diff --git a/backport-Add-domain_unix_read_all_semaphores-interface.patch b/backport-Add-domain_unix_read_all_semaphores-interface.patch
new file mode 100644
index 0000000000000000000000000000000000000000..372ea0607b8740f2e75b1bc96b79c36f27589e07
--- /dev/null
+++ b/backport-Add-domain_unix_read_all_semaphores-interface.patch
@@ -0,0 +1,39 @@
+From 0fda5d6c5ee12b642ab0f6b6503807a4731d17f4 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 11 Nov 2022 15:11:18 +0100
+Subject: [PATCH] Add domain_unix_read_all_semaphores() interface
+
+---
+ policy/modules/kernel/domain.if | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
+index 0e843721ba..2fa4393292 100644
+--- a/policy/modules/kernel/domain.if
++++ b/policy/modules/kernel/domain.if
+@@ -568,6 +568,25 @@ interface(`domain_kill_all_domains',`
+ allow $1 self:capability kill;
+ ')
+
++########################################
++##
++## Allow unix_read all domains semaphores
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`domain_unix_read_all_semaphores',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow $1 domain:sem unix_read;
++')
++
+ ########################################
+ ##
+ ## Destroy all domains semaphores
diff --git a/backport-Add-gpg_filetrans_admin_home_content-interface.patch b/backport-Add-gpg_filetrans_admin_home_content-interface.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2ed0fd7f4080f61a9c1f55478b822148f9e886ab
--- /dev/null
+++ b/backport-Add-gpg_filetrans_admin_home_content-interface.patch
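Review bot: `allow $1 domain:sem unix_read;` in the new `domain_unix_read_all_semaphores` interface is a wildcard over every type carrying the `domain` attribute, and the summary does not say so. A policy author choosing between this and a type-specific semaphore interface needs that stated up front, e.g. `## Read (unix_read) the SysV semaphores of all domains; wildcard, prefer a type-specific interface when one exists.`. The summary wording `Allow unix_read all domains semaphores` also reads awkwardly next to the neighbouring `## Destroy all domains semaphores`.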
@@ -0,0 +1,38 @@
+From 1137f639bb3cb0b7257ffe8348abbd93882ce37b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 24 Aug 2022 18:49:25 +0200
+Subject: [PATCH] Add gpg_filetrans_admin_home_content() interface
+
+---
+ policy/modules/contrib/gpg.if | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
+index 55fbfd996e..6e5aa43576 100644
+--- a/policy/modules/contrib/gpg.if
++++ b/policy/modules/contrib/gpg.if
+@@ -281,6 +281,24 @@ interface(`gpg_filetrans_home_content',`
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+ ')
+
++########################################
++##
++## Transition to gpg named admin home content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gpg_filetrans_admin_home_content',`
++ gen_require(`
++ type gpg_secret_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
++')
++
+ ########################################
+ ##
+ ## Connected to gpg_agent_t unix stream socket.
diff --git a/backport-Add-interface-to-watch-all-filesystems.patch b/backport-Add-interface-to-watch-all-filesystems.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3d5b5d7a8af5b0abd2c7f440245908443214bf88
--- /dev/null
+++ b/backport-Add-interface-to-watch-all-filesystems.patch
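Review bot: The summary `Transition to gpg named admin home content` does not say what is transitioned; the call `userdom_admin_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")` names only the `dir` class, so only the creation of the `.gnupg` directory itself in the admin home directory gets the `gpg_secret_t` label. That mirrors `gpg_filetrans_home_content` just above and looks intentional, so the summary should state it, e.g. `## Create the .gnupg directory in the admin home directory with the gpg_secret_t type.`.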
@@ -0,0 +1,39 @@
+From 972e4dbcdf87067924239db5dcc89a099298700c Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Mon, 7 Nov 2022 15:20:12 +0100
+Subject: [PATCH] Add interface to watch all filesystems
+
+Resolves: rhbz#2139363
+---
+ policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
+index d7645a534f..918bf32963 100644
+--- a/policy/modules/kernel/filesystem.if
++++ b/policy/modules/kernel/filesystem.if
+@@ -6426,6 +6426,24 @@ interface(`fs_unmount_all_fs',`
+ allow $1 filesystem_type:filesystem unmount;
+ ')
+
++########################################
++##
++## Watch all filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_watch_all_fs',`
++ gen_require(`
++ attribute filesystem_type;
++ ')
++
++ allow $1 filesystem_type:filesystem watch;
++')
++
+ ########################################
+ ##
+ ## Get the attributes of all filesystems.
diff --git a/backport-Add-journalctl-the-sys_resource-capability.patch b/backport-Add-journalctl-the-sys_resource-capability.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d8803941c9a2e3e281a26088f130e0755a0c321b
--- /dev/null
+++ b/backport-Add-journalctl-the-sys_resource-capability.patch
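Review bot: `allow $1 filesystem_type:filesystem watch;` grants the permission on every type carrying the `filesystem_type` attribute, pseudo-filesystems included, and the one-line summary `Watch all filesystems.` is the only documentation of that scope. Narrower interfaces for a single filesystem (`fs_watch_xattr_fs`, `fs_watch_tmpfs`) are added in backport-Add-watch-interfaces.patch in this same set, so a sentence steering callers to those would reduce wildcard use, e.g. `## Watch all filesystems (wildcard; prefer fs_watch_xattr_fs or fs_watch_tmpfs when one type suffices).`.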
@@ -0,0 +1,32 @@
+From ec3ee928067bfde035d3e66a936bc761f9e4b25d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 3 Feb 2023 17:20:51 +0100
+Subject: [PATCH] Add journalctl the sys_resource capability
+
+The journalctl command runs in the journalctl_t domain when executed by
+a confined user (user, staff, sysadm). When is invoked with pager,
+prctl() is called to change the process name.
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(02/02/2023 12:55:12.623:1405) : proctitle=(pager)
+type=SYSCALL msg=audit(02/02/2023 12:55:12.623:1405) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x8 a2=0x7fd1a3f52000 a3=0x0 items=0 ppid=25495 pid=25516 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=39 comm=(pager) exe=/usr/bin/journalctl subj=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(02/02/2023 12:55:12.623:1405) : avc: denied { sys_resource } for pid=25516 comm=(pager) capability=sys_resource scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=capability permissive=1
+
+Resolves: rhbz#2136189
+---
+ policy/modules/contrib/journalctl.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/journalctl.te b/policy/modules/contrib/journalctl.te
+index 5b4329c800..b22b6a7130 100644
+--- a/policy/modules/contrib/journalctl.te
++++ b/policy/modules/contrib/journalctl.te
+@@ -18,6 +18,7 @@ role journalctl_roles types journalctl_t;
+ #
+ # journalctl local policy
+ #
++allow journalctl_t self:capability sys_resource;
+ allow journalctl_t self:process { fork setrlimit signal_perms };
+
+ allow journalctl_t self:fifo_file manage_fifo_file_perms;
diff --git a/backport-Add-support-for-samba-dcerpcd.patch b/backport-Add-support-for-samba-dcerpcd.patch
new file mode 100644
index 0000000000000000000000000000000000000000..50fcd1c19d11f694a5a508c096f67dbd1c4744b6
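Review bot: `allow journalctl_t self:capability sys_resource;` is an unconditional grant of CAP_SYS_RESOURCE, which covers considerably more than the `prctl(PR_SET_MM)` process-name change the message cites (rlimit and quota overrides among others), and the quoted record was taken with `permissive=1`, so it is not shown whether the pager actually fails when the call is refused. If the rename is best-effort, `dontaudit journalctl_t self:capability sys_resource;` would silence the denial without widening the domain; confirm against rhbz#2136189 before backporting. Either way a why-comment on the line, `# prctl(PR_SET_MM) issued by the journalctl pager, rhbz#2136189`, would keep the reason next to the rule.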
--- /dev/null
+++ b/backport-Add-support-for-samba-dcerpcd.patch
@@ -0,0 +1,131 @@ +From 7367896085db099d956d666b94601fa9fc9df92a Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 1 Jun 2022 12:55:02 +0200 +Subject: [PATCH] Add support for samba-dcerpcd + +New samba-dcerpcd binary is shipped with samba-4.16 (refer to +https://www.samba.org/samba/history/samba-4.16.0.html) to break out +the DCERPC services from smbd. samba-dcerpcd can be invoked on demand +from smbd or "winbind --np-helper" to serve DCERPC over named pipes, +or in a standalone mode, started separately from smbd or winbind, +but this requires changes to system startup scripts. + +This commit bring SELinux support for the breakout with a new +winbind_rpcd_t type. + +Resolves: rhbz#2083511 +--- + policy/modules/contrib/samba.fc | 3 +++ + policy/modules/contrib/samba.if | 19 +++++++++++++ + policy/modules/contrib/samba.te | 47 +++++++++++++++++++++++++++++++++ + 3 files changed, 69 insertions(+) + +diff --git a/policy/modules/contrib/samba.fc b/policy/modules/contrib/samba.fc +index a93346efee..873b3091b8 100644 +--- a/policy/modules/contrib/samba.fc ++++ b/policy/modules/contrib/samba.fc +@@ -18,6 +18,9 @@ + /usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) + /usr/lib/systemd/system/winbind.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) + ++/usr/libexec/samba/rpcd_lsad -- gen_context(system_u:object_r:winbind_rpcd_exec_t,s0) ++/usr/libexec/samba/samba-dcerpcd -- gen_context(system_u:object_r:winbind_rpcd_exec_t,s0) ++ + /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) + /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) + /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0) +diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if +index 0366038a90..80244a4360 100644 +--- a/policy/modules/contrib/samba.if ++++ b/policy/modules/contrib/samba.if +@@ -1080,3 +1080,22 @@ interface(`samba_admin',` + admin_pattern($1, 
samba_unit_file_t) + allow $1 samba_unit_file_t:service all_service_perms; + ') ++ ++######################################## ++## ++## Execute winbind rpcd in the winbind_rpcd_t domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`samba_domtrans_winbind_rpcd',` ++ gen_require(` ++ type winbind_rpcd_t, winbind_rpcd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, winbind_rpcd_exec_t, winbind_rpcd_t) ++') +diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te +index 60767f430f..03b49cba42 100644 +--- a/policy/modules/contrib/samba.te ++++ b/policy/modules/contrib/samba.te +@@ -176,9 +176,17 @@ role system_r types winbind_helper_t; + type winbind_helper_exec_t; + domain_entry_file(winbind_helper_t, winbind_helper_exec_t) + ++type winbind_rpcd_t; ++type winbind_rpcd_exec_t; ++application_domain(winbind_rpcd_t, winbind_rpcd_exec_t) ++role system_r types winbind_rpcd_t; ++ + type winbind_log_t; + logging_log_file(winbind_log_t) + ++type winbind_rpcd_var_run_t; ++files_pid_file(winbind_rpcd_var_run_t) ++ + type winbind_var_run_t; + files_pid_file(winbind_var_run_t) + +@@ -1151,6 +1159,45 @@ optional_policy(` + squid_rw_stream_sockets(winbind_helper_t) + ') + ++######################################## ++# ++# Winbind-rpcd local policy ++# ++ ++allow winbind_rpcd_t self:capability { setgid setuid }; ++allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms; ++allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow winbind_rpcd_t self:udp_socket create_socket_perms; ++ ++allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans; ++ ++read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t) ++ ++manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t) ++files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file }) ++manage_dirs_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t) 
++manage_sock_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
++
++manage_files_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
++
++manage_dirs_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
++manage_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
++manage_sock_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
++allow winbind_rpcd_t samba_var_t:file { map } ;
++
++corecmd_exec_bin(winbind_rpcd_t)
++
++optional_policy(`
++ auth_read_passwd_file(winbind_rpcd_t)
++')
++
++# interactions with smbd_t/winbind_t
++allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
++allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;
++
++samba_domtrans_winbind_rpcd(smbd_t)
++samba_domtrans_winbind_rpcd(winbind_t)
++
+ ########################################
+ #
+ # samba_unconfined_script_t local policy
diff --git a/backport-Add-the-kernel_read_proc_files-interface.patch b/backport-Add-the-kernel_read_proc_files-interface.patch
new file mode 100644
index 0000000000000000000000000000000000000000..77fcff6994573ad2a21445a20fd93ac6d6f22cae
--- /dev/null
+++ b/backport-Add-the-kernel_read_proc_files-interface.patch
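Review bot: `type winbind_rpcd_var_run_t` is declared and is only reached through `files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })`; the samba.fc hunk adds entries for the two executables but none for the runtime directory, so the label exists only while the daemon creates it and a relabel (restorecon) would presumably reset it to the /run default — a `.fc` entry for the directory the daemon creates would make it stable. `allow winbind_rpcd_t samba_var_t:file { map } ;` should be written `allow winbind_rpcd_t samba_var_t:file map;` to match the surrounding rules. `allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;` deserves a why-comment (presumably samba-dcerpcd re-executes itself or rpcd_lsad without a domain change — confirm), since it is the rule that keeps the helper in the same domain. The outer hunk for this .patch file starts in the earlier part of the page, before `samba_unit_file_t)`.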
@@ -0,0 +1,38 @@
+From 0d41bd657e613657b01f75645b6168cf5987e387 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 23 Jun 2022 20:49:49 +0200
+Subject: [PATCH] Add the kernel_read_proc_files() interface
+
+---
+ policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 75623cf38f..8a83ed511d 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -1112,6 +1112,24 @@ interface(`kernel_getattr_proc_files',`
+ getattr_files_pattern($1, proc_t, proc_t)
+ ')
+
++########################################
++##
++## Read generic files in /proc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_read_proc_files',`
++ gen_require(`
++ type proc_t;
++ ')
++
++ read_files_pattern($1, proc_t, proc_t)
++')
++
+ ########################################
+ ##
+ ## Read generic symbolic links in /proc.
diff --git a/backport-Add-userdom_view_all_users_keys-interface.patch b/backport-Add-userdom_view_all_users_keys-interface.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f5bd6a62a26736fe27fb1124fb3c819a8b5ee2db
--- /dev/null
+++ b/backport-Add-userdom_view_all_users_keys-interface.patch
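Review bot: The summary `Read generic files in /proc.` should say that only files labelled `proc_t` are covered; `read_files_pattern($1, proc_t, proc_t)` grants nothing on sysctl entries (e.g. `sysctl_net_t`, seen in the cups-lpd patches of this set) or on per-process entries, which presumably carry their own types in kernel.if — confirm. A second line such as `## Covers only the proc_t type; sysctl and per-process entries need their own interfaces.` would keep callers from expecting this to fix denials on those.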
@@ -0,0 +1,38 @@
+From e37087d58b6422d0d90e321d9172cf396186fa46 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 24 Aug 2022 15:47:25 +0200
+Subject: [PATCH] Add userdom_view_all_users_keys() interface
+
+---
+ policy/modules/system/userdomain.if | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index 97c27a957a..d23f2ce305 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -4811,6 +4811,24 @@ interface(`userdom_read_all_users_keys',`
+ allow $1 userdomain:key read;
+ ')
+
++########################################
++##
++## View keys for all user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_view_all_users_keys',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:key view;
++')
++
+ ########################################
+ ##
+ ## Write keys for all user domains.
diff --git a/backport-Add-watch-interfaces.patch b/backport-Add-watch-interfaces.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b376bba15b832b7813633092e24a622f9b485754
--- /dev/null
+++ b/backport-Add-watch-interfaces.patch
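Review bot: `allow $1 userdomain:key view;` is a wildcard over every user domain's keyrings, and the summary `View keys for all user domains.` does not distinguish it from the neighbouring `userdom_read_all_users_keys`; `view` lets the caller see a key's description and attributes but not its payload, which is exactly the distinction a policy author needs when choosing between the two. Suggest `## View (describe) keys of all user domains; does not grant reading key payloads.`.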
@@ -0,0 +1,64 @@
+From 01197e1c606be4b55b1b0551c8f8856bcb8c13f8 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 3 Nov 2022 11:27:49 +0100
+Subject: [PATCH] Add watch interfaces
+
+Add interfacecs that allow watch filesystem.
+---
+ policy/modules/kernel/filesystem.if | 36 +++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
+index 2c1fdd7150..bb2f077f6d 100644
+--- a/policy/modules/kernel/filesystem.if
++++ b/policy/modules/kernel/filesystem.if
+@@ -264,6 +264,24 @@ interface(`fs_relabelfrom_xattr_fs',`
+ allow $1 fs_t:filesystem relabelfrom;
+ ')
+
++########################################
++##
++## Watch filesystem with extended attributes
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_watch_xattr_fs',`
++ gen_require(`
++ type fs_t;
++ ')
++
++ allow $1 fs_t:filesystem watch;
++')
++
+ ########################################
+ ##
+ ## Get the filesystem quotas of a filesystem
+@@ -5274,6 +5292,24 @@ interface(`fs_mount_tmpfs',`
+ allow $1 tmpfs_t:filesystem mount;
+ ')
+
++########################################
++##
++## Watch a tmpfs filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_watch_tmpfs',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ allow $1 tmpfs_t:filesystem watch;
++')
++
+ ########################################
+ ##
+ ## Dontaudit remount a tmpfs filesystem.
diff --git a/backport-Add-watch_sb-interfaces.patch b/backport-Add-watch_sb-interfaces.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4dc6c3f419f71642242f9ed84316067fdebf048c
--- /dev/null
+++ b/backport-Add-watch_sb-interfaces.patch
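Review bot: The summary `## Watch filesystem with extended attributes` in the first hunk is missing the article and the full stop that the second hunk's `## Watch a tmpfs filesystem.` and the rest of filesystem.if use; `## Watch a filesystem with extended attributes.` keeps the two new interfaces consistent. Both interfaces are otherwise shaped exactly like the `fs_relabelfrom_xattr_fs` / `fs_mount_tmpfs` neighbours they sit beside.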
@@ -0,0 +1,155 @@
+From a65d7a6e589268afc80c871450423c82aeab530a Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 3 Nov 2022 11:33:59 +0100
+Subject: [PATCH] Add watch_sb interfaces
+
+Add interafaces that allow watch_sb user temporary directories,
+tmpfs directories, boot and root directories.
+Create watch_sb_dirs_pattern and watch_sb_dir_perms
+---
+ policy/modules/kernel/files.if | 36 +++++++++++++++++++++++++++++
+ policy/modules/kernel/filesystem.if | 18 +++++++++++++++
+ policy/modules/system/userdomain.if | 18 +++++++++++++++
+ policy/support/file_patterns.spt | 4 ++++
+ policy/support/obj_perm_sets.spt | 1 +
+ 5 files changed, 77 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 046db519bb..eb9e6e032c 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -2560,6 +2560,24 @@ interface(`files_write_root_dirs',`
+ allow $1 root_t:dir write;
+ ')
+
++########################################
++##
++## Watch_sb root directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_watch_sb_root_dirs', `
++ gen_require(`
++ type root_t;
++ ')
++
++ watch_sb_dirs_pattern($1, root_t, root_t)
++')
++
+ ########################################
+ ##
+ ## Do not audit attempts to write to / dirs.
+@@ -3089,6 +3107,24 @@ interface(`files_watch_boot_dirs',`
+ allow $1 boot_t:dir watch_dir_perms;
+ ')
+
++########################################
++##
++## Watch_sb boot directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_watch_sb_boot_dirs', `
++ gen_require(`
++ type boot_t;
++ ')
++
++ watch_sb_dirs_pattern($1, boot_t, boot_t)
++')
++
+ ########################################
+ ##
+ ## Watch_mount directories in /boot.
+diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
+index bb2f077f6d..d7645a534f 100644
+--- a/policy/modules/kernel/filesystem.if
++++ b/policy/modules/kernel/filesystem.if
+@@ -5400,6 +5400,24 @@ interface(`fs_mounton_tmpfs', `
+ allow $1 tmpfs_t:dir mounton;
+ ')
+
++########################################
++##
++## Watch_sb tmpfs directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_watch_sb_tmpfs', `
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ watch_sb_dirs_pattern($1, tmpfs_t, tmpfs_t)
++')
++
+ ########################################
+ ##
+ ## Get the attributes of a tmpfs
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index e8817429b2..62bc19c654 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -347,6 +347,24 @@ interface(`userdom_watch_tmp_dirs',`
+ watch_dirs_pattern($1, user_tmp_t, user_tmp_t)
+ ')
+
++#######################################
++##
++## Watch_sb user temporary directories
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_watch_sb_tmp_dirs',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ watch_sb_dirs_pattern($1, user_tmp_t, user_tmp_t)
++')
++
+ #######################################
+ ##
+ ## Watch_mount user temporary directories
+diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
+index c832c0dab0..57581a8573 100644
+--- a/policy/support/file_patterns.spt
++++ b/policy/support/file_patterns.spt
+@@ -88,6 +88,10 @@ define(`watch_reads_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir watch_reads_dir_perms;
+ ')
++define(`watch_sb_dirs_pattern',`
++ allow $1 $2:dir search_dir_perms;
++ allow $1 $3:dir watch_sb_dir_perms;
++')
+ define(`watch_with_perm_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir watch_with_perm_dir_perms;
+diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
+index 85283eb1e5..c76a77fac9 100644
+--- a/policy/support/obj_perm_sets.spt
++++ b/policy/support/obj_perm_sets.spt
+@@ -149,6 +149,7 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
+ define(`watch_dir_perms',`{ getattr watch }')
+ define(`watch_mount_dir_perms',`{ getattr watch_mount }')
+ define(`watch_reads_dir_perms',`{ getattr watch_reads }')
++define(`watch_sb_dir_perms',`{ getattr watch_sb }')
+ define(`watch_with_perm_dir_perms',`{ getattr watch_with_perm }')
+
+ #
diff --git a/backport-Add-winbind-rpcd-to-samba_enable_home_dirs-boolean.patch b/backport-Add-winbind-rpcd-to-samba_enable_home_dirs-boolean.patch
new file mode 100644
index 0000000000000000000000000000000000000000..459676193969cbc347640575689dadf589e1b652
--- /dev/null
+++ b/backport-Add-winbind-rpcd-to-samba_enable_home_dirs-boolean.patch
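Review bot: `interface(`files_watch_sb_root_dirs', `` and `interface(`files_watch_sb_boot_dirs', `` and `interface(`fs_watch_sb_tmpfs', `` put a space between the comma and the opening quote, unlike `userdom_watch_sb_tmp_dirs',`` in this same patch and every neighbouring interface; `interface(`files_watch_sb_root_dirs',`` is the established form. The four summaries (`Watch_sb root directories.` etc.) repeat the permission name without saying what it grants; one expansion such as `## Set a superblock-wide (watch_sb) watch on root directories.` on each would help — this is presumably the filesystem-wide fanotify mark permission, confirm before wording it. The new `watch_sb_dirs_pattern` and `watch_sb_dir_perms` definitions are correctly slotted alphabetically between their `watch_reads_*` and `watch_with_perm_*` siblings.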
@@ -0,0 +1,37 @@
+From 480a1932eff8ba74e9373c1e7ba9a9d5f8c2d559 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Mon, 10 Oct 2022 16:45:20 +0200
+Subject: [PATCH] Add winbind-rpcd to samba_enable_home_dirs boolean
+
+Update samba_enable_home_dirs boolean to Allow winbind-rpcd to share users home directories.
+
+SELinux denials appeared, when users configured home directory share in the smb.conf.
+
+type=AVC msg=audit(1661934914.346:360): avc: denied { read } for pid=4587 comm="samba-dcerpcd" path="/home/xx/Documents/xx" dev="dm-2" ino=21627745 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
+
+Resolves: bz#2122904
+---
+ policy/modules/contrib/samba.te | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 227c22516d..2280531046 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -40,7 +40,7 @@ gen_tunable(samba_portmapper, false)
+
+ ##
+ ##

+-## Allow samba to share users home directories.
++## Allow samba and winbind-rpcd to share users home directories.
+ ##

+ ##
+ gen_tunable(samba_enable_home_dirs, false)
+@@ -475,6 +475,7 @@ tunable_policy(`samba_domain_controller',`
+
+ tunable_policy(`samba_enable_home_dirs',`
+ userdom_manage_user_home_content(smbd_t)
++ userdom_manage_user_home_content(winbind_rpcd_t)
+ ')
+
+ optional_policy(`
diff --git a/backport-Allow-aide-to-connect-to-systemd_machined-with-a-unix-socket.patch b/backport-Allow-aide-to-connect-to-systemd_machined-with-a-unix-socket.patch
new file mode 100644
index 0000000000000000000000000000000000000000..eb6fcbbb62ee8c7f19547e9d7159f852e8096d36
--- /dev/null
+++ b/backport-Allow-aide-to-connect-to-systemd_machined-with-a-unix-socket.patch
@@ -0,0 +1,22 @@
+From 63ba7c49db91e64e2a37c4d4c58959dd2d9c1c89 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Mon, 10 Oct 2022 11:45:30 +0200
+Subject: [PATCH] Allow aide to connect to systemd_machined with a unix socket.
+
+Resolves: bz#2062936
+---
+ policy/modules/contrib/aide.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/aide.te b/policy/modules/contrib/aide.te
+index 05ae4ad2ed..670aa96f8b 100644
+--- a/policy/modules/contrib/aide.te
++++ b/policy/modules/contrib/aide.te
+@@ -64,6 +64,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ systemd_machined_stream_connect(aide_t)
+ systemd_userdbd_stream_connect(aide_t)
+ ')
+
diff --git a/backport-Allow-apcupsd-dbus-chat-with-systemd-logind.patch b/backport-Allow-apcupsd-dbus-chat-with-systemd-logind.patch
new file mode 100644
index 0000000000000000000000000000000000000000..31e5c5f61959311e58808f3defadaec4bb7359b6
--- /dev/null
+++ b/backport-Allow-apcupsd-dbus-chat-with-systemd-logind.patch
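Review bot: `userdom_manage_user_home_content(winbind_rpcd_t)` grants create, write and delete on all user home content, while the only evidence in the message is a `read` denial on a `user_home_t` directory from `samba-dcerpcd`. Mirroring the existing `smbd_t` line keeps the boolean consistent, but it also extends the full-manage footprint to a second domain; if the rpcd only ever serves reads on behalf of smbd, a read-only userdom home-content interface under the same tunable would be tighter. Worth confirming the daemon's actual access pattern against bz#2122904 before backporting. The samba.te hunk this belongs to begins in the earlier part of the page.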
@@ -0,0 +1,30 @@
+From d38bb2e165ea780ef87588c1fdf1af23b6d332bf Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 3 Jan 2023 20:04:50 +0100
+Subject: [PATCH] Allow apcupsd dbus chat with systemd-logind
+
+The permission is required in case of a power outage when apcupsd wants
+to initiate a shutdown.
+
+Addresses the following USER_AVC denial:
+
+Dec 29 08:41:25 hostname audit[516]: USER_AVC pid=516 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=0#012 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
+
+Resolves: rhbz#2157175
+---
+ policy/modules/contrib/apcupsd.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
+index 4ea8ba6f87..49ecadfc7c 100644
+--- a/policy/modules/contrib/apcupsd.te
++++ b/policy/modules/contrib/apcupsd.te
+@@ -112,6 +112,8 @@ logging_send_syslog_msg(apcupsd_t)
+
+ sysnet_dns_name_resolve(apcupsd_t)
+
++systemd_dbus_chat_logind(apcupsd_t)
++
+ userdom_use_inherited_user_ttys(apcupsd_t)
+
+ optional_policy(`
diff --git a/backport-Allow-chronyc-read-and-write-generic-pty-type.patch b/backport-Allow-chronyc-read-and-write-generic-pty-type.patch
new file mode 100644
index 0000000000000000000000000000000000000000..98ed58c8d0f86927837c6be7d0b94d789d24052e
--- /dev/null
+++ b/backport-Allow-chronyc-read-and-write-generic-pty-type.patch
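Review bot: `systemd_dbus_chat_logind(apcupsd_t)` is placed at top level, whereas the other `systemd_*` calls in this backport set (the aide.te hunk) sit inside `optional_policy(`)`; if systemd is an optional module in this tree the call should be wrapped the same way, otherwise the module fails to build without it. A `*_dbus_chat_*` interface conventionally allows `send_msg` in both directions, while the quoted USER_AVC shows only apcupsd → logind; the chat idiom is the usual choice for logind clients, but a why-comment such as `# initiate a shutdown via logind on power loss, rhbz#2157175` would record why the bidirectional grant is wanted.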
@@ -0,0 +1,26 @@
+From 822a150f673b5d376d077777d0bb41cbd3352c6b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 22 Aug 2022 12:44:49 +0200
+Subject: [PATCH] Allow chronyc read and write generic pty type
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(22.08.2022 11:35:41.535:261) : proctitle=/usr/bin/chronyc sources
+type=EXECVE msg=audit(22.08.2022 11:35:41.535:261) : argc=2 a0=/usr/bin/chronyc a1=sources
+type=SYSCALL msg=audit(22.08.2022 11:35:41.535:261) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffeb8105f8f a1=0x7ffeb81049e8 a2=0x7ffeb8104a00 a3=0x8 items=0 ppid=3294 pid=3295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chronyc exe=/usr/bin/chronyc subj=system_u:system_r:chronyc_t:s0 key=(null)
+type=AVC msg=audit(22.08.2022 11:35:41.535:261) : avc: denied { read write } for pid=3295 comm=chronyc path=/dev/pts/1 dev="devpts" ino=4 scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
+---
+ policy/modules/contrib/chronyd.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
+index 342735bc0c..3c69b3ddd6 100644
+--- a/policy/modules/contrib/chronyd.te
++++ b/policy/modules/contrib/chronyd.te
+@@ -237,3 +237,7 @@ userdom_users_dgram_send(chronyc_t)
+ optional_policy(`
+ nscd_shm_use(chronyc_t)
+ ')
++
++optional_policy(`
++ term_use_generic_ptys(chronyc_t)
++')
diff --git a/backport-Allow-chronyd-send-and-receive-chronyd-ntp-client-packets.patch b/backport-Allow-chronyd-send-and-receive-chronyd-ntp-client-packets.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e0a9275e5bd9d21c5202baf42ac6bffffc2c536a
--- /dev/null
+++ b/backport-Allow-chronyd-send-and-receive-chronyd-ntp-client-packets.patch
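Review bot: `term_use_generic_ptys(chronyc_t)` is wrapped in `optional_policy(`)`, but the terminal interfaces belong to the kernel layer that is always present, so the wrapper is unnecessary and inconsistent with the unwrapped `userdom_users_dgram_send(chronyc_t)` shown as the hunk's context; the bare call placed with the other term/userdom rules would be the usual form. The rule also grants read/write on every `devpts_t` pty, not just one inherited from the invoking user; the quoted denial (`tty=(none)`, `path=/dev/pts/1`) is consistent with an inherited generic pty, so this is the established answer, but a why-comment naming that case would keep the reason with the rule.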
@@ -0,0 +1,35 @@
+From b876228279a2e75b59a180ee876956aebb167376 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 22 Aug 2022 10:41:49 +0200
+Subject: [PATCH] Allow chronyd send and receive chronyd/ntp client packets
+
+These permissions are required when packets tagging following
+/usr/share/doc/nftables/examples/secmark.nft is enabled.
+
+Addresses the following AVC denial:
+type=AVC msg=audit(1661030515.019:1079): avc: denied { send } for pid=973 comm="chronyd" saddr=10.224.122.55 src=51686 daddr=10.25.28.124 dest=123 netif=eth0 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:ntp_client_packet_t:s0 tclass=packet permissive=0
+
+and a similar one for chronyd_client_packet_t.
+
+Resolves: rhbz#2120016
+---
+ policy/modules/contrib/chronyd.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
+index 165e311002..16ce14d97b 100644
+--- a/policy/modules/contrib/chronyd.te
++++ b/policy/modules/contrib/chronyd.te
+@@ -106,10 +106,12 @@ corenet_udp_sendrecv_generic_node(chronyd_t)
+ corenet_udp_bind_generic_node(chronyd_t)
+
+ corenet_sendrecv_ntp_server_packets(chronyd_t)
++corenet_sendrecv_ntp_client_packets(chronyd_t)
+ corenet_udp_bind_ntp_port(chronyd_t)
+ corenet_udp_sendrecv_ntp_port(chronyd_t)
+
+ corenet_sendrecv_chronyd_server_packets(chronyd_t)
++corenet_sendrecv_chronyd_client_packets(chronyd_t)
+ corenet_udp_bind_chronyd_port(chronyd_t)
+ corenet_udp_sendrecv_chronyd_port(chronyd_t)
+
diff --git a/backport-Allow-cups-lpd-read-network-sysctls-1.patch b/backport-Allow-cups-lpd-read-network-sysctls-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5791f16f25dbe092a67f1e732139817cb4d4d563
--- /dev/null
+++ b/backport-Allow-cups-lpd-read-network-sysctls-1.patch
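Review bot: The two new `corenet_sendrecv_*_client_packets(chronyd_t)` rules only matter when SECMARK packet labelling is in use, as the message says, but nothing in chronyd.te records that; a reader seeing server-and-client packet grants side by side will wonder why a server needs both. A one-line comment above the first, `# client packet types are seen when SECMARK labelling (e.g. secmark.nft) is enabled, rhbz#2120016`, would carry the justification into the policy file.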
@@ -0,0 +1,23 @@
+From 9cb8de3f5d06e2624d728b97ab23d08321b0ad9a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 30 Jun 2022 00:31:16 +0200
+Subject: [PATCH] Allow cups-lpd read network sysctls
+
+Addresses the following AVC denial:
+type=AVC msg=audit(06/29/2022 20:27:06.595:8551) : avc: denied { search } for pid=119379 comm=cups-lpd name=net dev="proc" ino=14928 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
+---
+ policy/modules/contrib/cups.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
+index 4f8958d1e0..34618c2d5d 100644
+--- a/policy/modules/contrib/cups.te
++++ b/policy/modules/contrib/cups.te
+@@ -562,6 +562,7 @@ read_sock_files_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t)
+ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+
+ kernel_read_kernel_sysctls(cupsd_lpd_t)
++kernel_read_net_sysctls(cupsd_lpd_t)
+ kernel_read_system_state(cupsd_lpd_t)
+
+ corenet_all_recvfrom_netlabel(cupsd_lpd_t)
diff --git a/backport-Allow-cups-lpd-read-network-sysctls.patch b/backport-Allow-cups-lpd-read-network-sysctls.patch
new file mode 100644
index 0000000000000000000000000000000000000000..796835c07253136e5019e641412c466ae0bfd2ba
--- /dev/null
+++ b/backport-Allow-cups-lpd-read-network-sysctls.patch
@@ -0,0 +1,26 @@
+From 72220928592011263bc7e0ed291f33ca3560283d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 23 Jun 2022 15:34:01 +0200
+Subject: [PATCH] Allow cups-lpd read network sysctls
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(05/18/2022 19:31:33.481:8879) : proctitle=/usr/lib/cups/daemon/cups-lpd
+type=PATH msg=audit(05/18/2022 19:31:33.481:8879) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(05/18/2022 19:31:33.481:8879) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fff5c8c3290 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=124314 auid=unset uid=lp gid=lp euid=lp suid=lp fsuid=lp egid=lp sgid=lp fsgid=lp tty=(none) ses=unset comm=cups-lpd exe=/usr/lib/cups/daemon/cups-lpd subj=system_u:system_r:cupsd_lpd_t:s0 key=(null)
+type=AVC msg=audit(05/18/2022 19:31:33.481:8879) : avc: denied { search } for pid=124314 comm=cups-lpd name=net dev="proc" ino=14920 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
+---
+ policy/modules/contrib/cups.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
+index 622702ddfe..4f8958d1e0 100644
+--- a/policy/modules/contrib/cups.te
++++ b/policy/modules/contrib/cups.te
+@@ -647,6 +647,7 @@ files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { dir file })
+
+ fs_search_auto_mountpoints(cups_pdf_t)
+
++kernel_read_net_sysctls(cups_pdf_t)
+ kernel_read_system_state(cups_pdf_t)
+
+ auth_use_nsswitch(cups_pdf_t)
diff --git a/backport-Allow-dhcpd-bpf-capability-to-run-bpf-programs.patch b/backport-Allow-dhcpd-bpf-capability-to-run-bpf-programs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6c6f3664421d0a9cc34967a57079d9136eefe792
--- /dev/null
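Review bot: The added rule is `kernel_read_net_sysctls(cups_pdf_t)`, but the subject and the quoted AVC (`comm=cups-lpd`, `scontext=system_u:system_r:cupsd_lpd_t:s0`) are about `cupsd_lpd_t`; nothing in this message justifies widening the cups-pdf backend, and the cups-lpd fix itself only arrives in the follow-up `backport-Allow-cups-lpd-read-network-sysctls-1.patch` in this same set. Either this patch should be dropped from the backport or its message should cite a cups_pdf_t denial; as written it grants a domain access that its own evidence does not call for.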
+++ b/backport-Allow-dhcpd-bpf-capability-to-run-bpf-programs.patch
@@ -0,0 +1,22 @@
+From 193883f3bcfb64143f5ae6754021d0f4d7bfa16d Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 27 Oct 2022 15:06:35 +0200
+Subject: [PATCH] Allow dhcpd bpf capability to run bpf programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/contrib/dhcp.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
+index dab0abe4cb..67c865926b 100644
+--- a/policy/modules/contrib/dhcp.te
++++ b/policy/modules/contrib/dhcp.te
+@@ -39,6 +39,7 @@ files_pid_file(dhcpd_var_run_t)
+
+ allow dhcpd_t self:capability { chown dac_read_search dac_override fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource };
+ dontaudit dhcpd_t self:capability { net_admin sys_admin sys_tty_config };
++allow dhcpd_t self:capability2 bpf;
+ allow dhcpd_t self:process { getcap setcap signal_perms };
+ allow dhcpd_t self:fifo_file rw_fifo_file_perms;
+ allow dhcpd_t self:tcp_socket { accept listen };
diff --git a/backport-Allow-dirsrv_snmp_t-to-manage-dirsrv_config_t-dirsrv_var_run_t-files.patch b/backport-Allow-dirsrv_snmp_t-to-manage-dirsrv_config_t-dirsrv_var_run_t-files.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bdc09ea3ee735d5b57a313f04988c60dfc162b05
--- /dev/null
+++ b/backport-Allow-dirsrv_snmp_t-to-manage-dirsrv_config_t-dirsrv_var_run_t-files.patch
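Review bot: `allow dhcpd_t self:capability2 bpf;` grants CAP_BPF with no accompanying `bpf` object-class rule (`prog_load`, `map_create`), which a real program load would also need; that combination suggests the denial in rhbz#2134827 may come from a capability probe at start-up rather than an actual load, in which case `dontaudit dhcpd_t self:capability2 bpf;` is the tighter fix — confirm against the audit log in the bug, which the message does not quote. The same question applies to `allow fprintd_t self:capability2 { bpf wake_alarm };` in backport-Allow-fprintd-bpf-capability-to-run-bpf-programs.patch, which cites the same bug. Whichever form is kept, a why-comment on the line would keep the reason with the rule.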
@@ -0,0 +1,29 @@
+From 8479a8400fe1b7583814356e74e9cf1c35da1dd9 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 27 Oct 2022 16:34:31 +0200
+Subject: [PATCH] Allow dirsrv_snmp_t to manage dirsrv_config_t &
+ dirsrv_var_run_t files
+
+Allow LDAP-agent to manage files in directories /etc/dirsrv/ and /var/run/dirsrv.
+
+Resolves: rhbz#2042515
+---
+ policy/modules/contrib/dirsrv.te | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/policy/modules/contrib/dirsrv.te b/policy/modules/contrib/dirsrv.te
+index feeea4467f..9865382c87 100644
+--- a/policy/modules/contrib/dirsrv.te
++++ b/policy/modules/contrib/dirsrv.te
+@@ -189,9 +189,9 @@ allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
+ 
+ rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+ 
+-read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
++manage_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+ 
+-read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
++manage_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
+ 
+ manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
+ files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
diff --git a/backport-Allow-fprintd-bpf-capability-to-run-bpf-programs.patch b/backport-Allow-fprintd-bpf-capability-to-run-bpf-programs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fbee3ef7fba1a7f1ff545f8dd64f527b2789d942
--- /dev/null
+++ b/backport-Allow-fprintd-bpf-capability-to-run-bpf-programs.patch
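Review bot: Widening `read_files_pattern` to `manage_files_pattern` on `dirsrv_config_t` lets the SNMP agent create, write, rename and unlink every file under /etc/dirsrv, i.e. the LDAP server's own configuration, while the commit message names only the directories and not the file the agent needs to write. If it is a single state or socket file, a dedicated type, or a filetrans into `dirsrv_snmp_var_run_t` which the agent already manages two lines below, would keep the server configuration read-only to the agent; if only in-place writes are needed, `rw_files_pattern`, already used in this hunk for dirsrv_tmpfs_t, is narrower than manage. At minimum the message should name the file and the denial that motivated the broader pattern.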
@@ -0,0 +1,23 @@
+From d3a62f953b580565068ada2f73968ccaaab80a7f Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 27 Oct 2022 14:04:55 +0200
+Subject: [PATCH] Allow fprintd bpf capability to run bpf programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/contrib/fprintd.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/fprintd.te b/policy/modules/contrib/fprintd.te
+index 7826990a3d..7a48e69eb4 100644
+--- a/policy/modules/contrib/fprintd.te
++++ b/policy/modules/contrib/fprintd.te
+@@ -22,7 +22,7 @@ files_tmp_file(fprintd_tmp_t)
+ #
+ 
+ allow fprintd_t self:capability { sys_admin sys_nice };
+-allow fprintd_t self:capability2 wake_alarm;
++allow fprintd_t self:capability2 { bpf wake_alarm };
+ allow fprintd_t self:process { getsched setsched signal sigkill };
+ allow fprintd_t self:fifo_file rw_fifo_file_perms;
+ allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;
diff --git a/backport-Allow-ftpd-map-ftpd_var_run-files.patch b/backport-Allow-ftpd-map-ftpd_var_run-files.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e805591659c683028fbb830c7e8d276207055573
--- /dev/null
+++ b/backport-Allow-ftpd-map-ftpd_var_run-files.patch
@@ -0,0 +1,22 @@
+From 58294166420c372e9788b9c0308b1240dbad0c60 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 6 Oct 2022 18:30:58 +0200
+Subject: [PATCH] Allow ftpd map ftpd_var_run files
+
+Resolves: bz#2124943
+---
+ policy/modules/contrib/ftp.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
+index ad80f16496..5edd00839f 100644
+--- a/policy/modules/contrib/ftp.te
++++ b/policy/modules/contrib/ftp.te
+@@ -161,6 +161,7 @@ manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+ manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+ 
++allow ftpd_t ftpd_var_run_t:file map;
+ manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+ manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+ manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
diff --git a/backport-Allow-gpg-read-and-write-generic-pty-type.patch b/backport-Allow-gpg-read-and-write-generic-pty-type.patch
new file mode 100644
index 0000000000000000000000000000000000000000..674e02e08883223c1849e0be4655ae4563526471
--- /dev/null
+++ b/backport-Allow-gpg-read-and-write-generic-pty-type.patch
@@ -0,0 +1,21 @@
+From 0df5ce75a40e9bfe51995d7b11dd9441c9061a1f Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 24 Aug 2022 13:49:23 +0200
+Subject: [PATCH] Allow gpg read and write generic pty type
+
+---
+ policy/modules/contrib/gpg.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
+index 7f96408265..24ce9b7915 100644
+--- a/policy/modules/contrib/gpg.te
++++ b/policy/modules/contrib/gpg.te
+@@ -156,6 +156,7 @@ logging_send_syslog_msg(gpg_t)
+ miscfiles_map_generic_certs(gpg_t)
+ 
+ term_search_ptys(gpg_t)
++term_use_generic_ptys(gpg_t)
+ 
+ userdom_use_inherited_user_terminals(gpg_t)
+ # sign/encrypt user files
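Review bot: `term_use_generic_ptys(gpg_t)` in the gpg hunk is added with an empty commit body, no denial and no rationale, and it grants read/write on any generic `devpts_t` pty rather than the caller's own terminal, which `userdom_use_inherited_user_terminals(gpg_t)` two lines below already covers. If the trigger is gpg or pinentry running on a pty that was never relabeled to a user pty type (a service or container context, presumably), saying so would justify the broader rule; otherwise the existing inherited-terminal access may suffice. A short note such as `# pinentry on ptys not relabeled to a user pty type; see <bug-id — fill in>` next to the rule would give the next reviewer the missing context.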
diff --git a/backport-Allow-journalctl-relabel-with-var_log_t-and-syslogd_.patch b/backport-Allow-journalctl-relabel-with-var_log_t-and-syslogd_.patch
new file mode 100644
index 0000000000000000000000000000000000000000..15028c26521d6959351af4966e63654de5cad333
--- /dev/null
+++ b/backport-Allow-journalctl-relabel-with-var_log_t-and-syslogd_.patch
@@ -0,0 +1,42 @@
+From b9d573e4cd9dc7ca4283488e166e83250c434a63 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 13 Dec 2022 19:02:04 +0100
+Subject: [PATCH] Allow journalctl relabel with var_log_t and syslogd_var_run_t
+ files
+
+The journald service runs in the syslogd_t domain as well as syslog
+daemons. When journal-offline wants to rotate journal files, which can
+be in /var/log/journal or /run/log/journal, it modifies all extended
+attributes, namely copy-on-write and security.selinux content, so
+relabelfrom and relabelto permissions are needed.
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(1670904722.619:48): proctitle="/usr/lib/systemd/systemd-journald"
+type=SYSCALL msg=audit(1670904722.619:48): arch=c00000b7 syscall=7 success=no exit=-13 a0=1d a1=ffffa0000b78 a2=ffffa0000e10 a3=27 items=0 ppid=1 pid=598 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="journal-offline" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+type=AVC msg=audit(1670904722.619:48): avc: denied { relabelfrom } for pid=598 comm="journal-offline" name=".#system@1d25afdf416a40bb98bce9ac89ae6846-0000000000000001-0005efadd1f07135.journal941ddc8fc49c256a" dev="tmpfs" ino=1026 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=0
+
+Resolves: rhbz#2075527
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index d96d862f7c..34dd6aabe1 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -509,6 +509,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+ 
+ # create/append log files.
+ manage_files_pattern(syslogd_t, var_log_t, var_log_t)
++relabel_files_pattern(syslogd_t, var_log_t, var_log_t)
+ allow syslogd_t var_log_t:file map;
+ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+ files_search_spool(syslogd_t)
+@@ -533,6 +534,7 @@ files_search_var_lib(syslogd_t)
+ allow syslogd_t syslogd_var_run_t:dir watch_dir_perms;
+ manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+ manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
++relabel_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+ manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+ mmap_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+ files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })
diff --git a/backport-Allow-keepalived-bpf-capability-to-run-bpf-programs.patch b/backport-Allow-keepalived-bpf-capability-to-run-bpf-programs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1472a499b5c764adb98274a15590f04e61c84c90
--- /dev/null
+++ b/backport-Allow-keepalived-bpf-capability-to-run-bpf-programs.patch
@@ -0,0 +1,22 @@
+From f7ee387e69162a3e82cb328d42e6e308aa1ad752 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 27 Oct 2022 14:21:32 +0200
+Subject: [PATCH] Allow keepalived bpf capability to run bpf programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/contrib/keepalived.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/keepalived.te b/policy/modules/contrib/keepalived.te
+index 0879eeb4ec..ff0b498188 100644
+--- a/policy/modules/contrib/keepalived.te
++++ b/policy/modules/contrib/keepalived.te
+@@ -38,6 +38,7 @@ files_tmpfs_file(keepalived_tmpfs_t)
+ #
+ 
+ allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setuid setgid sys_admin sys_nice sys_ptrace };
++allow keepalived_t self:capability2 bpf;
+ allow keepalived_t self:process { signal_perms getpgid setpgid setsched };
+ allow keepalived_t self:icmp_socket create_socket_perms;
+ allow keepalived_t self:netlink_socket create_socket_perms;
diff --git a/backport-Allow-keepalived-read-the-contents-of-the-sysfs-filesystem.patch b/backport-Allow-keepalived-read-the-contents-of-the-sysfs-filesystem.patch
new file mode 100644
index 0000000000000000000000000000000000000000..850d83b51002a857a73221a505e3c46c08ee59df
--- /dev/null
+++ b/backport-Allow-keepalived-read-the-contents-of-the-sysfs-filesystem.patch
@@ -0,0 +1,30 @@
+From f8f11f18a9473614c47b0a35d27f5be11c954e5b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 27 Jun 2022 13:28:39 +0200
+Subject: [PATCH] Allow keepalived read the contents of the sysfs filesystem
+
+Addresses the following AVC denial which is triggered on the keepalived
+service start when it tries to read /sys/devices/system/cpu:
+
+type=PROCTITLE msg=audit(06/17/2022 08:19:59.448:341) : proctitle=/usr/sbin/keepalived --dont-fork -D
+type=PATH msg=audit(06/17/2022 08:19:59.448:341) : item=0 name=/sys/devices/system/cpu inode=39 dev=00:16 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(06/17/2022 08:19:59.448:341) : arch=x86_64 syscall=openat success=yes exit=12 a0=AT_FDCWD a1=0x7ff4be2afc3f a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=4449 pid=4451 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
+type=AVC msg=audit(06/17/2022 08:19:59.448:341) : avc: denied { read } for pid=4451 comm=keepalived name=cpu dev="sysfs" ino=39 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
+
+Resolves: rhbz#2098130
+---
+ policy/modules/contrib/keepalived.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/keepalived.te b/policy/modules/contrib/keepalived.te
+index 8b5ca7171a..0879eeb4ec 100644
+--- a/policy/modules/contrib/keepalived.te
++++ b/policy/modules/contrib/keepalived.te
+@@ -81,6 +81,7 @@ corenet_tcp_connect_squid_port(keepalived_t)
+ domain_read_all_domains_state(keepalived_t)
+ domain_getattr_all_domains(keepalived_t)
+ 
++dev_read_sysfs(keepalived_t)
+ dev_read_urand(keepalived_t)
+ 
+ files_dontaudit_mounton_rootfs(keepalived_var_run_t)
diff --git a/backport-Allow-keepalived-to-set-resource-limits.patch b/backport-Allow-keepalived-to-set-resource-limits.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b241e8c3b9a7e1195efd58d054f97c9550197599
--- /dev/null
+++ b/backport-Allow-keepalived-to-set-resource-limits.patch
@@ -0,0 +1,28 @@
+From 59844c55226997c854bd82ac0f4b3e4df3da8fea Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 15 Dec 2022 12:10:58 +0100
+Subject: [PATCH] Allow keepalived to set resource limits
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(12/06/2022 06:01:28.343:362) : proctitle=/usr/sbin/keepalived --dont-fork -D
+type=SYSCALL msg=audit(12/06/2022 06:01:28.343:362) : arch=x86_64 syscall=prlimit64 success=no exit=EACCES(Permission denied) a0=0x0 a1=0xf a2=0x7ffcac307690 a3=0x0 items=0 ppid=4738 pid=4740 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
+type=AVC msg=audit(12/06/2022 06:01:28.343:362) : avc: denied { setrlimit } for pid=4740 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process permissive=0
+
+Resolves: rhbz#2151212
+---
+ policy/modules/contrib/keepalived.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/keepalived.te b/policy/modules/contrib/keepalived.te
+index ff0b498188..02170721c1 100644
+--- a/policy/modules/contrib/keepalived.te
++++ b/policy/modules/contrib/keepalived.te
+@@ -39,7 +39,7 @@ files_tmpfs_file(keepalived_tmpfs_t)
+ 
+ allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setuid setgid sys_admin sys_nice sys_ptrace };
+ allow keepalived_t self:capability2 bpf;
+-allow keepalived_t self:process { signal_perms getpgid setpgid setsched };
++allow keepalived_t self:process { signal_perms getpgid setpgid setsched setrlimit };
+ allow keepalived_t self:icmp_socket create_socket_perms;
+ allow keepalived_t self:netlink_socket create_socket_perms;
+ allow keepalived_t self:netlink_generic_socket create_socket_perms;
diff --git a/backport-Allow-kpropd-read-network-sysctls.patch b/backport-Allow-kpropd-read-network-sysctls.patch
new file mode 100644
index 0000000000000000000000000000000000000000..83d68fbfab98489a588d7526f066d52dd109d211
--- /dev/null
+++ b/backport-Allow-kpropd-read-network-sysctls.patch
@@ -0,0 +1,27 @@
+From 150db8e78ff23e54c3a54fafaf597dd207518962 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 23 Jun 2022 09:55:35 +0200
+Subject: [PATCH] Allow kpropd read network sysctls
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(06/23/2022 03:46:33.848:845) : proctitle=/usr/sbin/kpropd
+type=PATH msg=audit(06/23/2022 03:46:33.848:845) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 inode=44028 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(06/23/2022 03:46:33.848:845) : cwd=/
+type=SYSCALL msg=audit(06/23/2022 03:46:33.848:845) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffc7e5b8550 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=13730 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kpropd exe=/usr/sbin/kpropd subj=system_u:system_r:kpropd_t:s0 key=(null)
+type=AVC msg=audit(06/23/2022 03:46:33.848:845) : avc: denied { read } for pid=13730 comm=kpropd name=disable_ipv6 dev="proc" ino=44028 scontext=system_u:system_r:kpropd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
+---
+ policy/modules/contrib/kerberos.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
+index b4d3c3e7d4..0eecd224e3 100644
+--- a/policy/modules/contrib/kerberos.te
++++ b/policy/modules/contrib/kerberos.te
+@@ -369,6 +369,7 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+ 
+ kernel_read_system_state(kpropd_t)
+ kernel_read_network_state(kpropd_t)
++kernel_read_net_sysctls(kpropd_t)
+ 
+ can_exec(kpropd_t,kpropd_exec_t)
+ 
diff --git a/backport-Allow-lldpad-bpf-capability-to-run-bpf-programs.patch b/backport-Allow-lldpad-bpf-capability-to-run-bpf-programs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d38b9e1cb2eaa60971c080e68747bb88ed4ec778
--- /dev/null
+++ b/backport-Allow-lldpad-bpf-capability-to-run-bpf-programs.patch
@@ -0,0 +1,22 @@
+From d9ae9be30d67166caf9c5d6d3e0757317e5b49b9 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 27 Oct 2022 14:22:31 +0200
+Subject: [PATCH] Allow lldpad bpf capability to run bpf programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/contrib/lldpad.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
+index 075893cb9d..ffe3796484 100644
+--- a/policy/modules/contrib/lldpad.te
++++ b/policy/modules/contrib/lldpad.te
+@@ -27,6 +27,7 @@ systemd_mount_dir(lldpad_var_run_t)
+ #
+ allow lldpad_t self:capability { chown dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot sys_resource };
+ dontaudit lldpad_t self:capability { sys_admin };
++allow lldpad_t self:capability2 bpf;
+ allow lldpad_t self:shm create_shm_perms;
+ allow lldpad_t self:fifo_file rw_fifo_file_perms;
+ allow lldpad_t self:unix_stream_socket { accept connectto listen };
diff --git a/backport-Allow-login_userdomain-dbus-chat-with-rhsmcertd.patch b/backport-Allow-login_userdomain-dbus-chat-with-rhsmcertd.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2ad5673c9aea5bcfa16711aca4313dc65ec4bf84
--- /dev/null
+++ b/backport-Allow-login_userdomain-dbus-chat-with-rhsmcertd.patch
@@ -0,0 +1,28 @@
+From 14a208a78ed843964f8f79903d130760aa7a9a4e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 5 Oct 2022 19:53:23 +0200
+Subject: [PATCH] Allow login_userdomain dbus chat with rhsmcertd
+
+Addresses the following USER_AVC denial:
+type=USER_AVC msg=audit(1662423125.839:301): pid=896 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.RHSM1.Config member=GetAll dest=:1.386 spid=4090 tpid=2540 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
+
+Resolves: rhbz#2124388
+---
+ policy/modules/system/userdomain.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 6502db7bf0..4f63e6f662 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -448,6 +448,10 @@ optional_policy(`
+ pkcs_tmpfs_named_filetrans(login_userdomain)
+ ')
+ 
++optional_policy(`
++ rhsmcertd_dbus_chat(login_userdomain)
++')
++
+ optional_policy(`
+ rpc_watch_exports(login_userdomain)
+ ')
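Review bot: `rhsmcertd_dbus_chat(login_userdomain)` opens bidirectional D-Bus messaging between every login user domain (the denial shows staff_t, but the attribute also covers the other login domains) and `rhsmcertd_t`, while the quoted denial is only a `GetAll` call on `com.redhat.RHSM1.Config`. SELinux cannot filter by interface or member, so after this rule any method rhsmcertd exports, possibly including ones that change subscription or registration state, is restricted only by the service's own D-Bus policy and polkit rules; the commit message should confirm those exist, or the rule should be scoped to the user domains that actually need the read-only query. The logrotate/hostnamed chat in the following patch has the same shape, though there both ends are system services.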
@@ -0,0 +1,30 @@
+From daca0f5683e2ed842c60d274f67fb0469afd3911 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 28 Apr 2023 17:30:22 +0200
+Subject: [PATCH] Allow logrotate dbus chat with systemd-hostnamed
+
+This denials appears when a service operating on a network is called
+from logrotate to perform an action, like ejabber to reopen its logs
+after logrotate finishes.
+
+The commit addresses the following USER_AVC denial:
+
+type=USER_AVC msg=audit(1676761204.161:9833): pid=543 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
+
+Resolves: rhbz#2171294
+---
+ policy/modules/contrib/logrotate.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
+index fdd9039f8c..24bc2e72f3 100644
+--- a/policy/modules/contrib/logrotate.te
++++ b/policy/modules/contrib/logrotate.te
+@@ -178,6 +178,7 @@ systemd_reload_all_services(logrotate_t)
+ systemd_status_all_unit_files(logrotate_t)
+ systemd_dbus_chat_logind(logrotate_t)
+ systemd_config_generic_services(logrotate_t)
++systemd_dbus_chat_hostnamed(logrotate_t)
+ init_stream_connect(logrotate_t)
+ init_reload_transient_unit(logrotate_t)
+ 
@@ -0,0 +1,31 @@
+From 245ab868b3c2ed9330196f728020c5bdb20b5dff Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 27 Oct 2022 14:59:49 +0200
+Subject: [PATCH] Allow netutils and traceroute bpf capability to run bpf
+ programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/admin/netutils.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
+index c9526d2b92..312b047edc 100644
+--- a/policy/modules/admin/netutils.te
++++ b/policy/modules/admin/netutils.te
+@@ -35,6 +35,7 @@ init_system_domain(traceroute_t, traceroute_exec_t)
+ # Perform network administration operations and have raw access to the network.
+ allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot setpcap };
+ dontaudit netutils_t self:capability { sys_admin sys_tty_config };
++allow netutils_t self:capability2 bpf;
+ allow netutils_t self:process { setcap signal_perms };
+ allow netutils_t self:netlink_generic_socket create_socket_perms;
+ allow netutils_t self:netlink_rdma_socket create_socket_perms;
+@@ -214,6 +215,7 @@ optional_policy(`
+ 
+ allow traceroute_t self:capability { net_admin net_raw setuid setgid };
+ dontaudit traceroute_t self:capability { sys_admin };
++allow traceroute_t self:capability2 bpf;
+ allow traceroute_t self:netlink_generic_socket create_socket_perms;
+ allow traceroute_t self:netlink_rdma_socket create_socket_perms;
+ allow traceroute_t self:rawip_socket create_socket_perms;
@@ -0,0 +1,32 @@
+From 0e9856f3cd11af60445ccf12cd59d35662a7e9a2 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Mon, 1 Aug 2022 16:08:08 +0200
+Subject: [PATCH] Allow networkmanager to signal unconfined process
+
+During kernel selftests, teamd - running in NetworkManager_t domain, checks if teamd instance is started externally.
+Teamd is a daemon to control a given team network device and when started from command line, it runs in the caller domain - unconfined_t.
+
+time->Fri Apr 8 11:01:16 2022
+type=PROCTITLE msg=audit(1649430076.436:6807): proctitle=2F7573722F62696E2F7465616D64002D6B002D74006C6167
+type=SYSCALL msg=audit(1649430076.436:6807): arch=c000003e syscall=62 success=no exit=-13 a0=1ad7f5 a1=f a2=0 a3=7fbf0f5d6ac0 items=0 ppid=13470 pid=1759420 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="teamd" exe="/usr/bin/teamd" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
+type=AVC msg=audit(1649430076.436:6807): avc: denied { signal } for pid=1759420 comm="teamd" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
+
+Allow NetworkManager_t to send generic signals to the unconfined domain.
+
+Fix: bz#2074414
+---
+ policy/modules/contrib/networkmanager.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
+index a946bc060b..c827f40785 100644
+--- a/policy/modules/contrib/networkmanager.te
++++ b/policy/modules/contrib/networkmanager.te
+@@ -532,6 +532,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ unconfined_dgram_send(NetworkManager_t)
++ unconfined_signal(NetworkManager_t)
+ ')
+ 
+ 
diff --git a/backport-Allow-pcscd-bpf-capability-to-run-bpf-programs.patch b/backport-Allow-pcscd-bpf-capability-to-run-bpf-programs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0a34444f5c1d604ec8fd9094ea160d0eab7ea2c5
--- /dev/null
+++ b/backport-Allow-pcscd-bpf-capability-to-run-bpf-programs.patch
@@ -0,0 +1,23 @@
+From 991e1cd627e9dba1bb5a89ca87c90b2542453018 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 27 Oct 2022 14:23:35 +0200
+Subject: [PATCH] Allow pcscd bpf capability to run bpf programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/contrib/pcscd.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
+index d0d83da261..5b22ac8268 100644
+--- a/policy/modules/contrib/pcscd.te
++++ b/policy/modules/contrib/pcscd.te
+@@ -23,7 +23,7 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
+ 
+ allow pcscd_t self:capability { dac_read_search fsetid };
+ dontaudit pcscd_t self:capability { sys_admin };
+-allow pcscd_t self:capability2 { wake_alarm };
++allow pcscd_t self:capability2 { bpf wake_alarm };
+ allow pcscd_t self:cap_userns sys_ptrace;
+ allow pcscd_t self:process { signal signull };
+ dontaudit pcscd_t self:process setsched;
diff --git a/backport-Allow-pkcs_slotd_t-bpf-capability-to-run-bpf-program.patch b/backport-Allow-pkcs_slotd_t-bpf-capability-to-run-bpf-program.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f3cedf64cb19feff57153706ac9350fee85cc9c1
--- /dev/null
+++ b/backport-Allow-pkcs_slotd_t-bpf-capability-to-run-bpf-program.patch
@@ -0,0 +1,22 @@
+From 33f983cf633bbdfba33958ee313f469b869f3c30 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 27 Oct 2022 14:27:43 +0200
+Subject: [PATCH] Allow pkcs_slotd_t bpf capability to run bpf programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/contrib/pkcs.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
+index 4eb8a50c83..babcc56f60 100644
+--- a/policy/modules/contrib/pkcs.te
++++ b/policy/modules/contrib/pkcs.te
+@@ -47,6 +47,7 @@ systemd_unit_file(pkcs_slotd_unit_file_t)
+ #
+ 
+ allow pkcs_slotd_t self:capability { fsetid kill chown };
++allow pkcs_slotd_t self:capability2 bpf;
+ allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms;
+ allow pkcs_slotd_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow pkcs_slotd_t self:sem create_sem_perms;
diff --git a/backport-Allow-postfix-smtp-and-postfix-virtual-read-kerberos-key-table.patch b/backport-Allow-postfix-smtp-and-postfix-virtual-read-kerberos-key-table.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0add0818e0ffffb4e6a918906074be7480f88a6f
--- /dev/null
+++ b/backport-Allow-postfix-smtp-and-postfix-virtual-read-kerberos-key-table.patch
@@ -0,0 +1,40 @@
+From 451140e4c1f0bb6d8df25d18d74e549a83f46e4a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 9 Aug 2022 16:56:21 +0200
+Subject: [PATCH] Allow postfix/smtp and postfix/virtual read kerberos key
+ table
+
+This permission is required when postfix is configured to use virtual
+mailboxes and store data into postgresql database.
+
+Resolves: rhbz#1983308
+---
+ policy/modules/contrib/postfix.te | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
+index 5451023d79..c236828d0e 100644
+--- a/policy/modules/contrib/postfix.te
++++ b/policy/modules/contrib/postfix.te
+@@ -699,6 +699,10 @@ optional_policy(`
+ dspam_stream_connect(postfix_smtp_t)
+ ')
+ 
++optional_policy(`
++ kerberos_read_keytab(postfix_smtp_t)
++')
++
+ optional_policy(`
+ milter_stream_connect_all(postfix_smtp_t)
+ ')
+@@ -776,6 +780,10 @@ userdom_manage_user_home_dirs(postfix_virtual_t)
+ userdom_manage_user_home_content(postfix_virtual_t)
+ userdom_filetrans_home_content(postfix_virtual_t)
+ 
++optional_policy(`
++ kerberos_read_keytab(postfix_virtual_t)
++')
++
+ ########################################
+ #
+ # postfix_domain common policy
@@ -0,0 +1,30 @@
+From a120005379c8629aa7b6d174d7c763e4f84fedc4 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 5 Oct 2022 20:36:22 +0200
+Subject: [PATCH] Allow pulseaudio create gnome content (~/.config)
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(10/03/2022 18:19:59.393:477) : proctitle=/usr/bin/pulseaudio --daemonize=no --log-target=journal
+type=PATH msg=audit(10/03/2022 18:19:59.393:477) : item=1 name=/home/username/.config nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=PATH msg=audit(10/03/2022 18:19:59.393:477) : item=0 name=/home/username/ inode=25197786 dev=fd:02 mode=dir,700 ouid=username ogid=username rdev=00:00 obj=staff_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(10/03/2022 18:19:59.393:477) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x55db1dc2a420 a1=0700 a2=0xffffffff a3=0x0 items=2 ppid=6693 pid=6748 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=11 comm=pulseaudio exe=/usr/bin/pulseaudio subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(10/03/2022 18:19:59.393:477) : avc: denied { create } for pid=6748 comm=pulseaudio name=.config scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=0
+
+Resolves: rhbz#2124387
+---
+ policy/modules/contrib/pulseaudio.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
+index b89c5f706a..bdc8263687 100644
+--- a/policy/modules/contrib/pulseaudio.te
++++ b/policy/modules/contrib/pulseaudio.te
+@@ -152,6 +152,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ gnome_create_home_config_dirs(pulseaudio_t)
+ gnome_read_gkeyringd_state(pulseaudio_t)
+ gnome_signull_gkeyringd(pulseaudio_t)
+ gnome_manage_gstreamer_home_files(pulseaudio_t)
diff --git a/backport-Allow-rotatelogs-read-httpd_log_t-symlinks.patch b/backport-Allow-rotatelogs-read-httpd_log_t-symlinks.patch
new file mode 100644
index 0000000000000000000000000000000000000000..061f1c57bbe8b5b017dfb132cd7b827805452b68
--- /dev/null
+++ b/backport-Allow-rotatelogs-read-httpd_log_t-symlinks.patch
@@ -0,0 +1,32 @@
+From 404c8d08e3b4ec9970baa6af55359902d43c3ded Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 20 Oct 2022 19:20:14 +0200
+Subject: [PATCH] Allow rotatelogs read httpd_log_t symlinks
+
+This permission is required when rotatelogs is used in apache httpd
+configuration for handling logs and the /etc/httpd/logs path is used
+where the last directory is a symlink to ../../var/log/httpd:
+
+CustomLog "|/usr/sbin/rotatelogs /etc/httpd/logs/www.example.com 3600" combined
+
+It is executed with /etc/httpd as CWD, so it needs the search permission
+for httpd_config_t, too.
+
+Resolves: rhbz#2030633
+---
+ policy/modules/contrib/apache.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
+index 73957e4459..9101494b7e 100644
+--- a/policy/modules/contrib/apache.te
++++ b/policy/modules/contrib/apache.te
+@@ -1668,6 +1668,8 @@ optional_policy(`
+ allow httpd_rotatelogs_t self:capability { dac_read_search };
+ 
+ manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
++read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
++allow httpd_rotatelogs_t httpd_config_t:dir search_dir_perms;
+ 
+ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+ kernel_dontaudit_list_proc(httpd_rotatelogs_t)
diff --git a/backport-Allow-rpc.gssd-read-network-sysctls.patch b/backport-Allow-rpc.gssd-read-network-sysctls.patch
new file mode 100644
index 0000000000000000000000000000000000000000..75223f2634e1baec9d6cdf32ab8d041e1627417f
--- /dev/null
+++ b/backport-Allow-rpc.gssd-read-network-sysctls.patch
@@ -0,0 +1,27 @@
+From d6bb54218c4b3f5cbed4c3b7115dc43793ebdcba Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 16 Nov 2022 16:37:54 +0100
+Subject: [PATCH] Allow rpc.gssd read network sysctls
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(1668606673.80:374): avc: denied { read } for pid=1236 comm="rpc.gssd" name="disable_ipv6" dev="proc" ino=32004 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
+
+Resolves: rhbz#2143271
+---
+ policy/modules/contrib/rpc.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
+index a13661a797..f94cfa5d24 100644
+--- a/policy/modules/contrib/rpc.te
++++ b/policy/modules/contrib/rpc.te
+@@ -369,7 +369,7 @@ kernel_read_system_state(gssd_t)
+ kernel_read_network_state(gssd_t)
+ kernel_read_network_state_symlinks(gssd_t)
+ kernel_request_load_module(gssd_t)
+-kernel_search_network_sysctl(gssd_t)
++kernel_read_net_sysctls(gssd_t)
+ kernel_signal(gssd_t)
+ 
+ corecmd_exec_bin(gssd_t)
diff --git a/backport-Allow-rpcd_lsad-setcap-and-use-generic-ptys.patch b/backport-Allow-rpcd_lsad-setcap-and-use-generic-ptys.patch
new file mode 100644
index 0000000000000000000000000000000000000000..63d08c46ce41f042a29afdda5831062592f5804f
--- /dev/null
+++ b/backport-Allow-rpcd_lsad-setcap-and-use-generic-ptys.patch
@@ -0,0 +1,49 @@ +From e1fe6ba8a75ff66e506e7d80b4d8ccb8f899ec39 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 24 May 2023 16:39:11 +0200 +Subject: [PATCH] Allow rpcd_lsad setcap and use generic ptys + +Allow /usr/libexec/samba/rpcd_lsad running in the winbind_rpcd_t domain +the setcap permission to use capset(2) and use generic ptys when a request +to change a password is made. Note winbind_rpcd_t is not in the daemon +attribute which is a subject of the daemons_use_tty boolean. + +The commit addresses the following AVC denials: + +type=PROCTITLE msg=audit(05/23/2023 15:45:49.588:911) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=2 --worker-index=0 --debuglevel=0 +type=PATH msg=audit(05/23/2023 15:45:49.588:911) : item=0 name=/dev/pts/2 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(05/23/2023 15:45:49.588:911) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffce321e8c0 a1=0x7ffce321e830 a2=0x7ffce321e830 a3=0x0 items=1 ppid=129672 pid=129682 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_rpcd_t:s0 key=(null) +type=AVC msg=audit(05/23/2023 15:45:49.588:911) : avc: denied { search } for pid=129682 comm=rpcd_lsad name=/ dev="devpts" ino=1 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=0 + +type=PROCTITLE msg=audit(05/24/2023 03:08:08.440:1130) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=2 --worker-index=0 --debuglevel=0 +type=SYSCALL msg=audit(05/24/2023 03:08:08.440:1130) : arch=x86_64 syscall=capset success=no exit=EACCES(Permission denied) a0=0x561752d238b4 a1=0x561752d238bc a2=0x561752d238bc a3=0x7ffd6edcd904 items=0 ppid=164904 pid=164906 auid=unset uid=root gid=root euid=root suid=root 
fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_rpcd_t:s0 key=(null) +type=AVC msg=audit(05/24/2023 03:08:08.440:1130) : avc: denied { setcap } for pid=164906 comm=rpcd_lsad scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=0 + +Resolves: rhbz#2107106 +--- + policy/modules/contrib/samba.te | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te +index 9847d3da29..1a90ca864f 100644 +--- a/policy/modules/contrib/samba.te ++++ b/policy/modules/contrib/samba.te +@@ -1173,6 +1173,7 @@ optional_policy(` + allow winbind_rpcd_t self:capability { setgid setuid }; + allow winbind_rpcd_t self:key { read write }; + allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms; ++allow winbind_rpcd_t self:process setcap; + allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto }; + allow winbind_rpcd_t self:unix_stream_socket connectto; + allow winbind_rpcd_t self:udp_socket create_socket_perms; +@@ -1268,6 +1269,10 @@ optional_policy(` + systemd_userdbd_stream_connect(winbind_rpcd_t) + ') + ++optional_policy(` ++ term_use_generic_ptys(winbind_rpcd_t) ++') ++ + optional_policy(` + unconfined_dgram_send(winbind_rpcd_t) + ') diff --git a/backport-Allow-samba-bgqd-get-a-printer-list.patch b/backport-Allow-samba-bgqd-get-a-printer-list.patch new file mode 100644 index 0000000000000000000000000000000000000000..1ee5ac0319b6b0c58085aaf6ad62ef76ad54c2b6 --- /dev/null +++ b/backport-Allow-samba-bgqd-get-a-printer-list.patch 
@@ -0,0 +1,53 @@ +From b3a5dfcc161ee097a0a5aa0fbf515e2e0bfb7430 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 5 Aug 2022 16:42:50 +0200 +Subject: [PATCH] Allow samba-bgqd get a printer list + +When `rpcclient localhost -c 'enumprinters'` or a similar command is executed, +samba-bgqd connects to the cups service to get the list of configured printers. +The printers are then cached and updated on regular basis. + +Resolves: rhbz#2112395 +--- + policy/modules/contrib/samba.te | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te +index 61598b8e39..d64ba6e569 100644 +--- a/policy/modules/contrib/samba.te ++++ b/policy/modules/contrib/samba.te +@@ -1198,10 +1198,16 @@ kernel_read_network_state(winbind_rpcd_t) + + corecmd_exec_bin(winbind_rpcd_t) + ++corenet_tcp_connect_ipp_port(winbind_rpcd_t) ++ + optional_policy(` + auth_read_passwd(winbind_rpcd_t) + ') + ++optional_policy(` ++ cups_stream_connect(winbind_rpcd_t) ++') ++ + optional_policy(` + dbus_system_bus_client(winbind_rpcd_t) + ') +@@ -1236,9 +1242,16 @@ optional_policy(` + systemd_userdbd_stream_connect(winbind_rpcd_t) + ') + +-# interactions with smbd_t/winbind_t ++optional_policy(` ++ unconfined_dgram_send(winbind_rpcd_t) ++') ++ ++# inter-process communication with other samba domains + allow smbd_t winbind_rpcd_t:unix_stream_socket connectto; + allow winbind_t winbind_rpcd_t:unix_stream_socket connectto; ++allow winbind_rpcd_t nmbd_t:unix_dgram_socket sendto; ++allow winbind_rpcd_t smbd_t:unix_dgram_socket sendto; ++allow winbind_rpcd_t winbind_t:unix_dgram_socket sendto; + allow winbind_rpcd_t winbind_t:unix_stream_socket connectto; + + samba_domtrans_winbind_rpcd(smbd_t) 
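Review bot: The `unconfined_dgram_send(winbind_rpcd_t)` block and the three new `unix_dgram_socket sendto` rules towards nmbd_t, smbd_t and winbind_t are not explained anywhere: the commit message only covers the cups connection used to fetch the printer list, and the rules carry no comment. The reason for letting winbind_rpcd_t send datagrams to unconfined domains in particular should be recorded, either in the message or as a comment above the block, e.g. `# winbind_rpcd_t exchanges unix datagrams with other samba daemons and unconfined domains (rhbz#2112395)`. The renamed section comment `# inter-process communication with other samba domains` is a good fit for the three samba rules but does not cover the unconfined grant placed just above it.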
diff --git a/backport-Allow-samba-bgqd-to-read-a-printer-list.patch b/backport-Allow-samba-bgqd-to-read-a-printer-list.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8775a393b734aecbc23da7609166e2ceee2693f6
--- /dev/null
+++ b/backport-Allow-samba-bgqd-to-read-a-printer-list.patch
@@ -0,0 +1,25 @@
+From 4d2a6d493a3a523c9bbb1d5f276f94bb176f5dec Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Mon, 22 Aug 2022 16:40:09 +0200
+Subject: [PATCH] Allow samba-bgqd to read a printer list
+
+Allow samba-bgqd, helper program performing asynchronous printing-related jobs,
+to read /etc/printcap file, where are stored printer definitions.
+
+Fix: bz#2118977
+---
+ policy/modules/contrib/samba.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 82ba1abf64..323e38b4cc 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1206,6 +1206,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ cups_read_config(winbind_rpcd_t)
+ cups_stream_connect(winbind_rpcd_t)
+ ')
+
diff --git a/backport-Allow-samba-dcerpcd-connect-to-systemd_machined-over.patch b/backport-Allow-samba-dcerpcd-connect-to-systemd_machined-over.patch
new file mode 100644
index 0000000000000000000000000000000000000000..20b62af3e9006229d725090ac090f87efbbce783
--- /dev/null
+++ b/backport-Allow-samba-dcerpcd-connect-to-systemd_machined-over.patch
@@ -0,0 +1,26 @@
+From 400871693697941947ae35e9c914c129518880f0 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 22 May 2023 15:03:56 +0200
+Subject: [PATCH] Allow samba-dcerpcd connect to systemd_machined over a unix
+ socket
+
+The commit addresses the following AVC denial:
+type=AVC msg=audit(1684646002.435:1902): avc: denied { connectto } for pid=27491 comm="rpcd_winreg" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
+
+Resolves: rhbz#2208845
+---
+ policy/modules/contrib/samba.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index c8123ff29d..9847d3da29 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1264,6 +1264,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ systemd_machined_stream_connect(winbind_rpcd_t)
+ systemd_userdbd_stream_connect(winbind_rpcd_t)
+ ')
+
diff --git a/backport-Allow-samba-dcerpcd-use-NSCD-services-over-a-unix-st.patch b/backport-Allow-samba-dcerpcd-use-NSCD-services-over-a-unix-st.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a22af782a84f685e897e3ada2e76088a04819cc7
--- /dev/null
+++ b/backport-Allow-samba-dcerpcd-use-NSCD-services-over-a-unix-st.patch
@@ -0,0 +1,34 @@ +From cac4a1f3b825bdc7f7eeaa4b219c95342ddd135c Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 10 Oct 2022 16:39:50 +0200 +Subject: [PATCH] Allow samba-dcerpcd use NSCD services over a unix stream + socket + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(08/26/2022 04:14:24.657:453) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=23 --np-helper --debuglevel=0 +type=PATH msg=audit(08/26/2022 04:14:24.657:453) : item=0 name=/var/run/nscd/socket inode=130894 dev=00:18 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nscd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SOCKADDR msg=audit(08/26/2022 04:14:24.657:453) : saddr={ saddr_fam=local path=/var/run/nscd/socket } +type=SYSCALL msg=audit(08/26/2022 04:14:24.657:453) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x4 a1=0x7ffccfc81970 a2=0x6e a3=0x6 items=1 ppid=1 pid=93859 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null) +type=AVC msg=audit(08/26/2022 04:14:24.657:453) : avc: denied { write } for pid=93859 comm=samba-dcerpcd name=socket dev="tmpfs" ino=130894 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file permissive=0 + +Resolves: rhbz#2121709 +--- + policy/modules/contrib/samba.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te +index 23af3a1304..227c22516d 100644 +--- a/policy/modules/contrib/samba.te ++++ b/policy/modules/contrib/samba.te +@@ -1232,6 +1232,10 @@ optional_policy(` + miscfiles_read_generic_certs(winbind_rpcd_t) + ') + ++optional_policy(` ++ nscd_socket_use(winbind_rpcd_t) ++') ++ + optional_policy(` + 
sssd_read_public_files(winbind_rpcd_t) + sssd_stream_connect(winbind_rpcd_t) diff --git a/backport-Allow-samba-dcerpcd-work-with-sssd.patch b/backport-Allow-samba-dcerpcd-work-with-sssd.patch new file mode 100644 index 0000000000000000000000000000000000000000..7741c09b0d7ab12404b23842792be0ba7a5b19d4 --- /dev/null +++ b/backport-Allow-samba-dcerpcd-work-with-sssd.patch @@ -0,0 +1,32 @@ +From 88a28fc843a9e3a0039647d0b6fdd5ac7895a286 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 21 Jun 2022 16:02:49 +0200 +Subject: [PATCH] Allow samba-dcerpcd work with sssd + +Addresses the following AVC denials: + +type=AVC msg=audit(1655206265.325:3211): avc: denied { open } for pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1655206265.325:3214): avc: denied { connectto } for pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 +type=AVC msg=audit(1655206265.325:3214): avc: denied { write } for pid=33521 comm="samba-dcerpcd" name="nss" dev="vda3" ino=17045861 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1 + +Resolves: rhbz#2096825 +--- + policy/modules/contrib/samba.te | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te +index 5e851af84a..091e016fd0 100644 +--- a/policy/modules/contrib/samba.te ++++ b/policy/modules/contrib/samba.te +@@ -1215,6 +1215,11 @@ optional_policy(` + logging_send_syslog_msg(winbind_rpcd_t) + ') + ++optional_policy(` ++ sssd_read_public_files(winbind_rpcd_t) ++ sssd_stream_connect(winbind_rpcd_t) ++') ++ + optional_policy(` + sysnet_read_config(winbind_rpcd_t) + ') 
diff --git a/backport-Allow-samba-rpcd-work-with-passwords.patch b/backport-Allow-samba-rpcd-work-with-passwords.patch new file mode 100644 index 0000000000000000000000000000000000000000..80164b77b890e296efeb994569bd5e6914f9d939 --- /dev/null +++ b/backport-Allow-samba-rpcd-work-with-passwords.patch @@ -0,0 +1,36 @@ +From d5438718efffaf9bdfb6abe2d7fe8ecb1a316b84 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 11 May 2023 17:21:03 +0200 +Subject: [PATCH] Allow samba-rpcd work with passwords + +A domain transition on chkpwd execution was allowed to winbind_rpcd_t +unconditionally and permissions to use the passwd command only when the +samba_domain_controller boolean is turned on. + +Resolves: rhbz#2107106 +--- + policy/modules/contrib/samba.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te +index 6143ea2622..c8123ff29d 100644 +--- a/policy/modules/contrib/samba.te ++++ b/policy/modules/contrib/samba.te +@@ -471,6 +471,9 @@ tunable_policy(`samba_domain_controller',` + usermanage_domtrans_useradd(smbd_t) + usermanage_domtrans_groupadd(smbd_t) + allow smbd_t self:passwd passwd; ++ ++ usermanage_domtrans_passwd(winbind_rpcd_t) ++ allow winbind_rpcd_t self:passwd passwd; + ') + + tunable_policy(`samba_enable_home_dirs',` +@@ -1213,6 +1216,7 @@ term_getattr_pty_fs(winbind_rpcd_t) + term_use_ptmx(winbind_rpcd_t) + + optional_policy(` ++ auth_domtrans_chk_passwd(winbind_rpcd_t) + auth_read_passwd(winbind_rpcd_t) + ') + diff --git a/backport-Allow-sbd-the-sys_ptrace-capability.patch b/backport-Allow-sbd-the-sys_ptrace-capability.patch new file mode 100644 index 0000000000000000000000000000000000000000..d20eb378b0bb85bb1e9c9b3eb8cb32fbc5810984 --- /dev/null +++ b/backport-Allow-sbd-the-sys_ptrace-capability.patch 
@@ -0,0 +1,41 @@ +From 533de74a9a344542ab504915938b636698fd9838 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 5 Oct 2022 14:12:22 +0200 +Subject: [PATCH] Allow sbd the sys_ptrace capability + +The capability is required to scan open file descriptors to find out +which additional processes also have them open. + +The sbd binary implements both the daemon that watches message slots +as well as the management tool for interacting with the block storage +device(s). + +To get a full cluster view, pcs invokes the sbd-cmdline-tool on other +nodes through the pcsd instances running there which effects sbd +transition to sbd_t although it is a command in this case, not a +service. + +Addresses the following AVC denial: +type=PROCTITLE msg=audit(09/12/2022 15:00:59.857:4015) : proctitle=/usr/sbin/sbd query-watchdog +type=PATH msg=audit(09/12/2022 15:00:59.857:4015) : item=0 name=/proc/851/fd/0 inode=21560 dev=00:05 mode=link,500 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:rpcbind_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(09/12/2022 15:00:59.857:4015) : arch=x86_64 syscall=readlink success=no exit=EACCES(Permission denied) a0=0x7ffd9edd46c0 a1=0x7ffd9edd44b0 a2=0xff a3=0x0 items=1 ppid=538646 pid=538650 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null) +type=AVC msg=audit(09/12/2022 15:00:59.857:4015) : avc: denied { sys_ptrace } for pid=538650 comm=sbd capability=sys_ptrace scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:system_r:sbd_t:s0 tclass=capability permissive=0 + +Resolves: rhbz#2124552 +--- + policy/modules/contrib/sbd.te | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/contrib/sbd.te b/policy/modules/contrib/sbd.te +index 5aea5cbe1d..4da7c6223b 100644 +--- a/policy/modules/contrib/sbd.te ++++ 
b/policy/modules/contrib/sbd.te +@@ -22,7 +22,7 @@ userdom_user_tmpfs_file(sbd_tmpfs_t) + # + # sbd local policy + # +-allow sbd_t self:capability { dac_read_search dac_override ipc_lock kill sys_boot sys_nice sys_admin}; ++allow sbd_t self:capability { dac_read_search dac_override ipc_lock kill sys_boot sys_nice sys_ptrace sys_admin}; + allow sbd_t self:process { fork setsched signal_perms }; + allow sbd_t self:fifo_file rw_fifo_file_perms; + allow sbd_t self:unix_stream_socket create_stream_socket_perms; diff --git a/backport-Allow-smbd_t-process-noatsecure-permission-for-winbi.patch b/backport-Allow-smbd_t-process-noatsecure-permission-for-winbi.patch new file mode 100644 index 0000000000000000000000000000000000000000..fc94a4f216892c15571b557dea00111eaf3a1a0d --- /dev/null +++ b/backport-Allow-smbd_t-process-noatsecure-permission-for-winbi.patch @@ -0,0 +1,22 @@ +From 3d3ff36126d0fd7a38519ede5ad076303105b891 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 25 Aug 2022 17:33:20 +0200 +Subject: [PATCH] Allow smbd_t process noatsecure permission for winbind_rpcd_t + +Resolves: rhbz#2117199 +--- + policy/modules/contrib/samba.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te +index 323e38b4cc..d25bc64f5d 100644 +--- a/policy/modules/contrib/samba.te ++++ b/policy/modules/contrib/samba.te +@@ -1249,6 +1249,7 @@ optional_policy(` + ') + + # inter-process communication with other samba domains ++allow smbd_t winbind_rpcd_t:process noatsecure; + allow smbd_t winbind_rpcd_t:unix_stream_socket connectto; + allow winbind_t winbind_rpcd_t:unix_stream_socket connectto; + allow winbind_rpcd_t nmbd_t:unix_dgram_socket sendto; diff --git a/backport-Allow-sssd-dbus-chat-with-system-cronjobs.patch b/backport-Allow-sssd-dbus-chat-with-system-cronjobs.patch new file mode 100644 index 0000000000000000000000000000000000000000..592fb567c8248b99af3b28d82782c2e8f1564dd0 --- /dev/null 
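Review bot: The `sys_ptrace` capability added to the `allow sbd_t self:capability` line applies to every process in sbd_t, including the watchdog daemon, while the commit message says it is needed only by the command-line invocation (`sbd query-watchdog` via pcsd) that walks other processes' `/proc/<pid>/fd` links; nothing in sbd.te records that, so a later reviewer cannot tell whether the grant is still required. Suggest a comment above the rule, e.g. `# sys_ptrace: sbd command-line runs (via pcsd) readlink /proc/<pid>/fd of other processes, rhbz#2124552`. The AVC in the message shows the target link labelled rpcbind_t; whether the readlink also needs proc dir/lnk_file permissions on other domains after this grant is not visible here and is worth checking in permissive mode before closing the bug. The pre-existing `sys_admin}` without a space before the brace could be tidied while touching the line.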
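Review bot: `allow smbd_t winbind_rpcd_t:process noatsecure;` is added with only a bug number and no explanation of why secure-exec handling must be disabled on the smbd_t to winbind_rpcd_t transition; noatsecure is the permission that suppresses the AT_SECURE treatment of the new process (the dynamic loader's secure-mode restrictions on the inherited environment), so the reason should be recorded in the policy. Suggest a comment above the rule, `# noatsecure on smbd -> winbind_rpcd_t transitions: see rhbz#2117199`, with the concrete reason filled in from the bug. The heading the rule is placed under, `# inter-process communication with other samba domains`, describes the socket rules below it but not this exec-time flag, so the rule would sit better next to the domain-transition rules for winbind_rpcd_t.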
+++ b/backport-Allow-sssd-dbus-chat-with-system-cronjobs.patch
@@ -0,0 +1,29 @@
+From c8a25442b17ef4a95fa45cdde90cb6df30946fb1 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 11 Nov 2022 12:37:07 +0100
+Subject: [PATCH] Allow sssd dbus chat with system cronjobs
+
+Addresses the following USER_AVC denial:
+
+type=USER_AVC msg=audit(10/11/2022 14:36:01.711:447) : pid=973 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.1467 spid=5736 tpid=7278 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
+
+Resolves: rhbz#2132922
+---
+ policy/modules/contrib/sssd.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
+index 90d04fd918..f84c905f42 100644
+--- a/policy/modules/contrib/sssd.te
++++ b/policy/modules/contrib/sssd.te
+@@ -192,6 +192,10 @@ optional_policy(`
+ optional_policy(`
+ dbus_system_bus_client(sssd_t)
+ dbus_connect_system_bus(sssd_t)
++
++ optional_policy(`
++ cron_dbus_chat_system_job(sssd_t)
++ ')
+ ')
+
+ optional_policy(`
diff --git a/backport-Allow-syslogd-read-network-sysctls.patch b/backport-Allow-syslogd-read-network-sysctls.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ba25741e29893141190698809bdd9b2e9ea0564f
--- /dev/null
+++ b/backport-Allow-syslogd-read-network-sysctls.patch
@@ -0,0 +1,26 @@
+From 2eafd6c8cbc18aa52e320663ba6bf63f334c95d9 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 23 Nov 2022 09:20:51 +0100
+Subject: [PATCH] Allow syslogd read network sysctls
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(1669156432.404:191): avc: denied { read } for pid=700 comm="rsyslogd" name="disable_ipv6" dev="proc" ino=19523 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
+
+Resolves: rhbz#2145019
+---
+ policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 4e00b7935a..d96d862f7c 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -541,6 +541,7 @@ kernel_rw_stream_socket_perms(syslogd_t)
+ kernel_read_system_state(syslogd_t)
+ kernel_read_network_state(syslogd_t)
+ kernel_read_kernel_sysctls(syslogd_t)
++kernel_read_net_sysctls(syslogd_t)
+ kernel_read_netlink_audit_socket(syslogd_t)
+ kernel_read_proc_symlinks(syslogd_t)
+ # Allow access to /proc/kmsg for syslog-ng
diff --git a/backport-Allow-system_cronjob_t-transition-to-rpm_script_t.patch b/backport-Allow-system_cronjob_t-transition-to-rpm_script_t.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a0cbe3c51a5eae0ff86a18243ca4c41c03352e5b
--- /dev/null
+++ b/backport-Allow-system_cronjob_t-transition-to-rpm_script_t.patch
@@ -0,0 +1,25 @@
+From 119f307391811d408d2cbed82632b46814376769 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 16 Feb 2023 13:04:48 +0100
+Subject: [PATCH] Allow system_cronjob_t transition to rpm_script_t
+
+This permission is required for rpm-like programs (rpm, dnf)
+executed from system cronjobs, e. g. /etc/crontab.
+
+Resolves: rhbz#2173255
+---
+ policy/modules/contrib/cron.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
+index a269cfcc50..8bc806ab9c 100644
+--- a/policy/modules/contrib/cron.te
++++ b/policy/modules/contrib/cron.te
+@@ -545,6 +545,7 @@ ifdef(`distro_redhat',`
+ # via redirection of standard out.
+ optional_policy(`
+ rpm_manage_log(system_cronjob_t)
++ rpm_transition_script(system_cronjob_t, system_r)
+ ')
+ ')
+
diff --git a/backport-Allow-system_dbusd-ioctl-kernel-with-a-unix-stream-sockets.patch b/backport-Allow-system_dbusd-ioctl-kernel-with-a-unix-stream-sockets.patch
new file mode 100644
index 0000000000000000000000000000000000000000..aefd563fc36ffb49150d0e0ca928522bb536237a
--- /dev/null
+++ b/backport-Allow-system_dbusd-ioctl-kernel-with-a-unix-stream-sockets.patch
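Review bot: `rpm_transition_script(system_cronjob_t, system_r)` makes every rpm/dnf execution from any system cron job run in rpm_script_t, yet the rule carries no comment, and the only nearby comment visible in the hunk (`# via redirection of standard out.`) belongs to the log rule above it. Because rpm_script_t is a far more privileged domain than system_cronjob_t, the reason should be recorded at the rule, e.g. `# rpm/dnf run from system cronjobs (e.g. /etc/crontab) transition to rpm_script_t, rhbz#2173255`. The enclosing `ifdef(`distro_redhat',` block starts outside the hunk, so it is not visible whether a more specific place for this rule exists within it.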
@@ -0,0 +1,59 @@ +From 6b1b4d1bad371a78c69b399088e167ccdfb646ff Mon Sep 17 00:00:00 2001 +From: Nikola Knazekova +Date: Mon, 22 Aug 2022 16:01:10 +0200 +Subject: [PATCH] Allow system_dbusd ioctl kernel with a unix stream sockets + +Systemd creates and starts to listen on the socket before +SELinux policy is loaded and it inherits the kernel secid as its label. + +Allow system_dbusd ioctl kernel with a unix stream sockets +Create interface to allow the specified domain to ioctl a kernel with a unix domain stream sockets. + +Fix: bz#2085392 +--- + policy/modules/contrib/dbus.te | 1 + + policy/modules/kernel/kernel.if | 19 +++++++++++++++++++ + 2 files changed, 20 insertions(+) + +diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te +index a0f5679d61..eadbbab2a7 100644 +--- a/policy/modules/contrib/dbus.te ++++ b/policy/modules/contrib/dbus.te +@@ -94,6 +94,7 @@ manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_ru + manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t) + files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir }) + ++kernel_ioctl_stream_sockets(system_dbusd_t) + kernel_read_system_state(system_dbusd_t) + kernel_read_kernel_sysctls(system_dbusd_t) + kernel_stream_connect(system_dbusd_t) +diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if +index 76613d1967..253b542688 100644 +--- a/policy/modules/kernel/kernel.if ++++ b/policy/modules/kernel/kernel.if +@@ -3738,6 +3738,25 @@ interface(`kernel_rw_stream_socket_perms',` + allow $1 kernel_t:fd use; + ') + ++####################################### ++## ++## Allow the specified domain to ioctl a ++## kernel with a unix domain stream sockets. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`kernel_ioctl_stream_sockets',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 kernel_t:unix_stream_socket { getopt ioctl }; ++') ++ + ######################################## + ## + ## Make the specified type usable for regular entries in proc diff --git a/backport-Allow-system_mail-t-read-network-sysctls.patch b/backport-Allow-system_mail-t-read-network-sysctls.patch new file mode 100644 index 0000000000000000000000000000000000000000..9d8365a7c96f7755cf625a5d370150dfedfac335 --- /dev/null +++ b/backport-Allow-system_mail-t-read-network-sysctls.patch @@ -0,0 +1,26 @@ +From 6ceec051905cb5f8a80122eb74682ac3b9dd2f22 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 23 Sep 2022 19:30:53 +0200 +Subject: [PATCH] Allow system_mail-t read network sysctls + +Addresses the following AVC denial: +type=AVC msg=audit(1663932465.372:588): avc: denied { read } for pid=122144 comm="sendmail" name="disable_ipv6" dev="proc" ino=2645630 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0 + +Resolves: rhbz#2129326 +--- + policy/modules/contrib/mta.te | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te +index 36c3641806..72bfa1c98a 100644 +--- a/policy/modules/contrib/mta.te ++++ b/policy/modules/contrib/mta.te +@@ -188,7 +188,7 @@ allow system_mail_t mail_home_t:file manage_file_perms; + + read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) + +-kernel_search_network_sysctl(system_mail_t) ++kernel_read_net_sysctls(system_mail_t) + + corecmd_exec_shell(system_mail_t) + diff --git a/backport-Allow-systemd-coredump-mounton-usr.patch b/backport-Allow-systemd-coredump-mounton-usr.patch new file mode 100644 index 0000000000000000000000000000000000000000..946e3f1865606714295ff986823914c81d1028b1 --- /dev/null +++ b/backport-Allow-systemd-coredump-mounton-usr.patch 
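Review bot: The new `kernel_ioctl_stream_sockets` interface requires `type init_t;` but the rule it guards is `allow $1 kernel_t:unix_stream_socket { getopt ioctl };`, so the gen_require does not declare the type actually used; it should read `type kernel_t;`. The rule also grants `getopt`, which neither the summary nor the commit message mentions; the summary should say so, e.g. `## Allow the specified domain to ioctl and get socket options on the kernel's unix domain stream sockets.`. As a style nit, the header line opening this interface is one `#` shorter than the separators of the neighbouring interfaces.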
@@ -0,0 +1,57 @@ +From 4a49782a31552a8ef0894f0c8d52a2328f269b1c Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 11 Apr 2023 13:22:29 +0200 +Subject: [PATCH] Allow systemd-coredump mounton /usr + +The files_mounton_usr() interface was added. + +Addresses the following AVC denial: +type=AVC msg=audit(1680965603.852:5360): avc: denied { mounton } for pid=2016312 comm="(sd-parse-elf)" path="/" dev="sda4" ino=2 scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1 + +Resolves: rhbz#2185385 +--- + policy/modules/kernel/files.if | 18 ++++++++++++++++++ + policy/modules/system/systemd.te | 1 + + 2 files changed, 19 insertions(+) + +diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if +index 1a57076567..6226fca96c 100644 +--- a/policy/modules/kernel/files.if ++++ b/policy/modules/kernel/files.if +@@ -3699,6 +3699,24 @@ interface(`files_mounton_etc',` + allow $1 etc_t:dir mounton; + ') + ++######################################## ++## ++## Mounton directories on the /usr filesystem ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_mounton_usr',` ++ gen_require(` ++ type usr_t; ++ ') ++ ++ allow $1 usr_t:dir mounton; ++') ++ + ######################################## + ## + ## Search the contents of /etc directories. +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 57c72d8347..60dbc205ef 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1144,6 +1144,7 @@ files_read_non_security_files(systemd_coredump_t) + files_map_non_security_files(systemd_coredump_t) + + files_mounton_rootfs(systemd_coredump_t) ++files_mounton_usr(systemd_coredump_t) + + fs_getattr_nsfs_files(systemd_coredump_t) + 
diff --git a/backport-Allow-systemd-hostnamed-dbus-chat-with-init-scripts.patch b/backport-Allow-systemd-hostnamed-dbus-chat-with-init-scripts.patch new file mode 100644 index 0000000000000000000000000000000000000000..2ced9c656d46af9a665ed5fda1ce8b1248b8ffd6 --- /dev/null +++ b/backport-Allow-systemd-hostnamed-dbus-chat-with-init-scripts.patch @@ -0,0 +1,29 @@ +From d374cf4fb2d5828aafcdd475a880c6d94b10bdff Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 11 Nov 2022 12:46:00 +0100 +Subject: [PATCH] Allow systemd-hostnamed dbus chat with init scripts + +Addresses the following USER_AVC denial: + +type=USER_AVC msg=audit(1659032710.225:59): pid=1684 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.23 spid=2281 tpid=2280 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus" + +Resolves: rhbz#2111632 +--- + policy/modules/system/systemd.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 6602d7c916..6194317382 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -903,6 +903,10 @@ optional_policy(` + dbus_system_bus_client(systemd_hostnamed_t) + dbus_connect_system_bus(systemd_hostnamed_t) + dbus_watch_pid_dir_path(systemd_hostnamed_t) ++ ++ optional_policy(` ++ init_dbus_chat_script(systemd_hostnamed_t) ++ ') + ') + + optional_policy(` diff --git a/backport-Allow-systemd-modules-load-write-to-dev-kmsg-and-send-a-message-to-syslogd.patch b/backport-Allow-systemd-modules-load-write-to-dev-kmsg-and-send-a-message-to-syslogd.patch new file mode 100644 index 0000000000000000000000000000000000000000..9edab5d0f0730e07605592f76c30683d852883c5 --- /dev/null 
+++ b/backport-Allow-systemd-modules-load-write-to-dev-kmsg-and-send-a-message-to-syslogd.patch
@@ -0,0 +1,31 @@
+From 5e6b688ea15f842e1d048828a0296c5eea3e26f0 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Tue, 9 Aug 2022 11:11:34 +0200
+Subject: [PATCH] Allow systemd-modules-load write to /dev/kmsg and send a
+ message to syslogd
+
+Allow systemd_modules_load_t, early boot service that loads kernel modules,
+write to the kernel messages device and send a message to syslogd over a unix domain datagram socket.
+
+Fix: bz#2088257
+---
+ policy/modules/system/systemd.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 7d490e853c..9440943375 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1259,9 +1259,12 @@ corecmd_exec_bin(systemd_modules_load_t)
+ corecmd_exec_shell(systemd_modules_load_t)
+
+ dev_read_sysfs(systemd_modules_load_t)
++dev_write_kmsg(systemd_modules_load_t)
+
+ init_read_pid_files(systemd_modules_load_t)
+
++logging_dgram_send(systemd_modules_load_t)
++
+ files_map_kernel_modules(systemd_modules_load_t)
+ files_read_kernel_modules(systemd_modules_load_t)
+
diff --git a/backport-Allow-systemd-permissions-needed-for-sandboxed-services.patch b/backport-Allow-systemd-permissions-needed-for-sandboxed-services.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3f83769eaeb39c76226501076efb31e05c77cd08
--- /dev/null
+++ b/backport-Allow-systemd-permissions-needed-for-sandboxed-services.patch
@@ -0,0 +1,36 @@ +From c19e4cb9a3f23f2b14c31c978627f9c486a369f4 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 31 Aug 2022 18:20:03 +0200 +Subject: [PATCH] Allow systemd permissions needed for sandboxed services + +The permissions to mounton self and get mail spool files attributes +were added for init_t. Example service requiring them is accounts-daemon +from the accountsservice package which since v22 has more tightened +sandboxing, including mounting into private namespaces and listing +accessible paths. + +Resolves: rhbz#2122059 +--- + policy/modules/system/init.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 06be25304a..4311dbc359 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -187,6 +187,7 @@ allow init_t self:bpf { map_create map_read map_write prog_load prog_run }; + # setuid (from /sbin/shutdown) + # sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot() + ++allow init_t self:file mounton; + allow init_t self:fifo_file rw_fifo_file_perms; + + allow init_t self:service manage_service_perms; +@@ -544,6 +545,7 @@ optional_policy(` + optional_policy(` + postfix_exec(init_t) + postfix_list_spool(init_t) ++ mta_getattr_spool(init_t) + mta_read_config(init_t) + mta_manage_aliases(init_t) + ') diff --git a/backport-Allow-systemd-resolved-send-a-datagram-to-journald.patch b/backport-Allow-systemd-resolved-send-a-datagram-to-journald.patch new file mode 100644 index 0000000000000000000000000000000000000000..b85833a8c53797c8d106f784d554d2627ff2daef --- /dev/null +++ b/backport-Allow-systemd-resolved-send-a-datagram-to-journald.patch 
@@ -0,0 +1,29 @@
+From a7e6b82865350053269b0abab82889e18095358d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 30 Jan 2023 14:22:02 +0100
+Subject: [PATCH] Allow systemd-resolved send a datagram to journald
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(1674810195.623:587): avc: denied { sendto } for pid=47442 comm="systemd-resolve" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0
+
+Resolves: rhbz#2165134
+---
+ policy/modules/system/systemd.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 7c625074c4..57c72d8347 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1267,6 +1267,10 @@ optional_policy(`
+ systemd_dbus_chat_logind(systemd_resolved_t)
+ ')
+ 
++optional_policy(`
++ logging_dgram_send(systemd_resolved_t)
++')
++
+ optional_policy(`
+ networkmanager_dbus_chat(systemd_resolved_t)
+ ')
diff --git a/backport-Allow-systemd-resolved-watch-tmpfs-directories.patch b/backport-Allow-systemd-resolved-watch-tmpfs-directories.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1ca7e6b3aae3cfa355abbf08d0196194815baf34
--- /dev/null
+++ b/backport-Allow-systemd-resolved-watch-tmpfs-directories.patch
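Review bot: `logging_dgram_send(systemd_resolved_t)` is wrapped in its own `optional_policy` block, while the systemd-modules-load backport earlier on this page calls the same interface unconditionally next to the other `dev_*`/`init_*` rules of its domain. If logging is a base module in this policy, as it is in reference policy, the wrapper is unnecessary and the call could sit with the unconditional rules for systemd_resolved_t. If the block is kept, a short comment naming the socket from the AVC, `# /run/systemd/journal/socket, rhbz#2165134`, would explain the grant to the next reader.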
@@ -0,0 +1,62 @@ +From 522fab1033215e698e44f261ea110dc08e6d2c7c Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 21 Dec 2022 12:32:15 +0100 +Subject: [PATCH] Allow systemd-resolved watch tmpfs directories + +This permission is required when the system is booted with +systemd.volatile=overlay. Overlay filesystems are mounted as ramfs +or tmpfs, the tmpfs_t type is assigned to "/". + +The files_watch_tmpfs_dirs() interface was added. + +Addresses the following AVC denial: + +type=AVC msg=audit(1663671100.753:186): avc: denied { watch } for pid=674 comm="systemd-resolve" path="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0 + +Resolves: rhbz#2128246 +--- + policy/modules/kernel/files.if | 18 ++++++++++++++++++ + policy/modules/system/systemd.te | 1 + + 2 files changed, 19 insertions(+) + +diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if +index eb9e6e032c..1a57076567 100644 +--- a/policy/modules/kernel/files.if ++++ b/policy/modules/kernel/files.if +@@ -9802,6 +9802,24 @@ interface(`files_rw_tmpfs_files',` + allow $1 tmpfsfile:file { read write }; + ') + ++########################################## ++## ++## Watch a tmpfs directory. 
++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_watch_tmpfs_dirs',` ++ gen_require(` ++ type root_t; ++ ') ++ ++ allow $1 tmpfs_t:dir watch_dir_perms; ++') ++ + ######################################## + ## + ## Do not audit attempts to read security files +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 3a6fd02c3e..77187a80e4 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1244,6 +1244,7 @@ dev_write_kmsg(systemd_resolved_t) + dev_read_sysfs(systemd_resolved_t) + + files_watch_root_dirs(systemd_resolved_t) ++files_watch_tmpfs_dirs(systemd_resolved_t) + files_watch_var_run_dirs(systemd_resolved_t) + + init_watch_pid_dir(systemd_resolved_t) diff --git a/backport-Allow-systemd-rfkill-the-bpf-capability.patch b/backport-Allow-systemd-rfkill-the-bpf-capability.patch new file mode 100644 index 0000000000000000000000000000000000000000..1f4e5e2ed1a49e448d55891cecc5da8b2c3966f8 --- /dev/null +++ b/backport-Allow-systemd-rfkill-the-bpf-capability.patch 
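Review bot: The new `files_watch_tmpfs_dirs` interface requires `type root_t;` but its only rule uses `tmpfs_t`, so the `gen_require` block does not declare the type the rule needs and a loadable module calling this interface can fail to build; the require should read `type tmpfs_t;`. The `root_t` line looks copied from `files_watch_root_dirs`, and since `tmpfs_t` is owned by the filesystem module in reference policy, an `fs_watch_tmpfs_dirs` interface in filesystem.if may be the better home, which is worth confirming against this tree's layout. Two smaller points: the separator line above the interface is two characters longer than the `########################################` used by its neighbours, and `watch_dir_perms` grants more than the single `watch` permission in the cited AVC, which is probably intended but deserves a mention in the interface description.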
@@ -0,0 +1,32 @@ +From 978245dc94680ac0cf55d11f37e2d788bc68bc1a Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 19 Dec 2022 14:31:15 +0100 +Subject: [PATCH] Allow systemd-rfkill the bpf capability + +Linux Socket Filtering (LSF) is derived from the Berkeley Packet Filter +and uses the same mechanism to allow a user-space program to attach a +filter onto any socket and allow or disallow certain types of data to +come through the socket. +The systemd-rfkill service wants to listen only to related udev events, +so it needs to set a filter for which the bpf capability is required. + +Addresses the following USER_AVC denial: +type=AVC msg=audit(1669160827.102:10): avc: denied { bpf } for pid=954 comm="systemd-rfkill" capability=39 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:system_r:systemd_rfkill_t:s0 tclass=capability2 permissive=0 + +Resolves: rhbz#2149390 +--- + policy/modules/system/systemd.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 77187a80e4..10b1b2d9b2 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -947,6 +947,7 @@ tunable_policy(`systemd_socket_proxyd_connect_any',` + # + + allow systemd_rfkill_t self:capability { net_admin sys_admin}; ++allow systemd_rfkill_t self:capability2 bpf; + allow systemd_rfkill_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t) diff --git a/backport-Allow-systemd-timedated-watch-init-runtime-dir.patch b/backport-Allow-systemd-timedated-watch-init-runtime-dir.patch new file mode 100644 index 0000000000000000000000000000000000000000..17b53a70d88e81be30021cd2e79a7d4632a85ef3 --- /dev/null +++ b/backport-Allow-systemd-timedated-watch-init-runtime-dir.patch 
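Review bot: `allow systemd_rfkill_t self:capability2 bpf;` carries no comment, and CAP_BPF is a broad capability whose justification here (a socket filter on the udev uevent netlink socket) lives only in the commit message. Suggest `# bpf: socket filter on the netlink uevent socket, rhbz#2149390` above the new rule. If the filter turns out to be an eBPF program rather than a classic one, permissions in the `bpf` object class (the init_t rule elsewhere on this page shows the shape, `self:bpf { ... prog_load prog_run }`) may surface next; a permissive-mode run would confirm which. The missing space in the neighbouring `{ net_admin sys_admin}` is pre-existing.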
@@ -0,0 +1,25 @@
+From b75e34887410c756e09763994cce88584a214da2 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 8 Dec 2022 20:06:14 +0100
+Subject: [PATCH] Allow systemd-timedated watch init runtime dir
+
+Addresses the following AVC denial:
+Dec 08 06:43:24 audit[7055]: AVC avc: denied { watch } for pid=7055 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
+
+Resolves: rhbz#2151806
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 8fb7509147..3a6fd02c3e 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1017,6 +1017,7 @@ fs_getattr_xattr_fs(systemd_timedated_t)
+ 
+ init_dbus_chat(systemd_timedated_t)
+ init_status(systemd_timedated_t)
++init_watch_pid_dir(systemd_timedated_t)
+ 
+ kernel_read_network_state(systemd_timedated_t)
+ 
diff --git a/backport-Allow-systemd-userdbd-the-sys_resource-capability.patch b/backport-Allow-systemd-userdbd-the-sys_resource-capability.patch
new file mode 100644
index 0000000000000000000000000000000000000000..52e4180bc93ca11a09eb79944b0e30e9c533a72c
--- /dev/null
+++ b/backport-Allow-systemd-userdbd-the-sys_resource-capability.patch
@@ -0,0 +1,58 @@ +From a266ee5b8b29d8f64a51cc408d558ae92c5e86ee Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 4 Jan 2023 14:16:56 +0100 +Subject: [PATCH] Allow systemd-userdbd the sys_resource capability +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This permission is required for the process be able to set its +arg start and end address, refer to prctl(2): + + PR_SET_MM (since Linux 3.3) + Modify certain kernel memory map descriptor fields of the calling + process. Usually these fields are set by the kernel and dynamic loader + (see ld.so(8) for more information) and a regular application should not + use this feature. However, there are cases, such as self-modifying pro‐ + grams, where a program might find it useful to change its own memory + map. + + The calling process must have the CAP_SYS_RESOURCE capability. The + value in arg2 is one of the options below, while arg3 provides a new + value for the option. The arg4 and arg5 arguments must be zero if un‐ + used. + + PR_SET_MM_ARG_START + Set the address above which the program command line is placed. + + PR_SET_MM_ARG_END + Set the address below which the program command line is placed. 
+ +Addresses the following AVC denials: + +type=PROCTITLE msg=audit(01/04/2023 06:21:21.285:112) : proctitle=(sd-worker) +type=SYSCALL msg=audit(01/04/2023 06:21:21.285:112) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x8 a2=0x7fa791901000 a3=0x0 items=0 ppid=1367 pid=1384 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(sd-worker) exe=/usr/lib/systemd/systemd-userdbd subj=system_u:system_r:systemd_userdbd_t:s0 key=(null) +type=AVC msg=audit(01/04/2023 06:21:21.285:112) : avc: denied { sys_resource } for pid=1384 comm=(sd-worker) capability=sys_resource scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=1 + +type=PROCTITLE msg=audit(01/04/2023 06:21:23.761:156) : proctitle=systemd-userwork: processing... +type=SYSCALL msg=audit(01/04/2023 06:21:23.761:156) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x9 a2=0x7fcc48186020 a3=0x0 items=0 ppid=1367 pid=1385 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-userwor exe=/usr/lib/systemd/systemd-userwork subj=system_u:system_r:systemd_userdbd_t:s0 key=(null) +type=AVC msg=audit(01/04/2023 06:21:23.761:156) : avc: denied { sys_resource } for pid=1385 comm=systemd-userwor capability=sys_resource scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=1 + +Resolves: rhbz#2166509 +--- + policy/modules/system/systemd.te | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 10b1b2d9b2..7c625074c4 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1461,7 +1461,7 @@ optional_policy(` + # + # systemd_userdbd local policy + # +-allow systemd_userdbd_t self:capability 
dac_read_search; ++allow systemd_userdbd_t self:capability { dac_read_search sys_resource }; + + manage_dirs_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) + manage_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) diff --git a/backport-Allow-systemd_hostnamed-label-run-systemd-as-hostnamed_etc_t.patch b/backport-Allow-systemd_hostnamed-label-run-systemd-as-hostnamed_etc_t.patch new file mode 100644 index 0000000000000000000000000000000000000000..8c45d1372e63da794374f8a8a093211efec493f7 --- /dev/null +++ b/backport-Allow-systemd_hostnamed-label-run-systemd-as-hostnamed_etc_t.patch @@ -0,0 +1,26 @@ +From db58b4d32e06d17dff7a6e2adf3a3164a318fef2 Mon Sep 17 00:00:00 2001 +From: Nikola Knazekova +Date: Fri, 5 Aug 2022 15:46:01 +0200 +Subject: [PATCH] Allow systemd_hostnamed label /run/systemd/* as + hostnamed_etc_t + +Allow systemd_hostnamed_t to create files in /run/systemd/* with label hostnamed_etc_t +Names of these files include hashes. + +Fix: bz#1976684 +--- + policy/modules/system/systemd.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index a9308b8cce..7d490e853c 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -851,6 +851,7 @@ allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms; + manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) + manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) + files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file) ++init_pid_filetrans(systemd_hostnamed_t, hostname_etc_t, file ) + + kernel_dgram_send(systemd_hostnamed_t) + kernel_read_xen_state(systemd_hostnamed_t) 
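Review bot: The rule now grants `sys_resource` to systemd_userdbd_t without a comment, and CAP_SYS_RESOURCE covers far more than the `prctl(PR_SET_MM_ARG_START/END)` calls cited (resource-limit and quota overrides among others). Suggest `# sys_resource: prctl(PR_SET_MM) process title rewriting by the worker processes, rhbz#2166509` above the line. The audit records show `success=yes` only under `permissive=1`; if systemd's process renaming falls back to rewriting argv when PR_SET_MM is refused, a `dontaudit` would be the tighter choice, which is worth confirming before widening the capability set.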
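Review bot: `init_pid_filetrans(systemd_hostnamed_t, hostname_etc_t, file )` has a stray space before the closing parenthesis; the neighbouring `files_etc_filetrans(..., file)` shows the expected form, so `init_pid_filetrans(systemd_hostnamed_t, hostname_etc_t, file)`. Because no file name is given, every file systemd-hostnamed creates directly in the init pid directory will be labelled hostname_etc_t; the commit message explains that the names contain hashes, and a one-line comment to that effect above the rule would keep a later reader from adding a name pattern that breaks the transition.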
diff --git a/backport-Allow-tlp-read-generic-SSL-certificates.patch b/backport-Allow-tlp-read-generic-SSL-certificates.patch
new file mode 100644
index 0000000000000000000000000000000000000000..67b27cf8cfe2115c17b27b1ff13d1e83b6050c55
--- /dev/null
+++ b/backport-Allow-tlp-read-generic-SSL-certificates.patch
@@ -0,0 +1,27 @@
+From 610162346b12f1d34198fb8f435e2426bc28462c Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 22 Dec 2022 12:05:13 +0100
+Subject: [PATCH] Allow tlp read generic SSL certificates
+
+Addresses the following AVC denial and further ones:
+
+type=AVC msg=audit(1659568944.632:728): avc: denied { search } for pid=34604 comm="modinfo" name="pki" dev="dm-1" ino=2490465 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
+
+Resolves: rhbz#2115141
+---
+ policy/modules/contrib/tlp.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/tlp.te b/policy/modules/contrib/tlp.te
+index 38ba44adb9..f73b8bbdcf 100644
+--- a/policy/modules/contrib/tlp.te
++++ b/policy/modules/contrib/tlp.te
+@@ -65,6 +65,8 @@ files_load_kernel_modules(tlp_t)
+ init_status(tlp_t)
+ init_stream_connectto(tlp_t)
+ 
++miscfiles_read_generic_certs(tlp_t)
++
+ modutils_exec_kmod(tlp_t)
+ modutils_read_module_config(tlp_t)
+ modutils_read_module_deps_files(tlp_t)
diff --git a/backport-Allow-tor-get-filesystem-attributes.patch b/backport-Allow-tor-get-filesystem-attributes.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4282a2ea8394c5d2d4e74f76aad2a7c9994a6771
--- /dev/null
+++ b/backport-Allow-tor-get-filesystem-attributes.patch
@@ -0,0 +1,32 @@ +From e485345b572121f09778da9c146cf1bcd22ae0cf Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 12 Sep 2022 17:26:03 +0200 +Subject: [PATCH] Allow tor get filesystem attributes + +In particular, attributes of cgroup filesystems and generic filesystems +with extended attributes. + +Addresses the following AVC denials: + +type=AVC msg=audit(1633585335.809:601): avc: denied { getattr } for pid=1881 comm="tor" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1 +type=AVC msg=audit(1633585335.809:602): avc: denied { getattr } for pid=1881 comm="tor" name="/" dev="dm-0" ino=256 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 + +Resolves: rhbz#2012006 +--- + policy/modules/contrib/tor.te | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te +index 0dc670b885..ae36c255ca 100644 +--- a/policy/modules/contrib/tor.te ++++ b/policy/modules/contrib/tor.te +@@ -124,6 +124,9 @@ domain_use_interactive_fds(tor_t) + + files_read_etc_runtime_files(tor_t) + ++fs_getattr_cgroup(tor_t) ++fs_getattr_xattr_fs(tor_t) ++ + auth_use_nsswitch(tor_t) + + logging_send_syslog_msg(tor_t) diff --git a/backport-Allow-unconfined-and-sysadm-users-transition-for-root-.gnupg.patch b/backport-Allow-unconfined-and-sysadm-users-transition-for-root-.gnupg.patch new file mode 100644 index 0000000000000000000000000000000000000000..fabc0b2fb194ac407dc51cc0ce7deff56712f0a1 --- /dev/null +++ b/backport-Allow-unconfined-and-sysadm-users-transition-for-root-.gnupg.patch 
@@ -0,0 +1,41 @@ +From 9cc99c46be86915aec6dd7a13c00dfb6117c5c12 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 24 Aug 2022 18:51:14 +0200 +Subject: [PATCH] Allow unconfined and sysadm users transition for /root/.gnupg + +--- + policy/modules/roles/sysadm.te | 5 +++++ + policy/modules/roles/unconfineduser.te | 4 ++++ + 2 files changed, 9 insertions(+) + +diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te +index 529a5146d4..c40f1edb04 100644 +--- a/policy/modules/roles/sysadm.te ++++ b/policy/modules/roles/sysadm.te +@@ -308,6 +308,11 @@ optional_policy(` + optional_policy(` + gnome_filetrans_fontconfig_home_content(sysadm_t) + ') ++ ++optional_policy(` ++ gpg_filetrans_admin_home_content(sysadm_t) ++') ++ + optional_policy(` + hostname_run(sysadm_t, sysadm_r) + ') +diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te +index e01e515ce3..6ab52d9032 100644 +--- a/policy/modules/roles/unconfineduser.te ++++ b/policy/modules/roles/unconfineduser.te +@@ -152,6 +152,10 @@ optional_policy(` + devicekit_dbus_chat_power(unconfined_t) + ') + ++ optional_policy(` ++ gpg_filetrans_admin_home_content(unconfined_t) ++ ') ++ + optional_policy(` + kpatch_run(unconfined_t,unconfined_r) + ') diff --git a/backport-Allow-vlock-search-the-contents-of-the-dev-pts-directory.patch b/backport-Allow-vlock-search-the-contents-of-the-dev-pts-directory.patch new file mode 100644 index 0000000000000000000000000000000000000000..d3668f9aeeb1c93e16a196ee2af966ad32036779 --- /dev/null +++ b/backport-Allow-vlock-search-the-contents-of-the-dev-pts-directory.patch 
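Review bot: In the unconfineduser.te hunk the added `optional_policy` block appears indented one level deeper than the neighbouring `devicekit_dbus_chat_power` and `kpatch_run` blocks, whose opening lines the context shows at the outer level; if those siblings really are at the same nesting depth, the three added lines should start at column 0 like them, with only `gpg_filetrans_admin_home_content(unconfined_t)` indented. Whitespace is collapsed in this rendering, so this needs checking against the actual file. The sysadm.te hunk is consistent with its neighbours and keeps the gnome/gpg/hostname ordering.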
@@ -0,0 +1,29 @@ +From f5d181f909dc380ede72219ede558ed4052c143f Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 10 Oct 2022 16:47:39 +0200 +Subject: [PATCH] Allow vlock search the contents of the /dev/pts directory + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(08/31/2022 09:28:27.751:867) : proctitle=vlock +type=PATH msg=audit(08/31/2022 09:28:27.751:867) : item=0 name=/dev/pts/1 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(08/31/2022 09:28:27.751:867) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x55b5ce6f0b60 a1=0x7ffdd6518320 a2=0x7ffdd6518320 a3=0x0 items=1 ppid=9040 pid=12550 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=pts1 ses=17 comm=vlock exe=/usr/bin/vlock subj=sysadm_u:sysadm_r:vlock_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(08/31/2022 09:28:27.751:867) : avc: denied { search } for pid=12550 comm=vlock name=/ dev="devpts" ino=1 scontext=sysadm_u:sysadm_r:vlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=0 + +Resolves: rhbz#2122838 +--- + policy/modules/contrib/vlock.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te +index de409cc610..418f2f7ab5 100644 +--- a/policy/modules/contrib/vlock.te ++++ b/policy/modules/contrib/vlock.te +@@ -40,5 +40,7 @@ init_dontaudit_rw_utmp(vlock_t) + + logging_send_syslog_msg(vlock_t) + ++term_search_ptys(vlock_t) ++ + userdom_dontaudit_search_user_home_dirs(vlock_t) + userdom_use_inherited_user_terminals(vlock_t) diff --git a/backport-Allow-winbind-rpcd-get-attributes-of-device-and-pty-.patch b/backport-Allow-winbind-rpcd-get-attributes-of-device-and-pty-.patch new file mode 100644 index 0000000000000000000000000000000000000000..dd6115d1c6669b67d12e2305ca1f18d6df869a38 --- /dev/null 
+++ b/backport-Allow-winbind-rpcd-get-attributes-of-device-and-pty-.patch
@@ -0,0 +1,25 @@
+From 4c7f07ac123d25d9b053fa798067c7ef883fb17b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 15 Nov 2022 14:57:01 +0100
+Subject: [PATCH] Allow winbind-rpcd get attributes of device and pty
+ filesystems
+
+Resolves: rhbz#2107106
+---
+ policy/modules/contrib/samba.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 88fb46b700..1395047b3e 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1203,6 +1203,9 @@ corecmd_exec_bin(winbind_rpcd_t)
+ 
+ corenet_tcp_connect_ipp_port(winbind_rpcd_t)
+ 
++dev_getattr_fs(winbind_rpcd_t)
++
++term_getattr_pty_fs(winbind_rpcd_t)
+ term_use_ptmx(winbind_rpcd_t)
+ 
+ optional_policy(`
diff --git a/backport-Allow-winbind-rpcd-make-a-TCP-connection-to-the-ldap.patch b/backport-Allow-winbind-rpcd-make-a-TCP-connection-to-the-ldap.patch
new file mode 100644
index 0000000000000000000000000000000000000000..98d600e725ebafd42ac2e55b3a4bc3133abbef94
--- /dev/null
+++ b/backport-Allow-winbind-rpcd-make-a-TCP-connection-to-the-ldap.patch
@@ -0,0 +1,29 @@ +From e91d34918bd3e80aefa7236c014a2ad537a74966 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 22 Dec 2022 13:14:35 +0100 +Subject: [PATCH] Allow winbind-rpcd make a TCP connection to the ldap port + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(12/06/2022 12:58:18.767:2236) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=35 --np-helper --debuglevel=2 +type=SOCKADDR msg=audit(12/06/2022 12:58:18.767:2236) : saddr={ saddr_fam=inet laddr=127.0.0.1 lport=389 } +type=SYSCALL msg=audit(12/06/2022 12:58:18.767:2236) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xf a1=0x55f673a4ace0 a2=0x10 a3=0x0 items=0 ppid=1 pid=7080 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null) +type=AVC msg=audit(12/06/2022 12:58:18.767:2236) : avc: denied { name_connect } for pid=7080 comm=samba-dcerpcd dest=389 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0 + +Resolves: rhbz#2152642 +--- + policy/modules/contrib/samba.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te +index 8746918587..6143ea2622 100644 +--- a/policy/modules/contrib/samba.te ++++ b/policy/modules/contrib/samba.te +@@ -1205,6 +1205,7 @@ kernel_read_network_state(winbind_rpcd_t) + corecmd_exec_bin(winbind_rpcd_t) + + corenet_tcp_connect_ipp_port(winbind_rpcd_t) ++corenet_tcp_connect_ldap_port(winbind_rpcd_t) + + dev_getattr_fs(winbind_rpcd_t) + diff --git a/backport-Allow-winbind-rpcd-manage-samba_share_t-files-and-di.patch b/backport-Allow-winbind-rpcd-manage-samba_share_t-files-and-di.patch new file mode 100644 index 0000000000000000000000000000000000000000..4e4df3013d7544186603528fe572389b52707ff2 --- /dev/null 
+++ b/backport-Allow-winbind-rpcd-manage-samba_share_t-files-and-di.patch @@ -0,0 +1,37 @@ +From 9921e239291412f21c98806f2777dba7fce8bbe4 Mon Sep 17 00:00:00 2001 +From: Nikola Knazekova +Date: Thu, 15 Dec 2022 12:07:05 +0100 +Subject: [PATCH] Allow winbind-rpcd manage samba_share_t files and dirs + +Allow winbind connect to init_t unix_stream_socket + +Resolves: rhbz#2150680 +--- + policy/modules/contrib/samba.te | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te +index 1395047b3e..8746918587 100644 +--- a/policy/modules/contrib/samba.te ++++ b/policy/modules/contrib/samba.te +@@ -1185,6 +1185,9 @@ manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_ru + files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file }) + + # access to files of other samba domains ++manage_dirs_pattern(winbind_rpcd_t, samba_share_t, samba_share_t) ++manage_files_pattern(winbind_rpcd_t, samba_share_t, samba_share_t) ++ + manage_dirs_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t) + read_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t) + manage_sock_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t) +@@ -1225,6 +1228,10 @@ optional_policy(` + dirsrv_stream_connect(winbind_rpcd_t) + ') + ++optional_policy(` ++ init_stream_connectto(winbind_rpcd_t) ++') ++ + optional_policy(` + kerberos_read_keytab(winbind_rpcd_t) + kerberos_use(winbind_rpcd_t) diff --git a/backport-Allow-winbind-rpcd-read-and-write-its-key-ring.patch b/backport-Allow-winbind-rpcd-read-and-write-its-key-ring.patch new file mode 100644 index 0000000000000000000000000000000000000000..575f549b35e07ed4212343bca3be71c38cb72ed7 --- /dev/null +++ b/backport-Allow-winbind-rpcd-read-and-write-its-key-ring.patch 
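Review bot: `manage_dirs_pattern`/`manage_files_pattern` give winbind_rpcd_t full create, write and delete rights over every samba_share_t directory and file, and the commit cites no denial showing that more than read access is needed. If the RPC workers only enumerate or read share content, `list_dirs_pattern`/`read_files_pattern` would be the tighter grant, so the write requirement is worth confirming before backporting. The `init_stream_connectto(winbind_rpcd_t)` block in the second hunk is a separate change folded into the same commit, as the description notes.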
@@ -0,0 +1,26 @@
+From d55213e04801baef4979cb38340737d69cb66d0c Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 19 Sep 2022 12:28:38 +0200
+Subject: [PATCH] Allow winbind-rpcd read and write its key ring
+
+Addresses the following AVC denials:
+type=AVC msg=audit(1663577560.480:3619): avc: denied { write } for pid=109517 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1
+type=AVC msg=audit(1663577560.480:3620): avc: denied { read } for pid=109517 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1
+
+Resolves: rhbz#2127854
+---
+ policy/modules/contrib/samba.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index d25bc64f5d..23af3a1304 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1167,6 +1167,7 @@ optional_policy(`
+ #
+ 
+ allow winbind_rpcd_t self:capability { setgid setuid };
++allow winbind_rpcd_t self:key { read write };
+ allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms;
+ allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow winbind_rpcd_t self:unix_stream_socket connectto;
diff --git a/backport-Allow-winbind-rpcd-use-the-terminal-multiplexor.patch b/backport-Allow-winbind-rpcd-use-the-terminal-multiplexor.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8b8422ebb295f1ce207230037f18ef2522a29d4b
--- /dev/null
+++ b/backport-Allow-winbind-rpcd-use-the-terminal-multiplexor.patch
@@ -0,0 +1,30 @@ +From ea6e506843ed60097d84b14dea6945fd4e885fb0 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 11 Nov 2022 14:00:10 +0100 +Subject: [PATCH] Allow winbind-rpcd use the terminal multiplexor + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(07/14/2022 07:07:43.161:380) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=3 --worker-index=0 --debuglevel=0 +type=PATH msg=audit(07/14/2022 07:07:43.161:380) : item=0 name=/dev/ptmx inode=11387 dev=00:06 mode=character,666 ouid=root ogid=tty rdev=05:02 obj=system_u:object_r:ptmx_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(07/14/2022 07:07:43.161:380) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fb1d4cf2a46 a2=O_RDWR|O_NOCTTY a3=0x0 items=1 ppid=6326 pid=6336 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_rpcd_t:s0 key=(null) +type=AVC msg=audit(07/14/2022 07:07:43.161:380) : avc: denied { read write } for pid=6336 comm=rpcd_lsad name=ptmx dev="devtmpfs" ino=11387 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=0 + +Resolves: rhbz#2107106 +--- + policy/modules/contrib/samba.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te +index 2280531046..88fb46b700 100644 +--- a/policy/modules/contrib/samba.te ++++ b/policy/modules/contrib/samba.te +@@ -1203,6 +1203,8 @@ corecmd_exec_bin(winbind_rpcd_t) + + corenet_tcp_connect_ipp_port(winbind_rpcd_t) + ++term_use_ptmx(winbind_rpcd_t) ++ + optional_policy(` + auth_read_passwd(winbind_rpcd_t) + ') 
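Review bot: `term_use_ptmx(winbind_rpcd_t)` lets the RPC workers open the pty multiplexor, and the cited denial shows `rpcd_lsad` opening /dev/ptmx with `O_RDWR|O_NOCTTY`, which is unusual for a non-interactive daemon. The samba code path that needs a pty is not stated anywhere in the hunk; a comment such as `# rpcd_lsad opens /dev/ptmx, rhbz#2107106` above the call would record the evidence, and confirming that code path would tell whether pty allocation is actually required or merely probed at startup.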
diff --git a/backport-Allow-winbind-rpcd-write-to-winbind-pid-files.patch b/backport-Allow-winbind-rpcd-write-to-winbind-pid-files.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5ba54baea49724e35794e16d8cd3e9700b1605e3
--- /dev/null
+++ b/backport-Allow-winbind-rpcd-write-to-winbind-pid-files.patch
@@ -0,0 +1,24 @@
+From 495539633271d0e187e221dec061e122812cb5c2 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 5 Aug 2022 17:30:47 +0200
+Subject: [PATCH] Allow winbind-rpcd write to winbind pid files
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(1658286623.868:2435): avc: denied { write } for pid=6219 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
+---
+ policy/modules/contrib/samba.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index d64ba6e569..82ba1abf64 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1176,6 +1176,7 @@ allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;
+ 
+ read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t)
+ 
++write_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t)
+ write_sock_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t)
+ 
+ manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)
diff --git a/backport-Allow-winbind_rpcd_t-connect-to-self-over-a-unix_str.patch b/backport-Allow-winbind_rpcd_t-connect-to-self-over-a-unix_str.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b3943049d6018e1ea49533246ed62feeb1735654
--- /dev/null
+++ b/backport-Allow-winbind_rpcd_t-connect-to-self-over-a-unix_str.patch
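Review bot: `write_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t)` opens every winbind_var_run_t file for writing, while the cited denial concerns a single file, `samba-dcerpcd.pid`, which is the daemon's own pid file carrying winbind's type. If that file is created in a directory labelled winbind_var_run_t, a named transition, `filetrans_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_rpcd_var_run_t, file, "samba-dcerpcd.pid")`, would give it winbind_rpcd_var_run_t, which the existing `manage_files_pattern` on the following line already covers, and would keep the two daemons' runtime files separated. Whether the pid file lands in that directory is not visible in the hunk and should be checked on a live system before choosing between the two.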
@@ -0,0 +1,29 @@
+From e9ed412d419a865d8a9a396469d1f2bda351f30d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 17 Jun 2022 19:46:05 +0200
+Subject: [PATCH] Allow winbind_rpcd_t connect to self over a
+ unix_stream_socket
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(06/13/2022 04:54:59.247:2004) : proctitle=/usr/libexec/samba/rpcd_classic --configfile=/etc/samba/smb.conf --worker-group=6 --worker-index=0 --debuglevel=10
+type=AVC msg=audit(06/13/2022 04:54:59.247:2004) : avc: denied { connectto } for pid=23402 comm=rpcd_classic path=/run/samba/ncalrpc/np/winreg scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_stream_socket permissive=0
+type=SYSCALL msg=audit(06/13/2022 04:54:59.247:2004) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x10 a1=0x5624dd0ca5d0 a2=0x6e a3=0x7fe7094db260 items=0 ppid=23239 pid=23402 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_classic exe=/usr/libexec/samba/rpcd_classic subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
+
+Resolves: rhbz#2096255
+---
+ policy/modules/contrib/samba.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 7087c37e7a..5e851af84a 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1168,6 +1168,7 @@ optional_policy(`
+ allow winbind_rpcd_t self:capability { setgid setuid };
+ allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms;
+ allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto };
++allow winbind_rpcd_t self:unix_stream_socket connectto;
+ allow winbind_rpcd_t self:udp_socket create_socket_perms;
+ 
+ allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;
diff --git a/backport-Stop-ignoring-standalone-interface-files.patch b/backport-Stop-ignoring-standalone-interface-files.patch new file mode 100644 index 0000000000000000000000000000000000000000..9db026fbe57d58573eb3812bb5813e4ed1483fff --- /dev/null +++ b/backport-Stop-ignoring-standalone-interface-files.patch 
@@ -0,0 +1,52 @@
+From 3a55e3a69bb33261abcd8104d93e0ee83d5da35a Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Wed, 1 Sep 2021 10:06:44 +0200
+Subject: [PATCH] Stop ignoring standalone interface files
+
+Interface files without corresponding .te where ignored, unless the
+module name was specified in modules.conf.
+
+Standalone interface files are useful for backwards compatibility in
+case a policy module removed from this repository.
+
+Signed-off-by: Vit Mojzis
+---
+ Makefile | 4 ++++
+ Rules.modular | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index a9dfef1bc1..4a08bba6fa 100644
+--- a/Makefile
++++ b/Makefile
+@@ -264,6 +264,7 @@ generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in
+ # sort here since it removes duplicates, which can happen
+ # when a generated file is already generated
+ detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te))
++detected_ifs := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.if)) $(generated_if))
+ 
+ modxml := $(addprefix $(tmpdir)/, $(detected_mods:.te=.xml))
+ layerxml := $(sort $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers)))))
+@@ -307,6 +308,9 @@ off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_c
+ # add modules not in modules.conf to the off list
+ off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
+ 
++# all interface files without corresponding .te - backwards compatibility
++standalone_ifs := $(filter-out $(subst .te,.if, $(base_mods) $(mod_mods) $(off_mods)), $(notdir $(detected_ifs)))
++
+ # filesystems to be used in labeling targets
+ filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
+ fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
+diff --git a/Rules.modular b/Rules.modular
+index ad65733e10..258c8b6560 100644
+--- a/Rules.modular
++++ b/Rules.modular
+@@ -4,7 +4,7 @@
+ #
+ 
+ all_modules := $(base_mods) $(mod_mods) $(off_mods)
+-all_interfaces := $(all_modules:.te=.if)
++all_interfaces := $(all_modules:.te=.if) $(standalone_ifs)
+ 
+ base_pkg := $(builddir)base.pp
+ base_fc := $(builddir)base.fc
diff --git a/backport-Update-policy-for-samba-dcerpcd.patch b/backport-Update-policy-for-samba-dcerpcd.patch
new file mode 100644
index 0000000000000000000000000000000000000000..236b1620e9934050c126af08f46f3a15f1e20c9e
--- /dev/null
+++ b/backport-Update-policy-for-samba-dcerpcd.patch
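Review bot: `standalone_ifs` derives the names to exclude with `$(subst .te,.if, ...)`, which rewrites every occurrence of `.te` inside a module name rather than only the suffix; the suffix form already used in this Makefile (`$(detected_mods:.te=.xml)`) is the safer idiom, i.e. `standalone_ifs := $(filter-out $(patsubst %.te,%.if,$(base_mods) $(mod_mods) $(off_mods)), $(notdir $(detected_ifs)))`. Because the Rules.modular hunk appends `$(standalone_ifs)` to `all_interfaces`, every `.if` found in any layer is now compiled in whether or not a module enables it, so an interface file left behind after a module is dropped silently remains callable by all other modules; the commit message presents this as intended, but the comment above the assignment should say so and note the maintenance consequence, e.g. `# standalone .if files (no matching .te) are compiled in for backwards compatibility; remove the .if when a module is intentionally dropped`.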
@@ -0,0 +1,60 @@
+From 044ed83f8ebde938bbc49f6e071a8548ddc8505d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 8 Jun 2022 16:24:15 +0200
+Subject: [PATCH] Update policy for samba-dcerpcd
+
+The initial policy was updated to allow:
+- use sssd and systemd nsswitch modules
+- read kernel network state
+- use dbus
+- manage samba log directories
+- read winbind runtime files
+
+Resolves: rhbz#2083504
+---
+ policy/modules/contrib/samba.te | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 03b49cba42..99cb452f7b 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1019,6 +1019,7 @@ manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var
+ manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
+ manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
+ files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
++files_pid_filetrans(winbind_t, winbind_rpcd_var_run_t, file, "samba-dcerpcd.pid")
+ filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
+ # /run/samba/krb5cc_samba
+ manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
+@@ -1175,9 +1176,12 @@ read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t)
+ 
+ manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)
+ files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
++
++# access to files of other samba domains
+ manage_dirs_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
+ manage_sock_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
+ 
++manage_dirs_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
+ manage_files_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
+ 
+ manage_dirs_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
+@@ -1185,10 +1189,16 @@ manage_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
+ manage_sock_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
+ allow winbind_rpcd_t samba_var_t:file { map } ;
+ 
++kernel_read_network_state(winbind_rpcd_t)
++
+ corecmd_exec_bin(winbind_rpcd_t)
+ 
+ optional_policy(`
+- auth_read_passwd_file(winbind_rpcd_t)
++ auth_read_passwd(winbind_rpcd_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(winbind_rpcd_t)
+ ')
+ 
+ # interactions with smbd_t/winbind_t
diff --git a/backport-Update-samba-dcerpcd-policy-for-kerberos-usage-2.patch b/backport-Update-samba-dcerpcd-policy-for-kerberos-usage-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3e06153347b6e0ca66318fe007357017349f9b16
--- /dev/null
+++ b/backport-Update-samba-dcerpcd-policy-for-kerberos-usage-2.patch
@@ -0,0 +1,37 @@
+From 837f63743214363362334e910dcb06d35cd5cb99 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 27 Jun 2022 17:22:40 +0200
+Subject: [PATCH] Update samba-dcerpcd policy for kerberos usage 2
+
+These additional permissions were added:
+- read kerberos key tables
+- read generic SSL certificates
+
+Resolves: rhbz#2096521
+---
+ policy/modules/contrib/samba.te | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 091e016fd0..4be4401cda 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1208,6 +1208,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ kerberos_read_keytab(winbind_rpcd_t)
+ kerberos_use(winbind_rpcd_t)
+ ')
+ 
+@@ -1215,6 +1216,10 @@ optional_policy(`
+ logging_send_syslog_msg(winbind_rpcd_t)
+ ')
+ 
++optional_policy(`
++ miscfiles_read_generic_certs(winbind_rpcd_t)
++')
++
+ optional_policy(`
+ sssd_read_public_files(winbind_rpcd_t)
+ sssd_stream_connect(winbind_rpcd_t)
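Review bot: The commit message lists `read winbind runtime files`, but no line in the samba.te hunks grants winbind_rpcd_t read access to winbind_var_run_t; the only winbind-runtime change is `files_pid_filetrans(winbind_t, winbind_rpcd_var_run_t, file, "samba-dcerpcd.pid")`, which concerns winbind_t creating the pid file, and the diffstat (11 insertions, 1 deletion) matches the visible lines, so that bullet appears unmatched or mislabelled. Likewise `use sssd and systemd nsswitch modules` seems to be implemented only by the `auth_read_passwd_file` → `auth_read_passwd` swap in the `@@ -1185` hunk; if `auth_read_passwd` wraps the sssd/systemd-userdbd nsswitch access as it does in Fedora's authlogin.if, that is a considerably wider grant than the one-word change suggests and deserves a comment such as `# auth_read_passwd also pulls in sssd/systemd-userdbd nsswitch access`. `manage_dirs_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)` lets the daemon create and delete log directories, not just write logs; a one-line comment naming the operation that needs it would make the grant reviewable later.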
diff --git a/backport-Update-samba-dcerpcd-policy-for-kerberos-usage.patch b/backport-Update-samba-dcerpcd-policy-for-kerberos-usage.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7823b6ac0aefb53c07b1adaa3bfb8fc7189436ed
--- /dev/null
+++ b/backport-Update-samba-dcerpcd-policy-for-kerberos-usage.patch
@@ -0,0 +1,45 @@
+From e6584a21427a408c09781f2c5cf978b0f18db1cc Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 17 Jun 2022 18:34:28 +0200
+Subject: [PATCH] Update samba-dcerpcd policy for kerberos usage
+
+Resolves: rhbz#2096825
+---
+ policy/modules/contrib/samba.te | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 99cb452f7b..7087c37e7a 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1179,6 +1179,7 @@ files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
+ 
+ # access to files of other samba domains
+ manage_dirs_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
++read_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
+ manage_sock_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
+ 
+ manage_dirs_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
+@@ -1201,6 +1202,22 @@ optional_policy(`
+ dbus_system_bus_client(winbind_rpcd_t)
+ ')
+ 
++optional_policy(`
++ dirsrv_stream_connect(winbind_rpcd_t)
++')
++
++optional_policy(`
++ kerberos_use(winbind_rpcd_t)
++')
++
++optional_policy(`
++ logging_send_syslog_msg(winbind_rpcd_t)
++')
++
++optional_policy(`
++ sysnet_read_config(winbind_rpcd_t)
++')
++
+ # interactions with smbd_t/winbind_t
+ allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
+ allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;
diff --git a/backport-Update-tor_bind_all_unreserved_ports-interface.patch b/backport-Update-tor_bind_all_unreserved_ports-interface.patch
new file mode 100644
index 0000000000000000000000000000000000000000..399c93518e727d8ba6270ab40297b97536ffb0e6
--- /dev/null
+++ b/backport-Update-tor_bind_all_unreserved_ports-interface.patch
@@ -0,0 +1,34 @@
+From 5ba29432782295ceaeb0085d0fe9123d7736b0f1 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Mon, 22 Aug 2022 15:43:13 +0200
+Subject: [PATCH] Update tor_bind_all_unreserved_ports interface
+
+When enabled boolean tor_bind_all_unreserved_ports,
+allow tor bind UDP sockets to all ports > 1024.
+
+Fix: bz#2089486
+---
+ policy/modules/contrib/tor.te | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
+index 4b0554c374..0dc670b885 100644
+--- a/policy/modules/contrib/tor.te
++++ b/policy/modules/contrib/tor.te
+@@ -8,7 +8,7 @@ policy_module(tor, 1.9.0)
+ ##
+ ##

+ ## Determine whether tor can bind
+-## tcp sockets to all unreserved ports.
++## tcp and udp sockets to all unreserved ports.
+ ##

+ ##
+ gen_tunable(tor_bind_all_unreserved_ports, false)
+@@ -131,6 +131,7 @@ logging_send_syslog_msg(tor_t)
+ tunable_policy(`tor_bind_all_unreserved_ports',`
+ corenet_sendrecv_all_server_packets(tor_t)
+ corenet_tcp_bind_all_unreserved_ports(tor_t)
++ corenet_udp_bind_all_unreserved_ports(tor_t)
+ ')
+ 
+ tunable_policy(`tor_can_network_relay',`
diff --git a/backport-Update-winbind_rpcd_t.patch b/backport-Update-winbind_rpcd_t.patch
new file mode 100644
index 0000000000000000000000000000000000000000..af5c4a8be253cf9e1eb70cafe316b38f552f4682
--- /dev/null
+++ b/backport-Update-winbind_rpcd_t.patch
@@ -0,0 +1,51 @@
+From 37512b85ed2712a57370c9df57db84b96b3d0f9d Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Wed, 13 Jul 2022 18:12:31 +0200
+Subject: [PATCH] Update winbind_rpcd_t
+
+Allow smbcontrol send winbind_rpcd_t unix_dgram_socket
+Allow winbind_rpcd_t to write winbind_var_run_t sock files
+Allow winbind_rpcd_t connect to winbind_t over unix_stream_socket
+Allow winbind_rpcd_t to connect to systemd-userdbd with a unix socket
+
+Fix: rhbz#2102084
+---
+ policy/modules/contrib/samba.te | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 4be4401cda..61598b8e39 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -745,6 +745,7 @@ allow smbcontrol_t samba_var_t:file map;
+ 
+ allow smbcontrol_t nmbd_t:unix_dgram_socket sendto;
+ allow smbcontrol_t smbd_t:unix_dgram_socket sendto;
++allow smbcontrol_t winbind_rpcd_t:unix_dgram_socket sendto;
+ allow smbcontrol_t winbind_t:unix_dgram_socket sendto;
+ 
+ samba_read_config(smbcontrol_t)
+@@ -1175,6 +1176,8 @@ allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;
+ 
+ read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t)
+ 
++write_sock_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t)
++
+ manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)
+ files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
+ 
+@@ -1229,9 +1232,14 @@ optional_policy(`
+ sysnet_read_config(winbind_rpcd_t)
+ ')
+ 
++optional_policy(`
++ systemd_userdbd_stream_connect(winbind_rpcd_t)
++')
++
+ # interactions with smbd_t/winbind_t
+ allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
+ allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;
++allow winbind_rpcd_t winbind_t:unix_stream_socket connectto;
+ 
+ samba_domtrans_winbind_rpcd(smbd_t)
+ samba_domtrans_winbind_rpcd(winbind_t)
diff --git a/backport-pidof-executed-by-abrt-can-readlink-proc-exe.patch b/backport-pidof-executed-by-abrt-can-readlink-proc-exe.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2fea8c8e40f72ea5c956f32e53b04c7ef09c4e0e
--- /dev/null
+++ b/backport-pidof-executed-by-abrt-can-readlink-proc-exe.patch
@@ -0,0 +1,28 @@
+From 52645b77fe4aeb47f538538097c99aa47adbe2d7 Mon Sep 17 00:00:00 2001
+From: Milos Malik
+Date: Wed, 7 Sep 2022 10:53:07 +0200
+Subject: [PATCH] pidof executed by abrt can readlink /proc/*/exe
+
+At least one of the ABRT addons calls `pidof abrtd` which leads to
+{ sys_ptrace } SELinux denials in cap_userns class.
+
+In order to support the full functionality of ABRT and its addons,
+I believe that SELinux policy should allow this access.
+
+Resolves: BZ#2071586
+---
+ policy/modules/contrib/abrt.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
+index 02a12dfab1..16db11a3c3 100644
+--- a/policy/modules/contrib/abrt.te
++++ b/policy/modules/contrib/abrt.te
+@@ -115,6 +115,7 @@ ifdef(`enable_mcs',`
+ #
+ 
+ allow abrt_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
++allow abrt_t self:cap_userns sys_ptrace;
+ dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };
+ allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+ 
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ebb0670c81f704fdc16c478686c3017e8bd0000d..5493c843a1aa2d10a7f810d735aa7733068f88a1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 35.5
-Release: 16
+Release: 17
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
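Review bot: The new rule `allow abrt_t self:cap_userns sys_ptrace;` grants the capability outright, although the commit message describes the trigger as `pidof abrtd` walking `/proc/*/exe` and hitting entries owned by processes in other user namespaces; `pidof` only needs those readlink() calls to succeed for abrtd's own processes, so `dontaudit abrt_t self:cap_userns sys_ptrace;` would silence the denial without extending abrt's reach into user-namespaced processes, unless ABRT genuinely needs to match such processes (not shown here). If the allow is kept, a one-line comment on the rule stating why the wider grant is required, e.g. `# pidof walks /proc/*/exe of user-namespaced processes (rhbz 2071586)`, would make the decision auditable. Separately and pre-existing, the `dontaudit abrt_t self:capability { ... sys_ptrace }` on the following context line is a no-op for `sys_ptrace`, since the `allow` two lines above already grants it.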
@@ -193,6 +193,85 @@ Patch6123: backport-Allow-init-remount-all-file_type-filesystems.patch
 Patch6124: backport-Allow-xenstored-change-its-hard-resource-limits.patch
 Patch6125: backport-Allow-init-map-its-private-tmp-files.patch
 Patch6126: backport-Allow-sss-daemons-read-write-unnamed-pipes-of-cloud-.patch
+Patch6127: backport-Allow-kpropd-read-network-sysctls.patch
+Patch6128: backport-Allow-cups-lpd-read-network-sysctls.patch
+Patch6129: backport-Allow-keepalived-read-the-contents-of-the-sysfs-filesystem.patch
+Patch6130: backport-Allow-cups-lpd-read-network-sysctls-1.patch
+Patch6131: backport-Allow-systemd_hostnamed-label-run-systemd-as-hostnamed_etc_t.patch
+Patch6132: backport-Allow-networkmanager-to-signal-unconfined-process.patch
+Patch6133: backport-Allow-systemd-modules-load-write-to-dev-kmsg-and-send-a-message-to-syslogd.patch
+Patch6134: backport-Allow-postfix-smtp-and-postfix-virtual-read-kerberos-key-table.patch
+Patch6135: backport-Allow-system_dbusd-ioctl-kernel-with-a-unix-stream-sockets.patch
+Patch6136: backport-Allow-chronyc-read-and-write-generic-pty-type.patch
+Patch6137: backport-Allow-gpg-read-and-write-generic-pty-type.patch
+Patch6138: backport-Add-userdom_view_all_users_keys-interface.patch
+Patch6139: backport-Add-gpg_filetrans_admin_home_content-interface.patch
+Patch6140: backport-Allow-unconfined-and-sysadm-users-transition-for-root-.gnupg.patch
+Patch6141: backport-Update-tor_bind_all_unreserved_ports-interface.patch
+Patch6142: backport-Allow-chronyd-send-and-receive-chronyd-ntp-client-packets.patch
+Patch6143: backport-Allow-systemd-permissions-needed-for-sandboxed-services.patch
+Patch6144: backport-Allow-tor-get-filesystem-attributes.patch
+Patch6145: backport-pidof-executed-by-abrt-can-readlink-proc-exe.patch
+Patch6146: backport-Allow-system_mail-t-read-network-sysctls.patch
+Patch6147: backport-Stop-ignoring-standalone-interface-files.patch
+Patch6148: backport-Allow-sbd-the-sys_ptrace-capability.patch
+Patch6149: backport-Allow-login_userdomain-dbus-chat-with-rhsmcertd.patch
+Patch6150: backport-Allow-pulseaudio-create-gnome-content-.config.patch
+Patch6151: backport-Allow-ftpd-map-ftpd_var_run-files.patch
+Patch6152: backport-Allow-vlock-search-the-contents-of-the-dev-pts-directory.patch
+Patch6153: backport-Allow-aide-to-connect-to-systemd_machined-with-a-unix-socket.patch
+Patch6154: backport-Allow-rotatelogs-read-httpd_log_t-symlinks.patch
+Patch6155: backport-Allow-dirsrv_snmp_t-to-manage-dirsrv_config_t-dirsrv_var_run_t-files.patch
+Patch6156: backport-Allow-fprintd-bpf-capability-to-run-bpf-programs.patch
+Patch6157: backport-Allow-keepalived-bpf-capability-to-run-bpf-programs.patch
+Patch6158: backport-Allow-lldpad-bpf-capability-to-run-bpf-programs.patch
+Patch6159: backport-Allow-pkcs_slotd_t-bpf-capability-to-run-bpf-program.patch
+Patch6160: backport-Allow-netutils-and-traceroute-bpf-capability-to-run-.patch
+Patch6161: backport-Allow-dhcpd-bpf-capability-to-run-bpf-programs.patch
+Patch6162: backport-Add-watch-interfaces.patch
+Patch6163: backport-Add-watch_sb-interfaces.patch
+Patch6164: backport-Add-interface-to-watch-all-filesystems.patch
+Patch6165: backport-Allow-sssd-dbus-chat-with-system-cronjobs.patch
+Patch6166: backport-Allow-systemd-hostnamed-dbus-chat-with-init-scripts.patch
+Patch6167: backport-Add-domain_unix_read_all_semaphores-interface.patch
+Patch6168: backport-Allow-rpc.gssd-read-network-sysctls.patch
+Patch6169: backport-Allow-syslogd-read-network-sysctls.patch
+Patch6170: backport-Allow-systemd-timedated-watch-init-runtime-dir.patch
+Patch6171: backport-Allow-journalctl-relabel-with-var_log_t-and-syslogd_.patch
+Patch6172: backport-Allow-systemd-resolved-watch-tmpfs-directories.patch
+Patch6173: backport-Allow-tlp-read-generic-SSL-certificates.patch
+Patch6174: backport-Allow-apcupsd-dbus-chat-with-systemd-logind.patch
+Patch6175: backport-Allow-systemd-rfkill-the-bpf-capability.patch
+Patch6176: backport-Allow-systemd-userdbd-the-sys_resource-capability.patch
+Patch6177: backport-Allow-systemd-resolved-send-a-datagram-to-journald.patch
+Patch6178: backport-Allow-system_cronjob_t-transition-to-rpm_script_t.patch
+Patch6179: backport-Allow-systemd-coredump-mounton-usr.patch
+Patch6180: backport-Add-journalctl-the-sys_resource-capability.patch
+Patch6181: backport-Allow-logrotate-dbus-chat-with-systemd-hostnamed.patch
+Patch6182: backport-Add-support-for-samba-dcerpcd.patch
+Patch6183: backport-Update-policy-for-samba-dcerpcd.patch
+Patch6184: backport-Update-samba-dcerpcd-policy-for-kerberos-usage.patch
+Patch6185: backport-Allow-winbind_rpcd_t-connect-to-self-over-a-unix_str.patch
+Patch6186: backport-Allow-samba-dcerpcd-work-with-sssd.patch
+Patch6187: backport-Update-samba-dcerpcd-policy-for-kerberos-usage-2.patch
+Patch6188: backport-Update-winbind_rpcd_t.patch
+Patch6189: backport-Allow-samba-bgqd-get-a-printer-list.patch
+Patch6190: backport-Allow-winbind-rpcd-write-to-winbind-pid-files.patch
+Patch6191: backport-Allow-samba-bgqd-to-read-a-printer-list.patch
+Patch6192: backport-Allow-smbd_t-process-noatsecure-permission-for-winbi.patch
+Patch6193: backport-Allow-winbind-rpcd-read-and-write-its-key-ring.patch
+Patch6194: backport-Allow-samba-dcerpcd-use-NSCD-services-over-a-unix-st.patch
+Patch6195: backport-Add-winbind-rpcd-to-samba_enable_home_dirs-boolean.patch
+Patch6196: backport-Allow-winbind-rpcd-use-the-terminal-multiplexor.patch
+Patch6197: backport-Allow-winbind-rpcd-get-attributes-of-device-and-pty-.patch
+Patch6198: backport-Allow-winbind-rpcd-manage-samba_share_t-files-and-di.patch
+Patch6199: backport-Allow-winbind-rpcd-make-a-TCP-connection-to-the-ldap.patch
+Patch6200: backport-Allow-samba-rpcd-work-with-passwords.patch
+Patch6201: backport-Allow-samba-dcerpcd-connect-to-systemd_machined-over.patch
+Patch6202: backport-Allow-rpcd_lsad-setcap-and-use-generic-ptys.patch
+Patch6203: backport-Allow-keepalived-to-set-resource-limits.patch
+Patch6204: backport-Add-the-kernel_read_proc_files-interface.patch
+Patch6205: backport-Allow-pcscd-bpf-capability-to-run-bpf-programs.patch
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -865,6 +944,9 @@ exit 0
 %endif
 %changelog
+* Tue Jun 13 2023 jinlun - 35.5-17
+- backport upstream patches.
+
 * Thu Mar 23 2023 wangjiang - 35.5-16
 - backport patch Allow virt_domain read device sysctls Allow icecast rename its log files
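Review bot: The 79 new `Patch6127`–`Patch6205` declarations only take effect if the `%prep` section applies them, and that section is outside this hunk; if the spec uses explicit `%patch` lines rather than `%autosetup -p1`, each new entry needs a matching application line. Order matters for the samba series, because the `index` lines inside the backports chain on one another (Patch6184's `99cb452f7b..7087c37e7a` feeds Patch6185's `7087c37e7a..5e851af84a`, and Patch6187's `..4be4401cda` feeds Patch6188's `4be4401cda..61598b8e39`), so the declared sequence must be preserved when patches are applied in number order. The changelog entry added in the next hunk, `- backport upstream patches.`, carries no bug references; listing the rhbz/BZ identifiers that the patch headers already name (e.g. rhbz#2096255, rhbz#2083504, BZ#2071586) would make the release traceable.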