!221 回合上有社区补丁

From: @zcfsite 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

backport-Allow-chronyc-read-and-write-generic-pty-type.patch

@@ -0,0 +1,26 @@
+From 822a150f673b5d376d077777d0bb41cbd3352c6b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 22 Aug 2022 12:44:49 +0200
+Subject: [PATCH] Allow chronyc read and write generic pty type
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(22.08.2022 11:35:41.535:261) : proctitle=/usr/bin/chronyc sources
+type=EXECVE msg=audit(22.08.2022 11:35:41.535:261) : argc=2 a0=/usr/bin/chronyc a1=sources
+type=SYSCALL msg=audit(22.08.2022 11:35:41.535:261) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffeb8105f8f a1=0x7ffeb81049e8 a2=0x7ffeb8104a00 a3=0x8 items=0 ppid=3294 pid=3295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chronyc exe=/usr/bin/chronyc subj=system_u:system_r:chronyc_t:s0 key=(null)
+type=AVC msg=audit(22.08.2022 11:35:41.535:261) : avc:  denied  { read write } for  pid=3295 comm=chronyc path=/dev/pts/1 dev="devpts" ino=4 scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
+---
+ policy/modules/contrib/chronyd.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
+index 342735bc0c..3c69b3ddd6 100644
+--- a/policy/modules/contrib/chronyd.te
++++ b/policy/modules/contrib/chronyd.te
+@@ -237,3 +237,7 @@ userdom_users_dgram_send(chronyc_t)
+ optional_policy(`
+     nscd_shm_use(chronyc_t)
+ ')
++
++optional_policy(`
++	term_use_generic_ptys(chronyc_t)
++')

backport-Allow-cups-lpd-read-network-sysctls-1.patch

@@ -0,0 +1,23 @@
+From 9cb8de3f5d06e2624d728b97ab23d08321b0ad9a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 30 Jun 2022 00:31:16 +0200
+Subject: [PATCH] Allow cups-lpd read network sysctls
+
+Addresses the following AVC denial:
+type=AVC msg=audit(06/29/2022 20:27:06.595:8551) : avc:  denied  { search } for  pid=119379 comm=cups-lpd name=net dev="proc" ino=14928 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
+---
+ policy/modules/contrib/cups.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
+index 4f8958d1e0..34618c2d5d 100644
+--- a/policy/modules/contrib/cups.te
++++ b/policy/modules/contrib/cups.te
+@@ -562,6 +562,7 @@ read_sock_files_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t)
+ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+ 
+ kernel_read_kernel_sysctls(cupsd_lpd_t)
++kernel_read_net_sysctls(cupsd_lpd_t)
+ kernel_read_system_state(cupsd_lpd_t)
+ 
+ corenet_all_recvfrom_netlabel(cupsd_lpd_t)

backport-Allow-cups-lpd-read-network-sysctls.patch

@@ -0,0 +1,26 @@
+From 72220928592011263bc7e0ed291f33ca3560283d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 23 Jun 2022 15:34:01 +0200
+Subject: [PATCH] Allow cups-lpd read network sysctls
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(05/18/2022 19:31:33.481:8879) : proctitle=/usr/lib/cups/daemon/cups-lpd
+type=PATH msg=audit(05/18/2022 19:31:33.481:8879) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(05/18/2022 19:31:33.481:8879) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fff5c8c3290 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=124314 auid=unset uid=lp gid=lp euid=lp suid=lp fsuid=lp egid=lp sgid=lp fsgid=lp tty=(none) ses=unset comm=cups-lpd exe=/usr/lib/cups/daemon/cups-lpd subj=system_u:system_r:cupsd_lpd_t:s0 key=(null)
+type=AVC msg=audit(05/18/2022 19:31:33.481:8879) : avc:  denied  { search } for  pid=124314 comm=cups-lpd name=net dev="proc" ino=14920 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
+---
+ policy/modules/contrib/cups.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
+index 622702ddfe..4f8958d1e0 100644
+--- a/policy/modules/contrib/cups.te
++++ b/policy/modules/contrib/cups.te
+@@ -647,6 +647,7 @@ files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { dir file })
+ 
+ fs_search_auto_mountpoints(cups_pdf_t)
+ 
++kernel_read_net_sysctls(cups_pdf_t)
+ kernel_read_system_state(cups_pdf_t)
+ 
+ auth_use_nsswitch(cups_pdf_t)

