From c768504bbdb824d2fcb91da6b1daaf742310604d Mon Sep 17 00:00:00 2001
From: zcfsite
Date: Fri, 30 Jun 2023 17:29:07 +0800
Subject: [PATCH] backport upstream patches
(cherry picked from commit 70654a771918878a1e279425907617df5c39a1e2)
---
 ...onyc-read-and-write-generic-pty-type.patch | 26 ++++++++
 ...llow-cups-lpd-read-network-sysctls-1.patch | 23 ++++++++
 ...-Allow-cups-lpd-read-network-sysctls.patch | 26 ++++++++
 ...the-contents-of-the-sysfs-filesystem.patch | 30 ++++++++++
 ...rt-Allow-kpropd-read-network-sysctls.patch | 27 +++++++++
 ...manager-to-signal-unconfined-process.patch | 32 ++++++++++
 ...tfix-virtual-read-kerberos-key-table.patch | 40 +++++++++++++
 ...tl-kernel-with-a-unix-stream-sockets.patch | 59 +++++++++++++++++++
 ...v-kmsg-and-send-a-message-to-syslogd.patch | 31 ++++++++++
 ...label-run-systemd-as-hostnamed_etc_t.patch | 26 ++++++++
 selinux-policy.spec | 15 ++++-
 11 files changed, 334 insertions(+), 1 deletion(-)
 create mode 100644 backport-Allow-chronyc-read-and-write-generic-pty-type.patch
 create mode 100644 backport-Allow-cups-lpd-read-network-sysctls-1.patch
 create mode 100644 backport-Allow-cups-lpd-read-network-sysctls.patch
 create mode 100644 backport-Allow-keepalived-read-the-contents-of-the-sysfs-filesystem.patch
 create mode 100644 backport-Allow-kpropd-read-network-sysctls.patch
 create mode 100644 backport-Allow-networkmanager-to-signal-unconfined-process.patch
 create mode 100644 backport-Allow-postfix-smtp-and-postfix-virtual-read-kerberos-key-table.patch
 create mode 100644 backport-Allow-system_dbusd-ioctl-kernel-with-a-unix-stream-sockets.patch
 create mode 100644 backport-Allow-systemd-modules-load-write-to-dev-kmsg-and-send-a-message-to-syslogd.patch
 create mode 100644 backport-Allow-systemd_hostnamed-label-run-systemd-as-hostnamed_etc_t.patch
diff --git a/backport-Allow-chronyc-read-and-write-generic-pty-type.patch b/backport-Allow-chronyc-read-and-write-generic-pty-type.patch
new file mode 100644
index 0000000..98ed58c
--- /dev/null
+++ b/backport-Allow-chronyc-read-and-write-generic-pty-type.patch
@@ -0,0 +1,26 @@
+From 822a150f673b5d376d077777d0bb41cbd3352c6b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 22 Aug 2022 12:44:49 +0200
+Subject: [PATCH] Allow chronyc read and write generic pty type
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(22.08.2022 11:35:41.535:261) : proctitle=/usr/bin/chronyc sources
+type=EXECVE msg=audit(22.08.2022 11:35:41.535:261) : argc=2 a0=/usr/bin/chronyc a1=sources
+type=SYSCALL msg=audit(22.08.2022 11:35:41.535:261) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffeb8105f8f a1=0x7ffeb81049e8 a2=0x7ffeb8104a00 a3=0x8 items=0 ppid=3294 pid=3295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chronyc exe=/usr/bin/chronyc subj=system_u:system_r:chronyc_t:s0 key=(null)
+type=AVC msg=audit(22.08.2022 11:35:41.535:261) : avc: denied { read write } for pid=3295 comm=chronyc path=/dev/pts/1 dev="devpts" ino=4 scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
+---
+ policy/modules/contrib/chronyd.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
+index 342735bc0c..3c69b3ddd6 100644
+--- a/policy/modules/contrib/chronyd.te
++++ b/policy/modules/contrib/chronyd.te
+@@ -237,3 +237,7 @@ userdom_users_dgram_send(chronyc_t)
+ optional_policy(`
+ nscd_shm_use(chronyc_t)
+ ')
++
++optional_policy(`
++ term_use_generic_ptys(chronyc_t)
++')
diff --git a/backport-Allow-cups-lpd-read-network-sysctls-1.patch b/backport-Allow-cups-lpd-read-network-sysctls-1.patch
new file mode 100644
index 0000000..5791f16
--- /dev/null
+++ b/backport-Allow-cups-lpd-read-network-sysctls-1.patch
@@ -0,0 +1,23 @@
+From 9cb8de3f5d06e2624d728b97ab23d08321b0ad9a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 30 Jun 2022 00:31:16 +0200
+Subject: [PATCH] Allow cups-lpd read network sysctls
+
+Addresses the following AVC denial:
+type=AVC msg=audit(06/29/2022 20:27:06.595:8551) : avc: denied { search } for pid=119379 comm=cups-lpd name=net dev="proc" ino=14928 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
+---
+ policy/modules/contrib/cups.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
+index 4f8958d1e0..34618c2d5d 100644
+--- a/policy/modules/contrib/cups.te
++++ b/policy/modules/contrib/cups.te
+@@ -562,6 +562,7 @@ read_sock_files_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t)
+ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+
+ kernel_read_kernel_sysctls(cupsd_lpd_t)
++kernel_read_net_sysctls(cupsd_lpd_t)
+ kernel_read_system_state(cupsd_lpd_t)
+
+ corenet_all_recvfrom_netlabel(cupsd_lpd_t)
diff --git a/backport-Allow-cups-lpd-read-network-sysctls.patch b/backport-Allow-cups-lpd-read-network-sysctls.patch
new file mode 100644
index 0000000..796835c
--- /dev/null
+++ b/backport-Allow-cups-lpd-read-network-sysctls.patch
@@ -0,0 +1,26 @@
+From 72220928592011263bc7e0ed291f33ca3560283d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 23 Jun 2022 15:34:01 +0200
+Subject: [PATCH] Allow cups-lpd read network sysctls
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(05/18/2022 19:31:33.481:8879) : proctitle=/usr/lib/cups/daemon/cups-lpd
+type=PATH msg=audit(05/18/2022 19:31:33.481:8879) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(05/18/2022 19:31:33.481:8879) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fff5c8c3290 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=124314 auid=unset uid=lp gid=lp euid=lp suid=lp fsuid=lp egid=lp sgid=lp fsgid=lp tty=(none) ses=unset comm=cups-lpd exe=/usr/lib/cups/daemon/cups-lpd subj=system_u:system_r:cupsd_lpd_t:s0 key=(null)
+type=AVC msg=audit(05/18/2022 19:31:33.481:8879) : avc: denied { search } for pid=124314 comm=cups-lpd name=net dev="proc" ino=14920 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
+---
+ policy/modules/contrib/cups.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
+index 622702ddfe..4f8958d1e0 100644
+--- a/policy/modules/contrib/cups.te
++++ b/policy/modules/contrib/cups.te
+@@ -647,6 +647,7 @@ files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { dir file })
+
+ fs_search_auto_mountpoints(cups_pdf_t)
+
++kernel_read_net_sysctls(cups_pdf_t)
+ kernel_read_system_state(cups_pdf_t)
+
+ auth_use_nsswitch(cups_pdf_t)
diff --git a/backport-Allow-keepalived-read-the-contents-of-the-sysfs-filesystem.patch b/backport-Allow-keepalived-read-the-contents-of-the-sysfs-filesystem.patch
new file mode 100644
index 0000000..850d83b
--- /dev/null
+++ b/backport-Allow-keepalived-read-the-contents-of-the-sysfs-filesystem.patch
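Review bot: The policy hunk in this backport edits the cups_pdf_t section of cups.te (context `fs_search_auto_mountpoints(cups_pdf_t)` … `auth_use_nsswitch(cups_pdf_t)`), while the subject and the quoted AVC concern cupsd_lpd_t; the quoted denial is actually resolved by backport-Allow-cups-lpd-read-network-sysctls-1.patch, which adds `kernel_read_net_sysctls(cupsd_lpd_t)`. On its own this patch therefore widens cups_pdf_t with network-sysctl read access for which no denial is cited; if that is an accepted upstream state, a one-line note in the spec's Patch list would spare the next maintainer the same puzzle. The two patches are also order-dependent: this one takes cups.te from 622702ddfe to 4f8958d1e0 and the `-1` patch starts from 4f8958d1e0, so Patch6128 must keep applying before Patch6130.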
@@ -0,0 +1,30 @@
+From f8f11f18a9473614c47b0a35d27f5be11c954e5b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 27 Jun 2022 13:28:39 +0200
+Subject: [PATCH] Allow keepalived read the contents of the sysfs filesystem
+
+Addresses the following AVC denial which is triggered on the keepalived
+service start when it tries to read /sys/devices/system/cpu:
+
+type=PROCTITLE msg=audit(06/17/2022 08:19:59.448:341) : proctitle=/usr/sbin/keepalived --dont-fork -D
+type=PATH msg=audit(06/17/2022 08:19:59.448:341) : item=0 name=/sys/devices/system/cpu inode=39 dev=00:16 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(06/17/2022 08:19:59.448:341) : arch=x86_64 syscall=openat success=yes exit=12 a0=AT_FDCWD a1=0x7ff4be2afc3f a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=4449 pid=4451 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
+type=AVC msg=audit(06/17/2022 08:19:59.448:341) : avc: denied { read } for pid=4451 comm=keepalived name=cpu dev="sysfs" ino=39 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
+
+Resolves: rhbz#2098130
+---
+ policy/modules/contrib/keepalived.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/keepalived.te b/policy/modules/contrib/keepalived.te
+index 8b5ca7171a..0879eeb4ec 100644
+--- a/policy/modules/contrib/keepalived.te
++++ b/policy/modules/contrib/keepalived.te
+@@ -81,6 +81,7 @@ corenet_tcp_connect_squid_port(keepalived_t)
+ domain_read_all_domains_state(keepalived_t)
+ domain_getattr_all_domains(keepalived_t)
+
++dev_read_sysfs(keepalived_t)
+ dev_read_urand(keepalived_t)
+
+ files_dontaudit_mounton_rootfs(keepalived_var_run_t)
diff --git a/backport-Allow-kpropd-read-network-sysctls.patch b/backport-Allow-kpropd-read-network-sysctls.patch
new file mode 100644
index 0000000..83d68fb
--- /dev/null
+++ b/backport-Allow-kpropd-read-network-sysctls.patch
@@ -0,0 +1,27 @@
+From 150db8e78ff23e54c3a54fafaf597dd207518962 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 23 Jun 2022 09:55:35 +0200
+Subject: [PATCH] Allow kpropd read network sysctls
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(06/23/2022 03:46:33.848:845) : proctitle=/usr/sbin/kpropd
+type=PATH msg=audit(06/23/2022 03:46:33.848:845) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 inode=44028 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(06/23/2022 03:46:33.848:845) : cwd=/
+type=SYSCALL msg=audit(06/23/2022 03:46:33.848:845) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffc7e5b8550 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=13730 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kpropd exe=/usr/sbin/kpropd subj=system_u:system_r:kpropd_t:s0 key=(null)
+type=AVC msg=audit(06/23/2022 03:46:33.848:845) : avc: denied { read } for pid=13730 comm=kpropd name=disable_ipv6 dev="proc" ino=44028 scontext=system_u:system_r:kpropd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
+---
+ policy/modules/contrib/kerberos.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
+index b4d3c3e7d4..0eecd224e3 100644
+--- a/policy/modules/contrib/kerberos.te
++++ b/policy/modules/contrib/kerberos.te
+@@ -369,6 +369,7 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+
+ kernel_read_system_state(kpropd_t)
+ kernel_read_network_state(kpropd_t)
++kernel_read_net_sysctls(kpropd_t)
+
+ can_exec(kpropd_t,kpropd_exec_t)
+
diff --git a/backport-Allow-networkmanager-to-signal-unconfined-process.patch b/backport-Allow-networkmanager-to-signal-unconfined-process.patch
new file mode 100644
index 0000000..835fa2d
--- /dev/null
+++ b/backport-Allow-networkmanager-to-signal-unconfined-process.patch
@@ -0,0 +1,32 @@
+From 0e9856f3cd11af60445ccf12cd59d35662a7e9a2 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Mon, 1 Aug 2022 16:08:08 +0200
+Subject: [PATCH] Allow networkmanager to signal unconfined process
+
+During kernel selftests, teamd - running in NetworkManager_t domain, checks if teamd instance is started externally.
+Teamd is a daemon to control a given team network device and when started from command line, it runs in the caller domain - unconfined_t.
+
+time->Fri Apr 8 11:01:16 2022
+type=PROCTITLE msg=audit(1649430076.436:6807): proctitle=2F7573722F62696E2F7465616D64002D6B002D74006C6167
+type=SYSCALL msg=audit(1649430076.436:6807): arch=c000003e syscall=62 success=no exit=-13 a0=1ad7f5 a1=f a2=0 a3=7fbf0f5d6ac0 items=0 ppid=13470 pid=1759420 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="teamd" exe="/usr/bin/teamd" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
+type=AVC msg=audit(1649430076.436:6807): avc: denied { signal } for pid=1759420 comm="teamd" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
+
+Allow NetworkManager_t to send generic signals to the unconfined domain.
+
+Fix: bz#2074414
+---
+ policy/modules/contrib/networkmanager.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
+index a946bc060b..c827f40785 100644
+--- a/policy/modules/contrib/networkmanager.te
++++ b/policy/modules/contrib/networkmanager.te
+@@ -532,6 +532,7 @@ optional_policy(`
+
+ optional_policy(`
+ unconfined_dgram_send(NetworkManager_t)
++ unconfined_signal(NetworkManager_t)
+ ')
+
+
diff --git a/backport-Allow-postfix-smtp-and-postfix-virtual-read-kerberos-key-table.patch b/backport-Allow-postfix-smtp-and-postfix-virtual-read-kerberos-key-table.patch
new file mode 100644
index 0000000..0add081
--- /dev/null
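Review bot: `unconfined_signal(NetworkManager_t)` grants the signal permission towards every process running in unconfined_t, not only towards the externally started teamd that the quoted AVC shows; the message describes the narrow case but the rule is the wide one, and nothing in the hunk records that. The refpolicy interfaces presumably offer no way to single out teamd inside unconfined_t, so the rule may be the only option, but a comment beside it such as `# teamd started from a shell runs as unconfined_t (bz#2074414)` would keep the reason visible in networkmanager.te. The enclosing optional_policy block of the hunk begins before the shown context.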
+++ b/backport-Allow-postfix-smtp-and-postfix-virtual-read-kerberos-key-table.patch
@@ -0,0 +1,40 @@
+From 451140e4c1f0bb6d8df25d18d74e549a83f46e4a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 9 Aug 2022 16:56:21 +0200
+Subject: [PATCH] Allow postfix/smtp and postfix/virtual read kerberos key
+ table
+
+This permission is required when postfix is configured to use virtual
+mailboxes and store data into postgresql database.
+
+Resolves: rhbz#1983308
+---
+ policy/modules/contrib/postfix.te | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
+index 5451023d79..c236828d0e 100644
+--- a/policy/modules/contrib/postfix.te
++++ b/policy/modules/contrib/postfix.te
+@@ -699,6 +699,10 @@ optional_policy(`
+ dspam_stream_connect(postfix_smtp_t)
+ ')
+
++optional_policy(`
++ kerberos_read_keytab(postfix_smtp_t)
++')
++
+ optional_policy(`
+ milter_stream_connect_all(postfix_smtp_t)
+ ')
+@@ -776,6 +780,10 @@ userdom_manage_user_home_dirs(postfix_virtual_t)
+ userdom_manage_user_home_content(postfix_virtual_t)
+ userdom_filetrans_home_content(postfix_virtual_t)
+
++optional_policy(`
++ kerberos_read_keytab(postfix_virtual_t)
++')
++
+ ########################################
+ #
+ # postfix_domain common policy
diff --git a/backport-Allow-system_dbusd-ioctl-kernel-with-a-unix-stream-sockets.patch b/backport-Allow-system_dbusd-ioctl-kernel-with-a-unix-stream-sockets.patch
new file mode 100644
index 0000000..aefd563
--- /dev/null
+++ b/backport-Allow-system_dbusd-ioctl-kernel-with-a-unix-stream-sockets.patch
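Review bot: `kerberos_read_keytab(postfix_smtp_t)` and `kerberos_read_keytab(postfix_virtual_t)` hand the SMTP client and the virtual delivery agent read access to the Kerberos key table, which holds the host's long-term service keys, whereas the message ties the need to one configuration (virtual mailboxes stored in PostgreSQL). Both rules sit in plain optional_policy blocks, so every deployment that has the kerberos module gets the access whether or not it uses that setup; if the backport is kept as is, a comment next to each rule such as `# needed for GSSAPI to the PostgreSQL backend of virtual mailboxes (rhbz#1983308)` would record why two mail agents may read the keytab, and gating the rules behind a tunable would keep the default narrower. The second hunk lands inside the postfix_virtual_t section, which starts before the shown context.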
@@ -0,0 +1,59 @@
+From 6b1b4d1bad371a78c69b399088e167ccdfb646ff Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Mon, 22 Aug 2022 16:01:10 +0200
+Subject: [PATCH] Allow system_dbusd ioctl kernel with a unix stream sockets
+
+Systemd creates and starts to listen on the socket before
+SELinux policy is loaded and it inherits the kernel secid as its label.
+
+Allow system_dbusd ioctl kernel with a unix stream sockets
+Create interface to allow the specified domain to ioctl a kernel with a unix domain stream sockets.
+
+Fix: bz#2085392
+---
+ policy/modules/contrib/dbus.te | 1 +
+ policy/modules/kernel/kernel.if | 19 +++++++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
+index a0f5679d61..eadbbab2a7 100644
+--- a/policy/modules/contrib/dbus.te
++++ b/policy/modules/contrib/dbus.te
+@@ -94,6 +94,7 @@ manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_ru
+ manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+ files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
+
++kernel_ioctl_stream_sockets(system_dbusd_t)
+ kernel_read_system_state(system_dbusd_t)
+ kernel_read_kernel_sysctls(system_dbusd_t)
+ kernel_stream_connect(system_dbusd_t)
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 76613d1967..253b542688 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -3738,6 +3738,25 @@ interface(`kernel_rw_stream_socket_perms',`
+ allow $1 kernel_t:fd use;
+ ')
+
++#######################################
++##
++## Allow the specified domain to ioctl a
++## kernel with a unix domain stream sockets.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_ioctl_stream_sockets',`
++ gen_require(`
++ type init_t;
++ ')
++
++ allow $1 kernel_t:unix_stream_socket { getopt ioctl };
++')
++
+ ########################################
+ ##
+ ## Make the specified type usable for regular entries in proc
diff --git a/backport-Allow-systemd-modules-load-write-to-dev-kmsg-and-send-a-message-to-syslogd.patch b/backport-Allow-systemd-modules-load-write-to-dev-kmsg-and-send-a-message-to-syslogd.patch
new file mode 100644
index 0000000..9edab5d
--- /dev/null
+++ b/backport-Allow-systemd-modules-load-write-to-dev-kmsg-and-send-a-message-to-syslogd.patch
@@ -0,0 +1,31 @@
+From 5e6b688ea15f842e1d048828a0296c5eea3e26f0 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Tue, 9 Aug 2022 11:11:34 +0200
+Subject: [PATCH] Allow systemd-modules-load write to /dev/kmsg and send a
+ message to syslogd
+
+Allow systemd_modules_load_t, early boot service that loads kernel modules,
+write to the kernel messages device and send a message to syslogd over a unix domain datagram socket.
+
+Fix: bz#2088257
+---
+ policy/modules/system/systemd.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 7d490e853c..9440943375 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1259,9 +1259,12 @@ corecmd_exec_bin(systemd_modules_load_t)
+ corecmd_exec_shell(systemd_modules_load_t)
+
+ dev_read_sysfs(systemd_modules_load_t)
++dev_write_kmsg(systemd_modules_load_t)
+
+ init_read_pid_files(systemd_modules_load_t)
+
++logging_dgram_send(systemd_modules_load_t)
++
+ files_map_kernel_modules(systemd_modules_load_t)
+ files_read_kernel_modules(systemd_modules_load_t)
+
diff --git a/backport-Allow-systemd_hostnamed-label-run-systemd-as-hostnamed_etc_t.patch b/backport-Allow-systemd_hostnamed-label-run-systemd-as-hostnamed_etc_t.patch
new file mode 100644
index 0000000..8c45d13
--- /dev/null
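Review bot: The new kernel_ioctl_stream_sockets interface requires `type init_t;` but its only rule references kernel_t (`allow $1 kernel_t:unix_stream_socket { getopt ioctl };`), so the gen_require names the wrong type; it should read `type kernel_t;`, consistent with the neighbouring kernel_rw_stream_socket_perms whose context line `allow $1 kernel_t:fd use;` uses kernel_t. It presumably builds today only because kernel_t is declared by the same module that owns kernel.if, and the stray init_t requirement adds an unrelated dependency for every caller. Separately, the name and summary advertise ioctl while the rule also grants getopt; either name the interface after both permissions or mention getopt in the summary so the documentation matches the rule.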
+++ b/backport-Allow-systemd_hostnamed-label-run-systemd-as-hostnamed_etc_t.patch
@@ -0,0 +1,26 @@
+From db58b4d32e06d17dff7a6e2adf3a3164a318fef2 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Fri, 5 Aug 2022 15:46:01 +0200
+Subject: [PATCH] Allow systemd_hostnamed label /run/systemd/* as
+ hostnamed_etc_t
+Allow systemd_hostnamed_t to create files in /run/systemd/* with label hostnamed_etc_t
+Names of these files include hashes.
+Fix: bz#1976684
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index a9308b8cce..7d490e853c 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -851,6 +851,7 @@ allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms;
+ manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
+ manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
+ files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file)
++init_pid_filetrans(systemd_hostnamed_t, hostname_etc_t, file )
+
+ kernel_dgram_send(systemd_hostnamed_t)
+ kernel_read_xen_state(systemd_hostnamed_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bf56037..910ec17 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 35.5
-Release: 18
+Release: 19
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
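Review bot: `init_pid_filetrans(systemd_hostnamed_t, hostname_etc_t, file )` carries a stray space before the closing parenthesis, unlike the `files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file)` line just above it; the backport should carry the line as `init_pid_filetrans(systemd_hostnamed_t, hostname_etc_t, file)`. The subject, the description and the patch file name all call the type hostnamed_etc_t, while the rule and its context lines use hostname_etc_t, which will mislead anyone grepping the policy for the name given in the spec. The transition also names no filename filter, so it presumably applies to every file systemd_hostnamed_t creates in the init pid directory, not only the hashed-name files the message mentions; that is worth a comment on the rule.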
@@ -193,6 +193,16 @@ Patch6123: backport-Allow-init-remount-all-file_type-filesystems.patch
 Patch6124: backport-Allow-xenstored-change-its-hard-resource-limits.patch
 Patch6125: backport-Allow-init-map-its-private-tmp-files.patch
 Patch6126: backport-Allow-sss-daemons-read-write-unnamed-pipes-of-cloud-.patch
+Patch6127: backport-Allow-kpropd-read-network-sysctls.patch
+Patch6128: backport-Allow-cups-lpd-read-network-sysctls.patch
+Patch6129: backport-Allow-keepalived-read-the-contents-of-the-sysfs-filesystem.patch
+Patch6130: backport-Allow-cups-lpd-read-network-sysctls-1.patch
+Patch6131: backport-Allow-systemd_hostnamed-label-run-systemd-as-hostnamed_etc_t.patch
+Patch6132: backport-Allow-networkmanager-to-signal-unconfined-process.patch
+Patch6133: backport-Allow-systemd-modules-load-write-to-dev-kmsg-and-send-a-message-to-syslogd.patch
+Patch6134: backport-Allow-postfix-smtp-and-postfix-virtual-read-kerberos-key-table.patch
+Patch6135: backport-Allow-system_dbusd-ioctl-kernel-with-a-unix-stream-sockets.patch
+Patch6136: backport-Allow-chronyc-read-and-write-generic-pty-type.patch
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -869,6 +879,9 @@ exit 0
 %endif
 %changelog
+* Fri Jun 30 2023 zcfsite - 35.5-19
+- backport upstream patches
+
 * Thu Jun 08 2023 jinlun - 35.5-18
 - allow init_t create fifo file in net_conf dir.
--
Gitee
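Review bot: Patch6128 (`backport-Allow-cups-lpd-read-network-sysctls.patch`) and Patch6130 (`backport-Allow-cups-lpd-read-network-sysctls-1.patch`) share one subject and differ only by the `-1` suffix, yet they patch different domains and the second applies only on top of the first (its cups.te preimage is the first one's postimage, 4f8958d1e0). Nothing in the spec says so; a comment such as `# Patch6130 must follow Patch6128: same cups.te, chained blob ids` beside the two entries would protect the order from a later renumbering. The changelog entry `- backport upstream patches` could also list the bug ids the patches carry so the Release bump stays traceable.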