diff --git a/access-to-iptables-run-file.patch b/access-to-iptables-run-file.patch deleted file mode 100644 index 0bcd2e61203486e07520ff5b2bc64b4cebda4b78..0000000000000000000000000000000000000000 --- a/access-to-iptables-run-file.patch +++ /dev/null @@ -1,51 +0,0 @@ -From df3d1a93a1126c15fe540a48515c604217f3202e Mon Sep 17 00:00:00 2001 -From: guoxiaoqi -Date: Tue, 25 Feb 2020 20:15:44 +0800 -Subject: [PATCH] access to iptables run file - -Signed-off-by: guoxiaoqi ---- - policy/modules/contrib/firewalld.te | 3 +++ - policy/modules/system/iptables.if | 18 ++++++++++++++++++ - 2 files changed, 21 insertions(+) - -diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te -index 8b78b37..f1cbf0a 100644 ---- a/policy/modules/contrib/firewalld.te -+++ b/policy/modules/contrib/firewalld.te -@@ -139,3 +139,6 @@ optional_policy(` - optional_policy(` - networkmanager_read_state(firewalld_t) - ') -+ -+# avc for openEuler -+iptables_var_run_file(firewalld_t) -diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if -index 5e1a4a5..6bdd8cf 100644 ---- a/policy/modules/system/iptables.if -+++ b/policy/modules/system/iptables.if -@@ -221,3 +221,21 @@ interface(`iptables_read_var_run',` - allow $1 iptables_var_run_t:dir list_dir_perms; - read_files_pattern($1, iptables_var_run_t, iptables_var_run_t) - ') -+ -+##################################### -+## -+## Access to iptables run files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`iptables_var_run_file',` -+gen_require(` -+type iptables_var_run_t; -+') -+ -+allow $1 iptables_var_run_t:file { lock open read }; -+') --- -1.8.3.1 - diff --git a/add-access-to-faillog-file-for-systemd.patch b/add-access-to-faillog-file-for-systemd.patch deleted file mode 100644 index 4692fa42ef481e5804edd4de117d370b476a1eab..0000000000000000000000000000000000000000 --- a/add-access-to-faillog-file-for-systemd.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 6b63c0acdb2e2435e4294f2de08dd376db15e4e8 Mon Sep 17 00:00:00 2001 -From: guoxiaoqi -Date: Tue, 25 Feb 2020 21:02:54 +0800 -Subject: [PATCH] add access to faillog file for systemd - -Signed-off-by: guoxiaoqi ---- - policy/modules/system/authlogin.if | 19 +++++++++++++++++++ - policy/modules/system/init.te | 3 +++ - 2 files changed, 22 insertions(+) - -diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 728a1c4..6f35819 100644 ---- a/policy/modules/system/authlogin.if -+++ b/policy/modules/system/authlogin.if -@@ -2413,3 +2413,22 @@ interface(`auth_login_manage_key',` - - allow $1 login_pgm:key manage_key_perms; - ') -+ -+######################################## -+## -+## Manage the login failure log for systemd. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_manage_faillog',` -+gen_require(` -+type faillog_t; -+') -+ -+allow $1 faillog_t:dir { add_name write }; -+allow $1 faillog_t:file create; -+') -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 035720b..e0d584a 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -1868,3 +1868,6 @@ optional_policy(` - ccs_read_config(daemon) - ') - ') -+ -+# avc for oprnEuler -+systemd_manage_faillog(init_t) --- -1.8.3.1 - diff --git a/add-allow-rasdaemon-cap_sys_admin.patch b/add-allow-rasdaemon-cap_sys_admin.patch deleted file mode 100644 index d54679e8a9c9f6b6e986ead558183d82e44236d1..0000000000000000000000000000000000000000 --- a/add-allow-rasdaemon-cap_sys_admin.patch +++ /dev/null 
@@ -1,25 +0,0 @@
-From 595e1f9fd4e9b5106487da882cf11d2ffdf79255 Mon Sep 17 00:00:00 2001
-From: lujie42 <572084868@qq.com>
-Date: Fri, 3 Sep 2021 20:22:18 +0800
-Subject: [PATCH] add allow rasdaemon cap_sys_admin
-
-Signed-off-by: lujie42 <572084868@qq.com>
----
- policy/modules/contrib/rasdaemon.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/rasdaemon.te b/policy/modules/contrib/rasdaemon.te
-index f6891a1..e102e63 100644
---- a/policy/modules/contrib/rasdaemon.te
-+++ b/policy/modules/contrib/rasdaemon.te
-@@ -19,6 +19,7 @@ systemd_unit_file(rasdaemon_unit_file_t)
- #
- # rasdaemon local policy
- #
-+allow rasdaemon_t self:capability sys_admin;
- allow rasdaemon_t self:fifo_file rw_fifo_file_perms;
- allow rasdaemon_t self:unix_stream_socket create_stream_socket_perms;
- 
--- 
-1.8.3.1
-
diff --git a/add-allow-shadow-tool-to-access-sssd-var-lib-file-di.patch b/add-allow-shadow-tool-to-access-sssd-var-lib-file-di.patch
deleted file mode 100644
index 798c6463569eb3e68bb9d152aa7c2cee8ba51217..0000000000000000000000000000000000000000
--- a/add-allow-shadow-tool-to-access-sssd-var-lib-file-di.patch
+++ /dev/null
@@ -1,31 +0,0 @@ -From edba62fdaa8115c0c194ad6d86981e8c9692b8e7 Mon Sep 17 00:00:00 2001 -From: guoxiaoqi -Date: Thu, 4 Jun 2020 21:11:52 +0800 -Subject: [PATCH] add allow shadow tool to access sssd var lib file/dir - -Signed-off-by: guoxiaoqi ---- - policy/modules/admin/usermanage.te | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1977309..b8d51ba 100644 ---- a/policy/modules/admin/usermanage.te -+++ b/policy/modules/admin/usermanage.te -@@ -666,8 +666,13 @@ optional_policy(` - # avc for openEuler - #sssd_var_lib_dir(groupadd_t) - optional_policy(` -+ sssd_var_lib_dir(groupadd_t) - sssd_var_lib_map_file(groupadd_t) - sssd_var_lib_write_file(groupadd_t) -+ sssd_var_lib_map_file(passwd_t) -+ sssd_var_lib_write_file(passwd_t) - sssd_var_lib_map_file(useradd_t) - sssd_var_lib_write_file(useradd_t) -+ sssd_var_lib_create_file(useradd_t) -+ sssd_var_lib_dir(useradd_t) - ') --- -1.8.3.1 - diff --git a/add-allow-to-be-access-to-sssd-dir-and-file.patch b/add-allow-to-be-access-to-sssd-dir-and-file.patch deleted file mode 100644 index 22a435cd1b682df23acebd5679bb2f3ad8b8553e..0000000000000000000000000000000000000000 --- a/add-allow-to-be-access-to-sssd-dir-and-file.patch +++ /dev/null 
@@ -1,110 +0,0 @@ -From e4184b665f1ca1f86fb7554095a73a71ad4a46ef Mon Sep 17 00:00:00 2001 -From: guoxiaoqi -Date: Tue, 25 Feb 2020 18:30:13 +0800 -Subject: [PATCH] add allow to be access to sssd dir and file - -Signed-off-by: guoxiaoqi ---- - policy/modules/admin/usermanage.te | 8 +++++ - policy/modules/contrib/sssd.if | 72 ++++++++++++++++++++++++++++++++++++++ - 2 files changed, 80 insertions(+) - -diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 43fed66..c8580a7 100644 ---- a/policy/modules/admin/usermanage.te -+++ b/policy/modules/admin/usermanage.te -@@ -663,3 +663,11 @@ optional_policy(` - optional_policy(` - stapserver_manage_lib(useradd_t) - ') -+# avc for openEuler -+#sssd_var_lib_dir(groupadd_t) -+optional_policy(` -+ sssd_var_lib_map_file(groupadd_t) -+ sssd_var_lib_write_file(groupadd_t) -+ sssd_var_lib_map_file(useradd_t) -+ sssd_var_lib_write_file(useradd_t) -+') -diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if -index 50eee3f..1b61ccd 100644 ---- a/policy/modules/contrib/sssd.if -+++ b/policy/modules/contrib/sssd.if -@@ -576,3 +576,75 @@ interface(`sssd_admin',` - allow $1 sssd_unit_file_t:service all_service_perms; - - ') -+ -+######################################## -+## -+## Allow to be access to sssd lib dir. -+## -+## -+## -+## Domain to allow. -+## -+## -+# -+interface(`sssd_var_lib_dir',` -+gen_require(` -+type sssd_var_lib_t; -+') -+ -+allow $1 sssd_var_lib_t:dir { add_name write }; -+') -+ -+######################################## -+## -+## Allow to map sssd lib files. -+## -+## -+## -+## Domain to allow. -+## -+## -+# -+interface(`sssd_var_lib_map_file',` -+gen_require(` -+type sssd_var_lib_t; -+') -+ -+allow $1 sssd_var_lib_t:file map; -+') -+ -+######################################## -+## -+## Allow to write sssd lib files. -+## -+## -+## -+## Domain to allow. 
-+## -+## -+# -+interface(`sssd_var_lib_write_file',` -+gen_require(` -+type sssd_var_lib_t; -+') -+ -+allow $1 sssd_var_lib_t:file write; -+') -+ -+######################################## -+## -+## Allow to create sssd lib files. -+## -+## -+## -+## Domain to allow. -+## -+## -+# -+interface(`sssd_var_lib_create_file',` -+gen_require(` -+type sssd_var_lib_t; -+') -+ -+allow $1 sssd_var_lib_t:file create; -+') --- -1.8.3.1 - diff --git a/add-avc-for-kmod.patch b/add-avc-for-kmod.patch deleted file mode 100644 index 1a44778ce08809299ba0f037e5b0bb6dcb9d6b8a..0000000000000000000000000000000000000000 --- a/add-avc-for-kmod.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 9cc71f5e435a8cd95c1d186672ebbdb96e711a92 Mon Sep 17 00:00:00 2001 -From: guoxiaoqi -Date: Thu, 16 Jul 2020 18:45:34 +0800 -Subject: [PATCH] add avc for kmod - -Signed-off-by: guoxiaoqi ---- - policy/modules/system/modutils.te | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index add5eca..d512b51 100644 ---- a/policy/modules/system/modutils.te -+++ b/policy/modules/system/modutils.te -@@ -259,3 +259,6 @@ ifdef(`distro_gentoo',` - ') - ') - -+# avc for openEuler -+init_nnp_daemon_domain(insmod_t) -+ --- -1.8.3.1 - diff --git a/add-avc-for-systemd-hostnamed-and-systemd-logind.patch b/add-avc-for-systemd-hostnamed-and-systemd-logind.patch deleted file mode 100644 index c49f1c7380a86c2ab41a5d24c3f6b1c37fa8c2dd..0000000000000000000000000000000000000000 --- a/add-avc-for-systemd-hostnamed-and-systemd-logind.patch +++ /dev/null 
@@ -1,30 +0,0 @@
-From f5e75734ba636d9a3db9e7fc4a9c7766b5f965aa Mon Sep 17 00:00:00 2001
-From: guoxiaoqi
-Date: Thu, 16 Jul 2020 19:01:43 +0800
-Subject: [PATCH] add avc for systemd-hostnamed and systemd-logind
-
-Signed-off-by: guoxiaoqi
----
- policy/modules/system/systemd.te | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 7cb36c4..72f413c 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -373,6 +373,12 @@ optional_policy(`
- xserver_search_xdm_tmp_dirs(systemd_logind_t)
- ')
- 
-+# avc for openEuler
-+allow init_t systemd_logind_var_lib_t:dir { create mounton read };
-+allow init_t systemd_logind_var_run_t:dir mounton;
-+init_nnp_daemon_domain(systemd_hostnamed_t)
-+init_nnp_daemon_domain(systemd_logind_t)
-+
- ########################################
- #
- # systemd_machined local policy
--- 
-1.8.3.1
-
diff --git a/add-avc-for-systemd-journald.patch b/add-avc-for-systemd-journald.patch
index e26cdf085248e04a0cb32b795cd7a86ac29d20e1..71634bc62874bc1c81107aa54021d47ab6597336 100644
--- a/add-avc-for-systemd-journald.patch
+++ b/add-avc-for-systemd-journald.patch
@@ -1,53 +1,23 @@ -From 9865bc70309c32f731d85e18f8ed29af184086cf Mon Sep 17 00:00:00 2001 -From: guoxiaoqi -Date: Thu, 16 Jul 2020 18:54:28 +0800 +From f984d0f1fa193e7f5fdf8bd8aef92b24550eaec4 Mon Sep 17 00:00:00 2001 +From: lujie42 +Date: Tue, 21 Dec 2021 17:19:13 +0800 Subject: [PATCH] add avc for systemd-journald -Signed-off-by: guoxiaoqi +Signed-off-by: lujie42 --- - policy/modules/kernel/devices.if | 18 ++++++++++++++++++ - policy/modules/kernel/kernel.if | 17 +++++++++++++++++ - policy/modules/system/init.te | 5 ++++- + policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ + policy/modules/system/init.te | 5 +++++ policy/modules/system/logging.if | 18 ++++++++++++++++++ - policy/modules/system/logging.te | 3 +++ - 5 files changed, 60 insertions(+), 1 deletion(-) + 3 files changed, 41 insertions(+) -diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 932b9bd..eb8c5c6 100644 ---- a/policy/modules/kernel/devices.if -+++ b/policy/modules/kernel/devices.if -@@ -7343,3 +7343,21 @@ interface(`dev_filetrans_xserver_named_dev',` - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8") - filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") - ') -+ -+######################################## -+## -+## Allow to read the kernel messages -+## -+## -+## -+## Domain to allow. -+## -+## -+# -+interface(`dev_read_kernel_msg',` -+gen_require(` -+type kmsg_device_t; -+') -+ -+allow $1 kmsg_device_t:chr_file read; -+') diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 023ee09..a1bb39b 100644 +index 62845c1..a2e2750 100644 --- a/policy/modules/kernel/kernel.if 
+++ b/policy/modules/kernel/kernel.if -@@ -4268,3 +4268,20 @@ interface(`kernel_unlabeled_entry_type',` - allow $1 unlabeled_t:file { mmap_exec_file_perms ioctl lock }; - ') +@@ -4245,6 +4245,24 @@ interface(`kernel_read_netlink_audit_socket',` -+######################################## -+## + ######################################## + ## +## Access to netlink audit socket +## +## @@ -57,63 +27,63 @@ index 023ee09..a1bb39b 100644 +## +# +interface(`kernel_netlink_audit_socket',` -+gen_require(` -+type kernel_t; -+') ++ gen_require(` ++ type kernel_t; ++ ') + -+allow $1 kernel_t:netlink_audit_socket $2; ++ allow $1 kernel_t:netlink_audit_socket $2; +') ++ ++######################################## ++## + ## Execute an unlabeled file in the specified domain. + ## + ## diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index a92f4d8..6bccd0b 100644 +index 9a4a0d2..0aea278 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te -@@ -1946,5 +1946,8 @@ optional_policy(` - ') - ') +@@ -731,6 +731,11 @@ auth_rw_lastlog(init_t) + auth_domtrans_chk_passwd(init_t) + auth_manage_passwd(init_t) --# avc for oprnEuler +# avc for openEuler - systemd_manage_faillog(init_t) +kernel_netlink_audit_socket(init_t, getattr) -+dev_read_kernel_msg(init_t) -+logging_journal(init_t) ++logging_access_journal(init_t) ++dev_read_kmsg(init_t) ++ + ifdef(`distro_redhat',` + # it comes from setupr scripts used in systemd unit files + # has been covered by initrc_t diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 408dba0..526a813 100644 +index 8092f3e..3452bd2 100644 --- a/policy/modules/system/logging.if 
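Review bot: `kernel_netlink_audit_socket(init_t, getattr)` in the init.te part of this hunk calls an interface whose permission set is the caller's second argument, so the same interface can hand any domain `nlmsg_write`/`nlmsg_relay` on the kernel's audit socket (the permissions that change audit configuration) while its name only says "access". The interface it is inserted next to, `kernel_read_netlink_audit_socket`, suggests refpolicy's usual one-fixed-permission-set-per-interface style; since the only caller here needs `getattr`, a fixed `kernel_getattr_netlink_audit_socket(init_t)` with the body `allow $1 kernel_t:netlink_audit_socket getattr;` keeps the audit-control permissions out of a generic interface. The `# avc for openEuler` line is also the only rationale for giving PID 1 `dev_read_kmsg`; recording which systemd code path hit the denial on the kernel message device would let the rule be re-checked rather than carried forward blindly. The interface body and its parameter documentation continue in the next hunk.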
+++ b/policy/modules/system/logging.if -@@ -1686,3 +1686,21 @@ interface(`logging_dgram_send',` +@@ -1753,6 +1753,24 @@ interface(`logging_mmap_journal',` - allow $1 syslogd_t:unix_dgram_socket sendto; - ') -+ -+####################################### -+## -+## Access to files in /run/log/journal/ directory. + ####################################### + ## ++## Access to files in /run/log/journal/ directory. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`logging_journal',` -+gen_require(` -+type syslogd_var_run_t; -+') ++interface(`logging_access_journal',` ++ gen_require(` ++ type syslogd_var_run_t; ++ ') + -+allow $1 syslogd_var_run_t:file { create rename write }; ++ allow $1 syslogd_var_run_t:file { create rename write }; +') -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index cdaba23..ddeb00a 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -753,3 +753,6 @@ ifdef(`hide_broken_symptoms',` - ') - - logging_stream_connect_syslog(syslog_client_type) + -+# avc for openEuler -+init_nnp_daemon_domain(syslogd_t) ++####################################### ++## + ## Watch the /run/log/journal directory. + ## + ## -- 1.8.3.1 diff --git a/add-avc-for-systemd-selinux-page.patch b/add-avc-for-systemd-selinux-page.patch deleted file mode 100644 index 8e263115dc5872a85d1026376a815ec554ad23e5..0000000000000000000000000000000000000000 --- a/add-avc-for-systemd-selinux-page.patch +++ /dev/null 
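Review bot: `logging_access_journal` grants `syslogd_var_run_t:file { create rename write }`, which is not a usable permission set on its own: `write` without `open` only works on an inherited descriptor, `rename` also needs `remove_name`/`add_name` on the containing directory, and there is no `getattr`, so this reads as a set copied from denial messages rather than what the operation needs. If init_t really has to create and rename files under /run/log/journal, say so in the summary and use the standard pattern, `manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)`; otherwise narrow it to the single operation that was observed. For `kernel_netlink_audit_socket` in the same hunk, the parameter block is only partly visible here; if it does not describe the second argument, add `## <param name="perms"><summary>Permissions on the kernel's audit netlink socket.</summary></param>` since callers choose it. Both new interfaces are spliced between the `#####`/`## <summary>` header lines of the interface that follows them and re-add those lines at their end, which is valid but makes the next diff against these files hard to read; inserting before the header would be cleaner.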
@@ -1,123 +0,0 @@ -From 1a6889def34747b606f4e520fbff72fe86f90b0f Mon Sep 17 00:00:00 2001 -From: lujie42 <572084868@qq.com> -Date: Tue, 24 Aug 2021 15:38:40 +0800 -Subject: [PATCH] add avc for systemd no17479 - -Signed-off-by: lujie42 <572084868@qq.com> ---- - policy/modules/kernel/domain.te | 4 ++-- - policy/modules/kernel/selinux.if | 2 +- - policy/modules/system/logging.te | 1 + - policy/modules/system/systemd.if | 7 ++++--- - policy/modules/system/systemd.te | 3 +++ - 5 files changed, 11 insertions(+), 6 deletions(-) - -diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index 8e52b17..27b112c 100644 ---- a/policy/modules/kernel/domain.te -+++ b/policy/modules/kernel/domain.te -@@ -510,7 +510,7 @@ optional_policy(` - ') - - optional_policy(` -- systemd_dbus_chat_resolved(domain) -+ systemd_chat_resolved(domain) - systemd_login_status(unconfined_domain_type) - systemd_login_reboot(unconfined_domain_type) - systemd_login_halt(unconfined_domain_type) -@@ -519,7 +519,7 @@ optional_policy(` - systemd_filetrans_named_content(named_filetrans_domain) - systemd_filetrans_named_hostname(named_filetrans_domain) - systemd_filetrans_home_content(named_filetrans_domain) -- systemd_dontaudit_write_inherited_logind_sessions_pipes(domain) -+ systemd_dontaudit_write_inherited_logind_sessions_pipes(domain) - ') - - optional_policy(` -diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if -index ac70efb..a2ab3fc 100644 ---- a/policy/modules/kernel/selinux.if -+++ b/policy/modules/kernel/selinux.if -@@ -324,7 +324,7 @@ interface(`selinux_get_enforce_mode',` - dev_search_sysfs($1) - selinux_get_fs_mount($1) - allow $1 security_t:dir list_dir_perms; -- allow $1 security_t:file read_file_perms; -+ allow $1 security_t:file mmap_read_file_perms; - allow $1 security_t:lnk_file read_lnk_file_perms; - ') - -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index df4e985..482fe6d 100644 ---- 
a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -622,6 +622,7 @@ term_write_unallocated_ttys(syslogd_t) - term_use_generic_ptys(syslogd_t) - - init_stream_connect(syslogd_t) -+init_read_pid_files(syslogd_t) - # for sending messages to logged in users - init_read_utmp(syslogd_t) - init_dontaudit_write_utmp(syslogd_t) -diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index 514bbd7..6503c87 100644 ---- a/policy/modules/system/systemd.if -+++ b/policy/modules/system/systemd.if -@@ -2345,8 +2345,8 @@ interface(`systemd_map_resolved_exec_files',` - - ######################################## - ## --## Send and receive messages from --## systemd resolved over dbus. -+## Exchange messages with -+## systemd resolved over dbus or varlink. - ## - ## - ## -@@ -2354,13 +2354,14 @@ interface(`systemd_map_resolved_exec_files',` - ## - ## - # --interface(`systemd_dbus_chat_resolved',` -+interface(`systemd_chat_resolved',` - gen_require(` - type systemd_resolved_t; - class dbus send_msg; - ') - - allow $1 systemd_resolved_t:dbus send_msg; -+ allow $1 systemd_resolved_t:unix_stream_socket connectto; - allow systemd_resolved_t $1:dbus send_msg; - ps_process_pattern(systemd_resolved_t, $1) - ') -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 1e96c31..7849d51 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -13,6 +13,7 @@ attribute systemd_private_tmp_type; - - attribute systemd_read_efivarfs_type; - fs_read_efivarfs_files(systemd_read_efivarfs_type) -+read_files_pattern(systemd_read_efivarfs_type, init_var_run_t, init_var_run_t) - - systemd_domain_template(systemd_logger) - systemd_domain_template(systemd_logind) -@@ -501,6 +502,7 @@ corenet_tcp_bind_dhcpd_port(systemd_networkd_t) - corenet_udp_bind_dhcpd_port(systemd_networkd_t) - - fs_read_xenfs_files(systemd_networkd_t) -+fs_read_nsfs_files(systemd_networkd_t) - - 
dev_read_sysfs(systemd_networkd_t) - dev_write_kmsg(systemd_networkd_t) -@@ -1066,6 +1068,7 @@ allow systemd_resolved_t self:unix_dgram_socket create_socket_perms; - - manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t) - manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t) -+manage_sock_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t) - manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t) - init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir) - --- -1.8.3.1 - diff --git a/add-avc-for-systemd.patch b/add-avc-for-systemd.patch index c0c997a7771e30cb926d4692422a973ba05f2a5a..88e321e71c076a6e3ae6c314bbbed777104111e0 100644 --- a/add-avc-for-systemd.patch +++ b/add-avc-for-systemd.patch 
@@ -1,80 +1,25 @@ -From 89ae7e3f5493d253cbe42e7950e426cd41433230 Mon Sep 17 00:00:00 2001 -From: guoxiaoqi -Date: Thu, 16 Jul 2020 19:09:57 +0800 +From dd92e4c3df1b07249810fb824bdddd2cee77c7eb Mon Sep 17 00:00:00 2001 +From: lujie42 +Date: Tue, 21 Dec 2021 17:34:01 +0800 Subject: [PATCH] add avc for systemd -Signed-off-by: guoxiaoqi +Signed-off-by: lujie42 --- - policy/modules/contrib/dbus.te | 3 +++ - policy/modules/kernel/devices.if | 18 ++++++++++++++++++ - policy/modules/system/init.te | 1 + - policy/modules/system/systemd.te | 4 ++++ - 4 files changed, 26 insertions(+) + policy/modules/system/init.te | 1 + + 1 file changed, 1 insertion(+) -diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te -index 4cf41a5..2e2732d 100644 ---- a/policy/modules/contrib/dbus.te -+++ b/policy/modules/contrib/dbus.te -@@ -384,6 +384,9 @@ optional_policy(` - xserver_append_xdm_home_files(session_bus_type) - ') - -+# avc for openEuler -+allow init_t session_dbusd_tmp_t:dir { read remove_name rmdir write }; -+allow init_t system_dbusd_var_run_t:sock_file read; - ######################################## - # - # Unconfined access to this module -diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index eb8c5c6..846bb94 100644 ---- a/policy/modules/kernel/devices.if -+++ b/policy/modules/kernel/devices.if -@@ -7361,3 +7361,21 @@ type kmsg_device_t; - - allow $1 kmsg_device_t:chr_file read; - ') -+ -+######################################## -+## -+## Allow to read the clock device. -+## -+## -+## -+## Domain to allow. -+## -+## -+# -+interface(`dev_read_clock_device',` -+gen_require(` -+type clock_device_t; -+') -+ -+allow $1 clock_device_t:chr_file read; -+') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 6bccd0b..b7a4114 100644 +index 0aea278..b1ed998 100644 --- a/policy/modules/system/init.te 
+++ b/policy/modules/system/init.te -@@ -1951,3 +1951,4 @@ systemd_manage_faillog(init_t) +@@ -735,6 +735,7 @@ auth_manage_passwd(init_t) kernel_netlink_audit_socket(init_t, getattr) - dev_read_kernel_msg(init_t) - logging_journal(init_t) -+dev_read_clock_device(init_t) -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 72f413c..0a65c1d 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -378,6 +378,10 @@ allow init_t systemd_logind_var_lib_t:dir { create mounton read }; - allow init_t systemd_logind_var_run_t:dir mounton; - init_nnp_daemon_domain(systemd_hostnamed_t) - init_nnp_daemon_domain(systemd_logind_t) -+init_nnp_daemon_domain(systemd_coredump_t) -+init_nnp_daemon_domain(systemd_initctl_t) -+init_nnp_daemon_domain(systemd_localed_t) -+init_nnp_daemon_domain(systemd_machined_t) + logging_access_journal(init_t) + dev_read_kmsg(init_t) ++dev_read_realtime_clock(init_t) - ######################################## - # + ifdef(`distro_redhat',` + # it comes from setupr scripts used in systemd unit files -- 1.8.3.1 diff --git a/allow-systemd-hostnamed-and-logind-read-policy.patch b/allow-systemd-hostnamed-and-logind-read-policy.patch deleted file mode 100644 index 9524c7995d6b6eead465d1e71b9567e80d01f888..0000000000000000000000000000000000000000 --- a/allow-systemd-hostnamed-and-logind-read-policy.patch +++ /dev/null 
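Review bot: The rewritten patch silently drops the previous version's `allow init_t session_dbusd_tmp_t:dir { read remove_name rmdir write }`, `allow init_t system_dbusd_var_run_t:sock_file read` and the four `init_nnp_daemon_domain(...)` calls for systemd_coredump_t, systemd_initctl_t, systemd_localed_t and systemd_machined_t, and neither the Subject nor the body (which holds only the Signed-off-by) says whether those rules are now provided by the rebased base policy or moved to another patch. In a patch-of-patches a tightening and an accidental loss of needed rules look identical, so add a sentence under the Subject, e.g. `Rebase onto the new base policy: the dbus and nnp rules of the earlier version are provided upstream now; only the realtime clock read for init_t remains.`, or name the patch that carries them. The surviving `dev_read_realtime_clock(init_t)` sits under the bare `# avc for openEuler` comment inherited from the preceding lines; noting which systemd operation needed the clock device would let the rule be re-validated when systemd changes.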
@@ -1,34 +0,0 @@
-From 8b2179cbe385e4b67ab159ac7eee159a664888e3 Mon Sep 17 00:00:00 2001
-From: HuaxinLuGitee <1539327763@qq.com>
-Date: Tue, 22 Sep 2020 20:44:36 +0800
-Subject: [PATCH] commit 2
-
----
- policy/modules/system/systemd.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 7cb36c4..a98d366 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -331,6 +331,8 @@ userdom_manage_user_tmp_chr_files(systemd_logind_t)
- 
- xserver_dbus_chat(systemd_logind_t)
- 
-+allow systemd_logind_t security_t:file mmap_read_file_perms;
-+
- optional_policy(`
- apache_read_tmp_files(systemd_logind_t)
- ')
-@@ -818,6 +820,8 @@ systemd_read_efivarfs(systemd_hostnamed_t)
- userdom_read_all_users_state(systemd_hostnamed_t)
- userdom_dbus_send_all_users(systemd_hostnamed_t)
- 
-+allow systemd_hostnamed_t security_t:file mmap_read_file_perms;
-+
- optional_policy(`
- dbus_system_bus_client(systemd_hostnamed_t)
- dbus_connect_system_bus(systemd_hostnamed_t)
--- 
-1.8.3.1
-
diff --git a/allow-systemd-machined-create-userdbd-runtime-sock-file.patch b/allow-systemd-machined-create-userdbd-runtime-sock-file.patch
deleted file mode 100644
index fcb2ce61bfc0856da993a63aec58719effaa554c..0000000000000000000000000000000000000000
--- a/allow-systemd-machined-create-userdbd-runtime-sock-file.patch
+++ /dev/null
@@ -1,54 +0,0 @@ -From d4a034518393bd1c0277a4dd3e87c8e94b394317 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Tue, 11 Aug 2020 12:47:42 +0200 -Subject: [PATCH] Allow systemd-machined create userdbd runtime sock files - -Create the systemd_create_userdbd_runtime_sock_files() interface. - -Resolves: rhbz#1862686 ---- - policy/modules/system/systemd.if | 18 ++++++++++++++++++ - policy/modules/system/systemd.te | 1 + - 2 files changed, 19 insertions(+) - -diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index c9d2ed7..a6d8bd0 100644 ---- a/policy/modules/system/systemd.if -+++ b/policy/modules/system/systemd.if -@@ -2374,3 +2374,21 @@ interface(`systemd_userdbd_stream_connect',` - - allow $1 systemd_userdbd_t:unix_stream_socket connectto; - ') -+ -+####################################### -+## -+## Create a named socket in userdbd runtime directory -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_create_userdbd_runtime_sock_files',` -+ gen_require(` -+ type systemd_userdbd_runtime_t; -+ ') -+ -+ create_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) -+') -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 367758a..806b7d6 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -415,6 +415,7 @@ init_manage_config_transient_files(systemd_machined_t) - logging_dgram_send(systemd_machined_t) - - systemd_read_efivarfs(systemd_machined_t) -+systemd_create_userdbd_runtime_sock_files(systemd_machined_t) - - userdom_dbus_send_all_users(systemd_machined_t) - --- -1.8.3.1 - diff --git a/allow-systemd-to-mount-unlabeled-filesystemd.patch b/allow-systemd-to-mount-unlabeled-filesystemd.patch deleted file mode 100644 index 4adc4801f9c48c5393a770d2ba00548b55ce021a..0000000000000000000000000000000000000000 --- a/allow-systemd-to-mount-unlabeled-filesystemd.patch +++ /dev/null 
@@ -1,25 +0,0 @@
-From e9b8e0daa3fb3f3b7079ffb6095d9842ccda4554 Mon Sep 17 00:00:00 2001
-From: guoxiaoqi
-Date: Thu, 16 Jul 2020 19:35:21 +0800
-Subject: [PATCH] allow systemd to mount unlabeled filesystemd
-
-Signed-off-by: guoxiaoqi
----
- policy/modules/system/init.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index b7a4114..d8ca280 100644
---- a/policy/modules/system/init.te
-+++ b/policy/modules/system/init.te
-@@ -591,6 +591,7 @@ dev_rw_wireless(init_t)
- files_search_all(init_t)
- files_mounton_all_mountpoints(init_t)
- files_mounton_etc(init_t)
-+files_mounton_isid(init_t)
- files_unmount_all_file_type_fs(init_t)
- files_mounton_kernel_symbol_table(init_t)
- files_manage_all_pid_dirs(init_t)
--- 
-1.8.3.1
-
diff --git a/allow-systemd_machined_t-delete-userdbd-runtime-sock.patch b/allow-systemd_machined_t-delete-userdbd-runtime-sock.patch
deleted file mode 100644
index cd964b836a713aedd29ffa6da328b59ed3a4c7ff..0000000000000000000000000000000000000000
--- a/allow-systemd_machined_t-delete-userdbd-runtime-sock.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 99e2285e42bb9d06dbf1322b2990ccee974e1c92 Mon Sep 17 00:00:00 2001
-From: HuaxinLuGitee <1539327763@qq.com>
-Date: Thu, 17 Sep 2020 14:27:25 +0800
-Subject: [PATCH] allow systemd_machined_t delete userdbd runtime sock file
-
----
- policy/modules/system/systemd.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 7cb36c4..d0127f6 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -189,6 +189,8 @@ systemd_unit_file(systemd_userdbd_unit_file_t)
- type systemd_userdbd_runtime_t;
- files_pid_file(systemd_userdbd_runtime_t)
- 
-+delete_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
-+
- #######################################
- #
- # Systemd_logind local policy
--- 
-1.8.3.1
-
diff --git a/backport-Add-dev_lock_all_blk_files-interface.patch b/backport-Add-dev_lock_all_blk_files-interface.patch deleted file mode 100644 index 48c1da5acfe053eb434a9150d9bc95786c5a8438..0000000000000000000000000000000000000000 --- a/backport-Add-dev_lock_all_blk_files-interface.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From 395220122fcd6b93956c758a2a5094487254a89e Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 30 Jul 2020 18:21:16 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/395220122fcd6b93956c758a2a5094487254a89e -Conflict: NA -Subject: [PATCH] Add dev_lock_all_blk_files() interface - -For use in the dev_lock_all_blk_files() interface, create the -lock_blk_files_pattern and lock_blk_file_perms object permissions set. ---- - policy/modules/kernel/devices.if | 20 ++++++++++++++++++++ - policy/support/file_patterns.spt | 5 +++++ - policy/support/obj_perm_sets.spt | 1 + - 3 files changed, 26 insertions(+) - -diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 932b9bd..2a69660 100644 ---- a/policy/modules/kernel/devices.if -+++ b/policy/modules/kernel/devices.if -@@ -1169,6 +1169,26 @@ interface(`dev_getattr_all_blk_files',` - - ######################################## - ## -+## Lock on all block file device nodes. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`dev_lock_all_blk_files',` -+ gen_require(` -+ attribute device_node; -+ type device_t; -+ ') -+ -+ lock_blk_files_pattern($1, device_t, device_node) -+') -+ -+######################################## -+## - ## Read on all block file device nodes. 
- ## - ## -diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt -index 8aa8c36..7e3fccd 100644 ---- a/policy/support/file_patterns.spt -+++ b/policy/support/file_patterns.spt -@@ -408,6 +408,11 @@ define(`setattr_blk_files_pattern',` - allow $1 $3:blk_file setattr_blk_file_perms; - ') - -+define(`lock_blk_files_pattern',` -+ allow $1 $2:dir search_dir_perms; -+ allow $1 $3:blk_file lock_blk_file_perms; -+') -+ - define(`read_blk_files_pattern',` - allow $1 $2:dir search_dir_perms; - allow $1 $3:blk_file read_blk_file_perms; -diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index 399c448..524c586 100644 ---- a/policy/support/obj_perm_sets.spt -+++ b/policy/support/obj_perm_sets.spt -@@ -233,6 +233,7 @@ define(`relabel_sock_file_perms',`{ getattr relabelfrom relabelto }') - # - define(`getattr_blk_file_perms',`{ getattr }') - define(`setattr_blk_file_perms',`{ setattr }') -+define(`lock_blk_file_perms',`{ getattr lock }') - define(`read_blk_file_perms',`{ getattr open read lock ioctl }') - define(`append_blk_file_perms',`{ getattr open append lock ioctl }') - define(`write_blk_file_perms',`{ getattr open write append lock ioctl }') --- -1.8.3.1 - diff --git a/backport-Add-file-context-for-.config-Yubico.patch b/backport-Add-file-context-for-.config-Yubico.patch deleted file mode 100644 index 0de4279613d079006012990c84538083152dceee..0000000000000000000000000000000000000000 --- a/backport-Add-file-context-for-.config-Yubico.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 1363710b88904f29915e39335fef0dfb673a0f70 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 24 Aug 2020 14:29:15 +0200 -Subject: [PATCH] Add file context for ~/.config/Yubico - -Add file context specification for ~/.config/Yubico in addition to -existing ~/.yubico. Update the auth_filetrans_home_content() and -auth_filetrans_admin_home_content() interfaces accordingly. - -Resolves: rhbz#1860888 -Signed-off-by: lujie42 <572084868@qq.com> ---- - policy/modules/system/authlogin.fc | 2 ++ - policy/modules/system/authlogin.if | 2 ++ - 2 files changed, 4 insertions(+) - -diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 009c156..58551ec 100644 ---- a/policy/modules/system/authlogin.fc -+++ b/policy/modules/system/authlogin.fc -@@ -1,7 +1,9 @@ - HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) -+HOME_DIR/\.config/Yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) - HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) - HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) - /root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0) -+/root/\.config/Yubico(/.*)? 
gen_context(system_u:object_r:auth_home_t,s0) - /root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0) - /root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0) - -diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 099166d..90ae5fe 100644 ---- a/policy/modules/system/authlogin.if -+++ b/policy/modules/system/authlogin.if -@@ -2313,6 +2313,7 @@ interface(`auth_filetrans_admin_home_content',` - userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator") - userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") - userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico") -+ userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico") - ') - - -@@ -2377,6 +2378,7 @@ interface(`auth_filetrans_home_content',` - userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator") - userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") - userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico") -+ userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico") - ') - - ######################################## --- -1.8.3.1 - diff --git a/backport-Add-lvm_dbus_send_msg-lvm_rw_var_run-interfaces.patch b/backport-Add-lvm_dbus_send_msg-lvm_rw_var_run-interfaces.patch deleted file mode 100644 index 95116c87af324cdfc717bae0125ed28c8b1c1191..0000000000000000000000000000000000000000 --- a/backport-Add-lvm_dbus_send_msg-lvm_rw_var_run-interfaces.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 86c35f41cfe150545db77835cb96bf342f35f44f Mon Sep 17 00:00:00 2001 -From: Tony Asleson -Date: Fri, 11 Sep 2020 11:06:28 -0500 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/86c35f41cfe150545db77835cb96bf342f35f44f -Conflict: NA -Subject: [PATCH] Add lvm_dbus_send_msg(), lvm_rw_var_run() interfaces - -Signed-off-by: Tony Asleson ---- - policy/modules/system/lvm.if | 36 ++++++++++++++++++++++++++++++++++++ - 1 file changed, 36 insertions(+) - -diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index fbbb39e..7f3903a 100644 ---- a/policy/modules/system/lvm.if -+++ b/policy/modules/system/lvm.if -@@ -452,4 +452,40 @@ interface(`lvm_manage_lock',` - ') - - -+######################################## -+## -+## Allow dbus send for lvm dbus API (only send needed) -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`lvm_dbus_send_msg',` -+ gen_require(` -+ type lvm_t; -+ class dbus send_msg; -+ ') -+ allow $1 lvm_t:dbus send_msg; - -+') -+ -+######################################## -+## -+## Allow lvm hints file access -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`lvm_rw_var_run',` -+ gen_require(` -+ type lvm_t; -+ type lvm_var_run_t; -+ ') -+ allow $1 lvm_var_run_t:file { rw_file_perms }; -+ -+') --- -1.8.3.1 - diff --git a/backport-Add-new-devices-and-filesystem-interfaces.patch b/backport-Add-new-devices-and-filesystem-interfaces.patch deleted file mode 100644 index a5572511b95e80e958c9dec8b6855b26bc2377ca..0000000000000000000000000000000000000000 --- a/backport-Add-new-devices-and-filesystem-interfaces.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -From e6506d8ed109fe85ae9236a62c17f68a8eeedb8f Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Fri, 4 Sep 2020 12:28:24 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/e6506d8ed109fe85ae9236a62c17f68a8eeedb8f -Conflict: NA -Subject: [PATCH] Add new devices and filesystem interfaces - -Add dev_remount_sysfs_fs(), fs_all_mount_fs_perms_xattr_fs(), -fs_all_mount_fs_perms_tmpfs() interfaces. ---- - policy/modules/kernel/devices.if | 18 ++++++++++++++++++ - policy/modules/kernel/filesystem.if | 38 +++++++++++++++++++++++++++++++++++++ - 2 files changed, 56 insertions(+) - -diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 2a69660..61fedbb 100644 ---- a/policy/modules/kernel/devices.if -+++ b/policy/modules/kernel/devices.if -@@ -4832,6 +4832,24 @@ interface(`dev_unmount_sysfs_fs',` - - ######################################## - ## -+## Remount sysfs filesystems. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_remount_sysfs_fs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ allow $1 sysfs_t:filesystem remount; -+') -+ -+######################################## -+## - ## Search the sysfs directories. - ## - ## -diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 17a9f08..d3f24d2 100644 ---- a/policy/modules/kernel/filesystem.if -+++ b/policy/modules/kernel/filesystem.if -@@ -169,6 +169,26 @@ interface(`fs_unmount_xattr_fs',` - - ######################################## - ## -+## Mount, remount, unmount a persistent filesystem which -+## has extended attributes, such as -+## ext3, JFS, or XFS. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`fs_all_mount_fs_perms_xattr_fs',` -+ gen_require(` -+ type fs_t; -+ ') -+ -+ allow $1 fs_t:filesystem mount_fs_perms; -+') -+ -+######################################## -+## - ## Get the attributes of persistent - ## filesystems which have extended - ## attributes, such as ext3, JFS, or XFS. -@@ -5206,6 +5226,24 @@ interface(`fs_unmount_tmpfs',` - - ######################################## - ## -+## Mount, remount, unmount a tmpfs filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_all_mount_fs_perms_tmpfs',` -+ gen_require(` -+ type tmpfs_t; -+ ') -+ -+ allow $1 tmpfs_t:filesystem mount_fs_perms; -+') -+ -+######################################## -+## - ## Mount on tmpfs directories. - ## - ## --- -1.8.3.1 - diff --git a/backport-Add-systemd_resolved_write_pid_sock_files-interface.patch b/backport-Add-systemd_resolved_write_pid_sock_files-interface.patch deleted file mode 100644 index 62c5d19e165afef27d28515a66341bf29a47be42..0000000000000000000000000000000000000000 --- a/backport-Add-systemd_resolved_write_pid_sock_files-interface.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 33837787642166330b1400133de2023aa931f236 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 10 Dec 2020 00:15:37 +0100 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/33837787642166330b1400133de2023aa931f236 -Conflict: NA -Subject: [PATCH] Add systemd_resolved_write_pid_sock_files() interface - ---- - policy/modules/system/systemd.if | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index ffed76c..26d4927 100644 ---- a/policy/modules/system/systemd.if -+++ b/policy/modules/system/systemd.if -@@ -318,6 +318,25 @@ interface(`systemd_resolved_read_pid',` - - ###################################### - ## -+## Write to systemd_resolved PID socket files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`systemd_resolved_write_pid_sock_files',` -+ gen_require(` -+ type systemd_resolved_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ write_sock_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t) -+') -+ -+###################################### -+## - ## Read systemd_login PID files. - ## - ## --- -1.8.3.1 - diff --git a/backport-Allow-IPsec-and-certmonger-to-use-opencryptoki-servi.patch b/backport-Allow-IPsec-and-certmonger-to-use-opencryptoki-servi.patch deleted file mode 100644 index cd4f83320393bb3a84cf2fcb686fd1972c5403b8..0000000000000000000000000000000000000000 --- a/backport-Allow-IPsec-and-certmonger-to-use-opencryptoki-servi.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 6cc668244e41677470f5e97ab0f680436ac61652 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 26 Apr 2021 22:39:43 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/6cc668244e41677470f5e97ab0f680436ac61652 -Conflict: NA -Subject: [PATCH] Allow IPsec and certmonger to use opencryptoki services - -Add to certmonger and ipsec policy interface pkcs_use_opencryptoki(), -which allow use opencryptoki. Opencryptoki implements PKCS#11 -standard. - -The original commit has been split in 2 parts, this is the part for ipsec. - -Resolves: rhbz#1952311 ---- - policy/modules/system/ipsec.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 7e99f16..9d679cb 100644 ---- a/policy/modules/system/ipsec.te -+++ b/policy/modules/system/ipsec.te -@@ -247,6 +247,10 @@ optional_policy(` - ') - ') - -+optional_policy(` -+ pkcs_use_opencryptoki(ipsec_t) -+') -+ - ######################################## - # - # ipsec_mgmt Local policy --- -1.8.3.1 - diff --git a/backport-Allow-all-users-to-connect-to-systemd-userdbd-with-a.patch b/backport-Allow-all-users-to-connect-to-systemd-userdbd-with-a.patch deleted file mode 100644 index 81abf3251c4aec40791e2d7213413df295999a32..0000000000000000000000000000000000000000 --- a/backport-Allow-all-users-to-connect-to-systemd-userdbd-with-a.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 5e9918310dccf6d6dd1da52c19ce2a2927d0a96e Mon Sep 17 00:00:00 2001 -From: Richard Filo -Date: Mon, 24 Aug 2020 10:55:10 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/5e9918310dccf6d6dd1da52c19ce2a2927d0a96e -Conflict: NA -Subject: [PATCH] Allow all users to connect to systemd-userdbd with a unix - socket - -Add interface systemd_userdbd_stream_connect() to allow communication using userdb sockets. - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1835630 ---- - policy/modules/system/userdomain.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 89b4867..756ac4a 100644 ---- a/policy/modules/system/userdomain.te -+++ b/policy/modules/system/userdomain.te -@@ -209,6 +209,10 @@ optional_policy(` - xserver_filetrans_home_content(userdomain) - ') - -+optional_policy(` -+ systemd_userdbd_stream_connect(userdomain) -+') -+ - # rules for types which can read home certs - allow userdom_home_reader_certs_type home_cert_t:dir list_dir_perms; - read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t) --- -1.8.3.1 - diff --git a/backport-Allow-auditd-manage-kerberos-host-rcache-files.patch b/backport-Allow-auditd-manage-kerberos-host-rcache-files.patch deleted file mode 100644 index 8ac7cdd941b5465056dd9aa7b130b3d331923228..0000000000000000000000000000000000000000 --- a/backport-Allow-auditd-manage-kerberos-host-rcache-files.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From af31e95e95b62fce1e495df73d817f8a533a2190 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Tue, 28 Jul 2020 19:41:56 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/af31e95e95b62fce1e495df73d817f8a533a2190 -Conflict: NA -Subject: [PATCH] Allow auditd manage kerberos host rcache files - ---- - policy/modules/system/logging.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index cdaba23..db0b849 100644 ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -256,6 +256,10 @@ ifdef(`distro_ubuntu',` - ') - - optional_policy(` -+ kerberos_manage_host_rcache(auditd_t) -+') -+ -+optional_policy(` - mta_send_mail(auditd_t) - ') - --- -1.8.3.1 - diff --git a/backport-Allow-dhcpc_t-domain-transition-to-chronyc_t.patch b/backport-Allow-dhcpc_t-domain-transition-to-chronyc_t.patch deleted file mode 100644 index 79aa9ee61c8e4cb31b608543fa432263a8b788cc..0000000000000000000000000000000000000000 --- a/backport-Allow-dhcpc_t-domain-transition-to-chronyc_t.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 32aa3f5509900563632fec1a1536c84da50553ed Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 1 Apr 2021 17:36:08 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/32aa3f5509900563632fec1a1536c84da50553ed -Conflict: NA -Subject: [PATCH] Allow dhcpc_t domain transition to chronyc_t - -This permission is required when dhclient-script executes -the chrony.sh script from /etc/dhcp/dhclient.d. - -Resolves: rhbz#1897388 ---- - policy/modules/system/sysnetwork.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index fb0a0c8..70eaf92 100644 ---- a/policy/modules/system/sysnetwork.te -+++ b/policy/modules/system/sysnetwork.te -@@ -198,6 +198,7 @@ optional_policy(` - chronyd_initrc_domtrans(dhcpc_t) - chronyd_systemctl(dhcpc_t) - chronyd_domtrans(dhcpc_t) -+ chronyd_domtrans_chronyc(dhcpc_t) - chronyd_read_keys(dhcpc_t) - ') - --- -1.8.3.1 - diff --git a/backport-Allow-domain-stat-proc-filesystem.patch b/backport-Allow-domain-stat-proc-filesystem.patch deleted file mode 100644 index 61c2ee7d0610ab4e443a8547a9b9d88d49fec191..0000000000000000000000000000000000000000 --- a/backport-Allow-domain-stat-proc-filesystem.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From d58c107591c0f99ee8003221296f998ad75d8148 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 4 Jan 2021 19:50:49 +0100 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/d58c107591c0f99ee8003221296f998ad75d8148 -Conflict: NA -Subject: [PATCH] Allow domain stat /proc filesystem - -Resolves: rhbz#1892401 ---- - policy/modules/kernel/domain.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index c77a6fe..dff8caa 100644 ---- a/policy/modules/kernel/domain.te -+++ b/policy/modules/kernel/domain.te -@@ -129,6 +129,7 @@ allow domain self:fifo_file rw_fifo_file_perms; - allow domain self:sem create_sem_perms; - allow domain self:shm create_shm_perms; - -+kernel_getattr_proc(domain) - kernel_read_proc_symlinks(domain) - kernel_read_crypto_sysctls(domain) - kernel_read_vm_overcommit_sysctls(domain) --- -1.8.3.1 - diff --git a/backport-Allow-domain-stat-the-sys-filesystem.patch b/backport-Allow-domain-stat-the-sys-filesystem.patch deleted file mode 100644 index a7c56f46b28c687810d1f83c8f9928456c9de131..0000000000000000000000000000000000000000 --- a/backport-Allow-domain-stat-the-sys-filesystem.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 506809cbed4f682a030f29b6ee00d79b1570448f Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Fri, 19 Feb 2021 21:38:42 +0100 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/506809cbed4f682a030f29b6ee00d79b1570448f -Conflict: NA -Subject: [PATCH] Allow domain stat the /sys filesystem - -Checking for the availability of the /sys filesystem is requested -by all services that want to read hardware state information. -As such, adding this permission would semantically fit into the -dev_read_sysfs() interface to allow the getattr permission for each -domain calling this interface. This would, however, add about 300 new -rules into the policy, so the permission is allowed for the domain -attribute instead not to affect performance much. It seems safe allow -it for all domains. - -Example of such services are rngd, pcscd, usbmuxd. - -Resolves: rhbz#1928572 -Resolves: rhbz#1928611 -Resolves: rhbz#1930992 ---- - policy/modules/kernel/domain.te | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index 2ab7a49..8e52b17 100644 ---- a/policy/modules/kernel/domain.te -+++ b/policy/modules/kernel/domain.te -@@ -150,6 +150,11 @@ dev_rw_null(domain) - dev_rw_zero(domain) - term_use_controlling_term(domain) - -+# Allow all domains stat /sys. It is needed by services reading hardware -+# state information, but there is no harm to allow it to all domains in general. -+ -+dev_getattr_sysfs_fs(domain) -+ - # Allow all domains to read /dev/urandom. It is needed by all apps/services - # linked to libgcrypt. There is no harm to allow it by default. - dev_read_urand(domain) --- -1.8.3.1 - diff --git a/backport-Allow-domain-write-to-an-automount-unnamed-pipe.patch b/backport-Allow-domain-write-to-an-automount-unnamed-pipe.patch deleted file mode 100644 index 935b54aadf37530720aea7ca450d70426e0f4827..0000000000000000000000000000000000000000 
--- a/backport-Allow-domain-write-to-an-automount-unnamed-pipe.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 93e95ff085a9877e5ab981db18b2ba37409b3cb2 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 24 Sep 2020 13:12:54 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/93e95ff085a9877e5ab981db18b2ba37409b3cb2 -Conflict: NA -Subject: [PATCH] Allow domain write to an automount unnamed pipe - -With the kernel commit 13c164b1a186 ("autofs: switch to kernel_write"), -an additional LSM permission check is done when a process tries to -access a directory on an autofs volume, which has not been mounted yet, -and it results in a write operation to the automount pipe. - -This commit allows any domain write to the unnamed pipe kernel uses to -communicate with automount to service the directory access request and -should be considered a temporary workaround until a different -implementation in kernel is found. - -Resolves: rhbz#1874338 ---- - policy/modules/kernel/domain.te | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index b883be0..c77a6fe 100644 ---- a/policy/modules/kernel/domain.te -+++ b/policy/modules/kernel/domain.te -@@ -570,6 +570,12 @@ optional_policy(` - ') - - optional_policy(` -+ # A workaround to handle additional permissions check -+ # introduced as an involuntary result of a kernel change -+ automount_write_pipes(domain) -+') -+ -+optional_policy(` - sosreport_append_tmp_files(domain) - ') - --- -1.8.3.1 - diff --git a/backport-Allow-domain-write-to-systemd-resolved-PID-socket-fi.patch b/backport-Allow-domain-write-to-systemd-resolved-PID-socket-fi.patch deleted file mode 100644 index 850dc10edbcac0b59d893b6f732eb4f7824aa23f..0000000000000000000000000000000000000000 --- a/backport-Allow-domain-write-to-systemd-resolved-PID-socket-fi.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 7bcba980168b70a4164a1ec768ea56e723ed390b Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Mon, 25 Jan 2021 22:08:16 +0100 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/7bcba980168b70a4164a1ec768ea56e723ed390b -Conflict: NA -Subject: [PATCH] Allow domain write to systemd-resolved PID socket files - -Previously, the permission was allowed for the nsswitch_domain -attribute which turned out not to be sufficient. - -Resolves: rhbz#1900175 ---- - policy/modules/kernel/domain.te | 1 + - policy/modules/system/authlogin.te | 1 - - 2 files changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index dff8caa..2ab7a49 100644 ---- a/policy/modules/kernel/domain.te -+++ b/policy/modules/kernel/domain.te -@@ -510,6 +510,7 @@ optional_policy(` - systemd_login_reboot(unconfined_domain_type) - systemd_login_halt(unconfined_domain_type) - systemd_login_undefined(unconfined_domain_type) -+ systemd_resolved_write_pid_sock_files(domain) - systemd_filetrans_named_content(named_filetrans_domain) - systemd_filetrans_named_hostname(named_filetrans_domain) - systemd_filetrans_home_content(named_filetrans_domain) -diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 576ec5f..068caed 100644 ---- a/policy/modules/system/authlogin.te -+++ b/policy/modules/system/authlogin.te -@@ -562,7 +562,6 @@ optional_policy(` - ') - - optional_policy(` -- systemd_resolved_write_pid_sock_files(nsswitch_domain) - systemd_userdbd_stream_connect(nsswitch_domain) - systemd_machined_stream_connect(nsswitch_domain) - ') --- -1.8.3.1 - diff --git a/backport-Allow-dovecot-bind-to-smtp-ports.patch b/backport-Allow-dovecot-bind-to-smtp-ports.patch deleted file mode 100644 index 6ba675181376af123325a5968f15a5e4901da2fb..0000000000000000000000000000000000000000 --- a/backport-Allow-dovecot-bind-to-smtp-ports.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From f5c688321e04364bdfd030dd1412a7e5a4ecc6b6 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Tue, 10 Nov 2020 18:04:49 +0100 -Subject: [PATCH] Allow dovecot bind to smtp ports - -When dovecot is configured to listen on submission ports -(tcp 465 or 587), it requires the name_bind permission to ports -labeled smtp_port_t. - -Resolves: rhbz#1881884 ---- - dovecot.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te -index 6cf4b72e9..0b140e932 100644 ---- a/policy/modules/contrib/dovecot.te -+++ b/policy/modules/contrib/dovecot.te -@@ -147,6 +147,7 @@ corenet_tcp_bind_mail_port(dovecot_t) - corenet_tcp_bind_pop_port(dovecot_t) - corenet_tcp_bind_lmtp_port(dovecot_t) - corenet_tcp_bind_sieve_port(dovecot_t) -+corenet_tcp_bind_smtp_port(dovecot_t) - corenet_tcp_connect_all_ports(dovecot_t) - corenet_tcp_connect_postgresql_port(dovecot_t) - corenet_sendrecv_pop_server_packets(dovecot_t) --- -2.23.0 - diff --git a/backport-Allow-dyntransition-from-sshd_t-to-unconfined_t.patch b/backport-Allow-dyntransition-from-sshd_t-to-unconfined_t.patch deleted file mode 100644 index 08484d64f6ea129aa44c8f689b865f76f0c8ffb5..0000000000000000000000000000000000000000 --- a/backport-Allow-dyntransition-from-sshd_t-to-unconfined_t.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 3a9a9a5de73cadfd9629967c3e9b105b3cfc48e0 Mon Sep 17 00:00:00 2001 -From: Patrik Koncity -Date: Wed, 9 Sep 2020 12:09:09 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/3a9a9a5de73cadfd9629967c3e9b105b3cfc48e0 -Conflict: NA -Subject: [PATCH] Allow dyntransition from sshd_t to unconfined_t - -Removing attribute in previous commit affected connecting via ssh to unconfined user. -Missed dyntransition from sshd domain to unconfined domain. -Added ssh_dyntransition_to() interface. ---- - policy/modules/roles/unconfineduser.te | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te -index ca8947b..4ab04b3 100644 ---- a/policy/modules/roles/unconfineduser.te -+++ b/policy/modules/roles/unconfineduser.te -@@ -91,6 +91,8 @@ logging_send_syslog_msg(unconfined_t) - - systemd_config_all_services(unconfined_t) - -+ssh_dyntransition_to(unconfined_t) -+ - unconfined_domain_noaudit(unconfined_t) - domain_named_filetrans(unconfined_t) - domain_transition_all(unconfined_t) --- -1.8.3.1 - diff --git a/backport-Allow-initrc_t-create-run-chronyd-dhcp-directory-wit.patch b/backport-Allow-initrc_t-create-run-chronyd-dhcp-directory-wit.patch deleted file mode 100644 index 36916e23e211c8083a9a605b471d950498955b41..0000000000000000000000000000000000000000 --- a/backport-Allow-initrc_t-create-run-chronyd-dhcp-directory-wit.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From bad3809a314f6e6d1199e2201eb0c4fefbc8766a Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Wed, 14 Oct 2020 22:45:29 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/bad3809a314f6e6d1199e2201eb0c4fefbc8766a -Conflict: NA -Subject: [PATCH] Allow initrc_t create /run/chronyd-dhcp directory with a - transition - -Chronyd is required to read preferred sources files stored in -/run/chronyd-dhcp to be able to get correct time settings -from the dhcp server and have them applied. - -Resolves: rhbz#1880948 ---- - policy/modules/system/init.te | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 50b655b..f72a8ef 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -1210,6 +1210,10 @@ ifdef(`distro_redhat',` - ') - - optional_policy(` -+ chronyd_pid_filetrans(initrc_t) -+ ') -+ -+ optional_policy(` - cyrus_write_data(initrc_t) - ') - --- -1.8.3.1 - diff --git a/backport-Allow-kdump_t-net_admin-capability.patch b/backport-Allow-kdump_t-net_admin-capability.patch deleted file mode 100644 index c1a6a9ad8ae3fe2f223e721138d1eed7dfa425ee..0000000000000000000000000000000000000000 --- a/backport-Allow-kdump_t-net_admin-capability.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 027923e5647f7f0d1ecbaa7fc4d03cbd193a1424 Mon Sep 17 00:00:00 2001 -From: LuLuLu <1539327763@qq.com> -Date: Tue, 25 May 2021 20:06:29 +0800 -Subject: [PATCH] Allow kdump_t net_admin capability - -When reboot with kexec, kdump_t process needs net_admin capability to run ifdown. ---- - policy/modules/contrib/kdump.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/contrib/kdump.te b/policy/modules/contrib/kdump.te -index a253134..7e73c65 100644 ---- a/policy/modules/contrib/kdump.te -+++ b/policy/modules/contrib/kdump.te -@@ -41,7 +41,7 @@ files_tmp_file(kdumpctl_tmp_t) - # kdump local policy - # - --allow kdump_t self:capability { sys_admin sys_boot dac_read_search }; -+allow kdump_t self:capability { sys_admin sys_boot dac_read_search net_admin }; - #allow kdump_t self:capability2 compromise_kernel; - - allow kdump_t self:udp_socket create_socket_perms; --- -1.8.3.1 - diff --git a/backport-Allow-local_login_t-get-attributes-of-tmpfs-filesyst.patch b/backport-Allow-local_login_t-get-attributes-of-tmpfs-filesyst.patch deleted file mode 100644 index 4290b02e064b7b141983e8ad809f78f786aaa743..0000000000000000000000000000000000000000 --- a/backport-Allow-local_login_t-get-attributes-of-tmpfs-filesyst.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From 4f44d3028edb3cda2b2c1d1fc7858b481d866b94 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Fri, 19 Mar 2021 16:55:32 +0100 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/4f44d3028edb3cda2b2c1d1fc7858b481d866b94 -Conflict: NA -Subject: [PATCH] Allow local_login_t get attributes of tmpfs filesystems - -This permission is required when the system booted with cgroups v1. - -Resolves: rhbz#1894759 ---- - policy/modules/system/locallogin.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index 10fa85d..e1e5649 100644 ---- a/policy/modules/system/locallogin.te -+++ b/policy/modules/system/locallogin.te -@@ -113,6 +113,7 @@ files_create_home_dir(local_login_t) - - fs_search_auto_mountpoints(local_login_t) - fs_getattr_cgroup(local_login_t) -+fs_getattr_tmpfs(local_login_t) - - storage_dontaudit_getattr_fixed_disk_dev(local_login_t) - storage_dontaudit_setattr_fixed_disk_dev(local_login_t) --- -1.8.3.1 - diff --git a/backport-Allow-login_pgm-attribute-to-get-attributes-in-proc_.patch b/backport-Allow-login_pgm-attribute-to-get-attributes-in-proc_.patch deleted file mode 100644 index 414ee24a4cb45065c0bfb298ae0d308321c7887c..0000000000000000000000000000000000000000 --- a/backport-Allow-login_pgm-attribute-to-get-attributes-in-proc_.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From f2d77890bfcbe5b514c6205f288eeb73fe2225af Mon Sep 17 00:00:00 2001 -From: Patrik Koncity -Date: Fri, 21 Aug 2020 15:48:27 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/f2d77890bfcbe5b514c6205f288eeb73fe2225af -Conflict: NA -Subject: [PATCH] Allow login_pgm attribute to get attributes in proc_t - -Allow login_pgm attribute, which contain domain like local_login_t -and cockpit_session_t, get attributes on filesystem /proc. - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1853730 ---- - policy/modules/system/authlogin.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 6043c45..f3870d3 100644 ---- a/policy/modules/system/authlogin.te -+++ b/policy/modules/system/authlogin.te -@@ -607,6 +607,7 @@ auth_filetrans_home_content(login_pgm) - # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321 - kernel_search_network_sysctl(login_pgm) - kernel_rw_afs_state(login_pgm) -+kernel_getattr_proc(login_pgm) - - tunable_policy(`authlogin_radius',` - corenet_udp_bind_all_unreserved_ports(login_pgm) --- -1.8.3.1 - diff --git a/backport-Allow-login_userdomain-write-inaccessible-nodes.patch b/backport-Allow-login_userdomain-write-inaccessible-nodes.patch deleted file mode 100644 index 92f5a5bb875fc7dfd008fabe0946ca6110c132fa..0000000000000000000000000000000000000000 --- a/backport-Allow-login_userdomain-write-inaccessible-nodes.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From ed68ca8f488ca36b74b6146f3008a89072ffdcc9 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Fri, 5 Mar 2021 18:05:58 +0100 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/ed68ca8f488ca36b74b6146f3008a89072ffdcc9 -Conflict: NA -Subject: [PATCH] Allow login_userdomain write inaccessible nodes - -The permissions for creating blk_file, chr_file, fifo_file, sock_file -and regular file were added for systemd to create inaccessible nodes -in /run/user/*/systemd/inaccessible. - -Addresses the following denial: - -type=PATH msg=audit(22.2.2021 09:15:47.751:332) : item=1 -name=/run/user/1000/systemd/inaccessible/chr inode=8 dev=00:29 -mode=character,000 ouid=user ogid=user rdev=00:00 -obj=system_u:object_r:user_tmp_t:s0 nametype=CREATE cap_fp=none -cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=AVC msg=audit(22.2.2021 09:15:47.751:332) : avc: denied { create } -for pid=1714 comm=systemd name=chr scontext=user_u:user_r:user_t:s0-s0:c0.c1023 -tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=1 ---- - policy/modules/system/userdomain.te | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 196bcc0..94c5ff6 100644 ---- a/policy/modules/system/userdomain.te -+++ b/policy/modules/system/userdomain.te -@@ -370,6 +370,14 @@ optional_policy(` - ') - - ############################################################ -+# login_userdomain local policy -+ -+create_blk_files_pattern(login_userdomain, user_tmp_t, user_tmp_t ) -+create_chr_files_pattern(login_userdomain, user_tmp_t, user_tmp_t ) -+create_fifo_files_pattern(login_userdomain, user_tmp_t, user_tmp_t ) -+create_files_pattern(login_userdomain, user_tmp_t, user_tmp_t ) -+create_sock_files_pattern(login_userdomain, user_tmp_t, user_tmp_t ) -+ - # Local Policy Confined Admin - # - gen_require(` --- -1.8.3.1 - 
diff --git a/backport-Allow-nsswitch-domain-write-to-systemd-resolved-PID-.patch b/backport-Allow-nsswitch-domain-write-to-systemd-resolved-PID-.patch deleted file mode 100644 index 763d6e40e5fd14eb9453fd891038ccf99be85d54..0000000000000000000000000000000000000000 --- a/backport-Allow-nsswitch-domain-write-to-systemd-resolved-PID-.patch +++ /dev/null @@ -1,28 +0,0 @@ -From a3ec0f513ede0204be0e793b9e4f19214e9ce063 Mon Sep 17 00:00:00 2001 -From: Zdenek Pytela -Date: Thu, 10 Dec 2020 00:17:57 +0100 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/a3ec0f513ede0204be0e793b9e4f19214e9ce063 -Conflict: NA -Subject: [PATCH] Allow nsswitch-domain write to systemd-resolved PID socket - files - -Resolves: rhbz#1900143 ---- - policy/modules/system/authlogin.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 068caed..576ec5f 100644 ---- a/policy/modules/system/authlogin.te -+++ b/policy/modules/system/authlogin.te -@@ -562,6 +562,7 @@ optional_policy(` - ') - - optional_policy(` -+ systemd_resolved_write_pid_sock_files(nsswitch_domain) - systemd_userdbd_stream_connect(nsswitch_domain) - systemd_machined_stream_connect(nsswitch_domain) - ') --- -1.8.3.1 - diff --git a/backport-Allow-nsswitch_domain-read-cgroup-files.patch b/backport-Allow-nsswitch_domain-read-cgroup-files.patch deleted file mode 100644 index 4dd3ab1dafbaddc0b12fb8d202e014048d7bbbc9..0000000000000000000000000000000000000000 --- a/backport-Allow-nsswitch_domain-read-cgroup-files.patch +++ /dev/null 
@@ -1,33 +0,0 @@
-From d7924a942d84c255fb9d85f262fd68a9e08c2433 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 30 Mar 2021 20:54:17 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/d7924a942d84c255fb9d85f262fd68a9e08c2433
-Conflict: NA
-Subject: [PATCH] Allow nsswitch_domain read cgroup files
-
-This permission is required when the systemd nss module is used
-in nsswitch.conf for users or groups. The module checks whether
-the current process is running in the root cgroup, or if rather
-cgroup namespaces are in place.
-
-Resolves: rhbz#1895061
----
- policy/modules/system/authlogin.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 068caed..0e54d0a 100644
---- a/policy/modules/system/authlogin.te
-+++ b/policy/modules/system/authlogin.te
-@@ -465,6 +465,8 @@ files_list_var_lib(nsswitch_domain)
- # read /etc/nsswitch.conf
- files_read_etc_files(nsswitch_domain)
-
-+fs_read_cgroup_files(nsswitch_domain)
-+
- init_stream_connectto(nsswitch_domain)
-
- sysnet_dns_name_resolve(nsswitch_domain)
---
-1.8.3.1
-
diff --git a/backport-Allow-nsswitch_domain-to-connect-to-systemd-machined.patch b/backport-Allow-nsswitch_domain-to-connect-to-systemd-machined.patch
deleted file mode 100644
index 91e53e735cc35a3f2e4d351cced3e7da3b522ad9..0000000000000000000000000000000000000000
--- a/backport-Allow-nsswitch_domain-to-connect-to-systemd-machined.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 6fe205674f9cd1face5e2cf1aeb90d265ef89ba8 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Wed, 12 Aug 2020 12:09:21 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/6fe205674f9cd1face5e2cf1aeb90d265ef89ba8
-Conflict: NA
-Subject: [PATCH] Allow nsswitch_domain to connect to systemd-machined using a
- unix socket
-
-Create the systemd_machined_stream_connect() interface.
-
-Resolves: rhbz#1865748
----
- policy/modules/system/authlogin.te | 1 +
- policy/modules/system/systemd.if | 19 +++++++++++++++++++
- 2 files changed, 20 insertions(+)
-
-diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 25d1691..6043c45 100644
---- a/policy/modules/system/authlogin.te
-+++ b/policy/modules/system/authlogin.te
-@@ -563,6 +563,7 @@ optional_policy(`
-
- optional_policy(`
- systemd_userdbd_stream_connect(nsswitch_domain)
-+ systemd_machined_stream_connect(nsswitch_domain)
- ')
-
- optional_policy(`
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index a6d8bd0..dbc8fc9 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -2001,6 +2001,25 @@ interface(`systemd_machined_rw_devpts_chr_files',`
-
- ########################################
- ##
-+## Allow the specified domain to connect to
-+## systemd_machined with a unix socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_machined_stream_connect',`
-+ gen_require(`
-+ type systemd_machined_t;
-+ ')
-+
-+ allow $1 systemd_machined_t:unix_stream_socket connectto;
-+')
-+
-+########################################
-+##
- ## Send and receive messages from
- ## systemd machined over dbus.
- ##
---
-1.8.3.1
-
diff --git a/backport-Allow-passwd-to-get-attributes-in-proc_t.patch b/backport-Allow-passwd-to-get-attributes-in-proc_t.patch
deleted file mode 100644
index 2f4b10f54aa886ed6cc06c6faff21fd063484755..0000000000000000000000000000000000000000
--- a/backport-Allow-passwd-to-get-attributes-in-proc_t.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 44a5636ce1fb9d8d306fe49b821b84114ab28746 Mon Sep 17 00:00:00 2001
-From: Patrik Koncity
-Date: Fri, 21 Aug 2020 15:47:20 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/44a5636ce1fb9d8d306fe49b821b84114ab28746
-Conflict: NA
-Subject: [PATCH] Allow passwd to get attributes in proc_t
-
-Add interface kernel_getattr_proc() to passwd policy.
-This macro allow paswd get attributes on filesystem /proc.
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1858738
----
- policy/modules/admin/usermanage.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 262f01e..16b43b6 100644
---- a/policy/modules/admin/usermanage.te
-+++ b/policy/modules/admin/usermanage.te
-@@ -332,6 +332,7 @@ allow passwd_t crack_db_t:dir list_dir_perms;
- read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-
- kernel_read_kernel_sysctls(passwd_t)
-+kernel_getattr_proc(passwd_t)
-
- # for SSP
- dev_read_urand(passwd_t)
---
-1.8.3.1
-
diff --git a/backport-Allow-stub-resolv.conf-to-be-a-symlink.patch b/backport-Allow-stub-resolv.conf-to-be-a-symlink.patch
deleted file mode 100644
index 81ef77336c8eb0344cd95fedc57d88478e2bb47b..0000000000000000000000000000000000000000
--- a/backport-Allow-stub-resolv.conf-to-be-a-symlink.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 82e42900ad8027abed98f0b5d7a0969223fa4a7b Mon Sep 17 00:00:00 2001
-From: Ondrej Mosnacek
-Date: Fri, 11 Dec 2020 17:21:14 +0100
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/82e42900ad8027abed98f0b5d7a0969223fa4a7b
-Conflict: NA
-Subject: [PATCH] Allow stub-resolv.conf to be a symlink
-
-It turns out that under certain configurations,
-/var/run/systemd/resolve/stub-resolv.conf can be a symlink instead of a
-regular file (see [1]). In such case, domains such as NetworkManager_t
-and chronyd_t need to be able to read it, which is denied since the
-symlink ends up being labeled as systemd_resolved_var_run_t.
-
-So make sure that such symlink is also labeled net_conf_t and extend
-sysnet_read_config() to allow also reading symlinks.
-
-NOTE: Further unification/simplification of /etc network config symlinks
-would now be possible (basically reverting f1505fca7063 ("Label
-/etc/resolv.conf as net_conf_t only if it is a plain file")), but that
-leads down to a deeper rabbit hole, so it's not addressed here.
-
-[1] https://src.fedoraproject.org/rpms/selinux-policy/pull-request/135#comment-62439
-
-Signed-off-by: Ondrej Mosnacek
----
- policy/modules/system/sysnetwork.fc | 2 +-
- policy/modules/system/sysnetwork.if | 3 ++-
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 27eb98b..de92927 100644
---- a/policy/modules/system/sysnetwork.fc
-+++ b/policy/modules/system/sysnetwork.fc
-@@ -38,7 +38,7 @@ ifdef(`distro_redhat',`
- /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- /var/run/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
- /var/run/systemd/resolve/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
--/var/run/systemd/resolve/stub-resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
-+/var/run/systemd/resolve/stub-resolv\.conf gen_context(system_u:object_r:net_conf_t,s0)
- ')
- /var/run/NetworkManager/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-
-diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index d7b696b..25e6b13 100644
---- a/policy/modules/system/sysnetwork.if
-+++ b/policy/modules/system/sysnetwork.if
-@@ -456,6 +456,7 @@ interface(`sysnet_read_config',`
- allow $1 net_conf_t:dir list_dir_perms;
- allow $1 net_conf_t:lnk_file read_lnk_file_perms;
- read_files_pattern($1, net_conf_t, net_conf_t)
-+ read_lnk_files_pattern($1, net_conf_t, net_conf_t)
- ')
- ')
-
-@@ -1144,7 +1145,7 @@ interface(`sysnet_filetrans_systemd_resolved',`
- optional_policy(`
- systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf")
- systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
-- systemd_resolved_pid_filetrans($1, net_conf_t, file, "stub-resolv.conf")
-+ systemd_resolved_pid_filetrans($1, net_conf_t, { file lnk_file }, "stub-resolv.conf")
- ')
- ')
-
---
-1.8.3.1
-
diff --git a/backport-Allow-syslogd_t-domain-to-read-write-tmpfs-systemd-b.patch b/backport-Allow-syslogd_t-domain-to-read-write-tmpfs-systemd-b.patch
deleted file mode 100644
index 5bd11bc61705f35a12d0a2fa94f1a08bd18b25a5..0000000000000000000000000000000000000000
--- a/backport-Allow-syslogd_t-domain-to-read-write-tmpfs-systemd-b.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From 204a23cf3da322e59c1b7af2e5cd62c835b91c2a Mon Sep 17 00:00:00 2001
-From: Richard Filo
-Date: Thu, 20 Aug 2020 22:25:28 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/204a23cf3da322e59c1b7af2e5cd62c835b91c2a
-Conflict: NA
-Subject: [PATCH] Allow syslogd_t domain to read/write tmpfs systemd-bootchart
- files
-
-Create the two interfaces to allow mapping and r/w permisions.
-Add this two interfaces to the policy for domain syslogd_t.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1838163
-
-The one way how can the systemd-journald get a log data from any services is by socket /run/systemd/journal/socket. But when the message is bigger than max size of datagram, it must be done differently. It is by filedescriptor, which is connected to the datagram and in the file to which the file descriptor refers are the log data that were not sent. The file is created by memfd_create() syscall and in kernel the file is implemented as tmpfs.
-
-That means any service can communicate in this way.
----
- policy/modules/system/logging.te | 5 +++++
- policy/modules/system/systemd.if | 36 ++++++++++++++++++++++++++++++++++++
- 2 files changed, 41 insertions(+)
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index db0b849..8f6286d 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -720,6 +720,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ systemd_rw_bootchart_tmpfs_files(syslogd_t)
-+ systemd_map_bootchart_tmpfs_files(syslogd_t)
-+')
-+
-+optional_policy(`
- daemontools_search_svc_dir(syslogd_t)
- ')
-
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index dbc8fc9..ff31161 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -2096,6 +2096,42 @@ interface(`systemd_rw_coredump_tmpfs_files',`
-
- ########################################
- ##
-+## Mmap to systemd-bootchart temporary file system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_map_bootchart_tmpfs_files',`
-+ gen_require(`
-+ type systemd_bootchart_tmpfs_t;
-+ ')
-+
-+ allow $1 systemd_bootchart_tmpfs_t:file map;
-+')
-+
-+########################################
-+##
-+## Read and write to systemd-bootchart temporary file system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`systemd_rw_bootchart_tmpfs_files',`
-+ gen_require(`
-+ type systemd_bootchart_tmpfs_t;
-+ ')
-+
-+ allow $1 systemd_bootchart_tmpfs_t:file rw_file_perms;
-+')
-+
-+########################################
-+##
- ## Allow process to read hwdb config file.
- ##
- ##
---
-1.8.3.1
-
diff --git a/backport-Allow-systemd-hostnamed-read-udev-runtime-data.patch b/backport-Allow-systemd-hostnamed-read-udev-runtime-data.patch
deleted file mode 100644
index 1b8da015d72a2b75b973ae763f409c6f288fcf4c..0000000000000000000000000000000000000000
--- a/backport-Allow-systemd-hostnamed-read-udev-runtime-data.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From b65f4fd6426b7abb3fa9d73a1e7b8c12092696c6 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 23 Feb 2021 17:51:37 +0100
-Subject: [PATCH] Allow systemd-hostnamed read udev runtime data
-
-Required since systemd-248-rc1:
-systemd-hostnamed now exports the "HardwareVendor" and "HardwareModel"
-D-Bus properties, which are supposed to contain a pair of cleaned up,
-human readable strings describing the system's vendor and model. It's
-typically sourced from the firmware's DMI tables, but may be augmented
-from a new hwdb database. hostnamectl shows this in the status output.
-
-https://github.com/systemd/systemd/blob/v248-rc1/NEWS
-
-Resolves: rhbz#1931959
-Signed-off-by: lujie42 <572084868@qq.com>
----
- policy/modules/system/systemd.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index adbbd37..abfe2d4 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -849,6 +849,10 @@ optional_policy(`
- dbus_connect_system_bus(systemd_hostnamed_t)
- ')
-
-+optional_policy(`
-+ udev_read_pid_files(systemd_hostnamed_t)
-+')
-+
- #######################################
- #
- # rfkill policy
---
-1.8.3.1
-
diff --git a/backport-Allow-systemd-logind-dbus-chat-with-fwupd.patch b/backport-Allow-systemd-logind-dbus-chat-with-fwupd.patch
deleted file mode 100644
index b1d903ae2622c1f2213c18e7205ae97ce96b33d1..0000000000000000000000000000000000000000
--- a/backport-Allow-systemd-logind-dbus-chat-with-fwupd.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 5867b09c03641f8a270863952a67cff61c3cc8e4 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 24 Jul 2020 21:28:43 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/5867b09c03641f8a270863952a67cff61c3cc8e4
-Conflict: NA
-Subject: [PATCH] Allow systemd-logind dbus chat with fwupd
-
----
- policy/modules/system/systemd.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 7cb36c4..367758a 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -353,6 +353,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ fwupd_dbus_chat(systemd_logind_t)
-+')
-+
-+optional_policy(`
- # we label /run/user/$USER/dconf as config_home_t
- gnome_manage_home_config_dirs(systemd_logind_t)
- gnome_manage_home_config(systemd_logind_t)
---
-1.8.3.1
-
diff --git a/backport-Allow-systemd-logind-manage-init-s-pid-files.patch b/backport-Allow-systemd-logind-manage-init-s-pid-files.patch
deleted file mode 100644
index 2bdca2675ee004ac9fb142cc4f5dcfb24206c1e2..0000000000000000000000000000000000000000
--- a/backport-Allow-systemd-logind-manage-init-s-pid-files.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 099b9776b76a31cdf8281e06f9cc27946b26cf9f Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Mon, 7 Dec 2020 22:15:18 +0100
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/099b9776b76a31cdf8281e06f9cc27946b26cf9f
-Conflict: NA
-Subject: [PATCH] Allow systemd-logind manage init's pid files
-
-Added init_manage_pid_files() interface.
-
-Resolves: rhbz#1856399
----
- policy/modules/system/init.if | 18 ++++++++++++++++++
- policy/modules/system/systemd.te | 1 +
- 2 files changed, 19 insertions(+)
-
-diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 629af26..4674755 100644
---- a/policy/modules/system/init.if
-+++ b/policy/modules/system/init.if
-@@ -2838,6 +2838,24 @@ interface(`init_read_pid_files',`
-
- ########################################
- ##
-+## Manage init pid files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`init_manage_pid_files',`
-+ gen_require(`
-+ type init_var_run_t;
-+ ')
-+
-+ manage_files_pattern($1, init_var_run_t, init_var_run_t)
-+')
-+
-+########################################
-+##
- ## Read init unnamed pipes.
- ##
- ##
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 24cf02e..332d716 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -297,6 +297,7 @@ init_signal_script(systemd_logind_t)
- init_getattr_script_status_files(systemd_logind_t)
- init_read_utmp(systemd_logind_t)
- init_config_transient_files(systemd_logind_t)
-+init_manage_pid_files(systemd_logind_t)
-
- getty_systemctl(systemd_logind_t)
-
---
-1.8.3.1
-
diff --git a/backport-Allow-systemd-machined-manage-systemd-userdbd-runtim.patch b/backport-Allow-systemd-machined-manage-systemd-userdbd-runtim.patch
deleted file mode 100644
index 390a4846f8a87c43425359a660e9efa21b09b441..0000000000000000000000000000000000000000
--- a/backport-Allow-systemd-machined-manage-systemd-userdbd-runtim.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 9b31818705c564f94c46366ef83efa4951ffa64a Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 12 Jan 2021 18:36:07 +0100
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/9b31818705c564f94c46366ef83efa4951ffa64a
-Conflict: NA
-Subject: [PATCH] Allow systemd-machined manage systemd-userdbd runtime sockets
-
-Add the systemd_manage_userdbd_runtime_sock_files() interface
-and remove systemd_create_userdbd_runtime_sock_files()
-which is not used any longer.
-
-Resolves: rhbz#1891182
----
- policy/modules/system/systemd.if | 6 +++---
- policy/modules/system/systemd.te | 2 +-
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index d10ae16..67479ce 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -2486,7 +2486,7 @@ interface(`systemd_userdbd_stream_connect',`
-
- #######################################
- ##
--## Create a named socket in userdbd runtime directory
-+## Manage named sockets in userdbd runtime directory
- ##
- ##
- ##
-@@ -2494,10 +2494,10 @@ interface(`systemd_userdbd_stream_connect',`
- ##
- ##
- #
--interface(`systemd_create_userdbd_runtime_sock_files',`
-+interface(`systemd_manage_userdbd_runtime_sock_files',`
- gen_require(`
- type systemd_userdbd_runtime_t;
- ')
-
-- create_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
-+ manage_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
- ')
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index c806b29..3eb12be 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -416,7 +416,7 @@ init_manage_config_transient_files(systemd_machined_t)
- logging_dgram_send(systemd_machined_t)
-
- systemd_read_efivarfs(systemd_machined_t)
--systemd_create_userdbd_runtime_sock_files(systemd_machined_t)
-+systemd_manage_userdbd_runtime_sock_files(systemd_machined_t)
-
- userdom_dbus_send_all_users(systemd_machined_t)
-
---
-1.8.3.1
-
diff --git a/backport-Allow-systemd-resolved-manage-its-private-runtime-sy.patch b/backport-Allow-systemd-resolved-manage-its-private-runtime-sy.patch
deleted file mode 100644
index 5d563f4775b3d5b573bf17f98414552960e2de4e..0000000000000000000000000000000000000000
--- a/backport-Allow-systemd-resolved-manage-its-private-runtime-sy.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 17fe432dfcf5b3e3b4d6185cfdab6489135045e8 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 8 Dec 2020 15:53:05 +0100
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/17fe432dfcf5b3e3b4d6185cfdab6489135045e8
-Conflict: NA
-Subject: [PATCH] Allow systemd-resolved manage its private runtime symlinks
-
-Resolves: rhbz#1896796
----
- policy/modules/system/systemd.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 806b7d6..24cf02e 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -1047,6 +1047,7 @@ allow systemd_resolved_t self:unix_dgram_socket create_socket_perms;
-
- manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
- manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
-+manage_lnk_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
- init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
-
- list_dirs_pattern(systemd_resolved_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
---
-1.8.3.1
-
diff --git a/backport-Allow-traceroute_t-and-ping_t-to-bind-generic-nodes.patch b/backport-Allow-traceroute_t-and-ping_t-to-bind-generic-nodes.patch
deleted file mode 100644
index 461078ebd35e4bce58f0f7f82eea7fe4b5fdb374..0000000000000000000000000000000000000000
--- a/backport-Allow-traceroute_t-and-ping_t-to-bind-generic-nodes.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 1aa9e5609375815103d2445df1746cb90a02b55a Mon Sep 17 00:00:00 2001
-From: Patrik Koncity
-Date: Tue, 11 Aug 2020 14:19:29 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/1aa9e5609375815103d2445df1746cb90a02b55a
-Conflict: NA
-Subject: [PATCH] Allow traceroute_t and ping_t to bind generic nodes.
-
-Use newly created macro corenet_icmp_bind_generic_node() for ping_t and traceroute_t.
-This macro allowing bind generic nodes in node_t domain.
----
- policy/modules/admin/netutils.te | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index f835af5..5793fe9 100644
---- a/policy/modules/admin/netutils.te
-+++ b/policy/modules/admin/netutils.te
-@@ -140,6 +140,7 @@ corenet_raw_sendrecv_generic_node(ping_t)
- corenet_tcp_sendrecv_generic_node(ping_t)
- corenet_raw_bind_generic_node(ping_t)
- corenet_tcp_sendrecv_all_ports(ping_t)
-+corenet_icmp_bind_generic_node(ping_t)
-
- fs_dontaudit_getattr_xattr_fs(ping_t)
- fs_dontaudit_rw_anon_inodefs_files(ping_t)
-@@ -245,6 +246,7 @@ corenet_tcp_connect_all_ports(traceroute_t)
- corenet_sendrecv_all_client_packets(traceroute_t)
- corenet_sendrecv_traceroute_server_packets(traceroute_t)
- corenet_sctp_bind_generic_node(traceroute_t)
-+corenet_icmp_bind_generic_node(traceroute_t)
-
- corecmd_exec_bin(traceroute_t)
-
---
-1.8.3.1
-
diff --git a/backport-Allow-unconfined_t-to-node_bind-icmp_sockets-in-node.patch b/backport-Allow-unconfined_t-to-node_bind-icmp_sockets-in-node.patch
deleted file mode 100644
index c8e9d7d65452001dc054c4481fae949a19b3d109..0000000000000000000000000000000000000000
--- a/backport-Allow-unconfined_t-to-node_bind-icmp_sockets-in-node.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From e4f9c9f4f4c5af851410fde006f6589c0bf7f863 Mon Sep 17 00:00:00 2001
-From: Patrik Koncity
-Date: Wed, 5 Aug 2020 17:26:20 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/e4f9c9f4f4c5af851410fde006f6589c0bf7f863
-Conflict: NA
-Subject: [PATCH] Allow unconfined_t to node_bind icmp_sockets in node_t domain
-
-When uncofined user run ping or traceroute, this process get label unconfined_t.
-Allow to ping or traceroute, which run as unconfined_t, to node_bind icmp_sockets in node_t domain.
-
-Bugzila: https://bugzilla.redhat.com/show_bug.cgi?id=1848929#c0
----
- policy/modules/kernel/corenetwork.te.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index c317449..b718ab0 100644
---- a/policy/modules/kernel/corenetwork.te.in
-+++ b/policy/modules/kernel/corenetwork.te.in
-@@ -465,7 +465,7 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
-
- # Bind to any network address.
- allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket sctp_socket} name_bind;
--allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
-+allow corenet_unconfined_type node_type:{ dccp_socket icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
-
- # Infiniband
- corenet_ib_access_all_pkeys(corenet_unconfined_type)
---
-1.8.3.1
-
diff --git a/backport-Change-transitions-for-.config-Yubico.patch b/backport-Change-transitions-for-.config-Yubico.patch
deleted file mode 100644
index ac6318113b6049a68f8949f3d5e95db29522e3c1..0000000000000000000000000000000000000000
--- a/backport-Change-transitions-for-.config-Yubico.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From 099ea7b7bd113cac657f98d406c77839cce98859 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 25 Aug 2020 16:33:38 +0200
-Subject: [PATCH] Change transitions for ~/.config/Yubico
-
-Created the auth_filetrans_auth_home_content() interface which is used
-to allow the filename transition in gnome config directory for the
-login_pgm and userdomain attributes.
-
-This commit reverts the transitions introduced in
-commit 1363710b88904f29915e39335fef0dfb673a0f70.
-
-Signed-off-by: lujie42 <572084868@qq.com>
----
- policy/modules/system/authlogin.if | 23 +++++++++++++++++++++--
- policy/modules/system/authlogin.te | 1 +
- policy/modules/system/userdomain.te | 2 ++
- 3 files changed, 24 insertions(+), 2 deletions(-)
-
-diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 90ae5fe..ab68d31 100644
---- a/policy/modules/system/authlogin.if
-+++ b/policy/modules/system/authlogin.if
-@@ -2313,7 +2313,6 @@ interface(`auth_filetrans_admin_home_content',`
- userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
- userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
- userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
-- userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
- ')
-
-
-@@ -2378,7 +2377,27 @@ interface(`auth_filetrans_home_content',`
- userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
- userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
- userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
-- userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
-+')
-+
-+########################################
-+##
-+## Create auth directory in the config home directory
-+## with a correct label.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`auth_filetrans_auth_home_content',`
-+ gen_require(`
-+ type auth_home_t;
-+ ')
-+
-+ optional_policy(`
-+ gnome_config_filetrans($1, auth_home_t, dir, "Yubico")
-+ ')
- ')
-
- ########################################
-diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index f3870d3..068caed 100644
---- a/policy/modules/system/authlogin.te
-+++ b/policy/modules/system/authlogin.te
-@@ -603,6 +603,7 @@ manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t)
- manage_files_pattern(login_pgm, auth_home_t, auth_home_t)
- auth_filetrans_admin_home_content(login_pgm)
- auth_filetrans_home_content(login_pgm)
-+auth_filetrans_auth_home_content(login_pgm)
-
- # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
- kernel_search_network_sysctl(login_pgm)
-diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 756ac4a..196bcc0 100644
---- a/policy/modules/system/userdomain.te
-+++ b/policy/modules/system/userdomain.te
-@@ -147,6 +147,7 @@ dontaudit unpriv_userdomain self:dir setattr;
- allow unpriv_userdomain self:file manage_file_perms;
- allow unpriv_userdomain self:key manage_key_perms;
-
-+auth_filetrans_auth_home_content(userdomain)
-
- files_dontaudit_manage_boot_files(unpriv_userdomain)
-
-@@ -289,6 +290,7 @@ userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, "tmp")
-
- optional_policy(`
- gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
-+ gnome_config_filetrans(userdom_filetrans_type, auth_home_t, dir, "Yubico")
- #gnome_admin_home_gconf_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin")
- ')
-
---
-1.8.3.1
-
diff --git a/backport-Create-chronyd_pid_filetrans-interface.patch b/backport-Create-chronyd_pid_filetrans-interface.patch
deleted file mode 100644
index 6b092a82dd0333afb881db9e4f68ccdc638e390c..0000000000000000000000000000000000000000
--- a/backport-Create-chronyd_pid_filetrans-interface.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 25d2a5c01c34d72c20f5d219227ad87897411967 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Wed, 14 Oct 2020 22:41:52 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/25d2a5c01c34d72c20f5d219227ad87897411967
-Conflict: NA
-Subject: [PATCH] Create chronyd_pid_filetrans() interface
-
----
- policy/modules/contrib/chronyd.if | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
-index c1b1b71..3d47264 100644
---- a/policy/modules/contrib/chronyd.if
-+++ b/policy/modules/contrib/chronyd.if
-@@ -236,6 +236,25 @@ interface(`chronyd_manage_pid',`
- manage_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
- ')
-
-+######################################
-+##
-+## Create objects in /var/run
-+## with chronyd runtime private file type.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`chronyd_pid_filetrans',`
-+ gen_require(`
-+ type chronyd_var_run_t;
-+ ')
-+
-+ files_pid_filetrans($1, chronyd_var_run_t, dir, "chrony-dhcp")
-+')
-+
- ####################################
- ##
- ## All of the rules required to
---
-1.8.3.1
-
diff --git a/backport-Create-macro-corenet_icmp_bind_generic_node.patch b/backport-Create-macro-corenet_icmp_bind_generic_node.patch
deleted file mode 100644
index 0bdaac612725a57d2176a008f10306eb89799d33..0000000000000000000000000000000000000000
--- a/backport-Create-macro-corenet_icmp_bind_generic_node.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 65c1a66265908f3d5a39fa201d6b6f9f2a2981a4 Mon Sep 17 00:00:00 2001
-From: Patrik Koncity
-Date: Tue, 11 Aug 2020 13:51:55 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/65c1a66265908f3d5a39fa201d6b6f9f2a2981a4
-Conflict: NA
-Subject: [PATCH] Create macro corenet_icmp_bind_generic_node()
-
-This macro allowing bind ICMP sockets to generic nodes in node_t domain.
----
- policy/modules/kernel/corenetwork.if.in | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 1ed5283..1858e41 100644
---- a/policy/modules/kernel/corenetwork.if.in
-+++ b/policy/modules/kernel/corenetwork.if.in
-@@ -863,6 +863,24 @@ interface(`corenet_sctp_bind_generic_node',`
-
- ########################################
- ##
-+## Bind ICMP sockets to generic nodes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`corenet_icmp_bind_generic_node',`
-+ gen_require(`
-+ type node_t;
-+ ')
-+
-+ allow $1 node_t:icmp_socket node_bind;
-+')
-+
-+########################################
-+##
- ## Bind TCP sockets to generic nodes.
- ##
- ##
---
-1.8.3.1
-
diff --git a/backport-Define-named-file-transition-for-sshd-on-tmp-krb5_0..patch b/backport-Define-named-file-transition-for-sshd-on-tmp-krb5_0..patch
deleted file mode 100644
index 430035b6962dff2d21db784da01245df4c93ad6d..0000000000000000000000000000000000000000
--- a/backport-Define-named-file-transition-for-sshd-on-tmp-krb5_0..patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 5d5feca5ce10b7b4f45c44431c8c258685eeef61 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 11 Aug 2020 22:15:55 +0200
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/5d5feca5ce10b7b4f45c44431c8c258685eeef61
-Conflict: NA
-Subject: [PATCH] Define named file transition for sshd on /tmp/krb5_0.rcache2
-
----
- policy/modules/services/ssh.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 7b09f29..b06cc76 100644
---- a/policy/modules/services/ssh.te
-+++ b/policy/modules/services/ssh.te
-@@ -380,6 +380,7 @@ optional_policy(`
-
- optional_policy(`
- kerberos_read_keytab(sshd_t)
-+ kerberos_tmp_filetrans_host_rcache(sshd_t, "krb5_0.rcache2")
- kerberos_use(sshd_t)
- kerberos_write_kadmind_tmp_files(sshd_t)
- ')
---
-1.8.3.1
-
diff --git a/backport-Update-systemd_resolved_read_pid-to-also-read-symlin.patch b/backport-Update-systemd_resolved_read_pid-to-also-read-symlin.patch
deleted file mode 100644
index 46edcbd3b34e512c04c4fb41bbcefcc031019670..0000000000000000000000000000000000000000
--- a/backport-Update-systemd_resolved_read_pid-to-also-read-symlin.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From ade23054745c5a738abc8760dfc425f8bf916944 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 8 Dec 2020 16:05:22 +0100
-Reference: https://github.com/fedora-selinux/selinux-policy/commit/ade23054745c5a738abc8760dfc425f8bf916944
-Conflict: NA
-Subject: [PATCH] Update systemd_resolved_read_pid() to also read symlinks
-
-In the systemd_resolved_read_pid() interface, list and read permissions
-were allowed for directories and plain files. However, symlinks also can
-be in the same directory. This commit adds read permissions for the
-lnk_file class.
----
- policy/modules/system/systemd.if | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
-index ff31161..ffed76c 100644
---- a/policy/modules/system/systemd.if
-+++ b/policy/modules/system/systemd.if
-@@ -313,6 +313,7 @@ interface(`systemd_resolved_read_pid',`
- files_search_pids($1)
- list_dirs_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
- read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
-+ read_lnk_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
- ')
-
- ######################################
---
-1.8.3.1
-
diff --git a/backport-iptables.fc-Add-missing-legacy-entries.patch b/backport-iptables.fc-Add-missing-legacy-entries.patch
deleted file mode 100644
index adfbb0694a6f4073933e0ece46d03a77dcbdd839..0000000000000000000000000000000000000000
--- a/backport-iptables.fc-Add-missing-legacy-entries.patch
+++ /dev/null
@@ -1,39 +0,0 @@ -From feefaa074e75466aa75c29f17a3d83ac6ce004f0 Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Thu, 18 Feb 2021 10:00:12 +0100 -Subject: [PATCH] iptables.fc: Add missing legacy entries - -The iptables, arptables, and ebtables stack is being deprecated in favor -of nftables. For now, netfilter reimplementations of these tools are -available for backwards compatibility, but have a diffferent filename -now (the main location is now a symlink). Add file context entries for -arptables and ebtables; iptables is already covered by the wildcard -rule. - -This change fixed several ebtables-related denials for me. - -Signed-off-by: Ondrej Mosnacek ---- - policy/modules/system/iptables.fc | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 2c19023..9fb2e34 100644 ---- a/policy/modules/system/iptables.fc -+++ b/policy/modules/system/iptables.fc -@@ -13,10 +13,12 @@ - /usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) - - /usr/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/arptables-legacy -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/arptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/arptables-save -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/ebtables-legacy -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) --- -1.8.3.1 - 
diff --git a/backport-iptables.fc-Add-missing-legacy-restore-and-legacy-sa.patch b/backport-iptables.fc-Add-missing-legacy-restore-and-legacy-sa.patch deleted file mode 100644 index 97e1784251908de13f7f102921067aca2736cfd3..0000000000000000000000000000000000000000 --- a/backport-iptables.fc-Add-missing-legacy-restore-and-legacy-sa.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From dfbaf8f3be6470e0964df8c1b5ae9717f85a4675 Mon Sep 17 00:00:00 2001 -From: LuLuLu <1539327763@qq.com> -Date: Fri, 11 Jun 2021 11:25:18 +0800 -Subject: [PATCH] iptables.fc: Add missing legacy-restore and legacy-save - entries - -/usr/sbin/ebtables-restore and /usr/sbin/ebtables-save are miss labeled now. Each of them is a link file that can link to two differenet files. - -For /usr/sbin/ebtables-restore on fc 34: - -Remove iptables-nft and install ebtables-legacy: -lrwxrwxrwx. 1 root root 34 Apr 23 06:56 /sbin/ebtables-restore -> /etc/alternatives/ebtables-restore -lrwxrwxrwx. 1 root root 33 Jun 10 20:31 /etc/alternatives/ebtables-restore -> /usr/sbin/ebtables-legacy-restore - -Remove ebtables-legacy and install iptables-nft: -lrwxrwxrwx. 1 root root 34 Apr 23 06:56 /sbin/ebtables-restore -> /etc/alternatives/ebtables-restore -lrwxrwxrwx. 1 root root 30 Jun 10 20:35 /etc/alternatives/ebtables-restore -> /usr/sbin/ebtables-nft-restore -lrwxrwxrwx. 1 root root 17 Jan 28 08:48 /usr/sbin/ebtables-nft-restore -> xtables-nft-multi - -/sbin/ebtables-save is similar. But the label of /usr/sbin/ebtables-legacy-restore and /usr/sbin/ebtables-legacy-save is lack. 
---- - policy/modules/system/iptables.fc | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 9fb2e34..e8ee5c0 100644 ---- a/policy/modules/system/iptables.fc -+++ b/policy/modules/system/iptables.fc -@@ -19,6 +19,8 @@ - /usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ebtables-legacy -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/ebtables-legacy-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/ebtables-legacy-save -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) --- -1.8.3.1 - diff --git a/backport-iptables.fc-Remove-duplicate-file-context-entries.patch b/backport-iptables.fc-Remove-duplicate-file-context-entries.patch deleted file mode 100644 index a6d0c402c4cf86c8ba1bba54d4d728a8059c11d7..0000000000000000000000000000000000000000 --- a/backport-iptables.fc-Remove-duplicate-file-context-entries.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From c33aa1f2bdb74f689bd54565e363fa67f3aa148f Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Thu, 18 Feb 2021 09:50:50 +0100 -Subject: [PATCH] iptables.fc: Remove duplicate file context entries - -There is an quivalency rule /sbin -> /usr/sbin so these are redundant. -A few entries were missing in the /usr/sbin block - add them to avoid -regressions. - -Signed-off-by: Ondrej Mosnacek ---- - policy/modules/system/iptables.fc | 20 ++------------------ - 1 file changed, 2 insertions(+), 18 deletions(-) - -diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index d8161fc..639a59b 100644 ---- a/policy/modules/system/iptables.fc -+++ b/policy/modules/system/iptables.fc -@@ -12,25 +12,9 @@ - - /usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) - --/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/arptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/arptables-save -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/nft -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/xtables-legacy-multi -- 
gen_context(system_u:object_r:iptables_exec_t,s0) --/sbin/xtables-nft-multi -- gen_context(system_u:object_r:iptables_exec_t,s0) -- - /usr/sbin/arptables -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/arptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) -+/usr/sbin/arptables-save -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) - /usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) --- -1.8.3.1 - diff --git a/backport-sysnetwork.if-avoid-directly-referencing-systemd_res.patch b/backport-sysnetwork.if-avoid-directly-referencing-systemd_res.patch deleted file mode 100644 index 1a8adbb657ad6913b63361b869330811dab93355..0000000000000000000000000000000000000000 --- a/backport-sysnetwork.if-avoid-directly-referencing-systemd_res.patch +++ /dev/null 
@@ -1,145 +0,0 @@ -From bc79683118e529a8325fd229840915efe30c3f48 Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Mon, 3 Aug 2020 14:49:31 +0200 -Reference: https://github.com/fedora-selinux/selinux-policy/commit/bc79683118e529a8325fd229840915efe30c3f48 -Conflict: NA -Subject: [PATCH] sysnetwork.if: avoid directly referencing - systemd_resolved_var_run_t - -Instead create a systemd_resolved_pid_filetrans() interface in -systemd.if and use that. Also used a unified interface for adding these -transitions in sysnet_filetrans_named_content() and directly in the -systemd module. - -Signed-off-by: Ondrej Mosnacek ---- - policy/modules/system/sysnetwork.if | 36 +++++++++++++++++++++++++++--------- - policy/modules/system/systemd.if | 34 ++++++++++++++++++++++++++++++++++ - policy/modules/system/systemd.te | 4 +--- - 3 files changed, 62 insertions(+), 12 deletions(-) - -diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 10172d6..d7b696b 100644 ---- a/policy/modules/system/sysnetwork.if -+++ b/policy/modules/system/sysnetwork.if -@@ -1127,6 +1127,29 @@ interface(`sysnet_role_transition_dhcpc',` - - ######################################## - ## -+## Set up filename transitions for systemd-resolved network -+## configuration content. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`sysnet_filetrans_systemd_resolved',` -+ gen_require(` -+ type net_conf_t; -+ ') -+ -+ optional_policy(` -+ systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf") -+ systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp") -+ systemd_resolved_pid_filetrans($1, net_conf_t, file, "stub-resolv.conf") -+ ') -+') -+ -+######################################## -+## - ## Transition to sysnet named content - ## - ## -@@ -1138,7 +1161,6 @@ interface(`sysnet_role_transition_dhcpc',` - interface(`sysnet_filetrans_named_content',` - gen_require(` - type net_conf_t; -- type systemd_resolved_var_run_t; - ') - - files_etc_filetrans($1, net_conf_t, file, "resolv.conf") -@@ -1160,15 +1182,11 @@ interface(`sysnet_filetrans_named_content',` - init_pid_filetrans($1, net_conf_t, dir, "network") - - optional_policy(` -- networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf") -- networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp") -- ') -+ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf") -+ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp") -+ ') - -- optional_policy(` -- sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf") -- sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf.tmp") -- sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "stub-resolv.conf") -- ') -+ sysnet_filetrans_systemd_resolved($1) - ') - - ######################################## -diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index 26d4927..d10ae16 100644 ---- a/policy/modules/system/systemd.if -+++ b/policy/modules/system/systemd.if -@@ -335,6 +335,40 @@ interface(`systemd_resolved_write_pid_sock_files',` - write_sock_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t) - ') - -+######################################## -+## -+## Create objects in 
/var/run/systemd/resolve with a private -+## type using a type_transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Private file type. -+## -+## -+## -+## -+## Object classes to be created. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`systemd_resolved_pid_filetrans',` -+ gen_require(` -+ type systemd_resolved_var_run_t; -+ ') -+ -+ filetrans_pattern($1, systemd_resolved_var_run_t, $2, $3, $4) -+') -+ - ###################################### - ## - ## Read systemd_login PID files. -diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 332d716..c806b29 100644 ---- a/policy/modules/system/systemd.te -+++ b/policy/modules/system/systemd.te -@@ -1071,9 +1071,7 @@ dev_write_kmsg(systemd_resolved_t) - dev_read_sysfs(systemd_resolved_t) - - sysnet_manage_config(systemd_resolved_t) --sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf") --sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "stub-resolv.conf") --sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf.tmp") -+sysnet_filetrans_systemd_resolved(systemd_resolved_t) - - systemd_read_efivarfs(systemd_resolved_t) - --- -1.8.3.1 - diff --git a/backport-systemd-allow-all-systemd-services-to-check-selinux-.patch b/backport-systemd-allow-all-systemd-services-to-check-selinux-.patch deleted file mode 100644 index 424b3a33260771bf0ad038f5db80e5bfae32f44a..0000000000000000000000000000000000000000 --- a/backport-systemd-allow-all-systemd-services-to-check-selinux-.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From a96ac9ed374cab65f53a26cd39053705569532bc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 28 Oct 2020 09:17:15 +0100 -Subject: [PATCH] systemd: allow all systemd services to check selinux status - -After https://github.com/systemd/systemd/commit/fd5e402fa9 most systemd -services fail to start with: - -Oct 27 13:50:38 workstation-uefi systemd[1]: Starting systemd-hostnamed.service... -Oct 27 13:50:38 workstation-uefi systemd-hostnamed[944]: Failed to open SELinux status page: Permission denied -Oct 27 13:50:38 workstation-uefi systemd[1]: systemd-hostnamed.service: Main process exited, code=exited, status=1/FAILURE - -After disabling dontaudit: - -Oct 27 14:05:08 workstation-uefi audit[1043]: AVC avc: denied { read } for pid=1043 comm="systemd-hostnam" name="status" dev="selinuxfs" ino=19 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 -Oct 27 14:05:08 workstation-uefi audit[1043]: AVC avc: denied { open } for pid=1043 comm="systemd-hostnam" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 -Oct 27 14:05:08 workstation-uefi audit[1043]: AVC avc: denied { map } for pid=1043 comm="systemd-hostnam" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 - -As first step, allow all systemd services to check selinux status. -The check for selinux status is called from mac_selinux_init() which -is called in 16 different places, so I don't think it makes sense to -try to list them all. Any code which wants to create a labelled file is -likely to call mac_selinux_init(). 
---- - policy/modules/system/systemd.if | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if -index ff3116142..253396f1c 100644 ---- a/policy/modules/system/systemd.if -+++ b/policy/modules/system/systemd.if -@@ -24,6 +24,7 @@ template(`systemd_domain_template',` - kernel_read_system_state($1_t) - - auth_use_nsswitch($1_t) -+ selinux_get_enforce_mode($1_t) - ') - - ###################################### --- -2.23.0 - diff --git a/container-selinux.tgz b/container-selinux.tgz index 61071fb2dfcb44e08ea537eac40571144655838a..99d2beafc1820266eeed4bc062285179009bee92 100644 Binary files a/container-selinux.tgz and b/container-selinux.tgz differ diff --git a/file_contexts.subs_dist b/file_contexts.subs_dist index 8b288f7131bf09fb1c8dc8d22d98107f41a2ebab..1bf47105126cc8787a9e14a36635be58cc725576 100644 --- a/file_contexts.subs_dist +++ b/file_contexts.subs_dist @@ -19,3 +19,4 @@ /sbin /usr/sbin /sysroot/tmp /tmp /var/usrlocal /usr/local +/var/mnt /mnt diff --git a/macro-expander b/macro-expander new file mode 100644 index 0000000000000000000000000000000000000000..2670b61dcaa29b7e89146f773c21bc45595abaf4 --- /dev/null +++ b/macro-expander 
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+function usage {
+ echo "Usage: $0 [ -c | -t [ -M ] ] "
+ echo "Options:
+ -c generate CIL output
+ -t generate standard policy source format (.te) allow rules - this is default
+ -M generate complete module .te output
+"
+}
+
+function cleanup {
+ rm -rf $TEMP_STORE
+}
+
+while getopts "chMt" opt; do
+ case $opt in
+ c) GENCIL=1
+ ;;
+ t) GENTE=1
+ ;;
+ M) GENTEMODULE=1
+ ;;
+ h) usage
+ exit 0
+ ;;
+ \?) usage
+ exit 1
+ ;;
+ esac
+done
+
+shift $((OPTIND-1))
+
+SELINUX_MACRO=$1
+
+if [ -z "$SELINUX_MACRO" ]
+then
+ exit 1
+fi
+
+TEMP_STORE="$(mktemp -d)"
+cd $TEMP_STORE || exit 1
+
+IFS="("
+set $1
+SELINUX_DOMAIN="${2::-1}"
+
+echo -e "policy_module(expander, 1.0.0) \n" \
+ "gen_require(\`\n" \
+ "type $SELINUX_DOMAIN ; \n" \
+ "')" > expander.te
+
+echo "$SELINUX_MACRO" >> expander.te
+
+make -f /usr/share/selinux/devel/Makefile tmp/all_interfaces.conf &> /dev/null
+
+if [ "x$GENCIL" = "x1" ]; then
+
+ make -f /usr/share/selinux/devel/Makefile expander.pp &> /dev/null
+ MAKE_RESULT=$?
+ + if [ $MAKE_RESULT -ne 2 ] + then + /usr/libexec/selinux/hll/pp < $TEMP_STORE/expander.pp > $TEMP_STORE/expander.cil 2> /dev/null + grep -v "cil_gen_require" $TEMP_STORE/expander.cil | sort -u + fi +fi + +if [ "$GENTE" = "1" ] || [ "x$GENCIL" != "x1" ]; then + m4 -D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s /usr/share/selinux/devel/include/support/file_patterns.spt /usr/share/selinux/devel/include/support/ipc_patterns.spt /usr/share/selinux/devel/include/support/obj_perm_sets.spt /usr/share/selinux/devel/include/support/misc_patterns.spt /usr/share/selinux/devel/include/support/misc_macros.spt /usr/share/selinux/devel/include/support/all_perms.spt /usr/share/selinux/devel/include/support/mls_mcs_macros.spt /usr/share/selinux/devel/include/support/loadable_module.spt tmp/all_interfaces.conf expander.te > expander.tmp 2> /dev/null + if [ "x$GENTEMODULE" = "x1" ]; then + # sed '/^#.*$/d;/^\s*$/d;/^\s*class .*/d;/^\s*category .*/d;s/^\s*//' expander.tmp + sed '/^#.*$/d;/^\s*$/d;/^\s*category .*/d;s/^\s*//' expander.tmp + else + grep '^\s*allow' expander.tmp | sed 's/^\s*//' + fi +fi + +cd - > /dev/null || exit 1 +cleanup diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf index a8775dbe058fcd04ae3046b411fbfdd016ede092..e7456ef911ae21223b0edaa9a656e3695ba96210 100644 --- a/modules-targeted-base.conf +++ b/modules-targeted-base.conf @@ -391,10 +391,3 @@ udev = module # The unconfined domain. # unconfined = module - -# Layer: system -# Module: kdbus -# -# Policy for kdbus. -# -kdbus = module diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf index 9568fe60afce9d48ea15b9ed02e9e6647f8d5ffc..16c50db793f4a23808a5ce9045665307d2dbed69 100644 --- a/modules-targeted-contrib.conf +++ b/modules-targeted-contrib.conf 
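Review bot: `cd $TEMP_STORE || exit 1` in the new macro-expander script does not protect against `mktemp -d` failing: an empty, unquoted expansion turns the command into a bare `cd`, which succeeds into `$HOME`, so the script then writes expander.te and the build artifacts there and `cleanup` runs `rm -rf` with no operand. Check the mktemp result and quote the path everywhere it is used: `TEMP_STORE="$(mktemp -d)" || exit 1`, `cd "$TEMP_STORE" || exit 1`, `rm -rf "$TEMP_STORE"`. The later `cd - > /dev/null || exit 1` also returns before `cleanup`, leaving the temporary directory behind; a `trap cleanup EXIT` placed right after the mktemp line would cover every exit path. The macro text is supplied by the developer running the tool, so this is a robustness fix rather than an injection concern, but `IFS="("` is never restored after `set $1`, which deserves a one-line comment so the next reader does not treat it as a bug.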
@@ -2663,3 +2663,17 @@ rrdcached = module # stratisd # stratisd = module + +# Layer: contrib +# Module: ica +# +# ica +# +ica = module + +# Layer: contrib +# Module: fedoratp +# +# fedoratp +# +fedoratp = module diff --git a/rpm.macros b/rpm.macros index 9da4c611ce9c0236dcd42f7d63a154bd73a7c1a9..f63f5fedc07db072fa4efd1a1ae3e830b45a2966 100644 --- a/rpm.macros +++ b/rpm.macros @@ -38,7 +38,11 @@ BuildRequires: selinux-policy-devel \ Requires(post): selinux-policy-base >= %{_selinux_policy_version} \ Requires(post): libselinux-utils \ Requires(post): policycoreutils \ +%if 0%{?fedora} || 0%{?rhel} > 7\ Requires(post): policycoreutils-python-utils \ +%else \ +Requires(post): policycoreutils-python \ +%endif \ %{nil} # %selinux_modules_install [-s ] [-p ] module [module]... diff --git a/selinux-policy-02b35cf.tar.gz b/selinux-policy-02b35cf.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..f66b9a80443fac2c91eeef965b9281365032fd46 Binary files /dev/null and b/selinux-policy-02b35cf.tar.gz differ diff --git a/selinux-policy-9c84d68.tar.gz b/selinux-policy-9c84d68.tar.gz deleted file mode 100644 index c245c80fc1566cd634467117b3c6466e9cbb1506..0000000000000000000000000000000000000000 Binary files a/selinux-policy-9c84d68.tar.gz and /dev/null differ diff --git a/selinux-policy-contrib-27225b9.tar.gz b/selinux-policy-contrib-27225b9.tar.gz deleted file mode 100644 index 035d809aa7b1fc4a06bcd634bff3a8707a9f9121..0000000000000000000000000000000000000000 Binary files a/selinux-policy-contrib-27225b9.tar.gz and /dev/null differ diff --git a/selinux-policy.spec b/selinux-policy.spec index aa7e01a1ebfa0082618029d25c19abdcb7754fa0..ccec0e2e43d59768b67fc82fc82b842cae6946ae 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
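Review bot: The description lines for the two new entries, `# ica` and `# fedoratp`, only repeat the module name, whereas the surrounding entries in this file say what the module confines (compare `# Policy for kdbus.` in modules-targeted-base.conf in the same change). Please state what each module labels and which binaries it expects to find, and confirm those binaries actually ship on the target distribution, since enabling a contrib module adds file contexts and domains to every installation even when the confined program is absent. Judging by its name, `fedoratp` targets a Fedora-specific tool, so a comment recording why it is enabled here would help.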
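Review bot: The new `%else` branch is the one non-Fedora, non-RHEL builds take, since neither `%{?fedora}` nor `%{?rhel}` is defined there, so every package that pulls in this requires macro (its name is outside the hunk) switches its `Requires(post)` from `policycoreutils-python-utils` to `policycoreutils-python`. That is only correct if `policycoreutils-python` is the package name the distribution actually ships for `semanage`, which the hunk does not show; please verify it against the distribution's package set before this lands, because a wrong name breaks installation of every dependent package rather than just this one. A comment above the conditional naming which distribution each branch targets, e.g. `# openEuler keeps semanage in policycoreutils-python; Fedora/RHEL>7 split it into -python-utils`, would make the intent auditable.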
@@ -5,19 +5,22 @@ %define BUILD_TARGETED 1 %define BUILD_MINIMUM 1 %define BUILD_MLS 1 -%define POLICYVER 32 -%define POLICYCOREUTILSVER 3.0-5 -%define CHECKPOLICYVER 3.0 +%define POLICYVER 33 +%define POLICYCOREUTILSVER 3.2 +%define CHECKPOLICYVER 3.2 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.14.2 -Release: 77 +Version: 35.5 +Release: 1 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ -Source0: https://github.com/fedora-selinux/selinux-policy/archive/9c84d687e0fef5d8e4e25273bd25f58c28a7c67c/selinux-policy-9c84d68.tar.gz -Source1: https://github.com/fedora-selinux/selinux-policy-contrib/archive/27225b9de42be65760194536680c9d596f1a1895/selinux-policy-contrib-27225b9.tar.gz +Source0: https://github.com/fedora-selinux/selinux-policy/archive/02b35cff10d8743e075379c062f565f2bb97c032/selinux-policy-02b35cf.tar.gz + +# Tool helps during policy development, to expand system m4 macros to raw allow rules +# Git repo: https://github.com/fedora-selinux/macro-expander.git +Source1: macro-expander # We obtain Source2~Source24 from https://src.fedoraproject.org/rpms/selinux-policy/tree/master Source2: modules-targeted-base.conf 
@@ -50,75 +53,20 @@ Source24: rpm.macros Source35: container-selinux.tgz Patch0: Allow-local_login-to-be-access-to-var-run-files-and-.patch -Patch1: access-to-iptables-run-file.patch -Patch2: add-access-to-faillog-file-for-systemd.patch -Patch3: add-allow-to-be-access-to-sssd-dir-and-file.patch -Patch4: add-allow-shadow-tool-to-access-sssd-var-lib-file-di.patch -Patch5: fix-selinux-label-for-hostname-digest-list.patch -Patch6: solve-shutdown-permission-denied-caused-by-dracut.patch -Patch7: add-allow-for-ldconfig-to-map-libsudo_util-so.patch -Patch8: add-avc-for-kmod.patch -Patch9: allow-ipmievd-to-read-the-process-state-proc-pid-of-.patch -Patch10: add-avc-for-systemd-journald.patch -Patch11: add-avc-for-systemd-hostnamed-and-systemd-logind.patch -Patch12: add-avc-for-systemd.patch -Patch13: allow-systemd-to-mount-unlabeled-filesystemd.patch -Patch14: add_userman_access_run_dir.patch -Patch15: allow-systemd-machined-create-userdbd-runtime-sock-file.patch -Patch16: allow-systemd_machined_t-delete-userdbd-runtime-sock.patch -Patch17: allow-systemd-hostnamed-and-logind-read-policy.patch -Patch18: add-firewalld-fc.patch -Patch19: add-allow-systemd-timedated-to-unlink-etc-link.patch -Patch20: add-avc-for-openEuler-1.patch -Patch21: backport-systemd-allow-all-systemd-services-to-check-selinux-.patch -Patch22: backport-Allow-dovecot-bind-to-smtp-ports.patch -Patch23: allow-rpcbind-to-bind-all-port.patch - -Patch6000: backport-Allow-kdump_t-net_admin-capability.patch -Patch6001: backport-Allow-systemd-logind-dbus-chat-with-fwupd.patch -Patch6002: backport-Allow-auditd-manage-kerberos-host-rcache-files.patch -Patch6003: backport-Add-dev_lock_all_blk_files-interface.patch -Patch6005: backport-Define-named-file-transition-for-sshd-on-tmp-krb5_0..patch -Patch6006: backport-Allow-nsswitch_domain-to-connect-to-systemd-machined.patch -Patch6007: backport-Allow-unconfined_t-to-node_bind-icmp_sockets-in-node.patch -Patch6008: 
backport-Create-macro-corenet_icmp_bind_generic_node.patch -Patch6009: backport-Allow-traceroute_t-and-ping_t-to-bind-generic-nodes.patch -Patch6010: backport-Allow-passwd-to-get-attributes-in-proc_t.patch -Patch6011: backport-Allow-login_pgm-attribute-to-get-attributes-in-proc_.patch -Patch6012: backport-Allow-syslogd_t-domain-to-read-write-tmpfs-systemd-b.patch -Patch6013: backport-Allow-all-users-to-connect-to-systemd-userdbd-with-a.patch -Patch6014: backport-Add-new-devices-and-filesystem-interfaces.patch -Patch6015: backport-Add-lvm_dbus_send_msg-lvm_rw_var_run-interfaces.patch -Patch6016: backport-Allow-domain-write-to-an-automount-unnamed-pipe.patch -Patch6017: backport-Allow-dyntransition-from-sshd_t-to-unconfined_t.patch -Patch6018: backport-Allow-initrc_t-create-run-chronyd-dhcp-directory-wit.patch -Patch6019: backport-Update-systemd_resolved_read_pid-to-also-read-symlin.patch -Patch6020: backport-Allow-systemd-resolved-manage-its-private-runtime-sy.patch -Patch6021: backport-Allow-systemd-logind-manage-init-s-pid-files.patch -Patch6022: backport-Add-systemd_resolved_write_pid_sock_files-interface.patch -Patch6023: backport-Allow-nsswitch-domain-write-to-systemd-resolved-PID-.patch -Patch6024: backport-sysnetwork.if-avoid-directly-referencing-systemd_res.patch -Patch6025: backport-Allow-stub-resolv.conf-to-be-a-symlink.patch -Patch6026: backport-Allow-domain-stat-proc-filesystem.patch -Patch6027: backport-Allow-domain-write-to-systemd-resolved-PID-socket-fi.patch -Patch6028: backport-Allow-systemd-machined-manage-systemd-userdbd-runtim.patch -Patch6029: backport-Allow-domain-stat-the-sys-filesystem.patch -Patch6030: backport-Allow-login_userdomain-write-inaccessible-nodes.patch -Patch6031: backport-Allow-local_login_t-get-attributes-of-tmpfs-filesyst.patch -Patch6032: backport-Allow-dhcpc_t-domain-transition-to-chronyc_t.patch -Patch6033: backport-Allow-nsswitch_domain-read-cgroup-files.patch -Patch6034: 
backport-Allow-IPsec-and-certmonger-to-use-opencryptoki-servi.patch -Patch6035: backport-Create-chronyd_pid_filetrans-interface.patch -Patch6036: backport-iptables.fc-Remove-duplicate-file-context-entries.patch -Patch6037: backport-iptables.fc-Add-missing-legacy-entries.patch -Patch6038: backport-iptables.fc-Add-missing-legacy-restore-and-legacy-sa.patch -Patch6039: backport-Allow-systemd-hostnamed-read-udev-runtime-data.patch -Patch6040: backport-Add-file-context-for-.config-Yubico.patch -Patch6041: backport-Change-transitions-for-.config-Yubico.patch +Patch1: fix-selinux-label-for-hostname-digest-list.patch +Patch2: add-allow-for-ldconfig-to-map-libsudo_util-so.patch +Patch3: allow-ipmievd-to-read-the-process-state-proc-pid-of-.patch +Patch4: add_userman_access_run_dir.patch +Patch5: add-firewalld-fc.patch +Patch6: add-allow-systemd-timedated-to-unlink-etc-link.patch +Patch7: add-avc-for-openEuler-1.patch +Patch8: allow-rpcbind-to-bind-all-port.patch +Patch9: add-avc-for-systemd-journald.patch +Patch10: add-avc-for-systemd.patch + +#Patch6000: backport-Allow-kdump_t-net_admin-capability.patch Patch9000: add-qemu_exec_t-for-stratovirt.patch -Patch9001: add-avc-for-systemd-selinux-page.patch -Patch9002: add-allow-rasdaemon-cap_sys_admin.patch BuildArch: noarch BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc 
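Review bot: The patch list drops several local privilege grants without recording what became of them — `add-allow-rasdaemon-cap_sys_admin.patch`, `add-avc-for-systemd-selinux-page.patch` and `backport-systemd-allow-all-systemd-services-to-check-selinux-.patch` among others — and leaves `#Patch6000: backport-Allow-kdump_t-net_admin-capability.patch` commented out with no reason given. Each of these changes the permissions a confined domain ends up with, so a short comment per dropped or disabled entry stating whether it was merged upstream in 35.5 or intentionally removed would keep the policy delta auditable; for the commented line either add `# merged upstream in 35.5` above it or delete it. The renumbering also changes the `%autopatch -p1` order: `add-avc-for-systemd-journald.patch` and `add-avc-for-systemd.patch` now apply after `allow-rpcbind-to-bind-all-port.patch` instead of before `add_userman_access_run_dir.patch`, which is harmless only if none of the kept patches touch overlapping hunks.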
@@ -243,13 +191,14 @@ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.p %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \ rm -f ${FILE_CONTEXT}.pre; \ fi; \ +%{_sbindir}/restorecon -R /var/lib/rpm \ if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \ continue; \ fi; %define preInstall() \ if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \ - for MOD_NAME in ganesha ipa_custodia; do \ + for MOD_NAME in ganesha ipa_custodia kdbus; do \ if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \ %{_sbindir}/semodule -n -d $MOD_NAME; \ fi; \ @@ -342,13 +291,8 @@ end %build %prep -%setup -n %{name}-contrib-27225b9de42be65760194536680c9d596f1a1895 -q -b 1 -tar -xf %{SOURCE35} -contrib_path=`pwd` -%setup -n %{name}-9c84d687e0fef5d8e4e25273bd25f58c28a7c67c -q - -refpolicy_path=`pwd` -cp $contrib_path/* $refpolicy_path/policy/modules/contrib +%setup -n %{name}-02b35cff10d8743e075379c062f565f2bb97c032 -q +tar -C policy/modules/contrib -xf %{SOURCE35} %autopatch -p1 @@ -365,6 +309,8 @@ touch %{buildroot}%{_sysconfdir}/selinux/config touch %{buildroot}%{_sysconfdir}/sysconfig/selinux mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ cp %{SOURCE21} %{buildroot}%{_usr}/lib/tmpfiles.d/ +mkdir -p %{buildroot}%{_bindir} +install -m 755 %{SOURCE1} %{buildroot}%{_bindir}/ mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/ mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/ @@ -509,6 +455,7 @@ selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null exit 0 %files devel +%{_bindir}/macro-expander %dir %{_usr}/share/selinux/devel %dir %{_usr}/share/selinux/devel/include %{_usr}/share/selinux/devel/include/* 
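Review bot: `%{_sbindir}/restorecon -R /var/lib/rpm \` is the only statement in this macro body that is neither terminated with `;` nor has its stderr redirected, unlike the `fixfiles` and `restorecon` calls around it; writing it as `%{_sbindir}/restorecon -R /var/lib/rpm 2> /dev/null; \` keeps the macro uniform and stops a missing or unlabeled `/var/lib/rpm` from spilling noise into `%post` output. The `%define` this line belongs to starts outside the hunk.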
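Review bot: `tar -C policy/modules/contrib -xf %{SOURCE35}` now unpacks the vendored container-selinux.tgz straight into the policy tree, and this same commit replaces that binary blob (`Binary files ... differ`) with no version, tag or upstream commit recorded in the spec or changelog, so nothing in the repository says which container-selinux release the shipped policy is built from. Add a comment next to `Source35:` (it sits outside this hunk) or a changelog line naming the upstream tag the tarball was generated from; pinning it as a URL-based `Source35:` with a recorded checksum is the stronger fix. Because the archive contents become policy source that is compiled and loaded into the kernel, the tarball should be treated with the same provenance discipline as `Source0`.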
@@ -785,6 +732,9 @@ exit 0 %endif %changelog +* Sat Dec 11 2021 lujie42 - 35.5-1 +- update selinux-policy-3.14.2 to selinux-policy-35.5-1 + * Fri Nov 26 2021 gaoyusong - 3.14.2-77 - Fix CVE-2020-24612 @@ -853,7 +803,7 @@ exit 0 * Sat May 29 2021 luhuaxin <1539327763@qq.com> - 3.14.2-67 - allow kdump_t net_admin capability -* Thu Mar 27 2021 luhuaxin <1539327763@qq.com> - 3.14.2-66 +* Sat Mar 27 2021 luhuaxin <1539327763@qq.com> - 3.14.2-66 - allow rpcbind to bind all port * Fri Mar 5 2021 luhuaxin <1539327763@qq.com> - 3.14.2-65 @@ -873,7 +823,7 @@ exit 0 * Thu Sep 24 2020 openEuler Buildteam - 3.14.2-61 - add add-firewalld-fc.patch -* Thu Sep 22 2020 openEuler Buildteam - 3.14.2-60 +* Tue Sep 22 2020 openEuler Buildteam - 3.14.2-60 - add allow-systemd-hostnamed-and-logind-read-policy.patch * Thu Sep 17 2020 openEuler Buildteam - 3.14.2-59 diff --git a/solve-shutdown-permission-denied-caused-by-dracut.patch b/solve-shutdown-permission-denied-caused-by-dracut.patch deleted file mode 100644 index 94b7a4fd00f5c47e55b6ee994688137a648578ce..0000000000000000000000000000000000000000 --- a/solve-shutdown-permission-denied-caused-by-dracut.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From f14eec646bb7aaef59c4e5a9fa37be21e9797964 Mon Sep 17 00:00:00 2001 -From: guoxiaoqi -Date: Thu, 4 Jun 2020 20:41:46 +0800 -Subject: [PATCH] solve shutdown permission denied caused by dracut - -Signed-off-by: guoxiaoqi ---- - policy/modules/system/init.te | 2 ++ - policy/modules/system/lvm.te | 1 + - policy/modules/system/mount.te | 1 + - 3 files changed, 4 insertions(+) - -diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index e3e8b37..73cccdc 100644 ---- a/policy/modules/system/init.te -+++ b/policy/modules/system/init.te -@@ -215,6 +215,8 @@ dev_filetrans(init_t, initctl_t, fifo_file) - # Modify utmp. - allow init_t initrc_var_run_t:file { rw_file_perms setattr }; - -+allow init_t root_t:dir create; -+ - kernel_read_system_state(init_t) - kernel_share_state(init_t) - kernel_stream_connect(init_t) -diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 99babc9..77fb8f7 100644 ---- a/policy/modules/system/lvm.te -+++ b/policy/modules/system/lvm.te -@@ -323,6 +323,7 @@ init_use_fds(lvm_t) - init_dontaudit_getattr_initctl(lvm_t) - init_use_script_ptys(lvm_t) - init_read_script_state(lvm_t) -+init_nnp_daemon_domain(lvm_t) - - logging_send_syslog_msg(lvm_t) - logging_stream_connect_syslog(lvm_t) -diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 816066d..e884bf5 100644 ---- a/policy/modules/system/mount.te -+++ b/policy/modules/system/mount.te -@@ -186,6 +186,7 @@ init_use_script_ptys(mount_t) - init_dontaudit_getattr_initctl(mount_t) - init_stream_connect_script(mount_t) - init_rw_script_stream_sockets(mount_t) -+init_nnp_daemon_domain(mount_t) - - logging_send_syslog_msg(mount_t) - --- -1.8.3.1 -