diff --git a/backport-Add-systemd_getattr_generic_unit_files-interface.patch b/backport-Add-systemd_getattr_generic_unit_files-interface.patch
new file mode 100644
index 0000000000000000000000000000000000000000..83b8713ab6191ad9e4f5390216320e8e3f36ec26
--- /dev/null
+++ b/backport-Add-systemd_getattr_generic_unit_files-interface.patch
@@ -0,0 +1,45 @@
+From 9010f07e78944ccab50bcf3bf2640f6aad3cc8cb Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 30 Mar 2022 21:29:47 +0200
+Subject: [PATCH] Add systemd_getattr_generic_unit_files() interface
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9010f07e78944ccab50bcf3bf2640f6aad3cc8cb
+Conflict: NA
+
+Signed-off-by: lujie54
+---
+ policy/modules/system/systemd.if | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 351438c..5567da7 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -1597,6 +1597,24 @@ interface(`systemd_unit_file_filetrans',`
+
+ #######################################
+ ##
++## Get attributes of generic systemd unit files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_getattr_generic_unit_files',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++
++ getattr_files_pattern($1, systemd_unit_file_t, systemd_unit_file_t)
++')
++
++#######################################
++##
+ ## Create a directory in the /usr/lib/systemd/system directory.
+ ##
+ ##
+--
+1.8.3.1
+
diff --git a/backport-Add-the-corecmd_watch_bin_dirs-interface.patch b/backport-Add-the-corecmd_watch_bin_dirs-interface.patch
new file mode 100644
index 0000000000000000000000000000000000000000..85aebac4624b6f594a182893d1effb7e63190ccb
--- /dev/null
+++ b/backport-Add-the-corecmd_watch_bin_dirs-interface.patch
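Review bot: The Reference line in the patch header points at `gitbub.com`, which does not look like the upstream host for fedora-selinux/selinux-policy; it should presumably read `Reference: https://github.com/fedora-selinux/selinux-policy/commit/9010f07e78944ccab50bcf3bf2640f6aad3cc8cb`. The same misspelled host appears in the Reference line of every other backport patch in this change (the corecmd_watch_bin_dirs, init_append_stream_sockets, both chronyd, init user-tty, keepalived, pcscd, pppd, rngd, rpmdb, sosreport dbus chat, sssd, dbus watch, systemd-gpt-generator, systemd-logind and systemd-sysctl patches), so the correction should be applied to all of them together. A provenance link that does not resolve defeats the purpose of the Reference field, which is what lets a reviewer check the backport against the upstream commit it claims to carry.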
@@ -0,0 +1,48 @@
+From 88072fd293ddd3e83c0625199d6f0561dcad99d7 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 8 Apr 2022 11:48:14 +0200
+Subject: [PATCH] Add the corecmd_watch_bin_dirs() interface
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/88072fd293ddd3e83c0625199d6f0561dcad99d7
+Conflict: NA
+
+Note the bin_t type is also used as a default type for files
+in /usr/libexec and some additional paths.
+
+Signed-off-by: lujie54
+---
+ policy/modules/kernel/corecommands.if | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
+index 70b6b35..d88c5c0 100644
+--- a/policy/modules/kernel/corecommands.if
++++ b/policy/modules/kernel/corecommands.if
+@@ -201,6 +201,24 @@ interface(`corecmd_dontaudit_write_bin_dirs',`
+
+ ########################################
+ ##
++## Watch bin directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`corecmd_watch_bin_dirs',`
++ gen_require(`
++ type bin_t;
++ ')
++
++ allow $1 bin_t:dir watch_dir_perms;
++')
++
++########################################
++##
+ ## Get the attributes of files in bin directories.
+ ##
+ ##
+--
+1.8.3.1
+
diff --git a/backport-Add-the-init_append_stream_sockets-interface.patch b/backport-Add-the-init_append_stream_sockets-interface.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9712df6b8d15c6d11125555eba5248fe25b65657
--- /dev/null
+++ b/backport-Add-the-init_append_stream_sockets-interface.patch
@@ -0,0 +1,46 @@
+From 4536c1c32c0ed377b1c31aab18819dfb1a46b91e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 1 Apr 2022 19:21:10 +0200
+Subject: [PATCH] Add the init_append_stream_sockets() interface
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/4536c1c32c0ed377b1c31aab18819dfb1a46b91e
+Conflict: NA
+
+Signed-off-by: lujie54
+---
+ policy/modules/system/init.if | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+index 7bd438e..4b3bb59 100644
+--- a/policy/modules/system/init.if
++++ b/policy/modules/system/init.if
+@@ -2789,6 +2789,25 @@ interface(`init_rw_stream_sockets',`
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+ ')
+
++########################################
++##
++## Allow the specified domain to append to
++## init unix domain stream sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_append_stream_sockets',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 init_t:unix_stream_socket append;
++')
++
+ #######################################
+ ##
+ ## Allow the specified domain to write to
+--
+1.8.3.1
+
diff --git a/backport-Allow-chronyd-send-a-message-to-sosreport-over-datag.patch b/backport-Allow-chronyd-send-a-message-to-sosreport-over-datag.patch
new file mode 100644
index 0000000000000000000000000000000000000000..879146e70057826dd91f590f2e7fadb89620b3f9
--- /dev/null
+++ b/backport-Allow-chronyd-send-a-message-to-sosreport-over-datag.patch
@@ -0,0 +1,61 @@
+From 05e940f535497768c2b4a8c37365b5b5156eda75 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 25 Feb 2022 14:16:52 +0100
+Subject: [PATCH] Allow chronyd send a message to sosreport over datagram
+ socket
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/05e940f535497768c2b4a8c37365b5b5156eda75
+Conflict: NA
+
+The sosreport_dgram_send() interface was added.
+
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/chronyd.te | 4 ++++
+ policy/modules/contrib/sosreport.if | 18 ++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
+index 8da80de..142139d 100644
+--- a/policy/modules/contrib/chronyd.te
++++ b/policy/modules/contrib/chronyd.te
+@@ -175,6 +175,10 @@ optional_policy(`
+ rolekit_dgram_send(chronyd_t)
+ ')
+
++optional_policy(`
++ sosreport_dgram_send(chronyd_t)
++')
++
+ ########################################
+ #
+ # Local policy
+diff --git a/policy/modules/contrib/sosreport.if b/policy/modules/contrib/sosreport.if
+index c5fbb7a..44b13a8 100644
+--- a/policy/modules/contrib/sosreport.if
++++ b/policy/modules/contrib/sosreport.if
+@@ -166,3 +166,21 @@ interface(`sosreport_dbus_chat',`
+ allow $1 sosreport_t:dbus send_msg;
+ allow sosreport_t $1:dbus send_msg;
+ ')
++
++########################################
++##
++## Send a message to sosreport over the datagram socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sosreport_dgram_send',`
++ gen_require(`
++ type sosreport_t;
++ ')
++
++ allow $1 sosreport_t:unix_dgram_socket sendto;
++')
+--
+1.8.3.1
+
diff --git a/backport-Allow-chronyd-talk-with-unconfined-user-over-unix-do.patch b/backport-Allow-chronyd-talk-with-unconfined-user-over-unix-do.patch
new file mode 100644
index 0000000000000000000000000000000000000000..21f3a430e80e3c5dd2de70438d58794e50afe94f
--- /dev/null
+++ b/backport-Allow-chronyd-talk-with-unconfined-user-over-unix-do.patch
@@ -0,0 +1,47 @@
+From bd3f86ee9fbae47287d63c496ba936348627122b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 31 Mar 2022 10:55:05 +0200
+Subject: [PATCH] Allow chronyd talk with unconfined user over unix domain
+ dgram socket
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/bd3f86ee9fbae47287d63c496ba936348627122b
+Conflict: NA
+
+This permission is required by applications which use the unix datagram
+socket to communicate with chronyd directly, e.g. for monitoring
+purposes. The other direction of communication is allowed by a rule for
+unconfined_domain_type.
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(03/17/2022 12:11:19.881:312) : proctitle=/usr/sbin/chronyd
+type=PATH msg=audit(03/17/2022 12:11:19.881:312) : item=0 name=/run/chrony/chronyc.sock inode=39486 dev=00:18 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:chronyd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(03/17/2022 12:11:19.881:312) : cwd=/
+type=SOCKADDR msg=audit(03/17/2022 12:11:19.881:312) : saddr={ saddr_fam=local path=/run/chrony/chronyc.sock }
+type=SYSCALL msg=audit(03/17/2022 12:11:19.881:312) : arch=x86_64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x8 a1=0x7fffeef72f20 a2=0x0 a3=0x0 items=1 ppid=1 pid=680 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null)
+type=AVC msg=audit(03/17/2022 12:11:19.881:312) : avc: denied { sendto } for pid=680 comm=chronyd path=/run/chrony/chronyc.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
+
+Resolves: rhbz#2065313
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/chronyd.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
+index 142139d..342735b 100644
+--- a/policy/modules/contrib/chronyd.te
++++ b/policy/modules/contrib/chronyd.te
+@@ -179,6 +179,10 @@ optional_policy(`
+ sosreport_dgram_send(chronyd_t)
+ ')
+
++optional_policy(`
++ unconfined_dgram_send(chronyd_t)
++')
++
+ ########################################
+ #
+ # Local policy
+--
+1.8.3.1
+
diff --git a/backport-Allow-init-watch-and-watch_reads-user-ttys.patch b/backport-Allow-init-watch-and-watch_reads-user-ttys.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9393f5b72396e9467c5b63cdbfbdab38ec260811
--- /dev/null
+++ b/backport-Allow-init-watch-and-watch_reads-user-ttys.patch
@@ -0,0 +1,81 @@
+From 9e2825e96456f95ba535f3809b23ded5b62dd9a9 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 1 Mar 2022 20:20:25 +0100
+Subject: [PATCH] Allow init watch and watch_reads user ttys
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9e2825e96456f95ba535f3809b23ded5b62dd9a9
+Conflict: NA
+
+The term_watch_user_ttys() and term_watch_reads_user_ttys()
+interfaces were added.
+
+Resolves: rhbz#2058823
+Signed-off-by: lujie54
+---
+ policy/modules/kernel/terminal.if | 36 ++++++++++++++++++++++++++++++++++++
+ policy/modules/system/init.te | 2 ++
+ 2 files changed, 38 insertions(+)
+
+diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
+index b058850..615d215 100644
+--- a/policy/modules/kernel/terminal.if
++++ b/policy/modules/kernel/terminal.if
+@@ -1824,6 +1824,42 @@ interface(`term_dontaudit_use_all_user_ttys',`
+ term_dontaudit_use_all_ttys($1)
+ ')
+
++########################################
++##
++## Watch user tty device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_watch_user_ttys',`
++ gen_require(`
++ type user_tty_device_t;
++ ')
++
++ allow $1 user_tty_device_t:chr_file watch_chr_file_perms;
++')
++
++########################################
++##
++## Watch_reads user tty device nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_watch_reads_user_ttys',`
++ gen_require(`
++ type user_tty_device_t;
++ ')
++
++ allow $1 user_tty_device_t:chr_file watch_reads_chr_file_perms;
++')
++
+ ####################################
+ ##
+ ## Getattr on the virtio console.
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 033f189..a838cdd 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -377,6 +377,8 @@ term_watch_console_dev(init_t)
+ term_watch_reads_console_dev(init_t)
+ term_watch_unallocated_ttys(init_t)
+ term_watch_reads_unallocated_ttys(init_t)
++term_watch_user_ttys(init_t)
++term_watch_reads_user_ttys(init_t)
+
+ # Run init scripts.
+ init_domtrans_script(init_t)
+--
+1.8.3.1
+
diff --git a/backport-Allow-keepalived-setsched-and-sys_nice.patch b/backport-Allow-keepalived-setsched-and-sys_nice.patch
new file mode 100644
index 0000000000000000000000000000000000000000..665569a276c3cfd5d4f58da4394dfabf7a6d108c
--- /dev/null
+++ b/backport-Allow-keepalived-setsched-and-sys_nice.patch
@@ -0,0 +1,42 @@
+From 7342ec730a9702ec4ba42d6b57c56bc3be82e12b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 12 Apr 2022 19:00:54 +0200
+Subject: [PATCH] Allow keepalived setsched and sys_nice
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/7342ec730a9702ec4ba42d6b57c56bc3be82e12b
+Conflict: NA
+
+These permissions are particularly required on high load systems
+when a keepalived child process may request to use more cpu resouces.
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(04/12/22 05:56:21.085:38) : proctitle=/usr/sbin/keepalived -D
+type=SYSCALL msg=audit(04/12/22 05:56:21.085:38) : arch=x86_64 syscall=sched_setscheduler success=no exit=EPERM(Operation not permitted) a0=0x41c a1=SCHED_RR|SCHED_RESET_ON_FORK a2=0x7fff2554107c a3=0x0 items=0 ppid=1051 pid=1052 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
+type=AVC msg=audit(04/12/22 05:56:21.085:38) : avc: denied { setsched } for pid=1052 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process permissive=1
+type=AVC msg=audit(04/12/22 05:56:21.085:38) : avc: denied { sys_nice } for pid=1052 comm=keepalived capability=sys_nice scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=capability permissive=1
+
+Resolves: rhbz#2008033
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/keepalived.te | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/policy/modules/contrib/keepalived.te b/policy/modules/contrib/keepalived.te
+index 831ada9..89bc0d6 100644
+--- a/policy/modules/contrib/keepalived.te
++++ b/policy/modules/contrib/keepalived.te
+@@ -37,8 +37,8 @@ files_tmpfs_file(keepalived_tmpfs_t)
+ # keepalived local policy
+ #
+
+-allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setuid setgid sys_admin sys_ptrace };
+-allow keepalived_t self:process { signal_perms getpgid setpgid };
++allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setuid setgid sys_admin sys_nice sys_ptrace };
++allow keepalived_t self:process { signal_perms getpgid setpgid setsched };
+ allow keepalived_t self:icmp_socket create_socket_perms;
+ allow keepalived_t self:netlink_socket create_socket_perms;
+ allow keepalived_t self:netlink_generic_socket create_socket_perms;
+--
+1.8.3.1
+
diff --git a/backport-Allow-pcscd-the-sys_ptrace-userns-capability.patch b/backport-Allow-pcscd-the-sys_ptrace-userns-capability.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8e3ebb545af0e68c56893d82d8c75f82c451017b
--- /dev/null
+++ b/backport-Allow-pcscd-the-sys_ptrace-userns-capability.patch
@@ -0,0 +1,29 @@
+From dd7761e72c40b6d826a760ea9167ca17dec8c546 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 8 Apr 2022 14:10:08 +0200
+Subject: [PATCH] Allow pcscd the sys_ptrace userns capability
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/dd7761e72c40b6d826a760ea9167ca17dec8c546
+Conflict: NA
+
+Resolves: rhbz#2073169
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/pcscd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
+index 1fdd845..d0d83da 100644
+--- a/policy/modules/contrib/pcscd.te
++++ b/policy/modules/contrib/pcscd.te
+@@ -24,6 +24,7 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
+ allow pcscd_t self:capability { dac_read_search fsetid };
+ dontaudit pcscd_t self:capability { sys_admin };
+ allow pcscd_t self:capability2 { wake_alarm };
++allow pcscd_t self:cap_userns sys_ptrace;
+ allow pcscd_t self:process { signal signull };
+ dontaudit pcscd_t self:process setsched;
+ allow pcscd_t self:fifo_file rw_fifo_file_perms;
+--
+1.8.3.1
+
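Review bot: The new rule `allow pcscd_t self:cap_userns sys_ptrace;` in the pcscd backport comes with a patch description that gives neither an AVC denial nor a sentence on why the daemon needs it; the header goes straight from `Conflict: NA` to `Resolves: rhbz#2073169`, and that bug reference is not readable from the repository itself. Ptrace-class capabilities are the ones a policy auditor looks at first, even when scoped to a user namespace, so the description should record the denial being addressed or the pcscd behaviour that triggers it, in the same "Addresses the following AVC denial:" form the keepalived patch immediately above uses. Without that, a later reviewer cannot tell whether the grant is still needed or can be reduced to a dontaudit.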
diff --git a/backport-Allow-pppd-create-a-file-in-the-locks-directory.patch b/backport-Allow-pppd-create-a-file-in-the-locks-directory.patch
new file mode 100644
index 0000000000000000000000000000000000000000..172ec744e9b2e50c1c933266a5eba03e66027e37
--- /dev/null
+++ b/backport-Allow-pppd-create-a-file-in-the-locks-directory.patch
@@ -0,0 +1,33 @@
+From 699f4dcf2a9b39a02427bd859c91c625e11998a6 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 8 Apr 2022 15:50:13 +0200
+Subject: [PATCH] Allow pppd create a file in the locks directory
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/699f4dcf2a9b39a02427bd859c91c625e11998a6
+Conflict: NA
+
+So far, a rule for creating a private lock dir was defined in the
+policy. Since this commit there is also a rule for a plain file.
+
+Resolves: rhbz#2022902
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/ppp.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/ppp.te b/policy/modules/contrib/ppp.te
+index c2da84b..9b08134 100644
+--- a/policy/modules/contrib/ppp.te
++++ b/policy/modules/contrib/ppp.te
+@@ -106,7 +106,7 @@ manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
+ filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
+
+ manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)
+-files_lock_filetrans(pppd_t, pppd_lock_t, dir)
++files_lock_filetrans(pppd_t, pppd_lock_t, { dir file })
+ files_search_locks(pppd_t)
+
+ manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)
+--
+1.8.3.1
+
diff --git a/backport-Allow-rngd-drop-privileges-via-setuid-setgid-setcap.patch b/backport-Allow-rngd-drop-privileges-via-setuid-setgid-setcap.patch
new file mode 100644
index 0000000000000000000000000000000000000000..064cee2cd623ae65677e7256556d74c19e856911
--- /dev/null
+++ b/backport-Allow-rngd-drop-privileges-via-setuid-setgid-setcap.patch
@@ -0,0 +1,36 @@
+From 62d5fd70550ba0f6564c5240c369c421b1415eb9 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 3 Mar 2022 16:57:41 +0100
+Subject: [PATCH] Allow rngd drop privileges via setuid/setgid/setcap
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/62d5fd70550ba0f6564c5240c369c421b1415eb9
+Conflict: NA
+
+The rngd service starts as root to be able to access some resources
+like /dev/hwrng, then it drops capabilities and changes ruid/euid/suid
+and rgid/egid/sgid.
+
+Resolves: rhbz#2058914
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/rngd.te | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
+index 316d210..ca8c996 100644
+--- a/policy/modules/contrib/rngd.te
++++ b/policy/modules/contrib/rngd.te
+@@ -30,8 +30,8 @@ files_pid_file(rngd_var_run_t)
+ # Local policy
+ #
+
+-allow rngd_t self:capability { ipc_lock sys_admin };
+-allow rngd_t self:process { setsched signal };
++allow rngd_t self:capability { ipc_lock setgid setuid sys_admin };
++allow rngd_t self:process { setcap setsched signal };
+ allow rngd_t self:fifo_file rw_fifo_file_perms;
+ allow rngd_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow rngd_t self:unix_stream_socket { accept listen };
+--
+1.8.3.1
+
diff --git a/backport-Allow-rpmdb-create-directory-in-usr-lib-sysimage.patch b/backport-Allow-rpmdb-create-directory-in-usr-lib-sysimage.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e147d8eec264f6bbda967e4908cdbf88b6becb44
--- /dev/null
+++ b/backport-Allow-rpmdb-create-directory-in-usr-lib-sysimage.patch
@@ -0,0 +1,36 @@
+From d99577b16e8be3de46528fa81133efd2dd40b7c5 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 14 Mar 2022 12:51:49 +0100
+Subject: [PATCH] Allow rpmdb create directory in /usr/lib/sysimage
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d99577b16e8be3de46528fa81133efd2dd40b7c5
+Conflict: NA
+
+With the 5f69c12c67d (Support /usr/lib/sysimage/rpm as the rpmdb path)
+commit, the policy supports relocation of the rpmdb path to
+/usr/lib/sysimage/rpm. The rpm-rebuilddb command needs to have a file
+transition defined for the new path, too, which also needs to be without
+a directory name as the new directory is created as
+/usr/lib/sysimage/rpmrebuilddb.PID.
+
+Resolves: rhbz#2061141
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/rpm.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
+index b09dfe1..247f1fa 100644
+--- a/policy/modules/contrib/rpm.te
++++ b/policy/modules/contrib/rpm.te
+@@ -265,6 +265,7 @@ allow rpmdb_t rpmdb_tmp_t:file map;
+
+ manage_dirs_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
+ manage_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
++files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir)
+ files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir)
+
+ manage_dirs_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t)
+--
+1.8.3.1
+
diff --git a/backport-Allow-sosreport-dbus-chat-abrt-systemd-timedatex.patch b/backport-Allow-sosreport-dbus-chat-abrt-systemd-timedatex.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4fc7295dac49ec8b23011c89e2e963e5335622e6
--- /dev/null
+++ b/backport-Allow-sosreport-dbus-chat-abrt-systemd-timedatex.patch
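Review bot: `files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir)` in the rpm.te hunk carries no file name, so, as I read the files_usr_filetrans interface, every directory rpmdb_t creates directly inside a usr_t directory is labeled rpm_var_lib_t, not just /usr/lib/sysimage/rpmrebuilddb.PID. The patch description does explain why the name cannot be given (the PID suffix varies), but that reasoning lives only in the commit message, and an unnamed transition next to a named-looking sibling is exactly what a later maintainer tends to "fix" by adding a name. A one-line comment above the rule would keep the intent with the code, e.g. `# unnamed on purpose: rpm-rebuilddb creates /usr/lib/sysimage/rpmrebuilddb.PID`. The enclosing rpmdb_t section continues outside the hunk.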
@@ -0,0 +1,93 @@
+From 37dbb1e7b5944a1cceb2009f8bbb4897150fd1ef Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Tue, 22 Feb 2022 09:48:33 +0100
+Subject: [PATCH] Allow sosreport dbus chat abrt systemd timedatex
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/37dbb1e7b5944a1cceb2009f8bbb4897150fd1ef
+Conflict: NA
+
+Create sosreport dbus chat interface.
+
+Allow abrt, systemd and timedatex to dbus chat sosreport
+
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/abrt.te | 1 +
+ policy/modules/contrib/sosreport.if | 20 ++++++++++++++++++++
+ policy/modules/contrib/timedatex.te | 5 ++++-
+ policy/modules/system/systemd.te | 4 ++++
+ 4 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
+index a68c7fd..02a12df 100644
+--- a/policy/modules/contrib/abrt.te
++++ b/policy/modules/contrib/abrt.te
+@@ -350,6 +350,7 @@ optional_policy(`
+ #')
+
+ optional_policy(`
++ sosreport_dbus_chat(abrt_t)
+ sosreport_domtrans(abrt_t)
+ sosreport_read_tmp_files(abrt_t)
+ sosreport_delete_tmp_files(abrt_t)
+diff --git a/policy/modules/contrib/sosreport.if b/policy/modules/contrib/sosreport.if
+index f6db7a7..c5fbb7a 100644
+--- a/policy/modules/contrib/sosreport.if
++++ b/policy/modules/contrib/sosreport.if
+@@ -146,3 +146,23 @@ interface(`sosreport_signull',`
+ allow $1 sosreport_t:process signull;
+ ')
+
++########################################
++##
++## Send and receive messages from
++## sosreport over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sosreport_dbus_chat',`
++ gen_require(`
++ type sosreport_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 sosreport_t:dbus send_msg;
++ allow sosreport_t $1:dbus send_msg;
++')
+diff --git a/policy/modules/contrib/timedatex.te b/policy/modules/contrib/timedatex.te
+index 3a2e4db..6a640fa 100644
+--- a/policy/modules/contrib/timedatex.te
++++ b/policy/modules/contrib/timedatex.te
+@@ -64,6 +64,9 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- userdom_dbus_send_all_users(timedatex_t)
++ sosreport_dbus_chat(timedatex_t)
+ ')
+
++optional_policy(`
++ userdom_dbus_send_all_users(timedatex_t)
++')
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 476e2d3..97cc111 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -545,6 +545,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ sosreport_dbus_chat(systemd_networkd_t)
++')
++
++optional_policy(`
+ udev_read_db(systemd_networkd_t)
+ ')
+
+--
+1.8.3.1
+
diff --git a/backport-Allow-sssd-domtrans-to-pkcs_slotd_t.patch b/backport-Allow-sssd-domtrans-to-pkcs_slotd_t.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6cee5234ba06cf967fe728a20547289695e38747
--- /dev/null
+++ b/backport-Allow-sssd-domtrans-to-pkcs_slotd_t.patch
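Review bot: The systemd.te hunk grants `sosreport_dbus_chat(systemd_networkd_t)`, but the subject and description say only "systemd", so the choice of networkd as the peer is recorded nowhere and a reader of the description would not expect that domain. sosreport_dbus_chat is bidirectional (both `allow $1 sosreport_t:dbus send_msg;` and `allow sosreport_t $1:dbus send_msg;` are added in sosreport.if), so if a different systemd domain was intended the grant lands on the wrong one; the later backport in this same change adds sosreport_dbus_chat(systemd_logind_t) on its own, which suggests the two were distinct intents rather than one. If networkd is indeed the domain sosreport queries, the description should name it and cite the denial that motivated it, e.g. `Allow abrt, systemd-networkd and timedatex to dbus chat sosreport`.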
@@ -0,0 +1,75 @@
+From b22b33e612363001d74e283e53b04192a51f7c5f Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 14 Apr 2022 19:31:18 +0200
+Subject: [PATCH] Allow sssd domtrans to pkcs_slotd_t
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/b22b33e612363001d74e283e53b04192a51f7c5f
+Conflict: NA
+
+When sssd is configured to use smart cards login, any authentication
+(e.g. sudo) will raise this AVC meaning smart card login was prevented
+from working:
+
+type=AVC msg=audit(1620803381.118:24793): avc: denied { getattr } for pid=667312 comm="p11_child" path="/usr/sbin/pkcsslotd" dev="dm-1" ino=1581455 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_exec_t:s0 tclass=file permissive=0
+
+Sudo uses pam to authenticate a user. In pam stack, there is the sssd
+pam module which talks through some IPC to sssd's p11_child.
+This sssd's p11_child loads through p11-kit every pkcs11 module
+installed in the system, which includes the opencryptoki pkcs11 module.
+Opencryptoki pkcs11 module talks through some IPC to pkcsslotd daemon,
+handling the communication with HW devices or soft tokens.
+
+The pkcs_domtrans() interface was added.
+
+Resolves: rhbz#1959705
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/pkcs.if | 19 +++++++++++++++++++
+ policy/modules/contrib/sssd.te | 1 +
+ 2 files changed, 20 insertions(+)
+
+diff --git a/policy/modules/contrib/pkcs.if b/policy/modules/contrib/pkcs.if
+index 423d061..eb97d23 100644
+--- a/policy/modules/contrib/pkcs.if
++++ b/policy/modules/contrib/pkcs.if
+@@ -118,6 +118,25 @@ interface(`pkcs_getattr_exec_files',`
+
+ ########################################
+ ##
++## Transition to pkcs_slotd
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pkcs_domtrans',`
++ gen_require(`
++ type pkcs_slotd_t, pkcs_slotd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, pkcs_slotd_exec_t, pkcs_slotd_t)
++')
++
++########################################
++##
+ ## Create specific objects in the tmpfs directories
+ ## with a private type.
+ ##
+diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
+index 80c0b62..f5c7d98 100644
+--- a/policy/modules/contrib/sssd.te
++++ b/policy/modules/contrib/sssd.te
+@@ -221,6 +221,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ pkcs_domtrans(sssd_t)
+ pkcs_read_lock(sssd_t)
+ ')
+
+--
+1.8.3.1
+
diff --git a/backport-Allow-system-dbus-daemon-watch-generic-directories-i.patch b/backport-Allow-system-dbus-daemon-watch-generic-directories-i.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3088d570a7dd57e8b8953a14d8381cc0f9584953
--- /dev/null
+++ b/backport-Allow-system-dbus-daemon-watch-generic-directories-i.patch
@@ -0,0 +1,30 @@
+From 9935be1702ce951d1582e80ae8d747183ed34a5e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 8 Apr 2022 14:02:48 +0200
+Subject: [PATCH] Allow system dbus daemon watch generic directories in
+ /var/lib
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9935be1702ce951d1582e80ae8d747183ed34a5e
+Conflict: NA
+
+Resolves: rhbz#1928365
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/dbus.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
+index 76fb3b6..ced5149 100644
+--- a/policy/modules/contrib/dbus.te
++++ b/policy/modules/contrib/dbus.te
+@@ -107,6 +107,7 @@ dev_rw_inherited_dri(system_dbusd_t)
+ files_read_var_lib_symlinks(system_dbusd_t)
+ files_rw_inherited_non_security_files(system_dbusd_t)
+ files_watch_usr_dirs(system_dbusd_t)
++files_watch_var_lib_dirs(system_dbusd_t)
+
+ fs_getattr_all_fs(system_dbusd_t)
+ fs_search_auto_mountpoints(system_dbusd_t)
+--
+1.8.3.1
+
diff --git a/backport-Allow-systemd-gpt-auto-generator-create-and-use-netl.patch b/backport-Allow-systemd-gpt-auto-generator-create-and-use-netl.patch
new file mode 100644
index 0000000000000000000000000000000000000000..12c6c2f0efc7bee034201403cb910ef75af0b2f4
--- /dev/null
+++ b/backport-Allow-systemd-gpt-auto-generator-create-and-use-netl.patch
@@ -0,0 +1,33 @@
+From 8398b1833c1168ac30ef8e13db39f50c187503cb Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 14 Apr 2022 18:37:38 +0200
+Subject: [PATCH] Allow systemd-gpt-auto-generator create and use
+ netlink_kobject_uevent_socket
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/8398b1833c1168ac30ef8e13db39f50c187503cb
+Conflict: NA
+
+Addresses the following AVC denial:
+type=AVC msg=audit(1649951765.765:599): avc: denied { create } for pid=35143 comm="systemd-gpt-aut" scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=netlink_kobject_uevent_socket permissive=0
+
+Resolves: rhbz#2075589
+Signed-off-by: lujie54
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 8fe3eb9..a9308b8 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1106,6 +1106,7 @@ systemd_read_efivarfs(systemd_hwdb_t)
+ #
+
+ allow systemd_gpt_generator_t self:capability sys_rawio;
++allow systemd_gpt_generator_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ dev_read_sysfs(systemd_gpt_generator_t)
+ dev_write_kmsg(systemd_gpt_generator_t)
+--
+1.8.3.1
+
diff --git a/backport-Allow-systemd-logind-dbus-chat-with-sosreport.patch b/backport-Allow-systemd-logind-dbus-chat-with-sosreport.patch
new file mode 100644
index 0000000000000000000000000000000000000000..83a2eccb6b9cb4ee82fdb4617b9364ef3b156ec3
--- /dev/null
+++ b/backport-Allow-systemd-logind-dbus-chat-with-sosreport.patch
@@ -0,0 +1,31 @@
+From 676fdceecce7f6e31c7ffdd9ecebb579fb7e4fb6 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 24 Feb 2022 12:29:52 +0100
+Subject: [PATCH] Allow systemd-logind dbus chat with sosreport
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/676fdceecce7f6e31c7ffdd9ecebb579fb7e4fb6
+Conflict: NA
+
+Signed-off-by: lujie54
+---
+ policy/modules/system/systemd.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 3eabe11..8d96c4b 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -404,6 +404,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ sosreport_dbus_chat(systemd_logind_t)
++')
++
++optional_policy(`
+ # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
+ xserver_search_xdm_tmp_dirs(systemd_logind_t)
+ ')
+--
+1.8.3.1
+
diff --git a/backport-Allow-systemd-sysctl-read-the-security-state-informa.patch b/backport-Allow-systemd-sysctl-read-the-security-state-informa.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bdbfdec50992a23510a248d52f153baf79611a77
--- /dev/null
+++ b/backport-Allow-systemd-sysctl-read-the-security-state-informa.patch
@@ -0,0 +1,34 @@ +From 6d9183e183a32e3ff2caadaa4942f56aa82abe91 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 21 Feb 2022 12:55:00 +0100 +Subject: [PATCH] Allow systemd-sysctl read the security state information + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6d9183e183a32e3ff2caadaa4942f56aa82abe91 +Conflict: NA + +Addresses the following AVC denial: +Feb 19 14:19:22 audit[641]: AVC avc: denied { read } for pid=641 comm="systemd-sysctl" name="suid_dumpable" dev="proc" ino=400 scontext=system_u:system_r:systemd_sysctl_t:s0 tcontext=system_u:object_r:proc_security_t:s0 tclass=file permissive=0 +Feb 19 14:19:22 audit[641]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd162b13d0 a2=80102 a3=0 items=0 ppid=1 pid=641 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sysctl" exe="/usr/lib/systemd/systemd-sysctl" subj=system_u:system_r:systemd_sysctl_t:s0 key=(null) +Feb 19 14:19:22 audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-sysctl" + +Resolves: rhbz#2056207 +Signed-off-by: lujie54 +--- + policy/modules/system/systemd.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 97cc111..3eabe11 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1024,6 +1024,7 @@ allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms; + kernel_dgram_send(systemd_sysctl_t) + kernel_request_load_module(systemd_sysctl_t) + kernel_rw_all_sysctls(systemd_sysctl_t) ++kernel_read_security_state(systemd_sysctl_t) + kernel_write_security_state(systemd_sysctl_t) + + files_read_system_conf_files(systemd_sysctl_t) +-- +1.8.3.1 + 
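Review bot: `kernel_read_security_state(systemd_sysctl_t)` is inserted after `kernel_rw_all_sysctls`, which breaks the alphabetical ordering the surrounding `kernel_*` calls follow; by that convention it belongs between `kernel_dgram_send` and `kernel_request_load_module`, directly before the module-load line. The denial itself (read of suid_dumpable labelled proc_security_t) matches what the interface grants, so only the placement is at issue.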
diff --git a/backport-Allow-userdomain-read-symlinks-in-var-lib.patch b/backport-Allow-userdomain-read-symlinks-in-var-lib.patch new file mode 100644 index 0000000000000000000000000000000000000000..03543fe0764e941a9110128a0f0cbadd8c405fdd --- /dev/null +++ b/backport-Allow-userdomain-read-symlinks-in-var-lib.patch 
@@ -0,0 +1,36 @@ +From dc983b88ad1043c43de1cc19d579debcd10a778d Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 15 Feb 2022 11:44:23 +0100 +Subject: [PATCH] Allow userdomain read symlinks in /var/lib + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/dc983b88ad1043c43de1cc19d579debcd10a778d +Conflict: NA + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(02/15/22 11:39:56.020:247) : proctitle=/usr/bin/gnome-software --gapplication-service +type=PATH msg=audit(02/15/22 11:39:56.020:247) : item=0 name=/var/lib/flatpak/appstream/flathub/x86_64/active/appstream.xml.gz nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=CWD msg=audit(02/15/22 11:39:56.020:247) : cwd=/home/user +type=SYSCALL msg=audit(02/15/22 11:39:56.020:247) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7fb66c6f8da0 a1=F_OK a2=0x0 a3=0x20 items=1 ppid=1460 pid=2035 auid=user uid=user gid=user euid=user suid=user fsuid=user egid=user sgid=user fsgid=user tty=(none) ses=3 comm=pool-org.gnome. exe=/usr/bin/gnome-software subj=user_u:user_r:user_t:s0 key=(null) +type=AVC msg=audit(02/15/22 11:39:56.020:247) : avc: denied { read } for pid=2035 comm=pool-org.gnome. 
name=active dev="vda2" ino=387091 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=lnk_file permissive=0 + +Signed-off-by: lujie54 +--- + policy/modules/system/userdomain.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index 69b460f..3ac8c12 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -387,6 +387,7 @@ tunable_policy(`deny_bluetooth',`',` + dev_watch_generic_dirs(login_userdomain) + + files_map_var_lib_files(login_userdomain) ++files_read_var_lib_symlinks(login_userdomain) + files_watch_etc_dirs(login_userdomain) + files_watch_etc_files(login_userdomain) + files_watch_system_conf_dirs(login_userdomain) +-- +1.8.3.1 + diff --git a/backport-Label-var-run-ecblp0-pipe-with-cupsd_var_run_t.patch b/backport-Label-var-run-ecblp0-pipe-with-cupsd_var_run_t.patch new file mode 100644 index 0000000000000000000000000000000000000000..be5c5770e51cdf4cab2d862db31e838d910f7a68 --- /dev/null +++ b/backport-Label-var-run-ecblp0-pipe-with-cupsd_var_run_t.patch 
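Review bot: The inner hunk header names the deny_bluetooth tunable_policy block as the nearest preceding construct, and the indentation of the context lines is lost in this rendering, so it is not clear from the patch whether `files_read_var_lib_symlinks(login_userdomain)` lands at file scope or inside that tunable's else-branch; if the latter, the rule would apply only when deny_bluetooth is off, which is unrelated to the denial being fixed. Worth confirming against userdomain.te once the patch is applied. The AVC is for user_t, whereas the rule is granted to the whole `login_userdomain` attribute; that matches the neighbouring `files_map_var_lib_files` rule but is broader than the reported case, and the message could say that the broader grant is intended.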
@@ -0,0 +1,34 @@ +From a203bc37147e4480375faebc76021e7548790c70 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 14 Mar 2022 14:20:15 +0100 +Subject: [PATCH] Label /var/run/ecblp0 pipe with cupsd_var_run_t + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/a203bc37147e4480375faebc76021e7548790c70 +Conflict: NA + +With the edce3e31ec2 (Label /var/run/ecblp0 as cupsd_var_run_t) commit, +default file context for /var/run/ecblp0 was defined for a plain file +instead of a named pipe which is actually used by epson drivers. + +Resolves: rhbz#2061427 +Signed-off-by: lujie54 +--- + policy/modules/contrib/cups.fc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/contrib/cups.fc b/policy/modules/contrib/cups.fc +index f09217f..467eb7e 100644 +--- a/policy/modules/contrib/cups.fc ++++ b/policy/modules/contrib/cups.fc +@@ -70,7 +70,7 @@ + /var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0) + /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh) + /var/run/hplip(/.*) gen_context(system_u:object_r:cupsd_var_run_t,s0) +-/var/run/ecblp0 -- gen_context(system_u:object_r:cupsd_var_run_t,s0) ++/var/run/ecblp0 -p gen_context(system_u:object_r:cupsd_var_run_t,s0) + /var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0) + /var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0) + /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) +-- +1.8.3.1 + diff --git a/backport-Support-using-systemd-update-helper-in-rpm-scriptlet.patch b/backport-Support-using-systemd-update-helper-in-rpm-scriptlet.patch new file mode 100644 index 0000000000000000000000000000000000000000..0dd67a1814b4a06c32bfca5e7699645c6e53e49b --- /dev/null +++ b/backport-Support-using-systemd-update-helper-in-rpm-scriptlet.patch 
@@ -0,0 +1,90 @@ +From f5b0c2d2f6ed3f4039129eb7c76b91f6cf819498 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 8 Jul 2022 15:20:59 +0200 +Subject: [PATCH] Support using systemd-update-helper in rpm scriptlets + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/f5b0c2d2f6ed3f4039129eb7c76b91f6cf819498 +Conflict: NA + +Addresses the following AVC denials, dontaudited by default: +type=AVC msg=audit(07/08/2022 15:03:18.969:819) : avc: denied { read write } for pid=1 comm=systemd path=socket:[47621] dev="sockfs" ino=47621 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 + +type=PROCTITLE msg=audit(07/08/2022 15:06:59.478:968) : proctitle=dbus-broker --log 4 --controller 9 --machine-id 31c23619ce0349e999f66291729cc4f6 --max-bytes 536870912 --max-fds 4096 --max-matc +type=SYSCALL msg=audit(07/08/2022 15:06:59.478:968) : arch=x86_64 syscall=recvmsg success=yes exit=720 a0=0x10 a1=0x7ffe701a5890 a2=MSG_DONTWAIT|MSG_CMSG_CLOEXEC a3=0xffffffff items=0 ppid=561 pid=567 auid=unset uid=dbus gid=dbus euid=dbus suid=dbus fsuid=dbus egid=dbus sgid=dbus fsgid=dbus tty=(none) ses=unset comm=dbus-broker exe=/usr/bin/dbus-broker subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(07/08/2022 15:06:59.478:968) : avc: denied { read write } for pid=567 comm=dbus-broker path=socket:[51281] dev="sockfs" ino=51281 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 + +The rpm_script_rw_stream_sockets() interface was added. 
+ +Resolves: rhbz#2100528 +Signed-off-by: lujie54 +--- + policy/modules/contrib/dbus.te | 4 ++++ + policy/modules/contrib/rpm.if | 20 ++++++++++++++++++++ + policy/modules/system/init.te | 1 + + 3 files changed, 25 insertions(+) + +diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te +index ced5149..a0f5679 100644 +--- a/policy/modules/contrib/dbus.te ++++ b/policy/modules/contrib/dbus.te +@@ -215,6 +215,10 @@ optional_policy(` + ') + + optional_policy(` ++ rpm_script_rw_stream_sockets(system_dbusd_t) ++') ++ ++optional_policy(` + snapper_read_inherited_pipe(system_dbusd_t) + ') + +diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if +index 190f3e2..c6833ba 100644 +--- a/policy/modules/contrib/rpm.if ++++ b/policy/modules/contrib/rpm.if +@@ -958,6 +958,7 @@ interface(`rpm_admin',` + rpm_run($1, $2) + ') + ++####################################### + ## + ## Allow the specified domain to ioctl rpm_script_t + ## with a unix domain stream socket. +@@ -975,3 +976,22 @@ interface(`rpm_script_ioctl_stream_sockets',` + + allow $1 rpm_script_t:unix_stream_socket ioctl; + ') ++ ++####################################### ++## ++## Allow the specified domain read and write to rpm_script_t ++## over a unix domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_script_rw_stream_sockets',` ++ gen_require(` ++ type rpm_script_t; ++ ') ++ ++ allow $1 rpm_script_t:unix_stream_socket { read write }; ++') +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index f772288..f12a937 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -521,6 +521,7 @@ optional_policy(` + optional_policy(` + rpm_read_db(init_t) + rpm_script_ioctl_stream_sockets(init_t) ++ rpm_script_rw_stream_sockets(init_t) + ') + + optional_policy(` +-- +1.8.3.1 + 
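Review bot: `rpm_script_rw_stream_sockets` grants `allow $1 rpm_script_t:unix_stream_socket { read write };` on any stream socket labelled rpm_script_t that the caller holds, and it is handed to both init_t and system_dbusd_t; the commit message says these denials are dontaudited by default, which implies an existing dontaudit for the same read/write on rpm_script_t sockets in init.te or dbus.te that the new allow now shadows and that could be dropped in the same change. The interface description says only "read and write to rpm_script_t over a unix domain stream socket" and does not record why pid 1 and the bus daemon need it; a line in the `##` block such as `The socket is presumably inherited from an rpm scriptlet invoking systemd-update-helper.` would preserve the rationale from the AVC (path=socket:[...] with tcontext rpm_script_t) next to the rule.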
diff --git a/backport-filesystem-add-fs_use_trans-for-ramfs.patch b/backport-filesystem-add-fs_use_trans-for-ramfs.patch new file mode 100644 index 0000000000000000000000000000000000000000..5680fc4215052c5a03b6205418553113970d29d4 --- /dev/null +++ b/backport-filesystem-add-fs_use_trans-for-ramfs.patch @@ -0,0 +1,42 @@ +From a7697467e082ffd4f68a9e03539db3578b5f34d5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Wed, 27 Oct 2021 21:18:27 +0200 +Subject: [PATCH] filesystem: add fs_use_trans for ramfs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/a7697467e082ffd4f68a9e03539db3578b5f34d5 +Conflict: NA + +Enable extended attributes for inodes on ramfs filesystems, similar to +tmpfs filesystems. + +For example systemd uses ramfs for service credentials[1], and xattr +support is needed for per service based labeling[2]. + +[1]: https://www.freedesktop.org/software/systemd/man/systemd-creds.html +[2]: https://github.com/systemd/systemd/pull/21158 + +Signed-off-by: Christian Göttsche +Signed-off-by: lujie54 +--- + policy/modules/kernel/filesystem.te | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te +index 1941da1..6a2ad8c 100644 +--- a/policy/modules/kernel/filesystem.te ++++ b/policy/modules/kernel/filesystem.te +@@ -178,7 +178,7 @@ genfscon pstore / gen_context(system_u:object_r:pstore_t,s0) + type ramfs_t; + fs_type(ramfs_t) + files_mountpoint(ramfs_t) +-genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0) ++fs_use_trans ramfs gen_context(system_u:object_r:ramfs_t,s0); + + type romfs_t; + fs_type(romfs_t) +-- +1.8.3.1 + diff --git a/selinux-policy.spec b/selinux-policy.spec index 08f284113ab8d2325ebad3a611977839ff0c3a65..ef5388868bb4ac546f0f1aa6523d2ce591170abf 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
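Review bot: Switching ramfs from `genfscon` to `fs_use_trans` changes how every inode on a ramfs mount is labelled: instead of all objects being ramfs_t, a new inode gets the label computed from the creating domain's type_transition rules (falling back to ramfs_t) and, where the kernel supports it, can be relabelled, so any domain whose access to ramfs content relied on it always being ramfs_t should be checked before this lands. The header's claim of xattr support should be treated as a property of the kernel, not the policy: whether setfilecon on a ramfs inode actually works depends on the target kernel's ramfs xattr handlers, so the backport should be validated on the distribution kernel rather than only on the one where the systemd pull request cited as [2] was tested. A short line in the patch header naming the kernel version it was verified against would help future backporters.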
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 35.5 -Release: 10 +Release: 11 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ 
@@ -134,6 +134,27 @@
 Patch6066: backport-Allow-confined-sysadmin-to-use-tool-vipw.patch
 Patch6067: backport-Allow-sysadm_passwd_t-to-relabel-passwd-and-group-fi.patch
 Patch6068: backport-Allow-systemd-networkd-create-and-use-netlink-netfil.patch
 Patch6069: backport-Allow-iptables-list-cgroup-directories.patch
+Patch6070: backport-filesystem-add-fs_use_trans-for-ramfs.patch
+Patch6071: backport-Allow-userdomain-read-symlinks-in-var-lib.patch
+Patch6072: backport-Allow-systemd-sysctl-read-the-security-state-informa.patch
+Patch6073: backport-Allow-sosreport-dbus-chat-abrt-systemd-timedatex.patch
+Patch6074: backport-Allow-chronyd-send-a-message-to-sosreport-over-datag.patch
+Patch6075: backport-Allow-systemd-logind-dbus-chat-with-sosreport.patch
+Patch6076: backport-Allow-init-watch-and-watch_reads-user-ttys.patch
+Patch6077: backport-Allow-rngd-drop-privileges-via-setuid-setgid-setcap.patch
+Patch6078: backport-Allow-rpmdb-create-directory-in-usr-lib-sysimage.patch
+Patch6079: backport-Label-var-run-ecblp0-pipe-with-cupsd_var_run_t.patch
+Patch6080: backport-Add-systemd_getattr_generic_unit_files-interface.patch
+Patch6081: backport-Allow-chronyd-talk-with-unconfined-user-over-unix-do.patch
+Patch6082: backport-Add-the-init_append_stream_sockets-interface.patch
+Patch6083: backport-Add-the-corecmd_watch_bin_dirs-interface.patch
+Patch6084: backport-Allow-pcscd-the-sys_ptrace-userns-capability.patch
+Patch6085: backport-Allow-system-dbus-daemon-watch-generic-directories-i.patch
+Patch6086: backport-Allow-pppd-create-a-file-in-the-locks-directory.patch
+Patch6087: backport-Allow-keepalived-setsched-and-sys_nice.patch
+Patch6088: backport-Allow-sssd-domtrans-to-pkcs_slotd_t.patch
+Patch6089: backport-Allow-systemd-gpt-auto-generator-create-and-use-netl.patch
+Patch6090: backport-Support-using-systemd-update-helper-in-rpm-scriptlet.patch
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -804,6 +825,9 @@ exit 0 %endif %changelog +* Tue Sep 13 2022 lujie - 35.5-11 +- backport upstream patches + * Tue Sep 13 2022 lujie - 35.5-10 - backport upstream patches