backport-Allow-keepalived-read-the-contents-of-the-sysfs-filesystem.patch

@@ -0,0 +1,30 @@
+From f8f11f18a9473614c47b0a35d27f5be11c954e5b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 27 Jun 2022 13:28:39 +0200
+Subject: [PATCH] Allow keepalived read the contents of the sysfs filesystem
+
+Addresses the following AVC denial which is triggered on the keepalived
+service start when it tries to read /sys/devices/system/cpu:
+
+type=PROCTITLE msg=audit(06/17/2022 08:19:59.448:341) : proctitle=/usr/sbin/keepalived --dont-fork -D
+type=PATH msg=audit(06/17/2022 08:19:59.448:341) : item=0 name=/sys/devices/system/cpu inode=39 dev=00:16 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(06/17/2022 08:19:59.448:341) : arch=x86_64 syscall=openat success=yes exit=12 a0=AT_FDCWD a1=0x7ff4be2afc3f a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=4449 pid=4451 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
+type=AVC msg=audit(06/17/2022 08:19:59.448:341) : avc:  denied  { read } for  pid=4451 comm=keepalived name=cpu dev="sysfs" ino=39 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
+
+Resolves: rhbz#2098130
+---
+ policy/modules/contrib/keepalived.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/keepalived.te b/policy/modules/contrib/keepalived.te
+index 8b5ca7171a..0879eeb4ec 100644
+--- a/policy/modules/contrib/keepalived.te
++++ b/policy/modules/contrib/keepalived.te
+@@ -81,6 +81,7 @@ corenet_tcp_connect_squid_port(keepalived_t)
+ domain_read_all_domains_state(keepalived_t)
+ domain_getattr_all_domains(keepalived_t)
+ 
++dev_read_sysfs(keepalived_t)
+ dev_read_urand(keepalived_t)
+ 
+ files_dontaudit_mounton_rootfs(keepalived_var_run_t)

backport-Allow-kpropd-read-network-sysctls.patch

@@ -0,0 +1,27 @@
+From 150db8e78ff23e54c3a54fafaf597dd207518962 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 23 Jun 2022 09:55:35 +0200
+Subject: [PATCH] Allow kpropd read network sysctls
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(06/23/2022 03:46:33.848:845) : proctitle=/usr/sbin/kpropd
+type=PATH msg=audit(06/23/2022 03:46:33.848:845) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 inode=44028 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(06/23/2022 03:46:33.848:845) : cwd=/
+type=SYSCALL msg=audit(06/23/2022 03:46:33.848:845) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffc7e5b8550 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=13730 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kpropd exe=/usr/sbin/kpropd subj=system_u:system_r:kpropd_t:s0 key=(null)
+type=AVC msg=audit(06/23/2022 03:46:33.848:845) : avc:  denied  { read } for  pid=13730 comm=kpropd name=disable_ipv6 dev="proc" ino=44028 scontext=system_u:system_r:kpropd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
+---
+ policy/modules/contrib/kerberos.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
+index b4d3c3e7d4..0eecd224e3 100644
+--- a/policy/modules/contrib/kerberos.te
++++ b/policy/modules/contrib/kerberos.te
+@@ -369,6 +369,7 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+ 
+ kernel_read_system_state(kpropd_t)
+ kernel_read_network_state(kpropd_t)
++kernel_read_net_sysctls(kpropd_t)
+ 
+ can_exec(kpropd_t,kpropd_exec_t)
+ 

