From 72d92e8e1b6d81b08f1303544d7a8f3696984b4d Mon Sep 17 00:00:00 2001 
From: lujie54
Date: Thu, 15 Sep 2022 10:25:08 +0800
Subject: [PATCH] backport upstream patches
(cherry picked from commit bed9e54ba5b7bdd343cb206debfe27be301e9bc5)
---
 ...to-manage-lnk_files-into-gnome_manag.patch | 38 +++++++
 ...om_prog_run_bpf_userdomain-interface.patch | 45 ++++++++
 ...ent-manage-pid-files-used-by-chronyd.patch | 62 +++++++++++
 ...ain-use-userfaultfd-over-all-domains.patch | 33 ++++++
 ...read-the-contents-of-the-sysfs-files.patch | 35 ++++++
 ...sid-the-sys_ptrace-userns-capability.patch | 29 +++++
 ...ch-xenstored-read-filesystem-sysctls.patch | 33 ++++++
 ...erdomain-check-status-of-mount-units.patch | 39 +++++++
 ...-Allow-openvswitch-fsetid-capability.patch | 40 +++++++
 ...llow-openvswitch-search-tracefs-dirs.patch | 68 ++++++++++++
 ...h-use-its-private-tmpfs-files-and-di.patch | 44 ++++++++
 ...nux-read-files-on-an-nfsd-filesystem.patch | 32 ++++++
 ...network-state-information-and-networ.patch | 35 ++++++
 ...llow-services-execute-systemd-notify.patch | 82 ++++++++++++++
 ...ort-Allow-some-domains-use-sd_notify.patch | 100 ++++++++++++++++++
 ...o-run-bpftool-on-the-userdomain-attr.patch | 34 ++++++
 ...temd-watch-and-watch_reads-user-ptys.patch | 92 ++++++++++++++++
 ...t-Allow-xdm-read-the-kernel-key-ring.patch | 66 ++++++++++++
 ...allow-login_userdomain-use-sd_notify.patch | 35 ++++++
 selinux-policy.spec | 24 ++++-
 20 files changed, 965 insertions(+), 1 deletion(-)
 create mode 100644 backport-Add-permissions-to-manage-lnk_files-into-gnome_manag.patch
 create mode 100644 backport-Add-the-userdom_prog_run_bpf_userdomain-interface.patch
 create mode 100644 backport-Allow-dhclient-manage-pid-files-used-by-chronyd.patch
 create mode 100644 backport-Allow-domain-use-userfaultfd-over-all-domains.patch
 create mode 100644 backport-Allow-firewalld-read-the-contents-of-the-sysfs-files.patch
 create mode 100644 backport-Allow-iscsid-the-sys_ptrace-userns-capability.patch
 create mode 100644 backport-Allow-launch-xenstored-read-filesystem-sysctls.patch
 create mode 100644 backport-Allow-login_userdomain-check-status-of-mount-units.patch
 create mode 100644 backport-Allow-openvswitch-fsetid-capability.patch
 create mode 100644 backport-Allow-openvswitch-search-tracefs-dirs.patch
 create mode 100644 backport-Allow-openvswitch-use-its-private-tmpfs-files-and-di.patch
 create mode 100644 backport-Allow-pmdalinux-read-files-on-an-nfsd-filesystem.patch
 create mode 100644 backport-Allow-pmie-read-network-state-information-and-networ.patch
 create mode 100644 backport-Allow-services-execute-systemd-notify.patch
 create mode 100644 backport-Allow-some-domains-use-sd_notify.patch
 create mode 100644 backport-Allow-sysadm_t-to-run-bpftool-on-the-userdomain-attr.patch
 create mode 100644 backport-Allow-systemd-watch-and-watch_reads-user-ptys.patch
 create mode 100644 backport-Allow-xdm-read-the-kernel-key-ring.patch
 create mode 100644 backport-Do-not-allow-login_userdomain-use-sd_notify.patch
diff --git a/backport-Add-permissions-to-manage-lnk_files-into-gnome_manag.patch b/backport-Add-permissions-to-manage-lnk_files-into-gnome_manag.patch
new file mode 100644
index 0000000..c89603b
--- /dev/null
+++ b/backport-Add-permissions-to-manage-lnk_files-into-gnome_manag.patch
@@ -0,0 +1,38 @@
+From 705fc27141d8aeb736fecdd6a6048f59c55f6d1f Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 27 Jul 2022 18:11:34 +0200
+Subject: [PATCH] Add permissions to manage lnk_files into
+ gnome_manage_home_config
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/705fc27141d8aeb736fecdd6a6048f59c55f6d1f
+Conflict: NA
+
+The gnome_manage_home_config() interface contains manage_files_pattern()
+call for config_home_t files only, but symlinks can be there, too.
+
+Addresses the following AVC denial:
+type=AVC msg=audit(1652884370.574:523): avc: denied { unlink } for pid=45745 comm="systemd-user-ru" name="user" dev="tmpfs" ino=240 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=unconfined_u:object_r:config_home_t:s0 tclass=lnk_file permissive=0
+
+Resolves: rhbz#2088269
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/gnome.if | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
+index 1d62f2a..f52d635 100644
+--- a/policy/modules/contrib/gnome.if
++++ b/policy/modules/contrib/gnome.if
+@@ -1398,7 +1398,8 @@ interface(`gnome_manage_home_config',`
+ ')
+
+ manage_files_pattern($1, config_home_t, config_home_t)
+- allow $1 config_home_t:file map;
++ manage_lnk_files_pattern($1, config_home_t, config_home_t)
++ allow $1 config_home_t:file map;
+ ')
+
+ #######################################
+-- 
+1.8.3.1
+
diff --git a/backport-Add-the-userdom_prog_run_bpf_userdomain-interface.patch b/backport-Add-the-userdom_prog_run_bpf_userdomain-interface.patch
new file mode 100644
index 0000000..b845ac4
--- /dev/null
+++ b/backport-Add-the-userdom_prog_run_bpf_userdomain-interface.patch
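Review bot: The `Reference:` line in the added patch header points at `gitbub.com` instead of `github.com`, so it does not resolve to the upstream commit a reviewer would use to verify this backport; the same typo is present in every other backport-*.patch file added by this commit, so it is worth fixing in all of them before merging. The corrected line here would be `+Reference: https://github.com/fedora-selinux/selinux-policy/commit/705fc27141d8aeb736fecdd6a6048f59c55f6d1f`. The policy change itself, adding `manage_lnk_files_pattern($1, config_home_t, config_home_t)` to gnome_manage_home_config, matches the quoted lnk_file unlink denial and is scoped to the existing config_home_t type.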
@@ -0,0 +1,45 @@
+From aa0d31bad83cf8664e5b415b55022deaa0648552 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 2 Aug 2022 16:31:48 +0200
+Subject: [PATCH] Add the userdom_prog_run_bpf_userdomain() interface
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/aa0d31bad83cf8664e5b415b55022deaa0648552
+Conflict: NA
+
+The userdom_prog_run_bpf_userdomain() interface was added
+to allow the caller domain to run bpftool on the userdomain attribute.
+
+Signed-off-by: lujie54
+---
+ policy/modules/system/userdomain.if | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index aeb2deb..e14a3c5 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -6809,3 +6809,21 @@ template(`userdom_security_admin_template',`
+ samhain_run($1, $2)
+ ')
+ ')
++#
++########################################
++##
++## Allow caller domain to run bpftool on userdomain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_prog_run_bpf_userdomain',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:bpf { map_create map_read map_write prog_load prog_run };
++')
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-dhclient-manage-pid-files-used-by-chronyd.patch b/backport-Allow-dhclient-manage-pid-files-used-by-chronyd.patch
new file mode 100644
index 0000000..c1d921f
--- /dev/null
+++ b/backport-Allow-dhclient-manage-pid-files-used-by-chronyd.patch
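Review bot: `userdom_prog_run_bpf_userdomain` grants `map_create map_read map_write prog_load prog_run` against every type carrying the `userdomain` attribute and places no constraint on the caller, so whichever domain invokes it can load and run BPF programs and read or write maps labelled as any user domain, not only the administrative one the series intends; the interface summary should name the intended callers so later reuse is deliberate. The doc block above the interface appears here as bare `##` lines with nothing after `##` where refpolicy's `<summary>` and `<param name="domain">` tags would normally be; the same applies to the interface doc blocks in the chronyd, tracefs, systemd-notify and sd_notify backports, so verify the files against upstream before they are applied, since the policy doc tooling parses those tags. The template this hunk appends to ends inside the quoted context, so the new interface is placed after `userdom_security_admin_template` rather than inside it.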
@@ -0,0 +1,62 @@
+From bf1751a3a139dfb05160330d04f68d4ab89a80f4 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 21 Jun 2022 17:45:28 +0200
+Subject: [PATCH] Allow dhclient manage pid files used by chronyd
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/bf1751a3a139dfb05160330d04f68d4ab89a80f4
+Conflict: NA
+
+The chronyd_manage_pid_files() interface was added.
+
+Resolves: rhbz#2093709
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/chronyd.if | 19 +++++++++++++++++++
+ policy/modules/system/sysnetwork.te | 1 +
+ 2 files changed, 20 insertions(+)
+
+diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
+index cad4d31..d2f5504 100644
+--- a/policy/modules/contrib/chronyd.if
++++ b/policy/modules/contrib/chronyd.if
+@@ -236,6 +236,25 @@ interface(`chronyd_manage_pid',`
+ manage_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
+ ')
+
++########################################
++##
++## Manage pid files used by chronyd
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`chronyd_manage_pid_files',`
++ gen_require(`
++ type chronyd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ manage_files_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
++')
++
+ ######################################
+ ##
+ ## Create objects in /var/run
+diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
+index 1bb35d1..41b851f 100644
+--- a/policy/modules/system/sysnetwork.te
++++ b/policy/modules/system/sysnetwork.te
+@@ -201,6 +201,7 @@ optional_policy(`
+ chronyd_systemctl(dhcpc_t)
+ chronyd_domtrans(dhcpc_t)
+ chronyd_domtrans_chronyc(dhcpc_t)
++ chronyd_manage_pid_files(dhcpc_t)
+ chronyd_read_keys(dhcpc_t)
+ ')
+
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-domain-use-userfaultfd-over-all-domains.patch b/backport-Allow-domain-use-userfaultfd-over-all-domains.patch
new file mode 100644
index 0000000..1961835
--- /dev/null
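Review bot: `chronyd_manage_pid_files` hands the caller the full `manage_files_pattern` set (create, write, unlink, rename) over chronyd_var_run_t files, and it is granted to dhcpc_t, yet the commit message records no AVC, so a reader cannot tell whether dhclient needs more than read/write on chronyd's pid file or why an existing narrower interface would not do. The message should quote the denial that motivated the change, and if only write access was denied a read/write pattern would be the least-privilege choice. The `chronyd_manage_pid` interface just above already covers the directory, so the split into a separate files interface is consistent with the file's conventions.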
+++ b/backport-Allow-domain-use-userfaultfd-over-all-domains.patch
@@ -0,0 +1,33 @@
+From 3befcf9bdea867fca0d980871e251191fe234586 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 22 Jun 2022 21:27:59 +0200
+Subject: [PATCH] Allow domain use userfaultfd over all domains
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3befcf9bdea867fca0d980871e251191fe234586
+Conflict: NA
+
+Until now, all processes were allowed to use userfaultfd as well other
+anon_inodes to get a file descriptor from the same domain.
+Since this commit the permissions are allowed between different domains.
+
+Signed-off-by: lujie54
+---
+ policy/modules/kernel/domain.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
+index f1e0bd6..1289b4c 100644
+--- a/policy/modules/kernel/domain.te
++++ b/policy/modules/kernel/domain.te
+@@ -121,7 +121,7 @@ neverallow ~{ domain unlabeled_t } *:process *;
+ # Rules applied to all domains
+ #
+
+-allow domain self:anon_inode userfaultfd_anon_inode_perms;
++allow domain domain:anon_inode userfaultfd_anon_inode_perms;
+ # read /proc/(pid|self) entries
+ allow domain self:dir { list_dir_perms watch_dir_perms };
+ allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-firewalld-read-the-contents-of-the-sysfs-files.patch b/backport-Allow-firewalld-read-the-contents-of-the-sysfs-files.patch
new file mode 100644
index 0000000..0a429c9
--- /dev/null
+++ b/backport-Allow-firewalld-read-the-contents-of-the-sysfs-files.patch
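Review bot: `allow domain domain:anon_inode userfaultfd_anon_inode_perms;` turns a self-only rule into one that holds between every pair of domains, confined or not, and the message gives no denial or concrete use case for it, so a reader cannot judge whether the relaxation is needed or which pair of domains actually passes userfaultfd descriptors across the boundary. A change to the rules applied to all domains should record its trigger in the message so it can be revisited, and if the consumer is a specific pair of domains a targeted rule would leave the rest of the `domain` attribute unchanged. After this change the remaining control on cross-domain userfaultfd use is the kernel's own unprivileged-userfaultfd sysctl rather than the policy. The "Rules applied to all domains" block continues outside the quoted context.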
@@ -0,0 +1,35 @@
+From 6c9ef9467ee7e7c9d569a102b05869419409b15e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 27 Jun 2022 09:17:43 +0200
+Subject: [PATCH] Allow firewalld read the contents of the sysfs filesystem
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/6c9ef9467ee7e7c9d569a102b05869419409b15e
+Conflict: NA
+
+Addresses the following AVC denial which is triggered on the firewalld
+service start when it tries to read /sys/devices/system/cpu/possible:
+
+type=AVC msg=audit(1656139734.292:232): avc: denied { read } for pid=1396 comm="firewalld" name="possible" dev="sysfs" ino=46 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
+
+Resolves: rhbz#2101062
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/firewalld.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
+index 62cb02c..1c2d25e 100644
+--- a/policy/modules/contrib/firewalld.te
++++ b/policy/modules/contrib/firewalld.te
+@@ -81,7 +81,7 @@ corecmd_exec_bin(firewalld_t)
+ corecmd_exec_shell(firewalld_t)
+
+ dev_read_urand(firewalld_t)
+-dev_search_sysfs(firewalld_t)
++dev_read_sysfs(firewalld_t)
+
+ domain_use_interactive_fds(firewalld_t)
+ domain_obj_id_change_exemption(firewalld_t)
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-iscsid-the-sys_ptrace-userns-capability.patch b/backport-Allow-iscsid-the-sys_ptrace-userns-capability.patch
new file mode 100644
index 0000000..ab40405
--- /dev/null
+++ b/backport-Allow-iscsid-the-sys_ptrace-userns-capability.patch
@@ -0,0 +1,29 @@
+From db12459fc6360763f7358adff0026577f2d51261 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 31 May 2022 19:51:21 +0200
+Subject: [PATCH] Allow iscsid the sys_ptrace userns capability
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/db12459fc6360763f7358adff0026577f2d51261
+Conflict: NA
+
+Resolves: rhbz#2086871
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/iscsi.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/iscsi.te b/policy/modules/contrib/iscsi.te
+index 76a7607..5bcf209 100644
+--- a/policy/modules/contrib/iscsi.te
++++ b/policy/modules/contrib/iscsi.te
+@@ -36,6 +36,7 @@ files_pid_file(iscsi_var_run_t)
+ #
+
+ allow iscsid_t self:capability { dac_read_search ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource };
++allow iscsid_t self:cap_userns sys_ptrace;
+ allow iscsid_t self:process { setrlimit setsched signal };
+ allow iscsid_t self:fifo_file rw_fifo_file_perms;
+ allow iscsid_t self:unix_stream_socket { accept connectto listen };
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-launch-xenstored-read-filesystem-sysctls.patch b/backport-Allow-launch-xenstored-read-filesystem-sysctls.patch
new file mode 100644
index 0000000..f9d5e90
--- /dev/null
+++ b/backport-Allow-launch-xenstored-read-filesystem-sysctls.patch
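Review bot: `allow iscsid_t self:cap_userns sys_ptrace;` is added with only a bug reference and no denial or explanation of what iscsid does that needs it; a userns `sys_ptrace` check is commonly hit when a daemon merely walks /proc entries belonging to other processes, where the failed check is harmless and `dontaudit iscsid_t self:cap_userns sys_ptrace;` keeps the log clean without widening the domain. The message should record the denial and say why allowing was chosen over dontaudit, because iscsid_t already holds a broad capability set on the line above. The capability block continues outside the quoted context.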
@@ -0,0 +1,33 @@
+From 81ab7c124eea5b9227589286c69e08f3bbd3fe5e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 5 Aug 2022 21:13:32 +0200
+Subject: [PATCH] Allow launch-xenstored read filesystem sysctls
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/81ab7c124eea5b9227589286c69e08f3bbd3fe5e
+Conflict: NA
+
+Addresses the following AVC denial:
+Aug 02 13:10:18 doppelganger.flyn.org audit[949]: AVC avc: denied { search } for pid=949 comm="launch-xenstore" name="fs" dev="proc" ino=15591 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir permissive=1
+
+Resolves: rhbz#2114498
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/xen.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
+index c4bee9b..bbda603 100644
+--- a/policy/modules/contrib/xen.te
++++ b/policy/modules/contrib/xen.te
+@@ -450,6 +450,8 @@ files_var_lib_filetrans(xenstored_t, xenstored_var_lib_t, { file dir sock_file }
+
+ stream_connect_pattern(xenstored_t, evtchnd_var_run_t, evtchnd_var_run_t, evtchnd_t)
+
++kernel_read_fs_sysctls(xenstored_t)
++
+ auth_use_nsswitch(xenstored_t)
+
+ can_exec(xenstored_t, xenstored_exec_t)
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-login_userdomain-check-status-of-mount-units.patch b/backport-Allow-login_userdomain-check-status-of-mount-units.patch
new file mode 100644
index 0000000..7f58afe
--- /dev/null
+++ b/backport-Allow-login_userdomain-check-status-of-mount-units.patch
@@ -0,0 +1,39 @@
+From 68f9e4a144df544adc7fa733a64ac505f8189373 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 10 Aug 2022 17:08:03 +0200
+Subject: [PATCH] Allow login_userdomain check status of mount units
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/68f9e4a144df544adc7fa733a64ac505f8189373
+Conflict: NA
+
+Allow systemd user manager running in the context of the logged user
+check status of mount units:
+
+systemctl --user status/show run-user-ID.mount
+
+Addresses the following AVC denial:
+
+Jul 28 11:26:24 hostname systemd[1483]: selinux: avc: denied { status } for auid=1000 uid=1000 gid=1000 path="/proc/self/mountinfo" cmdline="/usr/bin/gnome-shell" function="mac_selinux_filter" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=service permissive=0
+
+Resolves: rhbz#2111834
+Signed-off-by: lujie54
+---
+ policy/modules/system/userdomain.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 3ac8c12..5576a97 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -372,6 +372,8 @@ optional_policy(`
+ ############################################################
+ # login_userdomain local policy
+
++allow login_userdomain self:service status;
++
+ corenet_tcp_bind_xmsg_port(login_userdomain)
+
+ create_blk_files_pattern(login_userdomain, user_tmp_t, user_tmp_t )
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-openvswitch-fsetid-capability.patch b/backport-Allow-openvswitch-fsetid-capability.patch
new file mode 100644
index 0000000..b1aef32
--- /dev/null
+++ b/backport-Allow-openvswitch-fsetid-capability.patch
@@ -0,0 +1,40 @@
+From e7afdeddde3b9bc8419032fe753e404947a5f2e9 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 8 Aug 2022 16:53:05 +0200
+Subject: [PATCH] Allow openvswitch fsetid capability
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/e7afdeddde3b9bc8419032fe753e404947a5f2e9
+Conflict: NA
+
+Working directories used by openvswitch are handled in
+/usr/share/openvswitch/scripts/ovs-lib using the install command
+with explicit permission mode settings.
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(08/08/2022 10:51:16.059:173) : proctitle=install -d -m 755 -o openvswitch -g hugetlbfs /var/run/openvswitch
+type=PATH msg=audit(08/08/2022 10:51:16.059:173) : item=0 name=(null) inode=972 dev=00:1a mode=dir,700 ouid=openvswitch ogid=hugetlbfs rdev=00:00 obj=system_u:object_r:openvswitch_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(08/08/2022 10:51:16.059:173) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0x3 a1=0755 a2=0x0 a3=0x1000 items=1 ppid=579 pid=660 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=install exe=/usr/bin/install subj=system_u:system_r:openvswitch_t:s0 key=(null)
+type=AVC msg=audit(08/08/2022 10:51:16.059:173) : avc: denied { fsetid } for pid=660 comm=install capability=fsetid scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
+
+Resolves: rhbz#2103487
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/openvswitch.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
+index 95acc29..ed4a73d 100644
+--- a/policy/modules/contrib/openvswitch.te
++++ b/policy/modules/contrib/openvswitch.te
+@@ -35,7 +35,7 @@ systemd_unit_file(openvswitch_unit_file_t)
+ # openvswitch local policy
+ #
+
+-allow openvswitch_t self:capability { dac_override dac_read_search fowner net_broadcast net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
++allow openvswitch_t self:capability { dac_override dac_read_search fowner fsetid net_broadcast net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill };
+ allow openvswitch_t self:capability2 block_suspend;
+ allow openvswitch_t self:process { fork setsched setrlimit signal setcap };
+ allow openvswitch_t self:fifo_file rw_fifo_file_perms;
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-openvswitch-search-tracefs-dirs.patch b/backport-Allow-openvswitch-search-tracefs-dirs.patch
new file mode 100644
index 0000000..b5cfe3a
--- /dev/null
+++ b/backport-Allow-openvswitch-search-tracefs-dirs.patch
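Review bot: The quoted audit record shows `install -d -m 755` with `success=yes exit=0`, so the fchmod completed without `fsetid`: the kernel consults CAP_FSETID on a mode change only to decide whether to strip the setgid bit, and the explicit 0755 mode carries none, which is why the denial had no functional effect. Adding `fsetid` to the openvswitch_t capability set is therefore wider than the observed need; `dontaudit openvswitch_t self:capability fsetid;` would silence the record while keeping the domain unable to preserve setuid/setgid bits on files it chmods, unless ovs-lib is known to rely on that. The message should state which of the two was intended. The openvswitch local policy block continues outside the quoted context.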
@@ -0,0 +1,68 @@
+From bae18addf147f786b24a7d2fabdaf50629bf2565 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 8 Aug 2022 13:13:35 +0200
+Subject: [PATCH] Allow openvswitch search tracefs dirs
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/bae18addf147f786b24a7d2fabdaf50629bf2565
+Conflict: NA
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(08/08/2022 05:46:18.724:169) : proctitle=modprobe openvswitch
+type=KERN_MODULE msg=audit(08/08/2022 05:46:18.724:169) : name=openvswitch
+type=SYSCALL msg=audit(08/08/2022 05:46:18.724:169) : arch=x86_64 syscall=init_module success=yes exit=0 a0=0x5630bbc2d8a0 a1=0xbde36 a2=0x5630b96f9cd2 a3=0x5 items=0 ppid=676 pid=680 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:openvswitch_t:s0 key=(null)
+type=AVC msg=audit(08/08/2022 05:46:18.724:169) : avc: denied { search } for pid=680 comm=modprobe name=events dev="tracefs" ino=69 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
+
+The fs_search_tracefs_dirs() interface was added.
+
+Resolves: rhbz#2103487
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/openvswitch.te | 1 +
+ policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
+index 3092492..9ed1587 100644
+--- a/policy/modules/contrib/openvswitch.te
++++ b/policy/modules/contrib/openvswitch.te
+@@ -109,6 +109,7 @@ fs_getattr_all_fs(openvswitch_t)
+ fs_search_cgroup_dirs(openvswitch_t)
+ fs_manage_hugetlbfs_files(openvswitch_t)
+ fs_manage_hugetlbfs_dirs(openvswitch_t)
++fs_search_tracefs_dirs(openvswitch_t)
+
+ auth_use_nsswitch(openvswitch_t)
+
+diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
+index 90b8393..34de37d 100644
+--- a/policy/modules/kernel/filesystem.if
++++ b/policy/modules/kernel/filesystem.if
+@@ -6924,6 +6924,24 @@ interface(`fs_rw_onload_sockets',`
+
+ ########################################
+ ##
++## Search tracefs_t directories
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_search_tracefs_dirs',`
++ gen_require(`
++ type tracefs_t;
++ ')
++
++ search_dirs_pattern($1, tracefs_t, tracefs_t)
++')
++
++########################################
++##
+ ## Read and write tracefs_t files
+ ##
+ ##
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-openvswitch-use-its-private-tmpfs-files-and-di.patch b/backport-Allow-openvswitch-use-its-private-tmpfs-files-and-di.patch
new file mode 100644
index 0000000..7ab1664
--- /dev/null
+++ b/backport-Allow-openvswitch-use-its-private-tmpfs-files-and-di.patch
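Review bot: The quoted record shows `modprobe openvswitch` executing as `exe=/usr/bin/kmod` with `subj=system_u:system_r:openvswitch_t:s0`, so openvswitch_t is loading kernel modules in its own domain rather than transitioning to the module-loading domain, and `fs_search_tracefs_dirs(openvswitch_t)` accommodates that arrangement instead of questioning it. If this policy provides a domain transition to the kmod domain, using it would keep tracefs access and the `sys_module` capability that openvswitch_t already holds out of the service domain; if the in-domain modprobe is deliberate, the message should say so. The new interface itself grants only `search` on tracefs_t directories, which is the minimal permission for the quoted denial.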
@@ -0,0 +1,44 @@
+From 33b66b726be702dd0cdc26521381d7ba33e2bf84 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 8 Aug 2022 16:52:19 +0200
+Subject: [PATCH] Allow openvswitch use its private tmpfs files and dirs
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/33b66b726be702dd0cdc26521381d7ba33e2bf84
+Conflict: NA
+
+Addresses the following AVC denial:
+Jul 29 19:58:32.669000 localhost audit[985]: AVC avc: denied { write } for pid=985 comm="ovsdb-server" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+
+Resolves: rhbz#1988164
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/openvswitch.te | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/policy/modules/contrib/openvswitch.te b/policy/modules/contrib/openvswitch.te
+index 9ed1587..95acc29 100644
+--- a/policy/modules/contrib/openvswitch.te
++++ b/policy/modules/contrib/openvswitch.te
+@@ -21,6 +21,9 @@ logging_log_file(openvswitch_log_t)
+ type openvswitch_tmp_t;
+ files_tmp_file(openvswitch_tmp_t)
+
++type openvswitch_tmpfs_t;
++files_tmpfs_file(openvswitch_tmpfs_t)
++
+ type openvswitch_var_run_t;
+ files_pid_file(openvswitch_var_run_t)
+
+@@ -68,6 +71,9 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
+ manage_sock_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
+ files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir sock_file })
+
++manage_dirs_pattern(openvswitch_t, openvswitch_tmpfs_t, openvswitch_tmpfs_t)
++fs_tmpfs_filetrans(openvswitch_t, openvswitch_tmpfs_t, dir)
++
+ manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+-- 
+1.8.3.1
+
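Review bot: The new openvswitch_tmpfs_t type is given only `manage_dirs_pattern` and a `fs_tmpfs_filetrans(..., dir)`, so directories ovsdb-server creates on tmpfs get the private type, but anything created inside them inherits openvswitch_tmpfs_t and openvswitch_t has no file or sock_file rules on that type; the next denial is likely a `create` on a file of that type. The quoted denial shows only the directory write, so this may be deliberate, but the subject says "files and dirs" while only dirs are handled; if files are expected, `manage_files_pattern(openvswitch_t, openvswitch_tmpfs_t, openvswitch_tmpfs_t)` next to the dirs rule would cover them and the filetrans could list `{ file dir }`. Either way the subject line should match what the hunk grants.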
diff --git a/backport-Allow-pmdalinux-read-files-on-an-nfsd-filesystem.patch b/backport-Allow-pmdalinux-read-files-on-an-nfsd-filesystem.patch
new file mode 100644
index 0000000..11b8049
--- /dev/null
+++ b/backport-Allow-pmdalinux-read-files-on-an-nfsd-filesystem.patch
@@ -0,0 +1,32 @@
+From 57b29111318880eb60e2fed57b7117e87b6ece24 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 8 Aug 2022 17:46:46 +0200
+Subject: [PATCH] Allow pmdalinux read files on an nfsd filesystem
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/57b29111318880eb60e2fed57b7117e87b6ece24
+Conflict: NA
+
+Addresses the following AVC denial:
+type=AVC msg=audit(1659885488.520:327): avc: denied { search } for pid=1394 comm="pmdalinux" name="/" dev="nfsd" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nfsd_fs_t:s0 tclass=dir permissive=1
+
+Resolves: rhbz#2116153
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/pcp.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/pcp.te b/policy/modules/contrib/pcp.te
+index c10717d..66200d4 100644
+--- a/policy/modules/contrib/pcp.te
++++ b/policy/modules/contrib/pcp.te
+@@ -145,6 +145,7 @@ fs_getattr_all_fs(pcp_pmcd_t)
+ fs_getattr_all_dirs(pcp_pmcd_t)
+ fs_list_cgroup_dirs(pcp_pmcd_t)
+ fs_read_cgroup_files(pcp_pmcd_t)
++fs_read_nfsd_files(pcp_pmcd_t)
+
+ init_read_utmp(pcp_pmcd_t)
+
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-pmie-read-network-state-information-and-networ.patch b/backport-Allow-pmie-read-network-state-information-and-networ.patch
new file mode 100644
index 0000000..fc3f10f
--- /dev/null
+++ b/backport-Allow-pmie-read-network-state-information-and-networ.patch
@@ -0,0 +1,35 @@
+From 3b46ee3ddbcc41a754d824bc4411a8c022e17390 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 2 Aug 2022 16:45:44 +0200
+Subject: [PATCH] Allow pmie read network state information and network sysctls
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3b46ee3ddbcc41a754d824bc4411a8c022e17390
+Conflict: NA
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(08/02/2022 11:34:16.597:12831) : proctitle=/usr/bin/pmie -b -F -P -l /var/log/pcp/pmie/ip-172-31-24-64.us-east-2.compute.internal/pmie.log -c config.default
+type=PATH msg=audit(08/02/2022 11:34:16.597:12831) : item=0 name=/proc/net/if_inet6 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(08/02/2022 11:34:16.597:12831) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7f4aa35486d5 a1=F_OK a2=0x0 a3=0x8 items=1 ppid=1 pid=284086 auid=unset uid=pcp gid=pcp euid=pcp suid=pcp fsuid=pcp egid=pcp sgid=pcp fsgid=pcp tty=(none) ses=unset comm=pmie exe=/usr/bin/pmie subj=system_u:system_r:pcp_pmie_t:s0 key=(null)
+type=AVC msg=audit(08/02/2022 11:34:16.597:12831) : avc: denied { read } for pid=284086 comm=pmie name=net dev="proc" ino=4026531845 scontext=system_u:system_r:pcp_pmie_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=lnk_file permissive=0
+
+Signed-off-by: lujie54
+---
+ policy/modules/contrib/pcp.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/pcp.te b/policy/modules/contrib/pcp.te
+index f1c2804..c10717d 100644
+--- a/policy/modules/contrib/pcp.te
++++ b/policy/modules/contrib/pcp.te
+@@ -230,6 +230,8 @@ allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
+
+ allow pcp_pmie_t pcp_pmcd_t:process signal;
+
++kernel_read_net_sysctls(pcp_pmie_t)
++kernel_read_network_state(pcp_pmie_t)
+ kernel_read_system_state(pcp_pmie_t)
+ kernel_dontaudit_request_load_module(pcp_pmie_t)
+
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-services-execute-systemd-notify.patch b/backport-Allow-services-execute-systemd-notify.patch
new file mode 100644
index 0000000..0d42e65
--- /dev/null
+++ b/backport-Allow-services-execute-systemd-notify.patch
@@ -0,0 +1,82 @@
+From 051d2d7821542cb9dd4555f97a684c28a1861d1a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 9 Aug 2022 15:25:45 +0200
+Subject: [PATCH] Allow services execute systemd-notify
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/051d2d7821542cb9dd4555f97a684c28a1861d1a
+Conflict: NA
+
+With the ea76c5e8b58 ("Allow some domains use sd_notify()") commit,
+daemon and unconfined_service_t were allowed permissions required
+to use the sd_notify() API. This commit allows to the same callers
+the permissions to execute systemd-notify in the caller domain.
+
+Aug 02 13:10:18 hostname audit[956]: AVC avc: denied { execute_no_trans } for pid=956 comm="launch-xenstore" path="/usr/bin/systemd-notify" dev="sda4" ino=4200844 scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:object_r:systemd_notify_exec_t:s0 tclass=file permissive=1
+
+Resolves: rhbz#2114498
+Signed-off-by: lujie54
+---
+ policy/modules/system/init.te | 1 +
+ policy/modules/system/systemd.if | 18 ++++++++++++++++++
+ policy/modules/system/unconfined.te | 4 ++++
+ 3 files changed, 23 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index e4bc96f..33052c6 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1955,6 +1955,7 @@ allow initrc_domain systemprocess:process transition;
+ optional_policy(`
+ systemd_getattr_unit_dirs(daemon)
+ systemd_getattr_unit_dirs(systemprocess)
++ systemd_exec_notify(daemon)
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index 51b966a..61f5476 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -998,6 +998,24 @@ interface(`systemd_timedated_manage_lib_dirs',`
+
+ ########################################
+ ##
++## Execute systemd-notify in the caller domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_exec_notify',`
++ gen_require(`
++ type systemd_notify_exec_t;
++ ')
++
++ can_exec($1, systemd_notify_exec_t)
++')
++
++########################################
++##
+ ## Execute a domain transition to run systemd_notify.
+ ##
+ ##
+diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
+index 4da1290..e6f86cf 100644
+--- a/policy/modules/system/unconfined.te
++++ b/policy/modules/system/unconfined.te
+@@ -35,6 +35,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ systemd_exec_notify(unconfined_service_t)
++')
++
++optional_policy(`
+ virt_transition_svirt(unconfined_service_t, system_r)
+ ')
+
+-- 
+1.8.3.1
+
diff --git a/backport-Allow-some-domains-use-sd_notify.patch b/backport-Allow-some-domains-use-sd_notify.patch
new file mode 100644
index 0000000..0d1ad4d
--- /dev/null
+++ b/backport-Allow-some-domains-use-sd_notify.patch
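Review bot: `systemd_exec_notify` is built on `can_exec`, so every type in the `daemon` attribute and unconfined_service_t now run /usr/bin/systemd-notify inside their own domain, while the doc block immediately below the new interface in systemd.if shows a transition-based interface ("Execute a domain transition to run systemd_notify.") already exists; the message should say why executing in place for all daemons was preferred over the existing transition, since the former enlarges each daemon's executable set. The quoted denial was captured with `permissive=1` for xenstored_t, so it may not be the only permission that path needs once enforced. The init.te hunk adds the call for `daemon` only, leaving `systemprocess` in the same optional_policy block without it; if that is intentional it is worth a one-line comment next to `+ systemd_exec_notify(daemon)`.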
@@ -0,0 +1,100 @@ +From 033c1ffb7c25c218f35ac5053d7f3a482c7df6af Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 14 Jul 2022 10:30:12 +0200 +Subject: [PATCH] Allow some domains use sd_notify() + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/033c1ffb7c25c218f35ac5053d7f3a482c7df6af +Conflict: NA + +sd_notify() and a few similar systemd library functions may be called by +a service to notify the service manager about state changes. It can be +used to send arbitrary information. Most importantly, it can be used for +start-up completion notification. + +With this commit, all types in the daemon and login_userdomain +attributes and unconfined_service_t can connect to init (PID 1) and +init can write back to the fifo_file created by the domain. + +Resolves: rhbz#1903305 +Signed-off-by: lujie54 +--- + policy/modules/system/init.if | 21 +++++++++++++++++++++ + policy/modules/system/init.te | 2 ++ + policy/modules/system/unconfined.te | 2 ++ + policy/modules/system/userdomain.te | 2 ++ + 4 files changed, 27 insertions(+) + +diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if +index 4b3bb59..c07649b 100644 +--- a/policy/modules/system/init.if ++++ b/policy/modules/system/init.if +@@ -3000,6 +3000,27 @@ interface(`init_rw_tcp_sockets',` + allow $1 init_t:tcp_socket { read write getattr }; + ') + ++####################################### ++## ++## Use sd_notify ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`init_use_notify',` ++ gen_require(` ++ type init_t, init_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t) ++ allow $1 init_var_run_t:sock_file read_sock_file_perms; ++ allow init_t $1:fifo_file write_fifo_file_perms; ++') ++ + ######################################## + ## + ## Get the system status information from init +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 073ce2c..e4bc96f 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -1335,6 +1335,8 @@ ifdef(`distro_suse',` + + domain_dontaudit_use_interactive_fds(daemon) + ++init_use_notify(daemon) ++ + userdom_dontaudit_list_admin_dir(daemon) + userdom_dontaudit_search_user_tmp(daemon) + +diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te +index ed03aad..4da1290 100644 +--- a/policy/modules/system/unconfined.te ++++ b/policy/modules/system/unconfined.te +@@ -20,6 +20,8 @@ role unconfined_r types unconfined_service_t; + corecmd_bin_entry_type(unconfined_service_t) + corecmd_shell_entry_type(unconfined_service_t) + ++init_use_notify(unconfined_service_t) ++ + optional_policy(` + rpm_transition_script(unconfined_service_t, system_r) + ') +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index 3ac8c12..0980247 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -400,6 +400,8 @@ files_watch_generic_tmp_dirs(login_userdomain) + fs_create_cgroup_files(login_userdomain) + fs_watch_cgroup_files(login_userdomain) + ++init_use_notify(login_userdomain) ++ + libs_watch_lib_dirs(login_userdomain) + + miscfiles_watch_fonts_dirs(login_userdomain) +-- +1.8.3.1 + diff --git a/backport-Allow-sysadm_t-to-run-bpftool-on-the-userdomain-attr.patch b/backport-Allow-sysadm_t-to-run-bpftool-on-the-userdomain-attr.patch new file mode 100644 index 0000000..6eb260b 
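Review bot: `stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)` in `init_use_notify` lets every caller reach any init_t unix stream socket labeled init_var_run_t, not just the one behind NOTIFY_SOCKET, so whatever other PID 1 sockets under /run/systemd carry that label (not determinable from this hunk) become reachable by the whole `daemon` attribute and are then guarded only by DAC and by systemd's own checks on those endpoints. The summary `## Use sd_notify` understates that; I would document the actual grant, e.g. `## Connect to init's unix stream sockets labeled init_var_run_t (NOTIFY_SOCKET) and allow init to write into the caller's fifo_files.` The last rule, `allow init_t $1:fifo_file write_fifo_file_perms;`, is a grant to init on objects of the caller's type rather than to the caller, which the summary should also make explicit because it is the unusual direction for an interface named after the caller. The two follow-up backports cite this change as `ea76c5e8b58`, while this patch's own From/Reference hash is `033c1ffb…`; presumably the rawhide and branch commits, but the series should reference one of them consistently. Minor style: the separator above the new interface is 39 `#` characters while its neighbours use 40.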
--- /dev/null
+++ b/backport-Allow-sysadm_t-to-run-bpftool-on-the-userdomain-attr.patch
@@ -0,0 +1,34 @@
+From 3578a24d63f5901469482950f40bcb757d695baf Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 2 Aug 2022 16:42:58 +0200
+Subject: [PATCH] Allow sysadm_t to run bpftool on the userdomain attribute
+
+Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3578a24d63f5901469482950f40bcb757d695baf
+Conflict: NA
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(08/02/2022 11:36:12.251:13079) : proctitle=perf record -o /dev/null echo test
+type=SYSCALL msg=audit(08/02/2022 11:36:12.251:13079) : arch=x86_64 syscall=bpf success=no exit=EACCES(Permission denied) a0=BPF_PROG_GET_FD_BY_ID a1=0x7ffda3e17100 a2=0x90 a3=0x55bd94ea10a0 items=0 ppid=291258 pid=291259 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=141 comm=perf exe=/usr/bin/perf subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(08/02/2022 11:36:12.251:13079) : avc: denied { prog_run } for pid=291259 comm=perf scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=bpf permissive=0
+
+Signed-off-by: lujie54
+---
+ policy/modules/roles/sysadm.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index d9e11b6..ed1b86f 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -109,6 +109,8 @@ userdom_exec_admin_home_files(sysadm_t)
+ userdom_manage_admin_files(sysadm_t)
+ userdom_manage_admin_dirs(sysadm_t)
+ 
++userdom_prog_run_bpf_userdomain(sysadm_t)
++
+ corenet_ib_access_unlabeled_pkeys(sysadm_t)
+ corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
+ corenet_tcp_bind_all_rpc_ports(sysadm_t)
+-- 
+1.8.3.1
+
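Review bot: `userdom_prog_run_bpf_userdomain(sysadm_t)` lands in sysadm.te without any comment, yet it grants `bpf prog_run` on BPF programs loaded by every userdomain type (the quoted AVC is against `unconfined_t`), which is the kind of cross-domain grant a later reader will want justified in place; I would add `# perf/bpftool (BPF_PROG_GET_FD_BY_ID) need prog_run on BPF programs loaded by other user domains` above the call. The subject says bpftool while the denial shown comes from `perf record`; the commit message should name both so the grant is not narrowed later on the assumption that only bpftool needs it. This patch depends on the interface introduced by the separate `userdom_prog_run_bpf_userdomain` backport, so its position after that patch in the spec's Patch list is load-bearing and should be kept if the list is ever reordered.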
diff --git a/backport-Allow-systemd-watch-and-watch_reads-user-ptys.patch b/backport-Allow-systemd-watch-and-watch_reads-user-ptys.patch
new file mode 100644
index 0000000..b9faabc
--- /dev/null
+++ b/backport-Allow-systemd-watch-and-watch_reads-user-ptys.patch
@@ -0,0 +1,92 @@ +From d3e2a2c32da4229c1c27840560074585b7762844 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 13 May 2022 19:02:56 +0200 +Subject: [PATCH] Allow systemd watch and watch_reads user ptys + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/d3e2a2c32da4229c1c27840560074585b7762844 +Conflict: NA + +This permission is required for "systemd-run --shell" to work. + +The following AVC denial was addressed: + +type=PROCTITLE msg=audit(05/13/2022 10:57:19.765:435) : proctitle=(bash) +type=PATH msg=audit(05/13/2022 10:57:19.765:435) : item=0 name=/dev/pts/1 inode=4 dev=00:19 mode=character,620 ouid=root ogid=tty rdev=88:01 obj=unconfined_u:object_r:user_devpts_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=CWD msg=audit(05/13/2022 10:57:19.765:435) : cwd=/ +type=SYSCALL msg=audit(05/13/2022 10:57:19.765:435) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x55e39a4fe560 a2=0x18 a3=0x0 items=1 ppid=1 pid=1109 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(bash) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) +type=AVC msg=audit(05/13/2022 10:57:19.765:435) : avc: denied { watch watch_reads } for pid=1109 comm=(bash) path=/dev/pts/1 dev="devpts" ino=4 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0 + +The following interfaces were added: +- userdom_watch_user_ptys +- userdom_watch_reads_user_ptys + +Resolves: rhbz#1980241 +Signed-off-by: lujie54 +--- + policy/modules/system/init.te | 2 ++ + policy/modules/system/userdomain.if | 36 ++++++++++++++++++++++++++++++++++++ + 2 files changed, 38 insertions(+) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index a838cdd..f772288 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -419,6 
+419,8 @@ userdom_nnp_transition_login_userdomain(init_t) + userdom_noatsecure_login_userdomain(init_t) + userdom_sigchld_login_userdomain(init_t) + userdom_use_user_ptys(init_t) ++userdom_watch_user_ptys(init_t) ++userdom_watch_reads_user_ptys(init_t) + + allow init_t self:process setsched; + +diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if +index b16984d..aeb2deb 100644 +--- a/policy/modules/system/userdomain.if ++++ b/policy/modules/system/userdomain.if +@@ -3989,6 +3989,42 @@ interface(`userdom_use_user_ptys',` + + ######################################## + ## ++## Watch a user pty. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_watch_user_ptys',` ++ gen_require(` ++ type user_devpts_t; ++ ') ++ ++ allow $1 user_devpts_t:chr_file watch_chr_file_perms; ++') ++ ++######################################## ++## ++## Watch_reads a user pty. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_watch_reads_user_ptys',` ++ gen_require(` ++ type user_devpts_t; ++ ') ++ ++ allow $1 user_devpts_t:chr_file watch_reads_chr_file_perms; ++') ++ ++######################################## ++## + ## Read and write a inherited user domain pty. + ## + ## +-- +1.8.3.1 + diff --git a/backport-Allow-xdm-read-the-kernel-key-ring.patch b/backport-Allow-xdm-read-the-kernel-key-ring.patch new file mode 100644 index 0000000..2022b02 --- /dev/null +++ b/backport-Allow-xdm-read-the-kernel-key-ring.patch 
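Review bot: The summary of `userdom_watch_reads_user_ptys`, `## Watch_reads a user pty.`, only repeats the permission name; I would write `## Receive inotify read events (watch_reads) on a user pty.` and, for the sibling interface, `## Watch a user pty for inotify events.` Both are granted to `init_t`, which already has `userdom_use_user_ptys(init_t)` on the preceding line, so this adds event notification on terminals init can already read and write rather than new data access. As captured here the inner init.te hunk header is split across two lines (`@@ -419,6` / `+419,8 @@`); that looks like a rendering artifact, but if the break is really present in the .patch file the hunk is malformed and `%prep` will reject it, so the file should be checked byte-for-byte. The `watch_chr_file_perms` and `watch_reads_chr_file_perms` permission sets are assumed to exist in this policy's object permission sets; that cannot be verified from the hunk.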
@@ -0,0 +1,66 @@ +From 400c278dc20c89d2b85a351c9a6567d3fb348a01 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 10 Aug 2022 17:26:03 +0200 +Subject: [PATCH] Allow xdm read the kernel key ring + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/400c278dc20c89d2b85a351c9a6567d3fb348a01 +Conflict: NA + +The kernel_read_key() interface was added. + +Addresses the following AVC denial: +type=PROCTITLE msg=audit(28.7.2022 13:38:34.889:250) : proctitle=gdm-session-worker [pam/gdm-autologin] +type=SYSCALL msg=audit(28.7.2022 13:38:34.889:250) : arch=x86_64 syscall=keyctl success=yes exit=10 a0=0xb a1=0x1276ecec a2=0x0 a3=0x0 items=0 ppid=1417 pid=1455 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(28.7.2022 13:38:34.889:250) : avc: denied { read } for pid=1455 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0 + +Resolves: rhbz#2111834 +Signed-off-by: lujie54 +--- + policy/modules/kernel/kernel.if | 18 ++++++++++++++++++ + policy/modules/services/xserver.te | 1 + + 2 files changed, 19 insertions(+) + +diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if +index 6828750..8ffd498 100644 +--- a/policy/modules/kernel/kernel.if ++++ b/policy/modules/kernel/kernel.if +@@ -510,6 +510,24 @@ interface(`kernel_rw_key',` + + ######################################## + ## ++## Allow read the kernel key ring. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_read_key',` ++ gen_require(` ++ type kernel_t; ++ ') ++ ++ allow $1 kernel_t:key read; ++') ++ ++######################################## ++## + ## Allow view the kernel key ring. 
+ ## + ## +diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te +index cc215b8..6638ed9 100644 +--- a/policy/modules/services/xserver.te ++++ b/policy/modules/services/xserver.te +@@ -566,6 +566,7 @@ kernel_read_net_sysctls(xdm_t) + kernel_read_network_state(xdm_t) + kernel_request_load_module(xdm_t) + kernel_stream_connect(xdm_t) ++kernel_read_key(xdm_t) + kernel_view_key(xdm_t) + + corecmd_exec_shell(xdm_t) +-- +1.8.3.1 + diff --git a/backport-Do-not-allow-login_userdomain-use-sd_notify.patch b/backport-Do-not-allow-login_userdomain-use-sd_notify.patch new file mode 100644 index 0000000..722bb1f --- /dev/null +++ b/backport-Do-not-allow-login_userdomain-use-sd_notify.patch @@ -0,0 +1,35 @@ +From 722bd1fc180b12193c2d551c82eda101f26c098f Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 8 Aug 2022 17:35:10 +0200 +Subject: [PATCH] Do not allow login_userdomain use sd_notify() + +Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/722bd1fc180b12193c2d551c82eda101f26c098f +Conflict: NA + +This commit partially reverts the ea76c5e8b586 ("Allow some domains use +sd_notify()") commit. While any systemd service should be allowed to +use sd_notify, which includes unconfined_service_t, login userdomains +should only talk to user service manager which runs in the respective +userdomain. + +Signed-off-by: lujie54 +--- + policy/modules/system/userdomain.te | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index 0980247..3ac8c12 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -400,8 +400,6 @@ files_watch_generic_tmp_dirs(login_userdomain) + fs_create_cgroup_files(login_userdomain) + fs_watch_cgroup_files(login_userdomain) + +-init_use_notify(login_userdomain) +- + libs_watch_lib_dirs(login_userdomain) + + miscfiles_watch_fonts_dirs(login_userdomain) +-- +1.8.3.1 + 
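Review bot: `kernel_read_key(xdm_t)` grants `key read` on every key labeled `kernel_t`, which discloses key payloads (the AVC shows `keyctl` with `a0=0xb`, KEYCTL_READ, returning 10 bytes) rather than the metadata the existing `kernel_view_key(xdm_t)` already allows, and the commit message does not say which kernel-owned key gdm-autologin needs; the rule should carry that reason in place, e.g. `# gdm-session-worker (pam/gdm-autologin) reads a kernel_t key payload, rhbz#2111834`. The new interface's summary `## Allow read the kernel key ring.` is ungrammatical and undersells the access; `## Read the payload of keys owned by the kernel (key read, not only view).` would be clearer. Style: the call is inserted after `kernel_stream_connect(xdm_t)` while the other `kernel_read_*` calls in that block are grouped together above it.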
diff --git a/selinux-policy.spec b/selinux-policy.spec index 5e24ea7..d92fcb9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -12,7 +12,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 35.5 -Release: 11 +Release: 12 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ 
@@ -155,6 +155,25 @@ Patch6087: backport-Allow-keepalived-setsched-and-sys_nice.patch Patch6088: backport-Allow-sssd-domtrans-to-pkcs_slotd_t.patch Patch6089: backport-Allow-systemd-gpt-auto-generator-create-and-use-netl.patch Patch6090: backport-Support-using-systemd-update-helper-in-rpm-scriptlet.patch +Patch6091: backport-Allow-systemd-watch-and-watch_reads-user-ptys.patch +Patch6092: backport-Allow-iscsid-the-sys_ptrace-userns-capability.patch +Patch6093: backport-Allow-firewalld-read-the-contents-of-the-sysfs-files.patch +Patch6094: backport-Allow-domain-use-userfaultfd-over-all-domains.patch +Patch6095: backport-Add-permissions-to-manage-lnk_files-into-gnome_manag.patch +Patch6096: backport-Allow-dhclient-manage-pid-files-used-by-chronyd.patch +Patch6097: backport-Add-the-userdom_prog_run_bpf_userdomain-interface.patch +Patch6098: backport-Allow-sysadm_t-to-run-bpftool-on-the-userdomain-attr.patch +Patch6099: backport-Allow-pmie-read-network-state-information-and-networ.patch +Patch6100: backport-Allow-pmdalinux-read-files-on-an-nfsd-filesystem.patch +Patch6101: backport-Allow-some-domains-use-sd_notify.patch +Patch6102: backport-Do-not-allow-login_userdomain-use-sd_notify.patch +Patch6103: backport-Allow-services-execute-systemd-notify.patch +Patch6104: backport-Allow-openvswitch-search-tracefs-dirs.patch +Patch6105: backport-Allow-openvswitch-use-its-private-tmpfs-files-and-di.patch +Patch6106: backport-Allow-openvswitch-fsetid-capability.patch +Patch6107: backport-Allow-launch-xenstored-read-filesystem-sysctls.patch +Patch6108: backport-Allow-login_userdomain-check-status-of-mount-units.patch +Patch6109: backport-Allow-xdm-read-the-kernel-key-ring.patch Patch9000: add-qemu_exec_t-for-stratovirt.patch Patch9001: fix-context-of-usr-bin-rpmdb.patch @@ -825,6 +844,9 @@ exit 0 %endif %changelog +* Thu Sep 15 2022 lujie - 35.5-12 +- backport upstream patches + * Tue Sep 13 2022 lujie - 35.5-11 - backport upstream patches -- Gitee