diff --git a/backport-Add-the-map-permission-to-common_anon_inode_perm-per.patch b/backport-Add-the-map-permission-to-common_anon_inode_perm-per.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7d4cfba955190aa3c94e1c5069a4982241c33b63
--- /dev/null
+++ b/backport-Add-the-map-permission-to-common_anon_inode_perm-per.patch
@@ -0,0 +1,31 @@
+From 34264caf221fc43e17aefeeda0d1115eb89655e0 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 7 Feb 2022 18:27:52 +0100
+Subject: [PATCH] Add the map permission to common_anon_inode_perm permission
+ set
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/34264caf221fc43e17aefeeda0d1115eb89655e0
+Conflict: NA
+
+Resolves: rhbz#2025714
+Signed-off-by: lujie54
+---
+ policy/support/obj_perm_sets.spt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
+index 1a2108a..2b84320 100644
+--- a/policy/support/obj_perm_sets.spt
++++ b/policy/support/obj_perm_sets.spt
+@@ -280,7 +280,7 @@ define(`userfaultfd_anon_inode_perms',`
+ #
+ # Anonymous inode files (anon_inode)
+ #
+-define(`userfaultfd_anon_inode_perms',`{ create getattr ioctl read write }')
++define(`userfaultfd_anon_inode_perms',`{ create getattr ioctl map read write }')
+ 
+ ########################################
+ #
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-ModemManager-connect-to-the-unconfined-user-do.patch b/backport-Allow-ModemManager-connect-to-the-unconfined-user-do.patch
new file mode 100644
index 0000000000000000000000000000000000000000..20812d8191b2acfe1a34df5891213351d826a67f
--- /dev/null
+++ b/backport-Allow-ModemManager-connect-to-the-unconfined-user-do.patch
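Review bot: The Subject line of this patch file says the map permission is added to `common_anon_inode_perm`, but the hunk it carries edits `userfaultfd_anon_inode_perms`, so the description does not match the change; the subject should name the set actually modified, e.g. `Subject: [PATCH] Add the map permission to userfaultfd_anon_inode_perms permission set` (presumably a leftover from an earlier revision). The `Reference:` trailer points at `gitbub.com` instead of `github.com`, which breaks provenance tracing for the backport; the same typo is in every patch file added by this commit (ModemManager, NetworkManager, alsa, alsactl, vipw, init tmp pipes, stratisd, iptables and all login_userdomain patches), so fix it in all of them at once. Because a permission-set macro change applies to every rule that expands it, a sentence in the description saying which domains gain `map` would help later audits.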
@@ -0,0 +1,32 @@
+From 51422c4a4277924046514a18b67a38b896d698f0 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 28 Jan 2022 17:40:25 +0100
+Subject: [PATCH] Allow ModemManager connect to the unconfined user domain
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/51422c4a4277924046514a18b67a38b896d698f0
+Conflict: NA
+
+The modemmanager_t domain was allowed to connect to unconfined_t
+over a unix domain stream socket.
+
+Resolves: rhbz#1961571
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/modemmanager.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/modemmanager.te b/policy/modules/contrib/modemmanager.te
+index 857ed6b..9a132b2 100644
+--- a/policy/modules/contrib/modemmanager.te
++++ b/policy/modules/contrib/modemmanager.te
+@@ -82,3 +82,7 @@ optional_policy(`
+ udev_read_db(modemmanager_t)
+ udev_manage_pid_files(modemmanager_t)
+ ')
++
++optional_policy(`
++ unconfined_stream_connect(modemmanager_t)
++')
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-NetworkManager-talk-with-unconfined-user-over-.patch b/backport-Allow-NetworkManager-talk-with-unconfined-user-over-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4820413c55a6578b75ae73d3201790efd087ae9d
--- /dev/null
+++ b/backport-Allow-NetworkManager-talk-with-unconfined-user-over-.patch
@@ -0,0 +1,51 @@
+From f0cb46186be7437cd78c96271938b3902cec10b7 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 26 Jan 2022 10:54:36 +0100
+Subject: [PATCH] Allow NetworkManager talk with unconfined user over unix
+ domain dgram socket
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/f0cb46186be7437cd78c96271938b3902cec10b7
+Conflict: NA
+
+This permission is required for wpa_cli be able to communicate with the
+wpa_supplicant service in CLI. The wpa control interface socket file is
+open in /run/wpa_supplicant, the client socket in /tmp.
+
+This issue possibly started to appear after unconfined_t was removed from the
+unpriv_user_domain attribute with the 4b4eec49a55 ("Removed adding to
+attribute unpriv_userdomain from userdom_unpriv_type template") commit.
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(01/24/2022 02:56:04.040:501) : proctitle=/usr/sbin/wpa_supplicant -g /run/wpa_supplicant/global -c /etc/wpa_supplicant/wpa_supplicant.conf -u -s
+type=PATH msg=audit(01/24/2022 02:56:04.040:501) : item=0 name=/tmp/wpa_ctrl_26793-1 inode=730142 dev=fd:01 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(01/24/2022 02:56:04.040:501) : cwd=/
+type=SOCKADDR msg=audit(01/24/2022 02:56:04.040:501) : saddr={ saddr_fam=local path=/tmp/wpa_ctrl_26793-1 }
+type=SYSCALL msg=audit(01/24/2022 02:56:04.040:501) : arch=x86_64 syscall=sendto success=yes exit=5 a0=0x5 a1=0x5556370a4860 a2=0x5 a3=0x0 items=1 ppid=1 pid=26219 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant subj=system_u:system_r:NetworkManager_t:s0 key=(null)
+type=AVC msg=audit(01/24/2022 02:56:04.040:501) : avc: denied { sendto } for pid=26219 comm=wpa_supplicant path=/tmp/wpa_ctrl_26793-1 
scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
+
+Resolves: rhbz#2044048
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/networkmanager.te | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
+index 8230910..1a53f51 100644
+--- a/policy/modules/contrib/networkmanager.te
++++ b/policy/modules/contrib/networkmanager.te
+@@ -498,6 +498,11 @@ optional_policy(`
+ openvswitch_stream_connect(NetworkManager_t)
+ ')
+ 
++optional_policy(`
++ unconfined_dgram_send(NetworkManager_t)
++')
++
++
+ tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_manage_ecryptfs_files(NetworkManager_t)
+ ')
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-alsa-bind-mixer-controls-to-led-triggers.patch b/backport-Allow-alsa-bind-mixer-controls-to-led-triggers.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1897d47d6b11ffa36f0bd0488fe3c86ca726efe9
--- /dev/null
+++ b/backport-Allow-alsa-bind-mixer-controls-to-led-triggers.patch
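Review bot: The added optional_policy block in networkmanager.te is followed by two consecutive added blank lines before the tunable_policy block for use_ecryptfs_home_dirs, where the surrounding file separates blocks with a single blank line; drop one of the two `++` blank lines. The AVC quoted in the description was recorded with `permissive=1` and shows `success=yes`, so it documents what would have been denied rather than an observed failure; it is worth confirming in enforcing mode that `unconfined_dgram_send(NetworkManager_t)` alone resolves the wpa_cli case before the backport ships. The enclosing optional_policy block whose context is shown starts outside the hunk.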
@@ -0,0 +1,44 @@
+From 435388f6b50495a6615b811b129ca6d3020f7355 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 10 Feb 2022 11:38:56 +0100
+Subject: [PATCH] Allow alsa bind mixer controls to led triggers
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/435388f6b50495a6615b811b129ca6d3020f7355
+Conflict: NA
+
+Since v5.13, the kernel has support to bind certain alsa mixer controls
+to LED triggers from userspace to control the mute-LEDS found on some
+devices (typically embedded inside the keyboard's mute keys).
+
+To allow that, alsa needs to be able to execute "modprobe snd_ctl_led"
+and write to /sys/class/sound/ctl-led/speaker/ and .../mic.
+
+Resolves: rhbz#1958210
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/alsa.te | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
+index aee9fe8..3f1a7b0 100644
+--- a/policy/modules/contrib/alsa.te
++++ b/policy/modules/contrib/alsa.te
+@@ -82,12 +82,14 @@ corecmd_exec_bin(alsa_t)
+ 
+ dev_getattr_fs(alsa_t)
+ dev_read_sound(alsa_t)
+-dev_read_sysfs(alsa_t)
++dev_rw_sysfs(alsa_t)
+ dev_read_urand(alsa_t)
+ dev_write_sound(alsa_t)
+ 
+ files_search_var_lib(alsa_t)
+ 
++modutils_domtrans_kmod(alsa_t)
++
+ term_dontaudit_use_console(alsa_t)
+ term_dontaudit_use_generic_ptys(alsa_t)
+ term_dontaudit_use_all_ptys(alsa_t)
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-alsactl-set-group-Process-ID-of-a-process.patch b/backport-Allow-alsactl-set-group-Process-ID-of-a-process.patch
new file mode 100644
index 0000000000000000000000000000000000000000..76144764a9342c3147a70ba8d785de4ced55d0d3
--- /dev/null
+++ b/backport-Allow-alsactl-set-group-Process-ID-of-a-process.patch
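Review bot: `dev_rw_sysfs(alsa_t)` replaces `dev_read_sysfs(alsa_t)` and, as far as the hunk shows, grants alsa_t write access to sysfs as a whole, while the description only needs writes under /sys/class/sound/ctl-led/; if this tree has a narrower interface or a dedicated type for that subtree, prefer it, and otherwise say in the description why the broad grant is accepted. `modutils_domtrans_kmod(alsa_t)` additionally lets the daemon transition into the kernel-module loader domain, which is a larger trust expansion than "bind mixer controls to led triggers" suggests and deserves a sentence of its own in the description so later audits can see it was deliberate. Both rules are read-only widenings of an existing domain, so no interface declaration changes are needed here.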
@@ -0,0 +1,33 @@
+From d5b75d954771da98c36fb7af90e24a14fb01c184 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 31 Jan 2022 12:47:23 +0100
+Subject: [PATCH] Allow alsactl set group Process ID of a process
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d5b75d954771da98c36fb7af90e24a14fb01c184
+Conflict: NA
+
+Addresses the following AVC denial:
+type=AVC msg=audit(1624169904.74:1152): avc: denied { setpgid } for pid=115535 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=0
+
+Resolves: rhbz#1974051
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/alsa.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
+index 97f3815..aee9fe8 100644
+--- a/policy/modules/contrib/alsa.te
++++ b/policy/modules/contrib/alsa.te
+@@ -43,7 +43,7 @@ systemd_unit_file(alsa_unit_file_t)
+ 
+ allow alsa_t self:capability { dac_read_search setgid setuid ipc_owner sys_nice };
+ dontaudit alsa_t self:capability { sys_tty_config sys_admin };
+-allow alsa_t self:process { getsched setsched signal_perms };
++allow alsa_t self:process { getsched setpgid setsched signal_perms };
+ allow alsa_t self:sem create_sem_perms;
+ allow alsa_t self:shm create_shm_perms;
+ allow alsa_t self:unix_stream_socket { accept listen };
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-confined-sysadmin-to-use-tool-vipw.patch b/backport-Allow-confined-sysadmin-to-use-tool-vipw.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d24e1ccae0d1afc396bbae575f0b817e1a0e1dba
--- /dev/null
+++ b/backport-Allow-confined-sysadmin-to-use-tool-vipw.patch
@@ -0,0 +1,46 @@
+From 9eec9eea6b6b74d8835928c32467f6edd749ff0e Mon Sep 17 00:00:00 2001
+From: Patrik Koncity
+Date: Fri, 4 Feb 2022 12:04:16 +0100
+Subject: [PATCH] Allow confined sysadmin to use tool vipw
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9eec9eea6b6b74d8835928c32467f6edd749ff0e
+Conflict: NA
+
+Allow confined sysadmin to use vipw and vigr, which edits passwd,
+shadow, group, gshadow.. Dontaudit manage files and dir labeled
+with admin_home_t. Also vipw need to use sss_cache tool.
+Allow domain transition from sysadm_passwd_t to sssd_exec_t.
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2049018
+Signed-off-by: lujie54
+---
+ policy/modules/admin/usermanage.te | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index a67fcc4..8fdbfbc 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -501,6 +501,8 @@ init_dontaudit_rw_utmp(sysadm_passwd_t)
+ logging_send_syslog_msg(sysadm_passwd_t)
+ 
+ userdom_use_unpriv_users_fds(sysadm_passwd_t)
++userdom_dontaudit_manage_admin_dir(sysadm_passwd_t)
++userdom_dontaudit_manage_admin_files(sysadm_passwd_t)
+ # user generally runs this from their home directory, so do not audit a search
+ # on user home dir
+ userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
+@@ -509,6 +511,10 @@ optional_policy(`
+ nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
+ ')
+ 
++optional_policy(`
++ sssd_domtrans(sysadm_passwd_t)
++')
++
+ ########################################
+ #
+ # Useradd local policy
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-init-delete-generic-tmp-named-pipes.patch b/backport-Allow-init-delete-generic-tmp-named-pipes.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e0a6919ea037dc17800a3c8208c55237a6203d94
--- /dev/null
+++ b/backport-Allow-init-delete-generic-tmp-named-pipes.patch
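Review bot: This patch records its tracker as `Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2049018` while the other backports in this commit use the short trailer form; for consistency write `Resolves: rhbz#2049018`. The description also has a stray double period in `gshadow..`, and `vipw need` should read `vipw needs`. The two `userdom_dontaudit_manage_admin_*` rules silence denials rather than grant access, which is the right choice for an editor probing the admin home directory, but it does mean those events will be absent from the audit log if vipw misbehaves later, so a short note on why the dontaudit is preferred over an allow would help the next reader.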
@@ -0,0 +1,64 @@
+From da5328319db49846fb698d262c13f06230091bfb Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 28 Jan 2022 19:01:45 +0100
+Subject: [PATCH] Allow init delete generic tmp named pipes
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/da5328319db49846fb698d262c13f06230091bfb
+Conflict: NA
+
+The files_delete_tmp_pipes() interface was added.
+
+Addresses the following AVC denial:
+type=AVC msg=audit(1628676879.222:1003): avc: denied { unlink } for pid=1 comm="systemd" name="controller_log_37116" dev="tmpfs" ino=1235 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file permissive=0
+
+Resolves: rhbz#1992562
+Signed-off-by: lujie54
+---
+ policy/modules/kernel/files.if | 18 ++++++++++++++++++
+ policy/modules/system/init.te | 1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index bca6f15..53e463c 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -6153,6 +6153,24 @@ interface(`files_delete_tmp_sockets',`
+ 
+ ########################################
+ ## 
++## Delete generic tmp named pipes
++## 
++## 
++## 
++## Domain allowed access.
++## 
++## 
++# 
++interface(`files_delete_tmp_pipes',`
++ gen_require(`
++ type tmp_t;
++ ')
++ 
++ delete_fifo_files_pattern($1, tmp_t, tmp_t)
++')
++
++########################################
++## 
+ ## Remove entries from the tmp directory.
+ ## 
+ ## 
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index a81f5da..09a6925 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -648,6 +648,7 @@ files_read_kernel_modules(init_t)
+ files_map_kernel_modules(init_t)
+ files_dontaudit_mounton_isid(init_t)
+ files_delete_tmp_files(init_t)
++files_delete_tmp_pipes(init_t)
+ files_delete_tmp_sockets(init_t)
+ fs_getattr_all_fs(init_t)
+ fs_manage_cgroup_dirs(init_t)
+-- 
+1.8.3.1
+
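Review bot: The documentation block for the new `files_delete_tmp_pipes` interface in files.if appears here as bare `## ` lines with nothing around `Delete generic tmp named pipes` and `Domain allowed access.`; the interface doc generator expects summary and param markup on those lines, so if the patch file on disk really lacks it (rather than this being an artifact of how the page was rendered) the interface will be undocumented and the doc build may complain. The same check applies to the `stratisd_data_read_lnk_files` block in the stratisd patch and the `files_watch_system_conf_dirs` block in the system-configuration patch further down. The `init.te` hunk itself is a single-line addition placed in alphabetical order between the existing `files_delete_tmp_files` and `files_delete_tmp_sockets` calls, which is consistent with the file.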
diff --git a/backport-Allow-init-read-stratis-data-symlinks.patch b/backport-Allow-init-read-stratis-data-symlinks.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bae0bdaa23e2b007a34e3e2c953454daaae97bbf
--- /dev/null
+++ b/backport-Allow-init-read-stratis-data-symlinks.patch
@@ -0,0 +1,63 @@
+From a27476b303259a43324be8533ddba68e7a6dd37e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 2 Feb 2022 16:21:01 +0100
+Subject: [PATCH] Allow init read stratis data symlinks
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/a27476b303259a43324be8533ddba68e7a6dd37e
+Conflict: NA
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(02/02/22 09:39:31.790:2813) : avc: denied { read } for pid=1 comm=systemd name=fs1 dev="devtmpfs" ino=363096 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=lnk_file permissive=1
+
+Resolves: rhbz#2048514
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/stratisd.if | 18 ++++++++++++++++++
+ policy/modules/system/init.te | 4 ++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/policy/modules/contrib/stratisd.if b/policy/modules/contrib/stratisd.if
+index de2427e..32e7e66 100644
+--- a/policy/modules/contrib/stratisd.if
++++ b/policy/modules/contrib/stratisd.if
+@@ -115,3 +115,21 @@ interface(`stratisd_admin',`
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+ ')
++
++########################################
++## 
++## Read stratisd data symlinks
++## 
++## 
++## 
++## Domain allowed access.
++## 
++## 
++# 
++interface(`stratisd_data_read_lnk_files',`
++ gen_require(`
++ type stratisd_data_t;
++ ')
++
++ allow $1 stratisd_data_t:lnk_file read_lnk_file_perms;
++')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 09a6925..033f189 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -839,6 +839,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ stratisd_data_read_lnk_files(init_t)
++')
++
++optional_policy(`
+ systemd_filetrans_named_content(init_t)
+ systemd_write_inhibit_pipes(init_t)
+ ')
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-iptables-list-cgroup-directories.patch b/backport-Allow-iptables-list-cgroup-directories.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f057eb40d60d5c82bdeb80a3cbdaa6a2cfb05177
--- /dev/null
+++ b/backport-Allow-iptables-list-cgroup-directories.patch
@@ -0,0 +1,33 @@
+From 72f789dd7c218919a18dd7130d37e92e7a92b994 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 16 Feb 2022 17:40:40 +0100
+Subject: [PATCH] Allow iptables list cgroup directories
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/72f789dd7c218919a18dd7130d37e92e7a92b994
+Conflict: NA
+
+Addresses the following AVC denial:
+[ 1591.423033] audit: type=1400 audit(1632734301.322:867): avc: denied { ioctl } for pid=11021 comm="iptables" path="/sys/fs/cgroup" dev="tmpfs" ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=0
+
+Resolves: rhbz#2008097
+Signed-off-by: lujie54
+---
+ policy/modules/system/iptables.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
+index 495ee29..3374bff 100644
+--- a/policy/modules/system/iptables.te
++++ b/policy/modules/system/iptables.te
+@@ -51,6 +51,8 @@ files_manage_system_conf_files(iptables_t)
+ files_etc_filetrans_system_conf(iptables_t)
+ files_etc_filetrans(iptables_t, system_conf_t, dir)
+ 
++fs_list_cgroup_dirs(iptables_t)
++
+ manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
+ files_pid_filetrans(iptables_t, iptables_var_run_t, file)
+ 
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-login_userdomain-map-var-lib-directories.patch b/backport-Allow-login_userdomain-map-var-lib-directories.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d983844cc24b5331cd5c0a87cfbdd06fa80324ab
--- /dev/null
+++ b/backport-Allow-login_userdomain-map-var-lib-directories.patch
@@ -0,0 +1,34 @@
+From 2a15cfd1d0705acd84d18f3cdc669cc24ed7492f Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 9 Feb 2022 21:59:23 +0100
+Subject: [PATCH] Allow login_userdomain map /var/lib/directories
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/2a15cfd1d0705acd84d18f3cdc669cc24ed7492f
+Conflict: NA
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(02/09/22 21:26:39.579:1065) : proctitle=/usr/bin/gnome-software --gapplication-service
+type=MMAP msg=audit(02/09/22 21:26:39.579:1065) : fd=57 flags=MAP_PRIVATE
+type=SYSCALL msg=audit(02/09/22 21:26:39.579:1065) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x16630 a2=PROT_READ a3=MAP_PRIVATE items=0 ppid=1560 pid=2148 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=pool-org.gnome. exe=/usr/bin/gnome-software subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(02/09/22 21:26:39.579:1065) : avc: denied { map } for pid=2148 comm=pool-org.gnome. path=/var/lib/flatpak/repo/objects/2f/e0503898de4e28a3382ba6d7ecdc0376cabaea9e838991464eb821c46b7ff3.dirtree dev="vda2" ino=387029 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
+
+Signed-off-by: lujie54
+---
+ policy/modules/system/userdomain.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 32d69b4..69b460f 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -386,6 +386,7 @@ tunable_policy(`deny_bluetooth',`',`
+ 
+ dev_watch_generic_dirs(login_userdomain)
+ 
++files_map_var_lib_files(login_userdomain)
+ files_watch_etc_dirs(login_userdomain)
+ files_watch_etc_files(login_userdomain)
+ files_watch_system_conf_dirs(login_userdomain)
+-- 
+1.8.3.1
+
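Review bot: `files_map_var_lib_files(login_userdomain)` grants `map` on every file labeled `var_lib_t` to all login user domains, while the denial that motivates it is a single flatpak repository object under /var/lib/flatpak/; if this tree has a flatpak-specific type or interface the narrower grant would be preferable, and if not the description should state that the generic grant is intended so the widening is visible to later audits. The subject line `Allow login_userdomain map /var/lib/directories` also reads as a path; `Allow login_userdomain map /var/lib files` matches what the rule does. This patch, like the other login_userdomain patches in this commit, carries no `Resolves:` trailer, so the tracker link is missing for the backport record.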
diff --git a/backport-Allow-login_userdomain-read-systemd-runtime-files.patch b/backport-Allow-login_userdomain-read-systemd-runtime-files.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ed00b83f8db1904186fc228069e82628e8cba4e1
--- /dev/null
+++ b/backport-Allow-login_userdomain-read-systemd-runtime-files.patch
@@ -0,0 +1,35 @@
+From 63ada8c2bf2277a228524228f5ffcac8e0aed86a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 9 Feb 2022 21:30:24 +0100
+Subject: [PATCH] Allow login_userdomain read systemd runtime files
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/63ada8c2bf2277a228524228f5ffcac8e0aed86a
+Conflict: NA
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(02/09/22 21:25:30.080:274) : proctitle=/usr/lib/systemd/systemd --user
+type=PATH msg=audit(02/09/22 21:25:30.080:274) : item=0 name=/run/systemd/user/session.slice.d/99-uresourced.conf inode=1336 dev=00:1a mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(02/09/22 21:25:30.080:274) : cwd=/
+type=SYSCALL msg=audit(02/09/22 21:25:30.080:274) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55d1df498fa0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1465 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(02/09/22 21:25:30.080:274) : avc: denied { read } for pid=1465 comm=systemd name=99-uresourced.conf dev="tmpfs" ino=1336 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_var_run_t:s0 tclass=file permissive=0
+
+Signed-off-by: lujie54
+---
+ policy/modules/system/userdomain.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index bcb3043..f1f68f7 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -406,6 +406,7 @@ mount_watch_reads_pid_files(login_userdomain)
+ 
+ optional_policy(`
+ init_mmap_read_var_lib_files(login_userdomain)
++ init_read_pid_files(login_userdomain)
+ 
')
+ 
+ optional_policy(`
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-login_userdomain-watch-library-and-fonts-dirs.patch b/backport-Allow-login_userdomain-watch-library-and-fonts-dirs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0690ab3ff6d286f5642cb685ae5ea53fc1a5234c
--- /dev/null
+++ b/backport-Allow-login_userdomain-watch-library-and-fonts-dirs.patch
@@ -0,0 +1,37 @@
+From 6d6afe09b0fd44f074e545d9642b0cc66264486e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 9 Feb 2022 21:54:36 +0100
+Subject: [PATCH] Allow login_userdomain watch library and fonts dirs
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6d6afe09b0fd44f074e545d9642b0cc66264486e
+Conflict: NA
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(02/09/22 21:48:51.576:15952) : proctitle=/usr/bin/gnome-software --gapplication-service
+type=PATH msg=audit(02/09/22 21:48:51.576:15952) : item=0 name=/usr/lib64/gnome-software/plugins-16 inode=31777 dev=00:20 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(02/09/22 21:48:51.576:15952) : cwd=/home/staff
+type=SYSCALL msg=audit(02/09/22 21:48:51.576:15952) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x560c414dd770 a2=0x1002fce a3=0x7ffd82509080 items=1 ppid=1560 pid=2148 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=gmain exe=/usr/bin/gnome-software subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(02/09/22 21:48:51.576:15952) : avc: denied { watch } for pid=2148 comm=gmain path=/usr/lib64/gnome-software/plugins-16 dev="vda2" ino=31777 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
+
+Signed-off-by: lujie54
+---
+ policy/modules/system/userdomain.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index a833ada..32d69b4 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -398,6 +398,9 @@ files_watch_generic_tmp_dirs(login_userdomain)
+ fs_create_cgroup_files(login_userdomain)
+ 
fs_watch_cgroup_files(login_userdomain)
+ 
++libs_watch_lib_dirs(login_userdomain)
++
++miscfiles_watch_fonts_dirs(login_userdomain)
+ miscfiles_watch_localization_dirs(login_userdomain)
+ miscfiles_watch_localization_symlinks(login_userdomain)
+ 
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-login_userdomain-watch-system-configuration-di.patch b/backport-Allow-login_userdomain-watch-system-configuration-di.patch
new file mode 100644
index 0000000000000000000000000000000000000000..09c7a3c1fce15a774ef41f01484bbf515266a245
--- /dev/null
+++ b/backport-Allow-login_userdomain-watch-system-configuration-di.patch
@@ -0,0 +1,69 @@
+From bf059ebda558a7735cfdcfb874ecc8bfc2622cb1 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 9 Feb 2022 21:52:01 +0100
+Subject: [PATCH] Allow login_userdomain watch system configuration dirs
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/bf059ebda558a7735cfdcfb874ecc8bfc2622cb1
+Conflict: NA
+
+The files_watch_system_conf_dirs() interface was added.
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(02/09/22 21:28:19.577:2173) : proctitle=/usr/bin/gnome-software --gapplication-service
+type=PATH msg=audit(02/09/22 21:28:19.577:2173) : item=0 name=/etc/yum.repos.d inode=432 dev=00:20 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:system_conf_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(02/09/22 21:28:19.577:2173) : cwd=/home/staff
+type=SYSCALL msg=audit(02/09/22 21:28:19.577:2173) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x560c414ea860 a2=0x1002fce a3=0x7ffd82509080 items=1 ppid=1560 pid=2148 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=5 comm=gmain exe=/usr/bin/gnome-software subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(02/09/22 21:28:19.577:2173) : avc: denied { watch } for pid=2148 comm=gmain path=/etc/yum.repos.d dev="vda2" ino=432 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_conf_t:s0 tclass=dir permissive=0
+
+Signed-off-by: lujie54
+---
+ policy/modules/kernel/files.if | 19 +++++++++++++++++++
+ policy/modules/system/userdomain.te | 1 +
+ 2 files changed, 20 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 53e463c..b375a7e 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -5720,6 +5720,25 @@ interface(`files_read_system_conf_files',`
+ 
read_lnk_files_pattern($1, etc_t, system_conf_t)
+ ')
+ 
++#######################################
++## 
++## Watch manageable system configuration dirs in /etc
++## 
++## 
++## 
++## Domain allowed access.
++## 
++## 
++# 
++interface(`files_watch_system_conf_dirs',`
++ gen_require(`
++ type etc_t, system_conf_t;
++ ')
++ 
++ files_search_etc($1)
++ watch_dirs_pattern($1, system_conf_t, system_conf_t)
++')
++
+ ######################################
+ ## 
+ ## Manage manageable system configuration files in /etc.
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index f1f68f7..a833ada 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -388,6 +388,7 @@ dev_watch_generic_dirs(login_userdomain)
+ 
+ files_watch_etc_dirs(login_userdomain)
+ files_watch_etc_files(login_userdomain)
++files_watch_system_conf_dirs(login_userdomain)
+ files_watch_usr_dirs(login_userdomain)
+ files_watch_usr_files(login_userdomain)
+ files_watch_var_lib_dirs(login_userdomain)
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-login_userdomain-watch-systemd-machined-PID-di.patch b/backport-Allow-login_userdomain-watch-systemd-machined-PID-di.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f9d7442cb9c4fc23cf9c1ca8b38715699a054263
--- /dev/null
+++ b/backport-Allow-login_userdomain-watch-systemd-machined-PID-di.patch
@@ -0,0 +1,35 @@
+From b909895c58d7709343e59e24f115d5ede1f46944 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 14 Jan 2022 17:16:43 +0100
+Subject: [PATCH] Allow login_userdomain watch systemd-machined PID directories
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/b909895c58d7709343e59e24f115d5ede1f46944
+Conflict: NA
+
+Addresses the following AVC denial:
+-
+type=PROCTITLE msg=audit(3.1.2022 08:48:02.005:393) : proctitle=/usr/bin/wireplumber
+type=PATH msg=audit(3.1.2022 08:48:02.005:393) : item=0 name=/run/systemd/machines/ inode=75 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_machined_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(3.1.2022 08:48:02.005:393) : arch=x86_64 syscall=inotify_add_watch success=yes exit=4 a0=0x11 a1=0x7f214c69d052 a2=0x280 a3=0x0 items=1 ppid=1775 pid=2305 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=wireplumber exe=/usr/bin/wireplumber subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(3.1.2022 08:48:02.005:393) : avc: denied { watch } for pid=2305 comm=wireplumber path=/run/systemd/machines dev="tmpfs" ino=75 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_machined_var_run_t:s0 tclass=dir permissive=1
+
+Signed-off-by: lujie54
+---
+ policy/modules/system/userdomain.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 5643687..573ad14 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -434,6 +434,7 @@ optional_policy(`
+ optional_policy(`
+ systemd_login_watch_pid_dirs(login_userdomain)
+ systemd_login_watch_session_dirs(login_userdomain)
++ systemd_machined_watch_pid_dirs(login_userdomain)
+ ')
+ 
+ 
############################################################
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-login_userdomain-write-to-session_dbusd-tmp-so.patch b/backport-Allow-login_userdomain-write-to-session_dbusd-tmp-so.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cece1c96febeb5674f58b1d15928566d08f321b4
--- /dev/null
+++ b/backport-Allow-login_userdomain-write-to-session_dbusd-tmp-so.patch
@@ -0,0 +1,37 @@ +From d0f957291c4282f74b675e476ccd64d074178e7b Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 18 Jan 2022 08:54:45 +0100 +Subject: [PATCH] Allow login_userdomain write to session_dbusd tmp socket + files + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d0f957291c4282f74b675e476ccd64d074178e7b +Conflict: NA + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(01/17/2022 18:06:43.240:4086) : proctitle=/usr/lib/systemd/systemd --user +type=PATH msg=audit(01/17/2022 18:06:43.240:4086) : item=0 name=/proc/self/fd/27 inode=15 dev=00:34 mode=socket,666 ouid=user31979 ogid=user31979 rdev=00:00 obj=staff_u:object_r:session_dbusd_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=CWD msg=audit(01/17/2022 18:06:43.240:4086) : cwd=/ +type=SYSCALL msg=audit(01/17/2022 18:06:43.240:4086) : arch=x86_64 syscall=utimensat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ffd627865d0 a2=0x0 a3=0x0 items=1 ppid=1 pid=97102 auid=user31979 uid=user31979 gid=user31979 euid=user31979 suid=user31979 fsuid=user31979 egid=user31979 sgid=user31979 fsgid=user31979 tty=(none) ses=19 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(01/17/2022 18:06:43.240:4086) : avc: denied { write } for pid=97102 comm=systemd name=bus dev="tmpfs" ino=15 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0 + +Signed-off-by: lujie54 +--- + policy/modules/system/userdomain.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index 573ad14..33557e4 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -414,6 +414,7 @@ optional_policy(` + + optional_policy(` + dbus_create_session_tmp_sock_files(login_userdomain) ++ 
dbus_write_session_tmp_sock_files(login_userdomain) + ') + + optional_policy(` +-- +1.8.3.1 + diff --git a/backport-Allow-sanlock-get-attributes-of-filesystems-with-ext.patch b/backport-Allow-sanlock-get-attributes-of-filesystems-with-ext.patch new file mode 100644 index 0000000000000000000000000000000000000000..bef1ace96711aa20024dd5b7b9dc1578b1d22102 --- /dev/null +++ b/backport-Allow-sanlock-get-attributes-of-filesystems-with-ext.patch 
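Review bot: `dbus_write_session_tmp_sock_files(login_userdomain)` in the userdomain.te hunk relies on an interface that, within this series, is only introduced by the rewrite of backport-Allow-systemd-logind-delete-session_dbusd-tmp-socket.patch in this same commit; the same applies to `dbus_write_session_tmp_sock_files(thumb_t)` in the tumblerd patch (Patch6050). Neither description records that ordering dependency, and the referenced upstream commit d0f957291c4282f74b675e476ccd64d074178e7b will not explain where the interface came from on this branch. I would add a line such as `Depends on the dbus_write_session_tmp_sock_files() interface carried in backport-Allow-systemd-logind-delete-session_dbusd-tmp-socket.patch.` to both descriptions, or backport the upstream commit that introduced the interface as a patch of its own so the Patch list order is self-explaining.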
@@ -0,0 +1,35 @@ +From 5269978ad17fff8988f94a2327fa750e5d70c14d Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 2 Feb 2022 11:29:39 +0100 +Subject: [PATCH] Allow sanlock get attributes of filesystems with extended + attributes + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/5269978ad17fff8988f94a2327fa750e5d70c14d +Conflict: NA + +Addresses the following AVC denial: +type=PROCTITLE msg=audit(01/28/2022 09:41:01.094:1832) : proctitle=/usr/sbin/sanlock daemon +type=AVC msg=audit(01/28/2022 09:41:01.094:1832) : avc: denied { getattr } for pid=37165 comm=sanlock name=/ dev="dm-3" ino=128 scontext=system_u:system_r:sanlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0 +type=SYSCALL msg=audit(01/28/2022 09:41:01.094:1832) : arch=x86_64 syscall=statfs success=no exit=EACCES(Permission denied) a0=0x7fdade30b49d a1=0x7ffeeeb41a70 a2=0x49 a3=0x1000 items=0 ppid=1 pid=37165 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sanlock exe=/usr/sbin/sanlock subj=system_u:system_r:sanlock_t:s0-s0:c0.c1023 key=(null) + +Resolves: rhbz#2047811 +Signed-off-by: lujie54 +--- + policy/modules/contrib/sanlock.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/sanlock.te b/policy/modules/contrib/sanlock.te +index 04bd655..914062b 100644 +--- a/policy/modules/contrib/sanlock.te ++++ b/policy/modules/contrib/sanlock.te +@@ -96,6 +96,7 @@ domain_use_interactive_fds(sanlock_t) + files_read_mnt_symlinks(sanlock_t) + + fs_getattr_cgroup(sanlock_t) ++fs_getattr_xattr_fs(sanlock_t) + fs_rw_cephfs_files(sanlock_t) + + storage_raw_rw_fixed_disk(sanlock_t) +-- +1.8.3.1 + diff --git a/backport-Allow-sysadm_passwd_t-to-relabel-passwd-and-group-fi.patch b/backport-Allow-sysadm_passwd_t-to-relabel-passwd-and-group-fi.patch new file mode 100644 index 0000000000000000000000000000000000000000..77e249547110cdc59d1fd941eec2cc52da22d57f 
--- /dev/null +++ b/backport-Allow-sysadm_passwd_t-to-relabel-passwd-and-group-fi.patch 
@@ -0,0 +1,77 @@ +From 369f900039cff9443e86fdf7254ba8b11dc6adb5 Mon Sep 17 00:00:00 2001 +From: Patrik Koncity +Date: Thu, 10 Feb 2022 11:46:13 +0100 +Subject: [PATCH] Allow sysadm_passwd_t to relabel passwd and group files + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/369f900039cff9443e86fdf7254ba8b11dc6adb5 +Conflict: NA + +Vigr mechanism of editing group and passwd +files work on principle of recreating the current +file with new changes. Due to this mechanism is +need to again relabel file with selinux label. +Creating interface allowing relabel to the passwd_file_t +type. Allow relabeling for sysadm_passwd_t domain. +Allow dac_override permission for sysadm_passwd_t type. + +Signed-off-by: lujie54 +--- + policy/modules/admin/usermanage.te | 3 ++- + policy/modules/system/authlogin.if | 20 ++++++++++++++++++++ + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te +index 8fdbfbc..155fb68 100644 +--- a/policy/modules/admin/usermanage.te ++++ b/policy/modules/admin/usermanage.te +@@ -433,7 +433,7 @@ optional_policy(` + # Password admin local policy + # + +-allow sysadm_passwd_t self:capability { chown dac_read_search fsetid setuid setgid sys_resource }; ++allow sysadm_passwd_t self:capability { chown dac_override dac_read_search fsetid setuid setgid sys_resource }; + allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow sysadm_passwd_t self:process { setrlimit setfscreate }; + allow sysadm_passwd_t self:fd use; +@@ -478,6 +478,7 @@ term_getattr_all_ptys(sysadm_passwd_t) + auth_manage_passwd(sysadm_passwd_t) + auth_manage_shadow(sysadm_passwd_t) + auth_relabel_shadow(sysadm_passwd_t) ++auth_relabelto_passwd_files(sysadm_passwd_t) + auth_etc_filetrans_shadow(sysadm_passwd_t) + auth_use_nsswitch(sysadm_passwd_t) + +diff --git a/policy/modules/system/authlogin.if 
b/policy/modules/system/authlogin.if +index ad55205..b5b3702 100644 +--- a/policy/modules/system/authlogin.if ++++ b/policy/modules/system/authlogin.if +@@ -851,6 +851,26 @@ interface(`auth_relabel_shadow',` + + ####################################### + ## ++## Relabel to the ++## password file type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_relabelto_passwd_files',` ++ gen_require(` ++ type passwd_file_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 passwd_file_t:file relabelto; ++') ++ ++####################################### ++## + ## Append to the login failure log. + ## + ## +-- +1.8.3.1 + diff --git a/backport-Allow-systemd-logind-delete-session_dbusd-tmp-socket.patch b/backport-Allow-systemd-logind-delete-session_dbusd-tmp-socket.patch index 39936fe867b2941604f564d2dbcd5378b9d1a8a1..09546b0d5d4a362898fc42373f23396d92f05cea 100644 --- a/backport-Allow-systemd-logind-delete-session_dbusd-tmp-socket.patch +++ b/backport-Allow-systemd-logind-delete-session_dbusd-tmp-socket.patch 
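Review bot: The `dac_override` capability added to the `sysadm_passwd_t` self:capability rule in the usermanage.te hunk is the broadest grant in this backport, yet the description only states that it is allowed, with no denial or file operation behind it; `dac_read_search` was already present, and dac_override additionally bypasses DAC write and execute checks on every file the domain may reach by type. The other patches in this series quote the AVC that motivated them, and this one should do the same or at least name the vipw/vigr step that hit the check. The new `auth_relabelto_passwd_files` interface grants only `relabelto` on passwd_file_t; whether `relabelfrom` for the recreated file's initial label is already covered by `auth_manage_passwd` or the etc rules is outside this hunk and worth confirming on an enforcing system before the backport is taken.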
@@ -10,27 +10,57 @@ The dbus_delete_session_tmp_sock_files() interface was added. Addresses the following AVC denial: -type=PROCTITLE msg=audit(13.1.2022 18:57:09.055:9086) : proctitle=/usr/lib/systemd/systemd-user-runtime-dir stop 1001 -type=PATH msg=audit(13.1.2022 18:57:09.055:9086) : item=1 name=bus inode=40 dev=00:3f mode=socket,666 ouid=staff ogid=staff rdev=00:00 obj=staff_u:object_r:session_dbusd_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=PATH msg=audit(13.1.2022 18:57:09.055:9086) : item=0 name=/ inode=1 dev=00:3f mode=dir,700 ouid=staff ogid=staff rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 -type=SYSCALL msg=audit(13.1.2022 18:57:09.055:9086) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0x3 a1=0x560b86610d9b a2=0x0 a3=0x78 items=2 ppid=1 pid=26510 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-ru exe=/usr/lib/systemd/systemd-user-runtime-dir subj=system_u:system_r:systemd_logind_t:s0 key=(null) -type=AVC msg=audit(13.1.2022 18:57:09.055:9086) : avc: denied { unlink } for pid=26510 comm=systemd-user-ru name=bus dev="tmpfs" ino=40 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=staff_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=1 +type=PROCTITLE msg=audit(13.1.2022 18:57:09.055:9086) : proctitle=/usr/lib/systemd/systemd-user-runtime-dir stop 100 +1 +type=PATH msg=audit(13.1.2022 18:57:09.055:9086) : item=1 name=bus inode=40 dev=00:3f mode=socket,666 ouid=staff ogi +d=staff rdev=00:00 obj=staff_u:object_r:session_dbusd_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_ +fver=0 cap_frootid=0 +type=PATH msg=audit(13.1.2022 18:57:09.055:9086) : item=0 name=/ inode=1 dev=00:3f mode=dir,700 ouid=staff ogid=staf +f rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
cap_froo +tid=0 +type=SYSCALL msg=audit(13.1.2022 18:57:09.055:9086) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0x3 a1=0x56 +0b86610d9b a2=0x0 a3=0x78 items=2 ppid=1 pid=26510 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid= +root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-user-ru exe=/usr/lib/systemd/systemd-user-runtime-dir su +bj=system_u:system_r:systemd_logind_t:s0 key=(null) +type=AVC msg=audit(13.1.2022 18:57:09.055:9086) : avc: denied { unlink } for pid=26510 comm=systemd-user-ru name= +bus dev="tmpfs" ino=40 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=staff_u:object_r:session_dbusd_tmp_t: +s0 tclass=sock_file permissive=1 Resolves: rhbz#2039671 Signed-off-by: lujie54 --- - policy/modules/contrib/dbus.if | 18 ++++++++++++++++++ + policy/modules/contrib/dbus.if | 36 ++++++++++++++++++++++++++++++++++++ policy/modules/system/systemd.te | 1 + - 2 files changed, 19 insertions(+) + 2 files changed, 37 insertions(+) diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if -index 71c77a0..e04af61 100644 +index 6f923ad..70e7bcd 100644 --- a/policy/modules/contrib/dbus.if +++ b/policy/modules/contrib/dbus.if -@@ -883,6 +883,24 @@ interface(`dbus_write_session_tmp_sock_files',` +@@ -863,6 +863,42 @@ interface(`dbus_manage_session_tmp_dirs',` + manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t) + ') - ######################################## - ## ++###################################### ++## ++## Write to session_dbusd tmp socket files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dbus_write_session_tmp_sock_files',` ++ gen_require(` ++ type session_dbusd_tmp_t; ++ ') ++ ++ write_sock_files_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t) ++') ++ ++######################################## ++## +## Delete session_dbusd tmp socket files. +## +## 
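Review bot: The audit records in the rewritten description are now hard-wrapped at roughly 120 columns, so each record is split into fragments that become their own `+` lines (`+1`, `+d=staff rdev=00:00 ...`, `+tid=0`); that makes the AVC unsearchable as a single record and reads as corruption in `git log`, so keep one audit record per line as the version being removed did. Separately, the patch now also introduces the `dbus_write_session_tmp_sock_files` interface in dbus.if (diffstat 18 to 36 lines), which neither the Subject nor `Resolves: rhbz#2039671` covers; a sentence such as `The dbus_write_session_tmp_sock_files() interface was also added; it is used by the login_userdomain and tumblerd backports.` would keep the description accurate, or that addition could become its own patch. The changed index line (6f923ad..70e7bcd) and the hunk header moving from `dbus_write_session_tmp_sock_files` to `dbus_manage_session_tmp_dirs` suggest the patch was regenerated against a dbus.if that lacked the interface, which is presumably why it had to be added here.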
@@ -47,16 +77,14 @@ index 71c77a0..e04af61 100644 + delete_sock_files_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t) +') + -+######################################## -+## + ######################################## + ## ## Allow systemctl dbus services - ## - ## diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te -index 43fffdc..edd4354 100644 +index a62f1fe..2b54d0b 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te -@@ -364,6 +364,7 @@ optional_policy(` +@@ -363,6 +363,7 @@ optional_policy(` optional_policy(` dbus_connect_system_bus(systemd_logind_t) dbus_system_bus_client(systemd_logind_t) diff --git a/backport-Allow-systemd-networkd-create-and-use-netlink-netfil.patch b/backport-Allow-systemd-networkd-create-and-use-netlink-netfil.patch new file mode 100644 index 0000000000000000000000000000000000000000..25080c30485ef6b0fae2aa1ee20a62bf61c6e976 --- /dev/null +++ b/backport-Allow-systemd-networkd-create-and-use-netlink-netfil.patch 
@@ -0,0 +1,30 @@ +From 2bd78f27bb7a806bf89070c31e4f813b61f1155e Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 14 Feb 2022 10:51:06 +0100 +Subject: [PATCH] Allow systemd-networkd create and use netlink netfilter + socket + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/2bd78f27bb7a806bf89070c31e4f813b61f1155e +Conflict: NA + +Resolves: rhbz#2054006 +Signed-off-by: lujie54 +--- + policy/modules/system/systemd.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 2d8db7e..476e2d3 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -490,6 +490,7 @@ allow systemd_networkd_t self:process { getcap setcap }; + + allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms; + allow systemd_networkd_t self:netlink_generic_socket create_socket_perms; ++allow systemd_networkd_t self:netlink_netfilter_socket create_socket_perms; + allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; + allow systemd_networkd_t self:unix_dgram_socket create_socket_perms; + allow systemd_networkd_t self:packet_socket create_socket_perms; +-- +1.8.3.1 + diff --git a/backport-Allow-systemd-services-watch-dbusd-pid-directory-and.patch b/backport-Allow-systemd-services-watch-dbusd-pid-directory-and.patch new file mode 100644 index 0000000000000000000000000000000000000000..ecc83900f3bf6e09bcb6b55ab9ecca7a4ad8032e --- /dev/null +++ b/backport-Allow-systemd-services-watch-dbusd-pid-directory-and.patch 
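Review bot: `allow systemd_networkd_t self:netlink_netfilter_socket create_socket_perms;` grants read and write on an nfnetlink socket, and nfnetlink is the transport for nf_tables and conntrack as well as for queries, so this is a capability to change netfilter state rather than only observe it; the description gives nothing beyond `Resolves: rhbz#2054006`, with no denial and no statement of what systemd-networkd does over that socket. The other patches in this series quote the AVC, and this one should too, or at least name the networkd feature that needs the socket. A defender auditing the policy later needs that rationale in the patch rather than behind a bug id.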
@@ -0,0 +1,114 @@ +From 569208d534e1a53d75b187ec44ecda856ee6139c Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 26 Jan 2022 14:41:59 +0100 +Subject: [PATCH] Allow systemd services watch dbusd pid directory and its + parents + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/569208d534e1a53d75b187ec44ecda856ee6139c +Conflict: NA + +The following services were allowed to watch /run/dbus and all its +parents: +- systemd-hostnamed +- systemd-machined +- systemd-networkd +- systemd-resolved +- systemd-timesyncd and systemd-timedated + +These permissions are required when the services start earlier than +dbus-broker manages to establish the socket communication, e. g. after + + $ systemctl disable NetworkManager && systemctl enable systemd-networkd + +The dbus_watch_pid_dir_path() interface was added. The redundant +dbus_watch_pid_dirs() calls were removed. + +Resolves: rhbz#2031668 +Signed-off-by: lujie54 +--- + policy/modules/contrib/dbus.if | 21 +++++++++++++++++++++ + policy/modules/system/systemd.te | 7 +++++-- + 2 files changed, 26 insertions(+), 2 deletions(-) + +diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if +index deb6f10..7ec03b1 100644 +--- a/policy/modules/contrib/dbus.if ++++ b/policy/modules/contrib/dbus.if +@@ -606,6 +606,27 @@ interface(`dbus_watch_pid_dirs',` + + ######################################## + ## ++## Watch system dbusd pid directory and all its parents ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dbus_watch_pid_dir_path',` ++ gen_require(` ++ type system_dbusd_var_run_t; ++ ') ++ ++ files_watch_root_dirs($1) ++ files_watch_var_run_dirs($1) ++ files_search_pids($1) ++ allow $1 system_dbusd_var_run_t:dir watch_dir_perms; ++') ++ ++######################################## ++## + ## Read and write system dbus tmp socket files. 
+ ## + ## +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index ea2b27e..2d8db7e 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -458,6 +458,7 @@ getty_start_services(systemd_machined_t) + optional_policy(` + dbus_connect_system_bus(systemd_machined_t) + dbus_system_bus_client(systemd_machined_t) ++ dbus_watch_pid_dir_path(systemd_machined_t) + ') + + optional_policy(` +@@ -536,6 +537,7 @@ init_named_pid_filetrans(systemd_logind_t, systemd_networkd_var_run_t, dir, "net + optional_policy(` + dbus_system_bus_client(systemd_networkd_t) + dbus_connect_system_bus(systemd_networkd_t) ++ dbus_watch_pid_dir_path(systemd_networkd_t) + dbus_read_pid_files(systemd_networkd_t) + dbus_read_pid_sock_files(systemd_networkd_t) + systemd_dbus_chat_logind(systemd_networkd_t) +@@ -862,6 +864,7 @@ userdom_dbus_send_all_users(systemd_hostnamed_t) + optional_policy(` + dbus_system_bus_client(systemd_hostnamed_t) + dbus_connect_system_bus(systemd_hostnamed_t) ++ dbus_watch_pid_dir_path(systemd_hostnamed_t) + ') + + optional_policy(` +@@ -978,7 +981,7 @@ optional_policy(` + dbus_system_bus_client(systemd_timedated_t) + dbus_connect_system_bus(systemd_timedated_t) + dbus_read_pid_sock_files(systemd_timedated_t) +- dbus_watch_pid_dirs(systemd_timedated_t) ++ dbus_watch_pid_dir_path(systemd_timedated_t) + dbus_watch_pid_sock_files(systemd_timedated_t) + ') + +@@ -1168,8 +1171,8 @@ optional_policy(` + dbus_connect_system_bus(systemd_resolved_t) + dbus_read_pid_files(systemd_resolved_t) + dbus_read_pid_sock_files(systemd_resolved_t) ++ dbus_watch_pid_dir_path(systemd_resolved_t) + dbus_watch_pid_sock_files(systemd_resolved_t) +- dbus_watch_pid_dirs(systemd_resolved_t) + systemd_dbus_chat_logind(systemd_resolved_t) + ') + +-- +1.8.3.1 + 
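Review bot: The summary of the new `dbus_watch_pid_dir_path` interface says it watches the dbusd pid directory and its parents, but the body also calls `files_watch_root_dirs($1)` and `files_watch_var_run_dirs($1)`, so every caller receives watch permission on `/` and `/run` as part of the grant; the five systemd domains in the systemd.te hunks now carry that. Since the interface is likely to be reused, spell the scope out in the summary, e.g. `Watch the system dbusd pid directory together with its parents, the root and /run directories.`. The description also lists systemd-timesyncd among the services, while the visible systemd.te hunks touch `systemd_timedated_t` only; if timesyncd shares that domain the description should say so, otherwise a hunk is missing from the backport.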
diff --git a/backport-Allow-timedatex-dbus-chat-with-xdm.patch b/backport-Allow-timedatex-dbus-chat-with-xdm.patch new file mode 100644 index 0000000000000000000000000000000000000000..691a74d740b6be9e255d2c32757141e2146f9ae8 --- /dev/null +++ b/backport-Allow-timedatex-dbus-chat-with-xdm.patch @@ -0,0 +1,36 @@ +From 40a8223b142eb3ed9d63869b5dc447b0ede4ebf3 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 28 Jan 2022 17:04:07 +0100 +Subject: [PATCH] Allow timedatex dbus chat with xdm + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/40a8223b142eb3ed9d63869b5dc447b0ede4ebf3 +Conflict: NA + +Addresses the following USER_AVC denial: + +type=USER_AVC msg=audit(1642064568.655:164): pid=942 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetTimezone dest=:1.201 spid=6469 tpid=6505 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:timedatex_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'^]UID="dbus" AUID="unset" SAUID="dbus" + +Resolves: rhbz#2040214 +Signed-off-by: lujie54 +--- + policy/modules/contrib/timedatex.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/contrib/timedatex.te b/policy/modules/contrib/timedatex.te +index 003c4c3..3a2e4db 100644 +--- a/policy/modules/contrib/timedatex.te ++++ b/policy/modules/contrib/timedatex.te +@@ -57,6 +57,10 @@ optional_policy(` + init_dbus_chat(timedatex_t) + + policykit_dbus_chat(timedatex_t) ++ ++ optional_policy(` ++ xserver_dbus_chat_xdm(timedatex_t) ++ ') + ') + + optional_policy(` +-- +1.8.3.1 + diff --git a/backport-Allow-tumblerd-write-to-session_dbusd-tmp-socket-fil.patch b/backport-Allow-tumblerd-write-to-session_dbusd-tmp-socket-fil.patch new file mode 100644 index 0000000000000000000000000000000000000000..1758858b479b6e9e089301586bb5afd878617d26 
--- /dev/null +++ b/backport-Allow-tumblerd-write-to-session_dbusd-tmp-socket-fil.patch @@ -0,0 +1,32 @@ +From d9bf0729b58d4e3c0c66015961013c1cb64c4a24 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 20 Jan 2022 17:15:18 +0100 +Subject: [PATCH] Allow tumblerd write to session_dbusd tmp socket files + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d9bf0729b58d4e3c0c66015961013c1cb64c4a24 +Conflict: NA + +Addresses the following AVC denial: +type=AVC msg=audit(1642635456.954:3314): avc: denied { write } for pid=104519 comm="tumblerd" name="bus" dev="tmpfs" ino=40 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0 + +Resolves: rhbz#2042696 +Signed-off-by: lujie54 +--- + policy/modules/contrib/thumb.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/thumb.te b/policy/modules/contrib/thumb.te +index 0444a36..27eb72c 100644 +--- a/policy/modules/contrib/thumb.te ++++ b/policy/modules/contrib/thumb.te +@@ -146,6 +146,7 @@ optional_policy(` + dbus_stream_connect_session_bus(thumb_t) + dbus_chat_session_bus(thumb_t) + dbus_system_bus_client(thumb_t) ++ dbus_write_session_tmp_sock_files(thumb_t) + ') + + optional_policy(` +-- +1.8.3.1 + diff --git a/backport-Update-chronyd_pid_filetrans-to-allow-create-dirs.patch b/backport-Update-chronyd_pid_filetrans-to-allow-create-dirs.patch new file mode 100644 index 0000000000000000000000000000000000000000..4db1dcf290fdc48ceba4e4c9c2680baab6feb7ee --- /dev/null +++ b/backport-Update-chronyd_pid_filetrans-to-allow-create-dirs.patch 
@@ -0,0 +1,31 @@ +From d251c0553ecc432f0aa8a6769e76795902b9ebcd Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 8 Feb 2022 18:33:51 +0100 +Subject: [PATCH] Update chronyd_pid_filetrans() to allow create dirs + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d251c0553ecc432f0aa8a6769e76795902b9ebcd +Conflict: NA + +The chronyd_pid_filetrans() interface was updated so that the caller +domain is now allowed to create the /run/chrony-dhcp directory. + +Signed-off-by: lujie54 +--- + policy/modules/contrib/chronyd.if | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if +index 3d47264..cad4d31 100644 +--- a/policy/modules/contrib/chronyd.if ++++ b/policy/modules/contrib/chronyd.if +@@ -252,6 +252,7 @@ interface(`chronyd_pid_filetrans',` + type chronyd_var_run_t; + ') + ++ create_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t) + files_pid_filetrans($1, chronyd_var_run_t, dir, "chrony-dhcp") + ') + +-- +1.8.3.1 + diff --git a/selinux-policy.spec b/selinux-policy.spec index 721ed1f6f5063daa786bc2054005dfa2537ca137..7c343dc71b209776f4422b531d32802bdd8ce563 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -12,7 +12,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 35.5 -Release: 9 +Release: 10 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ 
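Review bot: `chronyd_pid_filetrans` now also calls `create_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t)`, so an interface named for a file transition additionally grants creation of chronyd_var_run_t directories, not only the `chrony-dhcp` name passed to `files_pid_filetrans`. The interface's summary and parameter block sit above this hunk and are not part of the change, so they still describe a pure transition; they should be updated to something like `Create chronyd runtime directories and transition /run/chrony-dhcp to chronyd_var_run_t.` so callers know what they are taking on.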
@@ -112,6 +112,28 @@ Patch6044: backport-Allow-login_userdomain-watch-various-files-and-dirs.patch Patch6045: backport-Allow-login_userdomain-watch-localization-directorie.patch Patch6046: backport-Allow-login_userdomain-watch-accountsd-lib-directori.patch Patch6047: backport-Allow-login_userdomain-watch-systemd-logind-PID-dire.patch +Patch6048: backport-Allow-login_userdomain-watch-systemd-machined-PID-di.patch +Patch6049: backport-Allow-login_userdomain-write-to-session_dbusd-tmp-so.patch +Patch6050: backport-Allow-tumblerd-write-to-session_dbusd-tmp-socket-fil.patch +Patch6051: backport-Allow-NetworkManager-talk-with-unconfined-user-over-.patch +Patch6052: backport-Allow-timedatex-dbus-chat-with-xdm.patch +Patch6053: backport-Allow-init-delete-generic-tmp-named-pipes.patch +Patch6054: backport-Allow-alsa-bind-mixer-controls-to-led-triggers.patch +Patch6055: backport-Allow-ModemManager-connect-to-the-unconfined-user-do.patch +Patch6056: backport-Allow-systemd-services-watch-dbusd-pid-directory-and.patch +Patch6057: backport-Allow-init-read-stratis-data-symlinks.patch +Patch6058: backport-Allow-sanlock-get-attributes-of-filesystems-with-ext.patch +Patch6059: backport-Add-the-map-permission-to-common_anon_inode_perm-per.patch +Patch6060: backport-Update-chronyd_pid_filetrans-to-allow-create-dirs.patch +Patch6061: backport-Allow-alsactl-set-group-Process-ID-of-a-process.patch +Patch6062: backport-Allow-login_userdomain-read-systemd-runtime-files.patch +Patch6063: backport-Allow-login_userdomain-watch-system-configuration-di.patch +Patch6064: backport-Allow-login_userdomain-watch-library-and-fonts-dirs.patch +Patch6065: backport-Allow-login_userdomain-map-var-lib-directories.patch +Patch6066: backport-Allow-confined-sysadmin-to-use-tool-vipw.patch +Patch6067: backport-Allow-sysadm_passwd_t-to-relabel-passwd-and-group-fi.patch +Patch6068: backport-Allow-systemd-networkd-create-and-use-netlink-netfil.patch +Patch6069: 
backport-Allow-iptables-list-cgroup-directories.patch Patch9000: add-qemu_exec_t-for-stratovirt.patch Patch9001: fix-context-of-usr-bin-rpmdb.patch @@ -782,6 +804,9 @@ exit 0 %endif %changelog +* Tue Sep 13 2022 lujie - 35.5-10 +- backport upstream patches + * Tue Sep 13 2022 lujie - 35.5-9 - backport upstream patches
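Review bot: The new changelog entry `- backport upstream patches` is word-for-word the previous one and names none of the twenty-two patches added to the Patch list in the preceding hunk, so nothing in the package metadata tells a consumer that this release widens sysadm_passwd_t (dac_override), systemd-networkd (netlink_netfilter_socket) or the other domains. List the bugs or upstream commits per patch, e.g. `- backport: allow sysadm_passwd_t dac_override and relabelto passwd_file_t (vigr/vipw)`, so a policy change of this kind can be found from the changelog. The Patch6069 entry also appears split across two lines here (`Patch6069:` / `backport-Allow-iptables-list-cgroup-directories.patch`), which may be a display artifact but is worth checking in the file, since a broken Patch line fails the build.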