backport-Allow-networkmanager-to-signal-unconfined-process.patch

@@ -0,0 +1,32 @@
+From 0e9856f3cd11af60445ccf12cd59d35662a7e9a2 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Mon, 1 Aug 2022 16:08:08 +0200
+Subject: [PATCH] Allow networkmanager to signal unconfined process
+
+During kernel selftests, teamd - running in NetworkManager_t domain, checks if teamd instance is started externally.
+Teamd is a daemon to control a given team network device and when started from command line, it runs in the caller domain - unconfined_t.
+
+time->Fri Apr  8 11:01:16 2022
+type=PROCTITLE msg=audit(1649430076.436:6807): proctitle=2F7573722F62696E2F7465616D64002D6B002D74006C6167
+type=SYSCALL msg=audit(1649430076.436:6807): arch=c000003e syscall=62 success=no exit=-13 a0=1ad7f5 a1=f a2=0 a3=7fbf0f5d6ac0 items=0 ppid=13470 pid=1759420 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="teamd" exe="/usr/bin/teamd" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
+type=AVC msg=audit(1649430076.436:6807): avc:  denied  { signal } for  pid=1759420 comm="teamd" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
+
+Allow NetworkManager_t to send generic signals to the unconfined domain.
+
+Fix: bz#2074414
+---
+ policy/modules/contrib/networkmanager.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
+index a946bc060b..c827f40785 100644
+--- a/policy/modules/contrib/networkmanager.te
++++ b/policy/modules/contrib/networkmanager.te
+@@ -532,6 +532,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	unconfined_dgram_send(NetworkManager_t)
++	unconfined_signal(NetworkManager_t)
+ ')
+ 
+ 

backport-Allow-postfix-smtp-and-postfix-virtual-read-kerberos-key-table.patch

@@ -0,0 +1,40 @@
+From 451140e4c1f0bb6d8df25d18d74e549a83f46e4a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 9 Aug 2022 16:56:21 +0200
+Subject: [PATCH] Allow postfix/smtp and postfix/virtual read kerberos key
+ table
+
+This permission is required when postfix is configured to use virtual
+mailboxes and store data into postgresql database.
+
+Resolves: rhbz#1983308
+---
+ policy/modules/contrib/postfix.te | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
+index 5451023d79..c236828d0e 100644
+--- a/policy/modules/contrib/postfix.te
++++ b/policy/modules/contrib/postfix.te
+@@ -699,6 +699,10 @@ optional_policy(`
+ 	dspam_stream_connect(postfix_smtp_t)
+ ')
+ 
++optional_policy(`
++	kerberos_read_keytab(postfix_smtp_t)
++')
++
+ optional_policy(`
+ 	milter_stream_connect_all(postfix_smtp_t)
+ ')
+@@ -776,6 +780,10 @@ userdom_manage_user_home_dirs(postfix_virtual_t)
+ userdom_manage_user_home_content(postfix_virtual_t)
+ userdom_filetrans_home_content(postfix_virtual_t)
+ 
++optional_policy(`
++	kerberos_read_keytab(postfix_virtual_t)
++')
++
+ ########################################
+ #
+ # postfix_domain common policy

backport-Allow-system_dbusd-ioctl-kernel-with-a-unix-stream-sockets.patch

@@ -0,0 +1,59 @@
+From 6b1b4d1bad371a78c69b399088e167ccdfb646ff Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Mon, 22 Aug 2022 16:01:10 +0200
+Subject: [PATCH] Allow system_dbusd ioctl kernel with a unix stream sockets
+
+Systemd creates and starts to listen on the socket before
+SELinux policy is loaded  and it inherits the kernel secid as its label.
+
+Allow system_dbusd ioctl kernel with a unix stream sockets
+Create interface to allow the specified domain to ioctl a kernel with a unix domain stream sockets.
+
+Fix: bz#2085392
+---
+ policy/modules/contrib/dbus.te  |  1 +
+ policy/modules/kernel/kernel.if | 19 +++++++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
+index a0f5679d61..eadbbab2a7 100644
+--- a/policy/modules/contrib/dbus.te
++++ b/policy/modules/contrib/dbus.te
+@@ -94,6 +94,7 @@ manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_ru
+ manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
+ files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
+ 
++kernel_ioctl_stream_sockets(system_dbusd_t)
+ kernel_read_system_state(system_dbusd_t)
+ kernel_read_kernel_sysctls(system_dbusd_t)
+ kernel_stream_connect(system_dbusd_t)
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 76613d1967..253b542688 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -3738,6 +3738,25 @@ interface(`kernel_rw_stream_socket_perms',`
+     allow $1 kernel_t:fd use;
+ ')
+ 
++#######################################
++## <summary>
++##  Allow the specified domain to ioctl a
++##  kernel with a unix domain stream sockets.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`kernel_ioctl_stream_sockets',`
++    gen_require(`
++        type init_t;
++    ')
++
++    allow $1 kernel_t:unix_stream_socket { getopt ioctl };
++')
++
+ ########################################
+ ## <summary>
+ ##	Make the specified type usable for regular entries in proc

backport-Allow-systemd-modules-load-write-to-dev-kmsg-and-send-a-message-to-syslogd.patch

