From f6e0a0687eb4a34b7d386057c401316e74413349 Mon Sep 17 00:00:00 2001 
From: lujie54 Date: Fri, 2 Sep 2022 15:54:31 +0800 Subject: [PATCH] backport upstream patches (cherry picked from commit 3c7c07692627ca1644adc36f184ed13f8c674edd) --- ...dbus-broker-IPC-with-a-systemd-user-.patch | 72 ++++++++++++++++++ ...low-admin-userdomains-use-socketpair.patch | 46 ++++++++++++ ...d-init-dbus-chat-with-systemd-logind.patch | 44 +++++++++++ ...masq-watch-etc-dnsmasq.d-directories.patch | 37 ++++++++++ ...ns-to-sssd_t-and-role-access-to-sssd.patch | 39 ++++++++++ ...get-attributes-of-cgroup-filesystems.patch | 30 ++++++++ ...t-attributes-of-filesystems-with-ext.patch | 30 ++++++++ ...ect-to-snmpd-with-a-unix-domain-stre.patch | 45 +++++++++++ ...e-an-snmp-subagent-over-a-tcp-socket.patch | 56 ++++++++++++++ ...rdomain-open-read-map-system-journal.patch | 40 ++++++++++ ...attributes-of-filesystems-with-exten.patch | 29 ++++++++ ...get-attributes-of-tmpfs_t-filesystem.patch | 29 ++++++++ ...w-rpmdb-read-admin-home-config-files.patch | 39 ++++++++++ ...-rpmdb-read-generic-SSL-certificates.patch | 39 ++++++++++ ...bcontrol-use-additional-socket-types.patch | 40 ++++++++++ ...-send-a-null-signal-to-sshd-processe.patch | 37 ++++++++++ ...s-execute-passwd-in-the-passwd-domai.patch | 35 +++++++++ ...w-svnserve-send-mail-from-the-system.patch | 41 ++++++++++ ...cute-sysadmctl-in-sysadm_t-domain-us.patch | 74 +++++++++++++++++++ ...ystemd-read-unlabeled-symbolic-links.patch | 69 +++++++++++++++++ ...ow-tlp-dbus-chat-with-NetworkManager.patch | 35 +++++++++ ...s-use-pam_ssh_agent_auth-for-passwor.patch | 47 ++++++++++++ ...hat-run-systemd-are-properly-labeled.patch | 40 ++++++++++ ...xec_user_tmp_files-with-an-entrypoin.patch | 33 +++++++++ selinux-policy.spec | 29 +++++++- 25 files changed, 1054 insertions(+), 1 deletion(-) create mode 100644 backport-Allow-PID-1-and-dbus-broker-IPC-with-a-systemd-user-.patch create mode 100644 backport-Allow-admin-userdomains-use-socketpair.patch create mode 100644 
backport-Allow-cloud-init-dbus-chat-with-systemd-logind.patch
create mode 100644 backport-Allow-dnsmasq-watch-etc-dnsmasq.d-directories.patch
create mode 100644 backport-Allow-domtrans-to-sssd_t-and-role-access-to-sssd.patch
create mode 100644 backport-Allow-haproxy-get-attributes-of-cgroup-filesystems.patch
create mode 100644 backport-Allow-haproxy-get-attributes-of-filesystems-with-ext.patch
create mode 100644 backport-Allow-lldpd-connect-to-snmpd-with-a-unix-domain-stre.patch
create mode 100644 backport-Allow-lldpd-use-an-snmp-subagent-over-a-tcp-socket.patch
create mode 100644 backport-Allow-login_userdomain-open-read-map-system-journal.patch
create mode 100644 backport-Allow-redis-get-attributes-of-filesystems-with-exten.patch
create mode 100644 backport-Allow-rhsmcertd-get-attributes-of-tmpfs_t-filesystem.patch
create mode 100644 backport-Allow-rpmdb-read-admin-home-config-files.patch
create mode 100644 backport-Allow-rpmdb-read-generic-SSL-certificates.patch
create mode 100644 backport-Allow-smbcontrol-use-additional-socket-types.patch
create mode 100644 backport-Allow-sudodomain-send-a-null-signal-to-sshd-processe.patch
create mode 100644 backport-Allow-sudodomains-execute-passwd-in-the-passwd-domai.patch
create mode 100644 backport-Allow-svnserve-send-mail-from-the-system.patch
create mode 100644 backport-Allow-sysadm-execute-sysadmctl-in-sysadm_t-domain-us.patch
create mode 100644 backport-Allow-systemd-read-unlabeled-symbolic-links.patch
create mode 100644 backport-Allow-tlp-dbus-chat-with-NetworkManager.patch
create mode 100644 backport-Allow-userdomains-use-pam_ssh_agent_auth-for-passwor.patch
create mode 100644 backport-Ensure-that-run-systemd-are-properly-labeled.patch
create mode 100644 backport-Update-userdom_exec_user_tmp_files-with-an-entrypoin.patch
diff --git a/backport-Allow-PID-1-and-dbus-broker-IPC-with-a-systemd-user-.patch b/backport-Allow-PID-1-and-dbus-broker-IPC-with-a-systemd-user-.patch
new file mode 100644
index 0000000..34aaf81
--- /dev/null
+++ b/backport-Allow-PID-1-and-dbus-broker-IPC-with-a-systemd-user-.patch
@@ -0,0 +1,72 @@ +From 6a6fff9f00a02723d3a9c58e892e12a527df8efa Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 16 Nov 2021 20:50:48 +0100 +Subject: [PATCH] Allow PID 1 and dbus-broker IPC with a systemd user session + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6a6fff9f00a02723d3a9c58e892e12a527df8efa +Conflict: NA + +systemd-stdio-bridge is invoked using systemd-run to connect to a user +bus from a privileged context: +systemd-run -M.host -PGq --wait -pUser=user1 -pPAMName=login systemd-stdio-bridge -punix:path=${XDG_RUNTIME_DIR}/bus + +The commands sequence is as follows: +1. dnf invokes rpm +2. a scriptlet is called from rpm +3. the scriptlet calls /usr/lib/systemd/systemd-update-helper +4. systemd-update-helper calls systemctl --user @ ... +5. in the systemctl binary, sd-bus invokes systemd-run +6. which invokes systemd-stdio-bridge as the user +7. systemctl communicates with the user manager over the bridge + +Refer to this commit for more information: +https://github.com/systemd/systemd/pull/17967/commits/1b630835dff + +Addresses the following AVC denials: +---- +type=AVC msg=audit(11/15/2021 08:56:59.167:1097) : avc: denied { read write } for pid=458 comm=dbus-broker path=socket:[37803] dev="sockfs" ino=37803 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 +---- +type=AVC msg=audit(11/15/2021 08:56:59.168:1098) : avc: denied { read write } for pid=1 comm=systemd path=socket:[37803] dev="sockfs" ino=37803 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 +---- +type=PROCTITLE msg=audit(11/15/2021 08:56:59.184:1100) : proctitle=(o-bridge) +type=SYSCALL msg=audit(11/15/2021 08:56:59.184:1100) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x0 a1=TCGETS a2=0x7ffca74d78a0 a3=0x0 items=0 ppid=1 
pid=6580 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(o-bridge) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) +type=AVC msg=audit(11/15/2021 08:56:59.184:1100) : avc: denied { ioctl } for pid=6580 comm=(o-bridge) path=socket:[37803] dev="sockfs" ino=37803 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 +---- + +Resolves: rhbz#2023332 +Signed-off-by: lujie54 +--- + policy/modules/contrib/dbus.te | 4 ++++ + policy/modules/system/init.te | 1 + + 2 files changed, 5 insertions(+) + +diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te +index a426d29..76fb3b6 100644 +--- a/policy/modules/contrib/dbus.te ++++ b/policy/modules/contrib/dbus.te +@@ -236,6 +236,10 @@ optional_policy(` + ') + + optional_policy(` ++ userdom_rw_stream(system_dbusd_t) ++') ++ ++optional_policy(` + virt_list_sandbox_dirs(system_dbusd_t) + ') + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index b261f08..22e363a 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -872,6 +872,7 @@ optional_policy(` + + optional_policy(` + userdom_exec_user_bin_files(init_t) ++ userdom_rw_stream(init_t) + ') + + ######################################## +-- +1.8.3.1 + diff --git a/backport-Allow-admin-userdomains-use-socketpair.patch b/backport-Allow-admin-userdomains-use-socketpair.patch new file mode 100644 index 0000000..c457861 --- /dev/null +++ b/backport-Allow-admin-userdomains-use-socketpair.patch 
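Review bot: The `Reference:` line in this patch header points at `https://gitbub.com/fedora-selinux/selinux-policy/commit/6a6fff9f00a02723d3a9c58e892e12a527df8efa`, and `gitbub.com` is a typo for `github.com`, so the provenance link recorded for the backport does not lead to the upstream commit; it should read `Reference: https://github.com/fedora-selinux/selinux-policy/commit/6a6fff9f00a02723d3a9c58e892e12a527df8efa`. The same typo is in the Reference: line of every other backport-*.patch file this commit adds and should be corrected in all of them at once. Separately, the third denial quoted in this message is `{ ioctl }` (TCGETS) on the same unix_stream_socket from init_t, while the two new rules are both `userdom_rw_stream(...)`; if that interface does not include ioctl in the permissions it grants, the o-bridge denial will remain after the patch, so it is worth confirming against the interface definition, which is outside this patch.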
@@ -0,0 +1,46 @@ +From fd807226d8aeb7a06e4f94974e116feedebaed59 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 6 Jan 2022 09:26:43 +0100 +Subject: [PATCH] Allow admin userdomains use socketpair() + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/fd807226d8aeb7a06e4f94974e116feedebaed59 +Conflict: NA + +In cockpit, the bridge uses socketpair() to communicate to subprocesses. +For executing administrative commands, "sudo cockpit-bridge" is spawned, +and the permissions to read and write from the socket are required. + +Simplified reproducer: +$ python3 -c 'import socket, subprocess; r = socket.socketpair(); p = subprocess.Popen(["sudo", "whoami"], stdout=r[0]); print(p.wait()); print(r[1].recv(100))' + +sudo succeeds, but recv() hangs as the data flow is blocked. + +This commit addresses the following AVC denial: + +type=PROCTITLE msg=audit(01/06/2022 03:07:28.526:5532) : proctitle=sudo whoami +type=EXECVE msg=audit(01/06/2022 03:07:28.526:5532) : argc=2 a0=sudo a1=whoami +type=SYSCALL msg=audit(01/06/2022 03:07:28.526:5532) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7f302b08c470 a1=0x7f302b106450 a2=0x7ffe20fef5b8 a3=0xffffffffffffff01 items=2 ppid=567183 pid=567184 auid=admin uid=admin gid=admin euid=root suid=root fsuid=root egid=admin sgid=admin fsgid=admin tty=pts1 ses=6 comm=sudo exe=/usr/bin/sudo subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(01/06/2022 03:07:28.526:5532) : avc: denied { read write } for pid=567184 comm=sudo path=socket:[690408] dev="sockfs" ino=690408 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 + +Resolves: rhbz#1814569 +Signed-off-by: lujie54 +--- + policy/modules/admin/sudo.if | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if +index 24ede58..4b8f975 100644 +--- a/policy/modules/admin/sudo.if 
++++ b/policy/modules/admin/sudo.if +@@ -58,7 +58,7 @@ template(`sudo_role_template',` + allow $1_sudo_t $3:file read_file_perms;; + allow $1_sudo_t $3:key search; + +- allow $1_sudo_t $1_t:unix_stream_socket connectto; ++ allow $1_sudo_t $1_t:unix_stream_socket { connectto read write }; + + # Enter this derived domain from the user domain + domtrans_pattern($3, sudo_exec_t, $1_sudo_t) +-- +1.8.3.1 + diff --git a/backport-Allow-cloud-init-dbus-chat-with-systemd-logind.patch b/backport-Allow-cloud-init-dbus-chat-with-systemd-logind.patch new file mode 100644 index 0000000..da23e26 --- /dev/null +++ b/backport-Allow-cloud-init-dbus-chat-with-systemd-logind.patch 
@@ -0,0 +1,44 @@ +From 8ef66bbca8c278a7f9c2c13c792d885324a120e1 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 24 Nov 2021 11:32:40 +0100 +Subject: [PATCH] Allow cloud-init dbus chat with systemd-logind + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/8ef66bbca8c278a7f9c2c13c792d885324a120e1 +Conflict: NA + +When cloud-init executes a user data script to build a new image +template and there are commands using su or sudo, the process goes +through PAM stack for su/sudo which typically includes pam_systemd. +This PAM module calls systemd-logind to create a session for the user. +Then systemd-logind attempts to dbus send the results back to +cloud-init, but SELinux policy did not contain such permissions, which +resulted in 25 seconds delay: + +Jan 1 08:00:00 hostname dbus[12345]: [system] Activating via systemd: service name='org.freedesktop.login1' unit='dbus-org.freedesktop.login1.service' +Jan 1 08:00:25 hostname dbus[12345]: [system] Failed to activate service 'org.freedesktop.login1': timed out + +Addresses the following AVC denial: + +type=USER_AVC msg=audit(1637751660.446:66): pid=652 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.19 spid=723 tpid=1434 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? 
terminal=?'UID="dbus" AUID="unset" SAUID="dbus" + +Resolves: rhbz#2009769 +Signed-off-by: lujie54 +--- + policy/modules/contrib/cloudform.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/cloudform.te b/policy/modules/contrib/cloudform.te +index 2f19544..80b9cbc 100644 +--- a/policy/modules/contrib/cloudform.te ++++ b/policy/modules/contrib/cloudform.te +@@ -105,6 +105,7 @@ miscfiles_read_localization(cloud_init_t) + selinux_validate_context(cloud_init_t) + + systemd_dbus_chat_hostnamed(cloud_init_t) ++systemd_dbus_chat_logind(cloud_init_t) + systemd_dbus_chat_timedated(cloud_init_t) + systemd_exec_systemctl(cloud_init_t) + systemd_start_all_services(cloud_init_t) +-- +1.8.3.1 + diff --git a/backport-Allow-dnsmasq-watch-etc-dnsmasq.d-directories.patch b/backport-Allow-dnsmasq-watch-etc-dnsmasq.d-directories.patch new file mode 100644 index 0000000..b374d09 --- /dev/null +++ b/backport-Allow-dnsmasq-watch-etc-dnsmasq.d-directories.patch 
@@ -0,0 +1,37 @@ +From 359d7cdc59a69c39c9f1d00890002dc7150b918a Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 7 Dec 2021 18:08:01 +0100 +Subject: [PATCH] Allow dnsmasq watch /etc/dnsmasq.d directories + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/359d7cdc59a69c39c9f1d00890002dc7150b918a +Conflict: NA + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(12/07/2021 09:38:48.124:320) : proctitle=/usr/sbin/dnsmasq +type=PATH msg=audit(12/07/2021 09:38:48.124:320) : item=0 name=/etc/dnsmasq.d inode=29360448 dev=fd:01 mode=dir,755 ouid=root ogid=dnsmasq rdev=00:00 obj=system_u:object_r:dnsmasq_etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=CWD msg=audit(12/07/2021 09:38:48.124:320) : cwd=/ +type=SYSCALL msg=audit(12/07/2021 09:38:48.124:320) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x8 a1=0x5586fa914c70 a2=0x88 a3=0x0 items=1 ppid=1 pid=5720 auid=unset uid=dnsmasq gid=dnsmasq euid=dnsmasq suid=dnsmasq fsuid=dnsmasq egid=dnsmasq sgid=dnsmasq fsgid=dnsmasq tty=(none) ses=unset comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null) +type=AVC msg=audit(12/07/2021 09:38:48.124:320) : avc: denied { watch } for pid=5720 comm=dnsmasq path=/etc/dnsmasq.d dev="vda1" ino=29360448 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:dnsmasq_etc_t:s0 tclass=dir permissive=0 + +Resolves: rhbz#2029866 +Signed-off-by: lujie54 +--- + policy/modules/contrib/dnsmasq.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te +index 0d5c7e4..de7c0c0 100644 +--- a/policy/modules/contrib/dnsmasq.te ++++ b/policy/modules/contrib/dnsmasq.te +@@ -52,6 +52,7 @@ allow dnsmasq_t self:rawip_socket create_socket_perms; + + read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) + list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) 
++watch_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) + + manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) + files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) +-- +1.8.3.1 + diff --git a/backport-Allow-domtrans-to-sssd_t-and-role-access-to-sssd.patch b/backport-Allow-domtrans-to-sssd_t-and-role-access-to-sssd.patch new file mode 100644 index 0000000..9b38ad1 --- /dev/null +++ b/backport-Allow-domtrans-to-sssd_t-and-role-access-to-sssd.patch @@ -0,0 +1,39 @@ +From 25bdcfdf5821ddba2c47fc4306bc43debc4c0f75 Mon Sep 17 00:00:00 2001 +From: Patrik Koncity +Date: Mon, 31 Jan 2022 13:06:49 +0100 +Subject: [PATCH] Allow domtrans to sssd_t and role access to sssd + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/25bdcfdf5821ddba2c47fc4306bc43debc4c0f75 +Conflict: NA + +After previous fix in bugzilla arise a SELinux +error with role. Processes running under +unconfined_r do not have access to sssd_t. +Allow domain transition from rpm_script_t to +sssd_t and allow the rpm_script_roles in the +sssd domain. + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2022690 +Signed-off-by: lujie54 +--- + policy/modules/contrib/rpm.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te +index 0866d95..b09dfe1 100644 +--- a/policy/modules/contrib/rpm.te ++++ b/policy/modules/contrib/rpm.te +@@ -489,6 +489,10 @@ optional_policy(` + ') + + optional_policy(` ++ sssd_run_sssd(rpm_script_t, rpm_script_roles) ++') ++ ++optional_policy(` + tzdata_domtrans(rpm_t) + tzdata_run(rpm_script_t, rpm_script_roles) + ') +-- +1.8.3.1 + diff --git a/backport-Allow-haproxy-get-attributes-of-cgroup-filesystems.patch b/backport-Allow-haproxy-get-attributes-of-cgroup-filesystems.patch new file mode 100644 index 0000000..1c39206 --- /dev/null +++ b/backport-Allow-haproxy-get-attributes-of-cgroup-filesystems.patch 
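Review bot: The sssd backport adds `sssd_run_sssd(rpm_script_t, rpm_script_roles)` to rpm.te, which grants rpm scriptlets a domain transition into sssd_t together with the role authorization, but unlike the other patches in this series its message records no AVC denial and does not say which sssd executable the scriptlet runs; "After previous fix in bugzilla arise a SELinux error with role" is not enough for someone re-verifying the grant later. Suggest adding the denial (scontext, tcontext, tclass) and the triggering scriptlet command to the message, and replacing the bare `Bugzilla:` URL with the trailer form the rest of the series uses, `Resolves: rhbz#2022690`, for consistency.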
@@ -0,0 +1,30 @@ +From ab3afa4143e5d84daaa27a11743af3a6eb09c3df Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 23 Dec 2021 10:52:01 +0100 +Subject: [PATCH] Allow haproxy get attributes of cgroup filesystems + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/ab3afa4143e5d84daaa27a11743af3a6eb09c3df +Conflict: NA + +Resolves: rhbz#2035133 +Signed-off-by: lujie54 +--- + policy/modules/contrib/rhcs.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te +index 3d9199e..b143e2b 100644 +--- a/policy/modules/contrib/rhcs.te ++++ b/policy/modules/contrib/rhcs.te +@@ -665,6 +665,8 @@ dev_list_sysfs(haproxy_t) + dev_read_rand(haproxy_t) + dev_read_urand(haproxy_t) + ++fs_getattr_cgroup(haproxy_t) ++ + sysnet_dns_name_resolve(haproxy_t) + + tunable_policy(`haproxy_connect_any',` +-- +1.8.3.1 + diff --git a/backport-Allow-haproxy-get-attributes-of-filesystems-with-ext.patch b/backport-Allow-haproxy-get-attributes-of-filesystems-with-ext.patch new file mode 100644 index 0000000..f744ad0 --- /dev/null +++ b/backport-Allow-haproxy-get-attributes-of-filesystems-with-ext.patch 
@@ -0,0 +1,30 @@ +From b1497c15f68bf0ceac2b19684582266e717bd079 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 23 Dec 2021 10:53:06 +0100 +Subject: [PATCH] Allow haproxy get attributes of filesystems with extended + attributes + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/b1497c15f68bf0ceac2b19684582266e717bd079 +Conflict: NA + +Resolves: rhbz#2035132 +Signed-off-by: lujie54 +--- + policy/modules/contrib/rhcs.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te +index b143e2b..c6633bb 100644 +--- a/policy/modules/contrib/rhcs.te ++++ b/policy/modules/contrib/rhcs.te +@@ -666,6 +666,7 @@ dev_read_rand(haproxy_t) + dev_read_urand(haproxy_t) + + fs_getattr_cgroup(haproxy_t) ++fs_getattr_xattr_fs(haproxy_t) + + sysnet_dns_name_resolve(haproxy_t) + +-- +1.8.3.1 + diff --git a/backport-Allow-lldpd-connect-to-snmpd-with-a-unix-domain-stre.patch b/backport-Allow-lldpd-connect-to-snmpd-with-a-unix-domain-stre.patch new file mode 100644 index 0000000..eae7e93 --- /dev/null +++ b/backport-Allow-lldpd-connect-to-snmpd-with-a-unix-domain-stre.patch 
@@ -0,0 +1,45 @@ +From e7f00c5591082ab84c055ba250b361eefa19eb0d Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 3 Jan 2022 12:27:28 +0100 +Subject: [PATCH] Allow lldpd connect to snmpd with a unix domain stream socket + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/e7f00c5591082ab84c055ba250b361eefa19eb0d +Conflict: NA + +If the lldpd service is configured to enable the SNMP subagent +(using the -x option), the lldpd process tries to connect to snmpd's +agentx. By default, the /var/agentx/master socket file is used. + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(01/03/22 06:21:57.359:417) : proctitle=/usr/sbin/lldpd -x +type=PATH msg=audit(01/03/22 06:21:57.359:417) : item=0 name=/var/agentx/master nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=CWD msg=audit(01/03/22 06:21:57.359:417) : cwd=/ +type=SOCKADDR msg=audit(01/03/22 06:21:57.359:417) : saddr={ saddr_fam=local path=/var/agentx/master } +type=SYSCALL msg=audit(01/03/22 06:21:57.359:417) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x6 a1=0x5586e8de9980 a2=0x6e a3=0x0 items=1 ppid=1 pid=12595 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null) +type=AVC msg=audit(01/03/22 06:21:57.359:417) : avc: denied { search } for pid=12595 comm=lldpd name=agentx dev="vda1" ino=2034987 scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir permissive=0 + +Resolves: rhbz#1991029 +Signed-off-by: lujie54 +--- + policy/modules/contrib/lldpad.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te +index cccbc09..075893c 100644 +--- a/policy/modules/contrib/lldpad.te ++++ b/policy/modules/contrib/lldpad.te +@@ -83,6 +83,10 @@ optional_policy(` + ') + + 
optional_policy(` ++ snmp_stream_connect(lldpad_t) ++') ++ ++optional_policy(` + sysnet_read_config(lldpad_t) + ') + +-- +1.8.3.1 + diff --git a/backport-Allow-lldpd-use-an-snmp-subagent-over-a-tcp-socket.patch b/backport-Allow-lldpd-use-an-snmp-subagent-over-a-tcp-socket.patch new file mode 100644 index 0000000..5ba229b --- /dev/null +++ b/backport-Allow-lldpd-use-an-snmp-subagent-over-a-tcp-socket.patch 
@@ -0,0 +1,56 @@ +From c0b38cf988df48613209e48007eefd748480d52f Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 2 Dec 2021 10:55:46 +0100 +Subject: [PATCH] Allow lldpd use an snmp subagent over a tcp socket + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/c0b38cf988df48613209e48007eefd748480d52f +Conflict: NA + +When lldpd enables an snmp subagent for a tcp socket instead of udp: +LLDPD_OPTIONS="-i -k -X tcp:127.0.0.1:705" + +the following permissions are required: +- allow lldpd create and use tcp socket +- name_connect to the agentx_port_t port + +Addresses the following AVC denials: + +type=PROCTITLE msg=audit(12/02/21 06:16:32.721:425) : proctitle=/usr/sbin/lldpd -i -k -X tcp:127.0.0.1:705 +type=SYSCALL msg=audit(12/02/21 06:16:32.721:425) : arch=x86_64 syscall=socket success=yes exit=17 a0=inet a1=SOCK_STREAM a2=ip a3=0x0 items=0 ppid=129230 pid=129232 auid=unset uid=lldpd gid=lldpd euid=lldpd suid=lldpd fsuid=lldpd egid=lldpd sgid=lldpd fsgid=lldpd tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null) +type=AVC msg=audit(12/02/21 06:16:32.721:425) : avc: denied { create } for pid=129232 comm=lldpd scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:lldpad_t:s0 tclass=tcp_socket permissive=1 + +type=PROCTITLE msg=audit(12/02/21 06:16:32.721:426) : proctitle=/usr/sbin/lldpd -i -k -X tcp:127.0.0.1:705 +type=SYSCALL msg=audit(12/02/21 06:16:32.721:426) : arch=x86_64 syscall=connect success=no exit=ECONNREFUSED(Connection refused) a0=0x11 a1=0x7ffff0e22c30 a2=0x10 a3=0x0 items=0 ppid=129230 pid=129232 auid=unset uid=lldpd gid=lldpd euid=lldpd suid=lldpd fsuid=lldpd egid=lldpd sgid=lldpd fsgid=lldpd tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null) +type=AVC msg=audit(12/02/21 06:16:32.721:426) : avc: denied { name_connect } for pid=129232 comm=lldpd dest=705 scontext=system_u:system_r:lldpad_t:s0 
tcontext=system_u:object_r:agentx_port_t:s0 tclass=tcp_socket permissive=1 +type=AVC msg=audit(12/02/21 06:16:32.721:426) : avc: denied { connect } for pid=129232 comm=lldpd scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:lldpad_t:s0 tclass=tcp_socket permissive=1 + +Resolves: rhbz#2028379 +Signed-off-by: lujie54 +--- + policy/modules/contrib/lldpad.te | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te +index 000fafb..cccbc09 100644 +--- a/policy/modules/contrib/lldpad.te ++++ b/policy/modules/contrib/lldpad.te +@@ -32,6 +32,7 @@ allow lldpad_t self:fifo_file rw_fifo_file_perms; + allow lldpad_t self:unix_stream_socket { accept connectto listen }; + allow lldpad_t self:netlink_route_socket create_netlink_socket_perms; + allow lldpad_t self:packet_socket create_socket_perms; ++allow lldpad_t self:tcp_socket create_socket_perms; + allow lldpad_t self:udp_socket create_socket_perms; + + manage_files_pattern(lldpad_t, lldpad_tmpfs_t, lldpad_tmpfs_t) +@@ -54,6 +55,8 @@ auth_read_passwd(lldpad_t) + + corecmd_exec_bin(lldpad_t) + ++corenet_tcp_connect_agentx_port(lldpad_t) ++ + dev_read_sysfs(lldpad_t) + + fs_getattr_tmpfs(lldpad_t) +-- +1.8.3.1 + diff --git a/backport-Allow-login_userdomain-open-read-map-system-journal.patch b/backport-Allow-login_userdomain-open-read-map-system-journal.patch new file mode 100644 index 0000000..1c9926a --- /dev/null +++ b/backport-Allow-login_userdomain-open-read-map-system-journal.patch 
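Review bot: `allow lldpad_t self:tcp_socket create_socket_perms;` and `corenet_tcp_connect_agentx_port(lldpad_t)` are added unconditionally in lldpad.te, although the message says they are needed only when the subagent is configured over TCP (`-X tcp:127.0.0.1:705`); in the default unix-socket/UDP configuration lldpd then holds TCP create and connect rights it never uses. The same file already groups rules in `optional_policy` blocks, and rhcs.te in this series shows the `tunable_policy(`haproxy_connect_any',` pattern, so consider wrapping both rules in a `tunable_policy` block keyed on a new boolean (name to be chosen, default off) so that administrators enabling the TCP subagent opt in explicitly. If upstream deliberately kept the rules unconditional, a one-line comment above them stating why would save the next backporter the same question.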
@@ -0,0 +1,40 @@ +From 4d93e16f67ad41d2f72071f965c780b587303846 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 26 Nov 2021 17:28:14 +0100 +Subject: [PATCH] Allow login_userdomain open/read/map system journal + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/4d93e16f67ad41d2f72071f965c780b587303846 +Conflict: NA + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(27.10.2021 15:45:16.341:455) : proctitle=systemctl status user@1001 +type=AVC msg=audit(27.10.2021 15:45:16.341:455) : avc: denied { read } for pid=4764 comm=systemctl name=system.journal dev="tmpfs" ino=429 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1 +type=AVC msg=audit(27.10.2021 15:45:16.341:455) : avc: denied { open } for pid=4764 comm=systemctl path=/run/log/journal/edb15570307f47dd805feee9003d4e08/system.journal dev="tmpfs" ino=429 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=1 +type=SYSCALL msg=audit(27.10.2021 15:45:16.341:455) : arch=x86_64 syscall=openat success=yes exit=6 a0=0xffffff9c a1=0x7fff96d6e1c0 a2=O_RDONLY|O_NONBLOCK|O_CLOEXEC a3=0x0 items=0 ppid=4739 pid=4764 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=pts1 ses=10 comm=systemctl exe=/usr/bin/systemctl subj=user_u:user_r:user_t:s0 key=(null) + +Resolves: rhbz#2017838 +Signed-off-by: lujie54 +--- + policy/modules/system/userdomain.te | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index 6a959c5..b936a81 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -410,6 +410,11 @@ optional_policy(` + ') + + optional_policy(` ++ logging_mmap_journal(login_userdomain) ++ logging_read_syslog_pid(login_userdomain) ++') ++ ++optional_policy(` + pkcs_tmpfs_named_filetrans(login_userdomain) + ') + +-- 
+1.8.3.1 + diff --git a/backport-Allow-redis-get-attributes-of-filesystems-with-exten.patch b/backport-Allow-redis-get-attributes-of-filesystems-with-exten.patch new file mode 100644 index 0000000..7b4e21d --- /dev/null +++ b/backport-Allow-redis-get-attributes-of-filesystems-with-exten.patch @@ -0,0 +1,29 @@ +From dbb20e7f9fb98fc322d925b66da0abc7258957cf Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 9 Nov 2021 18:35:11 +0100 +Subject: [PATCH] Allow redis get attributes of filesystems with extended + attributes + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/dbb20e7f9fb98fc322d925b66da0abc7258957cf +Conflict: NA + +Signed-off-by: lujie54 +--- + policy/modules/contrib/redis.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te +index 093f28d..fb6a3dc 100644 +--- a/policy/modules/contrib/redis.te ++++ b/policy/modules/contrib/redis.te +@@ -99,6 +99,7 @@ tunable_policy(`redis_enable_notify',` + corecmd_exec_shell(redis_t) + + fs_getattr_tmpfs(redis_t) ++ fs_getattr_xattr_fs(redis_t) + ') + + optional_policy(` +-- +1.8.3.1 + diff --git a/backport-Allow-rhsmcertd-get-attributes-of-tmpfs_t-filesystem.patch b/backport-Allow-rhsmcertd-get-attributes-of-tmpfs_t-filesystem.patch new file mode 100644 index 0000000..c064187 --- /dev/null +++ b/backport-Allow-rhsmcertd-get-attributes-of-tmpfs_t-filesystem.patch 
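Review bot: `logging_mmap_journal(login_userdomain)` and `logging_read_syslog_pid(login_userdomain)` in userdomain.te are attached to the whole login_userdomain attribute, so the MAC side of reading `/run/log/journal/*/system.journal` (syslogd_var_run_t) is opened for unprivileged user_t as well as the admin roles, while the quoted denial comes from one `systemctl status user@1001` case. The patch message should state what still limits which users can read the system journal after this change (presumably the journal files' own DAC ownership and mode, but that is not said) so the scope of the grant is documented rather than implied; a short comment above the new `optional_policy` block to the same effect would help too.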
@@ -0,0 +1,29 @@ +From 174740ce047312bb8e3ca19b3ee95766f0dc55b4 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 7 Dec 2021 15:17:15 +0100 +Subject: [PATCH] Allow rhsmcertd get attributes of tmpfs_t filesystems + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/174740ce047312bb8e3ca19b3ee95766f0dc55b4 +Conflict: NA + +Resolves: rhbz#2015820 +Signed-off-by: lujie54 +--- + policy/modules/contrib/rhsmcertd.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/rhsmcertd.te b/policy/modules/contrib/rhsmcertd.te +index abd3227..7ebff7b 100644 +--- a/policy/modules/contrib/rhsmcertd.te ++++ b/policy/modules/contrib/rhsmcertd.te +@@ -101,6 +101,7 @@ files_create_boot_flag(rhsmcertd_t) + files_dontaudit_write_all_mountpoints(rhsmcertd_t) + + fs_dontaudit_write_configfs_dirs(rhsmcertd_t) ++fs_getattr_tmpfs(rhsmcertd_t) + fs_read_xenfs_files(rhsmcertd_t) + + auth_map_passwd(rhsmcertd_t) +-- +1.8.3.1 + diff --git a/backport-Allow-rpmdb-read-admin-home-config-files.patch b/backport-Allow-rpmdb-read-admin-home-config-files.patch new file mode 100644 index 0000000..80a1d6c --- /dev/null +++ b/backport-Allow-rpmdb-read-admin-home-config-files.patch 
@@ -0,0 +1,39 @@ +From f402b06808835ad1a8aa393739efff1e40eaf8e8 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 16 Nov 2021 22:37:25 +0100 +Subject: [PATCH] Allow rpmdb read admin home config files + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/f402b06808835ad1a8aa393739efff1e40eaf8e8 +Conflict: NA + +Addresses the following AVC denial: +type=PROCTITLE msg=audit(11/16/2021 16:31:45.105:1455) : proctitle=/usr/bin/rpmdb --rebuilddb +type=PATH msg=audit(11/16/2021 16:31:45.105:1455) : item=0 name=/root/.rpmmacros inode=110039 dev=00:1f mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=CWD msg=audit(11/16/2021 16:31:45.105:1455) : cwd=/root +type=SYSCALL msg=audit(11/16/2021 16:31:45.105:1455) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x560b2126e2a0 a2=O_RDONLY a3=0x0 items=1 ppid=40819 pid=59445 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=20 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(11/16/2021 16:31:45.105:1455) : avc: denied { open } for pid=59445 comm=rpmdb path=/root/.rpmmacros dev="sda2" ino=110039 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1 + +Resolves: rhbz#2023163 +Signed-off-by: lujie54 +--- + policy/modules/contrib/rpm.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te +index 9d2f4e6..f01d07c 100644 +--- a/policy/modules/contrib/rpm.te ++++ b/policy/modules/contrib/rpm.te +@@ -279,6 +279,10 @@ files_rw_inherited_non_security_files(rpmdb_t) + + sysnet_dontaudit_read_config(rpmdb_t) + ++optional_policy(` ++ userdom_read_admin_home_files(rpmdb_t) ++') ++ + ######################################## + # + # 
rpm-script Local policy +-- +1.8.3.1 + diff --git a/backport-Allow-rpmdb-read-generic-SSL-certificates.patch b/backport-Allow-rpmdb-read-generic-SSL-certificates.patch new file mode 100644 index 0000000..b4f040e --- /dev/null +++ b/backport-Allow-rpmdb-read-generic-SSL-certificates.patch 
@@ -0,0 +1,39 @@ +From c1d7b1ba04a91894032b88bec9d9e76b27678a3d Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 16 Nov 2021 22:42:02 +0100 +Subject: [PATCH] Allow rpmdb read generic SSL certificates + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/c1d7b1ba04a91894032b88bec9d9e76b27678a3d +Conflict: NA + +Addresses the following AVC denials: +type=PROCTITLE msg=audit(11/16/2021 16:29:00.780:1008) : proctitle=/usr/bin/rpmdb --rebuilddb +type=PATH msg=audit(11/16/2021 16:29:00.780:1008) : item=0 name=/etc/pki/tls/openssl.cnf inode=145355 dev=fc:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cert_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=CWD msg=audit(11/16/2021 16:29:00.780:1008) : cwd=/mnt/testarea/test +type=SYSCALL msg=audit(11/16/2021 16:29:00.780:1008) : arch=x86_64 syscall=openat success=yes exit=10 a0=0xffffff9c a1=0x5579d5c35320 a2=O_RDONLY a3=0x0 items=1 ppid=1344 pid=4427 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(11/16/2021 16:29:00.780:1008) : avc: denied { open } for pid=4427 comm=rpmdb path=/etc/pki/tls/openssl.cnf dev="vda1" ino=145355 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 +type=AVC msg=audit(11/16/2021 16:29:00.780:1008) : avc: denied { search } for pid=4427 comm=rpmdb name=pki dev="vda1" ino=136481 scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1 + +Signed-off-by: lujie54 +--- + policy/modules/contrib/rpm.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te +index f01d07c..0866d95 100644 +--- a/policy/modules/contrib/rpm.te ++++ b/policy/modules/contrib/rpm.te +@@ 
-280,6 +280,10 @@ files_rw_inherited_non_security_files(rpmdb_t) + sysnet_dontaudit_read_config(rpmdb_t) + + optional_policy(` ++ miscfiles_read_generic_certs(rpmdb_t) ++') ++ ++optional_policy(` + userdom_read_admin_home_files(rpmdb_t) + ') + +-- +1.8.3.1 + diff --git a/backport-Allow-smbcontrol-use-additional-socket-types.patch b/backport-Allow-smbcontrol-use-additional-socket-types.patch new file mode 100644 index 0000000..892ebb3 --- /dev/null +++ b/backport-Allow-smbcontrol-use-additional-socket-types.patch 
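Review bot: `miscfiles_read_generic_certs(rpmdb_t)` reads every cert_t file, and in the Fedora file contexts `/etc/pki` is presumably labeled cert_t as a whole, so this would also cover `/etc/pki/tls/private` — confirm that private key material there is not made readable to rpmdb_t by this rule, or accept that explicitly. The quoted denials are only for `/etc/pki/tls/openssl.cnf` and the `search` on the `pki` directory. A comment such as `# OpenSSL initialisation reads /etc/pki/tls/openssl.cnf` above the new call would record why a database tool needs certificate access at all.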
@@ -0,0 +1,40 @@ +From 0269eebb529eef5288b4b6dd1c62604dbd230230 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 23 Nov 2021 14:32:54 +0100 +Subject: [PATCH] Allow smbcontrol use additional socket types + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/0269eebb529eef5288b4b6dd1c62604dbd230230 +Conflict: NA + +In order to set debug level, smbcontrol was allowed to: +- create and use udp socket +- create and use netlink route sockets, read route configuration state + +AVC denials example: + +type=PROCTITLE msg=audit(11/23/2021 08:19:05.790:553) : proctitle=smbcontrol all debug 100 +type=SYSCALL msg=audit(11/23/2021 08:19:05.790:553) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=ip a3=0x7fbb520a88b8 items=0 ppid=1060 pid=2372 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=3 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(11/23/2021 08:19:05.790:553) : avc: denied { create } for pid=2372 comm=smbcontrol scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tclass=netlink_route_socket permissive=0 + +Resolves: rhbz#2025931 +Signed-off-by: lujie54 +--- + policy/modules/contrib/samba.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te +index 72322f5..cb89bcf 100644 +--- a/policy/modules/contrib/samba.te ++++ b/policy/modules/contrib/samba.te +@@ -718,6 +718,8 @@ allow smbcontrol_t self:capability2 block_suspend; + allow smbcontrol_t self:process { signal signull }; + # internal communication is often done using fifo and unix sockets. 
+ allow smbcontrol_t self:fifo_file rw_file_perms; ++allow smbcontrol_t self:netlink_route_socket r_netlink_socket_perms; ++allow smbcontrol_t self:udp_socket create_socket_perms; + allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; + allow smbcontrol_t self:unix_dgram_socket create_socket_perms; + +-- +1.8.3.1 + diff --git a/backport-Allow-sudodomain-send-a-null-signal-to-sshd-processe.patch b/backport-Allow-sudodomain-send-a-null-signal-to-sshd-processe.patch new file mode 100644 index 0000000..82f4200 --- /dev/null +++ b/backport-Allow-sudodomain-send-a-null-signal-to-sshd-processe.patch 
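Review bot: The `udp_socket create_socket_perms` rule is not backed by the quoted denial, which shows only `netlink_route_socket create`; if it came from a separate denial it should be quoted, otherwise the rule should be dropped until a denial shows the need. The existing comment `# internal communication is often done using fifo and unix sockets.` now reads as if it covered the two new network-socket rules, so add `# interface enumeration (netlink route + udp) when setting the debug level, rhbz#2025931` directly above them. No `corenet_*` node or port rule is added, so the udp socket can presumably be created but not used to reach the network, which keeps the grant narrow.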
@@ -0,0 +1,37 @@
+From c5082c2dc80dbbd549ca9a246ef97ef6cf20a277 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 18 Nov 2021 19:29:01 +0100
+Subject: [PATCH] Allow sudodomain send a null signal to sshd processes
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/c5082c2dc80dbbd549ca9a246ef97ef6cf20a277
+Conflict: NA
+
+This denial appears when maxlogins is specified in PAM limits configuration:
+type=PROCTITLE msg=audit(11/18/21 13:22:44.231:774) : proctitle=sudo -u staff echo
+type=SYSCALL msg=audit(11/18/21 13:22:44.231:774) : arch=x86_64 syscall=kill success=no exit=EACCES(Permission denied) a0=0x1a2c a1=SIG0 a2=0x4 a3=0x7ffd93c089cf items=0 ppid=6747 pid=6748 auid=staff uid=root gid=staff euid=root suid=root fsuid=root egid=staff sgid=staff fsgid=staff tty=(none) ses=16 comm=sudo exe=/usr/bin/sudo subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(11/18/21 13:22:44.231:774) : avc: denied { signull } for pid=6748 comm=sudo scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0
+
+Resolves: rhbz#1966945
+Signed-off-by: lujie54
+---
+ policy/modules/admin/sudo.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
+index b281028..333b465 100644
+--- a/policy/modules/admin/sudo.te
++++ b/policy/modules/admin/sudo.te
+@@ -129,6 +129,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ ssh_signull(sudodomain)
++')
++
++optional_policy(`
+ systemd_write_inherited_logind_sessions_pipes(sudodomain)
+ ')
+
+--
+1.8.3.1
+
diff --git a/backport-Allow-sudodomains-execute-passwd-in-the-passwd-domai.patch b/backport-Allow-sudodomains-execute-passwd-in-the-passwd-domai.patch
new file mode 100644
index 0000000..6bad72a
--- /dev/null
+++ b/backport-Allow-sudodomains-execute-passwd-in-the-passwd-domai.patch
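Review bot: `ssh_signull(sudodomain)` is the narrowest grant for the quoted `kill(pid, 0)` denial (existence check only, no signal delivery), but the trigger — pam_limits `maxlogins` probing sshd session processes — lives only in the commit message; add `# pam_limits maxlogins probes sshd sessions with a null signal (rhbz#1966945)` above the call so the rule is not removed as unexplained later. The rule applies to every sudodomain, not only the staff_sudo_t from the denial, which matches the surrounding `sudodomain` block.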
@@ -0,0 +1,35 @@
+From 3b826a9f34d86388fde3a07a9dcfeccdc762bafe Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 20 Dec 2021 11:47:29 +0100
+Subject: [PATCH] Allow sudodomains execute passwd in the passwd domain
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3b826a9f34d86388fde3a07a9dcfeccdc762bafe
+Conflict: NA
+
+When an unprivileged user in the sysadm_r role executes passwd
+through sudo, it transitions into sysadm_sudo_t domain by default.
+With this commit, the process transitions back to sysadm_t.
+
+Resolves: rhbz#1943572
+Signed-off-by: lujie54
+---
+ policy/modules/admin/sudo.if | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
+index e79eef7..356b150 100644
+--- a/policy/modules/admin/sudo.if
++++ b/policy/modules/admin/sudo.if
+@@ -98,6 +98,9 @@ template(`sudo_role_template',`
+ kerberos_read_config($1_sudo_t)
+ ')
+
++ optional_policy(`
++ usermanage_domtrans_passwd($1_sudo_t)
++ ')
+ ')
+
+ ########################################
+--
+1.8.3.1
+
diff --git a/backport-Allow-svnserve-send-mail-from-the-system.patch b/backport-Allow-svnserve-send-mail-from-the-system.patch
new file mode 100644
index 0000000..4719d45
--- /dev/null
+++ b/backport-Allow-svnserve-send-mail-from-the-system.patch
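Review bot: The commit message says the process "transitions back to sysadm_t", but `usermanage_domtrans_passwd($1_sudo_t)` transitions into passwd_t, and because it is added inside `sudo_role_template` it applies to every instantiated sudo role (staff, user, …), not only sysadm; the description should say both. `domtrans` interfaces do not add role access, so the transition only succeeds where `role $1_r types passwd_t` is already granted elsewhere (presumably by the `usermanage_run_passwd` calls in the user-domain templates) — confirm this for each role the template is instantiated for, otherwise the denial simply moves from exec to role. The enclosing `sudo_role_template` starts outside this hunk.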
@@ -0,0 +1,41 @@
+From c43df4f0131a7870beef94eb9c5a5fb048379566 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 24 Nov 2021 16:13:35 +0100
+Subject: [PATCH] Allow svnserve send mail from the system
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/c43df4f0131a7870beef94eb9c5a5fb048379566
+Conflict: NA
+
+If a svn hook needs to send an e-mail, the service needs to be allowed
+to execute an MTA program. In this commit, the mta_send_mail() interface
+call for svnserve_t was added to allow permissions to execute types from
+the mta_exec_type attribute which currently is:
+- courier_exec_t
+- exim_exec_t
+- postfix_postdrop_t
+- sendmail_exec_t
+
+Resolves: rhbz#2004843
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/svnserve.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/svnserve.te b/policy/modules/contrib/svnserve.te
+index 874e7c2..c603551 100644
+--- a/policy/modules/contrib/svnserve.te
++++ b/policy/modules/contrib/svnserve.te
+@@ -90,6 +90,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mta_send_mail(svnserve_t)
++')
++
++optional_policy(`
+ sasl_connect(svnserve_t)
+ ')
+
+--
+1.8.3.1
+
diff --git a/backport-Allow-sysadm-execute-sysadmctl-in-sysadm_t-domain-us.patch b/backport-Allow-sysadm-execute-sysadmctl-in-sysadm_t-domain-us.patch
new file mode 100644
index 0000000..c180a6d
--- /dev/null
+++ b/backport-Allow-sysadm-execute-sysadmctl-in-sysadm_t-domain-us.patch
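Review bot: `mta_send_mail(svnserve_t)` is unconditional, so every svnserve deployment gains execute access to the MTA binaries listed in the description (including the setgid postfix postdrop) whether or not any hook sends mail; for a network-facing repository daemon that is worth gating, e.g. wrapping this `optional_policy` block in a `tunable_policy(\`svnserve_send_mail', …)` boolean that defaults to off. If no tunable is wanted, at least add `# svn hooks may send e-mail through the system MTA (rhbz#2004843)` above the call. The commit message quotes no denial, so which MTA was actually exercised is not recorded.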
@@ -0,0 +1,74 @@
+From 8879c209b0916931aab95d733fc7f4b52b99258b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 22 Dec 2021 13:06:33 +0100
+Subject: [PATCH] Allow sysadm execute sysadmctl in sysadm_t domain using sudo
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/8879c209b0916931aab95d733fc7f4b52b99258b
+Conflict: NA
+
+When an unprivileged user in the sysadm_r role executes systemctl
+through sudo, it transitions into sysadm_sudo_t domain by default.
+With this commit, the process transitions back to sysadm_t.
+
+The systemd_domtrans_systemctl() interface was added.
+
+Resolves: rhbz#2013749
+Signed-off-by: lujie54
+---
+ policy/modules/admin/sudo.if | 5 +++++
+ policy/modules/system/systemd.if | 23 +++++++++++++++++++++++
+ 2 files changed, 28 insertions(+)
+
+diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
+index f6df896..24ede58 100644
+--- a/policy/modules/admin/sudo.if
++++ b/policy/modules/admin/sudo.if
+@@ -101,6 +101,11 @@ template(`sudo_role_template',`
+ ')
+
+ optional_policy(`
++ systemd_domtrans_systemctl($1_sudo_t, $3)
++ systemd_systemctl_entrypoint($3)
++ ')
++
++ optional_policy(`
+ userdom_write_user_tmp_sockets($1_sudo_t)
+ ')
+
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index ec58e33..351438c 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -128,6 +128,29 @@ interface(`systemd_systemctl_entrypoint',`
+
+ #######################################
+ ##
++##
++## Execute systemctl in the specified domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Domain to transition to.
++##
++##
++#
++interface(`systemd_domtrans_systemctl',`
++ gen_require(`
++ type systemd_systemctl_exec_t;
++ ')
++
++ domain_auto_transition_pattern($1, systemd_systemctl_exec_t, $2)
++')
++
++#######################################
++##
+ ## Create a file type used for systemd unit files.
+ ##
+ ##
+--
+1.8.3.1
+
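Review bot: The new `systemd_domtrans_systemctl` interface only calls `domain_auto_transition_pattern`, which grants `$1` execute on systemd_systemctl_exec_t and `transition` to `$2` but gives `$2` no entrypoint; the template compensates with a separate `systemd_systemctl_entrypoint($3)`, so any other caller using the interface alone will get a transition that fails at exec time. State that in the interface description, e.g. `## The target domain must also be granted an entrypoint with systemd_systemctl_entrypoint().`, or fold the entrypoint rule into the interface. Because `domain_auto_transition_pattern` (unlike `domtrans_pattern`) adds no `fd use`, fifo or `sigchld` rules between `$1` and `$2`, the transitioned systemctl presumably relies on rules already present between the user domain and `$1_sudo_t` for sudo's inherited descriptors — confirm in enforcing mode. As with the passwd backport, the template applies to every sudo role, not only sysadm as the subject says (which also misspells systemctl as "sysadmctl").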
diff --git a/backport-Allow-systemd-read-unlabeled-symbolic-links.patch b/backport-Allow-systemd-read-unlabeled-symbolic-links.patch
new file mode 100644
index 0000000..c6994cb
--- /dev/null
+++ b/backport-Allow-systemd-read-unlabeled-symbolic-links.patch
@@ -0,0 +1,69 @@ +From 07b06a7f6cb1f41b92de5d29d21ac89c4d362457 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 7 Dec 2021 17:15:44 +0100 +Subject: [PATCH] Allow systemd read unlabeled symbolic links + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/07b06a7f6cb1f41b92de5d29d21ac89c4d362457 +Conflict: NA + +On a system boot systemd starts to launch services in the current target. +When it attempts to access a symbolic link which is critical for systemd +to continue and the symlink is unlabeled, the autorelabel target cannot +be reached to start relabeling and fix the unlabeled files. +This scenario applies to /etc/localtime when it was changed in SELinux +disabled mode. + +Since this commit, systemd is allowed the read access to symbolic links +with the unlabeled_t type. + +Resolves: rhbz#2021835 +Signed-off-by: lujie54 +--- + policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ + policy/modules/system/init.te | 1 + + 2 files changed, 19 insertions(+) + +diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if +index 62845c1..1b684f5 100644 +--- a/policy/modules/kernel/kernel.if ++++ b/policy/modules/kernel/kernel.if +@@ -2922,6 +2922,24 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_files',` + + ######################################## + ## ++## Read unlabeled symbolic links. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_read_unlabeled_lnk_files',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:lnk_file read_lnk_file_perms; ++') ++ ++######################################## ++## + ## Read and write unlabeled block device nodes. 
+ ## + ## +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 22e363a..0de5f4a 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -588,6 +588,7 @@ tunable_policy(`deny_bluetooth',`',` + ') + + kernel_list_unlabeled(init_t) ++kernel_read_unlabeled_lnk_files(init_t) + kernel_read_network_state(init_t) + kernel_rw_all_sysctls(init_t) + kernel_rw_security_state(init_t) +-- +1.8.3.1 + diff --git a/backport-Allow-tlp-dbus-chat-with-NetworkManager.patch b/backport-Allow-tlp-dbus-chat-with-NetworkManager.patch new file mode 100644 index 0000000..d31f758 --- /dev/null +++ b/backport-Allow-tlp-dbus-chat-with-NetworkManager.patch @@ -0,0 +1,35 @@ +From e8ff8cb50ada4155ec179b016729df1b78fb55c8 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 5 Nov 2021 17:52:02 +0100 +Subject: [PATCH] Allow tlp dbus-chat with NetworkManager + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/e8ff8cb50ada4155ec179b016729df1b78fb55c8 +Conflict: NA + +Addresses the following AVC denial: +type=USER_AVC msg=audit(05/11/21 09:11:56.868:303) : pid=1076 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus permissive=0 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' + +Resolves: rhbz#2013439 +Signed-off-by: lujie54 +--- + policy/modules/contrib/tlp.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/contrib/tlp.te b/policy/modules/contrib/tlp.te +index 35432f1..b9491ee 100644 +--- a/policy/modules/contrib/tlp.te ++++ b/policy/modules/contrib/tlp.te +@@ -88,6 +88,10 @@ optional_policy(` + ') + + optional_policy(` ++ networkmanager_dbus_chat(tlp_t) ++') ++ ++optional_policy(` + sssd_read_public_files(tlp_t) + sssd_stream_connect(tlp_t) + ') +-- +1.8.3.1 + 
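Review bot: `kernel_read_unlabeled_lnk_files(init_t)` grants only `read_lnk_file_perms` on unlabeled_t lnk_file and nothing on the link targets, which is appropriately narrow, but init.te carries no hint why PID 1 needs it; add `# /etc/localtime may be left unlabeled after changes made with SELinux disabled (rhbz#2021835)` above the call. The new interface in kernel.if is inserted between `kernel_dontaudit_getattr_unlabeled_blk_files` and the "Read and write unlabeled block device nodes" interface; placing it next to the other unlabeled read/list interfaces (e.g. `kernel_list_unlabeled`) would make it easier to find. Since unlabeled_t is also what files from foreign filesystems or lost labels carry, a one-line note in the interface summary that this is a boot-time bootstrap aid (to reach the autorelabel target) rather than a general grant would help future reviewers keep it from spreading to other domains.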
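Review bot: `networkmanager_dbus_chat(tlp_t)` presumably follows the refpolicy `*_dbus_chat` pattern and grants `dbus send_msg` in both directions (tlp_t → NetworkManager_t and NetworkManager_t → tlp_t), while the quoted USER_AVC shows only tlp_t → NetworkManager_t; the reverse direction is needed for D-Bus replies, so this is expected, but a comment such as `# tlp queries NetworkManager over D-Bus (rhbz#2013439)` above the call would record why a power-management tool talks to the network manager. The audit timestamp in the quoted record (`05/11/21` for 5 November) is day-first whereas the other backports quote month-first records, which is harmless but confusing when correlating against logs.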
diff --git a/backport-Allow-userdomains-use-pam_ssh_agent_auth-for-passwor.patch b/backport-Allow-userdomains-use-pam_ssh_agent_auth-for-passwor.patch
new file mode 100644
index 0000000..66361fe
--- /dev/null
+++ b/backport-Allow-userdomains-use-pam_ssh_agent_auth-for-passwor.patch
@@ -0,0 +1,47 @@
+From 901ac5314982f5600ef11691969b9af89aeba772 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 20 Dec 2021 14:21:33 +0100
+Subject: [PATCH] Allow userdomains use pam_ssh_agent_auth for passwordless
+ sudo
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/901ac5314982f5600ef11691969b9af89aeba772
+Conflict: NA
+
+The pam_ssh_agent_auth module can be used for granting permissions based
+on SSH agent requests. When configured for using in the sudo pam module,
+it requires permissions for sudodomain to use the user socket file and
+stream connect to its corresponding userdomain.
+
+Resolves: rhbz#1917879
+Signed-off-by: lujie54
+---
+ policy/modules/admin/sudo.if | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
+index 356b150..f6df896 100644
+--- a/policy/modules/admin/sudo.if
++++ b/policy/modules/admin/sudo.if
+@@ -58,6 +58,8 @@ template(`sudo_role_template',`
+ allow $1_sudo_t $3:file read_file_perms;;
+ allow $1_sudo_t $3:key search;
+
++ allow $1_sudo_t $1_t:unix_stream_socket connectto;
++
+ # Enter this derived domain from the user domain
+ domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
+
+@@ -99,6 +101,10 @@ template(`sudo_role_template',`
+ ')
+
+ optional_policy(`
++ userdom_write_user_tmp_sockets($1_sudo_t)
++ ')
++
++ optional_policy(`
+ usermanage_domtrans_passwd($1_sudo_t)
+ ')
+ ')
+--
+1.8.3.1
+
diff --git a/backport-Ensure-that-run-systemd-are-properly-labeled.patch b/backport-Ensure-that-run-systemd-are-properly-labeled.patch
new file mode 100644
index 0000000..e8b4c8e
--- /dev/null
+++ b/backport-Ensure-that-run-systemd-are-properly-labeled.patch
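Review bot: `allow $1_sudo_t $1_t:unix_stream_socket connectto;` is added unconditionally in `sudo_role_template`, so every sudo domain can connect to any unix stream socket owned by its user domain — not only the ssh-agent socket — even on systems that never enable pam_ssh_agent_auth; gate it together with the `userdom_write_user_tmp_sockets($1_sudo_t)` call behind a tunable (e.g. `tunable_policy(\`sudo_use_ssh_agent_auth', …)`) defaulting to off, and add a comment naming pam_ssh_agent_auth and rhbz#1917879 on the rule. The rule only matches if ssh-agent itself runs in `$1_t`; if the agent runs in a separate ssh-agent domain on this policy the connect will still be denied — confirm which domain creates the agent socket. No denial is quoted in the commit message, so the observed access pattern cannot be cross-checked against these two rules. The enclosing template starts and ends outside this hunk.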
@@ -0,0 +1,40 @@
+From 5c05ced263586a9e7e92a045ab7b8e4454d6f4ff Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour
+Date: Tue, 30 Nov 2021 18:50:55 -0500
+Subject: [PATCH] Ensure that `/run/systemd/*` are properly labeled
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/5c05ced263586a9e7e92a045ab7b8e4454d6f4ff
+Conflict: NA
+
+`/run/systemd/generator.{early,late}` were not covered by the type_transition rules.
+
+Signed-off-by: lujie54
+---
+ policy/modules/system/init.if | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+index ced08f3..7bd438e 100644
+--- a/policy/modules/system/init.if
++++ b/policy/modules/system/init.if
+@@ -3288,7 +3288,7 @@ interface(`init_filetrans_named_content',`
+ type initrc_var_run_t;
+ type machineid_t;
+ type initctl_t;
+- type systemd_unit_file_t;
++ type systemd_unit_file_t;
+ ')
+
+ files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
+@@ -3296,6 +3296,8 @@ interface(`init_filetrans_named_content',`
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+ files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
+ init_pid_filetrans($1, systemd_unit_file_t, dir, "generator")
++ init_pid_filetrans($1, systemd_unit_file_t, dir, "generator.early")
++ init_pid_filetrans($1, systemd_unit_file_t, dir, "generator.late")
+ init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
+ ')
+
+--
+1.8.3.1
+
diff --git a/backport-Update-userdom_exec_user_tmp_files-with-an-entrypoin.patch b/backport-Update-userdom_exec_user_tmp_files-with-an-entrypoin.patch
new file mode 100644
index 0000000..75d0dca
--- /dev/null
+++ b/backport-Update-userdom_exec_user_tmp_files-with-an-entrypoin.patch
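Review bot: The `- type systemd_unit_file_t;` / `+ type systemd_unit_file_t;` pair in the first hunk is a whitespace-only change to the `gen_require` line with no policy effect; it inflates the backport and invites conflicts, so drop it from the backported patch. The two new `init_pid_filetrans` rules only affect directories created after the policy is loaded, so existing `/run/systemd/generator.early` and `generator.late` keep their current label until a relabel or reboot — worth a line in the commit message, and a comment like `# generator output directories, see systemd.generator(7)` above the three `generator*` rules. The enclosing `init_filetrans_named_content` interface starts outside this hunk.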
@@ -0,0 +1,33 @@
+From 84f1d7c3fe6113effd8eedc2a6602c72fd5d482c Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 18 Nov 2021 19:08:05 +0100
+Subject: [PATCH] Update userdom_exec_user_tmp_files() with an entrypoint rule
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/84f1d7c3fe6113effd8eedc2a6602c72fd5d482c
+Conflict: NA
+
+The userdom_exec_user_tmp_files() interface contains rules
+to allow execution of user temporary files, but there were no rules
+containing the executable type as entrypoint.
+
+Resolves: rhbz#1966945
+Signed-off-by: lujie54
+---
+ policy/modules/system/userdomain.if | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index d5a4094..cb56d28 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -556,6 +556,7 @@ interface(`userdom_exec_user_tmp_files',`
+ type user_tmp_t;
+ ')
+
++ allow $1 user_tmp_t:file entrypoint;
+ exec_files_pattern($1, user_tmp_t, user_tmp_t)
+ dontaudit $1 user_tmp_t:sock_file execute;
+ files_search_tmp($1)
+--
+1.8.3.1
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5140517..5edc492 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 35.5
-Release: 7
+Release: 8
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
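Review bot: `allow $1 user_tmp_t:file entrypoint;` changes the contract of `userdom_exec_user_tmp_files()` for every existing caller, not just the sudo case behind rhbz#1966945: a domain that called the interface merely to execute user temp files can now be entered through a user-writable user_tmp_t file, which is exactly what the entrypoint check exists to prevent — any domain already allowed to `transition` into such a caller can do so with attacker-authored code in /tmp. Keep this interface exec-only and put the entrypoint rule in a separate interface, e.g. `userdom_user_tmp_entrypoint($1)`, called only by the domain that really needs a transition on user_tmp_t. At minimum the interface summary (outside this hunk) must say it now also grants an entrypoint, and the commit message should quote the denial that motivated it, since none is shown. The `interface(...)` body closes outside this hunk.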
@@ -66,6 +66,30 @@ Patch10: add-avc-for-systemd.patch
 Patch6000: backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch
 Patch6001: backport-Allow-chage-domtrans-to-sssd.patch
+Patch6002: backport-Allow-domtrans-to-sssd_t-and-role-access-to-sssd.patch
+Patch6003: backport-Allow-tlp-dbus-chat-with-NetworkManager.patch
+Patch6004: backport-Allow-redis-get-attributes-of-filesystems-with-exten.patch
+Patch6005: backport-Allow-rpmdb-read-admin-home-config-files.patch
+Patch6006: backport-Allow-rpmdb-read-generic-SSL-certificates.patch
+Patch6007: backport-Allow-PID-1-and-dbus-broker-IPC-with-a-systemd-user-.patch
+Patch6008: backport-Allow-sudodomain-send-a-null-signal-to-sshd-processe.patch
+Patch6009: backport-Update-userdom_exec_user_tmp_files-with-an-entrypoin.patch
+Patch6010: backport-Allow-svnserve-send-mail-from-the-system.patch
+Patch6011: backport-Allow-cloud-init-dbus-chat-with-systemd-logind.patch
+Patch6012: backport-Allow-smbcontrol-use-additional-socket-types.patch
+Patch6013: backport-Allow-login_userdomain-open-read-map-system-journal.patch
+Patch6014: backport-Allow-lldpd-use-an-snmp-subagent-over-a-tcp-socket.patch
+Patch6015: backport-Allow-rhsmcertd-get-attributes-of-tmpfs_t-filesystem.patch
+Patch6016: backport-Allow-dnsmasq-watch-etc-dnsmasq.d-directories.patch
+Patch6017: backport-Allow-systemd-read-unlabeled-symbolic-links.patch
+Patch6018: backport-Allow-sudodomains-execute-passwd-in-the-passwd-domai.patch
+Patch6019: backport-Allow-userdomains-use-pam_ssh_agent_auth-for-passwor.patch
+Patch6020: backport-Allow-sysadm-execute-sysadmctl-in-sysadm_t-domain-us.patch
+Patch6021: backport-Allow-haproxy-get-attributes-of-cgroup-filesystems.patch
+Patch6022: backport-Allow-haproxy-get-attributes-of-filesystems-with-ext.patch
+Patch6023: backport-Allow-lldpd-connect-to-snmpd-with-a-unix-domain-stre.patch
+Patch6024: backport-Allow-admin-userdomains-use-socketpair.patch
+Patch6025: backport-Ensure-that-run-systemd-are-properly-labeled.patch
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -736,6 +760,9 @@ exit 0
 %endif
 %changelog
+* Fri Sep 2 2022 lujie - 35.5-8
+- backport upstream patches
+
 * Thu Aug 18 2022 xuwenlong - 35.5-7
 - Allow chage domtrans to sssd
-- 
Gitee
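Review bot: `Patch6002: backport-Allow-domtrans-to-sssd_t-and-role-access-to-sssd.patch` differs from the already-present `Patch6000: backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch` only in the wording of its name; confirm these are two distinct upstream commits rather than the same change packaged twice, since a duplicate would either fail to apply or silently stack the same rules. The ordering of the three sudo.if patches is consistent with their blob indices (6018 e79eef7→356b150, 6019 356b150→f6df896, 6020 f6df896→24ede58), so application order is correct as listed. The changelog entry `- backport upstream patches` says nothing about which 24 changes were pulled in; listing the rhbz numbers or patch subjects there would make the security-relevant widenings (sudo, user_tmp entrypoint, svnserve MTA) discoverable from the package history.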