From 7bd2902998afad3ac67a1f6df4ae68d9e17cae27 Mon Sep 17 00:00:00 2001
From: wangjiang
Date: Thu, 23 Mar 2023 10:40:09 +0800
Subject: [PATCH] backport patch Allow virt_domain read device sysctls

---
 ...t-Allow-icecast-rename-its-log-files.patch | 25 +++++++++++++++
 ...llow-virt_domain-read-device-sysctls.patch | 32 +++++++++++++++++++
 selinux-policy.spec | 8 ++++-
 3 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 backport-Allow-icecast-rename-its-log-files.patch
 create mode 100644 backport-Allow-virt_domain-read-device-sysctls.patch

diff --git a/backport-Allow-icecast-rename-its-log-files.patch b/backport-Allow-icecast-rename-its-log-files.patch
new file mode 100644
index 0000000..44ecbb9
--- /dev/null
+++ b/backport-Allow-icecast-rename-its-log-files.patch
@@ -0,0 +1,25 @@
+From 6a800840bda95fca3ee5e723ae4c7ea0de9cf95f Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 18 Jan 2023 17:49:03 +0100
+Subject: [PATCH] Allow icecast rename its log files
+
+This permission is required when icecast is configured with
+"logarchive 1" and the log file size reaches the "logsize" limit.
+
+Resolves: rhbz#2156763
+---
+ policy/modules/contrib/icecast.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/icecast.te b/policy/modules/contrib/icecast.te
+index 23f8b5d4c7..33267a72fe 100644
+--- a/policy/modules/contrib/icecast.te
++++ b/policy/modules/contrib/icecast.te
+@@ -41,6 +41,7 @@ allow icecast_t self:tcp_socket { accept listen };
+ allow icecast_t icecast_log_t:dir setattr_dir_perms;
+ append_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
+ create_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
++rename_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
+ setattr_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
+
+ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
diff --git a/backport-Allow-virt_domain-read-device-sysctls.patch b/backport-Allow-virt_domain-read-device-sysctls.patch
new file mode 100644
index 0000000..4badb91
--- /dev/null
+++ b/backport-Allow-virt_domain-read-device-sysctls.patch
@@ -0,0 +1,32 @@
+From 7fb3ecc364ef89ed3e992e0a3e8f54f7275ba3f7 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 13 Oct 2022 16:24:56 +0200
+Subject: [PATCH] Allow virt_domain read device sysctls
+
+This denial appears when a vm is configured with 3D acceleration enabled.
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(13.10.2022 15:38:15.538:1556) : proctitle=/usr/bin/qemu-system-x86_64 -name guest=f37beta,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"raw
+type=PATH msg=audit(13.10.2022 15:38:15.538:1556) : item=0 name=/proc/sys/dev/i915/perf_stream_paranoid inode=27625 dev=00:17 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_dev_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(13.10.2022 15:38:15.538:1556) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x7f2d4d9fcee8 a2=0x7ffc229e3210 a3=0x0 items=1 ppid=1 pid=136663 auid=unset uid=qemu gid=qemu euid=qemu suid=qemu fsuid=qemu egid=qemu sgid=qemu fsgid=qemu tty=(none) ses=unset comm=qemu-system-x86 exe=/usr/bin/qemu-system-x86_64 subj=system_u:system_r:svirt_t:s0:c641,c1000 key=(null)
+type=AVC msg=audit(13.10.2022 15:38:15.538:1556) : avc: denied { getattr } for pid=136663 comm=qemu-system-x86 path=/proc/sys/dev/i915/perf_stream_paranoid dev="proc" ino=27625 scontext=system_u:system_r:svirt_t:s0:c641,c1000 tcontext=system_u:object_r:sysctl_dev_t:s0 tclass=file permissive=1
+type=AVC msg=audit(13.10.2022 15:38:15.538:1556) : avc: denied { search } for pid=136663 comm=qemu-system-x86 name=dev dev="proc" ino=27623 scontext=system_u:system_r:svirt_t:s0:c641,c1000 tcontext=system_u:object_r:sysctl_dev_t:s0 tclass=dir permissive=1
+
+Resolves: rhbz#2143886
+---
+ policy/modules/contrib/virt.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
+index 645b06c1e7..83eca915fe 100644
+--- a/policy/modules/contrib/virt.te
++++ b/policy/modules/contrib/virt.te
+@@ -880,6 +880,7 @@ read_files_pattern(virt_domain, virt_content_t, virt_content_t)
+ dontaudit virt_domain virt_content_t:file write_file_perms;
+ dontaudit virt_domain virt_content_t:dir write;
+
++kernel_read_device_sysctls(virt_domain)
+ kernel_read_net_sysctls(virt_domain)
+ kernel_read_network_state(virt_domain)
+ kernel_ib_access_unlabeled_pkeys(virt_domain)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7e27b93..ebb0670 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 35.5
-Release: 15
+Release: 16
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
@@ -63,6 +63,8 @@ Patch7: add-avc-for-openEuler-1.patch
 Patch8: allow-rpcbind-to-bind-all-port.patch
 Patch9: add-avc-for-systemd-journald.patch
 Patch10: add-avc-for-systemd.patch
+Patch11: backport-Allow-virt_domain-read-device-sysctls.patch
+Patch12: backport-Allow-icecast-rename-its-log-files.patch
 
 Patch6000: backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch
 Patch6001: backport-Allow-chage-domtrans-to-sssd.patch
@@ -863,6 +865,10 @@ exit 0
 %endif
 
 %changelog
+* Thu Mar 23 2023 wangjiang - 35.5-16
+- backport patch Allow virt_domain read device sysctls
+ Allow icecast rename its log files
+
* Mon Dec 12 2022 Ge Wang - 35.5-15
 - add var_lib_t for obs-server
 
-- Gitee
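Review bot: The added rule `kernel_read_device_sysctls(virt_domain)` in the virt.te hunk is wider than the denial it fixes: the AVC records quoted in the patch description show only `search` on /proc/sys/dev and `getattr` on /proc/sys/dev/i915/perf_stream_paranoid, while this interface (if it matches the reference-policy definition) grants read access to every file labelled sysctl_dev_t to all virt_domain members, including the MCS-confined svirt_t guest processes seen in the audit records. This is the upstream rule being carried over, so the scope is presumably intentional, but the backport should say so where a future reviewer will see it, e.g. a `#` comment above the rule: `# 3D-accelerated guests stat /proc/sys/dev/i915/*; this grants read on all of sysctl_dev_t (rhbz#2143886)`. The surrounding virt_domain rule block begins and ends outside the hunk.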
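Review bot: The two new entries `Patch11:` and `Patch12:` in the selinux-policy.spec hunk at line 63 are upstream backports but are numbered in the low range next to `Patch10: add-avc-for-systemd.patch`, while the existing backports in this spec sit in the 6000 series (`Patch6000: backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch`, `Patch6001: backport-Allow-chage-domtrans-to-sssd.patch`). Keeping backports in that series makes them distinguishable from the distribution-specific add-avc-for-* patches, and, if the %prep section (outside this diff) applies patches in numeric order, keeps the upstream fixes applied together after the other backports. Consider renumbering them to the next free numbers after Patch6001, keeping the same two file names.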