@@ -0,0 +1,31 @@
+From 5e6b688ea15f842e1d048828a0296c5eea3e26f0 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Tue, 9 Aug 2022 11:11:34 +0200
+Subject: [PATCH] Allow systemd-modules-load write to /dev/kmsg and send a
+ message to syslogd
+
+Allow systemd_modules_load_t, early boot service that loads kernel modules,
+write to the kernel messages device and send a message to syslogd over a unix domain datagram socket.
+
+Fix: bz#2088257
+---
+ policy/modules/system/systemd.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 7d490e853c..9440943375 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1259,9 +1259,12 @@ corecmd_exec_bin(systemd_modules_load_t)
+ corecmd_exec_shell(systemd_modules_load_t)
+ 
+ dev_read_sysfs(systemd_modules_load_t)
++dev_write_kmsg(systemd_modules_load_t)
+ 
+ init_read_pid_files(systemd_modules_load_t)
+ 
++logging_dgram_send(systemd_modules_load_t)
++
+ files_map_kernel_modules(systemd_modules_load_t)
+ files_read_kernel_modules(systemd_modules_load_t)
+ 

backport-Allow-systemd_hostnamed-label-run-systemd-as-hostnamed_etc_t.patch

@@ -0,0 +1,26 @@
+From db58b4d32e06d17dff7a6e2adf3a3164a318fef2 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Fri, 5 Aug 2022 15:46:01 +0200
+Subject: [PATCH] Allow systemd_hostnamed label /run/systemd/* as
+ hostnamed_etc_t
+
+Allow systemd_hostnamed_t to create files in /run/systemd/* with label hostnamed_etc_t
+Names of these files include hashes.
+
+Fix: bz#1976684
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index a9308b8cce..7d490e853c 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -851,6 +851,7 @@ allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms;
+ manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
+ manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
+ files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file)
++init_pid_filetrans(systemd_hostnamed_t, hostname_etc_t, file )
+ 
+ kernel_dgram_send(systemd_hostnamed_t)
+ kernel_read_xen_state(systemd_hostnamed_t)

selinux-policy.spec

@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 35.5
-Release: 18
+Release: 19
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/
 
@@ -193,6 +193,16 @@ Patch6123: backport-Allow-init-remount-all-file_type-filesystems.patch
 Patch6124: backport-Allow-xenstored-change-its-hard-resource-limits.patch
 Patch6125: backport-Allow-init-map-its-private-tmp-files.patch
 Patch6126: backport-Allow-sss-daemons-read-write-unnamed-pipes-of-cloud-.patch
+Patch6127: backport-Allow-kpropd-read-network-sysctls.patch
+Patch6128: backport-Allow-cups-lpd-read-network-sysctls.patch
+Patch6129: backport-Allow-keepalived-read-the-contents-of-the-sysfs-filesystem.patch
+Patch6130: backport-Allow-cups-lpd-read-network-sysctls-1.patch
+Patch6131: backport-Allow-systemd_hostnamed-label-run-systemd-as-hostnamed_etc_t.patch
+Patch6132: backport-Allow-networkmanager-to-signal-unconfined-process.patch
+Patch6133: backport-Allow-systemd-modules-load-write-to-dev-kmsg-and-send-a-message-to-syslogd.patch
+Patch6134: backport-Allow-postfix-smtp-and-postfix-virtual-read-kerberos-key-table.patch
+Patch6135: backport-Allow-system_dbusd-ioctl-kernel-with-a-unix-stream-sockets.patch
+Patch6136: backport-Allow-chronyc-read-and-write-generic-pty-type.patch
 
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -869,6 +879,9 @@ exit 0
 %endif
 
 %changelog
+* Fri Jun 30 2023 zcfsite <zhchf2010@126.com> - 35.5-19
+- backport upstream patches
+
 * Thu Jun 08 2023 jinlun <jinlun@huawei.com> - 35.5-18
 - allow init_t create fifo file in net_conf dir.