diff --git a/backport-Add-gpg_filetrans_admin_home_content-interface.patch b/backport-Add-gpg_filetrans_admin_home_content-interface.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2ed0fd7f4080f61a9c1f55478b822148f9e886ab
--- /dev/null
+++ b/backport-Add-gpg_filetrans_admin_home_content-interface.patch
@@ -0,0 +1,38 @@
+From 1137f639bb3cb0b7257ffe8348abbd93882ce37b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 24 Aug 2022 18:49:25 +0200
+Subject: [PATCH] Add gpg_filetrans_admin_home_content() interface
+
+---
+ policy/modules/contrib/gpg.if | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
+index 55fbfd996e..6e5aa43576 100644
+--- a/policy/modules/contrib/gpg.if
++++ b/policy/modules/contrib/gpg.if
+@@ -281,6 +281,24 @@ interface(`gpg_filetrans_home_content',`
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+ ')
+ 
++########################################
++##
++## Transition to gpg named admin home content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gpg_filetrans_admin_home_content',`
++ gen_require(`
++ type gpg_secret_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
++')
++
+ ########################################
+ ##
+ ## Connected to gpg_agent_t unix stream socket.
diff --git a/backport-Add-userdom_view_all_users_keys-interface.patch b/backport-Add-userdom_view_all_users_keys-interface.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f5bd6a62a26736fe27fb1124fb3c819a8b5ee2db
--- /dev/null
+++ b/backport-Add-userdom_view_all_users_keys-interface.patch
@@ -0,0 +1,38 @@
+From e37087d58b6422d0d90e321d9172cf396186fa46 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 24 Aug 2022 15:47:25 +0200
+Subject: [PATCH] Add userdom_view_all_users_keys() interface
+
+---
+ policy/modules/system/userdomain.if | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index 97c27a957a..d23f2ce305 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -4811,6 +4811,24 @@ interface(`userdom_read_all_users_keys',`
+ allow $1 userdomain:key read;
+ ')
+ 
++########################################
++##
++## View keys for all user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_view_all_users_keys',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:key view;
++')
++
+ ########################################
+ ##
+ ## Write keys for all user domains.
diff --git a/backport-Allow-aide-to-connect-to-systemd_machined-with-a-unix-socket.patch b/backport-Allow-aide-to-connect-to-systemd_machined-with-a-unix-socket.patch
new file mode 100644
index 0000000000000000000000000000000000000000..eb6fcbbb62ee8c7f19547e9d7159f852e8096d36
--- /dev/null
+++ b/backport-Allow-aide-to-connect-to-systemd_machined-with-a-unix-socket.patch
@@ -0,0 +1,22 @@
+From 63ba7c49db91e64e2a37c4d4c58959dd2d9c1c89 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Mon, 10 Oct 2022 11:45:30 +0200
+Subject: [PATCH] Allow aide to connect to systemd_machined with a unix socket.
+
+Resolves: bz#2062936
+---
+ policy/modules/contrib/aide.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/aide.te b/policy/modules/contrib/aide.te
+index 05ae4ad2ed..670aa96f8b 100644
+--- a/policy/modules/contrib/aide.te
++++ b/policy/modules/contrib/aide.te
+@@ -64,6 +64,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ systemd_machined_stream_connect(aide_t)
+ systemd_userdbd_stream_connect(aide_t)
+ ')
+ 
diff --git a/backport-Allow-chronyd-send-and-receive-chronyd-ntp-client-packets.patch b/backport-Allow-chronyd-send-and-receive-chronyd-ntp-client-packets.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e0a9275e5bd9d21c5202baf42ac6bffffc2c536a
--- /dev/null
+++ b/backport-Allow-chronyd-send-and-receive-chronyd-ntp-client-packets.patch
@@ -0,0 +1,35 @@
+From b876228279a2e75b59a180ee876956aebb167376 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 22 Aug 2022 10:41:49 +0200
+Subject: [PATCH] Allow chronyd send and receive chronyd/ntp client packets
+
+These permissions are required when packets tagging following
+/usr/share/doc/nftables/examples/secmark.nft is enabled.
+
+Addresses the following AVC denial:
+type=AVC msg=audit(1661030515.019:1079): avc: denied { send } for pid=973 comm="chronyd" saddr=10.224.122.55 src=51686 daddr=10.25.28.124 dest=123 netif=eth0 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:ntp_client_packet_t:s0 tclass=packet permissive=0
+
+and a similar one for chronyd_client_packet_t.
+
+Resolves: rhbz#2120016
+---
+ policy/modules/contrib/chronyd.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
+index 165e311002..16ce14d97b 100644
+--- a/policy/modules/contrib/chronyd.te
++++ b/policy/modules/contrib/chronyd.te
+@@ -106,10 +106,12 @@ corenet_udp_sendrecv_generic_node(chronyd_t)
+ corenet_udp_bind_generic_node(chronyd_t)
+ 
+ corenet_sendrecv_ntp_server_packets(chronyd_t)
++corenet_sendrecv_ntp_client_packets(chronyd_t)
+ corenet_udp_bind_ntp_port(chronyd_t)
+ corenet_udp_sendrecv_ntp_port(chronyd_t)
+ 
+ corenet_sendrecv_chronyd_server_packets(chronyd_t)
++corenet_sendrecv_chronyd_client_packets(chronyd_t)
+ corenet_udp_bind_chronyd_port(chronyd_t)
+ corenet_udp_sendrecv_chronyd_port(chronyd_t)
+ 
diff --git a/backport-Allow-dhcpd-bpf-capability-to-run-bpf-programs.patch b/backport-Allow-dhcpd-bpf-capability-to-run-bpf-programs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6c6f3664421d0a9cc34967a57079d9136eefe792
--- /dev/null
+++ b/backport-Allow-dhcpd-bpf-capability-to-run-bpf-programs.patch
@@ -0,0 +1,22 @@
+From 193883f3bcfb64143f5ae6754021d0f4d7bfa16d Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 27 Oct 2022 15:06:35 +0200
+Subject: [PATCH] Allow dhcpd bpf capability to run bpf programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/contrib/dhcp.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
+index dab0abe4cb..67c865926b 100644
+--- a/policy/modules/contrib/dhcp.te
++++ b/policy/modules/contrib/dhcp.te
+@@ -39,6 +39,7 @@ files_pid_file(dhcpd_var_run_t)
+ 
+ allow dhcpd_t self:capability { chown dac_read_search dac_override fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource };
+ dontaudit dhcpd_t self:capability { net_admin sys_admin sys_tty_config };
++allow dhcpd_t self:capability2 bpf;
+ allow dhcpd_t self:process { getcap setcap signal_perms };
+ allow dhcpd_t self:fifo_file rw_fifo_file_perms;
+ allow dhcpd_t self:tcp_socket { accept listen };
diff --git a/backport-Allow-dirsrv_snmp_t-to-manage-dirsrv_config_t-dirsrv_var_run_t-files.patch b/backport-Allow-dirsrv_snmp_t-to-manage-dirsrv_config_t-dirsrv_var_run_t-files.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bdc09ea3ee735d5b57a313f04988c60dfc162b05
--- /dev/null
+++ b/backport-Allow-dirsrv_snmp_t-to-manage-dirsrv_config_t-dirsrv_var_run_t-files.patch
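Review bot: The new `allow dhcpd_t self:capability2 bpf;` rule grants the daemon the right to load and attach BPF programs, which is wider than the socket-filter use the subject line implies; the same rule is added in the fprintd, keepalived, lldpad, netutils/traceroute and pkcs_slotd hunks that follow, all citing rhbz#2134827. On recent kernels the `bpf` capability is also consulted on non-fatal paths (for example when deciding whether to apply JIT hardening to a classic socket filter), so the AVC can be logged although the operation succeeded; if that is what the bug reports, `dontaudit dhcpd_t self:capability2 bpf;` removes the noise without widening any of these domains. I would confirm from the denial that the call actually fails with `permissive=0` before keeping `allow`, and record that reasoning in the commit message, which currently gives only the bug id.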
@@ -0,0 +1,29 @@
+From 8479a8400fe1b7583814356e74e9cf1c35da1dd9 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 27 Oct 2022 16:34:31 +0200
+Subject: [PATCH] Allow dirsrv_snmp_t to manage dirsrv_config_t &
+ dirsrv_var_run_t files
+
+Allow LDAP-agent to manage files in directories /etc/dirsrv/ and /var/run/dirsrv.
+
+Resolves: rhbz#2042515
+---
+ policy/modules/contrib/dirsrv.te | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/policy/modules/contrib/dirsrv.te b/policy/modules/contrib/dirsrv.te
+index feeea4467f..9865382c87 100644
+--- a/policy/modules/contrib/dirsrv.te
++++ b/policy/modules/contrib/dirsrv.te
+@@ -189,9 +189,9 @@ allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
+ 
+ rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+ 
+-read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
++manage_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+ 
+-read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
++manage_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
+ 
+ manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
+ files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
diff --git a/backport-Allow-fprintd-bpf-capability-to-run-bpf-programs.patch b/backport-Allow-fprintd-bpf-capability-to-run-bpf-programs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fbee3ef7fba1a7f1ff545f8dd64f527b2789d942
--- /dev/null
+++ b/backport-Allow-fprintd-bpf-capability-to-run-bpf-programs.patch
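Review bot: Replacing `read_files_pattern` with `manage_files_pattern` for dirsrv_config_t gives dirsrv_snmp_t create, write, rename and unlink on every file carrying that label, i.e. the whole directory-server configuration under /etc/dirsrv, not just the agent's own state. If the subagent writes a single file there, a dedicated type with a file transition, or `rw_files_pattern` where in-place writes suffice, would stop an SNMP-facing process from being able to rewrite the server's configuration. The commit message names the directories but not the files or operations that were denied; adding the AVC would let the scope of the grant be checked against it.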
@@ -0,0 +1,23 @@
+From d3a62f953b580565068ada2f73968ccaaab80a7f Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 27 Oct 2022 14:04:55 +0200
+Subject: [PATCH] Allow fprintd bpf capability to run bpf programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/contrib/fprintd.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/fprintd.te b/policy/modules/contrib/fprintd.te
+index 7826990a3d..7a48e69eb4 100644
+--- a/policy/modules/contrib/fprintd.te
++++ b/policy/modules/contrib/fprintd.te
+@@ -22,7 +22,7 @@ files_tmp_file(fprintd_tmp_t)
+ #
+ 
+ allow fprintd_t self:capability { sys_admin sys_nice };
+-allow fprintd_t self:capability2 wake_alarm;
++allow fprintd_t self:capability2 { bpf wake_alarm };
+ allow fprintd_t self:process { getsched setsched signal sigkill };
+ allow fprintd_t self:fifo_file rw_fifo_file_perms;
+ allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;
diff --git a/backport-Allow-ftpd-map-ftpd_var_run-files.patch b/backport-Allow-ftpd-map-ftpd_var_run-files.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e805591659c683028fbb830c7e8d276207055573
--- /dev/null
+++ b/backport-Allow-ftpd-map-ftpd_var_run-files.patch
@@ -0,0 +1,22 @@
+From 58294166420c372e9788b9c0308b1240dbad0c60 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 6 Oct 2022 18:30:58 +0200
+Subject: [PATCH] Allow ftpd map ftpd_var_run files
+
+Resolves: bz#2124943
+---
+ policy/modules/contrib/ftp.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
+index ad80f16496..5edd00839f 100644
+--- a/policy/modules/contrib/ftp.te
++++ b/policy/modules/contrib/ftp.te
+@@ -161,6 +161,7 @@ manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+ manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
+ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+ 
++allow ftpd_t ftpd_var_run_t:file map;
+ manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+ manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
+ manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
diff --git a/backport-Allow-gpg-read-and-write-generic-pty-type.patch b/backport-Allow-gpg-read-and-write-generic-pty-type.patch
new file mode 100644
index 0000000000000000000000000000000000000000..674e02e08883223c1849e0be4655ae4563526471
--- /dev/null
+++ b/backport-Allow-gpg-read-and-write-generic-pty-type.patch
@@ -0,0 +1,21 @@
+From 0df5ce75a40e9bfe51995d7b11dd9441c9061a1f Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 24 Aug 2022 13:49:23 +0200
+Subject: [PATCH] Allow gpg read and write generic pty type
+
+---
+ policy/modules/contrib/gpg.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
+index 7f96408265..24ce9b7915 100644
+--- a/policy/modules/contrib/gpg.te
++++ b/policy/modules/contrib/gpg.te
+@@ -156,6 +156,7 @@ logging_send_syslog_msg(gpg_t)
+ miscfiles_map_generic_certs(gpg_t)
+ 
+ term_search_ptys(gpg_t)
++term_use_generic_ptys(gpg_t)
+ 
+ userdom_use_inherited_user_terminals(gpg_t)
+ # sign/encrypt user files
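Review bot: `term_use_generic_ptys(gpg_t)` lets gpg read and write pseudo-terminals that still carry the generic devpts label rather than a user's own pty type, and unlike every other backport in this series the commit message for it cites neither a denial nor a use case. Since gpg already has `userdom_use_inherited_user_terminals` on the next context line, the new grant presumably covers ptys that were never relabeled to a user type; I would add the AVC being addressed to the description so that the reason for reaching unlabeled terminals is on record. The ftpd hunk sharing this line looks fine as is.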
diff --git a/backport-Allow-keepalived-bpf-capability-to-run-bpf-programs.patch b/backport-Allow-keepalived-bpf-capability-to-run-bpf-programs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1472a499b5c764adb98274a15590f04e61c84c90
--- /dev/null
+++ b/backport-Allow-keepalived-bpf-capability-to-run-bpf-programs.patch
@@ -0,0 +1,22 @@
+From f7ee387e69162a3e82cb328d42e6e308aa1ad752 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 27 Oct 2022 14:21:32 +0200
+Subject: [PATCH] Allow keepalived bpf capability to run bpf programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/contrib/keepalived.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/keepalived.te b/policy/modules/contrib/keepalived.te
+index 0879eeb4ec..ff0b498188 100644
+--- a/policy/modules/contrib/keepalived.te
++++ b/policy/modules/contrib/keepalived.te
+@@ -38,6 +38,7 @@ files_tmpfs_file(keepalived_tmpfs_t)
+ #
+ 
+ allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setuid setgid sys_admin sys_nice sys_ptrace };
++allow keepalived_t self:capability2 bpf;
+ allow keepalived_t self:process { signal_perms getpgid setpgid setsched };
+ allow keepalived_t self:icmp_socket create_socket_perms;
+ allow keepalived_t self:netlink_socket create_socket_perms;
diff --git a/backport-Allow-lldpad-bpf-capability-to-run-bpf-programs.patch b/backport-Allow-lldpad-bpf-capability-to-run-bpf-programs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d38b9e1cb2eaa60971c080e68747bb88ed4ec778
--- /dev/null
+++ b/backport-Allow-lldpad-bpf-capability-to-run-bpf-programs.patch
@@ -0,0 +1,22 @@
+From d9ae9be30d67166caf9c5d6d3e0757317e5b49b9 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 27 Oct 2022 14:22:31 +0200
+Subject: [PATCH] Allow lldpad bpf capability to run bpf programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/contrib/lldpad.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
+index 075893cb9d..ffe3796484 100644
+--- a/policy/modules/contrib/lldpad.te
++++ b/policy/modules/contrib/lldpad.te
+@@ -27,6 +27,7 @@ systemd_mount_dir(lldpad_var_run_t)
+ #
+ allow lldpad_t self:capability { chown dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot sys_resource };
+ dontaudit lldpad_t self:capability { sys_admin };
++allow lldpad_t self:capability2 bpf;
+ allow lldpad_t self:shm create_shm_perms;
+ allow lldpad_t self:fifo_file rw_fifo_file_perms;
+ allow lldpad_t self:unix_stream_socket { accept connectto listen };
diff --git a/backport-Allow-login_userdomain-dbus-chat-with-rhsmcertd.patch b/backport-Allow-login_userdomain-dbus-chat-with-rhsmcertd.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2ad5673c9aea5bcfa16711aca4313dc65ec4bf84
--- /dev/null
+++ b/backport-Allow-login_userdomain-dbus-chat-with-rhsmcertd.patch
@@ -0,0 +1,28 @@
+From 14a208a78ed843964f8f79903d130760aa7a9a4e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 5 Oct 2022 19:53:23 +0200
+Subject: [PATCH] Allow login_userdomain dbus chat with rhsmcertd
+
+Addresses the following USER_AVC denial:
+type=USER_AVC msg=audit(1662423125.839:301): pid=896 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.RHSM1.Config member=GetAll dest=:1.386 spid=4090 tpid=2540 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
+
+Resolves: rhbz#2124388
+---
+ policy/modules/system/userdomain.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 6502db7bf0..4f63e6f662 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -448,6 +448,10 @@ optional_policy(`
+ pkcs_tmpfs_named_filetrans(login_userdomain)
+ ')
+ 
++optional_policy(`
++ rhsmcertd_dbus_chat(login_userdomain)
++')
++
+ optional_policy(`
+ rpc_watch_exports(login_userdomain)
+ ')
diff --git a/backport-Allow-netutils-and-traceroute-bpf-capability-to-run-.patch b/backport-Allow-netutils-and-traceroute-bpf-capability-to-run-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1eba5850602b28285d8f3ce665d11ab8c1cb20be
--- /dev/null
+++ b/backport-Allow-netutils-and-traceroute-bpf-capability-to-run-.patch
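Review bot: `rhsmcertd_dbus_chat(login_userdomain)` allows D-Bus messages in both directions between rhsmcertd_t and every login user domain, whereas the quoted denial shows only staff_t issuing a `GetAll` call on `com.redhat.RHSM1.Config`; after this change any interactive user can invoke any method rhsmcertd exports, and the only remaining gate is rhsmcertd's own D-Bus policy and polkit configuration. That may well be the intended behaviour for a user-facing subscription service, but it deserves a sentence in the commit message, and if the bug only needs read-only introspection the grant could be limited to the user domain actually affected.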
@@ -0,0 +1,31 @@
+From 245ab868b3c2ed9330196f728020c5bdb20b5dff Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 27 Oct 2022 14:59:49 +0200
+Subject: [PATCH] Allow netutils and traceroute bpf capability to run bpf
+ programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/admin/netutils.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
+index c9526d2b92..312b047edc 100644
+--- a/policy/modules/admin/netutils.te
++++ b/policy/modules/admin/netutils.te
+@@ -35,6 +35,7 @@ init_system_domain(traceroute_t, traceroute_exec_t)
+ # Perform network administration operations and have raw access to the network.
+ allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot setpcap };
+ dontaudit netutils_t self:capability { sys_admin sys_tty_config };
++allow netutils_t self:capability2 bpf;
+ allow netutils_t self:process { setcap signal_perms };
+ allow netutils_t self:netlink_generic_socket create_socket_perms;
+ allow netutils_t self:netlink_rdma_socket create_socket_perms;
+@@ -214,6 +215,7 @@ optional_policy(`
+ 
+ allow traceroute_t self:capability { net_admin net_raw setuid setgid };
+ dontaudit traceroute_t self:capability { sys_admin };
++allow traceroute_t self:capability2 bpf;
+ allow traceroute_t self:netlink_generic_socket create_socket_perms;
+ allow traceroute_t self:netlink_rdma_socket create_socket_perms;
+ allow traceroute_t self:rawip_socket create_socket_perms;
diff --git a/backport-Allow-pkcs_slotd_t-bpf-capability-to-run-bpf-program.patch b/backport-Allow-pkcs_slotd_t-bpf-capability-to-run-bpf-program.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f3cedf64cb19feff57153706ac9350fee85cc9c1
--- /dev/null
+++ b/backport-Allow-pkcs_slotd_t-bpf-capability-to-run-bpf-program.patch
@@ -0,0 +1,22 @@
+From 33f983cf633bbdfba33958ee313f469b869f3c30 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 27 Oct 2022 14:27:43 +0200
+Subject: [PATCH] Allow pkcs_slotd_t bpf capability to run bpf programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/contrib/pkcs.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
+index 4eb8a50c83..babcc56f60 100644
+--- a/policy/modules/contrib/pkcs.te
++++ b/policy/modules/contrib/pkcs.te
+@@ -47,6 +47,7 @@ systemd_unit_file(pkcs_slotd_unit_file_t)
+ #
+ 
+ allow pkcs_slotd_t self:capability { fsetid kill chown };
++allow pkcs_slotd_t self:capability2 bpf;
+ allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms;
+ allow pkcs_slotd_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow pkcs_slotd_t self:sem create_sem_perms;
diff --git a/backport-Allow-pulseaudio-create-gnome-content-.config.patch b/backport-Allow-pulseaudio-create-gnome-content-.config.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ed8be24820dcbb74b011b8f71ee8c471dc30c56f
--- /dev/null
+++ b/backport-Allow-pulseaudio-create-gnome-content-.config.patch
@@ -0,0 +1,30 @@
+From a120005379c8629aa7b6d174d7c763e4f84fedc4 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 5 Oct 2022 20:36:22 +0200
+Subject: [PATCH] Allow pulseaudio create gnome content (~/.config)
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(10/03/2022 18:19:59.393:477) : proctitle=/usr/bin/pulseaudio --daemonize=no --log-target=journal
+type=PATH msg=audit(10/03/2022 18:19:59.393:477) : item=1 name=/home/username/.config nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=PATH msg=audit(10/03/2022 18:19:59.393:477) : item=0 name=/home/username/ inode=25197786 dev=fd:02 mode=dir,700 ouid=username ogid=username rdev=00:00 obj=staff_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(10/03/2022 18:19:59.393:477) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x55db1dc2a420 a1=0700 a2=0xffffffff a3=0x0 items=2 ppid=6693 pid=6748 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=11 comm=pulseaudio exe=/usr/bin/pulseaudio subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(10/03/2022 18:19:59.393:477) : avc: denied { create } for pid=6748 comm=pulseaudio name=.config scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=0
+
+Resolves: rhbz#2124387
+---
+ policy/modules/contrib/pulseaudio.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
+index b89c5f706a..bdc8263687 100644
+--- a/policy/modules/contrib/pulseaudio.te
++++ b/policy/modules/contrib/pulseaudio.te
+@@ -152,6 +152,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ gnome_create_home_config_dirs(pulseaudio_t)
+ gnome_read_gkeyringd_state(pulseaudio_t)
+ gnome_signull_gkeyringd(pulseaudio_t)
+ gnome_manage_gstreamer_home_files(pulseaudio_t)
diff --git a/backport-Allow-rotatelogs-read-httpd_log_t-symlinks.patch b/backport-Allow-rotatelogs-read-httpd_log_t-symlinks.patch
new file mode 100644
index 0000000000000000000000000000000000000000..061f1c57bbe8b5b017dfb132cd7b827805452b68
--- /dev/null
+++ b/backport-Allow-rotatelogs-read-httpd_log_t-symlinks.patch
@@ -0,0 +1,32 @@
+From 404c8d08e3b4ec9970baa6af55359902d43c3ded Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 20 Oct 2022 19:20:14 +0200
+Subject: [PATCH] Allow rotatelogs read httpd_log_t symlinks
+
+This permission is required when rotatelogs is used in apache httpd
+configuration for handling logs and the /etc/httpd/logs path is used
+where the last directory is a symlink to ../../var/log/httpd:
+
+CustomLog "|/usr/sbin/rotatelogs /etc/httpd/logs/www.example.com 3600" combined
+
+It is executed with /etc/httpd as CWD, so it needs the search permission
+for httpd_config_t, too.
+
+Resolves: rhbz#2030633
+---
+ policy/modules/contrib/apache.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
+index 73957e4459..9101494b7e 100644
+--- a/policy/modules/contrib/apache.te
++++ b/policy/modules/contrib/apache.te
+@@ -1668,6 +1668,8 @@ optional_policy(`
+ allow httpd_rotatelogs_t self:capability { dac_read_search };
+ 
+ manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
++read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
++allow httpd_rotatelogs_t httpd_config_t:dir search_dir_perms;
+ 
+ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+ kernel_dontaudit_list_proc(httpd_rotatelogs_t)
diff --git a/backport-Allow-sbd-the-sys_ptrace-capability.patch b/backport-Allow-sbd-the-sys_ptrace-capability.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d20eb378b0bb85bb1e9c9b3eb8cb32fbc5810984
--- /dev/null
+++ b/backport-Allow-sbd-the-sys_ptrace-capability.patch 
@@ -0,0 +1,41 @@
+From 533de74a9a344542ab504915938b636698fd9838 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 5 Oct 2022 14:12:22 +0200
+Subject: [PATCH] Allow sbd the sys_ptrace capability
+
+The capability is required to scan open file descriptors to find out
+which additional processes also have them open.
+
+The sbd binary implements both the daemon that watches message slots
+as well as the management tool for interacting with the block storage
+device(s).
+
+To get a full cluster view, pcs invokes the sbd-cmdline-tool on other
+nodes through the pcsd instances running there which effects sbd
+transition to sbd_t although it is a command in this case, not a
+service.
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(09/12/2022 15:00:59.857:4015) : proctitle=/usr/sbin/sbd query-watchdog
+type=PATH msg=audit(09/12/2022 15:00:59.857:4015) : item=0 name=/proc/851/fd/0 inode=21560 dev=00:05 mode=link,500 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:rpcbind_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(09/12/2022 15:00:59.857:4015) : arch=x86_64 syscall=readlink success=no exit=EACCES(Permission denied) a0=0x7ffd9edd46c0 a1=0x7ffd9edd44b0 a2=0xff a3=0x0 items=1 ppid=538646 pid=538650 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null)
+type=AVC msg=audit(09/12/2022 15:00:59.857:4015) : avc: denied { sys_ptrace } for pid=538650 comm=sbd capability=sys_ptrace scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:system_r:sbd_t:s0 tclass=capability permissive=0
+
+Resolves: rhbz#2124552
+---
+ policy/modules/contrib/sbd.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/sbd.te b/policy/modules/contrib/sbd.te
+index 5aea5cbe1d..4da7c6223b 100644
+--- a/policy/modules/contrib/sbd.te
++++ b/policy/modules/contrib/sbd.te
+@@ -22,7 +22,7 @@ userdom_user_tmpfs_file(sbd_tmpfs_t)
+ #
+ # sbd local policy
+ #
+-allow sbd_t self:capability { dac_read_search dac_override ipc_lock kill sys_boot sys_nice sys_admin};
++allow sbd_t self:capability { dac_read_search dac_override ipc_lock kill sys_boot sys_nice sys_ptrace sys_admin};
+ allow sbd_t self:process { fork setsched signal_perms };
+ allow sbd_t self:fifo_file rw_fifo_file_perms;
+ allow sbd_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/backport-Allow-system_mail-t-read-network-sysctls.patch b/backport-Allow-system_mail-t-read-network-sysctls.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9d8365a7c96f7755cf625a5d370150dfedfac335
--- /dev/null
+++ b/backport-Allow-system_mail-t-read-network-sysctls.patch
@@ -0,0 +1,26 @@
+From 6ceec051905cb5f8a80122eb74682ac3b9dd2f22 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 23 Sep 2022 19:30:53 +0200
+Subject: [PATCH] Allow system_mail-t read network sysctls
+
+Addresses the following AVC denial:
+type=AVC msg=audit(1663932465.372:588): avc: denied { read } for pid=122144 comm="sendmail" name="disable_ipv6" dev="proc" ino=2645630 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
+
+Resolves: rhbz#2129326
+---
+ policy/modules/contrib/mta.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
+index 36c3641806..72bfa1c98a 100644
+--- a/policy/modules/contrib/mta.te
++++ b/policy/modules/contrib/mta.te
+@@ -188,7 +188,7 @@ allow system_mail_t mail_home_t:file manage_file_perms;
+ 
+ read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
+ 
+-kernel_search_network_sysctl(system_mail_t)
++kernel_read_net_sysctls(system_mail_t)
+ 
+ corecmd_exec_shell(system_mail_t)
+ 
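Review bot: Adding `sys_ptrace` to the sbd_t capability set lets every process in that domain, the long-running watcher daemon as well as the `sbd query-watchdog` invocation the message describes, pass the kernel's ptrace access check against any process on the host, while the justification given covers only the command-line use. The denied `readlink` on `/proc/851/fd/0` was also checked against the rpcbind_t label, so unless sbd.te already grants reading other domains' /proc state (e.g. via `domain_read_all_domains_state`, which is outside this hunk) the capability alone will not make that call succeed; that is worth verifying before closing rhbz#2124552. A comment above the rule, `# sys_ptrace: sbd scans /proc/*/fd for other openers of its devices (rhbz#2124552)`, would keep the reasoning next to the grant.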
diff --git a/backport-Allow-systemd-permissions-needed-for-sandboxed-services.patch b/backport-Allow-systemd-permissions-needed-for-sandboxed-services.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3f83769eaeb39c76226501076efb31e05c77cd08
--- /dev/null
+++ b/backport-Allow-systemd-permissions-needed-for-sandboxed-services.patch
@@ -0,0 +1,36 @@
+From c19e4cb9a3f23f2b14c31c978627f9c486a369f4 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 31 Aug 2022 18:20:03 +0200
+Subject: [PATCH] Allow systemd permissions needed for sandboxed services
+
+The permissions to mounton self and get mail spool files attributes
+were added for init_t. Example service requiring them is accounts-daemon
+from the accountsservice package which since v22 has more tightened
+sandboxing, including mounting into private namespaces and listing
+accessible paths.
+
+Resolves: rhbz#2122059
+---
+ policy/modules/system/init.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 06be25304a..4311dbc359 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -187,6 +187,7 @@ allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
+ # setuid (from /sbin/shutdown)
+ # sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
+ 
++allow init_t self:file mounton;
+ allow init_t self:fifo_file rw_fifo_file_perms;
+ 
+ allow init_t self:service manage_service_perms;
+@@ -544,6 +545,7 @@ optional_policy(`
+ optional_policy(`
+ postfix_exec(init_t)
+ postfix_list_spool(init_t)
++ mta_getattr_spool(init_t)
+ mta_read_config(init_t)
+ mta_manage_aliases(init_t)
+ ')
diff --git a/backport-Allow-tor-get-filesystem-attributes.patch b/backport-Allow-tor-get-filesystem-attributes.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4282a2ea8394c5d2d4e74f76aad2a7c9994a6771
--- /dev/null
+++ b/backport-Allow-tor-get-filesystem-attributes.patch
@@ -0,0 +1,32 @@
+From e485345b572121f09778da9c146cf1bcd22ae0cf Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 12 Sep 2022 17:26:03 +0200
+Subject: [PATCH] Allow tor get filesystem attributes
+
+In particular, attributes of cgroup filesystems and generic filesystems
+with extended attributes.
+
+Addresses the following AVC denials:
+
+type=AVC msg=audit(1633585335.809:601): avc: denied { getattr } for pid=1881 comm="tor" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
+type=AVC msg=audit(1633585335.809:602): avc: denied { getattr } for pid=1881 comm="tor" name="/" dev="dm-0" ino=256 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
+
+Resolves: rhbz#2012006
+---
+ policy/modules/contrib/tor.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
+index 0dc670b885..ae36c255ca 100644
+--- a/policy/modules/contrib/tor.te
++++ b/policy/modules/contrib/tor.te
+@@ -124,6 +124,9 @@ domain_use_interactive_fds(tor_t)
+ 
+ files_read_etc_runtime_files(tor_t)
+ 
++fs_getattr_cgroup(tor_t)
++fs_getattr_xattr_fs(tor_t)
++
+ auth_use_nsswitch(tor_t)
+ 
+ logging_send_syslog_msg(tor_t)
diff --git a/backport-Allow-unconfined-and-sysadm-users-transition-for-root-.gnupg.patch b/backport-Allow-unconfined-and-sysadm-users-transition-for-root-.gnupg.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fabc0b2fb194ac407dc51cc0ce7deff56712f0a1
--- /dev/null
+++ b/backport-Allow-unconfined-and-sysadm-users-transition-for-root-.gnupg.patch
@@ -0,0 +1,41 @@
+From 9cc99c46be86915aec6dd7a13c00dfb6117c5c12 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 24 Aug 2022 18:51:14 +0200
+Subject: [PATCH] Allow unconfined and sysadm users transition for /root/.gnupg
+
+---
+ policy/modules/roles/sysadm.te | 5 +++++
+ policy/modules/roles/unconfineduser.te | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
+index 529a5146d4..c40f1edb04 100644
+--- a/policy/modules/roles/sysadm.te
++++ b/policy/modules/roles/sysadm.te
+@@ -308,6 +308,11 @@ optional_policy(`
+ optional_policy(`
+ gnome_filetrans_fontconfig_home_content(sysadm_t)
+ ')
++
++optional_policy(`
++ gpg_filetrans_admin_home_content(sysadm_t)
++')
++
+ optional_policy(`
+ hostname_run(sysadm_t, sysadm_r)
+ ')
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+index e01e515ce3..6ab52d9032 100644
+--- a/policy/modules/roles/unconfineduser.te
++++ b/policy/modules/roles/unconfineduser.te
+@@ -152,6 +152,10 @@ optional_policy(`
+ devicekit_dbus_chat_power(unconfined_t)
+ ')
+ 
++ optional_policy(`
++ gpg_filetrans_admin_home_content(unconfined_t)
++ ')
++
+ optional_policy(`
+ kpatch_run(unconfined_t,unconfined_r)
+ ')
diff --git a/backport-Allow-vlock-search-the-contents-of-the-dev-pts-directory.patch b/backport-Allow-vlock-search-the-contents-of-the-dev-pts-directory.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d3668f9aeeb1c93e16a196ee2af966ad32036779
--- /dev/null
+++ b/backport-Allow-vlock-search-the-contents-of-the-dev-pts-directory.patch
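Review bot: Both hunks call `gpg_filetrans_admin_home_content`, an interface that exists in the target tree only once backport-Add-gpg_filetrans_admin_home_content-interface.patch from this same series has been applied, and that interface in turn relies on `userdom_admin_home_dir_filetrans` being present in userdomain.if; wrapping the calls in `optional_policy` does not make an undefined interface a no-op, the policy build fails instead. Make sure the spec applies the interface patch before this one and that the target userdomain.if provides the admin-home transition helper. A short line in the commit message naming the dependency would save the next backporter the same check.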
@@ -0,0 +1,29 @@
+From f5d181f909dc380ede72219ede558ed4052c143f Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 10 Oct 2022 16:47:39 +0200
+Subject: [PATCH] Allow vlock search the contents of the /dev/pts directory
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(08/31/2022 09:28:27.751:867) : proctitle=vlock
+type=PATH msg=audit(08/31/2022 09:28:27.751:867) : item=0 name=/dev/pts/1 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(08/31/2022 09:28:27.751:867) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x55b5ce6f0b60 a1=0x7ffdd6518320 a2=0x7ffdd6518320 a3=0x0 items=1 ppid=9040 pid=12550 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=pts1 ses=17 comm=vlock exe=/usr/bin/vlock subj=sysadm_u:sysadm_r:vlock_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(08/31/2022 09:28:27.751:867) : avc: denied { search } for pid=12550 comm=vlock name=/ dev="devpts" ino=1 scontext=sysadm_u:sysadm_r:vlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=0
+
+Resolves: rhbz#2122838
+---
+ policy/modules/contrib/vlock.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te
+index de409cc610..418f2f7ab5 100644
+--- a/policy/modules/contrib/vlock.te
++++ b/policy/modules/contrib/vlock.te
+@@ -40,5 +40,7 @@ init_dontaudit_rw_utmp(vlock_t)
+
+ logging_send_syslog_msg(vlock_t)
+
++term_search_ptys(vlock_t)
++
+ userdom_dontaudit_search_user_home_dirs(vlock_t)
+ userdom_use_inherited_user_terminals(vlock_t)
diff --git a/backport-Stop-ignoring-standalone-interface-files.patch b/backport-Stop-ignoring-standalone-interface-files.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9db026fbe57d58573eb3812bb5813e4ed1483fff
--- /dev/null
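Review bot: `term_search_ptys(vlock_t)` resolves the `search` denial on the devpts_t directory, but the audited syscall is a `stat` of /dev/pts/1 recorded with permissive=0, where the kernel stops at the first denied check; a follow-up `getattr` denial on the pty chr_file itself may only appear once search is granted. Worth re-running vlock under the new policy before closing the bug; the existing `userdom_use_inherited_user_terminals(vlock_t)` on the last context line may already cover the pty, but that cannot be confirmed from this hunk. The grant itself is minimal and scoped to directory search, which is the right size for this denial.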
+++ b/backport-Stop-ignoring-standalone-interface-files.patch 
@@ -0,0 +1,52 @@
+From 3a55e3a69bb33261abcd8104d93e0ee83d5da35a Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Wed, 1 Sep 2021 10:06:44 +0200
+Subject: [PATCH] Stop ignoring standalone interface files
+
+Interface files without corresponding .te where ignored, unless the
+module name was specified in modules.conf.
+
+Standalone interface files are useful for backwards compatibility in
+case a policy module removed from this repository.
+
+Signed-off-by: Vit Mojzis
+---
+ Makefile | 4 ++++
+ Rules.modular | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index a9dfef1bc1..4a08bba6fa 100644
+--- a/Makefile
++++ b/Makefile
+@@ -264,6 +264,7 @@ generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in
+ # sort here since it removes duplicates, which can happen
+ # when a generated file is already generated
+ detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te))
++detected_ifs := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.if)) $(generated_if))
+
+ modxml := $(addprefix $(tmpdir)/, $(detected_mods:.te=.xml))
+ layerxml := $(sort $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers)))))
+@@ -307,6 +308,9 @@ off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_c
+ # add modules not in modules.conf to the off list
+ off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
+
++# all interface files without corresponding .te - backwards compatibility
++standalone_ifs := $(filter-out $(subst .te,.if, $(base_mods) $(mod_mods) $(off_mods)), $(notdir $(detected_ifs)))
++
+ # filesystems to be used in labeling targets
+ filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
+ fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
+diff --git a/Rules.modular b/Rules.modular
+index ad65733e10..258c8b6560 100644
+--- 
a/Rules.modular
++++ b/Rules.modular
+@@ -4,7 +4,7 @@
+ #
+
+ all_modules := $(base_mods) $(mod_mods) $(off_mods)
+-all_interfaces := $(all_modules:.te=.if)
++all_interfaces := $(all_modules:.te=.if) $(standalone_ifs)
+
+ base_pkg := $(builddir)base.pp
+ base_fc := $(builddir)base.fc
diff --git a/backport-Update-tor_bind_all_unreserved_ports-interface.patch b/backport-Update-tor_bind_all_unreserved_ports-interface.patch
new file mode 100644
index 0000000000000000000000000000000000000000..399c93518e727d8ba6270ab40297b97536ffb0e6
--- /dev/null
+++ b/backport-Update-tor_bind_all_unreserved_ports-interface.patch
@@ -0,0 +1,34 @@
+From 5ba29432782295ceaeb0085d0fe9123d7736b0f1 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Mon, 22 Aug 2022 15:43:13 +0200
+Subject: [PATCH] Update tor_bind_all_unreserved_ports interface
+
+When enabled boolean tor_bind_all_unreserved_ports,
+allow tor bind UDP sockets to all ports > 1024.
+
+Fix: bz#2089486
+---
+ policy/modules/contrib/tor.te | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
+index 4b0554c374..0dc670b885 100644
+--- a/policy/modules/contrib/tor.te
++++ b/policy/modules/contrib/tor.te
+@@ -8,7 +8,7 @@ policy_module(tor, 1.9.0)
+ ##
+ ##
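Review bot: `$(subst .te,.if, ...)` in the new `standalone_ifs` line replaces every occurrence of `.te` inside the module file names rather than only the suffix, while the surrounding Makefile uses the suffix-only form (`$(detected_mods:.te=.xml)` a few lines above, `$(all_modules:.te=.if)` in Rules.modular); `standalone_ifs := $(filter-out $(patsubst %.te,%.if,$(base_mods) $(mod_mods) $(off_mods)), $(notdir $(detected_ifs)))` is the consistent and precise form. Because the Rules.modular hunk appends `$(standalone_ifs)` to `all_interfaces`, every `.if` under the layers that lacks a `.te` is now compiled into every build regardless of modules.conf, so an orphaned interface whose gen_require names a type no longer declared anywhere will presumably fail the build instead of being skipped as before; extending the comment to `# all interface files without corresponding .te - backwards compatibility; these are always compiled, so they must stay self-consistent` records that new obligation. The Makefile hunk at `@@ -307,6 +308,9 @@` sits inside the `off_mods` computation, whose start lies outside the hunk.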

+ ## Determine whether tor can bind
+-## tcp sockets to all unreserved ports.
++## tcp and udp sockets to all unreserved ports.
+ ##

+ ##
+ gen_tunable(tor_bind_all_unreserved_ports, false)
+@@ -131,6 +131,7 @@ logging_send_syslog_msg(tor_t)
+ tunable_policy(`tor_bind_all_unreserved_ports',`
+ corenet_sendrecv_all_server_packets(tor_t)
+ corenet_tcp_bind_all_unreserved_ports(tor_t)
++ corenet_udp_bind_all_unreserved_ports(tor_t)
+ ')
+
+ tunable_policy(`tor_can_network_relay',`
diff --git a/backport-pidof-executed-by-abrt-can-readlink-proc-exe.patch b/backport-pidof-executed-by-abrt-can-readlink-proc-exe.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2fea8c8e40f72ea5c956f32e53b04c7ef09c4e0e
--- /dev/null
+++ b/backport-pidof-executed-by-abrt-can-readlink-proc-exe.patch
@@ -0,0 +1,28 @@
+From 52645b77fe4aeb47f538538097c99aa47adbe2d7 Mon Sep 17 00:00:00 2001
+From: Milos Malik
+Date: Wed, 7 Sep 2022 10:53:07 +0200
+Subject: [PATCH] pidof executed by abrt can readlink /proc/*/exe
+
+At least one of the ABRT addons calls `pidof abrtd` which leads to
+{ sys_ptrace } SELinux denials in cap_userns class.
+
+In order to support the full functionality of ABRT and its addons,
+I believe that SELinux policy should allow this access.
+
+Resolves: BZ#2071586
+---
+ policy/modules/contrib/abrt.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
+index 02a12dfab1..16db11a3c3 100644
+--- a/policy/modules/contrib/abrt.te
++++ b/policy/modules/contrib/abrt.te
+@@ -115,6 +115,7 @@ ifdef(`enable_mcs',`
+ #
+
+ allow abrt_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
++allow abrt_t self:cap_userns sys_ptrace;
+ dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };
+ allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 910ec17837cc8c984943f05874b6836ad6d4be6d..5f0e1e198bbb22f8940a281f0855fb2113f45e89 100644
--- a/selinux-policy.spec
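Review bot: `allow abrt_t self:cap_userns sys_ptrace;` grants CAP_SYS_PTRACE within user namespaces to every abrt_t process, while the stated need is only that `pidof abrtd` can readlink /proc/*/exe for processes living in child user namespaces; that readlink failing does not by itself break `pidof`'s name matching, so if `pidof abrtd` still resolves correctly with the denial in place, `dontaudit abrt_t self:cap_userns sys_ptrace;` would silence the noise without widening abrt_t, the same approach the next context line already takes for `net_admin sys_rawio`. If the allow is kept, a comment above it such as `# pidof run by abrt addons readlinks /proc/*/exe across user namespaces (BZ#2071586)` would stop a later cleanup from treating it as stray. Note also that `sys_ptrace` already appears in both the `allow` and the `dontaudit` for the `capability` class on the adjacent context lines; that redundancy predates this patch but could be tidied in the same backport.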
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 35.5
-Release: 19
+Release: 20
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
@@ -203,6 +203,31 @@ Patch6133: backport-Allow-systemd-modules-load-write-to-dev-kmsg-and-send-a-mess
 Patch6134: backport-Allow-postfix-smtp-and-postfix-virtual-read-kerberos-key-table.patch
 Patch6135: backport-Allow-system_dbusd-ioctl-kernel-with-a-unix-stream-sockets.patch
 Patch6136: backport-Allow-chronyc-read-and-write-generic-pty-type.patch
+Patch6137: backport-Allow-gpg-read-and-write-generic-pty-type.patch
+Patch6138: backport-Add-userdom_view_all_users_keys-interface.patch
+Patch6139: backport-Add-gpg_filetrans_admin_home_content-interface.patch
+Patch6140: backport-Allow-unconfined-and-sysadm-users-transition-for-root-.gnupg.patch
+Patch6141: backport-Update-tor_bind_all_unreserved_ports-interface.patch
+Patch6142: backport-Allow-chronyd-send-and-receive-chronyd-ntp-client-packets.patch
+Patch6143: backport-Allow-systemd-permissions-needed-for-sandboxed-services.patch
+Patch6144: backport-Allow-tor-get-filesystem-attributes.patch
+Patch6145: backport-pidof-executed-by-abrt-can-readlink-proc-exe.patch
+Patch6146: backport-Allow-system_mail-t-read-network-sysctls.patch
+Patch6147: backport-Stop-ignoring-standalone-interface-files.patch
+Patch6148: backport-Allow-sbd-the-sys_ptrace-capability.patch
+Patch6149: backport-Allow-login_userdomain-dbus-chat-with-rhsmcertd.patch
+Patch6150: backport-Allow-pulseaudio-create-gnome-content-.config.patch
+Patch6151: backport-Allow-ftpd-map-ftpd_var_run-files.patch
+Patch6152: backport-Allow-vlock-search-the-contents-of-the-dev-pts-directory.patch
+Patch6153: backport-Allow-aide-to-connect-to-systemd_machined-with-a-unix-socket.patch
+Patch6154: backport-Allow-rotatelogs-read-httpd_log_t-symlinks.patch
+Patch6155: backport-Allow-dirsrv_snmp_t-to-manage-dirsrv_config_t-dirsrv_var_run_t-files.patch
+Patch6156: backport-Allow-fprintd-bpf-capability-to-run-bpf-programs.patch
+Patch6157: backport-Allow-keepalived-bpf-capability-to-run-bpf-programs.patch
+Patch6158: 
backport-Allow-lldpad-bpf-capability-to-run-bpf-programs.patch
+Patch6159: backport-Allow-pkcs_slotd_t-bpf-capability-to-run-bpf-program.patch
+Patch6160: backport-Allow-netutils-and-traceroute-bpf-capability-to-run-.patch
+Patch6161: backport-Allow-dhcpd-bpf-capability-to-run-bpf-programs.patch
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -879,6 +904,9 @@ exit 0
 %endif
 %changelog
+* Fri Jul 28 2023 huangzq6 - 35.5-20
+- backport some selinux-policy upstream patches
+
 * Fri Jun 30 2023 zcfsite - 35.5-19
 - backport upstream patches
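Review bot: The `Patch6137`–`Patch6161` block lists 25 new patch files, but only six of them (6140, 6141, 6144, 6145, 6147, 6152) have their file content in this part of the diff; the rest may well be in the portion not shown, but each one should be confirmed to be added in the same commit, since a single missing file fails %prep for the whole package. Judging by their file names, 6148 and 6156–6161 each widen a daemon's capability set (sys_ptrace for sbd, bpf for fprintd, keepalived, lldpad, pkcs_slotd, netutils/traceroute and dhcpd), yet the changelog entry `- backport some selinux-policy upstream patches` names none of them; listing the patch subjects, or the `Resolves:`/`Fix:` bug ids the patch files already carry, would make these privilege changes auditable from the rpm changelog alone. The `Patch6158:` entry is split across two physical lines here, which looks like a rendering artifact rather than a defect in the spec.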