diff --git a/Add-initial-policy-for-the-usr-sbin-request-key-help.patch b/Add-initial-policy-for-the-usr-sbin-request-key-help.patch
deleted file mode 100644
index 89a7f1c11cd55d95e25cc9fd9c2a7a39601cbb4e..0000000000000000000000000000000000000000
--- a/Add-initial-policy-for-the-usr-sbin-request-key-help.patch
+++ /dev/null
@@ -1,227 +0,0 @@
-From 3a1ae904dba54474a56815ba7fbf3238fcfe5a46 Mon Sep 17 00:00:00 2001
-From: Ondrej Mosnacek
-Date: Mon, 30 Jan 2023 14:46:50 +0100
-Subject: [PATCH 2/5] Add initial policy for the /usr/sbin/request-key helper
-
-The kernel is hard-coded to call /sbin/request-key to handle requests
-for instantiating keys that are not found in the existing keyrings.
-
-Thus, we need to add a domain for this helper and set up a transition
-into that domain from kernel_t.
-
-request-key dispatches the key requests to further helper programs based
-on the configuration in /etc/request-key.d/*.conf and
-/etc/request-key.conf. Currently, the only known used dispatcher is
-/usr/sbin/nfsidmap, which is set up by the nfs-utils package to handle
-requests for the 'id_resolver' key type. This patch adds the minimal
-policy for this helper that is needed for an NFS mount to succeed.
-
-Policy for other request-key helper programs may need to be added in the
-future. An optional mechanism to allow any possible configuration (e.g.
-by setting up a transition over any file to unconfined_service_t) may be
-also desired. For now let's at least make the one known use case work.
-
-Fixes: 1e8688ea6943 ("Don't make kernel_t an unconfined domain")
-Signed-off-by: Ondrej Mosnacek
---
- policy/modules.conf | 7 +++++
- policy/modules/contrib/keyutils.fc | 1 +
- policy/modules/contrib/keyutils.if | 43 ++++++++++++++++++++++++++++++
- policy/modules/contrib/keyutils.te | 11 ++++++++
- policy/modules/contrib/rpc.fc | 1 +
- policy/modules/contrib/rpc.te | 32 ++++++++++++++++++++++
- policy/modules/kernel/kernel.if | 19 +++++++++++++
- policy/modules/kernel/kernel.te | 4 +++
- 8 files changed, 118 insertions(+)
- create mode 100644 policy/modules/contrib/keyutils.fc
- create mode 100644 policy/modules/contrib/keyutils.if
- create mode 100644 policy/modules/contrib/keyutils.te
-
-diff --git a/policy/modules.conf b/policy/modules.conf
-index 5e0678668..6f63c8cb6 100644
---- a/policy/modules.conf
-+++ b/policy/modules.conf
-@@ -3078,3 +3078,10 @@ rhcd = module
- # wireguard
- #
- wireguard = module
-+
-+# Layer: contrib
-+# Module: keyutils
-+#
-+# keyutils - Linux Key Management Utilities
-+#
-+keyutils = module
-diff --git a/policy/modules/contrib/keyutils.fc b/policy/modules/contrib/keyutils.fc
-new file mode 100644
-index 000000000..78c5f159f
---- /dev/null
-+++ b/policy/modules/contrib/keyutils.fc
-@@ -0,0 +1 @@
-+/usr/sbin/request-key -- gen_context(system_u:object_r:keyutils_request_exec_t,s0)
-diff --git a/policy/modules/contrib/keyutils.if b/policy/modules/contrib/keyutils.if
-new file mode 100644
-index 000000000..06daab988
---- /dev/null
-+++ b/policy/modules/contrib/keyutils.if
-@@ -0,0 +1,43 @@
-+## Linux Key Management Utilities
-+
-+#######################################
-+##
-+## Execute request-key in the keyutils request domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`keyutils_request_domtrans',`
-+ gen_require(`
-+ type keyutils_request_t, keyutils_request_exec_t;
-+ ')
-+
-+ domtrans_pattern($1, keyutils_request_exec_t, keyutils_request_t)
-+')
-+
-+########################################
-+##
-+## Allows to perform key instantiation callout
-+## by transitioning to the specified domain.
-+##
-+##
-+##
-+## The process type entered by request-key.
-+##
-+##
-+##
-+##
-+## The executable type for the entrypoint.
-+##
-+##
-+#
-+interface(`keyutils_request_domtrans_to',`
-+ gen_require(`
-+ type keyutils_request_t;
-+ ')
-+
-+ domtrans_pattern(keyutils_request_t, $2, $1)
-+')
-diff --git a/policy/modules/contrib/keyutils.te b/policy/modules/contrib/keyutils.te
-new file mode 100644
-index 000000000..2ea1d5e38
---- /dev/null
-+++ b/policy/modules/contrib/keyutils.te
-@@ -0,0 +1,11 @@
-+policy_module(keyutils, 1.0)
-+
-+type keyutils_request_exec_t;
-+files_type(keyutils_request_exec_t)
-+
-+type keyutils_request_t;
-+domain_type(keyutils_request_t)
-+domain_entry_file(keyutils_request_t, keyutils_request_exec_t)
-+
-+kernel_view_key(keyutils_request_t)
-+kernel_read_key(keyutils_request_t)
-diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc
-index 3825ef707..06a6c009c 100644
---- a/policy/modules/contrib/rpc.fc
-+++ b/policy/modules/contrib/rpc.fc
-@@ -32,6 +32,7 @@
- /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
- /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
- /usr/sbin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0)
-+/usr/sbin/nfsidmap -- gen_context(system_u:object_r:nfsidmap_exec_t,s0)
-
- #
- # /var
-diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
-index f94cfa5d2..c83492a56 100644
---- a/policy/modules/contrib/rpc.te
-+++ b/policy/modules/contrib/rpc.te
-@@ -434,3 +434,35 @@ optional_policy(`
- optional_policy(`
- xserver_rw_xdm_tmp_files(gssd_t)
- ')
-+
-+########################################
-+#
-+# nfsidmap policy
-+#
-+
-+type nfsidmap_exec_t;
-+files_type(nfsidmap_exec_t)
-+
-+type nfsidmap_t;
-+domain_type(nfsidmap_t)
-+domain_entry_file(nfsidmap_t, nfsidmap_exec_t)
-+
-+allow nfsidmap_t self:key write;
-+allow nfsidmap_t self:netlink_route_socket r_netlink_socket_perms;
-+
-+kernel_setattr_key(nfsidmap_t)
-+
-+sysnet_read_config(nfsidmap_t)
-+
-+optional_policy(`
-+ auth_read_passwd_file(nfsidmap_t)
-+')
-+
-+optional_policy(`
-+ logging_send_syslog_msg(nfsidmap_t)
-+')
-+
-+optional_policy(`
-+ # /etc/request-key.d/id_resolver.conf
-+ keyutils_request_domtrans_to(nfsidmap_t, nfsidmap_exec_t)
-+')
-diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 166586f66..adb71ed3a 100644
---- a/policy/modules/kernel/kernel.if
-+++ b/policy/modules/kernel/kernel.if
-@@ -579,6 +579,25 @@ interface(`kernel_dontaudit_view_key',`
-
- dontaudit $1 kernel_t:key view;
- ')
-+
-+########################################
-+##
-+## Allow to set attributes on the kernel key ring.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`kernel_setattr_key',`
-+ gen_require(`
-+ type kernel_t;
-+ ')
-+
-+ allow $1 kernel_t:key setattr;
-+')
-+
- ########################################
- ##
- ## Allows caller to read the ring buffer.
-diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index f7ac8cd1f..0a27fa7ae 100644
---- a/policy/modules/kernel/kernel.te
-+++ b/policy/modules/kernel/kernel.te
-@@ -410,6 +410,10 @@ optional_policy(`
- kerberos_filetrans_home_content(kernel_t)
- ')
-
-+optional_policy(`
-+ keyutils_request_domtrans(kernel_t)
-+')
-+
- optional_policy(`
- init_dbus_chat(kernel_t)
- init_sigchld(kernel_t)
---
-2.33.0
-
diff --git a/Add-journalctl-the-sys_resource-capability.patch b/Add-journalctl-the-sys_resource-capability.patch
deleted file mode 100644
index dd23d374feae1e50251d683bd4ba05bc11aa3e1e..0000000000000000000000000000000000000000
--- a/Add-journalctl-the-sys_resource-capability.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 4cb741896c440c80ea18a22ff60d4c36c5b0f95b Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 3 Feb 2023 17:20:51 +0100
-Subject: [PATCH 4/5] Add journalctl the sys_resource capability
-
-The journalctl command runs in the journalctl_t domain when executed by
-a confined user (user, staff, sysadm). When is invoked with pager,
-prctl() is called to change the process name.
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(02/02/2023 12:55:12.623:1405) : proctitle=(pager)
-type=SYSCALL msg=audit(02/02/2023 12:55:12.623:1405) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x8 a2=0x7fd1a3f52000 a3=0x0 items=0 ppid=25495 pid=25516 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=39 comm=(pager) exe=/usr/bin/journalctl subj=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null)
-type=AVC msg=audit(02/02/2023 12:55:12.623:1405) : avc: denied { sys_resource } for pid=25516 comm=(pager) capability=sys_resource scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=capability permissive=1
-
-Resolves: rhbz#2136189
---
- policy/modules/contrib/journalctl.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/journalctl.te b/policy/modules/contrib/journalctl.te
-index 5b4329c80..b22b6a713 100644
---- a/policy/modules/contrib/journalctl.te
-+++ b/policy/modules/contrib/journalctl.te
-@@ -18,6 +18,7 @@ role journalctl_roles types journalctl_t;
- #
- # journalctl local policy
- #
-+allow journalctl_t self:capability sys_resource;
- allow journalctl_t self:process { fork setrlimit signal_perms };
-
- allow journalctl_t self:fifo_file manage_fifo_file_perms;
---
-2.33.0
-
diff --git a/Additional-support-for-rpmdb_migrate.patch b/Additional-support-for-rpmdb_migrate.patch
deleted file mode 100644
index ba86f006311e7615e20fc9f46fdc6a6c0925edfb..0000000000000000000000000000000000000000
--- a/Additional-support-for-rpmdb_migrate.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 47fe7d4c98809fcda9dfc8f1fab24cb6f765332c Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 31 Jan 2023 19:12:39 +0100
-Subject: [PATCH 1/5] Additional support for rpmdb_migrate
-
-Since the 3a99b00da4 ("Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t")
-commit, selinux-policy supports the rpmdb-migrate.service which is
-executed after the first boot to a newer Fedora release to migrate the
-rpm database from /var/lib/rpm to /usr/lib/sysimage/rpm.
-Additional permissions started to be required recently.
-
-Resolves: rhbz#2164752
---
- policy/modules/contrib/rpm.te | 21 ++++++++++++++-------
- 1 file changed, 14 insertions(+), 7 deletions(-)
-
-diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
-index 247f1fa7a..cf5539abb 100644
---- a/policy/modules/contrib/rpm.te
-+++ b/policy/modules/contrib/rpm.te
-@@ -260,26 +260,33 @@ optional_policy(`
- # rpmdb local policy
- #
-
--allow rpmdb_t rpm_var_lib_t:file map;
--allow rpmdb_t rpmdb_tmp_t:file map;
-+can_exec(rpmdb_t, rpm_exec_t)
-
- manage_dirs_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
- manage_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
--files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir)
--files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir)
-+read_lnk_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
-+allow rpmdb_t rpm_var_lib_t:file map;
-
- manage_dirs_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t)
- manage_files_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t)
- files_tmp_filetrans(rpmdb_t, rpmdb_tmp_t, { file dir })
-+allow rpmdb_t rpmdb_tmp_t:file map;
-
--term_use_all_inherited_terms(rpmdb_t)
--
--auth_dontaudit_read_passwd(rpmdb_t)
-+corecmd_exec_bin(rpmdb_t)
-+corecmd_exec_shell(rpmdb_t)
-
- files_rw_inherited_non_security_files(rpmdb_t)
-+files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir)
-+files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir)
-
- sysnet_dontaudit_read_config(rpmdb_t)
-
-+term_use_all_inherited_terms(rpmdb_t)
-+
-+optional_policy(`
-+ auth_dontaudit_read_passwd(rpmdb_t)
-+')
-+
- optional_policy(`
- miscfiles_read_generic_certs(rpmdb_t)
- ')
---
-2.33.0
-
diff --git a/Allow-certmonger-read-the-contents-of-the-sysfs-file.patch b/Allow-certmonger-read-the-contents-of-the-sysfs-file.patch
deleted file mode 100644
index 9c1643d4efdc6481e24e4e078cae34bbbb1af193..0000000000000000000000000000000000000000
--- a/Allow-certmonger-read-the-contents-of-the-sysfs-file.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 6651eeac26984ceb7416cb4639891bd59e30c4de Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Tue, 7 Feb 2023 11:04:09 +0100
-Subject: [PATCH 5/5] Allow certmonger read the contents of the sysfs
- filesystem
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(02/07/2023 04:22:50.618:3929) : proctitle=/usr/bin/python3 -I /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
-type=PATH msg=audit(02/07/2023 04:22:50.618:3929) : item=0 name=/sys/devices/system/cpu/possible inode=42 dev=00:15 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
-type=SYSCALL msg=audit(02/07/2023 04:22:50.618:3929) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f9dcfbc79d8 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=25147 pid=25176 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dogtag-ipa-ca-r exe=/usr/bin/python3.11 subj=system_u:system_r:certmonger_t:s0 key=(null)
-type=AVC msg=audit(02/07/2023 04:22:50.618:3929) : avc: denied { open } for pid=25176 comm=dogtag-ipa-ca-r path=/sys/devices/system/cpu/possible dev="sysfs" ino=42 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
---
- policy/modules/contrib/certmonger.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
-index e721254ae..c72f05b44 100644
---- a/policy/modules/contrib/certmonger.te
-+++ b/policy/modules/contrib/certmonger.te
-@@ -82,6 +82,7 @@ corecmd_exec_shell(certmonger_t)
-
- dev_read_rand(certmonger_t)
- dev_read_urand(certmonger_t)
-+dev_read_sysfs(certmonger_t)
-
- domain_use_interactive_fds(certmonger_t)
-
---
-2.33.0
-
diff --git a/Allow-login_pgm-setcap-permission.patch b/Allow-login_pgm-setcap-permission.patch
deleted file mode 100644
index 9a5de525811c547fc601d111cea879e549557300..0000000000000000000000000000000000000000
--- a/Allow-login_pgm-setcap-permission.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 704e79751a2219a7a1e647084be6dbf04e679bf6 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 3 Mar 2023 12:22:12 +0100
-Subject: [PATCH] Allow login_pgm setcap permission
-
-There is a pam_cap module as a part of the libcap package. When a
-capability is added to the login process using pam_cap, the setcap
-permission is required.
-
-Example setup:
-
- echo "cap_dac_read_search exampleuser" > /etc/security/capability.conf
- echo "auth required pam_cap.so" >> /etc/pam.d/postlogin
-
-Addresses the following AVC denial:
-
-type=PROCTITLE msg=audit(03/03/2023 06:30:19.302:505) : proctitle=sshd: exampleuser [priv]
-type=SYSCALL msg=audit(03/03/2023 06:30:19.302:505) : arch=x86_64 syscall=capset success=no exit=EACCES(Permission denied) a0=0x55b8338dc6f4 a1=0x55b8338dc6fc a2=0x55b8338dc6fc a3=0x55b83388d010 items=0 ppid=1350 pid=1357 auid=exampleuser uid=root gid=exampleuser euid=root suid=root fsuid=root egid=exampleuser sgid=exampleuser fsgid=exampleuser tty=(none) ses=7 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
-type=AVC msg=audit(03/03/2023 06:30:19.302:505) : avc: denied { setcap } for pid=1357 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0
-
-Resolves: rhbz#2172541
-Signed-off-by: Huaxin Lu
---
- policy/modules/system/authlogin.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index feabf67ab..2c3628a31 100644
---- a/policy/modules/system/authlogin.te
-+++ b/policy/modules/system/authlogin.te
-@@ -593,7 +593,7 @@ allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms;
- allow login_pgm self:netlink_selinux_socket create_socket_perms;
- allow login_pgm self:capability ipc_lock;
- dontaudit login_pgm self:capability net_admin;
--allow login_pgm self:process setkeycreate;
-+allow login_pgm self:process { setcap setkeycreate };
- allow login_pgm self:key manage_key_perms;
- userdom_manage_all_users_keys(login_pgm)
- allow login_pgm nsswitch_domain:key manage_key_perms;
---
-2.33.0
-
diff --git a/Allow-nm-dispatcher-plugins-read-generic-files-in-pr.patch b/Allow-nm-dispatcher-plugins-read-generic-files-in-pr.patch
deleted file mode 100644
index 15f8f117d2ecf3fd53c68caf948c84b27beb0a80..0000000000000000000000000000000000000000
--- a/Allow-nm-dispatcher-plugins-read-generic-files-in-pr.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 908adc1066c5df1e7d3b3a08f336a218b57c1dc2 Mon Sep 17 00:00:00 2001
-From: Zdenek Pytela
-Date: Fri, 3 Feb 2023 18:15:19 +0100
-Subject: [PATCH 3/5] Allow nm-dispatcher plugins read generic files in /proc
-
-It turns out the systemctl command needs to read /proc/cpuinfo at
-the aarch64 architecture, so the permission was allowed for the
-networkmanager_dispatcher_plugin attribute.
-
-The commit addresses the following AVC denial:
-type=PROCTITLE msg=audit(26.1.2023 15:30:09.970:47) : proctitle=/bin/systemctl --no-block reload iscsi.service
-type=SYSCALL msg=audit(26.1.2023 15:30:09.970:47) : arch=aarch64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0xffff9b8f5170 a2=O_RDONLY a3=0x0 items=0 ppid=1186 pid=1188 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 key=(null)
-type=AVC msg=audit(26.1.2023 15:30:09.970:47) : avc: denied { open } for pid=1188 comm=systemctl path=/proc/cpuinfo dev="proc" ino=4026531987 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
-type=AVC msg=audit(26.1.2023 15:30:09.970:47) : avc: denied { read } for pid=1188 comm=systemctl name=cpuinfo dev="proc" ino=4026531987 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
-
-Resolves: rhbz#2164845
---
- policy/modules/contrib/networkmanager.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
-index 0e3218929..ef77fdb32 100644
---- a/policy/modules/contrib/networkmanager.te
-+++ b/policy/modules/contrib/networkmanager.te
-@@ -584,6 +584,7 @@ manage_files_pattern(NetworkManager_dispatcher_console_t, NetworkManager_dispatc
-
- read_files_pattern(NetworkManager_dispatcher_dnssec_t, NetworkManager_etc_t, NetworkManager_etc_rw_t)
-
-+kernel_read_proc_files(networkmanager_dispatcher_plugin)
- kernel_request_load_module(NetworkManager_dispatcher_ddclient_t)
-
- auth_read_passwd(networkmanager_dispatcher_plugin)
---
-2.33.0
-
diff --git a/Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch b/Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch
index 16d8a4a7c69599e857365b488de07c064d3058f2..895b13126f985f13af4e6b57e41dd6fdafa2baa2 100644
--- a/Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch
+++ b/Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch
@@ -5,15 +5,16 @@ Subject: [PATCH] Revert "Don't allow kernel_t to execute bin_t/usr_t binaries
 without a transition"
 This reverts commit 18c5559222ea3ca3588c8d32c06cddc41b66f688.
+
 ---
- policy/modules/kernel/kernel.te | 12 +++---------
- 1 file changed, 3 insertions(+), 9 deletions(-)
+ policy/modules/kernel/kernel.te | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index f7ac8cd1f..2df33b0ac 100644
+index fc6f5f8..daf0801 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
-@@ -347,16 +347,10 @@ selinux_compute_create_context(kernel_t)
+@@ -351,18 +351,10 @@ selinux_compute_create_context(kernel_t)
  term_use_all_terms(kernel_t)
  term_use_ptmx(kernel_t)
@@ -28,10 +29,13 @@ index f7ac8cd1f..2df33b0ac 100644
 -role system_r types kernel_generic_helper_t;
 -corecmd_bin_entry_type(kernel_generic_helper_t)
 -corecmd_bin_domtrans(kernel_t, kernel_generic_helper_t)
+-
+-allow kernel_generic_helper_t kernel_t:fifo_file read_inherited_fifo_file_perms;
 +# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
 +corecmd_exec_bin(kernel_t)
  domain_use_all_fds(kernel_t)
  domain_signal_all_domains(kernel_t)
 --
-2.25.1
+2.27.0
+
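Review bot: The refreshed revert still carries no rationale for re-granting `corecmd_exec_bin(kernel_t)`; its description gained only a blank line, while the hunk now additionally drops upstream's `allow kernel_generic_helper_t kernel_t:fifo_file read_inherited_fifo_file_perms;` together with the `kernel_generic_helper_t` role, entry-type and domtrans lines visible as context. The effect is that whatever bin_t/usr_t helper the kernel spawns presumably runs in kernel_t itself rather than in the narrower kernel_generic_helper_t, which is a deliberate widening and should state why this distribution needs it and when it can be dropped, e.g. `Carried downstream: <helper> fails when confined to kernel_generic_helper_t; drop once <tracking issue> is resolved.` The only explanatory comment kept, `# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.`, covers the modprobe case and not the general execute-without-transition permission. After a rebuild, `sesearch -A -s kernel_t -c file -p execute_no_trans` would confirm the grant is as narrow as intended. The inner kernel.te hunk starts and ends outside this view, and the shifted offsets (`-347,16` to `-351,18`) show upstream added lines around this spot that the revert now removes.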
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6b91c9de4cb655e16d920f2ac48b36413566a69c..aa545d1ddff3488717973cc4d4a417bb1c0f4a04 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -11,12 +11,12 @@ Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 38.6
-Release: 5
+Version: 38.21
+Release: 1
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
-Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v38.6.tar.gz
+Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v38.21.tar.gz
 # Tool helps during policy development, to expand system m4 macros to raw allow rules
 # Git repo: https://github.com/fedora-selinux/macro-expander.git
@@ -63,12 +63,6 @@ Patch7: add-avc-for-os-1.patch
 Patch8: allow-rpcbind-to-bind-all-port.patch
 Patch9: add-avc-for-systemd-journald.patch
 Patch10: add-avc-for-systemd.patch
-Patch11: Allow-login_pgm-setcap-permission.patch
-Patch12: Additional-support-for-rpmdb_migrate.patch
-Patch13: Add-initial-policy-for-the-usr-sbin-request-key-help.patch
-Patch14: Allow-nm-dispatcher-plugins-read-generic-files-in-pr.patch
-Patch15: Add-journalctl-the-sys_resource-capability.patch
-Patch16: Allow-certmonger-read-the-contents-of-the-sysfs-file.patch
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -748,6 +742,9 @@ exit 0
 %endif
 %changelog
+* Fri Jul 21 2023 jinlun - 38.21-1
+- update version to 38.21
+
 * Wed May 31 2023 luhuaxin - 38.6-5
 - backport some upstream patches
diff --git a/v38.21.tar.gz b/v38.21.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..0badc87abdd5c6e9420693c44ea2dda74c2eb132
Binary files /dev/null and b/v38.21.tar.gz differ
diff --git a/v38.6.tar.gz b/v38.6.tar.gz
deleted file mode 100644
index 8bde637f3157c9c5d23f5170e37db205216c5601..0000000000000000000000000000000000000000
Binary files a/v38.6.tar.gz and /dev/null differ
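Review bot: Patch11 through Patch16 are dropped from the patch list in the same hunk as the bump to v38.21, but the new changelog entry `- update version to 38.21` does not say so, and nothing on this page shows that each of the six deleted backports (upstream commits 3a1ae904, 704e7975, 47fe7d4c, 908adc10, 4cb74189 and 6651eeac per the deleted files) is actually contained in the v38.21 tag. Please check each one against the tag before removing it, since a backport that is not in 38.21 silently disappears from the built policy, and record the result, e.g. `- update version to 38.21; drop Patch11-Patch16, now included upstream`. Patch7–Patch10 and Patch9000/9001 are left untouched while the source tarball changes, so a note that they still apply to 38.21 (the %prep section is outside this hunk) belongs in the commit message as well. The 38.6 tarball is removed and v38.21.tar.gz added as an opaque binary, and no checksum or signature reference appears in the spec hunks shown, so its provenance rests on the Source0 URL alone.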