From ec513c1cb0a48c43f3f1bcd9814b4b5e75679a81 Mon Sep 17 00:00:00 2001
From: gaoyusong
Date: Fri, 26 Nov 2021 14:30:32 +0800
Subject: [PATCH] fix CVE-2020-24612

Signed-off-by: gaoyusong
---
 ...-Add-file-context-for-.config-Yubico.patch | 53 +++++++++++
 ...hange-transitions-for-.config-Yubico.patch | 95 +++++++++++++++++++
 selinux-policy.spec | 7 +-
 3 files changed, 154 insertions(+), 1 deletion(-)
 create mode 100644 backport-Add-file-context-for-.config-Yubico.patch
 create mode 100644 backport-Change-transitions-for-.config-Yubico.patch

diff --git a/backport-Add-file-context-for-.config-Yubico.patch b/backport-Add-file-context-for-.config-Yubico.patch
new file mode 100644
index 0000000..0de4279
--- /dev/null
+++ b/backport-Add-file-context-for-.config-Yubico.patch
@@ -0,0 +1,53 @@
+From 1363710b88904f29915e39335fef0dfb673a0f70 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 24 Aug 2020 14:29:15 +0200
+Subject: [PATCH] Add file context for ~/.config/Yubico
+
+Add file context specification for ~/.config/Yubico in addition to
+existing ~/.yubico. Update the auth_filetrans_home_content() and
+auth_filetrans_admin_home_content() interfaces accordingly.
+
+Resolves: rhbz#1860888
+Signed-off-by: lujie42 <572084868@qq.com>
+---
+ policy/modules/system/authlogin.fc | 2 ++
+ policy/modules/system/authlogin.if | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index 009c156..58551ec 100644
+--- a/policy/modules/system/authlogin.fc
++++ b/policy/modules/system/authlogin.fc
+@@ -1,7 +1,9 @@
+ HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
++HOME_DIR/\.config/Yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+ HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
+ HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
+ /root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.config/Yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+ /root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
+ /root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
+ 
+diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
+index 099166d..90ae5fe 100644
+--- a/policy/modules/system/authlogin.if
++++ b/policy/modules/system/authlogin.if
+@@ -2313,6 +2313,7 @@ interface(`auth_filetrans_admin_home_content',`
+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+ userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
++ userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
+ ')
+ 
+ 
+@@ -2377,6 +2378,7 @@ interface(`auth_filetrans_home_content',`
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+ userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
++ userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
+ ')
+ 
+ ########################################
+-- 
+1.8.3.1
+
diff --git a/backport-Change-transitions-for-.config-Yubico.patch b/backport-Change-transitions-for-.config-Yubico.patch
new file mode 100644
index 0000000..ac63181
--- /dev/null
+++ b/backport-Change-transitions-for-.config-Yubico.patch
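Review bot: The two new file-context entries in authlogin.fc (`HOME_DIR/\.config/Yubico(/.*)?` and `/root/\.config/Yubico(/.*)?`) only take effect when the path is relabelled, so a `~/.config/Yubico` directory that already exists on an upgraded system keeps its current label until restorecon or fixfiles runs over it; the type_transition rules added by the second backport in this commit cover only directories created afterwards. Whether the package's upgrade relabel step covers HOME_DIR entries is not visible in this commit, so either confirm that it does or state in the spec changelog that existing home directories need `restorecon -R ~/.config/Yubico` for the fix to be complete. The `.config/Yubico` filetrans lines this patch adds to the two interfaces are removed again by the second backport, which is expected for a faithful upstream backport and needs no change here.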
@@ -0,0 +1,95 @@
+From 099ea7b7bd113cac657f98d406c77839cce98859 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 25 Aug 2020 16:33:38 +0200
+Subject: [PATCH] Change transitions for ~/.config/Yubico
+
+Created the auth_filetrans_auth_home_content() interface which is used
+to allow the filename transition in gnome config directory for the
+login_pgm and userdomain attributes.
+
+This commit reverts the transitions introduced in
+commit 1363710b88904f29915e39335fef0dfb673a0f70.
+
+Signed-off-by: lujie42 <572084868@qq.com>
+---
+ policy/modules/system/authlogin.if | 23 +++++++++++++++++++++--
+ policy/modules/system/authlogin.te | 1 +
+ policy/modules/system/userdomain.te | 2 ++
+ 3 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
+index 90ae5fe..ab68d31 100644
+--- a/policy/modules/system/authlogin.if
++++ b/policy/modules/system/authlogin.if
+@@ -2313,7 +2313,6 @@ interface(`auth_filetrans_admin_home_content',`
+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+ userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
+- userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
+ ')
+ 
+ 
+@@ -2378,7 +2377,27 @@ interface(`auth_filetrans_home_content',`
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+ userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
+- userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
++')
++
++########################################
++## 
++## Create auth directory in the config home directory
++## with a correct label.
++## 
++## 
++## 
++## Domain allowed access.
++## 
++## 
++#
++interface(`auth_filetrans_auth_home_content',`
++ gen_require(`
++ type auth_home_t;
++ ')
++
++ optional_policy(`
++ gnome_config_filetrans($1, auth_home_t, dir, "Yubico")
++ ')
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index f3870d3..068caed 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -603,6 +603,7 @@ manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t)
+ manage_files_pattern(login_pgm, auth_home_t, auth_home_t)
+ auth_filetrans_admin_home_content(login_pgm)
+ auth_filetrans_home_content(login_pgm)
++auth_filetrans_auth_home_content(login_pgm)
+ 
+ # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
+ kernel_search_network_sysctl(login_pgm)
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 756ac4a..196bcc0 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -147,6 +147,7 @@ dontaudit unpriv_userdomain self:dir setattr;
+ allow unpriv_userdomain self:file manage_file_perms;
+ allow unpriv_userdomain self:key manage_key_perms;
+ 
++auth_filetrans_auth_home_content(userdomain)
+ 
+ files_dontaudit_manage_boot_files(unpriv_userdomain)
+ 
+@@ -289,6 +290,7 @@ userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, "tmp")
+ 
+ optional_policy(`
+ gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
++ gnome_config_filetrans(userdom_filetrans_type, auth_home_t, dir, "Yubico")
+ #gnome_admin_home_gconf_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin")
+ ')
+ 
+-- 
+1.8.3.1
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 0af1424..aa7e01a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
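Review bot: In the userdomain.te hunk at `@@ -289,6 +290,7 @@`, the added `gnome_config_filetrans(userdom_filetrans_type, auth_home_t, dir, "Yubico")` reaches into authlogin's `auth_home_t` directly, while the `login_pgm` and `userdomain` callers earlier in this patch go through the new `auth_filetrans_auth_home_content()` interface, which already wraps the same gnome_config_filetrans call in its own `optional_policy`. For consistency, and to keep the `auth_home_t` reference inside authlogin.if where its `gen_require` lives, the same effect is obtained with `auth_filetrans_auth_home_content(userdom_filetrans_type)` placed beside the existing `auth_filetrans_auth_home_content(userdomain)` call instead of the direct line in the gnome `optional_policy` block. If the backport is intentionally kept identical to upstream commit 099ea7b7bd113cac657f98d406c77839cce98859 for traceability, leave the hunk as is and note that decision in the spec changelog. The enclosing `optional_policy` block in userdomain.te starts and ends inside the hunk, but the interface file's surrounding definitions do not.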
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.2
-Release: 76
+Release: 77
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
@@ -113,6 +113,8 @@ Patch6036: backport-iptables.fc-Remove-duplicate-file-context-entries.patch
 Patch6037: backport-iptables.fc-Add-missing-legacy-entries.patch
 Patch6038: backport-iptables.fc-Add-missing-legacy-restore-and-legacy-sa.patch
 Patch6039: backport-Allow-systemd-hostnamed-read-udev-runtime-data.patch
+Patch6040: backport-Add-file-context-for-.config-Yubico.patch
+Patch6041: backport-Change-transitions-for-.config-Yubico.patch
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: add-avc-for-systemd-selinux-page.patch
@@ -783,6 +785,9 @@ exit 0
 %endif
 %changelog
+* Fri Nov 26 2021 gaoyusong - 3.14.2-77
+- Fix CVE-2020-24612
+
 * Wed Sep 15 2021 lujie42 <572084868@qq.com> - 3.14.2-76
 - set httpd_can_network_connect bool true
-- 
Gitee
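Review bot: The `@@ -113,6 +113,8 @@` hunk declares `Patch6040` and `Patch6041` but nothing in this commit shows them being applied; if this spec applies patches with explicit `%patch` lines rather than `%autosetup`, matching `%patch6040 -p1` and `%patch6041 -p1` entries are needed, otherwise the build succeeds while the CVE fix is silently left out. The `%prep` section is outside this diff, so confirm which mechanism the spec uses before merging. The changelog entry `- Fix CVE-2020-24612` would also be easier to audit if it named the two backported upstream commits (1363710b88904f29915e39335fef0dfb673a0f70 and 099ea7b7bd113cac657f98d406c77839cce98859) that the new patch files carry.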