_inodefs_files(ping_t) +@@ -245,6 +246,7 @@ corenet_tcp_connect_all_ports(traceroute_t) + corenet_sendrecv_all_client_packets(traceroute_t) + corenet_sendrecv_traceroute_server_packets(traceroute_t) + corenet_sctp_bind_generic_node(traceroute_t) ++corenet_icmp_bind_generic_node(traceroute_t) + + corecmd_exec_bin(traceroute_t) + +-- +1.8.3.1 + diff --git a/backport-Allow-unconfined_t-to-node_bind-icmp_sockets-in-node.patch b/backport-Allow-unconfined_t-to-node_bind-icmp_sockets-in-node.patch new file mode 100644 index 0000000..c8e9d7d --- /dev/null +++ b/backport-Allow-unconfined_t-to-node_bind-icmp_sockets-in-node.patch 
@@ -0,0 +1,31 @@
+From e4f9c9f4f4c5af851410fde006f6589c0bf7f863 Mon Sep 17 00:00:00 2001
+From: Patrik Koncity
+Date: Wed, 5 Aug 2020 17:26:20 +0200
+Reference: https://github.com/fedora-selinux/selinux-policy/commit/e4f9c9f4f4c5af851410fde006f6589c0bf7f863
+Conflict: NA
+Subject: [PATCH] Allow unconfined_t to node_bind icmp_sockets in node_t domain
+
+When uncofined user run ping or traceroute, this process get label unconfined_t.
+Allow to ping or traceroute, which run as unconfined_t, to node_bind icmp_sockets in node_t domain.
+
+Bugzila: https://bugzilla.redhat.com/show_bug.cgi?id=1848929#c0
+---
+ policy/modules/kernel/corenetwork.te.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
+index c317449..b718ab0 100644
+--- a/policy/modules/kernel/corenetwork.te.in
++++ b/policy/modules/kernel/corenetwork.te.in
+@@ -465,7 +465,7 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
+ 
+ # Bind to any network address.
+ allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket sctp_socket} name_bind;
+-allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
++allow corenet_unconfined_type node_type:{ dccp_socket icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
+ 
+ # Infiniband
+ corenet_ib_access_all_pkeys(corenet_unconfined_type)
+-- 
+1.8.3.1
+
diff --git a/backport-Create-chronyd_pid_filetrans-interface.patch b/backport-Create-chronyd_pid_filetrans-interface.patch
new file mode 100644
index 0000000..6b092a8
--- /dev/null
+++ b/backport-Create-chronyd_pid_filetrans-interface.patch
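Review bot: The `icmp_socket` class added to the node_bind rule here, and the `allow $1 node_t:icmp_socket node_bind;` in the corenet_icmp_bind_generic_node hunk two files further on, only compile when the policy declares the extended socket classes (the `extended_socket_class` policy capability); on a base that lacks them checkpolicy rejects the rule. Confirm that the downstream policy's flask class definitions include icmp_socket before enabling these two patches, since the spec applies them unconditionally.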
@@ -0,0 +1,44 @@ +From 25d2a5c01c34d72c20f5d219227ad87897411967 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 14 Oct 2020 22:41:52 +0200 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/25d2a5c01c34d72c20f5d219227ad87897411967 +Conflict: NA +Subject: [PATCH] Create chronyd_pid_filetrans() interface + +--- + policy/modules/contrib/chronyd.if | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if +index c1b1b71..3d47264 100644 +--- a/policy/modules/contrib/chronyd.if ++++ b/policy/modules/contrib/chronyd.if +@@ -236,6 +236,25 @@ interface(`chronyd_manage_pid',` + manage_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t) + ') + ++###################################### ++## ++## Create objects in /var/run ++## with chronyd runtime private file type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`chronyd_pid_filetrans',` ++ gen_require(` ++ type chronyd_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, chronyd_var_run_t, dir, "chrony-dhcp") ++') ++ + #################################### + ## + ## All of the rules required to +-- +1.8.3.1 + diff --git a/backport-Create-macro-corenet_icmp_bind_generic_node.patch b/backport-Create-macro-corenet_icmp_bind_generic_node.patch new file mode 100644 index 0000000..0bdaac6 --- /dev/null +++ b/backport-Create-macro-corenet_icmp_bind_generic_node.patch 
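Review bot: `chronyd_pid_filetrans` hardcodes both the object class (`dir`) and the name (`"chrony-dhcp"`), unlike `systemd_resolved_pid_filetrans($1, $2, $3, $4)` added elsewhere in this series, so the summary `Create objects in /var/run with chronyd runtime private file type.` promises more than the interface delivers. Either narrow the documentation, e.g. `## Create the chrony-dhcp directory in /var/run with the chronyd runtime type.`, or take class and name as parameters and let the caller pass `dir, "chrony-dhcp"`.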
@@ -0,0 +1,44 @@
+From 65c1a66265908f3d5a39fa201d6b6f9f2a2981a4 Mon Sep 17 00:00:00 2001
+From: Patrik Koncity
+Date: Tue, 11 Aug 2020 13:51:55 +0200
+Reference: https://github.com/fedora-selinux/selinux-policy/commit/65c1a66265908f3d5a39fa201d6b6f9f2a2981a4
+Conflict: NA
+Subject: [PATCH] Create macro corenet_icmp_bind_generic_node()
+
+This macro allowing bind ICMP sockets to generic nodes in node_t domain.
+---
+ policy/modules/kernel/corenetwork.if.in | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
+index 1ed5283..1858e41 100644
+--- a/policy/modules/kernel/corenetwork.if.in
++++ b/policy/modules/kernel/corenetwork.if.in
+@@ -863,6 +863,24 @@ interface(`corenet_sctp_bind_generic_node',`
+ 
+ ########################################
+ ##
++## Bind ICMP sockets to generic nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corenet_icmp_bind_generic_node',`
++ gen_require(`
++ type node_t;
++ ')
++
++ allow $1 node_t:icmp_socket node_bind;
++')
++
++########################################
++##
+ ## Bind TCP sockets to generic nodes.
+ ##
+ ##
+-- 
+1.8.3.1
+
diff --git a/backport-Define-named-file-transition-for-sshd-on-tmp-krb5_0..patch b/backport-Define-named-file-transition-for-sshd-on-tmp-krb5_0..patch
new file mode 100644
index 0000000..430035b
--- /dev/null
+++ b/backport-Define-named-file-transition-for-sshd-on-tmp-krb5_0..patch
@@ -0,0 +1,26 @@
+From 5d5feca5ce10b7b4f45c44431c8c258685eeef61 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 11 Aug 2020 22:15:55 +0200
+Reference: https://github.com/fedora-selinux/selinux-policy/commit/5d5feca5ce10b7b4f45c44431c8c258685eeef61
+Conflict: NA
+Subject: [PATCH] Define named file transition for sshd on /tmp/krb5_0.rcache2
+
+---
+ policy/modules/services/ssh.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
+index 7b09f29..b06cc76 100644
+--- a/policy/modules/services/ssh.te
++++ b/policy/modules/services/ssh.te
+@@ -380,6 +380,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ kerberos_read_keytab(sshd_t)
++ kerberos_tmp_filetrans_host_rcache(sshd_t, "krb5_0.rcache2")
+ kerberos_use(sshd_t)
+ kerberos_write_kadmind_tmp_files(sshd_t)
+ ')
+-- 
+1.8.3.1
+
diff --git a/backport-Update-systemd_resolved_read_pid-to-also-read-symlin.patch b/backport-Update-systemd_resolved_read_pid-to-also-read-symlin.patch
new file mode 100644
index 0000000..46edcbd
--- /dev/null
+++ b/backport-Update-systemd_resolved_read_pid-to-also-read-symlin.patch
@@ -0,0 +1,30 @@
+From ade23054745c5a738abc8760dfc425f8bf916944 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 8 Dec 2020 16:05:22 +0100
+Reference: https://github.com/fedora-selinux/selinux-policy/commit/ade23054745c5a738abc8760dfc425f8bf916944
+Conflict: NA
+Subject: [PATCH] Update systemd_resolved_read_pid() to also read symlinks
+
+In the systemd_resolved_read_pid() interface, list and read permissions
+were allowed for directories and plain files. However, symlinks also can
+be in the same directory. This commit adds read permissions for the
+lnk_file class.
+---
+ policy/modules/system/systemd.if | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index ff31161..ffed76c 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -313,6 +313,7 @@ interface(`systemd_resolved_read_pid',`
+ files_search_pids($1)
+ list_dirs_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+ read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
++ read_lnk_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+ ')
+ 
+ ######################################
+-- 
+1.8.3.1
+
diff --git a/backport-sysnetwork.if-avoid-directly-referencing-systemd_res.patch b/backport-sysnetwork.if-avoid-directly-referencing-systemd_res.patch
new file mode 100644
index 0000000..1a8adbb
--- /dev/null
+++ b/backport-sysnetwork.if-avoid-directly-referencing-systemd_res.patch
@@ -0,0 +1,145 @@ +From bc79683118e529a8325fd229840915efe30c3f48 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Mon, 3 Aug 2020 14:49:31 +0200 +Reference: https://github.com/fedora-selinux/selinux-policy/commit/bc79683118e529a8325fd229840915efe30c3f48 +Conflict: NA +Subject: [PATCH] sysnetwork.if: avoid directly referencing + systemd_resolved_var_run_t + +Instead create a systemd_resolved_pid_filetrans() interface in +systemd.if and use that. Also used a unified interface for adding these +transitions in sysnet_filetrans_named_content() and directly in the +systemd module. + +Signed-off-by: Ondrej Mosnacek +--- + policy/modules/system/sysnetwork.if | 36 +++++++++++++++++++++++++++--------- + policy/modules/system/systemd.if | 34 ++++++++++++++++++++++++++++++++++ + policy/modules/system/systemd.te | 4 +--- + 3 files changed, 62 insertions(+), 12 deletions(-) + +diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if +index 10172d6..d7b696b 100644 +--- a/policy/modules/system/sysnetwork.if ++++ b/policy/modules/system/sysnetwork.if +@@ -1127,6 +1127,29 @@ interface(`sysnet_role_transition_dhcpc',` + + ######################################## + ## ++## Set up filename transitions for systemd-resolved network ++## configuration content. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`sysnet_filetrans_systemd_resolved',` ++ gen_require(` ++ type net_conf_t; ++ ') ++ ++ optional_policy(` ++ systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf") ++ systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp") ++ systemd_resolved_pid_filetrans($1, net_conf_t, file, "stub-resolv.conf") ++ ') ++') ++ ++######################################## ++## + ## Transition to sysnet named content + ## + ## +@@ -1138,7 +1161,6 @@ interface(`sysnet_role_transition_dhcpc',` + interface(`sysnet_filetrans_named_content',` + gen_require(` + type net_conf_t; +- type systemd_resolved_var_run_t; + ') + + files_etc_filetrans($1, net_conf_t, file, "resolv.conf") +@@ -1160,15 +1182,11 @@ interface(`sysnet_filetrans_named_content',` + init_pid_filetrans($1, net_conf_t, dir, "network") + + optional_policy(` +- networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf") +- networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp") +- ') ++ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf") ++ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp") ++ ') + +- optional_policy(` +- sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf") +- sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf.tmp") +- sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "stub-resolv.conf") +- ') ++ sysnet_filetrans_systemd_resolved($1) + ') + + ######################################## +diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +index 26d4927..d10ae16 100644 +--- a/policy/modules/system/systemd.if ++++ b/policy/modules/system/systemd.if +@@ -335,6 +335,40 @@ interface(`systemd_resolved_write_pid_sock_files',` + write_sock_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t) + ') + ++######################################## ++## ++## Create objects in 
/var/run/systemd/resolve with a private ++## type using a type_transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Private file type. ++## ++## ++## ++## ++## Object classes to be created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`systemd_resolved_pid_filetrans',` ++ gen_require(` ++ type systemd_resolved_var_run_t; ++ ') ++ ++ filetrans_pattern($1, systemd_resolved_var_run_t, $2, $3, $4) ++') ++ + ###################################### + ## + ## Read systemd_login PID files. +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 332d716..c806b29 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1071,9 +1071,7 @@ dev_write_kmsg(systemd_resolved_t) + dev_read_sysfs(systemd_resolved_t) + + sysnet_manage_config(systemd_resolved_t) +-sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf") +-sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "stub-resolv.conf") +-sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf.tmp") ++sysnet_filetrans_systemd_resolved(systemd_resolved_t) + + systemd_read_efivarfs(systemd_resolved_t) + +-- +1.8.3.1 + diff --git a/selinux-policy.spec b/selinux-policy.spec index 1f011d7..21bd1a2 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -12,7 +12,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.2 -Release: 67 +Release: 68 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ 
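Review bot: The two `networkmanager_pid_filetrans` lines and the closing `')` inside sysnet_filetrans_named_content are removed and re-added with what appears to be only an indentation change, which enlarges the backport and its conflict surface without a functional gain; dropping those six lines keeps the patch to the refactor its subject describes. The functional part — routing the systemd_resolved_var_run_t reference through the new `systemd_resolved_pid_filetrans` so sysnetwork.if no longer names another module's type, and collapsing the three callers into `sysnet_filetrans_systemd_resolved` — is sound. The systemd.te hunk's base index 332d716 is the result of the logind init_manage_pid_files patch, so the patch order in the spec is consistent with it.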
@@ -73,7 +73,42 @@ Patch20: add-avc-for-openEuler-1.patch
 Patch21: backport-systemd-allow-all-systemd-services-to-check-selinux-.patch
 Patch22: backport-Allow-dovecot-bind-to-smtp-ports.patch
 Patch23: allow-rpcbind-to-bind-all-port.patch
-patch24: backport-Allow-kdump_t-net_admin-capability.patch
+
+Patch6000: backport-Allow-kdump_t-net_admin-capability.patch
+Patch6001: backport-Allow-systemd-logind-dbus-chat-with-fwupd.patch
+Patch6002: backport-Allow-auditd-manage-kerberos-host-rcache-files.patch
+Patch6003: backport-Add-dev_lock_all_blk_files-interface.patch
+Patch6005: backport-Define-named-file-transition-for-sshd-on-tmp-krb5_0..patch
+Patch6006: backport-Allow-nsswitch_domain-to-connect-to-systemd-machined.patch
+Patch6007: backport-Allow-unconfined_t-to-node_bind-icmp_sockets-in-node.patch
+Patch6008: backport-Create-macro-corenet_icmp_bind_generic_node.patch
+Patch6009: backport-Allow-traceroute_t-and-ping_t-to-bind-generic-nodes.patch
+Patch6010: backport-Allow-passwd-to-get-attributes-in-proc_t.patch
+Patch6011: backport-Allow-login_pgm-attribute-to-get-attributes-in-proc_.patch
+Patch6012: backport-Allow-syslogd_t-domain-to-read-write-tmpfs-systemd-b.patch
+Patch6013: backport-Allow-all-users-to-connect-to-systemd-userdbd-with-a.patch
+Patch6014: backport-Add-new-devices-and-filesystem-interfaces.patch
+Patch6015: backport-Add-lvm_dbus_send_msg-lvm_rw_var_run-interfaces.patch
+Patch6016: backport-Allow-domain-write-to-an-automount-unnamed-pipe.patch
+Patch6017: backport-Allow-dyntransition-from-sshd_t-to-unconfined_t.patch
+Patch6018: backport-Allow-initrc_t-create-run-chronyd-dhcp-directory-wit.patch
+Patch6019: backport-Update-systemd_resolved_read_pid-to-also-read-symlin.patch
+Patch6020: backport-Allow-systemd-resolved-manage-its-private-runtime-sy.patch
+Patch6021: backport-Allow-systemd-logind-manage-init-s-pid-files.patch
+Patch6022: backport-Add-systemd_resolved_write_pid_sock_files-interface.patch
+Patch6023: backport-Allow-nsswitch-domain-write-to-systemd-resolved-PID-.patch
+Patch6024: backport-sysnetwork.if-avoid-directly-referencing-systemd_res.patch
+Patch6025: backport-Allow-stub-resolv.conf-to-be-a-symlink.patch
+Patch6026: backport-Allow-domain-stat-proc-filesystem.patch
+Patch6027: backport-Allow-domain-write-to-systemd-resolved-PID-socket-fi.patch
+Patch6028: backport-Allow-systemd-machined-manage-systemd-userdbd-runtim.patch
+Patch6029: backport-Allow-domain-stat-the-sys-filesystem.patch
+Patch6030: backport-Allow-login_userdomain-write-inaccessible-nodes.patch
+Patch6031: backport-Allow-local_login_t-get-attributes-of-tmpfs-filesyst.patch
+Patch6032: backport-Allow-dhcpc_t-domain-transition-to-chronyc_t.patch
+Patch6033: backport-Allow-nsswitch_domain-read-cgroup-files.patch
+Patch6034: backport-Allow-IPsec-and-certmonger-to-use-opencryptoki-servi.patch
+Patch6035: backport-Create-chronyd_pid_filetrans-interface.patch
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
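Review bot: The new Patch list jumps from Patch6003 straight to Patch6005, and the patch that the %changelog hunk later in this diff lists in exactly that position, backport-Allow-systemd-machined-create-userdbd-runtime-sock-f.patch, has no Patch line at all, so either the changelog names a patch that is never applied or a Patch6004 entry was dropped from the spec. Whether the numbering gap itself breaks the build depends on how %prep applies the patches (%autosetup tolerates gaps, explicit %patch lines do not), and that section is outside this hunk. Either add `Patch6004: backport-Allow-systemd-machined-create-userdbd-runtime-sock-f.patch` together with the file, or drop that name from the changelog so the two lists agree.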
@@ -739,6 +774,44 @@ exit 0
 %endif
 %changelog
+* Mon May 31 2021 luhuaxin <1539327763@qq.com> - 3.14.2-68
+- backport some upstream patches
+ backport-Allow-systemd-logind-dbus-chat-with-fwupd.patch
+ backport-Allow-auditd-manage-kerberos-host-rcache-files.patch
+ backport-Add-dev_lock_all_blk_files-interface.patch
+ backport-Allow-systemd-machined-create-userdbd-runtime-sock-f.patch
+ backport-Define-named-file-transition-for-sshd-on-tmp-krb5_0..patch
+ backport-Allow-nsswitch_domain-to-connect-to-systemd-machined.patch
+ backport-Allow-unconfined_t-to-node_bind-icmp_sockets-in-node.patch
+ backport-Create-macro-corenet_icmp_bind_generic_node.patch
+ backport-Allow-traceroute_t-and-ping_t-to-bind-generic-nodes.patch
+ backport-Allow-passwd-to-get-attributes-in-proc_t.patch
+ backport-Allow-login_pgm-attribute-to-get-attributes-in-proc_.patch
+ backport-Allow-syslogd_t-domain-to-read-write-tmpfs-systemd-b.patch
+ backport-Allow-all-users-to-connect-to-systemd-userdbd-with-a.patch
+ backport-Add-new-devices-and-filesystem-interfaces.patch
+ backport-Add-lvm_dbus_send_msg-lvm_rw_var_run-interfaces.patch
+ backport-Allow-domain-write-to-an-automount-unnamed-pipe.patch
+ backport-Allow-dyntransition-from-sshd_t-to-unconfined_t.patch
+ backport-Allow-initrc_t-create-run-chronyd-dhcp-directory-wit.patch
+ backport-Update-systemd_resolved_read_pid-to-also-read-symlin.patch
+ backport-Allow-systemd-resolved-manage-its-private-runtime-sy.patch
+ backport-Allow-systemd-logind-manage-init-s-pid-files.patch
+ backport-Add-systemd_resolved_write_pid_sock_files-interface.patch
+ backport-Allow-nsswitch-domain-write-to-systemd-resolved-PID-.patch
+ backport-sysnetwork.if-avoid-directly-referencing-systemd_res.patch
+ backport-Allow-stub-resolv.conf-to-be-a-symlink.patch
+ backport-Allow-domain-stat-proc-filesystem.patch
+ backport-Allow-domain-write-to-systemd-resolved-PID-socket-fi.patch
+ backport-Allow-systemd-machined-manage-systemd-userdbd-runtim.patch
+ backport-Allow-domain-stat-the-sys-filesystem.patch
+ backport-Allow-login_userdomain-write-inaccessible-nodes.patch
+ backport-Allow-local_login_t-get-attributes-of-tmpfs-filesyst.patch
+ backport-Allow-dhcpc_t-domain-transition-to-chronyc_t.patch
+ backport-Allow-nsswitch_domain-read-cgroup-files.patch
+ backport-Allow-IPsec-and-certmonger-to-use-opencryptoki-servi.patch
+ backport-Create-chronyd_pid_filetrans-interface.patch
+
 * Sat May 29 2021 luhuaxin <1539327763@qq.com> - 3.14.2-67
 - allow kdump_t net_admin capability
--
Gitee
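Review bot: The changelog entry records only the patch file names and no upstream reference, and several of the listed backports widen the policy rather than add interfaces (the sshd_t to unconfined_t dyntransition, the domain-wide stat of the proc and sys filesystems, and the login_userdomain write to inaccessible nodes among them), so a reader of the spec cannot tell which upstream commits were taken or why each rule was needed. Consider naming the upstream source next to the summary, e.g. `- backport some upstream patches from fedora-selinux/selinux-policy (commits <UPSTREAM-COMMIT-IDS>)`, so each widening can be traced when the policy is audited; the ids are not on this page and must be filled in from the original upstream commits.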