From 93f58e24e5a361412468e7d0f70fac17ea762a16 Mon Sep 17 00:00:00 2001 
From: lujie54 Date: Tue, 13 Sep 2022 19:52:03 +0800 Subject: [PATCH] update upstream patches (cherry picked from commit 45421a28ba6bef1e238675809a1cac1738b98c84) --- ...inistrative-users-the-bpf-capability.patch | 38 ++++++++++ ...-request-the-kernel-to-load-a-module.patch | 35 +++++++++ ...proxy-access-to-various-system-files.patch | 44 +++++++++++ ...proxy-read-and-write-z90crypt-device.patch | 42 +++++++++++ ...y-read-write-and-map-ica-tmpfs-files.patch | 35 +++++++++ ...get-attributes-of-cgroup-filesystems.patch | 36 +++++++++ ...domain-create-session_dbusd-tmp-sock.patch | 72 ++++++++++++++++++ ...domain-watch-accountsd-lib-directori.patch | 38 ++++++++++ ...domain-watch-generic-directories-in-.patch | 35 +++++++++ ...domain-watch-localization-directorie.patch | 74 +++++++++++++++++++ ...domain-watch-systemd-logind-PID-dire.patch | 35 +++++++++ ...rdomain-watch-various-files-and-dirs.patch | 49 ++++++++++++ ...l-read-the-network-state-information.patch | 36 +++++++++ ...ow-sshd-read-filesystem-sysctl-files.patch | 34 +++++++++ ...d_kcm-read-and-write-z90crypt-device.patch | 42 +++++++++++ ..._t-start-and-stop-transient-services.patch | 34 +++++++++ ...redump-read-and-write-usermodehelper.patch | 39 ++++++++++ ...redump-userns-capabilities-and-root-.patch | 46 ++++++++++++ ...systemd-io-bridge-ioctl-rpm_script_t.patch | 68 +++++++++++++++++ ...gind-delete-session_dbusd-tmp-socket.patch | 69 +++++++++++++++++ ...port-Allow-tlp-read-its-systemd-unit.patch | 32 ++++++++ ...-Allow-virt_domain-map-vhost-devices.patch | 67 +++++++++++++++++ selinux-policy.spec | 27 ++++++- 23 files changed, 1026 insertions(+), 1 deletion(-) create mode 100644 backport-Allow-administrative-users-the-bpf-capability.patch create mode 100644 backport-Allow-fcoemon-request-the-kernel-to-load-a-module.patch create mode 100644 backport-Allow-gssproxy-access-to-various-system-files.patch create mode 100644 backport-Allow-gssproxy-read-and-write-z90crypt-device.patch create mode 100644 
backport-Allow-gssproxy-read-write-and-map-ica-tmpfs-files.patch create mode 100644 backport-Allow-kpropd-get-attributes-of-cgroup-filesystems.patch create mode 100644 backport-Allow-login_userdomain-create-session_dbusd-tmp-sock.patch create mode 100644 backport-Allow-login_userdomain-watch-accountsd-lib-directori.patch create mode 100644 backport-Allow-login_userdomain-watch-generic-directories-in-.patch create mode 100644 backport-Allow-login_userdomain-watch-localization-directorie.patch create mode 100644 backport-Allow-login_userdomain-watch-systemd-logind-PID-dire.patch create mode 100644 backport-Allow-login_userdomain-watch-various-files-and-dirs.patch create mode 100644 backport-Allow-smbcontrol-read-the-network-state-information.patch create mode 100644 backport-Allow-sshd-read-filesystem-sysctl-files.patch create mode 100644 backport-Allow-sssd_kcm-read-and-write-z90crypt-device.patch create mode 100644 backport-Allow-sysadm_t-start-and-stop-transient-services.patch create mode 100644 backport-Allow-systemd-coredump-read-and-write-usermodehelper.patch create mode 100644 backport-Allow-systemd-coredump-userns-capabilities-and-root-.patch create mode 100644 backport-Allow-systemd-io-bridge-ioctl-rpm_script_t.patch create mode 100644 backport-Allow-systemd-logind-delete-session_dbusd-tmp-socket.patch create mode 100644 backport-Allow-tlp-read-its-systemd-unit.patch create mode 100644 backport-Allow-virt_domain-map-vhost-devices.patch diff --git a/backport-Allow-administrative-users-the-bpf-capability.patch b/backport-Allow-administrative-users-the-bpf-capability.patch new file mode 100644 index 0000000..ddf4c2c --- /dev/null +++ b/backport-Allow-administrative-users-the-bpf-capability.patch 
@@ -0,0 +1,38 @@ +From 0fa3cc8988c28c5da8b6844cdac0d052ec48dc3b Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 12 Jan 2022 17:39:33 +0100 +Subject: [PATCH] Allow administrative users the bpf capability + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/0fa3cc8988c28c5da8b6844cdac0d052ec48dc3b +Conflict: NA + +The userdom_admin_user_template() template for creating an +administrative user was updated with the bpf capability so that +e. g. users in the sysadm_r role can run perf. +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(01/12/2022 10:45:01.065:855) : proctitle=perf record -o /dev/null echo test +type=SYSCALL msg=audit(01/12/2022 10:45:01.065:855) : arch=x86_64 syscall=bpf success=no exit=ENOENT(No such file or directory) a0=BPF_PROG_GET_NEXT_ID a1=0x7fffd756dba0 a2=0x78 a3=0x3b items=0 ppid=9065 pid=9066 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=7 comm=perf exe=/usr/bin/perf subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(01/12/2022 10:45:01.065:855) : avc: denied { bpf } for pid=9066 comm=perf capability=unknown-capability(39) scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=capability2 permissive=0 + +Signed-off-by: lujie54 +--- + policy/modules/system/userdomain.if | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if +index cb56d28..eea0894 100644 +--- a/policy/modules/system/userdomain.if ++++ b/policy/modules/system/userdomain.if +@@ -1640,6 +1640,8 @@ template(`userdom_admin_user_template',` + # $1_t local policy + # + ++ allow $1_t self:capability2 bpf; ++ + # Manipulate other users crontab. + allow $1_t self:passwd crontab; + +-- +1.8.3.1 + 
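Review bot: `allow $1_t self:capability2 bpf;` is added inside userdom_admin_user_template, so every administrative user domain instantiated from that template gains CAP_BPF (loading and inspecting eBPF programs and maps), not only the sysadm_t shown in the denial; that matches the template's intent but the rule has no why-comment, and one would keep the grant auditable, e.g. `# CAP_BPF: perf (bpf(BPF_PROG_GET_NEXT_ID)) run from administrative roles`. On recent kernels perf's profiling paths presumably also check CAP_PERFMON, so a permissive run of the same perf command would confirm whether further capability2 denials follow. Separately, the Reference: line here (and in every other patch of this series) points at gitbub.com, a typo for github.com, so none of the provenance links resolve.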
diff --git a/backport-Allow-fcoemon-request-the-kernel-to-load-a-module.patch b/backport-Allow-fcoemon-request-the-kernel-to-load-a-module.patch new file mode 100644 index 0000000..168136b --- /dev/null +++ b/backport-Allow-fcoemon-request-the-kernel-to-load-a-module.patch @@ -0,0 +1,35 @@ +From ed80bcd8541d224ec18de995fb7dbb3c1bd5732c Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 7 Jan 2022 17:35:22 +0100 +Subject: [PATCH] Allow fcoemon request the kernel to load a module + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/ed80bcd8541d224ec18de995fb7dbb3c1bd5732c +Conflict: NA + +Addresses the following AVC denial: + +type=AVC msg=audit(1641434692.558:116): avc: denied { module_request } for pid=2995 comm="fcoemon" kmod="8021q" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0 +type=SYSCALL msg=audit(1641434692.558:116): arch=x86_64 syscall=ioctl success=no exit=ENOPKG a0=8 a1=8982 a2=7ffdd90301c0 a3=7fec871ae3e0 items=0 ppid=1 pid=2995 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fcoemon exe=/usr/sbin/fcoemon subj=s + +Resolves: rhbz#2034463 +Signed-off-by: lujie54 +--- + policy/modules/contrib/fcoe.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/contrib/fcoe.te b/policy/modules/contrib/fcoe.te +index d46768a..18a30e7 100644 +--- a/policy/modules/contrib/fcoe.te ++++ b/policy/modules/contrib/fcoe.te +@@ -34,6 +34,8 @@ manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) + manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) + files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file }) + ++kernel_request_load_module(fcoemon_t) ++ + dev_rw_sysfs(fcoemon_t) + dev_create_sysfs_files(fcoemon_t) + +-- +1.8.3.1 + 
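Review bot: `kernel_request_load_module(fcoemon_t)` grants `system { module_request }` toward kernel_t, and SELinux cannot scope that permission to a module name, so fcoemon_t may trigger autoload of any module alias the kernel resolves, not only the 8021q driver named in the denial. That is the customary way this denial is handled in refpolicy, but a comment recording the trigger keeps the wider grant reviewable: `# VLAN (8021q) autoload via ioctl; module_request cannot be narrowed to one module`. The quoted SYSCALL record is also truncated at `subj=s`, so the commit message loses the subject context it sets out to cite.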
diff --git a/backport-Allow-gssproxy-access-to-various-system-files.patch b/backport-Allow-gssproxy-access-to-various-system-files.patch new file mode 100644 index 0000000..8d0bbf1 --- /dev/null +++ b/backport-Allow-gssproxy-access-to-various-system-files.patch @@ -0,0 +1,44 @@ +From 02d90bb3e2fc39d67a7d07cec5ca113bd0a53421 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 10 Jan 2022 17:36:15 +0100 +Subject: [PATCH] Allow gssproxy access to various system files. + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/02d90bb3e2fc39d67a7d07cec5ca113bd0a53421 +Conflict: NA + +gssproxy was allowed to: +- read system state information in /proc +- read from random number generator devices (e.g., /dev/random) +- read hardware state information + +Resolves: rhbz#2026974 +Signed-off-by: lujie54 +--- + policy/modules/contrib/gssproxy.te | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te +index f48457c..aa53de0 100644 +--- a/policy/modules/contrib/gssproxy.te ++++ b/policy/modules/contrib/gssproxy.te +@@ -41,6 +41,7 @@ files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_fil + + kernel_rw_rpc_sysctls(gssproxy_t) + kernel_read_network_state(gssproxy_t) ++kernel_read_system_state(gssproxy_t) + + domain_use_interactive_fds(gssproxy_t) + domain_read_all_domains_state(gssproxy_t) +@@ -51,7 +52,9 @@ fs_getattr_all_fs(gssproxy_t) + + auth_use_nsswitch(gssproxy_t) + ++dev_read_rand(gssproxy_t) + dev_read_urand(gssproxy_t) ++dev_read_sysfs(gssproxy_t) + dev_rw_crypto(gssproxy_t) + + logging_send_syslog_msg(gssproxy_t) +-- +1.8.3.1 + diff --git a/backport-Allow-gssproxy-read-and-write-z90crypt-device.patch b/backport-Allow-gssproxy-read-and-write-z90crypt-device.patch new file mode 100644 index 0000000..9e8d3d9 --- /dev/null +++ b/backport-Allow-gssproxy-read-and-write-z90crypt-device.patch 
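Review bot: The index line `f48457c..aa53de0` bases this patch on the post-image of backport-Allow-gssproxy-read-write-and-map-ica-tmpfs-files.patch (`872079f..f48457c`), which itself sits on the z90crypt patch (`18d08d1..872079f`), so the spec must apply the three gssproxy patches in the order z90crypt, ica-tmpfs, access-to-various even though this filename sorts first; the spec hunk is not in view, so that ordering should be checked. The `dev_rw_crypto(gssproxy_t)` context line in this hunk only exists once the z90crypt patch is applied, which is the same dependency. The added rules themselves are read-only (kernel_read_system_state, dev_read_sysfs, and dev_read_rand beside the existing dev_read_urand) and low risk.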
@@ -0,0 +1,42 @@ +From d0fcb462896c8fb00eaa8f8b3580fffcbefcdf8b Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 10 Jan 2022 17:18:30 +0100 +Subject: [PATCH] Allow gssproxy read and write z90crypt device +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d0fcb462896c8fb00eaa8f8b3580fffcbefcdf8b +Conflict: NA + +This permission is required on s390x systems with the Crypto Express +adapter card. The z90crypt device driver acts as the interface to the +PCI cryptography hardware and performs asynchronous encryption +operations (RSA) as used during the SSL handshake. + +Addresses the following AVC denial: +type=PROCTITLE msg=audit(26.11.2021 17:43:04.211:26) : proctitle=/usr/sbin/gssproxy -D +type=AVC msg=audit(26.11.2021 17:43:04.211:26) : avc: denied { read write } for pid=859 comm=gssproxy name=icastats_0 dev="tmpfs" ino=2 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:ica_tmpfs_t:s0 tclass=file permissive=0 +type=SYSCALL msg=audit(26.11.2021 17:43:04.211:26) : arch=s390x syscall=openat success=no exit=EACCES(Operace zamítnuta) a0=0xffffffffffffff9c a1=0x3ffdec7c2fb a2=O_RDWR|O_CREAT|O_NOFOLLOW|O_CLOEXEC a3=0x180 items=0 ppid=1 pid=859 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gssproxy exe=/usr/sbin/gssproxy subj=system_u:system_r:gssproxy_t:s0 key=(null) + +Resolves: rhbz#2026974 +Signed-off-by: lujie54 +--- + policy/modules/contrib/gssproxy.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te +index 18d08d1..872079f 100644 +--- a/policy/modules/contrib/gssproxy.te ++++ b/policy/modules/contrib/gssproxy.te +@@ -52,6 +52,7 @@ fs_getattr_all_fs(gssproxy_t) + auth_use_nsswitch(gssproxy_t) + + dev_read_urand(gssproxy_t) ++dev_rw_crypto(gssproxy_t) + + 
logging_send_syslog_msg(gssproxy_t) + +-- +1.8.3.1 + diff --git a/backport-Allow-gssproxy-read-write-and-map-ica-tmpfs-files.patch b/backport-Allow-gssproxy-read-write-and-map-ica-tmpfs-files.patch new file mode 100644 index 0000000..563d07a --- /dev/null +++ b/backport-Allow-gssproxy-read-write-and-map-ica-tmpfs-files.patch @@ -0,0 +1,35 @@ +From dc1a9f92b95e7adb963383681b8cab44f1e2a044 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 10 Jan 2022 17:25:03 +0100 +Subject: [PATCH] Allow gssproxy read, write, and map ica tmpfs files + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/dc1a9f92b95e7adb963383681b8cab44f1e2a044 +Conflict: NA + +These permissions are necessary for domains working +with the ICA crypto accelerator. + +Resolves: rhbz#2026974 +Signed-off-by: lujie54 +--- + policy/modules/contrib/gssproxy.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te +index 872079f..f48457c 100644 +--- a/policy/modules/contrib/gssproxy.te ++++ b/policy/modules/contrib/gssproxy.te +@@ -68,6 +68,10 @@ optional_policy(` + ') + + optional_policy(` ++ ica_rw_map_tmpfs_files(gssproxy_t) ++') ++ ++optional_policy(` + ipa_read_lib(gssproxy_t) + ') + +-- +1.8.3.1 + diff --git a/backport-Allow-kpropd-get-attributes-of-cgroup-filesystems.patch b/backport-Allow-kpropd-get-attributes-of-cgroup-filesystems.patch new file mode 100644 index 0000000..1fffb34 --- /dev/null +++ b/backport-Allow-kpropd-get-attributes-of-cgroup-filesystems.patch 
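Review bot: The AVC quoted in this message (`name=icastats_0 dev="tmpfs" ... tcontext=system_u:object_r:ica_tmpfs_t:s0 tclass=file`) is not the denial that `dev_rw_crypto(gssproxy_t)` resolves; dev_rw_crypto targets the crypto device node while the quoted record is the ica tmpfs access handled by the following patch. A reviewer auditing why gssproxy_t received read/write on the crypto device therefore has no matching evidence here, so the commit message should quote the z90crypt denial or state that the ica record was captured in the same session. The permission is write access to hardware crypto, which the prose justifies for s390x Crypto Express; presumably it is inert on architectures where the device node is absent.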
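Review bot: `ica_rw_map_tmpfs_files(gssproxy_t)` is wrapped in optional_policy, but that only tolerates the ica module being absent at link time; if this tree's contrib/ica.if does not define the interface, m4 leaves the call unexpanded and the policy build fails despite the `Conflict: NA` claim, so the interface's presence should be confirmed (it is not visible in this series). The rule also grants `map` on ica_tmpfs_t, meaning gssproxy_t shares memory-mapped writable state (the icastats file seen in the preceding patch's denial) with other libica users; a short comment would record that, e.g. `# libica shared stats file on tmpfs (s390x CEX hardware)`.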
@@ -0,0 +1,36 @@ +From 747521e0f639f1aec372e87cd2e0cbed13d9416b Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 13 Jan 2022 10:15:43 +0100 +Subject: [PATCH] Allow kpropd get attributes of cgroup filesystems + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/747521e0f639f1aec372e87cd2e0cbed13d9416b +Conflict: NA + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(01/12/2022 17:58:09.626:7104) : proctitle=/usr/sbin/kpropd +type=PATH msg=audit(01/12/2022 17:58:09.626:7104) : item=0 name=/sys/fs/cgroup/ inode=1 dev=00:1b mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:cgroup_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(01/12/2022 17:58:09.626:7104) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x7f78a1e413ae a1=0x7ffd080f54c0 a2=0x7f78a2137260 a3=0x0 items=1 ppid=1 pid=132239 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kpropd exe=/usr/sbin/kpropd subj=system_u:system_r:kpropd_t:s0 key=(null) +type=AVC msg=audit(01/12/2022 17:58:09.626:7104) : avc: denied { getattr } for pid=132239 comm=kpropd name=/ dev="cgroup2" ino=1 scontext=system_u:system_r:kpropd_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0 + +Signed-off-by: lujie54 +--- + policy/modules/contrib/kerberos.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te +index 4289d79..b4d3c3e 100644 +--- a/policy/modules/contrib/kerberos.te ++++ b/policy/modules/contrib/kerberos.te +@@ -385,6 +385,8 @@ dev_read_urand(kpropd_t) + + files_search_tmp(kpropd_t) + ++fs_getattr_cgroup(kpropd_t) ++ + selinux_validate_context(kpropd_t) + + auth_use_nsswitch(kpropd_t) +-- +1.8.3.1 + 
diff --git a/backport-Allow-login_userdomain-create-session_dbusd-tmp-sock.patch b/backport-Allow-login_userdomain-create-session_dbusd-tmp-sock.patch new file mode 100644 index 0000000..af4950b --- /dev/null +++ b/backport-Allow-login_userdomain-create-session_dbusd-tmp-sock.patch 
@@ -0,0 +1,72 @@ +From 7c18d0afc7f6b93319902dc1e5305fe66a060019 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 13 Jan 2022 19:17:31 +0100 +Subject: [PATCH] Allow login_userdomain create session_dbusd tmp socket files + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/7c18d0afc7f6b93319902dc1e5305fe66a060019 +Conflict: NA + +The dbus_create_session_tmp_sock_files() interface was added. + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(13.1.2022 18:56:38.180:8372) : proctitle=(systemd) +type=PATH msg=audit(13.1.2022 18:56:38.180:8372) : item=1 name=/run/user/1001/bus inode=40 dev=00:3f mode=socket,666 ouid=staff ogid=staff rdev=00:00 obj=staff_u:object_r:session_dbusd_tmp_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=PATH msg=audit(13.1.2022 18:56:38.180:8372) : item=0 name=/run/user/1001/ inode=1 dev=00:3f mode=dir,700 ouid=staff ogid=staff rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SOCKADDR msg=audit(13.1.2022 18:56:38.180:8372) : saddr={ saddr_fam=local path=/run/user/1001/bus } +type=SYSCALL msg=audit(13.1.2022 18:56:38.180:8372) : arch=x86_64 syscall=bind success=yes exit=0 a0=0xc a1=0x562410fef860 a2=0x15 a3=0x0 items=2 ppid=1 pid=24940 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=23 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(13.1.2022 18:56:38.180:8372) : avc: denied { create } for pid=24940 comm=systemd name=bus scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=1 + +Signed-off-by: lujie54 +--- + policy/modules/contrib/dbus.if | 18 ++++++++++++++++++ + policy/modules/system/userdomain.te | 4 ++++ + 2 files changed, 22 insertions(+) + +diff --git a/policy/modules/contrib/dbus.if 
b/policy/modules/contrib/dbus.if +index e04af61..deb6f10 100644 +--- a/policy/modules/contrib/dbus.if ++++ b/policy/modules/contrib/dbus.if +@@ -901,6 +901,24 @@ interface(`dbus_delete_session_tmp_sock_files',` + + ######################################## + ## ++## Create session_dbusd tmp socket files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dbus_create_session_tmp_sock_files',` ++ gen_require(` ++ type session_dbusd_tmp_t; ++ ') ++ ++ create_sock_files_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t) ++') ++ ++######################################## ++## + ## Allow systemctl dbus services + ## + ## +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index b936a81..9f778ee 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -404,6 +404,10 @@ optional_policy(` + ') + + optional_policy(` ++ dbus_create_session_tmp_sock_files(login_userdomain) ++') ++ ++optional_policy(` + gnome_watch_generic_data_home_dirs(login_userdomain) + gnome_watch_home_config_dirs(login_userdomain) + gnome_watch_home_config_files(login_userdomain) +-- +1.8.3.1 + diff --git a/backport-Allow-login_userdomain-watch-accountsd-lib-directori.patch b/backport-Allow-login_userdomain-watch-accountsd-lib-directori.patch new file mode 100644 index 0000000..0c7f85a --- /dev/null +++ b/backport-Allow-login_userdomain-watch-accountsd-lib-directori.patch 
@@ -0,0 +1,38 @@ +From 0ed8e5127011aa4a75f57c250b5cc89b71949179 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 13 Jan 2022 22:57:07 +0100 +Subject: [PATCH] Allow login_userdomain watch accountsd lib directories + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/0ed8e5127011aa4a75f57c250b5cc89b71949179 +Conflict: NA + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(3.1.2022 08:48:10.041:403) : proctitle=/usr/bin/plasmashell --no-respawn +type=PATH msg=audit(3.1.2022 08:48:10.041:403) : item=0 name=/var/lib/AccountsService/icons inode=102167247 dev=fd:00 mode=dir,775 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:accountsd_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(3.1.2022 08:48:10.041:403) : arch=x86_64 syscall=inotify_add_watch success=yes exit=16 a0=0xd a1=0x556d0da251b8 a2=0x2000fc6 a3=0x7f74d2859329 items=1 ppid=1775 pid=1944 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=plasmashell exe=/usr/bin/plasmashell subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(3.1.2022 08:48:10.041:403) : avc: denied { watch } for pid=1944 comm=plasmashell path=/var/lib/AccountsService/icons dev="dm-0" ino=102167247 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:accountsd_var_lib_t:s0 tclass=dir permissive=1 + +Signed-off-by: lujie54 +--- + policy/modules/system/userdomain.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index 86617c3..465e0a3 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -409,6 +409,10 @@ optional_policy(` + ') + + optional_policy(` ++ accountsd_watch_lib(login_userdomain) ++') ++ ++optional_policy(` + dbus_create_session_tmp_sock_files(login_userdomain) + 
') + +-- +1.8.3.1 + diff --git a/backport-Allow-login_userdomain-watch-generic-directories-in-.patch b/backport-Allow-login_userdomain-watch-generic-directories-in-.patch new file mode 100644 index 0000000..4780c6f --- /dev/null +++ b/backport-Allow-login_userdomain-watch-generic-directories-in-.patch 
@@ -0,0 +1,35 @@ +From 7821ccab9e2f62f5d4ac8f2ea8ef45d12f4bb7a2 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 13 Jan 2022 22:38:29 +0100 +Subject: [PATCH] Allow login_userdomain watch generic directories in /tmp + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/7821ccab9e2f62f5d4ac8f2ea8ef45d12f4bb7a2 +Conflict: NA + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(13.1.2022 21:50:49.647:21417) : proctitle=/usr/lib64/firefox/firefox --sm-client-id 10cddccc67000160673165200000017210015 +type=PATH msg=audit(13.1.2022 21:50:49.647:21417) : item=0 name=/tmp inode=1 dev=00:25 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(13.1.2022 21:50:49.647:21417) : arch=x86_64 syscall=inotify_add_watch success=yes exit=21 a0=0x50 a1=0x7fee2f76f1d0 a2=0x1002fce a3=0xdaddb2ff3800000 items=1 ppid=1775 pid=1088343 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=GeckoMain exe=/usr/lib64/firefox/firefox subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(13.1.2022 21:50:49.647:21417) : avc: denied { watch } for pid=1088343 comm=GeckoMain path=/tmp dev="tmpfs" ino=1 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1 + +Signed-off-by: lujie54 +--- + policy/modules/system/userdomain.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index 9f778ee..cc2d309 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -389,6 +389,7 @@ dev_watch_generic_dirs(login_userdomain) + files_watch_etc_dirs(login_userdomain) + files_watch_usr_dirs(login_userdomain) + files_watch_var_lib_dirs(login_userdomain) 
++files_watch_generic_tmp_dirs(login_userdomain) + + fs_create_cgroup_files(login_userdomain) + fs_watch_cgroup_files(login_userdomain) +-- +1.8.3.1 + diff --git a/backport-Allow-login_userdomain-watch-localization-directorie.patch b/backport-Allow-login_userdomain-watch-localization-directorie.patch new file mode 100644 index 0000000..95e1c57 --- /dev/null +++ b/backport-Allow-login_userdomain-watch-localization-directorie.patch 
@@ -0,0 +1,74 @@ +From 04abf1566f6fbd1b87f3d55fa9c09ec59a982b4a Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 13 Jan 2022 22:53:08 +0100 +Subject: [PATCH] Allow login_userdomain watch localization directories + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/04abf1566f6fbd1b87f3d55fa9c09ec59a982b4a +Conflict: NA + +The miscfiles_watch_localization_dirs() interface was added. + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(3.1.2022 08:51:36.215:442) : proctitle=/opt/google/chrome/chrome --enable-crashpad +type=PATH msg=audit(3.1.2022 08:51:36.215:442) : item=0 name=/etc/../usr/share/zoneinfo inode=67574433 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:locale_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=CWD msg=audit(3.1.2022 08:51:36.215:442) : cwd=/home/username +type=SYSCALL msg=audit(3.1.2022 08:51:36.215:442) : arch=x86_64 syscall=inotify_add_watch success=yes exit=10 a0=0x18 a1=0xd0a02b08b20 a2=0x10003cc a3=0x0 items=1 ppid=1944 pid=4906 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=ThreadPoolSingl exe=/opt/google/chrome/chrome subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(3.1.2022 08:51:36.215:442) : avc: denied { watch } for pid=4906 comm=ThreadPoolSingl path=/usr/share/zoneinfo dev="dm-0" ino=67574433 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1 + +Signed-off-by: lujie54 +--- + policy/modules/system/miscfiles.if | 24 ++++++++++++++++++++++++ + policy/modules/system/userdomain.te | 1 + + 2 files changed, 25 insertions(+) + +diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if +index b63a391..e7f73d8 100644 +--- a/policy/modules/system/miscfiles.if ++++ b/policy/modules/system/miscfiles.if +@@ -557,6 +557,30 @@ 
interface(`miscfiles_read_localization',` + + ######################################## + ## ++## Allow process to watch localization directories. ++## ++## ++##

++## Allow the specified domain to watch localization directories ++## (e.g. /usr/share/zoneinfo/) for changes. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`miscfiles_watch_localization_dirs',` ++ gen_require(` ++ type locale_t; ++ ') ++ ++ watch_dirs_pattern($1, locale_t, locale_t) ++') ++ ++######################################## ++## + ## Allow process to watch localization files. + ## + ## +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index 824af18..86617c3 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -397,6 +397,7 @@ files_watch_generic_tmp_dirs(login_userdomain) + fs_create_cgroup_files(login_userdomain) + fs_watch_cgroup_files(login_userdomain) + ++miscfiles_watch_localization_dirs(login_userdomain) + miscfiles_watch_localization_symlinks(login_userdomain) + + mount_watch_pid_dirs(login_userdomain) +-- +1.8.3.1 + diff --git a/backport-Allow-login_userdomain-watch-systemd-logind-PID-dire.patch b/backport-Allow-login_userdomain-watch-systemd-logind-PID-dire.patch new file mode 100644 index 0000000..36b972d --- /dev/null +++ b/backport-Allow-login_userdomain-watch-systemd-logind-PID-dire.patch 
@@ -0,0 +1,35 @@ +From f519626b841561d71f7ef751b446a598871477bf Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 14 Jan 2022 17:13:08 +0100 +Subject: [PATCH] Allow login_userdomain watch systemd-logind PID directories + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/f519626b841561d71f7ef751b446a598871477bf +Conflict: NA + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(3.1.2022 08:48:02.005:392) : proctitle=/usr/bin/wireplumber +type=PATH msg=audit(3.1.2022 08:48:02.005:392) : item=0 name=/run/systemd/seats/ inode=72 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_logind_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(3.1.2022 08:48:02.005:392) : arch=x86_64 syscall=inotify_add_watch success=yes exit=1 a0=0x11 a1=0x7f214c69d027 a2=0x280 a3=0x0 items=1 ppid=1775 pid=2305 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=wireplumber exe=/usr/bin/wireplumber subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(3.1.2022 08:48:02.005:392) : avc: denied { watch } for pid=2305 comm=wireplumber path=/run/systemd/seats dev="tmpfs" ino=72 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=dir permissive=1 + +Signed-off-by: lujie54 +--- + policy/modules/system/userdomain.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index 465e0a3..5643687 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -432,6 +432,7 @@ optional_policy(` + ') + + optional_policy(` ++ systemd_login_watch_pid_dirs(login_userdomain) + systemd_login_watch_session_dirs(login_userdomain) + ') + +-- +1.8.3.1 + 
diff --git a/backport-Allow-login_userdomain-watch-various-files-and-dirs.patch b/backport-Allow-login_userdomain-watch-various-files-and-dirs.patch new file mode 100644 index 0000000..3b5801b --- /dev/null +++ b/backport-Allow-login_userdomain-watch-various-files-and-dirs.patch 
@@ -0,0 +1,49 @@ +From 0675ab63c83c96dd65d9793c5ff2835253329bba Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 13 Jan 2022 22:43:33 +0100 +Subject: [PATCH] Allow login_userdomain watch various files and dirs + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/0675ab63c83c96dd65d9793c5ff2835253329bba +Conflict: NA + +Addresses the following AVC denials: + +type=PROCTITLE msg=audit(3.1.2022 14:44:22.064:986) : proctitle=/usr/libexec/kscreenlocker_greet --graceTime 75000 --ksldfd 46 +type=PATH msg=audit(3.1.2022 14:44:22.064:986) : item=0 name=/etc/fstab inode=100663543 dev=fd:00 mode=file,664 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(3.1.2022 14:44:22.064:986) : arch=x86_64 syscall=inotify_add_watch success=yes exit=2 a0=0x18 a1=0x56518e638958 a2=0xcc6 a3=0x56518e6392d0 items=1 ppid=1881 pid=45075 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=kscreenlocker_g exe=/usr/libexec/kscreenlocker_greet subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(3.1.2022 14:44:22.064:986) : avc: denied { watch } for pid=45075 comm=kscreenlocker_g path=/etc/fstab dev="dm-0" ino=100663543 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 + +type=PROCTITLE msg=audit(3.1.2022 14:44:22.064:987) : proctitle=/usr/libexec/kscreenlocker_greet --graceTime 75000 --ksldfd 46 +type=PATH msg=audit(3.1.2022 14:44:22.064:987) : item=0 name=/var/run inode=1 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(3.1.2022 14:44:22.064:987) : arch=x86_64 syscall=inotify_add_watch success=yes exit=1 a0=0x1a a1=0x7f74ecdfae35 a2=0x100 a3=0x0 items=1 
ppid=1881 pid=45075 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=kscreenlocker_g exe=/usr/libexec/kscreenlocker_greet subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(3.1.2022 14:44:22.064:987) : avc: denied { watch } for pid=45075 comm=kscreenlocker_g path=/run dev="tmpfs" ino=1 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1 + +type=PROCTITLE msg=audit(3.1.2022 14:44:22.213:989) : proctitle=/usr/libexec/kscreenlocker_greet --graceTime 75000 --ksldfd 46 +type=PATH msg=audit(3.1.2022 14:44:22.213:989) : item=0 name=/usr/share/plasma/desktoptheme/breeze-dark/metadata.desktop inode=1684078 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(3.1.2022 14:44:22.213:989) : arch=x86_64 syscall=inotify_add_watch success=yes exit=5 a0=0xf a1=0x7f74d8001438 a2=0x2000fc6 a3=0x7f74f2f73329 items=1 ppid=1881 pid=45075 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=kscreenlocker_g exe=/usr/libexec/kscreenlocker_greet subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(3.1.2022 14:44:22.213:989) : avc: denied { watch } for pid=45075 comm=kscreenlocker_g path=/usr/share/plasma/desktoptheme/breeze-dark/metadata.desktop dev="dm-0" ino=1684078 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 + +Signed-off-by: lujie54 +--- + policy/modules/system/userdomain.te | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index cc2d309..824af18 100644 +--- a/policy/modules/system/userdomain.te ++++ 
b/policy/modules/system/userdomain.te +@@ -387,8 +387,11 @@ tunable_policy(`deny_bluetooth',`',` + dev_watch_generic_dirs(login_userdomain) + + files_watch_etc_dirs(login_userdomain) ++files_watch_etc_files(login_userdomain) + files_watch_usr_dirs(login_userdomain) ++files_watch_usr_files(login_userdomain) + files_watch_var_lib_dirs(login_userdomain) ++files_watch_var_run_dirs(login_userdomain) + files_watch_generic_tmp_dirs(login_userdomain) + + fs_create_cgroup_files(login_userdomain) +-- +1.8.3.1 + diff --git a/backport-Allow-smbcontrol-read-the-network-state-information.patch b/backport-Allow-smbcontrol-read-the-network-state-information.patch new file mode 100644 index 0000000..3e7b13a --- /dev/null +++ b/backport-Allow-smbcontrol-read-the-network-state-information.patch 
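Review bot: `files_watch_etc_files` and `files_watch_usr_files` grant `watch` on every etc_t and usr_t file to all login user domains, while the three denials name only /etc/fstab, /run and one plasma metadata file. As far as I recall inotify_add_watch still requires read access to the target, and these domains already read etc_t and usr_t, so the practical effect is change notification rather than new content exposure — worth confirming rather than assuming. A comment naming the desktop components behind the grants would keep them auditable, e.g. `# KDE (kscreenlocker_greet) watches /etc/fstab, /run and plasma theme files`.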
@@ -0,0 +1,36 @@
+From 72bf03e76b3dd93ee4d29b573574cc394c74220b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 7 Jan 2022 18:24:37 +0100
+Subject: [PATCH] Allow smbcontrol read the network state information
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/72bf03e76b3dd93ee4d29b573574cc394c74220b
+Conflict: NA
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(12/15/2021 14:56:51.308:2289) : proctitle=smbcontrol winbind ping
+type=AVC msg=audit(12/15/2021 14:56:51.308:2289) : avc: denied { read } for pid=39355 comm=smbcontrol name=unix dev="proc" ino=4026532055 scontext=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=0
+type=SYSCALL msg=audit(12/15/2021 14:56:51.308:2289) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7fffd5d76250 a1=R_OK a2=0x8 a3=0x562d2bf87764 items=0 ppid=36929 pid=39355 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=9 comm=smbcontrol exe=/usr/bin/smbcontrol subj=unconfined_u:unconfined_r:smbcontrol_t:s0-s0:c0.c1023 key=(null)
+
+Resolves: rhbz#2038157
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/samba.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index cb89bcf..daf5349 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -743,6 +743,8 @@ samba_read_config(smbcontrol_t)
+ samba_search_var(smbcontrol_t)
+ samba_read_winbind_pid(smbcontrol_t)
+ 
++kernel_read_network_state(smbcontrol_t)
++
+ domain_use_interactive_fds(smbcontrol_t)
+ 
+ dev_read_urand(smbcontrol_t)
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-sshd-read-filesystem-sysctl-files.patch b/backport-Allow-sshd-read-filesystem-sysctl-files.patch
new file mode 100644
index 0000000..74a56c8
--- /dev/null
+++ b/backport-Allow-sshd-read-filesystem-sysctl-files.patch
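Review bot: The Reference line in this backport's header points to `https://gitbub.com/fedora-selinux/selinux-policy/commit/72bf03e76b3dd93ee4d29b573574cc394c74220b`, which is not the upstream host; it should read `https://github.com/fedora-selinux/selinux-policy/commit/72bf03e76b3dd93ee4d29b573574cc394c74220b`. The same typo is in the Reference line of every other backport patch added by this commit (the sshd, sssd_kcm, sysadm_t, both systemd-coredump, systemd-io-bridge, systemd-logind, tlp and virt_domain patches). Since the patch files are shipped verbatim, the fix is to the patch headers themselves, not to the policy they carry.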
@@ -0,0 +1,34 @@
+From 84dd4309ad6d644edea2c3cf448f516f4e008c04 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 11 Jan 2022 15:17:27 +0100
+Subject: [PATCH] Allow sshd read filesystem sysctl files
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/84dd4309ad6d644edea2c3cf448f516f4e008c04
+Conflict: NA
+
+This permissions is required when "nofile unlimited" is configured
+in the system resources limits for a user.
+
+echo "testuser hard nofile unlimited" >> /etc/security/limits.d/testuser.conf
+
+Resolves: rhbz#2036585
+Signed-off-by: lujie54
+---
+ policy/modules/services/ssh.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
+index 10126e7..bf988b7 100644
+--- a/policy/modules/services/ssh.te
++++ b/policy/modules/services/ssh.te
+@@ -303,6 +303,7 @@ allow sshd_t sshd_keytab_t:file read_file_perms;
+ 
+ kernel_search_key(sshd_t)
+ kernel_link_key(sshd_t)
++kernel_read_fs_sysctls(sshd_t)
+ kernel_read_net_sysctls(sshd_t)
+ 
+ files_search_all(sshd_t)
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-sssd_kcm-read-and-write-z90crypt-device.patch b/backport-Allow-sssd_kcm-read-and-write-z90crypt-device.patch
new file mode 100644
index 0000000..62cabe4
--- /dev/null
+++ b/backport-Allow-sssd_kcm-read-and-write-z90crypt-device.patch
@@ -0,0 +1,42 @@
+From 80e7516c09c41c989176947265df41e39e94a31a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 10 Jan 2022 17:15:56 +0100
+Subject: [PATCH] Allow sssd_kcm read and write z90crypt device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/80e7516c09c41c989176947265df41e39e94a31a
+Conflict: NA
+
+This permission is required on s390x systems with the Crypto Express
+adapter card. The z90crypt device driver acts as the interface to the
+PCI cryptography hardware and performs asynchronous encryption
+operations (RSA) as used during the SSL handshake.
+
+Addresses the following AVC denial:
+PROCTITLE msg=audit(26.11.2021 17:43:18.641:78) : proctitle=/usr/libexec/sssd/sssd_kcm --uid 0 --gid 0 --logger=files
+type=AVC msg=audit(26.11.2021 17:43:18.641:78) : avc: denied { read write } for pid=1724 comm=sssd_kcm name=z90crypt dev="devtmpfs" ino=111 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=0
+type=SYSCALL msg=audit(26.11.2021 17:43:18.641:78) : arch=s390x syscall=openat success=no exit=EACCES(Operace zamítnuta) a0=0xffffffffffffff9c a1=0x3ffa56906e6 a2=O_RDWR a3=0x0 items=0 ppid=1 pid=1724 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_kcm exe=/usr/libexec/sssd/sssd_kcm subj=system_u:system_r:sssd_t:s0 key=(null)
+
+Resolves: rhbz#2026974
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/sssd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
+index b510dca..e5c8673 100644
+--- a/policy/modules/contrib/sssd.te
++++ b/policy/modules/contrib/sssd.te
+@@ -106,6 +106,7 @@ corecmd_exec_bin(sssd_t)
+ 
+ dev_read_urand(sssd_t)
+ dev_read_sysfs(sssd_t)
++dev_rw_crypto(sssd_t)
+ 
+ domain_read_all_domains_state(sssd_t)
+ domain_obj_id_change_exemption(sssd_t)
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-sysadm_t-start-and-stop-transient-services.patch b/backport-Allow-sysadm_t-start-and-stop-transient-services.patch
new file mode 100644
index 0000000..c2ce37c
--- /dev/null
+++ b/backport-Allow-sysadm_t-start-and-stop-transient-services.patch
@@ -0,0 +1,34 @@
+From 489674d8ad8253a18cf88425f2fe3dbf265d03a1 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 17 Jan 2022 12:44:10 +0100
+Subject: [PATCH] Allow sysadm_t start and stop transient services
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/489674d8ad8253a18cf88425f2fe3dbf265d03a1
+Conflict: NA
+
+Addresses the following AVC denial:
+
+type=USER_AVC msg=audit(01/07/2022 03:27:48.362:345) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=unset uid=root gid=root cmdline="" scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system permissive=1 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' # Date: Mon Jan 17 12:44:10 2022 +0100
+
+Resolves: rhbz#2031065
+Signed-off-by: lujie54
+---
+ policy/modules/roles/sysadm.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index fae8028..d9e11b6 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -81,6 +81,8 @@ init_exec(sysadm_t)
+ init_exec_script_files(sysadm_t)
+ init_dbus_chat(sysadm_t)
+ init_script_role_transition(sysadm_r)
++init_start(sysadm_t)
++init_stop(sysadm_t)
+ init_status(sysadm_t)
+ init_reboot(sysadm_t)
+ init_halt(sysadm_t)
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-systemd-coredump-read-and-write-usermodehelper.patch b/backport-Allow-systemd-coredump-read-and-write-usermodehelper.patch
new file mode 100644
index 0000000..54a0a2b
--- /dev/null
+++ b/backport-Allow-systemd-coredump-read-and-write-usermodehelper.patch
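Review bot: The USER_AVC line in the sysadm_t patch's description ends with a stray `# Date: Mon Jan 17 12:44:10 2022 +0100` fragment that is not part of the audit record and should be dropped from the header. On the policy side, the new `init_start(sysadm_t)` and `init_stop(sysadm_t)` lines are not scoped to transient units: judging by the AVC (`tclass=system`, `{ start }`), the grant is on init_t's `system` class and therefore covers whatever units that class controls, which is broader than the subject line suggests. If that is intended, a comment above the two lines such as `# start/stop units (incl. transient ones) through systemd` would make the scope explicit for the next reviewer.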
@@ -0,0 +1,39 @@
+From 9ca08c39af36079809e9247957d86e86009a3e6a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 13 Jan 2022 19:23:19 +0100
+Subject: [PATCH] Allow systemd-coredump read and write usermodehelper state
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9ca08c39af36079809e9247957d86e86009a3e6a
+Conflict: NA
+
+When systemd (PID1) crashes, it freezes and systemd services cannot be
+started, so coredump handling with systemd-coredump will not work
+either. As frozen systemd does not collect zombies any longer, it looks
+reasonable to avoid spawning further processes as much as possible.
+
+Therefore systemd-coredump will write "|/bin/false" to the
+kernel.core_pattern kernel tunable when it detects that it was PID 1
+that had crashed to disable coredumping.
+
+Resolves: rhbz#1982961
+Signed-off-by: lujie54
+---
+ policy/modules/system/systemd.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index edd4354..5a78a8c 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1055,6 +1055,8 @@ manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_cor
+ mmap_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
+ init_var_lib_filetrans(systemd_coredump_t, systemd_coredump_var_lib_t, dir, "coredump")
+ 
++kernel_rw_usermodehelper_state(systemd_coredump_t)
++
+ dev_write_kmsg(systemd_coredump_t)
+ 
+ # To read info about the crashed process from /proc
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-systemd-coredump-userns-capabilities-and-root-.patch b/backport-Allow-systemd-coredump-userns-capabilities-and-root-.patch
new file mode 100644
index 0000000..03045c8
--- /dev/null
+++ b/backport-Allow-systemd-coredump-userns-capabilities-and-root-.patch
@@ -0,0 +1,46 @@
+From 4ed22744f5a99c1f2b997b915b340de7abe8d15d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 13 Jan 2022 21:08:14 +0100
+Subject: [PATCH] Allow systemd-coredump userns capabilities and root mounton
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/4ed22744f5a99c1f2b997b915b340de7abe8d15d
+Conflict: NA
+
+systemd-coredump forks a child process to perform core file analysis
+(comm=(sd-parse-elf)), and before doing the actual analysis, it sets
+up a sandbox using mount and user namespaces.
+
+Refer to https://github.com/systemd/systemd/commit/61aea456c1
+for the systemd upstream change.
+
+Resolves: rhbz#2031356
+Signed-off-by: lujie54
+---
+ policy/modules/system/systemd.te | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 5a78a8c..ea2b27e 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1040,7 +1040,7 @@ systemd_read_efivarfs(systemd_sysctl_t)
+ # setgid setuid - to set own credentials to match the dumped process credentials
+ # setpcap - to drop capabilities
+ allow systemd_coredump_t self:capability { dac_read_search net_admin setgid setpcap setuid sys_ptrace };
+-allow systemd_coredump_t self:cap_userns sys_ptrace;
++allow systemd_coredump_t self:cap_userns { dac_read_search dac_override sys_admin sys_ptrace };
+ 
+ # To set its capability set
+ allow systemd_coredump_t self:process setcap;
+@@ -1067,6 +1067,8 @@ domain_read_all_domains_state(systemd_coredump_t)
+ files_read_non_security_files(systemd_coredump_t)
+ files_map_non_security_files(systemd_coredump_t)
+ 
++files_mounton_rootfs(systemd_coredump_t)
++
+ fs_getattr_nsfs_files(systemd_coredump_t)
+ 
+ optional_policy(`
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-systemd-io-bridge-ioctl-rpm_script_t.patch b/backport-Allow-systemd-io-bridge-ioctl-rpm_script_t.patch
new file mode 100644
index 0000000..cd27dc6
--- /dev/null
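Review bot: The widened rule `allow systemd_coredump_t self:cap_userns { dac_read_search dac_override sys_admin sys_ptrace };` adds three capabilities, but unlike the `self:capability` rule directly above it, which carries a `# cap - reason` comment per capability, none of the new bits is explained, and the description only says that a mount and user namespace sandbox is set up. Following the file's existing style, a comment such as `# sys_admin - to set up the mount namespace sandbox for (sd-parse-elf)` and one for `dac_override dac_read_search` would document why each is needed. In the second hunk, `files_mounton_rootfs(systemd_coredump_t)` grants, as its name suggests, mounton on the root directory to the whole domain rather than only to the sandboxed child; with a single domain that appears unavoidable, but a one-line comment tying it to the (sd-parse-elf) sandbox would keep the reason next to the grant.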
+++ b/backport-Allow-systemd-io-bridge-ioctl-rpm_script_t.patch 
@@ -0,0 +1,68 @@
+From 3ecf12ffdad26ee5c6361a7c1e82ba507abdc04f Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 13 Jan 2022 22:12:03 +0100
+Subject: [PATCH] Allow systemd-io-bridge ioctl rpm_script_t
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3ecf12ffdad26ee5c6361a7c1e82ba507abdc04f
+Conflict: NA
+
+The permission to allow systemd-io-bridge ioctl rpm_script_t
+with a unix domain stream socket was added to the policy.
+It may be required when rpm packages are updated.
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(3.1.2022 01:17:50.921:486) : proctitle=(o-bridge)
+type=SYSCALL msg=audit(3.1.2022 01:17:50.921:486) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Pro toto zařízení nevhodné ioctl) a0=0x0 a1=TCGETS a2=0x7ffe8195d1e0 a3=0x7f9ea8a35ca0 items=0 ppid=1 pid=2846 auid=sddm uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=(o-bridge) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
+type=AVC msg=audit(3.1.2022 01:17:50.921:486) : avc: denied { ioctl } for pid=2846 comm=(o-bridge) path=socket:[43260] dev="sockfs" ino=43260 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
+
+Resolves: rhbz#2024489
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/rpm.if | 18 ++++++++++++++++++
+ policy/modules/system/init.te | 1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
+index db809c6..190f3e2 100644
+--- a/policy/modules/contrib/rpm.if
++++ b/policy/modules/contrib/rpm.if
+@@ -957,3 +957,21 @@ interface(`rpm_admin',`
+ 
+ rpm_run($1, $2)
+ ')
++
++##
++## Allow the specified domain to ioctl rpm_script_t
++## with a unix domain stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpm_script_ioctl_stream_sockets',`
++ gen_require(`
++ type rpm_script_t;
++ ')
++
++ allow $1 rpm_script_t:unix_stream_socket ioctl;
++')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 0de5f4a..a81f5da 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -516,6 +516,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ rpm_read_db(init_t)
++ rpm_script_ioctl_stream_sockets(init_t)
+ ')
+ 
+ optional_policy(`
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-systemd-logind-delete-session_dbusd-tmp-socket.patch b/backport-Allow-systemd-logind-delete-session_dbusd-tmp-socket.patch
new file mode 100644
index 0000000..39936fe
--- /dev/null
+++ b/backport-Allow-systemd-logind-delete-session_dbusd-tmp-socket.patch
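Review bot: `allow $1 rpm_script_t:unix_stream_socket ioctl;` in the new `rpm_script_ioctl_stream_sockets` interface permits every ioctl on the socket, while the AVC it addresses shows only `ioctlcmd=TCGETS`, a terminal probe that fails with ENOTTY on a socket regardless of the policy decision. If this policy build supports extended permissions, adding `allowxperm $1 rpm_script_t:unix_stream_socket ioctl TCGETS;` next to the allow rule would confine the grant to what the bridge has been observed to issue; otherwise a comment above the rule noting that only TCGETS was seen would help the next reviewer judge the width of the grant. The interface is only called from init_t's optional rpm block in the second hunk, so the exposure is limited to PID 1.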
@@ -0,0 +1,69 @@
+From 13c9a34e3e717785cf37706a964294733f6c5b00 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 13 Jan 2022 19:09:13 +0100
+Subject: [PATCH] Allow systemd-logind delete session_dbusd tmp socket files
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/13c9a34e3e717785cf37706a964294733f6c5b00
+Conflict: NA
+
+The dbus_delete_session_tmp_sock_files() interface was added.
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(13.1.2022 18:57:09.055:9086) : proctitle=/usr/lib/systemd/systemd-user-runtime-dir stop 1001
+type=PATH msg=audit(13.1.2022 18:57:09.055:9086) : item=1 name=bus inode=40 dev=00:3f mode=socket,666 ouid=staff ogid=staff rdev=00:00 obj=staff_u:object_r:session_dbusd_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=PATH msg=audit(13.1.2022 18:57:09.055:9086) : item=0 name=/ inode=1 dev=00:3f mode=dir,700 ouid=staff ogid=staff rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(13.1.2022 18:57:09.055:9086) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0x3 a1=0x560b86610d9b a2=0x0 a3=0x78 items=2 ppid=1 pid=26510 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-ru exe=/usr/lib/systemd/systemd-user-runtime-dir subj=system_u:system_r:systemd_logind_t:s0 key=(null)
+type=AVC msg=audit(13.1.2022 18:57:09.055:9086) : avc: denied { unlink } for pid=26510 comm=systemd-user-ru name=bus dev="tmpfs" ino=40 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=staff_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=1
+
+Resolves: rhbz#2039671
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/dbus.if | 18 ++++++++++++++++++
+ policy/modules/system/systemd.te | 1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
+index 71c77a0..e04af61 100644
+--- a/policy/modules/contrib/dbus.if
++++ b/policy/modules/contrib/dbus.if
+@@ -883,6 +883,24 @@ interface(`dbus_write_session_tmp_sock_files',`
+ 
+ ########################################
+ ##
++## Delete session_dbusd tmp socket files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dbus_delete_session_tmp_sock_files',`
++ gen_require(`
++ type session_dbusd_tmp_t;
++ ')
++
++ delete_sock_files_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
++')
++
++########################################
++##
+ ## Allow systemctl dbus services
+ ##
+ ##
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 43fffdc..edd4354 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -364,6 +364,7 @@ optional_policy(`
+ optional_policy(`
+ dbus_connect_system_bus(systemd_logind_t)
+ dbus_system_bus_client(systemd_logind_t)
++ dbus_delete_session_tmp_sock_files(systemd_logind_t)
+ dbus_manage_session_tmp_dirs(systemd_logind_t)
+ ')
+ 
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-tlp-read-its-systemd-unit.patch b/backport-Allow-tlp-read-its-systemd-unit.patch
new file mode 100644
index 0000000..6a751d8
--- /dev/null
+++ b/backport-Allow-tlp-read-its-systemd-unit.patch
@@ -0,0 +1,32 @@
+From 6f8f2fbdaa248e9d8967456b79888b4484ca9ad7 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 10 Jan 2022 21:51:47 +0100
+Subject: [PATCH] Allow tlp read its systemd unit
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6f8f2fbdaa248e9d8967456b79888b4484ca9ad7
+Conflict: NA
+
+A tlp script executes systemctl to get status of the tlp service unit.
+
+Resolves: rhbz#2013451
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/tlp.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/tlp.te b/policy/modules/contrib/tlp.te
+index b9491ee..e2de3b2 100644
+--- a/policy/modules/contrib/tlp.te
++++ b/policy/modules/contrib/tlp.te
+@@ -28,6 +28,8 @@ allow tlp_t self:udp_socket create_socket_perms;
+ allow tlp_t self:unix_dgram_socket create_socket_perms;
+ allow tlp_t self:netlink_generic_socket create_socket_perms;
+ 
++allow tlp_t tlp_unit_file_t:file read_file_perms;
++
+ manage_dirs_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
+ manage_files_pattern(tlp_t, tlp_var_run_t, tlp_var_run_t)
+ files_pid_filetrans(tlp_t, tlp_var_run_t, { dir file })
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-virt_domain-map-vhost-devices.patch b/backport-Allow-virt_domain-map-vhost-devices.patch
new file mode 100644
index 0000000..76a8c2f
--- /dev/null
+++ b/backport-Allow-virt_domain-map-vhost-devices.patch
@@ -0,0 +1,67 @@
+From 7a512a8dcaa5b522c6bf3f558fa251b6a77bccf0 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 7 Jan 2022 18:17:12 +0100
+Subject: [PATCH] Allow virt_domain map vhost devices
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/7a512a8dcaa5b522c6bf3f558fa251b6a77bccf0
+Conflict: NA
+
+The dev_map_vhost() interface was added.
+
+This commit addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(12/26/2021 22:21:14.465:1513) : proctitle=/usr/libexec/qemu-kvm -name guest=r9,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"raw","file":"/
+type=AVC msg=audit(12/26/2021 22:21:14.465:1513) : avc: denied { map } for pid=31328 comm=CPU 0/KVM path=/dev/vhost-vdpa-0 dev="devtmpfs" ino=876 scontext=system_u:system_r:svirt_t:s0:c135,c969 tcontext=system_u:object_r:vhost_device_t:s0 tclass=chr_file permissive=0
+type=SYSCALL msg=audit(12/26/2021 22:21:14.465:1513) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x1000 a2=PROT_WRITE a3=MAP_SHARED items=0 ppid=1 pid=31328 auid=unset uid=unknown(107) gid=unknown(107) euid=unknown(107) suid=unknown(107) fsuid=unknown(107) egid=unknown(107) sgid=unknown(107) fsgid=unknown(107) tty=(none) ses=unset comm=CPU 0/KVM exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c135,c969 key=(null)
+
+Resolves: rhbz#2035702
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/virt.te | 1 +
+ policy/modules/kernel/devices.if | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
+index b14222b..340056b 100644
+--- a/policy/modules/contrib/virt.te
++++ b/policy/modules/contrib/virt.te
+@@ -969,6 +969,7 @@ dev_rw_infiniband_dev(virt_domain)
+ dev_rw_dri(virt_domain)
+ dev_rw_tpm(virt_domain)
+ dev_rw_xserver_misc(virt_domain)
++dev_map_vhost(virt_domain)
+ 
+ domain_use_interactive_fds(virt_domain)
+ 
+diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
+index f7f8e98..51d9ab4 100644
+--- a/policy/modules/kernel/devices.if
++++ b/policy/modules/kernel/devices.if
+@@ -5964,6 +5964,24 @@ interface(`dev_rw_inherited_vhost',`
+ 
+ ########################################
+ ##
++## Allow map the vhost devices
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_map_vhost',`
++ gen_require(`
++ type device_t, vhost_device_t;
++ ')
++
++ allow $1 vhost_device_t:chr_file map;
++')
++
++########################################
++##
+ ## Read and write VMWare devices.
+ ##
+ ##
+-- 
+1.8.3.1
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fe56cfd..721ed1f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 35.5
-Release: 8
+Release: 9
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
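Review bot: The `gen_require` block of the new `dev_map_vhost` interface declares `type device_t, vhost_device_t;`, but the body only references `vhost_device_t` in `allow $1 vhost_device_t:chr_file map;`, so `device_t` is an unused requirement and should be trimmed to `type vhost_device_t;`. Unused requires are harmless to the compiled policy but make the interface's footprint look larger than it is and tend to be copied forward into the next interface. The summary line `## Allow map the vhost devices` would also read better as `## Allow mapping the vhost devices` to match the imperative phrasing of the neighbouring `## Read and write VMWare devices.` entry.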
@@ -90,6 +90,28 @@ Patch6022: backport-Allow-haproxy-get-attributes-of-filesystems-with-ext.patch
 Patch6023: backport-Allow-lldpd-connect-to-snmpd-with-a-unix-domain-stre.patch
 Patch6024: backport-Allow-admin-userdomains-use-socketpair.patch
 Patch6025: backport-Ensure-that-run-systemd-are-properly-labeled.patch
+Patch6026: backport-Allow-fcoemon-request-the-kernel-to-load-a-module.patch
+Patch6027: backport-Allow-virt_domain-map-vhost-devices.patch
+Patch6028: backport-Allow-smbcontrol-read-the-network-state-information.patch
+Patch6029: backport-Allow-sssd_kcm-read-and-write-z90crypt-device.patch
+Patch6030: backport-Allow-gssproxy-read-and-write-z90crypt-device.patch
+Patch6031: backport-Allow-gssproxy-read-write-and-map-ica-tmpfs-files.patch
+Patch6032: backport-Allow-gssproxy-access-to-various-system-files.patch
+Patch6033: backport-Allow-tlp-read-its-systemd-unit.patch
+Patch6034: backport-Allow-sshd-read-filesystem-sysctl-files.patch
+Patch6035: backport-Allow-sysadm_t-start-and-stop-transient-services.patch
+Patch6036: backport-Allow-administrative-users-the-bpf-capability.patch
+Patch6037: backport-Allow-kpropd-get-attributes-of-cgroup-filesystems.patch
+Patch6038: backport-Allow-systemd-logind-delete-session_dbusd-tmp-socket.patch
+Patch6039: backport-Allow-login_userdomain-create-session_dbusd-tmp-sock.patch
+Patch6040: backport-Allow-systemd-coredump-read-and-write-usermodehelper.patch
+Patch6041: backport-Allow-systemd-coredump-userns-capabilities-and-root-.patch
+Patch6042: backport-Allow-systemd-io-bridge-ioctl-rpm_script_t.patch
+Patch6043: backport-Allow-login_userdomain-watch-generic-directories-in-.patch
+Patch6044: backport-Allow-login_userdomain-watch-various-files-and-dirs.patch
+Patch6045: backport-Allow-login_userdomain-watch-localization-directorie.patch
+Patch6046: backport-Allow-login_userdomain-watch-accountsd-lib-directori.patch
+Patch6047: backport-Allow-login_userdomain-watch-systemd-logind-PID-dire.patch
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -760,6 +782,9 @@ exit 0
 %endif
 
 %changelog
+* Tue Sep 13 2022 lujie - 35.5-9
+- backport upstream patches
+
 * Fri Sep 2 2022 lujie - 35.5-8
 - backport upstream patches
-- 
Gitee
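Review bot: The new `%changelog` entry `- backport upstream patches` repeats the previous release's entry word for word and names none of the 22 patches or the rhbz ids they resolve, so `rpm -q --changelog` gives no way to tell 35.5-8 from 35.5-9; listing at least the Resolves ids, e.g. `- backport upstream patches (rhbz#2038157, rhbz#2036585, rhbz#2026974, ...)`, would make the release auditable. The Patch6026–Patch6047 declarations continue the existing numbering, but this diff does not show whether the spec applies patches with `%autosetup`/`%autopatch` or with explicit `%patchN` lines; in the latter case matching application lines are needed in `%prep`, which is outside the hunks shown here.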