From ec71b13353a8f3f3fd06c1848ed795c418048a61 Mon Sep 17 00:00:00 2001
From: guoxiaoqi
Date: Fri, 17 Jan 2020 17:48:20 +0800
Subject: [PATCH] enable selinux
---
 add-allowed-avc-for-systemd.patch | 89 +++++++++++++++++++++++++++++++
 selinux-policy.spec | 15 +++---
 2 files changed, 95 insertions(+), 9 deletions(-)
 create mode 100644 add-allowed-avc-for-systemd.patch
diff --git a/add-allowed-avc-for-systemd.patch b/add-allowed-avc-for-systemd.patch
new file mode 100644
index 0000000..148ab43
--- /dev/null
+++ b/add-allowed-avc-for-systemd.patch
@@ -0,0 +1,89 @@
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index cb9602c..87a28cf 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -4107,4 +4107,13 @@ interface(`kernel_unlabeled_entry_type',`
+ allow $1 unlabeled_t:file entrypoint;
+ allow $1 unlabeled_t:file { mmap_exec_file_perms ioctl lock };
+ ')
++#####
++##
++####
++interface(`kernel_file_mounton','
++ gen_require(`
++ type sysctl_kernel_t;
++ ')
+ 
++ allow $1 sysctl_kernel_t:file mounton;
++')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index 64a34dd..5d7080e 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -224,6 +224,7 @@ kernel_mounton_systemd_ProtectKernelTunables(init_t)
+ kernel_read_core_if(init_t)
+ kernel_mounton_core_if(init_t)
+ kernel_get_sysvipc_info(init_t)
++kernel_file_mounton(init_t)
+ 
+ # There is bug in kernel in 4.16 where lot of domains requesting module_request, for now dontauditing
+ kernel_dontaudit_request_load_module(init_t)
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 87a28cf..92c9525 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -4107,9 +4107,16 @@ interface(`kernel_unlabeled_entry_type',`
+ allow $1 unlabeled_t:file entrypoint;
+ allow $1 unlabeled_t:file { mmap_exec_file_perms ioctl lock };
+ ')
+-#####
+-##
+-####
++########################################
++##
++## add for systemd mounton
++##
++##
++##
++## The domain for sysctl_kernel_t.
++##
++##
++#
+ interface(`kernel_file_mounton','
+ gen_require(`
+ type sysctl_kernel_t;
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 22ddccf..802056c 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1140,3 +1140,5 @@ optional_policy(`
+ optional_policy(`
+ gpg_exec(systemd_importd_t)
+ ')
++allow init_t systemd_logind_var_lib_t:dir { create mounton read };
++allow init_t systemd_logind_var_run_t:dir mounton;
+diff --git a/1.patch b/1.patch
+index c57689e..e69de29 100644
+--- a/1.patch
++++ b/1.patch
+@@ -1,10 +0,0 @@
+-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+-index 22ddccf..802056c 100644
+---- a/policy/modules/system/systemd.te
+-+++ b/policy/modules/system/systemd.te
+-@@ -1140,3 +1140,5 @@ optional_policy(`
+- optional_policy(`
+- gpg_exec(systemd_importd_t)
+- ')
+-+allow init_t systemd_logind_var_lib_t:dir { create mounton read };
+-+allow init_t systemd_logind_var_run_t:dir mounton;
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 802056c..03ab6bd 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1142,3 +1142,5 @@ optional_policy(`
+ ')
+ allow init_t systemd_logind_var_lib_t:dir { create mounton read };
+ allow init_t systemd_logind_var_run_t:dir mounton;
++allow init_t systemd_logind_inhibit_var_run_t:dir mounton;
++allow init_t systemd_logind_sessions_t:dir mounton;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bc6125b..1adbd4f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.2
-Release: 45
+Release: 46
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
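Review bot: The new patch file is a concatenation of successive edits rather than one squashed diff: kernel.if is patched twice at the same lines, systemd.te twice, and the hunk with `index c57689e..e69de29` empties a stray `1.patch`, so the patch will only apply if the unpacked selinux-policy source already contains a `1.patch` with exactly that content. Squash it to one hunk per policy file and drop the `1.patch` hunk entirely. Separately, the new interface opens its body as `interface(`kernel_file_mounton','` whereas the neighbouring `interface(`kernel_unlabeled_entry_type',`` uses a backtick; unless this is a rendering artifact, the body is not quoted the way the surrounding interfaces are and m4 will process `gen_require` differently. The parameter description `## The domain for sysctl_kernel_t.` is also misleading; suggested: `## Domain allowed to mount over sysctl_kernel_t files (systemd ProtectKernelTunables).`, and it is worth checking whether the existing `kernel_mounton_systemd_ProtectKernelTunables` interface called just above already grants this permission before adding a parallel one.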
@@ -58,6 +58,7 @@ Patch9005: Fix-userdom_admin_user_template-interface-by-adding-.patch
 Patch9006: Fix-bug-in-userdom_restricted_xwindows_user_template.patch
 Patch9007: add-allow-for-ldconfig-to-map-libsudo_util-so.patch
 Patch9008: add-allow-syslogd_t-domain-to-send-null-signal-to-all-do.patch
+Patch9009: add-allowed-avc-for-systemd.patch
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
@@ -309,10 +310,6 @@ mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/
 install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
 install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
 install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
-/usr/bin/sepolicy manpage -a -p %{buildroot}/usr/share/man/man8/ -w -r %{buildroot}
-mkdir %{buildroot}%{_usr}/share/selinux/devel/html
-mv %{buildroot}%{_usr}/share/man/man8/*.html %{buildroot}%{_usr}/share/selinux/devel/html
-mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinux/devel/html
 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
 install -m 644 %{SOURCE24} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
@@ -328,7 +325,7 @@ echo "
 # enforcing - SELinux security policy is enforced.
 # permissive - SELinux prints warnings instead of enforcing.
 # disabled - No SELinux policy is loaded.
-SELINUX=permissive
+SELINUX=enforcing
 # SELINUXTYPE= can take one of these three values:
 # targeted - Targeted processes are protected,
 # minimum - Modification of targeted policy. Only selected processes are protected.
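Review bot: Patch9009 is declared here but nothing in this diff applies it; the %prep section lies outside the hunk, so if patches are applied with explicit `%patchNNNN -p1` lines (as the Patch9005–Patch9008 series suggests) a matching `%patch9009 -p1` is needed, otherwise the new allow rules never reach the built policy. If %prep uses %autosetup this is already covered, but that cannot be confirmed from what is visible.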
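Review bot: The default written into the generated /etc/selinux/config moves from `SELINUX=permissive` to `SELINUX=enforcing`, which changes behaviour for every install of this package: denials that were only logged now block, so any AVC not already covered by policy (the bundled patch adds only a handful of init_t mounton rules) becomes a functional failure rather than an audit entry. Whether this `echo` block runs only when the file is absent or also overwrites an existing config is outside the hunk; confirm it, since in the latter case upgrading hosts switch mode silently. A change of this scope deserves more than `- enable selinux` in the changelog, e.g. `- switch the default SELinux mode in /etc/selinux/config from permissive to enforcing`. The hunk at `@@ -309,10 +310,6 @@` also drops the sepolicy-generated HTML documentation without any mention in the changelog or the commit message.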
@@ -410,9 +407,6 @@ exit 0
 %dir %{_usr}/share/selinux/devel
 %dir %{_usr}/share/selinux/devel/include
 %{_usr}/share/selinux/devel/include/*
-%dir %{_usr}/share/selinux/devel/html
-%{_usr}/share/selinux/devel/html/*html
-%{_usr}/share/selinux/devel/html/*css
 %{_usr}/share/selinux/devel/Makefile
 %{_usr}/share/selinux/devel/example.*
 %{_usr}/share/selinux/devel/policy.*
@@ -660,6 +654,9 @@ exit 0
 %endif
 %changelog
+* Thu 16 2020 openEuler Buildteam - 3.14.2-46
+- enable selinux
+
 * Fri Jan 10 2020 openEuler Buildteam - 3.14.2-45
 - update container-selinux.tgz
-- Gitee
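Review bot: The new %changelog entry `* Thu 16 2020 openEuler Buildteam - 3.14.2-46` has no month; rpmbuild parses changelog dates as `Www Mmm dd yyyy`, so this is expected to stop the build with a "bad date in %changelog" error. The commit is dated Fri 17 Jan 2020, so the intended line is presumably `* Thu Jan 16 2020 openEuler Buildteam - 3.14.2-46`. The entry text should also name what the release actually changes, since besides the new policy patch it flips the default mode to enforcing and removes the devel HTML documentation.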