merge patch
parent
463e0446fe
commit
703c655d68
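--- a/backport-Add-domain_unix_read_all_semaphores-interface.patch
+++ b/backport-Add-domain_unix_read_all_semaphores-interface.patch
@@ -0,0 +1,39 @@
+From 0fda5d6c5ee12b642ab0f6b6503807a4731d17f4 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 11 Nov 2022 15:11:18 +0100
+Subject: [PATCH] Add domain_unix_read_all_semaphores() interface
+
+---
+policy/modules/kernel/domain.if | 19 +++++++++++++++++++
+1 file changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
+index 0e843721ba..2fa4393292 100644
+--- a/policy/modules/kernel/domain.if
++++ b/policy/modules/kernel/domain.if
+@@ -568,6 +568,25 @@ interface(`domain_kill_all_domains',`
+allow $1 self:capability kill;
+')
+
++########################################
++## <summary>
++## Allow unix_read all domains semaphores
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`domain_unix_read_all_semaphores',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow $1 domain:sem unix_read;
++')
++
+########################################
+## <summary>
+## Destroy all domains semaphores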
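Review bot: The summary `## Allow unix_read all domains semaphores` of the new domain_unix_read_all_semaphores() interface is ungrammatical and does not say that the grant reaches every domain through the `domain` attribute; suggest `## Allow unix_read access to the semaphores of all domains.` Because the interface carries `<rolecap/>` it is meant to be handed to roles, so stating the breadth in the summary helps a policy author choose it deliberately rather than as a narrower per-domain rule. Note also that this rendering collapses the nested patch's leading whitespace, so the on-disk .patch, not this view, is what has to apply cleanly.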
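--- a/backport-Add-interface-to-watch-all-filesystems.patch
+++ b/backport-Add-interface-to-watch-all-filesystems.patch
@@ -0,0 +1,39 @@
+From 972e4dbcdf87067924239db5dcc89a099298700c Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Mon, 7 Nov 2022 15:20:12 +0100
+Subject: [PATCH] Add interface to watch all filesystems
+
+Resolves: rhbz#2139363
+---
+policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
+1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
+index d7645a534f..918bf32963 100644
+--- a/policy/modules/kernel/filesystem.if
++++ b/policy/modules/kernel/filesystem.if
+@@ -6426,6 +6426,24 @@ interface(`fs_unmount_all_fs',`
+allow $1 filesystem_type:filesystem unmount;
+')
+
++########################################
++## <summary>
++## Watch all filesystems.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_watch_all_fs',`
++ gen_require(`
++ attribute filesystem_type;
++ ')
++
++ allow $1 filesystem_type:filesystem watch;
++')
++
+########################################
+## <summary>
+## Get the attributes of all filesystems.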
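Review bot: This patch's filesystem.if pre-image (`index d7645a534f..918bf32963`) is the post-image of the watch_sb patch's filesystem.if hunk (`index bb2f077f6d..d7645a534f`), which in turn starts from the post-image of the watch-interfaces patch (`index 2c1fdd7150..bb2f077f6d`). The three backports therefore only apply in the order watch-interfaces, watch_sb, watch-all-filesystems; any other order will fail or apply with fuzz against the wrong context. The spec or series file that fixes the order is not part of this commit, so this should be verified there, and a one-line comment next to the patch list naming the dependency would save the next rebase.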
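--- a/backport-Add-journalctl-the-sys_resource-capability.patch
+++ b/backport-Add-journalctl-the-sys_resource-capability.patch
@@ -0,0 +1,32 @@
+From ec3ee928067bfde035d3e66a936bc761f9e4b25d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 3 Feb 2023 17:20:51 +0100
+Subject: [PATCH] Add journalctl the sys_resource capability
+
+The journalctl command runs in the journalctl_t domain when executed by
+a confined user (user, staff, sysadm). When is invoked with pager,
+prctl() is called to change the process name.
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(02/02/2023 12:55:12.623:1405) : proctitle=(pager)
+type=SYSCALL msg=audit(02/02/2023 12:55:12.623:1405) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x8 a2=0x7fd1a3f52000 a3=0x0 items=0 ppid=25495 pid=25516 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=39 comm=(pager) exe=/usr/bin/journalctl subj=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(02/02/2023 12:55:12.623:1405) : avc: denied { sys_resource } for pid=25516 comm=(pager) capability=sys_resource scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=capability permissive=1
+
+Resolves: rhbz#2136189
+---
+policy/modules/contrib/journalctl.te | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/journalctl.te b/policy/modules/contrib/journalctl.te
+index 5b4329c800..b22b6a7130 100644
+--- a/policy/modules/contrib/journalctl.te
++++ b/policy/modules/contrib/journalctl.te
+@@ -18,6 +18,7 @@ role journalctl_roles types journalctl_t;
+#
+# journalctl local policy
+#
++allow journalctl_t self:capability sys_resource;
+allow journalctl_t self:process { fork setrlimit signal_perms };
+
+allow journalctl_t self:fifo_file manage_fifo_file_perms;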
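Review bot: `+allow journalctl_t self:capability sys_resource;` grants a capability much wider than the single prctl(PR_SET_MM) the commit message describes; CAP_SYS_RESOURCE also lets the process exceed its own hard resource limits, and the domain already holds the `setrlimit` process permission on the next line, so the two together are a real widening for a domain that confined users enter. The quoted AVC was recorded with permissive=1 and success=yes, so it does not show whether journalctl actually misbehaves in enforcing mode when the prctl is refused; if the pager rename is cosmetic, `dontaudit journalctl_t self:capability sys_resource;` would silence the denial without widening the domain. Worth confirming on an enforcing system before taking the allow, and either way a comment such as `# prctl(PR_SET_MM) when journalctl renames its pager child` would record why the rule exists.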
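--- a/backport-Add-support-for-samba-dcerpcd.patch
+++ b/backport-Add-support-for-samba-dcerpcd.patch
@@ -0,0 +1,131 @@
+From 7367896085db099d956d666b94601fa9fc9df92a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 1 Jun 2022 12:55:02 +0200
+Subject: [PATCH] Add support for samba-dcerpcd
+
+New samba-dcerpcd binary is shipped with samba-4.16 (refer to
+https://www.samba.org/samba/history/samba-4.16.0.html) to break out
+the DCERPC services from smbd. samba-dcerpcd can be invoked on demand
+from smbd or "winbind --np-helper" to serve DCERPC over named pipes,
+or in a standalone mode, started separately from smbd or winbind,
+but this requires changes to system startup scripts.
+
+This commit bring SELinux support for the breakout with a new
+winbind_rpcd_t type.
+
+Resolves: rhbz#2083511
+---
+policy/modules/contrib/samba.fc | 3 +++
+policy/modules/contrib/samba.if | 19 +++++++++++++
+policy/modules/contrib/samba.te | 47 +++++++++++++++++++++++++++++
+3 files changed, 69 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.fc b/policy/modules/contrib/samba.fc
+index a93346efee..873b3091b8 100644
+--- a/policy/modules/contrib/samba.fc
++++ b/policy/modules/contrib/samba.fc
+@@ -18,6 +18,9 @@
+/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
+/usr/lib/systemd/system/winbind.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
+
++/usr/libexec/samba/rpcd_lsad -- gen_context(system_u:object_r:winbind_rpcd_exec_t,s0)
++/usr/libexec/samba/samba-dcerpcd -- gen_context(system_u:object_r:winbind_rpcd_exec_t,s0)
++
+/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
+/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
+/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
+diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
+index 0366038a90..80244a4360 100644
+--- a/policy/modules/contrib/samba.if
++++ b/policy/modules/contrib/samba.if
+@@ -1080,3 +1080,22 @@ interface(`samba_admin',`
+admin_pattern($1, samba_unit_file_t)
+allow $1 samba_unit_file_t:service all_service_perms;
+')
++
++########################################
++## <summary>
++## Execute winbind rpcd in the winbind_rpcd_t domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`samba_domtrans_winbind_rpcd',`
++ gen_require(`
++ type winbind_rpcd_t, winbind_rpcd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, winbind_rpcd_exec_t, winbind_rpcd_t)
++')
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 60767f430f..03b49cba42 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -176,9 +176,17 @@ role system_r types winbind_helper_t;
+type winbind_helper_exec_t;
+domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
+
++type winbind_rpcd_t;
++type winbind_rpcd_exec_t;
++application_domain(winbind_rpcd_t, winbind_rpcd_exec_t)
++role system_r types winbind_rpcd_t;
++
+type winbind_log_t;
+logging_log_file(winbind_log_t)
+
++type winbind_rpcd_var_run_t;
++files_pid_file(winbind_rpcd_var_run_t)
++
+type winbind_var_run_t;
+files_pid_file(winbind_var_run_t)
+
+@@ -1151,6 +1159,45 @@ optional_policy(`
+squid_rw_stream_sockets(winbind_helper_t)
+')
+
++########################################
++#
++# Winbind-rpcd local policy
++#
++
++allow winbind_rpcd_t self:capability { setgid setuid };
++allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms;
++allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto };
++allow winbind_rpcd_t self:udp_socket create_socket_perms;
++
++allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;
++
++read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t)
++
++manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)
++files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
++manage_dirs_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
++manage_sock_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
++
++manage_files_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
++
++manage_dirs_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
++manage_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
++manage_sock_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
++allow winbind_rpcd_t samba_var_t:file { map } ;
++
++corecmd_exec_bin(winbind_rpcd_t)
++
++optional_policy(`
++ auth_read_passwd_file(winbind_rpcd_t)
++')
++
++# interactions with smbd_t/winbind_t
++allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
++allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;
++
++samba_domtrans_winbind_rpcd(smbd_t)
++samba_domtrans_winbind_rpcd(winbind_t)
++
+########################################
+#
+# samba_unconfined_script_t local policy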
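Review bot: In the samba.te hunk, `+allow winbind_rpcd_t samba_var_t:file { map } ;` wraps a single permission in braces and leaves a stray space before the semicolon, unlike every other rule in the block; write it as `allow winbind_rpcd_t samba_var_t:file map;`. The same hunk calls the module's own new interface (`samba_domtrans_winbind_rpcd(smbd_t)` and `samba_domtrans_winbind_rpcd(winbind_t)`); refpolicy convention is that a module does not call its own interfaces, so `domtrans_pattern(smbd_t, winbind_rpcd_exec_t, winbind_rpcd_t)` plus the winbind_t equivalent is the in-module form, leaving the interface for other modules. The `# Winbind-rpcd local policy` block also gives no reason for `execute_no_trans` on the domain's own entry type; presumably samba-dcerpcd re-executes the rpcd_lsad helper labelled with the same winbind_rpcd_exec_t, and a one-line comment saying so would stop a later cleanup from removing it.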
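--- a/backport-Add-the-kernel_read_proc_files-interface.patch
+++ b/backport-Add-the-kernel_read_proc_files-interface.patch
@@ -0,0 +1,38 @@
+From 0d41bd657e613657b01f75645b6168cf5987e387 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 23 Jun 2022 20:49:49 +0200
+Subject: [PATCH] Add the kernel_read_proc_files() interface
+
+---
+policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
+1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 75623cf38f..8a83ed511d 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -1112,6 +1112,24 @@ interface(`kernel_getattr_proc_files',`
+getattr_files_pattern($1, proc_t, proc_t)
+')
+
++########################################
++## <summary>
++## Read generic files in /proc.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_read_proc_files',`
++ gen_require(`
++ type proc_t;
++ ')
++
++ read_files_pattern($1, proc_t, proc_t)
++')
++
+########################################
+## <summary>
+## Read generic symbolic links in /proc.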
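--- a/backport-Add-watch-interfaces.patch
+++ b/backport-Add-watch-interfaces.patch
@@ -0,0 +1,64 @@
+From 01197e1c606be4b55b1b0551c8f8856bcb8c13f8 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Thu, 3 Nov 2022 11:27:49 +0100
+Subject: [PATCH] Add watch interfaces
+
+Add interfacecs that allow watch filesystem.
+---
+policy/modules/kernel/filesystem.if | 36 +++++++++++++++++++++++++++++
+1 file changed, 36 insertions(+)
+
+diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
+index 2c1fdd7150..bb2f077f6d 100644
+--- a/policy/modules/kernel/filesystem.if
++++ b/policy/modules/kernel/filesystem.if
+@@ -264,6 +264,24 @@ interface(`fs_relabelfrom_xattr_fs',`
+allow $1 fs_t:filesystem relabelfrom;
+')
+
++########################################
++## <summary>
++## Watch filesystem with extended attributes
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_watch_xattr_fs',`
++ gen_require(`
++ type fs_t;
++ ')
++
++ allow $1 fs_t:filesystem watch;
++')
++
+########################################
+## <summary>
+## Get the filesystem quotas of a filesystem
+@@ -5274,6 +5292,24 @@ interface(`fs_mount_tmpfs',`
+allow $1 tmpfs_t:filesystem mount;
+')
+
++########################################
++## <summary>
++## Watch a tmpfs filesystem.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_watch_tmpfs',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ allow $1 tmpfs_t:filesystem watch;
++')
++
+########################################
+## <summary>
+## Dontaudit remount a tmpfs filesystem.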
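Review bot: The new fs_watch_xattr_fs() summary `## Watch filesystem with extended attributes` lacks the article and trailing period that the sibling added in the same patch uses (`## Watch a tmpfs filesystem.`); suggest `## Watch a filesystem with extended attributes.` so the generated interface documentation reads uniformly. Both new interfaces otherwise follow the existing fs_*_xattr_fs and fs_*_tmpfs pattern they sit beside, requiring only the one type each needs.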
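--- a/backport-Add-watch_sb-interfaces.patch
+++ b/backport-Add-watch_sb-interfaces.patch
@@ -0,0 +1,155 @@
+From a65d7a6e589268afc80c871450423c82aeab530a Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Thu, 3 Nov 2022 11:33:59 +0100
+Subject: [PATCH] Add watch_sb interfaces
+
+Add interafaces that allow watch_sb user temporary directories,
+tmpfs directories, boot and root directories.
+Create watch_sb_dirs_pattern and watch_sb_dir_perms
+---
+policy/modules/kernel/files.if | 36 +++++++++++++++++++++++++++++
+policy/modules/kernel/filesystem.if | 18 +++++++++++++++
+policy/modules/system/userdomain.if | 18 +++++++++++++++
+policy/support/file_patterns.spt | 4 ++++
+policy/support/obj_perm_sets.spt | 1 +
+5 files changed, 77 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 046db519bb..eb9e6e032c 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -2560,6 +2560,24 @@ interface(`files_write_root_dirs',`
+allow $1 root_t:dir write;
+')
+
++########################################
++## <summary>
++## Watch_sb root directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_watch_sb_root_dirs', `
++ gen_require(`
++ type root_t;
++ ')
++
++ watch_sb_dirs_pattern($1, root_t, root_t)
++')
++
+########################################
+## <summary>
+## Do not audit attempts to write to / dirs.
+@@ -3089,6 +3107,24 @@ interface(`files_watch_boot_dirs',`
+allow $1 boot_t:dir watch_dir_perms;
+')
+
++########################################
++## <summary>
++## Watch_sb boot directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_watch_sb_boot_dirs', `
++ gen_require(`
++ type boot_t;
++ ')
++
++ watch_sb_dirs_pattern($1, boot_t, boot_t)
++')
++
+########################################
+## <summary>
+## Watch_mount directories in /boot.
+diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
+index bb2f077f6d..d7645a534f 100644
+--- a/policy/modules/kernel/filesystem.if
++++ b/policy/modules/kernel/filesystem.if
+@@ -5400,6 +5400,24 @@ interface(`fs_mounton_tmpfs', `
+allow $1 tmpfs_t:dir mounton;
+')
+
++########################################
++## <summary>
++## Watch_sb tmpfs directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fs_watch_sb_tmpfs', `
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ watch_sb_dirs_pattern($1, tmpfs_t, tmpfs_t)
++')
++
+########################################
+## <summary>
+## Get the attributes of a tmpfs
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index e8817429b2..62bc19c654 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -347,6 +347,24 @@ interface(`userdom_watch_tmp_dirs',`
+watch_dirs_pattern($1, user_tmp_t, user_tmp_t)
+')
+
++#######################################
++## <summary>
++## Watch_sb user temporary directories
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_watch_sb_tmp_dirs',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ watch_sb_dirs_pattern($1, user_tmp_t, user_tmp_t)
++')
++
+#######################################
+## <summary>
+## Watch_mount user temporary directories
+diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
+index c832c0dab0..57581a8573 100644
+--- a/policy/support/file_patterns.spt
++++ b/policy/support/file_patterns.spt
+@@ -88,6 +88,10 @@ define(`watch_reads_dirs_pattern',`
+allow $1 $2:dir search_dir_perms;
+allow $1 $3:dir watch_reads_dir_perms;
+')
++define(`watch_sb_dirs_pattern',`
++ allow $1 $2:dir search_dir_perms;
++ allow $1 $3:dir watch_sb_dir_perms;
++')
+define(`watch_with_perm_dirs_pattern',`
+allow $1 $2:dir search_dir_perms;
+allow $1 $3:dir watch_with_perm_dir_perms;
+diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
+index 85283eb1e5..c76a77fac9 100644
+--- a/policy/support/obj_perm_sets.spt
++++ b/policy/support/obj_perm_sets.spt
+@@ -149,6 +149,7 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
+define(`watch_dir_perms',`{ getattr watch }')
+define(`watch_mount_dir_perms',`{ getattr watch_mount }')
+define(`watch_reads_dir_perms',`{ getattr watch_reads }')
++define(`watch_sb_dir_perms',`{ getattr watch_sb }')
+define(`watch_with_perm_dir_perms',`{ getattr watch_with_perm }')
+
+#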
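Review bot: `+interface(`files_watch_sb_root_dirs', `` and `+interface(`files_watch_sb_boot_dirs', `` in files.if, and `+interface(`fs_watch_sb_tmpfs', `` in filesystem.if, put a space between the comma and the opening quote, while the userdomain.if interface in the same patch and the existing neighbours (`interface(`files_write_root_dirs',``) do not; drop the space so the four new interfaces match each other and the files they land in. The summaries `## Watch_sb root directories.` and its siblings read as a bare permission name rather than a description of what a caller gets; the permission's exact semantics are not on this page, but a wording such as `## Watch root directories via a superblock-level watch (watch_sb).` would tell a policy author how this differs from the plain watch and watch_mount interfaces next to it. The watch_sb_dirs_pattern and watch_sb_dir_perms definitions are added in the same patch, so the interfaces are self-contained once this patch is applied.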
@ -0,0 +1,37 @@
|
||||
From 480a1932eff8ba74e9373c1e7ba9a9d5f8c2d559 Mon Sep 17 00:00:00 2001
|
||||
From: Nikola Knazekova <nknazeko@redhat.com>
|
||||
Date: Mon, 10 Oct 2022 16:45:20 +0200
|
||||
Subject: [PATCH] Add winbind-rpcd to samba_enable_home_dirs boolean
|
||||
|
||||
Update samba_enable_home_dirs boolean to Allow winbind-rpcd to share users home directories.
|
||||
|
||||
SELinux denials appeared, when users configured home directory share in the smb.conf.
|
||||
|
||||
type=AVC msg=audit(1661934914.346:360): avc: denied { read } for pid=4587 comm="samba-dcerpcd" path="/home/xx/Documents/xx" dev="dm-2" ino=21627745 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
|
||||
|
||||
Resolves: bz#2122904
|
||||
---
|
||||
policy/modules/contrib/samba.te | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
|
||||
index 227c22516d..2280531046 100644
|
||||
--- a/policy/modules/contrib/samba.te
|
||||
+++ b/policy/modules/contrib/samba.te
|
||||
@@ -40,7 +40,7 @@ gen_tunable(samba_portmapper, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
-## Allow samba to share users home directories.
|
||||
+## Allow samba and winbind-rpcd to share users home directories.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(samba_enable_home_dirs, false)
|
||||
@@ -475,6 +475,7 @@ tunable_policy(`samba_domain_controller',`
|
||||
|
||||
tunable_policy(`samba_enable_home_dirs',`
|
||||
userdom_manage_user_home_content(smbd_t)
|
||||
+ userdom_manage_user_home_content(winbind_rpcd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
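--- a/backport-Allow-apcupsd-dbus-chat-with-systemd-logind.patch
+++ b/backport-Allow-apcupsd-dbus-chat-with-systemd-logind.patch
@@ -0,0 +1,30 @@
+From d38bb2e165ea780ef87588c1fdf1af23b6d332bf Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 3 Jan 2023 20:04:50 +0100
+Subject: [PATCH] Allow apcupsd dbus chat with systemd-logind
+
+The permission is required in case of a power outage when apcupsd wants
+to initiate a shutdown.
+
+Addresses the following USER_AVC denial:
+
+Dec 29 08:41:25 hostname audit[516]: USER_AVC pid=516 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=0#012 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
+
+Resolves: rhbz#2157175
+---
+policy/modules/contrib/apcupsd.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
+index 4ea8ba6f87..49ecadfc7c 100644
+--- a/policy/modules/contrib/apcupsd.te
++++ b/policy/modules/contrib/apcupsd.te
+@@ -112,6 +112,8 @@ logging_send_syslog_msg(apcupsd_t)
+
+sysnet_dns_name_resolve(apcupsd_t)
+
++systemd_dbus_chat_logind(apcupsd_t)
++
+userdom_use_inherited_user_ttys(apcupsd_t)
+
+optional_policy(`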
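Review bot: `+systemd_dbus_chat_logind(apcupsd_t)` is the conventional way to express a D-Bus client in this policy tree, but chat interfaces grant send_msg in both directions, whereas the quoted USER_AVC shows only apcupsd_t sending to systemd_logind_t; if the tree has a send-only logind interface it would be the tighter fit, otherwise this is acceptable. The rule carries no explanation, and the commit message is the only place that says why a UPS daemon talks to logind; a comment such as `# ask logind to power off when the UPS reports an outage` on the new line would keep that reason with the policy. Placement between the sysnet_ and userdom_ calls matches the alphabetical order of the surrounding block.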
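--- a/backport-Allow-exim-read-network-sysctls.patch
+++ b/backport-Allow-exim-read-network-sysctls.patch
@@ -0,0 +1,25 @@
+From 0b67d4d4f01428ebf80f2b695c970a27ed620b03 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 31 May 2023 08:54:38 +0200
+Subject: [PATCH] Allow exim read network sysctls
+
+The commit addresses the following AVC denial:
+type=AVC msg=audit(1685423685.876:788): avc: denied { search } for pid=41331 comm="exim" name="net" dev="proc" ino=736304 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
+
+Resolves: rhbz#2211025
+---
+policy/modules/contrib/exim.te | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
+index 6e6792b06d..8ca4e25045 100644
+--- a/policy/modules/contrib/exim.te
++++ b/policy/modules/contrib/exim.te
+@@ -104,6 +104,7 @@ can_exec(exim_t, exim_exec_t)
+
+kernel_read_crypto_sysctls(exim_t)
+kernel_read_kernel_sysctls(exim_t)
++kernel_read_net_sysctls(exim_t)
+kernel_read_network_state(exim_t)
+kernel_read_system_state(exim_t)
+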
@ -0,0 +1,42 @@
|
||||
From b9d573e4cd9dc7ca4283488e166e83250c434a63 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Tue, 13 Dec 2022 19:02:04 +0100
|
||||
Subject: [PATCH] Allow journalctl relabel with var_log_t and syslogd_var_run_t
|
||||
files
|
||||
|
||||
The journald service runs in the syslogd_t domain as well as syslog
|
||||
daemons. When journal-offline wants to rotate journal files, which can
|
||||
be in /var/log/journal or /run/log/journal, it modifies all extended
|
||||
attributes, namely copy-on-write and security.selinux content, so
|
||||
relabelfrom and relabelto permissions are needed.
|
||||
|
||||
Addresses the following AVC denial:
|
||||
type=PROCTITLE msg=audit(1670904722.619:48): proctitle="/usr/lib/systemd/systemd-journald"
|
||||
type=SYSCALL msg=audit(1670904722.619:48): arch=c00000b7 syscall=7 success=no exit=-13 a0=1d a1=ffffa0000b78 a2=ffffa0000e10 a3=27 items=0 ppid=1 pid=598 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="journal-offline" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
|
||||
type=AVC msg=audit(1670904722.619:48): avc: denied { relabelfrom } for pid=598 comm="journal-offline" name=".#system@1d25afdf416a40bb98bce9ac89ae6846-0000000000000001-0005efadd1f07135.journal941ddc8fc49c256a" dev="tmpfs" ino=1026 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=0
|
||||
|
||||
Resolves: rhbz#2075527
|
||||
---
|
||||
policy/modules/system/logging.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index d96d862f7c..34dd6aabe1 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -509,6 +509,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
|
||||
|
||||
# create/append log files.
|
||||
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
|
||||
+relabel_files_pattern(syslogd_t, var_log_t, var_log_t)
|
||||
allow syslogd_t var_log_t:file map;
|
||||
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
|
||||
files_search_spool(syslogd_t)
|
||||
@@ -533,6 +534,7 @@ files_search_var_lib(syslogd_t)
|
||||
allow syslogd_t syslogd_var_run_t:dir watch_dir_perms;
|
||||
manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
||||
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
||||
+relabel_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
||||
manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
||||
mmap_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
|
||||
files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })
|
||||
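Review bot: The existing `# create/append log files.` comment now sits above `+relabel_files_pattern(syslogd_t, var_log_t, var_log_t)` and no longer describes the block; suggest `# create/append log files; journal-offline also rewrites xattrs on rotation (relabel within var_log_t)`. relabel_files_pattern with the same type as source and target grants relabelfrom and relabelto only on var_log_t files, so syslogd_t still cannot move a log file to another type, which is worth stating because "relabel all of var_log_t" sounds broader than it is. The second hunk adds the same pattern for syslogd_var_run_t with no comment at all, and both hunks belong to syslogd_t rule blocks that extend beyond what is shown here.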
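--- a/backport-Allow-keepalived-to-set-resource-limits.patch
+++ b/backport-Allow-keepalived-to-set-resource-limits.patch
@@ -0,0 +1,28 @@
+From 59844c55226997c854bd82ac0f4b3e4df3da8fea Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Thu, 15 Dec 2022 12:10:58 +0100
+Subject: [PATCH] Allow keepalived to set resource limits
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(12/06/2022 06:01:28.343:362) : proctitle=/usr/sbin/keepalived --dont-fork -D
+type=SYSCALL msg=audit(12/06/2022 06:01:28.343:362) : arch=x86_64 syscall=prlimit64 success=no exit=EACCES(Permission denied) a0=0x0 a1=0xf a2=0x7ffcac307690 a3=0x0 items=0 ppid=4738 pid=4740 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
+type=AVC msg=audit(12/06/2022 06:01:28.343:362) : avc: denied { setrlimit } for pid=4740 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process permissive=0
+
+Resolves: rhbz#2151212
+---
+policy/modules/contrib/keepalived.te | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/keepalived.te b/policy/modules/contrib/keepalived.te
+index ff0b498188..02170721c1 100644
+--- a/policy/modules/contrib/keepalived.te
++++ b/policy/modules/contrib/keepalived.te
+@@ -39,7 +39,7 @@ files_tmpfs_file(keepalived_tmpfs_t)
+
+allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setuid setgid sys_admin sys_nice sys_ptrace };
+allow keepalived_t self:capability2 bpf;
+-allow keepalived_t self:process { signal_perms getpgid setpgid setsched };
++allow keepalived_t self:process { signal_perms getpgid setpgid setsched setrlimit };
+allow keepalived_t self:icmp_socket create_socket_perms;
+allow keepalived_t self:netlink_socket create_socket_perms;
+allow keepalived_t self:netlink_generic_socket create_socket_perms;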
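--- a/backport-Allow-kernel-to-manage-its-own-BPF-objects.patch
+++ b/backport-Allow-kernel-to-manage-its-own-BPF-objects.patch
@@ -0,0 +1,27 @@
+From f33bc79e172068ca4cb47281b8fcfc9f47840b61 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Mon, 22 May 2023 14:30:26 +0200
+Subject: [PATCH] Allow kernel to manage its own BPF objects
+
+Kernel threads may end up calling __sys_bpf(), which does the usual BPF
+access checks, so make sure kernel_t is allowed to at least operate on
+its own BPF fds.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2186595
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+policy/modules/kernel/kernel.te | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index b86852812b..e0fcd2dff9 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -271,6 +271,7 @@ allow kernel_t self:unix_stream_socket connectto;
+allow kernel_t self:fifo_file rw_fifo_file_perms;
+allow kernel_t self:sock_file read_sock_file_perms;
+allow kernel_t self:fd use;
++allow kernel_t self:bpf { map_create map_read map_write prog_load prog_run };
+
+allow kernel_t debugfs_t:dir search_dir_perms;
+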
@ -0,0 +1,30 @@
|
||||
From daca0f5683e2ed842c60d274f67fb0469afd3911 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Fri, 28 Apr 2023 17:30:22 +0200
|
||||
Subject: [PATCH] Allow logrotate dbus chat with systemd-hostnamed
|
||||
|
||||
This denials appears when a service operating on a network is called
|
||||
from logrotate to perform an action, like ejabber to reopen its logs
|
||||
after logrotate finishes.
|
||||
|
||||
The commit addresses the following USER_AVC denial:
|
||||
|
||||
type=USER_AVC msg=audit(1676761204.161:9833): pid=543 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
|
||||
|
||||
Resolves: rhbz#2171294
|
||||
---
|
||||
policy/modules/contrib/logrotate.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
|
||||
index fdd9039f8c..24bc2e72f3 100644
|
||||
--- a/policy/modules/contrib/logrotate.te
|
||||
+++ b/policy/modules/contrib/logrotate.te
|
||||
@@ -178,6 +178,7 @@ systemd_reload_all_services(logrotate_t)
|
||||
systemd_status_all_unit_files(logrotate_t)
|
||||
systemd_dbus_chat_logind(logrotate_t)
|
||||
systemd_config_generic_services(logrotate_t)
|
||||
+systemd_dbus_chat_hostnamed(logrotate_t)
|
||||
init_stream_connect(logrotate_t)
|
||||
init_reload_transient_unit(logrotate_t)
|
||||
|
||||
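Review bot: `systemd_dbus_chat_hostnamed(logrotate_t)` grants send_msg in both directions, while the quoted USER_AVC only shows logrotate_t sending to systemd_hostnamed_t; if a one-way send interface exists in this policy it would be the narrower fix, so verify before adopting the bidirectional one. A short comment such as `# services restarted from logrotate postrotate scripts (e.g. ejabberd) query hostnamed` above the new line would also record why a log rotator talks to hostnamed, since the message's explanation is easy to miss.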
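--- a/backport-Allow-logwatch_mail_t-read-network-sysctls.patch
+++ b/backport-Allow-logwatch_mail_t-read-network-sysctls.patch
@@ -0,0 +1,27 @@
+From 293e78308264d844124f464683512193ec85e4c4 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 31 Mar 2023 13:10:37 +0200
+Subject: [PATCH] Allow logwatch_mail_t read network sysctls
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(1680192422.976:513): avc: denied { open } for pid=9788 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=33052 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
+
+Resolves: rhbz#2208763
+---
+policy/modules/contrib/logwatch.te | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
+index 42b322fb77..ea6db46809 100644
+--- a/policy/modules/contrib/logwatch.te
++++ b/policy/modules/contrib/logwatch.te
+@@ -198,6 +198,8 @@ manage_files_pattern(logwatch_mail_t, logwatch_cache_t, logwatch_cache_t)
+
+manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
+
++kernel_read_net_sysctls(logwatch_mail_t)
++
+dev_read_rand(logwatch_mail_t)
+dev_read_urand(logwatch_mail_t)
+dev_read_sysfs(logwatch_mail_t)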
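Review bot: `kernel_read_net_sysctls(logwatch_mail_t)` grants read access to the whole sysctl_net_t tree, whereas the quoted AVC is for one file, /proc/sys/net/ipv6/conf/all/disable_ipv6, opened by sendmail. That widening is the usual refpolicy granularity and is acceptable, but it should be stated next to the rule, e.g. `# sendmail checks net.ipv6 disable_ipv6 sysctls` above the new line. The same single-file denial resolved by the whole-tree interface appears in the rpc.gssd patch (rpc.te) and the syslogd patch (logging.te) in this commit, and the same comment applies there.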
@ -0,0 +1,23 @@
|
||||
From 991e1cd627e9dba1bb5a89ca87c90b2542453018 Mon Sep 17 00:00:00 2001
|
||||
From: Nikola Knazekova <nknazeko@redhat.com>
|
||||
Date: Thu, 27 Oct 2022 14:23:35 +0200
|
||||
Subject: [PATCH] Allow pcscd bpf capability to run bpf programs
|
||||
|
||||
Resolves: rhbz#2134827
|
||||
---
|
||||
policy/modules/contrib/pcscd.te | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
|
||||
index d0d83da261..5b22ac8268 100644
|
||||
--- a/policy/modules/contrib/pcscd.te
|
||||
+++ b/policy/modules/contrib/pcscd.te
|
||||
@@ -23,7 +23,7 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
|
||||
|
||||
allow pcscd_t self:capability { dac_read_search fsetid };
|
||||
dontaudit pcscd_t self:capability { sys_admin };
|
||||
-allow pcscd_t self:capability2 { wake_alarm };
|
||||
+allow pcscd_t self:capability2 { bpf wake_alarm };
|
||||
allow pcscd_t self:cap_userns sys_ptrace;
|
||||
allow pcscd_t self:process { signal signull };
|
||||
dontaudit pcscd_t self:process setsched;
|
||||
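Review bot: `allow pcscd_t self:capability2 { bpf wake_alarm };` grants CAP_BPF with no AVC quoted and no matching `self:bpf` object-class rule in the same patch, so the change does not show which bpf(2) operation pcscd performs or that the capability alone closes rhbz#2134827. The systemd-rfkill patch later in this commit quotes its `capability=39` denial and explains the use; this one should do the same, at least as a comment above the rule, e.g. `# CAP_BPF for <operation seen in the AVC> (rhbz#2134827)` with the placeholder filled in from the denial. CAP_BPF is a broad capability, so a reviewer reading the policy later needs that evidence in the file rather than in a bug tracker.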
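--- a/backport-Allow-rpc.gssd-read-network-sysctls.patch
+++ b/backport-Allow-rpc.gssd-read-network-sysctls.patch
@@ -0,0 +1,27 @@
+From d6bb54218c4b3f5cbed4c3b7115dc43793ebdcba Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 16 Nov 2022 16:37:54 +0100
+Subject: [PATCH] Allow rpc.gssd read network sysctls
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(1668606673.80:374): avc: denied { read } for pid=1236 comm="rpc.gssd" name="disable_ipv6" dev="proc" ino=32004 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
+
+Resolves: rhbz#2143271
+---
+policy/modules/contrib/rpc.te | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
+index a13661a797..f94cfa5d24 100644
+--- a/policy/modules/contrib/rpc.te
++++ b/policy/modules/contrib/rpc.te
+@@ -369,7 +369,7 @@ kernel_read_system_state(gssd_t)
+kernel_read_network_state(gssd_t)
+kernel_read_network_state_symlinks(gssd_t)
+kernel_request_load_module(gssd_t)
+-kernel_search_network_sysctl(gssd_t)
++kernel_read_net_sysctls(gssd_t)
+kernel_signal(gssd_t)
+
+corecmd_exec_bin(gssd_t)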
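Review bot: Replacing `kernel_search_network_sysctl(gssd_t)` with `kernel_read_net_sysctls(gssd_t)` only keeps rpc.gssd working if the read interface also grants the directory search the removed line provided; in refpolicy the read variant is expected to include the dir permissions, but that should be confirmed against the kernel.if this backport targets rather than assumed, and if it does not, keep both lines. A one-line comment naming the sysctl rpc.gssd reads (disable_ipv6, per the AVC) would make the intent of the swap clear to the next reader.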
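--- a/backport-Allow-rpcd_lsad-setcap-and-use-generic-ptys.patch
+++ b/backport-Allow-rpcd_lsad-setcap-and-use-generic-ptys.patch
@@ -0,0 +1,49 @@
+From e1fe6ba8a75ff66e506e7d80b4d8ccb8f899ec39 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 24 May 2023 16:39:11 +0200
+Subject: [PATCH] Allow rpcd_lsad setcap and use generic ptys
+
+Allow /usr/libexec/samba/rpcd_lsad running in the winbind_rpcd_t domain
+the setcap permission to use capset(2) and use generic ptys when a request
+to change a password is made. Note winbind_rpcd_t is not in the daemon
+attribute which is a subject of the daemons_use_tty boolean.
+
+The commit addresses the following AVC denials:
+
+type=PROCTITLE msg=audit(05/23/2023 15:45:49.588:911) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=2 --worker-index=0 --debuglevel=0
+type=PATH msg=audit(05/23/2023 15:45:49.588:911) : item=0 name=/dev/pts/2 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(05/23/2023 15:45:49.588:911) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffce321e8c0 a1=0x7ffce321e830 a2=0x7ffce321e830 a3=0x0 items=1 ppid=129672 pid=129682 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
+type=AVC msg=audit(05/23/2023 15:45:49.588:911) : avc: denied { search } for pid=129682 comm=rpcd_lsad name=/ dev="devpts" ino=1 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=0
+
+type=PROCTITLE msg=audit(05/24/2023 03:08:08.440:1130) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=2 --worker-index=0 --debuglevel=0
+type=SYSCALL msg=audit(05/24/2023 03:08:08.440:1130) : arch=x86_64 syscall=capset success=no exit=EACCES(Permission denied) a0=0x561752d238b4 a1=0x561752d238bc a2=0x561752d238bc a3=0x7ffd6edcd904 items=0 ppid=164904 pid=164906 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
+type=AVC msg=audit(05/24/2023 03:08:08.440:1130) : avc: denied { setcap } for pid=164906 comm=rpcd_lsad scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=0
+
+Resolves: rhbz#2107106
+---
+policy/modules/contrib/samba.te | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 9847d3da29..1a90ca864f 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1173,6 +1173,7 @@ optional_policy(`
+allow winbind_rpcd_t self:capability { setgid setuid };
+allow winbind_rpcd_t self:key { read write };
+allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms;
++allow winbind_rpcd_t self:process setcap;
+allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow winbind_rpcd_t self:unix_stream_socket connectto;
+allow winbind_rpcd_t self:udp_socket create_socket_perms;
+@@ -1268,6 +1269,10 @@ optional_policy(`
+systemd_userdbd_stream_connect(winbind_rpcd_t)
+')
+
++optional_policy(`
++ term_use_generic_ptys(winbind_rpcd_t)
++')
++
+optional_policy(`
+unconfined_dgram_send(winbind_rpcd_t)
+')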
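Review bot: `term_use_generic_ptys(winbind_rpcd_t)` in the second samba.te hunk grants read/write on every generic pty, but the quoted AVC shows only a `search` denial on devpts_t:dir from a stat() of /dev/pts/2; unless a later denial shows chr_file access, a narrower interface covering devpts search/getattr may be enough, and giving a network-facing RPC worker write access to users' terminals is worth a deliberate decision recorded in a comment. The message itself notes winbind_rpcd_t is outside the daemon attribute so daemons_use_tty cannot gate this; if full pty use is really needed, a tunable_policy gate is preferable to an unconditional block. Wrapping a terminal-module interface in optional_policy is also unusual here — the term_use_ptmx line visible in the passwords patch of this commit is not wrapped — so the two should be made consistent.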
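--- a/backport-Allow-samba-bgqd-get-a-printer-list.patch
+++ b/backport-Allow-samba-bgqd-get-a-printer-list.patch
@@ -0,0 +1,53 @@
+From b3a5dfcc161ee097a0a5aa0fbf515e2e0bfb7430 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 5 Aug 2022 16:42:50 +0200
+Subject: [PATCH] Allow samba-bgqd get a printer list
+
+When `rpcclient localhost -c 'enumprinters'` or a similar command is executed,
+samba-bgqd connects to the cups service to get the list of configured printers.
+The printers are then cached and updated on regular basis.
+
+Resolves: rhbz#2112395
+---
+policy/modules/contrib/samba.te | 15 ++++++++++++++-
+1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 61598b8e39..d64ba6e569 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1198,10 +1198,16 @@ kernel_read_network_state(winbind_rpcd_t)
+
+corecmd_exec_bin(winbind_rpcd_t)
+
++corenet_tcp_connect_ipp_port(winbind_rpcd_t)
++
+optional_policy(`
+auth_read_passwd(winbind_rpcd_t)
+')
+
++optional_policy(`
++ cups_stream_connect(winbind_rpcd_t)
++')
++
+optional_policy(`
+dbus_system_bus_client(winbind_rpcd_t)
+')
+@@ -1236,9 +1242,16 @@ optional_policy(`
+systemd_userdbd_stream_connect(winbind_rpcd_t)
+')
+
+-# interactions with smbd_t/winbind_t
++optional_policy(`
++ unconfined_dgram_send(winbind_rpcd_t)
++')
++
++# inter-process communication with other samba domains
+allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
+allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;
++allow winbind_rpcd_t nmbd_t:unix_dgram_socket sendto;
++allow winbind_rpcd_t smbd_t:unix_dgram_socket sendto;
++allow winbind_rpcd_t winbind_t:unix_dgram_socket sendto;
+allow winbind_rpcd_t winbind_t:unix_stream_socket connectto;
+
+samba_domtrans_winbind_rpcd(smbd_t)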
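Review bot: `unconfined_dgram_send(winbind_rpcd_t)` and the three `allow winbind_rpcd_t {nmbd_t,smbd_t,winbind_t}:unix_dgram_socket sendto;` rules in the second samba.te hunk are not mentioned in the commit message, which only explains the cups connection for enumprinters, so roughly half of the 14 insertions are unrelated IPC grants with no denial on record. Either split them into their own backport with their denials or extend the message, and give the dgram rules a why-comment, e.g. `# samba-bgqd signals the other samba daemons over unix datagrams`. The send to an unconfined domain in particular should say which process it targets, since that is the one rule here that crosses out of the samba domains.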
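--- a/backport-Allow-samba-bgqd-to-read-a-printer-list.patch
+++ b/backport-Allow-samba-bgqd-to-read-a-printer-list.patch
@@ -0,0 +1,25 @@
+From 4d2a6d493a3a523c9bbb1d5f276f94bb176f5dec Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova <nknazeko@redhat.com>
+Date: Mon, 22 Aug 2022 16:40:09 +0200
+Subject: [PATCH] Allow samba-bgqd to read a printer list
+
+Allow samba-bgqd, helper program performing asynchronous printing-related jobs,
+to read /etc/printcap file, where are stored printer definitions.
+
+Fix: bz#2118977
+---
+policy/modules/contrib/samba.te | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 82ba1abf64..323e38b4cc 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1206,6 +1206,7 @@ optional_policy(`
+')
+
+optional_policy(`
++ cups_read_config(winbind_rpcd_t)
+cups_stream_connect(winbind_rpcd_t)
+')
+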
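Review bot: The trailer `Fix: bz#2118977` differs from the `Resolves: rhbz#NNNNNNN` form used by every other patch in this commit, which matters if the build or changelog tooling greps for the Resolves trailer; consider normalising it to `Resolves: rhbz#2118977`. `cups_read_config(winbind_rpcd_t)` is broader than the single /etc/printcap file the message describes, so a comment such as `# /etc/printcap for the samba-bgqd printer list` above the line would record the intended scope.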
@ -0,0 +1,26 @@
|
||||
From 400871693697941947ae35e9c914c129518880f0 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Mon, 22 May 2023 15:03:56 +0200
|
||||
Subject: [PATCH] Allow samba-dcerpcd connect to systemd_machined over a unix
|
||||
socket
|
||||
|
||||
The commit addresses the following AVC denial:
|
||||
type=AVC msg=audit(1684646002.435:1902): avc: denied { connectto } for pid=27491 comm="rpcd_winreg" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
|
||||
|
||||
Resolves: rhbz#2208845
|
||||
---
|
||||
policy/modules/contrib/samba.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
|
||||
index c8123ff29d..9847d3da29 100644
|
||||
--- a/policy/modules/contrib/samba.te
|
||||
+++ b/policy/modules/contrib/samba.te
|
||||
@@ -1264,6 +1264,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ systemd_machined_stream_connect(winbind_rpcd_t)
|
||||
systemd_userdbd_stream_connect(winbind_rpcd_t)
|
||||
')
|
||||
|
||||
@ -0,0 +1,34 @@
|
||||
From cac4a1f3b825bdc7f7eeaa4b219c95342ddd135c Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Mon, 10 Oct 2022 16:39:50 +0200
|
||||
Subject: [PATCH] Allow samba-dcerpcd use NSCD services over a unix stream
|
||||
socket
|
||||
|
||||
Addresses the following AVC denial:
|
||||
|
||||
type=PROCTITLE msg=audit(08/26/2022 04:14:24.657:453) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=23 --np-helper --debuglevel=0
|
||||
type=PATH msg=audit(08/26/2022 04:14:24.657:453) : item=0 name=/var/run/nscd/socket inode=130894 dev=00:18 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nscd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
|
||||
type=SOCKADDR msg=audit(08/26/2022 04:14:24.657:453) : saddr={ saddr_fam=local path=/var/run/nscd/socket }
|
||||
type=SYSCALL msg=audit(08/26/2022 04:14:24.657:453) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x4 a1=0x7ffccfc81970 a2=0x6e a3=0x6 items=1 ppid=1 pid=93859 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
|
||||
type=AVC msg=audit(08/26/2022 04:14:24.657:453) : avc: denied { write } for pid=93859 comm=samba-dcerpcd name=socket dev="tmpfs" ino=130894 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file permissive=0
|
||||
|
||||
Resolves: rhbz#2121709
|
||||
---
|
||||
policy/modules/contrib/samba.te | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
|
||||
index 23af3a1304..227c22516d 100644
|
||||
--- a/policy/modules/contrib/samba.te
|
||||
+++ b/policy/modules/contrib/samba.te
|
||||
@@ -1232,6 +1232,10 @@ optional_policy(`
|
||||
miscfiles_read_generic_certs(winbind_rpcd_t)
|
||||
')
|
||||
|
||||
+optional_policy(`
|
||||
+ nscd_socket_use(winbind_rpcd_t)
|
||||
+')
|
||||
+
|
||||
optional_policy(`
|
||||
sssd_read_public_files(winbind_rpcd_t)
|
||||
sssd_stream_connect(winbind_rpcd_t)
|
||||
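--- a/backport-Allow-samba-dcerpcd-work-with-sssd.patch
+++ b/backport-Allow-samba-dcerpcd-work-with-sssd.patch
@@ -0,0 +1,32 @@
+From 88a28fc843a9e3a0039647d0b6fdd5ac7895a286 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 21 Jun 2022 16:02:49 +0200
+Subject: [PATCH] Allow samba-dcerpcd work with sssd
+
+Addresses the following AVC denials:
+
+type=AVC msg=audit(1655206265.325:3211): avc: denied { open } for pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
+type=AVC msg=audit(1655206265.325:3214): avc: denied { connectto } for pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
+type=AVC msg=audit(1655206265.325:3214): avc: denied { write } for pid=33521 comm="samba-dcerpcd" name="nss" dev="vda3" ino=17045861 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
+
+Resolves: rhbz#2096825
+---
+policy/modules/contrib/samba.te | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 5e851af84a..091e016fd0 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1215,6 +1215,11 @@ optional_policy(`
+logging_send_syslog_msg(winbind_rpcd_t)
+')
+
++optional_policy(`
++ sssd_read_public_files(winbind_rpcd_t)
++ sssd_stream_connect(winbind_rpcd_t)
++')
++
+optional_policy(`
+sysnet_read_config(winbind_rpcd_t)
+')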
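--- a/backport-Allow-samba-rpcd-work-with-passwords.patch
+++ b/backport-Allow-samba-rpcd-work-with-passwords.patch
@@ -0,0 +1,36 @@
+From d5438718efffaf9bdfb6abe2d7fe8ecb1a316b84 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 11 May 2023 17:21:03 +0200
+Subject: [PATCH] Allow samba-rpcd work with passwords
+
+A domain transition on chkpwd execution was allowed to winbind_rpcd_t
+unconditionally and permissions to use the passwd command only when the
+samba_domain_controller boolean is turned on.
+
+Resolves: rhbz#2107106
+---
+policy/modules/contrib/samba.te | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 6143ea2622..c8123ff29d 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -471,6 +471,9 @@ tunable_policy(`samba_domain_controller',`
+usermanage_domtrans_useradd(smbd_t)
+usermanage_domtrans_groupadd(smbd_t)
+allow smbd_t self:passwd passwd;
++
++ usermanage_domtrans_passwd(winbind_rpcd_t)
++ allow winbind_rpcd_t self:passwd passwd;
+')
+
+tunable_policy(`samba_enable_home_dirs',`
+@@ -1213,6 +1216,7 @@ term_getattr_pty_fs(winbind_rpcd_t)
+term_use_ptmx(winbind_rpcd_t)
+
+optional_policy(`
++ auth_domtrans_chk_passwd(winbind_rpcd_t)
+auth_read_passwd(winbind_rpcd_t)
+')
+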
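Review bot: `auth_domtrans_chk_passwd(winbind_rpcd_t)` in the second samba.te hunk is unconditional while the passwd-related rules in the first hunk are gated by samba_domain_controller; the message states this split but not why a non-DC samba-dcerpcd needs to run the chkpwd helper, which reads the shadow database. If it is only needed on the DC password-change path, move it under the same tunable_policy block; if it is needed generally, say so in a comment above the line, e.g. `# chkpwd helper for PAM password verification (rhbz#2107106)`. rhbz#2107106 is also the bug cited by the rpcd_lsad setcap/pty patch in this commit, so the two backports should be read as one change.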
@ -0,0 +1,22 @@
|
||||
From 3d3ff36126d0fd7a38519ede5ad076303105b891 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Thu, 25 Aug 2022 17:33:20 +0200
|
||||
Subject: [PATCH] Allow smbd_t process noatsecure permission for winbind_rpcd_t
|
||||
|
||||
Resolves: rhbz#2117199
|
||||
---
|
||||
policy/modules/contrib/samba.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
|
||||
index 323e38b4cc..d25bc64f5d 100644
|
||||
--- a/policy/modules/contrib/samba.te
|
||||
+++ b/policy/modules/contrib/samba.te
|
||||
@@ -1249,6 +1249,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
# inter-process communication with other samba domains
|
||||
+allow smbd_t winbind_rpcd_t:process noatsecure;
|
||||
allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
|
||||
allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;
|
||||
allow winbind_rpcd_t nmbd_t:unix_dgram_socket sendto;
|
||||
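Review bot: `allow smbd_t winbind_rpcd_t:process noatsecure;` has no AVC or rationale in the patch; noatsecure switches off the secure-execution environment sanitising (AT_SECURE) that the dynamic loader applies across the smbd_t to winbind_rpcd_t transition, so the reason samba needs its environment passed through unchanged should be recorded rather than granted silently. At minimum add a comment such as `# smbd spawns samba-dcerpcd with its environment intact (rhbz#2117199)`, and if the need is a single variable, check whether the helper can be started without it.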
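--- a/backport-Allow-sssd-dbus-chat-with-system-cronjobs.patch
+++ b/backport-Allow-sssd-dbus-chat-with-system-cronjobs.patch
@@ -0,0 +1,29 @@
+From c8a25442b17ef4a95fa45cdde90cb6df30946fb1 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 11 Nov 2022 12:37:07 +0100
+Subject: [PATCH] Allow sssd dbus chat with system cronjobs
+
+Addresses the following USER_AVC denial:
+
+type=USER_AVC msg=audit(10/11/2022 14:36:01.711:447) : pid=973 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.1467 spid=5736 tpid=7278 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
+
+Resolves: rhbz#2132922
+---
+policy/modules/contrib/sssd.te | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
+index 90d04fd918..f84c905f42 100644
+--- a/policy/modules/contrib/sssd.te
++++ b/policy/modules/contrib/sssd.te
+@@ -192,6 +192,10 @@ optional_policy(`
+optional_policy(`
+dbus_system_bus_client(sssd_t)
+dbus_connect_system_bus(sssd_t)
++
++ optional_policy(`
++ cron_dbus_chat_system_job(sssd_t)
++ ')
+')
+
+optional_policy(`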
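--- a/backport-Allow-syslogd-read-network-sysctls.patch
+++ b/backport-Allow-syslogd-read-network-sysctls.patch
@@ -0,0 +1,26 @@
+From 2eafd6c8cbc18aa52e320663ba6bf63f334c95d9 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Wed, 23 Nov 2022 09:20:51 +0100
+Subject: [PATCH] Allow syslogd read network sysctls
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(1669156432.404:191): avc: denied { read } for pid=700 comm="rsyslogd" name="disable_ipv6" dev="proc" ino=19523 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
+
+Resolves: rhbz#2145019
+---
+policy/modules/system/logging.te | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 4e00b7935a..d96d862f7c 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -541,6 +541,7 @@ kernel_rw_stream_socket_perms(syslogd_t)
+kernel_read_system_state(syslogd_t)
+kernel_read_network_state(syslogd_t)
+kernel_read_kernel_sysctls(syslogd_t)
++kernel_read_net_sysctls(syslogd_t)
+kernel_read_netlink_audit_socket(syslogd_t)
+kernel_read_proc_symlinks(syslogd_t)
+# Allow access to /proc/kmsg for syslog-ng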
@ -0,0 +1,25 @@
|
||||
From 119f307391811d408d2cbed82632b46814376769 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Thu, 16 Feb 2023 13:04:48 +0100
|
||||
Subject: [PATCH] Allow system_cronjob_t transition to rpm_script_t
|
||||
|
||||
This permission is required for rpm-like programs (rpm, dnf)
|
||||
executed from system cronjobs, e. g. /etc/crontab.
|
||||
|
||||
Resolves: rhbz#2173255
|
||||
---
|
||||
policy/modules/contrib/cron.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
|
||||
index a269cfcc50..8bc806ab9c 100644
|
||||
--- a/policy/modules/contrib/cron.te
|
||||
+++ b/policy/modules/contrib/cron.te
|
||||
@@ -545,6 +545,7 @@ ifdef(`distro_redhat',`
|
||||
# via redirection of standard out.
|
||||
optional_policy(`
|
||||
rpm_manage_log(system_cronjob_t)
|
||||
+ rpm_transition_script(system_cronjob_t, system_r)
|
||||
')
|
||||
')
|
||||
|
||||
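Review bot: `rpm_transition_script(system_cronjob_t, system_r)` lets any system cron job enter rpm_script_t, which in this policy family is typically a very permissive scriptlet domain, so the line extends what a job in /etc/crontab can reach well beyond the rpm log access it sits next to. That may be the intended behaviour for unattended dnf/rpm runs, but it deserves a comment stating it, e.g. `# dnf/rpm run from /etc/crontab need the rpm scriptlet domain (rhbz#2173255)`. The enclosing `ifdef(`distro_redhat'` block begins before the hunk, so confirm the new line is in the Red Hat-only section as intended.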
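--- a/backport-Allow-systemd-coredump-mounton-usr.patch
+++ b/backport-Allow-systemd-coredump-mounton-usr.patch
@@ -0,0 +1,57 @@
+From 4a49782a31552a8ef0894f0c8d52a2328f269b1c Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 11 Apr 2023 13:22:29 +0200
+Subject: [PATCH] Allow systemd-coredump mounton /usr
+
+The files_mounton_usr() interface was added.
+
+Addresses the following AVC denial:
+type=AVC msg=audit(1680965603.852:5360): avc: denied { mounton } for pid=2016312 comm="(sd-parse-elf)" path="/" dev="sda4" ino=2 scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
+
+Resolves: rhbz#2185385
+---
+policy/modules/kernel/files.if | 18 ++++++++++++++++++
+policy/modules/system/systemd.te | 1 +
+2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 1a57076567..6226fca96c 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -3699,6 +3699,24 @@ interface(`files_mounton_etc',`
+allow $1 etc_t:dir mounton;
+')
+
++########################################
++## <summary>
++## Mounton directories on the /usr filesystem
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_mounton_usr',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ allow $1 usr_t:dir mounton;
++')
++
+########################################
+## <summary>
+## Search the contents of /etc directories.
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 57c72d8347..60dbc205ef 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1144,6 +1144,7 @@ files_read_non_security_files(systemd_coredump_t)
+files_map_non_security_files(systemd_coredump_t)
+
+files_mounton_rootfs(systemd_coredump_t)
++files_mounton_usr(systemd_coredump_t)
+
+fs_getattr_nsfs_files(systemd_coredump_t)
+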
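Review bot: `files_mounton_usr(systemd_coredump_t)` is justified by an AVC where path="/" carries usr_t, i.e. a layout where the root directory itself is labelled usr_t, and the denial was captured with permissive=1, so further mounton denials from the sd-parse-elf sandbox may still surface on that layout. Note the assumption above the new systemd.te line, e.g. `# sd-parse-elf sandbox: "/" is labelled usr_t on some images`, so the next maintainer does not look for a /usr mount that never happens. The interface summary `Mounton directories on the /usr filesystem` understates the grant, which covers every usr_t directory; `Mount on directories with the usr_t type` would be accurate.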
@ -0,0 +1,29 @@
|
||||
From d374cf4fb2d5828aafcdd475a880c6d94b10bdff Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Fri, 11 Nov 2022 12:46:00 +0100
|
||||
Subject: [PATCH] Allow systemd-hostnamed dbus chat with init scripts
|
||||
|
||||
Addresses the following USER_AVC denial:
|
||||
|
||||
type=USER_AVC msg=audit(1659032710.225:59): pid=1684 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.23 spid=2281 tpid=2280 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
|
||||
|
||||
Resolves: rhbz#2111632
|
||||
---
|
||||
policy/modules/system/systemd.te | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index 6602d7c916..6194317382 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -903,6 +903,10 @@ optional_policy(`
|
||||
dbus_system_bus_client(systemd_hostnamed_t)
|
||||
dbus_connect_system_bus(systemd_hostnamed_t)
|
||||
dbus_watch_pid_dir_path(systemd_hostnamed_t)
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ init_dbus_chat_script(systemd_hostnamed_t)
|
||||
+ ')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -0,0 +1,29 @@
|
||||
From a7e6b82865350053269b0abab82889e18095358d Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Mon, 30 Jan 2023 14:22:02 +0100
|
||||
Subject: [PATCH] Allow systemd-resolved send a datagram to journald
|
||||
|
||||
Addresses the following AVC denial:
|
||||
|
||||
type=AVC msg=audit(1674810195.623:587): avc: denied { sendto } for pid=47442 comm="systemd-resolve" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0
|
||||
|
||||
Resolves: rhbz#2165134
|
||||
---
|
||||
policy/modules/system/systemd.te | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index 7c625074c4..57c72d8347 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -1267,6 +1267,10 @@ optional_policy(`
|
||||
systemd_dbus_chat_logind(systemd_resolved_t)
|
||||
')
|
||||
|
||||
+optional_policy(`
|
||||
+ logging_dgram_send(systemd_resolved_t)
|
||||
+')
|
||||
+
|
||||
optional_policy(`
|
||||
networkmanager_dbus_chat(systemd_resolved_t)
|
||||
')
|
||||
@ -0,0 +1,62 @@
|
||||
From 522fab1033215e698e44f261ea110dc08e6d2c7c Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Wed, 21 Dec 2022 12:32:15 +0100
|
||||
Subject: [PATCH] Allow systemd-resolved watch tmpfs directories
|
||||
|
||||
This permission is required when the system is booted with
|
||||
systemd.volatile=overlay. Overlay filesystems are mounted as ramfs
|
||||
or tmpfs, the tmpfs_t type is assigned to "/".
|
||||
|
||||
The files_watch_tmpfs_dirs() interface was added.
|
||||
|
||||
Addresses the following AVC denial:
|
||||
|
||||
type=AVC msg=audit(1663671100.753:186): avc: denied { watch } for pid=674 comm="systemd-resolve" path="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
|
||||
|
||||
Resolves: rhbz#2128246
|
||||
---
|
||||
policy/modules/kernel/files.if | 18 ++++++++++++++++++
|
||||
policy/modules/system/systemd.te | 1 +
|
||||
2 files changed, 19 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
|
||||
index eb9e6e032c..1a57076567 100644
|
||||
--- a/policy/modules/kernel/files.if
|
||||
+++ b/policy/modules/kernel/files.if
|
||||
@@ -9802,6 +9802,24 @@ interface(`files_rw_tmpfs_files',`
|
||||
allow $1 tmpfsfile:file { read write };
|
||||
')
|
||||
|
||||
+##########################################
|
||||
+## <summary>
|
||||
+## Watch a tmpfs directory.
|
||||
+## </summary>
|
||||
+## <param name="domain">
|
||||
+## <summary>
|
||||
+## Domain allowed access
|
||||
+## </summary>
|
||||
+## </param>
|
||||
+#
|
||||
+interface(`files_watch_tmpfs_dirs',`
|
||||
+ gen_require(`
|
||||
+ type root_t;
|
||||
+ ')
|
||||
+
|
||||
+ allow $1 tmpfs_t:dir watch_dir_perms;
|
||||
+')
|
||||
+
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read security files
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index 3a6fd02c3e..77187a80e4 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -1244,6 +1244,7 @@ dev_write_kmsg(systemd_resolved_t)
|
||||
dev_read_sysfs(systemd_resolved_t)
|
||||
|
||||
files_watch_root_dirs(systemd_resolved_t)
|
||||
+files_watch_tmpfs_dirs(systemd_resolved_t)
|
||||
files_watch_var_run_dirs(systemd_resolved_t)
|
||||
|
||||
init_watch_pid_dir(systemd_resolved_t)
|
||||
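Review bot: The new `files_watch_tmpfs_dirs` interface in files.if requires `type root_t;` in its gen_require block but the rule it emits is `allow $1 tmpfs_t:dir watch_dir_perms;`, so the required type and the used type do not match; whether this builds depends on the caller already having tmpfs_t in scope, and in a modular build it will fail or silently lean on another module's require. Change the block to `gen_require(` type tmpfs_t; ')`. If tmpfs_t is declared in the filesystem module, as it is in upstream refpolicy, the interface also belongs in filesystem.if as an fs_* interface rather than in files.if; and a comment on the systemd.te line, e.g. `# "/" is tmpfs_t with systemd.volatile=overlay`, would keep the context from the message next to the rule.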
32
backport-Allow-systemd-rfkill-the-bpf-capability.patch
Normal file
32
backport-Allow-systemd-rfkill-the-bpf-capability.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From 978245dc94680ac0cf55d11f37e2d788bc68bc1a Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Mon, 19 Dec 2022 14:31:15 +0100
|
||||
Subject: [PATCH] Allow systemd-rfkill the bpf capability
|
||||
|
||||
Linux Socket Filtering (LSF) is derived from the Berkeley Packet Filter
|
||||
and uses the same mechanism to allow a user-space program to attach a
|
||||
filter onto any socket and allow or disallow certain types of data to
|
||||
come through the socket.
|
||||
The systemd-rfkill service wants to listen only to related udev events,
|
||||
so it needs to set a filter for which the bpf capability is required.
|
||||
|
||||
Addresses the following USER_AVC denial:
|
||||
type=AVC msg=audit(1669160827.102:10): avc: denied { bpf } for pid=954 comm="systemd-rfkill" capability=39 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:system_r:systemd_rfkill_t:s0 tclass=capability2 permissive=0
|
||||
|
||||
Resolves: rhbz#2149390
|
||||
---
|
||||
policy/modules/system/systemd.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index 77187a80e4..10b1b2d9b2 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -947,6 +947,7 @@ tunable_policy(`systemd_socket_proxyd_connect_any',`
|
||||
#
|
||||
|
||||
allow systemd_rfkill_t self:capability { net_admin sys_admin};
|
||||
+allow systemd_rfkill_t self:capability2 bpf;
|
||||
allow systemd_rfkill_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
|
||||
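Review bot: The added `allow systemd_rfkill_t self:capability2 bpf;` grants the whole CAP_BPF capability, while the rationale in the message is a classic socket filter on the uevent socket, which to my knowledge is not itself a privileged operation; the capable() call that produced the denial may be a probe (for example the JIT-hardening decision, which only consults the capability and proceeds either way). It is worth checking in enforcing mode whether the filter is actually rejected without the capability; if it is not, `dontaudit systemd_rfkill_t self:capability2 bpf;` is the least-privilege fix. If the allow stays, a why-comment above it would help, e.g. `# socket filter on the udev netlink socket (rhbz#2149390)`.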
@ -0,0 +1,25 @@
|
||||
From b75e34887410c756e09763994cce88584a214da2 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Thu, 8 Dec 2022 20:06:14 +0100
|
||||
Subject: [PATCH] Allow systemd-timedated watch init runtime dir
|
||||
|
||||
Addresses the following AVC denial:
|
||||
Dec 08 06:43:24 audit[7055]: AVC avc: denied { watch } for pid=7055 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
|
||||
|
||||
Resolves: rhbz#2151806
|
||||
---
|
||||
policy/modules/system/systemd.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index 8fb7509147..3a6fd02c3e 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -1017,6 +1017,7 @@ fs_getattr_xattr_fs(systemd_timedated_t)
|
||||
|
||||
init_dbus_chat(systemd_timedated_t)
|
||||
init_status(systemd_timedated_t)
|
||||
+init_watch_pid_dir(systemd_timedated_t)
|
||||
|
||||
kernel_read_network_state(systemd_timedated_t)
|
||||
|
||||
@ -0,0 +1,58 @@
|
||||
From a266ee5b8b29d8f64a51cc408d558ae92c5e86ee Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Wed, 4 Jan 2023 14:16:56 +0100
|
||||
Subject: [PATCH] Allow systemd-userdbd the sys_resource capability
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This permission is required for the process be able to set its
|
||||
arg start and end address, refer to prctl(2):
|
||||
|
||||
PR_SET_MM (since Linux 3.3)
|
||||
Modify certain kernel memory map descriptor fields of the calling
|
||||
process. Usually these fields are set by the kernel and dynamic loader
|
||||
(see ld.so(8) for more information) and a regular application should not
|
||||
use this feature. However, there are cases, such as self-modifying pro‐
|
||||
grams, where a program might find it useful to change its own memory
|
||||
map.
|
||||
|
||||
The calling process must have the CAP_SYS_RESOURCE capability. The
|
||||
value in arg2 is one of the options below, while arg3 provides a new
|
||||
value for the option. The arg4 and arg5 arguments must be zero if un‐
|
||||
used.
|
||||
|
||||
PR_SET_MM_ARG_START
|
||||
Set the address above which the program command line is placed.
|
||||
|
||||
PR_SET_MM_ARG_END
|
||||
Set the address below which the program command line is placed.
|
||||
|
||||
Addresses the following AVC denials:
|
||||
|
||||
type=PROCTITLE msg=audit(01/04/2023 06:21:21.285:112) : proctitle=(sd-worker)
|
||||
type=SYSCALL msg=audit(01/04/2023 06:21:21.285:112) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x8 a2=0x7fa791901000 a3=0x0 items=0 ppid=1367 pid=1384 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(sd-worker) exe=/usr/lib/systemd/systemd-userdbd subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
|
||||
type=AVC msg=audit(01/04/2023 06:21:21.285:112) : avc: denied { sys_resource } for pid=1384 comm=(sd-worker) capability=sys_resource scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=1
|
||||
|
||||
type=PROCTITLE msg=audit(01/04/2023 06:21:23.761:156) : proctitle=systemd-userwork: processing...
|
||||
type=SYSCALL msg=audit(01/04/2023 06:21:23.761:156) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x9 a2=0x7fcc48186020 a3=0x0 items=0 ppid=1367 pid=1385 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-userwor exe=/usr/lib/systemd/systemd-userwork subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
|
||||
type=AVC msg=audit(01/04/2023 06:21:23.761:156) : avc: denied { sys_resource } for pid=1385 comm=systemd-userwor capability=sys_resource scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=1
|
||||
|
||||
Resolves: rhbz#2166509
|
||||
---
|
||||
policy/modules/system/systemd.te | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index 10b1b2d9b2..7c625074c4 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -1461,7 +1461,7 @@ optional_policy(`
|
||||
#
|
||||
# systemd_userdbd local policy
|
||||
#
|
||||
-allow systemd_userdbd_t self:capability dac_read_search;
|
||||
+allow systemd_userdbd_t self:capability { dac_read_search sys_resource };
|
||||
|
||||
manage_dirs_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
|
||||
manage_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
|
||||
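Review bot: The change to `allow systemd_userdbd_t self:capability { dac_read_search sys_resource };` grants the full CAP_SYS_RESOURCE (which also lifts resource limits and quota checks) for what the quoted SYSCALL records show is prctl(PR_SET_MM) with a1=0x8/0x9 — the PR_SET_MM_ARG_START/ARG_END options named in the message, i.e. rewriting the worker's command line as the `(sd-worker)` proctitle shows. Both audit records were captured with permissive=1, so the hunk does not tell us whether the worker fails without the capability or merely falls back to another way of renaming itself; that should be confirmed in enforcing mode, and if the effect is only cosmetic, `dontaudit systemd_userdbd_t self:capability sys_resource;` would be the narrower choice. If the allow is kept, a comment above the rule stating the prctl(PR_SET_MM) reason would save the next reader the trip to the bug report.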
27
backport-Allow-tlp-read-generic-SSL-certificates.patch
Normal file
27
backport-Allow-tlp-read-generic-SSL-certificates.patch
Normal file
@ -0,0 +1,27 @@
|
||||
From 610162346b12f1d34198fb8f435e2426bc28462c Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Thu, 22 Dec 2022 12:05:13 +0100
|
||||
Subject: [PATCH] Allow tlp read generic SSL certificates
|
||||
|
||||
Addresses the following AVC denial and further ones:
|
||||
|
||||
type=AVC msg=audit(1659568944.632:728): avc: denied { search } for pid=34604 comm="modinfo" name="pki" dev="dm-1" ino=2490465 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
|
||||
|
||||
Resolves: rhbz#2115141
|
||||
---
|
||||
policy/modules/contrib/tlp.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/tlp.te b/policy/modules/contrib/tlp.te
|
||||
index 38ba44adb9..f73b8bbdcf 100644
|
||||
--- a/policy/modules/contrib/tlp.te
|
||||
+++ b/policy/modules/contrib/tlp.te
|
||||
@@ -65,6 +65,8 @@ files_load_kernel_modules(tlp_t)
|
||||
init_status(tlp_t)
|
||||
init_stream_connectto(tlp_t)
|
||||
|
||||
+miscfiles_read_generic_certs(tlp_t)
|
||||
+
|
||||
modutils_exec_kmod(tlp_t)
|
||||
modutils_read_module_config(tlp_t)
|
||||
modutils_read_module_deps_files(tlp_t)
|
||||
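Review bot: `miscfiles_read_generic_certs(tlp_t)` is added on the strength of a single `search` denial on `/etc/pki` from `modinfo`, and the message says it also covers "further" denials it does not list, so the hunk leaves no record of why a module-info helper running as tlp_t needs the certificate store. A comment above the call would preserve that, e.g. `# modinfo invoked by tlp searches /etc/pki (rhbz#2115141)`.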
@ -0,0 +1,25 @@
|
||||
From 4c7f07ac123d25d9b053fa798067c7ef883fb17b Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Tue, 15 Nov 2022 14:57:01 +0100
|
||||
Subject: [PATCH] Allow winbind-rpcd get attributes of device and pty
|
||||
filesystems
|
||||
|
||||
Resolves: rhbz#2107106
|
||||
---
|
||||
policy/modules/contrib/samba.te | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
|
||||
index 88fb46b700..1395047b3e 100644
|
||||
--- a/policy/modules/contrib/samba.te
|
||||
+++ b/policy/modules/contrib/samba.te
|
||||
@@ -1203,6 +1203,9 @@ corecmd_exec_bin(winbind_rpcd_t)
|
||||
|
||||
corenet_tcp_connect_ipp_port(winbind_rpcd_t)
|
||||
|
||||
+dev_getattr_fs(winbind_rpcd_t)
|
||||
+
|
||||
+term_getattr_pty_fs(winbind_rpcd_t)
|
||||
term_use_ptmx(winbind_rpcd_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -0,0 +1,29 @@
|
||||
From e91d34918bd3e80aefa7236c014a2ad537a74966 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Thu, 22 Dec 2022 13:14:35 +0100
|
||||
Subject: [PATCH] Allow winbind-rpcd make a TCP connection to the ldap port
|
||||
|
||||
Addresses the following AVC denial:
|
||||
|
||||
type=PROCTITLE msg=audit(12/06/2022 12:58:18.767:2236) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=35 --np-helper --debuglevel=2
|
||||
type=SOCKADDR msg=audit(12/06/2022 12:58:18.767:2236) : saddr={ saddr_fam=inet laddr=127.0.0.1 lport=389 }
|
||||
type=SYSCALL msg=audit(12/06/2022 12:58:18.767:2236) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xf a1=0x55f673a4ace0 a2=0x10 a3=0x0 items=0 ppid=1 pid=7080 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
|
||||
type=AVC msg=audit(12/06/2022 12:58:18.767:2236) : avc: denied { name_connect } for pid=7080 comm=samba-dcerpcd dest=389 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
|
||||
|
||||
Resolves: rhbz#2152642
|
||||
---
|
||||
policy/modules/contrib/samba.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
|
||||
index 8746918587..6143ea2622 100644
|
||||
--- a/policy/modules/contrib/samba.te
|
||||
+++ b/policy/modules/contrib/samba.te
|
||||
@@ -1205,6 +1205,7 @@ kernel_read_network_state(winbind_rpcd_t)
|
||||
corecmd_exec_bin(winbind_rpcd_t)
|
||||
|
||||
corenet_tcp_connect_ipp_port(winbind_rpcd_t)
|
||||
+corenet_tcp_connect_ldap_port(winbind_rpcd_t)
|
||||
|
||||
dev_getattr_fs(winbind_rpcd_t)
|
||||
|
||||
@ -0,0 +1,37 @@
|
||||
From 9921e239291412f21c98806f2777dba7fce8bbe4 Mon Sep 17 00:00:00 2001
|
||||
From: Nikola Knazekova <nknazeko@redhat.com>
|
||||
Date: Thu, 15 Dec 2022 12:07:05 +0100
|
||||
Subject: [PATCH] Allow winbind-rpcd manage samba_share_t files and dirs
|
||||
|
||||
Allow winbind connect to init_t unix_stream_socket
|
||||
|
||||
Resolves: rhbz#2150680
|
||||
---
|
||||
policy/modules/contrib/samba.te | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
|
||||
index 1395047b3e..8746918587 100644
|
||||
--- a/policy/modules/contrib/samba.te
|
||||
+++ b/policy/modules/contrib/samba.te
|
||||
@@ -1185,6 +1185,9 @@ manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_ru
|
||||
files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
|
||||
|
||||
# access to files of other samba domains
|
||||
+manage_dirs_pattern(winbind_rpcd_t, samba_share_t, samba_share_t)
|
||||
+manage_files_pattern(winbind_rpcd_t, samba_share_t, samba_share_t)
|
||||
+
|
||||
manage_dirs_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
|
||||
read_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
|
||||
manage_sock_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
|
||||
@@ -1225,6 +1228,10 @@ optional_policy(`
|
||||
dirsrv_stream_connect(winbind_rpcd_t)
|
||||
')
|
||||
|
||||
+optional_policy(`
|
||||
+ init_stream_connectto(winbind_rpcd_t)
|
||||
+')
|
||||
+
|
||||
optional_policy(`
|
||||
kerberos_read_keytab(winbind_rpcd_t)
|
||||
kerberos_use(winbind_rpcd_t)
|
||||
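Review bot: The first hunk's `manage_dirs_pattern(winbind_rpcd_t, samba_share_t, samba_share_t)` and `manage_files_pattern(winbind_rpcd_t, samba_share_t, samba_share_t)` give every rpcd_* worker full create/write/unlink access to all share content, and unlike the other patches in this series the message quotes no AVC, so there is no record of which RPC operation actually writes to shares; a comment above the two rules naming that operation (or at least `# rhbz#2150680`) would help a later audit. In the second hunk, `init_stream_connectto(winbind_rpcd_t)` is wrapped in `optional_policy(`...')`, whereas the same interface is called bare in tlp.te elsewhere in this series; init is normally a base module, so the wrapper is unnecessary and inconsistent — keep whichever form the rest of samba.te uses.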
@ -0,0 +1,26 @@
|
||||
From d55213e04801baef4979cb38340737d69cb66d0c Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Mon, 19 Sep 2022 12:28:38 +0200
|
||||
Subject: [PATCH] Allow winbind-rpcd read and write its key ring
|
||||
|
||||
Addresses the following AVC denials:
|
||||
type=AVC msg=audit(1663577560.480:3619): avc: denied { write } for pid=109517 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1
|
||||
type=AVC msg=audit(1663577560.480:3620): avc: denied { read } for pid=109517 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1
|
||||
|
||||
Resolves: rhbz#2127854
|
||||
---
|
||||
policy/modules/contrib/samba.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
|
||||
index d25bc64f5d..23af3a1304 100644
|
||||
--- a/policy/modules/contrib/samba.te
|
||||
+++ b/policy/modules/contrib/samba.te
|
||||
@@ -1167,6 +1167,7 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow winbind_rpcd_t self:capability { setgid setuid };
|
||||
+allow winbind_rpcd_t self:key { read write };
|
||||
allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow winbind_rpcd_t self:unix_stream_socket connectto;
|
||||
@ -0,0 +1,30 @@
|
||||
From ea6e506843ed60097d84b14dea6945fd4e885fb0 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Fri, 11 Nov 2022 14:00:10 +0100
|
||||
Subject: [PATCH] Allow winbind-rpcd use the terminal multiplexor
|
||||
|
||||
Addresses the following AVC denial:
|
||||
|
||||
type=PROCTITLE msg=audit(07/14/2022 07:07:43.161:380) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=3 --worker-index=0 --debuglevel=0
|
||||
type=PATH msg=audit(07/14/2022 07:07:43.161:380) : item=0 name=/dev/ptmx inode=11387 dev=00:06 mode=character,666 ouid=root ogid=tty rdev=05:02 obj=system_u:object_r:ptmx_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
|
||||
type=SYSCALL msg=audit(07/14/2022 07:07:43.161:380) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fb1d4cf2a46 a2=O_RDWR|O_NOCTTY a3=0x0 items=1 ppid=6326 pid=6336 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
|
||||
type=AVC msg=audit(07/14/2022 07:07:43.161:380) : avc: denied { read write } for pid=6336 comm=rpcd_lsad name=ptmx dev="devtmpfs" ino=11387 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=0
|
||||
|
||||
Resolves: rhbz#2107106
|
||||
---
|
||||
policy/modules/contrib/samba.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
|
||||
index 2280531046..88fb46b700 100644
|
||||
--- a/policy/modules/contrib/samba.te
|
||||
+++ b/policy/modules/contrib/samba.te
|
||||
@@ -1203,6 +1203,8 @@ corecmd_exec_bin(winbind_rpcd_t)
|
||||
|
||||
corenet_tcp_connect_ipp_port(winbind_rpcd_t)
|
||||
|
||||
+term_use_ptmx(winbind_rpcd_t)
|
||||
+
|
||||
optional_policy(`
|
||||
auth_read_passwd(winbind_rpcd_t)
|
||||
')
|
||||
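Review bot: `term_use_ptmx(winbind_rpcd_t)` lets every rpcd_* worker open `/dev/ptmx` and allocate pseudo-terminals, although the quoted denial comes only from `rpcd_lsad`; because all the workers share one domain that scope is unavoidable, but the reason a DCE/RPC worker needs a pty (presumably a helper driven through a terminal, such as a password-change chat) is not recorded anywhere in the hunk. A comment above the call would preserve it, e.g. `# rpcd_lsad opens /dev/ptmx for a pty-driven helper (rhbz#2107106)`, once the presumption has been confirmed against the lsad code.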
24
backport-Allow-winbind-rpcd-write-to-winbind-pid-files.patch
Normal file
24
backport-Allow-winbind-rpcd-write-to-winbind-pid-files.patch
Normal file
@ -0,0 +1,24 @@
|
||||
From 495539633271d0e187e221dec061e122812cb5c2 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 17:30:47 +0200
|
||||
Subject: [PATCH] Allow winbind-rpcd write to winbind pid files
|
||||
|
||||
Addresses the following AVC denial:
|
||||
|
||||
type=AVC msg=audit(1658286623.868:2435): avc: denied { write } for pid=6219 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
|
||||
---
|
||||
policy/modules/contrib/samba.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
|
||||
index d64ba6e569..82ba1abf64 100644
|
||||
--- a/policy/modules/contrib/samba.te
|
||||
+++ b/policy/modules/contrib/samba.te
|
||||
@@ -1176,6 +1176,7 @@ allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;
|
||||
|
||||
read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t)
|
||||
|
||||
+write_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t)
|
||||
write_sock_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t)
|
||||
|
||||
manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)
|
||||
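Review bot: `write_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t)` grants write access to every winbind_var_run_t file in order to reach `samba-dcerpcd.pid`, which the quoted AVC shows carrying the winbind type; the cleaner fix is to label that file, and the series already tries to in backport-Update-policy-for-samba-dcerpcd.patch with `files_pid_filetrans(winbind_t, winbind_rpcd_var_run_t, file, "samba-dcerpcd.pid")`. That transition only fires when the parent directory is the generic var_run_t, yet the label in the AVC (winbind_var_run_t, inherited from its parent) indicates the pid file is created under a winbind-owned runtime directory, which would explain why it never gets the rpcd type. It is worth confirming the parent directory's type and the creating domain on a live system; if they are winbind_var_run_t and winbind_t, `filetrans_pattern(winbind_t, winbind_var_run_t, winbind_rpcd_var_run_t, file, "samba-dcerpcd.pid")` would remove the need for the broad write rule. Note that this AVC was recorded with permissive=1, so enforcing-mode behaviour is untested by this log.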
@ -0,0 +1,29 @@
|
||||
From e9ed412d419a865d8a9a396469d1f2bda351f30d Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Fri, 17 Jun 2022 19:46:05 +0200
|
||||
Subject: [PATCH] Allow winbind_rpcd_t connect to self over a
|
||||
unix_stream_socket
|
||||
|
||||
Addresses the following AVC denial:
|
||||
|
||||
type=PROCTITLE msg=audit(06/13/2022 04:54:59.247:2004) : proctitle=/usr/libexec/samba/rpcd_classic --configfile=/etc/samba/smb.conf --worker-group=6 --worker-index=0 --debuglevel=10
|
||||
type=AVC msg=audit(06/13/2022 04:54:59.247:2004) : avc: denied { connectto } for pid=23402 comm=rpcd_classic path=/run/samba/ncalrpc/np/winreg scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_stream_socket permissive=0
|
||||
type=SYSCALL msg=audit(06/13/2022 04:54:59.247:2004) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x10 a1=0x5624dd0ca5d0 a2=0x6e a3=0x7fe7094db260 items=0 ppid=23239 pid=23402 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_classic exe=/usr/libexec/samba/rpcd_classic subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
|
||||
|
||||
Resolves: rhbz#2096255
|
||||
---
|
||||
policy/modules/contrib/samba.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
|
||||
index 7087c37e7a..5e851af84a 100644
|
||||
--- a/policy/modules/contrib/samba.te
|
||||
+++ b/policy/modules/contrib/samba.te
|
||||
@@ -1168,6 +1168,7 @@ optional_policy(`
|
||||
allow winbind_rpcd_t self:capability { setgid setuid };
|
||||
allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
+allow winbind_rpcd_t self:unix_stream_socket connectto;
|
||||
allow winbind_rpcd_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;
|
||||
60
backport-Update-policy-for-samba-dcerpcd.patch
Normal file
60
backport-Update-policy-for-samba-dcerpcd.patch
Normal file
@ -0,0 +1,60 @@
|
||||
From 044ed83f8ebde938bbc49f6e071a8548ddc8505d Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Wed, 8 Jun 2022 16:24:15 +0200
|
||||
Subject: [PATCH] Update policy for samba-dcerpcd
|
||||
|
||||
The initial policy was updated to allow:
|
||||
- use sssd and systemd nsswitch modules
|
||||
- read kernel network state
|
||||
- use dbus
|
||||
- manage samba log directories
|
||||
- read winbind runtime files
|
||||
|
||||
Resolves: rhbz#2083504
|
||||
---
|
||||
policy/modules/contrib/samba.te | 12 +++++++++++-
|
||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
|
||||
index 03b49cba42..99cb452f7b 100644
|
||||
--- a/policy/modules/contrib/samba.te
|
||||
+++ b/policy/modules/contrib/samba.te
|
||||
@@ -1019,6 +1019,7 @@ manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var
|
||||
manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
|
||||
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
|
||||
files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
|
||||
+files_pid_filetrans(winbind_t, winbind_rpcd_var_run_t, file, "samba-dcerpcd.pid")
|
||||
filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
|
||||
# /run/samba/krb5cc_samba
|
||||
manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
|
||||
@@ -1175,9 +1176,12 @@ read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t)
|
||||
|
||||
manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)
|
||||
files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
|
||||
+
|
||||
+# access to files of other samba domains
|
||||
manage_dirs_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
|
||||
manage_sock_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
|
||||
|
||||
+manage_dirs_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
|
||||
manage_files_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
|
||||
|
||||
manage_dirs_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
|
||||
@@ -1185,10 +1189,16 @@ manage_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
|
||||
manage_sock_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
|
||||
allow winbind_rpcd_t samba_var_t:file { map } ;
|
||||
|
||||
+kernel_read_network_state(winbind_rpcd_t)
|
||||
+
|
||||
corecmd_exec_bin(winbind_rpcd_t)
|
||||
|
||||
optional_policy(`
|
||||
- auth_read_passwd_file(winbind_rpcd_t)
|
||||
+ auth_read_passwd(winbind_rpcd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ dbus_system_bus_client(winbind_rpcd_t)
|
||||
')
|
||||
|
||||
# interactions with smbd_t/winbind_t
|
||||
@ -0,0 +1,37 @@
|
||||
From 837f63743214363362334e910dcb06d35cd5cb99 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Mon, 27 Jun 2022 17:22:40 +0200
|
||||
Subject: [PATCH] Update samba-dcerpcd policy for kerberos usage 2
|
||||
|
||||
These additional permissions were added:
|
||||
- read kerberos key tables
|
||||
- read generic SSL certificates
|
||||
|
||||
Resolves: rhbz#2096521
|
||||
---
|
||||
policy/modules/contrib/samba.te | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
|
||||
index 091e016fd0..4be4401cda 100644
|
||||
--- a/policy/modules/contrib/samba.te
|
||||
+++ b/policy/modules/contrib/samba.te
|
||||
@@ -1208,6 +1208,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ kerberos_read_keytab(winbind_rpcd_t)
|
||||
kerberos_use(winbind_rpcd_t)
|
||||
')
|
||||
|
||||
@@ -1215,6 +1216,10 @@ optional_policy(`
|
||||
logging_send_syslog_msg(winbind_rpcd_t)
|
||||
')
|
||||
|
||||
+optional_policy(`
|
||||
+ miscfiles_read_generic_certs(winbind_rpcd_t)
|
||||
+')
|
||||
+
|
||||
optional_policy(`
|
||||
sssd_read_public_files(winbind_rpcd_t)
|
||||
sssd_stream_connect(winbind_rpcd_t)
|
||||
@ -0,0 +1,45 @@
|
||||
From e6584a21427a408c09781f2c5cf978b0f18db1cc Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Pytela <zpytela@redhat.com>
|
||||
Date: Fri, 17 Jun 2022 18:34:28 +0200
|
||||
Subject: [PATCH] Update samba-dcerpcd policy for kerberos usage
|
||||
|
||||
Resolves: rhbz#2096825
|
||||
---
|
||||
policy/modules/contrib/samba.te | 17 +++++++++++++++++
|
||||
1 file changed, 17 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
|
||||
index 99cb452f7b..7087c37e7a 100644
|
||||
--- a/policy/modules/contrib/samba.te
|
||||
+++ b/policy/modules/contrib/samba.te
|
||||
@@ -1179,6 +1179,7 @@ files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
|
||||
|
||||
# access to files of other samba domains
|
||||
manage_dirs_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
|
||||
+read_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
|
||||
manage_sock_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
|
||||
|
||||
manage_dirs_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
|
||||
@@ -1201,6 +1202,22 @@ optional_policy(`
|
||||
dbus_system_bus_client(winbind_rpcd_t)
|
||||
')
|
||||
|
||||
+optional_policy(`
|
||||
+ dirsrv_stream_connect(winbind_rpcd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ kerberos_use(winbind_rpcd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ logging_send_syslog_msg(winbind_rpcd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ sysnet_read_config(winbind_rpcd_t)
|
||||
+')
|
||||
+
|
||||
# interactions with smbd_t/winbind_t
|
||||
allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
|
||||
allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;
|
||||
51
backport-Update-winbind_rpcd_t.patch
Normal file
51
backport-Update-winbind_rpcd_t.patch
Normal file
@ -0,0 +1,51 @@
|
||||
From 37512b85ed2712a57370c9df57db84b96b3d0f9d Mon Sep 17 00:00:00 2001
|
||||
From: Nikola Knazekova <nknazeko@redhat.com>
|
||||
Date: Wed, 13 Jul 2022 18:12:31 +0200
|
||||
Subject: [PATCH] Update winbind_rpcd_t
|
||||
|
||||
Allow smbcontrol send winbind_rpcd_t unix_dgram_socket
|
||||
Allow winbind_rpcd_t to write winbind_var_run_t sock files
|
||||
Allow winbind_rpcd_t connect to winbind_t over unix_stream_socket
|
||||
Allow winbind_rpcd_t to connect to systemd-userdbd with a unix socket
|
||||
|
||||
Fix: rhbz#2102084
|
||||
---
|
||||
policy/modules/contrib/samba.te | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
|
||||
index 4be4401cda..61598b8e39 100644
|
||||
--- a/policy/modules/contrib/samba.te
|
||||
+++ b/policy/modules/contrib/samba.te
|
||||
@@ -745,6 +745,7 @@ allow smbcontrol_t samba_var_t:file map;
|
||||
|
||||
allow smbcontrol_t nmbd_t:unix_dgram_socket sendto;
|
||||
allow smbcontrol_t smbd_t:unix_dgram_socket sendto;
|
||||
+allow smbcontrol_t winbind_rpcd_t:unix_dgram_socket sendto;
|
||||
allow smbcontrol_t winbind_t:unix_dgram_socket sendto;
|
||||
|
||||
samba_read_config(smbcontrol_t)
|
||||
@@ -1175,6 +1176,8 @@ allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;
|
||||
|
||||
read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t)
|
||||
|
||||
+write_sock_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t)
|
||||
+
|
||||
manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)
|
||||
files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
|
||||
|
||||
@@ -1229,9 +1232,14 @@ optional_policy(`
|
||||
sysnet_read_config(winbind_rpcd_t)
|
||||
')
|
||||
|
||||
+optional_policy(`
|
||||
+ systemd_userdbd_stream_connect(winbind_rpcd_t)
|
||||
+')
|
||||
+
|
||||
# interactions with smbd_t/winbind_t
|
||||
allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
|
||||
allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;
|
||||
+allow winbind_rpcd_t winbind_t:unix_stream_socket connectto;
|
||||
|
||||
samba_domtrans_winbind_rpcd(smbd_t)
|
||||
samba_domtrans_winbind_rpcd(winbind_t)
|
||||
@ -12,7 +12,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 35.5
|
||||
Release: 20
|
||||
Release: 21
|
||||
License: GPLv2+
|
||||
URL: https://github.com/fedora-selinux/selinux-policy/
|
||||
|
||||
@ -228,6 +228,53 @@ Patch6158: backport-Allow-lldpad-bpf-capability-to-run-bpf-programs.patch
|
||||
Patch6159: backport-Allow-pkcs_slotd_t-bpf-capability-to-run-bpf-program.patch
|
||||
Patch6160: backport-Allow-netutils-and-traceroute-bpf-capability-to-run-.patch
|
||||
Patch6161: backport-Allow-dhcpd-bpf-capability-to-run-bpf-programs.patch
|
||||
Patch6162: backport-Add-watch-interfaces.patch
|
||||
Patch6163: backport-Add-watch_sb-interfaces.patch
|
||||
Patch6164: backport-Add-interface-to-watch-all-filesystems.patch
|
||||
Patch6165: backport-Allow-sssd-dbus-chat-with-system-cronjobs.patch
|
||||
Patch6166: backport-Allow-systemd-hostnamed-dbus-chat-with-init-scripts.patch
|
||||
Patch6167: backport-Add-domain_unix_read_all_semaphores-interface.patch
|
||||
Patch6168: backport-Allow-rpc.gssd-read-network-sysctls.patch
|
||||
Patch6169: backport-Allow-syslogd-read-network-sysctls.patch
|
||||
Patch6170: backport-Allow-systemd-timedated-watch-init-runtime-dir.patch
|
||||
Patch6171: backport-Allow-journalctl-relabel-with-var_log_t-and-syslogd_.patch
|
||||
Patch6172: backport-Allow-systemd-resolved-watch-tmpfs-directories.patch
|
||||
Patch6173: backport-Allow-tlp-read-generic-SSL-certificates.patch
|
||||
Patch6174: backport-Allow-apcupsd-dbus-chat-with-systemd-logind.patch
|
||||
Patch6175: backport-Allow-systemd-rfkill-the-bpf-capability.patch
|
||||
Patch6176: backport-Allow-systemd-userdbd-the-sys_resource-capability.patch
|
||||
Patch6177: backport-Allow-systemd-resolved-send-a-datagram-to-journald.patch
|
||||
Patch6178: backport-Allow-system_cronjob_t-transition-to-rpm_script_t.patch
|
||||
Patch6179: backport-Allow-systemd-coredump-mounton-usr.patch
|
||||
Patch6180: backport-Add-journalctl-the-sys_resource-capability.patch
|
||||
Patch6181: backport-Allow-logrotate-dbus-chat-with-systemd-hostnamed.patch
|
||||
Patch6182: backport-Add-support-for-samba-dcerpcd.patch
|
||||
Patch6183: backport-Update-policy-for-samba-dcerpcd.patch
|
||||
Patch6184: backport-Update-samba-dcerpcd-policy-for-kerberos-usage.patch
|
||||
Patch6185: backport-Allow-winbind_rpcd_t-connect-to-self-over-a-unix_str.patch
|
||||
Patch6186: backport-Allow-samba-dcerpcd-work-with-sssd.patch
|
||||
Patch6187: backport-Update-samba-dcerpcd-policy-for-kerberos-usage-2.patch
|
||||
Patch6188: backport-Update-winbind_rpcd_t.patch
|
||||
Patch6189: backport-Allow-samba-bgqd-get-a-printer-list.patch
|
||||
Patch6190: backport-Allow-winbind-rpcd-write-to-winbind-pid-files.patch
|
||||
Patch6191: backport-Allow-samba-bgqd-to-read-a-printer-list.patch
|
||||
Patch6192: backport-Allow-smbd_t-process-noatsecure-permission-for-winbi.patch
|
||||
Patch6193: backport-Allow-winbind-rpcd-read-and-write-its-key-ring.patch
|
||||
Patch6194: backport-Allow-samba-dcerpcd-use-NSCD-services-over-a-unix-st.patch
|
||||
Patch6195: backport-Add-winbind-rpcd-to-samba_enable_home_dirs-boolean.patch
|
||||
Patch6196: backport-Allow-winbind-rpcd-use-the-terminal-multiplexor.patch
|
||||
Patch6197: backport-Allow-winbind-rpcd-get-attributes-of-device-and-pty-.patch
|
||||
Patch6198: backport-Allow-winbind-rpcd-manage-samba_share_t-files-and-di.patch
|
||||
Patch6199: backport-Allow-winbind-rpcd-make-a-TCP-connection-to-the-ldap.patch
|
||||
Patch6200: backport-Allow-samba-rpcd-work-with-passwords.patch
|
||||
Patch6201: backport-Allow-samba-dcerpcd-connect-to-systemd_machined-over.patch
|
||||
Patch6202: backport-Allow-rpcd_lsad-setcap-and-use-generic-ptys.patch
|
||||
Patch6203: backport-Allow-keepalived-to-set-resource-limits.patch
|
||||
Patch6204: backport-Add-the-kernel_read_proc_files-interface.patch
|
||||
Patch6205: backport-Allow-pcscd-bpf-capability-to-run-bpf-programs.patch
|
||||
Patch6206: backport-Allow-logwatch_mail_t-read-network-sysctls.patch
|
||||
Patch6207: backport-Allow-exim-read-network-sysctls.patch
|
||||
Patch6208: backport-Allow-kernel-to-manage-its-own-BPF-objects.patch
|
||||
|
||||
Patch9000: add-qemu_exec_t-for-stratovirt.patch
|
||||
Patch9001: fix-context-of-usr-bin-rpmdb.patch
|
||||
@ -904,6 +951,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Aug 24 2023 wangqingsan <wangqingsan@huawei.com> - 35.5-21
|
||||
- backport upstream patches
|
||||
|
||||
* Fri Jul 28 2023 huangzq6 <huangzhenqiang2@huawei.com> - 35.5-20
|
||||
- backport some selinux-policy upstream patches
|
||||
|
||||
|
||||