From 44297ca8a42c0006bbc887c47b2af8b156456283 Mon Sep 17 00:00:00 2001 
From: lujie42
Date: Sun, 27 Nov 2022 22:53:05 +0800
Subject: [PATCH] update upstream patches
(cherry picked from commit 8f5a7284a7841792a98c29daccad2b8d40a4776e)
---
backport-Add-bgpd-sys_chroot-capability.patch | 33 +++++
...t-Add-numad-the-ipc_owner-capability.patch | 35 +++++
...ort-Allow-httpd-read-network-sysctls.patch | 34 +++++
...Allow-init-map-its-private-tmp-files.patch | 29 ++++
...read-write-inherited-user-fifo-files.patch | 42 ++++++
...it-remount-all-file_type-filesystems.patch | 63 +++++++++
...Allow-ipsec_t-read-write-tpm-devices.patch | 30 ++++
...userdomain-watch-various-directories.patch | 133 ++++++++++++++++++
...serdomain-write-to-boltd-named-pipes.patch | 46 ++++++
...cd-search-tracefs-and-acct_data-dirs.patch | 77 ++++++++++
...t-read-kerberos-homedir-config-files.patch | 30 ++++
...s-read-write-unnamed-pipes-of-cloud-.patch | 65 +++++++++
...-and-user_u-users-write-to-bolt-pipe.patch | 50 +++++++
...t-auto-generator-to-check-for-empty-.patch | 38 +++++
...er-append-to-login_userdomain-stream.patch | 64 +++++++++
...ored-change-its-hard-resource-limits.patch | 32 +++++
...m-can-read-.local-lib-python-site-pa.patch | 38 +++++
selinux-policy.spec | 22 ++-
18 files changed, 860 insertions(+), 1 deletion(-)
create mode 100644 backport-Add-bgpd-sys_chroot-capability.patch
create mode 100644 backport-Add-numad-the-ipc_owner-capability.patch
create mode 100644 backport-Allow-httpd-read-network-sysctls.patch
create mode 100644 backport-Allow-init-map-its-private-tmp-files.patch
create mode 100644 backport-Allow-init-read-write-inherited-user-fifo-files.patch
create mode 100644 backport-Allow-init-remount-all-file_type-filesystems.patch
create mode 100644 backport-Allow-ipsec_t-read-write-tpm-devices.patch
create mode 100644 backport-Allow-login_userdomain-watch-various-directories.patch
create mode 100644 backport-Allow-login_userdomain-write-to-boltd-named-pipes.patch
create mode 100644 backport-Allow-pcp-pmcd-search-tracefs-and-acct_data-dirs.patch
create mode 100644 backport-Allow-ssh-client-read-kerberos-homedir-config-files.patch
create mode 100644 backport-Allow-sss-daemons-read-write-unnamed-pipes-of-cloud-.patch
create mode 100644 backport-Allow-staff_u-and-user_u-users-write-to-bolt-pipe.patch
create mode 100644 backport-Allow-systemd-gpt-auto-generator-to-check-for-empty-.patch
create mode 100644 backport-Allow-utempter-append-to-login_userdomain-stream.patch
create mode 100644 backport-Allow-xenstored-change-its-hard-resource-limits.patch
create mode 100644 backport-blueman-mechanism-can-read-.local-lib-python-site-pa.patch
diff --git a/backport-Add-bgpd-sys_chroot-capability.patch b/backport-Add-bgpd-sys_chroot-capability.patch
new file mode 100644
index 0000000..cd553a6
--- /dev/null
+++ b/backport-Add-bgpd-sys_chroot-capability.patch
@@ -0,0 +1,33 @@
+From 384a8eeec175cc19f18ae74950cb0d8db0e0ce1b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 23 Sep 2022 18:46:54 +0200
+Subject: [PATCH] Add bgpd sys_chroot capability
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(09/23/2022 13:39:42.856:6958) : proctitle=/usr/sbin/bgpd -R
+type=PATH msg=audit(09/23/2022 13:39:42.856:6958) : item=0 name=/var/empty/bgpd inode=644194 dev=00:1e mode=dir,711 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(09/23/2022 13:39:42.856:6958) : arch=x86_64 syscall=chroot success=no exit=EPERM(Operation not permitted) a0=0x55af72eb04e7 a1=0x7f06fcd615b3 a2=0x0 a3=0x7f06fcd46ac0 items=1 ppid=115054 pid=115055 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bgpd exe=/usr/sbin/bgpd subj=system_u:system_r:zebra_t:s0 key=(null)
+type=AVC msg=audit(09/23/2022 13:39:42.856:6958) : avc: denied { sys_chroot } for pid=115055 comm=bgpd capability=sys_chroot scontext=system_u:system_r:zebra_t:s0 tcontext=system_u:system_r:zebra_t:s0 tclass=capability permissive=0
+
+Signed-off-by: lujie42
+---
+ policy/modules/contrib/zebra.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
+index 91a604150..bae270d59 100644
+--- a/policy/modules/contrib/zebra.te
++++ b/policy/modules/contrib/zebra.te
+@@ -40,7 +40,7 @@ files_pid_file(zebra_var_run_t)
+ # Local policy
+ #
+
+-allow zebra_t self:capability { setgid setuid net_admin net_raw };
++allow zebra_t self:capability { setgid setuid sys_chroot net_admin net_raw };
+ dontaudit zebra_t self:capability sys_tty_config;
+ allow zebra_t self:process { signal_perms getcap setcap };
+ allow zebra_t self:file rw_file_perms;
+--
+2.27.0
+
diff --git a/backport-Add-numad-the-ipc_owner-capability.patch b/backport-Add-numad-the-ipc_owner-capability.patch
new file mode 100644
index 0000000..0b2dd98
--- /dev/null
+++ b/backport-Add-numad-the-ipc_owner-capability.patch
@@ -0,0 +1,35 @@
+From 8cc57cc64467d6e60eac92d6ffc9f9d550e948a2 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 21 Sep 2022 17:20:28 +0200
+Subject: [PATCH] Add numad the ipc_owner capability
+
+This permission is required when the cpu allocation in a vm definition contains
+
+which means cpuset option will be configured by querying numad.
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(1637903670.950:2626): avc: denied { ipc_owner } for pid=72952 comm="numad" capability=15 scontext=system_u:system_r:numad_t:s0-s0:c0.c1023 tcontext=system_u:system_r:numad_t:s0-s0:c0.c1023 tclass=capability permissive=0
+
+Resolves: rhbz#2026968
+Signed-off-by: lujie42
+---
+ policy/modules/contrib/numad.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/numad.te b/policy/modules/contrib/numad.te
+index cf8f99b02..97f923b25 100644
+--- a/policy/modules/contrib/numad.te
++++ b/policy/modules/contrib/numad.te
+@@ -23,7 +23,7 @@ files_pid_file(numad_var_run_t)
+ # numad local policy
+ #
+
+-allow numad_t self:capability { kill sys_nice sys_ptrace } ;
++allow numad_t self:capability { ipc_owner kill sys_nice sys_ptrace } ;
+ allow numad_t self:fifo_file rw_fifo_file_perms;
+ allow numad_t self:msgq create_msgq_perms;
+ allow numad_t self:msg { send receive };
+--
+2.27.0
+
diff --git a/backport-Allow-httpd-read-network-sysctls.patch b/backport-Allow-httpd-read-network-sysctls.patch
new file mode 100644
index 0000000..3e20727
--- /dev/null
+++ b/backport-Allow-httpd-read-network-sysctls.patch
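Review bot: The new `allow numad_t self:capability { ipc_owner ... }` line in numad.te carries no comment, while the reason for it lives only in the commit message (a VM definition delegating cpuset placement to numad, rhbz#2026968). CAP_IPC_OWNER overrides ownership checks on any System V IPC object the domain can otherwise reach, which is wider than the msgq/msg rules already in this block, so the justification is worth keeping next to the rule: `# ipc_owner: needed when a VM definition delegates cpuset placement to numad (rhbz#2026968)`. The commit message also appears to have lost the quoted XML element between "contains" and "which means", so the sentence no longer reads as intended.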
@@ -0,0 +1,34 @@
+From d98fa390807abca9bc1631f2562d0bba46b67bfd Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 5 Sep 2022 15:39:30 +0200
+Subject: [PATCH] Allow httpd read network sysctls
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(09/05/2022 15:03:53.634:444) : proctitle=/usr/bin/caddy run --environ --resume
+type=PATH msg=audit(09/05/2022 15:03:53.634:444) : item=0 name=/proc/sys/net/core/somaxconn inode=28391 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(09/05/2022 15:03:53.634:444) : arch=x86_64 syscall=openat success=yes exit=8 a0=AT_FDCWD a1=0xc000098c80 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1856 auid=unset uid=caddy gid=caddy euid=caddy suid=caddy fsuid=caddy egid=caddy sgid=caddy fsgid=caddy tty=(none) ses=unset comm=caddy exe=/usr/bin/caddy subj=system_u:system_r:httpd_t:s0 key=(null)
+type=AVC msg=audit(09/05/2022 15:03:53.634:444) : avc: denied { open } for pid=1856 comm=caddy path=/proc/sys/net/core/somaxconn dev="proc" ino=28391 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
+type=AVC msg=audit(09/05/2022 15:03:53.634:444) : avc: denied { read } for pid=1856 comm=caddy name=somaxconn dev="proc" ino=28391 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
+
+Resolves: rhbz#2122886
+Signed-off-by: lujie42
+---
+ policy/modules/contrib/apache.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
+index 0e4d4bf87..13e72686c 100644
+--- a/policy/modules/contrib/apache.te
++++ b/policy/modules/contrib/apache.te
+@@ -597,6 +597,7 @@ manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+
+ kernel_read_kernel_sysctls(httpd_t)
++kernel_read_net_sysctls(httpd_t)
+ # for modules that want to access /proc/meminfo
+ kernel_read_system_state(httpd_t)
+ kernel_read_network_state(httpd_t)
+--
+2.27.0
+
diff --git a/backport-Allow-init-map-its-private-tmp-files.patch b/backport-Allow-init-map-its-private-tmp-files.patch
new file mode 100644
index 0000000..351bd77
--- /dev/null
+++ b/backport-Allow-init-map-its-private-tmp-files.patch
@@ -0,0 +1,29 @@
+From 74d69e714236347f733e83eb1c623148628d89c6 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 26 Sep 2022 17:59:13 +0200
+Subject: [PATCH] Allow init map its private tmp files
+
+Addresses the following AVC denial:
+type=AVC msg=audit(11/24/2021 01:50:26.378:167) : avc: denied { map } for pid=1414 comm=cpupower-gui-he path=/var/tmp/ffi6reIpN (deleted) dev="nvme0n1p3" ino=88707980 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file permissive=0
+
+Resolves: rhbz#2026228
+Signed-off-by: lujie42
+---
+ policy/modules/system/init.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index c81f0d0be..fd03f1d03 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -208,6 +208,7 @@ manage_dirs_pattern(init_t, init_tmp_t, init_tmp_t)
+ manage_lnk_files_pattern(init_t, init_tmp_t, init_tmp_t)
+ manage_sock_files_pattern(init_t, init_tmp_t, init_tmp_t)
+ files_tmp_filetrans(init_t, init_tmp_t, { file sock_file })
++allow init_t init_tmp_t:file map;
+
+ manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t)
+ manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
+--
+2.27.0
+
diff --git a/backport-Allow-init-read-write-inherited-user-fifo-files.patch b/backport-Allow-init-read-write-inherited-user-fifo-files.patch
new file mode 100644
index 0000000..a00414a
--- /dev/null
+++ b/backport-Allow-init-read-write-inherited-user-fifo-files.patch
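Review bot: The denial behind `allow init_t init_tmp_t:file map;` in init.te comes from `comm=cpupower-gui-he`, a helper process that is running in `init_t` rather than systemd itself, so the rule is widening the init domain on behalf of an unrelated binary. Mapping init's own private tmp files is low risk in itself, but each such application-driven addition grows init_t, and the underlying issue looks like a missing domain for that helper (inferred from the comm field; the hunk cannot show how it got there). A comment on the rule would at least record the origin: `# cpupower-gui helper runs in init_t and maps its tmp file, see rhbz#2026228`.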
@@ -0,0 +1,42 @@
+From 95d7034936ed5f2d01ffcf55a52a5d3c3c8a7825 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 21 Sep 2022 13:41:18 +0200
+Subject: [PATCH] Allow init read/write inherited user fifo files
+
+This commit backs the usage of "systemd-run --pipe" when standard input,
+output, and error of the transient service are inherited from the
+systemd-run command itself. The --pipe switch allows systemd-run to be
+used within shell pipelines.
+
+Addresses the following AVC denials:
+
+type=AVC msg=audit(09/21/2022 05:24:28.596:328) : avc: denied { write } for pid=1 comm=systemd path=pipe:[16980] dev="pipefs" ino=16980 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
+
+type=AVC msg=audit(09/21/2022 05:34:12.088:422) : avc: denied { read } for pid=1 comm=systemd path=pipe:[18554] dev="pipefs" ino=18554 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
+
+type=PROCTITLE msg=audit(09/21/2022 05:36:42.853:427) : proctitle=(grep)
+type=SYSCALL msg=audit(09/21/2022 05:36:42.853:427) : arch=x86_64 syscall=ioctl success=no exit=EACCES(Permission denied) a0=0x0 a1=TCGETS a2=0x7ffebe2ae1c0 a3=0x0 items=0 ppid=1 pid=1269 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(grep) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
+type=AVC msg=audit(09/21/2022 05:36:42.853:427) : avc: denied { ioctl } for pid=1269 comm=(grep) path=pipe:[18588] dev="pipefs" ino=18588 ioctlcmd=TCGETS scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fifo_file permissive=0
+
+Resolves: rhbz#2036829
+Signed-off-by: lujie42
+---
+ policy/modules/system/init.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 33052c66f..f369aa50e 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -413,7 +413,7 @@ userdom_manage_tmp_sockets(init_t)
+ userdom_delete_user_tmp_files(init_t)
+ userdom_delete_user_home_content_files(init_t)
+ userdom_connectto_stream(init_t)
+-
++userdom_rw_inherited_user_pipes(init_t)
+ userdom_transition_login_userdomain(init_t)
+ userdom_nnp_transition_login_userdomain(init_t)
+ userdom_noatsecure_login_userdomain(init_t)
+--
+2.27.0
+
diff --git a/backport-Allow-init-remount-all-file_type-filesystems.patch b/backport-Allow-init-remount-all-file_type-filesystems.patch
new file mode 100644
index 0000000..5b2d345
--- /dev/null
+++ b/backport-Allow-init-remount-all-file_type-filesystems.patch
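Review bot: The init.te hunk replaces the blank line between `userdom_connectto_stream(init_t)` and the `userdom_transition_login_userdomain` group instead of inserting a new line, so the separator that the rest of this block uses is lost; the diffstat (1 insertion, 1 deletion) confirms the swap. Keep the blank and add the call as a pure insertion: `userdom_rw_inherited_user_pipes(init_t)` on its own line before the existing empty one. Separately, the quoted denials include an `ioctl` (TCGETS) on the inherited pipe alongside read and write, and nothing in the hunk shows whether `userdom_rw_inherited_user_pipes()` covers ioctl, so confirm that in userdomain.if before treating rhbz#2036829 as fully addressed.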
@@ -0,0 +1,63 @@
+From 355731c1c456907fc7097257e50e4c0377f17953 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 7 Sep 2022 09:41:19 +0200
+Subject: [PATCH] Allow init remount all file_type filesystems
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(1650874039.465:8427): proctitle="(coredump)"
+type=PATH msg=audit(1650874039.465:8427): item=0 name="/proc/self/fd/4" inode=256 dev=00:32 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:swapfile_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(1650874039.465:8427): arch=c000003e syscall=165 success=yes exit=0 a0=0 a1=7ffeea790a00 a2=0 a3=1021 items=1 ppid=1 pid=208737 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(coredump)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
+type=AVC msg=audit(1650874039.465:8427): avc: denied { remount } for pid=208737 comm="(coredump)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:swapfile_t:s0 tclass=filesystem permissive=1
+
+Resolves: rhbz#2125693
+Signed-off-by: lujie42
+---
+ policy/modules/kernel/files.if | 18 ++++++++++++++++++
+ policy/modules/system/init.te | 1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 2bb2908df..165eb4a12 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -1947,6 +1947,24 @@ interface(`files_unmount_all_file_type_fs',`
+ allow $1 file_type:filesystem unmount;
+ ')
+
++########################################
++##
++## Remount all filesystems with the type of a file.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_remount_all_file_type_fs',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ allow $1 file_type:filesystem remount;
++')
++
+ ########################################
+ ##
+ ## Read all non-authentication related
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index f369aa50e..c81f0d0be 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -627,6 +627,7 @@ dev_rw_wireless(init_t)
+ files_search_all(init_t)
+ files_mounton_all_mountpoints(init_t)
+ files_unmount_all_file_type_fs(init_t)
++files_remount_all_file_type_fs(init_t)
+ files_mounton_kernel_symbol_table(init_t)
+ files_manage_all_pid_dirs(init_t)
+ files_write_all_pid_sockets(init_t)
+--
+2.27.0
+
diff --git a/backport-Allow-ipsec_t-read-write-tpm-devices.patch b/backport-Allow-ipsec_t-read-write-tpm-devices.patch
new file mode 100644
index 0000000..db22f0f
--- /dev/null
+++ b/backport-Allow-ipsec_t-read-write-tpm-devices.patch
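Review bot: `files_remount_all_file_type_fs()` grants `remount` on every filesystem whose type carries the file_type attribute, while the only denial cited is against `swapfile_t` and was recorded in permissive mode (permissive=1), so the hunk does not show that the wider grant was needed. It is consistent with the neighbouring `files_unmount_all_file_type_fs(init_t)`, and init_t is already highly privileged, but remount is the operation that toggles mount flags such as ro or nosuid, so the reason for the blanket rule should be written down where the call is made in init.te, e.g. `# remount during unit mount-namespace setup, see rhbz#2125693` (the "(coredump)" comm suggests systemd's per-unit sandboxing; confirm before wording it that way). The interface's doc block in the hunk also appears to have lost its XML summary/param tags in this rendering, so check the file itself still carries them.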
@@ -0,0 +1,30 @@
+From c836064999e34f071b4b411c47b87d544cd8f6d4 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 31 Aug 2022 18:58:39 +0200
+Subject: [PATCH] Allow ipsec_t read/write tpm devices
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(1652729361.214:334): avc: denied { getattr } for pid=1642 comm="charon" path="/dev/tpmrm0" dev="devtmpfs" ino=135 scontext=system_u:system_r:ipsec_t:s0 tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=0
+
+Resolves: rhbz#2086926
+Signed-off-by: lujie42
+---
+ policy/modules/system/ipsec.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
+index 43186c0b9..cd432b15f 100644
+--- a/policy/modules/system/ipsec.te
++++ b/policy/modules/system/ipsec.te
+@@ -180,6 +180,7 @@ corenet_rw_tun_tap_dev(ipsec_t)
+ dev_read_sysfs(ipsec_t)
+ dev_read_rand(ipsec_t)
+ dev_read_urand(ipsec_t)
++dev_rw_tpm(ipsec_t)
+
+ domain_use_interactive_fds(ipsec_t)
+
+--
+2.27.0
+
diff --git a/backport-Allow-login_userdomain-watch-various-directories.patch b/backport-Allow-login_userdomain-watch-various-directories.patch
new file mode 100644
index 0000000..7418325
--- /dev/null
+++ b/backport-Allow-login_userdomain-watch-various-directories.patch
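Review bot: The cited denial is only `getattr` on /dev/tpmrm0 by charon, but the rule added to ipsec.te is `dev_rw_tpm(ipsec_t)`, which by its name grants read and write on the TPM device class; nothing in the hunk shows that charon goes beyond stat-ing the device. If charon merely probes for a TPM, a getattr-only rule would be the tighter fix; if it actually drives the TPM through the resource manager, read/write is right and the commit message should say so, since a denial-driven rule that is wider than the denial invites the next reader to question it. A one-line comment next to the call would settle it either way, e.g. `# charon uses the TPM resource manager (/dev/tpmrm0) for key operations, rhbz#2086926`, with that claim confirmed against the strongSwan configuration in the bug.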
@@ -0,0 +1,133 @@
+From 36df7e2855b03c57fd7b3a1ac0d4939fd54a8673 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 9 Sep 2022 09:33:18 +0200
+Subject: [PATCH] Allow login_userdomain watch various directories
+
+The inotify_add_watch(2) syscalls are called by plasmashell and some
+other processes (chrome, desk-portal, dolphin, kwallet, logout-greeter, systemsettings).
+
+Addresses the following AVC denials examples:
+
+type=PROCTITLE msg=audit(17.8.2022 22:14:39.050:315) : proctitle=/usr/bin/plasmashell --no-respawn
+type=PATH msg=audit(17.8.2022 22:14:39.050:315) : item=0 name=/ inode=128 dev=fd:00 mode=dir,555 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(17.8.2022 22:14:39.050:315) : arch=x86_64 syscall=inotify_add_watch success=yes exit=6 a0=0x9 a1=0x559ff6613b98 a2=0x2000fc6 a3=0x559ff663b226 items=1 ppid=1610 pid=1824 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=plasmashell exe=/usr/bin/plasmashell subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(17.8.2022 22:14:39.050:315) : avc: denied { watch } for pid=1824 comm=plasmashell path=/ dev="dm-0" ino=128 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
+
+type=PROCTITLE msg=audit(22.8.2022 18:35:47.341:4615) : proctitle=/usr/bin/dolphin /run/media/username/0893-C004
+type=PATH msg=audit(22.8.2022 18:35:47.341:4615) : item=0 name=/run/media/username/342cbc31-ca2a-4f65-bf60-59f2f3dfdce8 inode=2 dev=08:02 mode=dir,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(22.8.2022 18:35:47.341:4615) : arch=x86_64 syscall=inotify_add_watch success=yes exit=7 a0=0x9 a1=0x55da0ceca788 a2=0x2000fc6 a3=0x55da0d0e6fd6 items=1 ppid=1610 pid=481970 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=dolphin exe=/usr/bin/dolphin subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(22.8.2022 18:35:47.341:4615) : avc: denied { watch } for pid=481970 comm=dolphin path=/run/media/username/342cbc31-ca2a-4f65-bf60-59f2f3dfdce8 dev="sda2" ino=2 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
+
+The rpc_watch_exports() and kernel_watch_unlabeled_dirs() interfaces
+were added.
+
+Signed-off-by: lujie42
+---
+ policy/modules/contrib/rpc.if | 19 +++++++++++++++++++
+ policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
+ policy/modules/system/userdomain.te | 13 +++++++++++++
+ 3 files changed, 50 insertions(+)
+
+diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
+index 0c6410612..b234bca58 100644
+--- a/policy/modules/contrib/rpc.if
++++ b/policy/modules/contrib/rpc.if
+@@ -150,6 +150,25 @@ interface(`rpc_manage_exports',`
+ manage_files_pattern($1, exports_t, exports_t)
+ ')
+
++########################################
++##
++## Watch nfs file exports
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpc_watch_exports',`
++ gen_require(`
++ type exports_t;
++ ')
++
++ files_search_etc($1)
++ allow $1 exports_t:file watch_file_perms;
++')
++
+ ########################################
+ ##
+ ## Execute domain in nfsd domain.
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 8ffd4988f..f669f866c 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -2842,6 +2842,24 @@ interface(`kernel_rw_unlabeled_files',`
+ allow $1 unlabeled_t:file rw_file_perms;
+ ')
+
++########################################
++##
++## Watch unlabeled directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_watch_unlabeled_dirs',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dir watch_dir_perms;
++')
++
+ ########################################
+ ##
+ ## Do not audit attempts by caller to get the
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 5576a97cb..1cf86a09e 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -386,12 +386,19 @@ tunable_policy(`deny_bluetooth',`',`
+ allow login_userdomain self:bluetooth_socket rw_stream_socket_perms;
+ ')
+
++kernel_watch_unlabeled_dirs(login_userdomain)
++
++auth_watch_passwd(login_userdomain)
++
++corecmd_watch_bin_dirs(login_userdomain)
++
+ dev_watch_generic_dirs(login_userdomain)
+
+ files_map_var_lib_files(login_userdomain)
+ files_read_var_lib_symlinks(login_userdomain)
+ files_watch_etc_dirs(login_userdomain)
+ files_watch_etc_files(login_userdomain)
++files_watch_root_dirs(login_userdomain)
+ files_watch_system_conf_dirs(login_userdomain)
+ files_watch_usr_dirs(login_userdomain)
+ files_watch_usr_files(login_userdomain)
+@@ -441,10 +448,16 @@ optional_policy(`
+ pkcs_tmpfs_named_filetrans(login_userdomain)
+ ')
+
++optional_policy(`
++ rpc_watch_exports(login_userdomain)
++')
++
++
+ optional_policy(`
+ systemd_login_watch_pid_dirs(login_userdomain)
+ systemd_login_watch_session_dirs(login_userdomain)
+ systemd_machined_watch_pid_dirs(login_userdomain)
++ systemd_resolved_watch_pid_dirs(login_userdomain)
+ ')
+
+ ############################################################
+--
+2.27.0
+
diff --git a/backport-Allow-login_userdomain-write-to-boltd-named-pipes.patch b/backport-Allow-login_userdomain-write-to-boltd-named-pipes.patch
new file mode 100644
index 0000000..f186189
--- /dev/null
+++ b/backport-Allow-login_userdomain-write-to-boltd-named-pipes.patch
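Review bot: The new `optional_policy(` block for `rpc_watch_exports(login_userdomain)` in userdomain.te is followed by two added blank lines before the next `optional_policy(` block, whereas every other block in this hunk is separated by one; drop the second `++` line. On the substance, `kernel_watch_unlabeled_dirs(login_userdomain)` lets every login user domain place inotify watches on `unlabeled_t` directories; the denials come from unlabeled removable media under /run/media, but the rule is not scoped to that, and directory watches report entry names as they appear, so it is worth confirming that login_userdomain already has at least search/read on unlabeled_t dirs before granting watch (the hunk does not show it). A short comment at the call site stating the motivating case, e.g. `# file managers watch unlabeled removable media under /run/media`, would make the intent reviewable later. The kernel.if and rpc.if doc blocks appear to have lost their XML tags in this rendering, so verify the files still carry them.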
@@ -0,0 +1,46 @@
+From 7d20b237ff092cd615045ff25a3d0c9c741f145d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 9 Sep 2022 17:22:52 +0200
+Subject: [PATCH] Allow login_userdomain write to boltd named pipes
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(5.9.2022 23:01:30.921:15103) : proctitle=systemd-stdio-bridge -punix:path=/run/user/1000/bus
+type=PATH msg=audit(5.9.2022 23:01:30.921:15103) : item=0 name= inode=32185282 dev=00:08 mode=socket,777 ouid=root ogid=root rdev=00:00 obj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(5.9.2022 23:01:30.921:15103) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0x0 a1=0x7f7a005b7093 a2=0x7fff374a7080 a3=0x1000 items=1 ppid=1 pid=1870519 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=10 comm=systemd-stdio-b exe=/usr/bin/systemd-stdio-bridge subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(5.9.2022 23:01:30.921:15103) : avc: denied { getattr } for pid=1870519 comm=systemd-stdio-b path=socket:[32185282] dev="sockfs" ino=32185282 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
+
+Signed-off-by: lujie42
+---
+ policy/modules/contrib/rpm.if | 2 +-
+ policy/modules/system/userdomain.te | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/rpm.if b/policy/modules/contrib/rpm.if
+index c6833ba7d..ec09e164d 100644
+--- a/policy/modules/contrib/rpm.if
++++ b/policy/modules/contrib/rpm.if
+@@ -993,5 +993,5 @@ interface(`rpm_script_rw_stream_sockets',`
+ type rpm_script_t;
+ ')
+
+- allow $1 rpm_script_t:unix_stream_socket { read write };
++ allow $1 rpm_script_t:unix_stream_socket { rw_socket_perms };
+ ')
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 1cf86a09e..bdccda7ea 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -452,6 +452,9 @@ optional_policy(`
+ rpc_watch_exports(login_userdomain)
+ ')
+
++optional_policy(`
++ rpm_script_rw_stream_sockets(login_userdomain)
++')
+
+ optional_policy(`
+ systemd_login_watch_pid_dirs(login_userdomain)
+--
+2.27.0
+
diff --git a/backport-Allow-pcp-pmcd-search-tracefs-and-acct_data-dirs.patch b/backport-Allow-pcp-pmcd-search-tracefs-and-acct_data-dirs.patch
new file mode 100644
index 0000000..54e8077
--- /dev/null
+++ b/backport-Allow-pcp-pmcd-search-tracefs-and-acct_data-dirs.patch
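Review bot: The subject "Allow login_userdomain write to boltd named pipes" and the backport file name describe a change this hunk does not contain: the diff widens `rpm_script_rw_stream_sockets()` in rpm.if and calls it for login_userdomain, and the quoted denial is a `getattr` on an `rpm_script_t` unix_stream_socket by systemd-stdio-bridge; boltd is not mentioned anywhere in the patch. The subject should name the actual change so the spec's patch list stays searchable. On the rule itself, `{ rw_socket_perms }` wraps a permission-set macro in an extra brace pair, which the surrounding rpm.if code does not do, and rw_socket_perms is much wider than the single getattr in the denial (it also includes setattr, setopt and shutdown) and the widening applies to every existing caller of this interface, not just login_userdomain; the minimal change is `allow $1 rpm_script_t:unix_stream_socket { getattr read write };`.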
@@ -0,0 +1,77 @@
+From b821da04f48bfc97b4e214df7e17326df0c5ed7a Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Tue, 6 Sep 2022 15:19:59 +0200
+Subject: [PATCH] Allow pcp pmcd search tracefs and acct_data dirs
+
+Allow Performance Metrics Domain Agent (PMDA) search accesses on the directory /sys/kernel/tracing.
+Addresses the following AVC denial:
+type=AVC msg=audit(1642589553.515:244): avc: denied { search } for pid=2039 comm="pmdakvm" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
+Resolves: bz#2041845
+
+Allow pmdaproc search accesses on the directory /var/account.
+Add interface to allow search process accounting data.
+Addresses the following AVC denial:
+type=AVC msg=audit(1642589553.499:243): avc: denied { search } for pid=2036 comm="pmdaproc" name="account" dev="sdf1" ino=9175045 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:acct_data_t:s0 tclass=dir permissive=0
+Resolves: bz#2041843
+
+Signed-off-by: lujie42
+---
+ policy/modules/contrib/acct.if | 18 ++++++++++++++++++
+ policy/modules/contrib/pcp.te | 5 +++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/policy/modules/contrib/acct.if b/policy/modules/contrib/acct.if
+index bc4038b45..86dcc1d5f 100644
+--- a/policy/modules/contrib/acct.if
++++ b/policy/modules/contrib/acct.if
+@@ -60,6 +60,24 @@ interface(`acct_exec_data',`
+ can_exec($1, acct_data_t)
+ ')
+
++########################################
++##
++## Search process accounting data.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`acct_search_data',`
++ gen_require(`
++ type acct_data_t;
++ ')
++
++ search_dirs_pattern($1, acct_data_t, acct_data_t)
++')
++
+ ########################################
+ ##
+ ## Create, read, write, and delete
+diff --git a/policy/modules/contrib/pcp.te b/policy/modules/contrib/pcp.te
+index 66200d46f..920456afc 100644
+--- a/policy/modules/contrib/pcp.te
++++ b/policy/modules/contrib/pcp.te
+@@ -146,6 +146,7 @@ fs_getattr_all_dirs(pcp_pmcd_t)
+ fs_list_cgroup_dirs(pcp_pmcd_t)
+ fs_read_cgroup_files(pcp_pmcd_t)
+ fs_read_nfsd_files(pcp_pmcd_t)
++fs_search_tracefs_dirs(pcp_pmcd_t)
+
+ init_read_utmp(pcp_pmcd_t)
+
+@@ -159,6 +160,10 @@ storage_raw_read_fixed_disk(pcp_pmcd_t)
+ userdom_read_user_tmp_files(pcp_pmcd_t)
+ userdom_manage_unpriv_user_semaphores(pcp_pmcd_t)
+
++optional_policy(`
++ acct_search_data(pcp_pmcd_t)
++')
++
+ optional_policy(`
+ cron_read_pid_files(pcp_pmcd_t)
+ ')
+--
+2.27.0
+
diff --git a/backport-Allow-ssh-client-read-kerberos-homedir-config-files.patch b/backport-Allow-ssh-client-read-kerberos-homedir-config-files.patch
new file mode 100644
index 0000000..91f4716
--- /dev/null
+++ b/backport-Allow-ssh-client-read-kerberos-homedir-config-files.patch
@@ -0,0 +1,30 @@
+From b7cd8535f926e9f6e38499714f0d97b12b77dde6 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 22 Aug 2022 12:25:09 +0200
+Subject: [PATCH] Allow ssh client read kerberos homedir config files
+
+Addresses the following AVC denial:
+type=PATH msg=audit(22.8.2022 10:09:52.495:4019) : item=0 name=/home/user/.k5identity inode=15144919 dev=fd:03 mode=file,664 ouid=user ogid=user rdev=00:00 obj=staff_u:object_r:krb5_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(22.8.2022 10:09:52.495:4019) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x564acca009b0 a2=O_RDONLY a3=0x0 items=1 ppid=78842 pid=439750 auid=user uid=user gid=user euid=user suid=user fsuid=user egid=user sgid=user fsgid=user tty=pts12 ses=3 comm=ssh exe=/usr/bin/ssh subj=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(22.8.2022 10:09:52.495:4019) : avc: denied { open } for pid=439750 comm=ssh path=/home/user/.k5identity dev="dm-3" ino=15144919 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:krb5_home_t:s0 tclass=file permissive=1
+
+Signed-off-by: lujie42
+---
+ policy/modules/services/ssh.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
+index bf988b7f2..15b611e46 100644
+--- a/policy/modules/services/ssh.te
++++ b/policy/modules/services/ssh.te
+@@ -246,6 +246,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ kerberos_read_home_content(ssh_t)
+ kerberos_read_keytab(ssh_t)
+ ')
+
+--
+2.27.0
+
diff --git a/backport-Allow-sss-daemons-read-write-unnamed-pipes-of-cloud-.patch b/backport-Allow-sss-daemons-read-write-unnamed-pipes-of-cloud-.patch
new file mode 100644
index 0000000..7e69dcc
--- /dev/null
+++ b/backport-Allow-sss-daemons-read-write-unnamed-pipes-of-cloud-.patch
@@ -0,0 +1,65 @@ +From 3478cb66bc08866173e82fa070c160c0c03513bd Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 30 Sep 2022 16:08:55 +0200 +Subject: [PATCH] Allow sss daemons read/write unnamed pipes of cloud-init + +The cloudform_rw_pipes() interface was added. + +Addresses the following AVC denials: +[ 10.779755] fedora audit[812]: AVC avc: denied { read } for pid=812 comm="sss_cache" path="pipe:[18908]" dev="pipefs" ino=18908 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0 +[ 10.779916] fedora audit[812]: AVC avc: denied { write } for pid=812 comm="sss_cache" path="pipe:[18909]" dev="pipefs" ino=18909 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0 + +Resolves: rhbz#2073265 +Signed-off-by: lujie42 +--- + policy/modules/contrib/cloudform.if | 18 ++++++++++++++++++ + policy/modules/contrib/sssd.te | 4 ++++ + 2 files changed, 22 insertions(+) + +diff --git a/policy/modules/contrib/cloudform.if b/policy/modules/contrib/cloudform.if +index 55fe0d668..4a17c4872 100644 +--- a/policy/modules/contrib/cloudform.if ++++ b/policy/modules/contrib/cloudform.if +@@ -41,6 +41,24 @@ interface(`cloudform_init_domtrans',` + domtrans_pattern($1, cloud_init_exec_t, cloud_init_t) + ') + ++######################################## ++## ++## Read and write unnamed cloud-init pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cloudform_rw_pipes',` ++ gen_require(` ++ type cloud_init_t; ++ ') ++ ++ allow $1 cloud_init_t:fifo_file rw_fifo_file_perms; ++') ++ + ###################################### + ## + ## Execute mongod in the caller domain. 
+diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te +index f5c7d980d..90d04fd91 100644 +--- a/policy/modules/contrib/sssd.te ++++ b/policy/modules/contrib/sssd.te +@@ -185,6 +185,10 @@ optional_policy(` + bind_read_cache(sssd_t) + ') + ++optional_policy(` ++ cloudform_rw_pipes(sssd_t) ++') ++ + optional_policy(` + dbus_system_bus_client(sssd_t) + dbus_connect_system_bus(sssd_t) +-- +2.27.0 + diff --git a/backport-Allow-staff_u-and-user_u-users-write-to-bolt-pipe.patch b/backport-Allow-staff_u-and-user_u-users-write-to-bolt-pipe.patch new file mode 100644 index 0000000..02d78db --- /dev/null +++ b/backport-Allow-staff_u-and-user_u-users-write-to-bolt-pipe.patch 
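Review bot: The new `cloudform_rw_pipes` interface grants `rw_fifo_file_perms` on cloud_init_t fifo_file, but the two denials it addresses are for already-open unnamed pipes (`path="pipe:[18908]"`, `path="pipe:[18909]"`) that sss_cache received from its parent; an unnamed pipe has no path to open, so the `open` permission in that set is never exercised. `rw_inherited_fifo_file_perms` matches the interface's own summary ("Read and write unnamed cloud-init pipes") more precisely: `allow $1 cloud_init_t:fifo_file rw_inherited_fifo_file_perms;`. Keeping `open` out of the rule also records the intent that sssd only inherits cloud-init's pipes rather than opening anything, which is the least-privilege reading of the denial. The sssd.te caller block is complete within the hunk; the cloudform.if context after the interface continues outside it.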
@@ -0,0 +1,50 @@ +From 5adbc14b634b60c5bd779fb22c5bf4a674a83020 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 9 Sep 2022 17:21:10 +0200 +Subject: [PATCH] Allow staff_u and user_u users write to bolt pipe + +Addresses the following AVC denial: +- +type=PROCTITLE msg=audit(6.9.2022 07:26:55.355:15479) : proctitle=boltctl power +type=SYSCALL msg=audit(6.9.2022 07:26:55.355:15479) : arch=x86_64 syscall=recvmsg success=yes exit=16 a0=0x5 a1=0x7f341adfd940 a2=MSG_CMSG_CLOEXEC a3=0x7fff30353080 items=0 ppid=1832290 pid=1905598 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=pts18 ses=3 comm=gdbus exe=/usr/bin/boltctl subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(6.9.2022 07:26:55.355:15479) : avc: denied { write } for pid=1905598 comm=gdbus path=/run/boltd/power/1.guard.fifo dev="tmpfs" ino=95970 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boltd_var_run_t:s0 tclass=fifo_file permissive=1 + +Signed-off-by: lujie42 +--- + policy/modules/roles/staff.te | 4 ++++ + policy/modules/roles/unprivuser.te | 4 ++++ + 2 files changed, 8 insertions(+) + +diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te +index a573eba03..907710baf 100644 +--- a/policy/modules/roles/staff.te ++++ b/policy/modules/roles/staff.te +@@ -103,6 +103,10 @@ optional_policy(` + blueman_dbus_chat(staff_t) + ') + ++optional_policy(` ++ boltd_write_var_run_pipes(staff_t) ++') ++ + optional_policy(` + kdumpgui_dbus_chat(staff_t) + ') +diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te +index 56a8be217..a4781914e 100644 +--- a/policy/modules/roles/unprivuser.te ++++ b/policy/modules/roles/unprivuser.te +@@ -66,6 +66,10 @@ optional_policy(` + bluetooth_role(user_r, user_t) + ') + ++optional_policy(` ++ boltd_write_var_run_pipes(user_t) ++') ++ + optional_policy(` + colord_dbus_chat(user_t) + ') +-- +2.27.0 + 
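Review bot: Both new `optional_policy` blocks call `boltd_write_var_run_pipes`, which this patch does not define, so the backport only builds if the interface arrives via another patch in the series — presumably backport-Allow-login_userdomain-write-to-boltd-named-pipes.patch, listed in the spec as Patch6117 after this one (Patch6116). The build is unaffected while every patch is applied before compilation, but a dependency comment in the patch description or next to the Patch line, e.g. `# requires boltd_write_var_run_pipes from backport-Allow-login_userdomain-write-to-boltd-named-pipes.patch`, would save the next backporter from a failed build when cherry-picking only one of them. If login_userdomain already covers staff_t and user_t in this policy version, the two calls here may also duplicate that patch; worth confirming before carrying both. The staff.te and unprivuser.te role blocks continue outside the hunk.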
diff --git a/backport-Allow-systemd-gpt-auto-generator-to-check-for-empty-.patch b/backport-Allow-systemd-gpt-auto-generator-to-check-for-empty-.patch
new file mode 100644
index 0000000..ac1636c
--- /dev/null
+++ b/backport-Allow-systemd-gpt-auto-generator-to-check-for-empty-.patch
@@ -0,0 +1,38 @@ +From 8304d9b80b3cb22e429d2113cf81dca07d306dd7 Mon Sep 17 00:00:00 2001 +From: Quintin Hill +Date: Fri, 2 Sep 2022 16:44:37 +0100 +Subject: [PATCH] Allow systemd-gpt-auto-generator to check for empty dirs + +systemd-gpt-auto-generator wants to check that certain subdirectories of / are empty before generating mount units for them this is not permitted by policy. + +Addresses: +systemd-gpt-auto-generator[388]: Cannot check if "/home" is empty: Permission denied +kernel: audit: type=1400 audit(1662118200.418:80): avc: denied { read } for pid=388 comm="systemd-gpt-aut" name="home" dev="sda2" ino=3180 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=0 +audit[388]: AVC avc: denied { read } for pid=388 comm="systemd-gpt-aut" name="var" dev="sda2" ino=362569 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0 +systemd-gpt-auto-generator[388]: Cannot check if "/var" is empty: Permission denied + +Resolves: rhbz#2123765 +Signed-off-by: lujie42 +--- + policy/modules/system/systemd.te | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index a9308b8cc..028820491 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1112,6 +1112,11 @@ dev_read_sysfs(systemd_gpt_generator_t) + dev_write_kmsg(systemd_gpt_generator_t) + dev_read_rand(systemd_gpt_generator_t) + ++files_list_boot(systemd_gpt_generator_t) ++files_list_home(systemd_gpt_generator_t) ++files_list_tmp(systemd_gpt_generator_t) ++files_list_usr(systemd_gpt_generator_t) ++files_list_var(systemd_gpt_generator_t) + + fstools_exec(systemd_gpt_generator_t) + +-- +2.27.0 + diff --git a/backport-Allow-utempter-append-to-login_userdomain-stream.patch b/backport-Allow-utempter-append-to-login_userdomain-stream.patch new file mode 100644 index 0000000..5d1dcb8 --- /dev/null 
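Review bot: The hunk grants five `files_list_*` permissions, but the denials quoted in the description only account for two of them (`home_root_t` → `files_list_home`, `var_t` → `files_list_var`); boot, tmp and usr are added without evidence on the page. That is defensible if the generator probes those directories as well, but the commit should say so — a comment above the block such as `# systemd-gpt-auto-generator checks whether /boot, /home, /tmp, /usr and /var are empty before generating mount units`, or the generator's directory list in the description, makes the scope reviewable. Without it a later audit cannot tell intentional breadth from copy-paste. The systemd_gpt_generator_t rule block continues outside the hunk.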
+++ b/backport-Allow-utempter-append-to-login_userdomain-stream.patch 
@@ -0,0 +1,64 @@ +From 1c0959233b2d061dffb8e6d34b4f49d664d68af9 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 9 Sep 2022 17:38:35 +0200 +Subject: [PATCH] Allow utempter append to login_userdomain stream + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(23.8.2022 11:20:02.949:5147) : proctitle=/usr/libexec/utempter/utempter add :0 +type=PATH msg=audit(23.8.2022 11:20:02.949:5147) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=33828998 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=PATH msg=audit(23.8.2022 11:20:02.949:5147) : item=0 name=/usr/libexec/utempter/utempter inode=35940312 dev=fd:00 mode=file,sgid,711 ouid=root ogid=utmp rdev=00:00 obj=system_u:object_r:utempter_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=EXECVE msg=audit(23.8.2022 11:20:02.949:5147) : argc=3 a0=/usr/libexec/utempter/utempter a1=add a2=:0 +type=SYSCALL msg=audit(23.8.2022 11:20:02.949:5147) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x559ff13c4220 a1=0x559ff13c5170 a2=0x7ffc47314488 a3=0x8 items=2 ppid=544463 pid=544464 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=utmp sgid=utmp fsgid=utmp tty=pts17 ses=3 comm=utempter exe=/usr/libexec/utempter/utempter subj=staff_u:staff_r:utempter_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(23.8.2022 11:20:02.949:5147) : avc: denied { append } for pid=544464 comm=utempter path=socket:[935095] dev="sockfs" ino=935095 scontext=staff_u:staff_r:utempter_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 + +Signed-off-by: lujie42 +--- + policy/modules/system/authlogin.te | 1 + + policy/modules/system/userdomain.if | 18 ++++++++++++++++++ + 2 files changed, 19 insertions(+) + +diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te 
+index 1885fa699..feabf67ab 100644 +--- a/policy/modules/system/authlogin.te ++++ b/policy/modules/system/authlogin.te +@@ -423,6 +423,7 @@ domain_use_interactive_fds(utempter_t) + + logging_search_logs(utempter_t) + ++userdom_append_stream_userdomain(utempter_t) + userdom_use_inherited_user_terminals(utempter_t) + # Allow utemper to write to /tmp/.xses-* + userdom_write_user_tmp_files(utempter_t) +diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if +index e14a3c58f..43192ae29 100644 +--- a/policy/modules/system/userdomain.if ++++ b/policy/modules/system/userdomain.if +@@ -6637,6 +6637,24 @@ interface(`userdom_login_userdomain',` + typeattribute $1 login_userdomain; + ') + ++######################################## ++## ++## Append to login_userdomain stream. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_append_stream_userdomain',` ++ gen_require(` ++ attribute login_userdomain; ++ ') ++ ++ allow $1 login_userdomain:unix_stream_socket { getattr append }; ++') ++ + ######################################## + ## + ## Do not audit attempts to check the +-- +2.27.0 + diff --git a/backport-Allow-xenstored-change-its-hard-resource-limits.patch b/backport-Allow-xenstored-change-its-hard-resource-limits.patch new file mode 100644 index 0000000..3509bc1 --- /dev/null +++ b/backport-Allow-xenstored-change-its-hard-resource-limits.patch 
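Review bot: The denial cited is an `append` on a `socket:[935095]` unix_stream_socket of the caller's domain, apparently a descriptor utempter inherited rather than connected to (no connect denial appears), yet neither the interface name `userdom_append_stream_userdomain` nor its summary `Append to login_userdomain stream.` says the socket is inherited, and `getattr` is granted without a matching denial. The summary should state the contract, e.g. `Append to, and getattr, an inherited unix stream socket of a login_userdomain domain (e.g. stdout/stderr passed in by the calling user process).`, so a future reader does not take it for a connect or general write permission. If `getattr` is kept for completeness, a short comment on the allow line saying so would stop the next reviewer from hunting for a missing AVC. In authlogin.te the call is placed above `userdom_use_inherited_user_terminals`, which groups the inherited-descriptor rules together; the rest of the utempter_t block is outside the hunk.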
@@ -0,0 +1,32 @@ +From ad912918e04aefd676e3a2772d7252a978652695 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 26 Sep 2022 15:00:49 +0200 +Subject: [PATCH] Allow xenstored change its hard resource limits + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(09/23/2022 14:49:28.646:155) : proctitle=prlimit --nofile=1073741816 /usr/sbin/xenstored --pid-file /var/run/xen/xenstored.pid +type=SYSCALL msg=audit(09/23/2022 14:49:28.646:155) : arch=x86_64 syscall=prlimit64 success=no exit=EACCES(Permission denied) a0=0x0 a1=0x7 a2=0x55fa676e15b0 a3=0x0 items=0 ppid=532 pid=536 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=prlimit exe=/usr/bin/prlimit subj=system_u:system_r:xenstored_t:s0 key=(null) +type=AVC msg=audit(09/23/2022 14:49:28.646:155) : avc: denied { setrlimit } for pid=536 comm=prlimit scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=process permissive=0 + +Resolves: rhbz#2125693 +Signed-off-by: lujie42 +--- + policy/modules/contrib/xen.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te +index bbda6032b..6e1e83b4d 100644 +--- a/policy/modules/contrib/xen.te ++++ b/policy/modules/contrib/xen.te +@@ -423,6 +423,7 @@ optional_policy(` + # + + allow xenstored_t self:capability { dac_read_search ipc_lock sys_resource }; ++allow xenstored_t self:process setrlimit; + allow xenstored_t self:unix_stream_socket create_stream_socket_perms; + allow xenstored_t self:unix_dgram_socket create_socket_perms; + +-- +2.27.0 + diff --git a/backport-blueman-mechanism-can-read-.local-lib-python-site-pa.patch b/backport-blueman-mechanism-can-read-.local-lib-python-site-pa.patch new file mode 100644 index 0000000..3b6dfc0 --- /dev/null +++ b/backport-blueman-mechanism-can-read-.local-lib-python-site-pa.patch 
@@ -0,0 +1,38 @@ +From 284df66be2e1432333b8134606b30fd76c877123 Mon Sep 17 00:00:00 2001 +From: Milos Malik +Date: Wed, 7 Sep 2022 09:57:13 +0200 +Subject: [PATCH] blueman-mechanism can read ~/.local/lib/python*/site-packages + directory + +If the ~/.local/lib/python*/site-packages/ directory exists in root's +home directory then the blueman-mechanism service tries to read that +directory during its start. + +The blueman-mechanism program is written in Python and I believe that +Python is trying to find locally installed python modules. + +In order to avoid these SELinux denials, SELinux policy should allow +the access. + +Resolves: BZ#2027044 +Signed-off-by: lujie42 +--- + policy/modules/contrib/blueman.te | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/contrib/blueman.te b/policy/modules/contrib/blueman.te +index 4389ad441..305c5270c 100644 +--- a/policy/modules/contrib/blueman.te ++++ b/policy/modules/contrib/blueman.te +@@ -93,7 +93,7 @@ optional_policy(` + ') + + optional_policy(` +- gnome_search_gconf(blueman_t) ++ gnome_search_gconf_data_dir(blueman_t) + ') + + optional_policy(` +-- +2.27.0 + diff --git a/selinux-policy.spec b/selinux-policy.spec index 1f4cc9f..fd45501 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -12,7 +12,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 35.5 -Release: 13 +Release: 14 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ 
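Review bot: The description explains that blueman-mechanism reads `~/.local/lib/python*/site-packages`, but the one-line change swaps `gnome_search_gconf(blueman_t)` for `gnome_search_gconf_data_dir(blueman_t)`, and nothing on the page links that path to the gnome interface; presumably `~/.local` carries a gnome-module home label that the new interface covers, but a reader of blueman.te cannot see that. A comment on the call, `# ~/.local (Python user site-packages lookup) is labeled by the gnome module`, or the denial's tcontext in the description, would make the choice of interface auditable. The description also says "these SELinux denials" without quoting any AVC, unlike the other patches in this series; adding the denial would let the granted permission be checked against the observed one. The blueman_t optional_policy block continues outside the hunk.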
@@ -174,6 +174,23 @@ Patch6106: backport-Allow-openvswitch-fsetid-capability.patch Patch6107: backport-Allow-launch-xenstored-read-filesystem-sysctls.patch Patch6108: backport-Allow-login_userdomain-check-status-of-mount-units.patch Patch6109: backport-Allow-xdm-read-the-kernel-key-ring.patch +Patch6110: backport-Allow-ssh-client-read-kerberos-homedir-config-files.patch +Patch6111: backport-Allow-ipsec_t-read-write-tpm-devices.patch +Patch6112: backport-Allow-httpd-read-network-sysctls.patch +Patch6113: backport-Allow-pcp-pmcd-search-tracefs-and-acct_data-dirs.patch +Patch6114: backport-Allow-systemd-gpt-auto-generator-to-check-for-empty-.patch +Patch6115: backport-Allow-login_userdomain-watch-various-directories.patch +Patch6116: backport-Allow-staff_u-and-user_u-users-write-to-bolt-pipe.patch +Patch6117: backport-Allow-login_userdomain-write-to-boltd-named-pipes.patch +Patch6118: backport-Allow-utempter-append-to-login_userdomain-stream.patch +Patch6119: backport-blueman-mechanism-can-read-.local-lib-python-site-pa.patch +Patch6120: backport-Allow-init-read-write-inherited-user-fifo-files.patch +Patch6121: backport-Add-numad-the-ipc_owner-capability.patch +Patch6122: backport-Add-bgpd-sys_chroot-capability.patch +Patch6123: backport-Allow-init-remount-all-file_type-filesystems.patch +Patch6124: backport-Allow-xenstored-change-its-hard-resource-limits.patch +Patch6125: backport-Allow-init-map-its-private-tmp-files.patch +Patch6126: backport-Allow-sss-daemons-read-write-unnamed-pipes-of-cloud-.patch Patch9000: add-qemu_exec_t-for-stratovirt.patch Patch9001: fix-context-of-usr-bin-rpmdb.patch @@ -845,6 +862,9 @@ exit 0 %endif %changelog +* Sun Nov 27 2022 lujie - 35.5-14 +- backport upstream patches + * Mon Sep 19 2022 xinghe - 35.5-13 - allow map postfix_master_t -- Gitee