diff --git a/backport-Add-domain_unix_read_all_semaphores-interface.patch b/backport-Add-domain_unix_read_all_semaphores-interface.patch
new file mode 100644
index 0000000..372ea06
--- /dev/null
+++ b/backport-Add-domain_unix_read_all_semaphores-interface.patch
@@ -0,0 +1,39 @@
+From 0fda5d6c5ee12b642ab0f6b6503807a4731d17f4 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 11 Nov 2022 15:11:18 +0100
+Subject: [PATCH] Add domain_unix_read_all_semaphores() interface
+
+---
+ policy/modules/kernel/domain.if | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
+index 0e843721ba..2fa4393292 100644
+--- a/policy/modules/kernel/domain.if
++++ b/policy/modules/kernel/domain.if
+@@ -568,6 +568,25 @@ interface(`domain_kill_all_domains',`
+ allow $1 self:capability kill;
+ ')
+ 
++########################################
++##
++## Allow unix_read all domains semaphores
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`domain_unix_read_all_semaphores',`
++ gen_require(`
++ attribute domain;
++ ')
++
++ allow $1 domain:sem unix_read;
++')
++
+ ########################################
+ ##
+ ## Destroy all domains semaphores
diff --git a/backport-Add-interface-to-watch-all-filesystems.patch b/backport-Add-interface-to-watch-all-filesystems.patch
new file mode 100644
index 0000000..3d5b5d7
--- /dev/null
+++ b/backport-Add-interface-to-watch-all-filesystems.patch
@@ -0,0 +1,39 @@
+From 972e4dbcdf87067924239db5dcc89a099298700c Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Mon, 7 Nov 2022 15:20:12 +0100
+Subject: [PATCH] Add interface to watch all filesystems
+
+Resolves: rhbz#2139363
+---
+ policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
+index d7645a534f..918bf32963 100644
+--- a/policy/modules/kernel/filesystem.if
++++ b/policy/modules/kernel/filesystem.if
+@@ -6426,6 +6426,24 @@ interface(`fs_unmount_all_fs',`
+ allow $1 filesystem_type:filesystem unmount;
+ ')
+ 
++########################################
++##
++## Watch all filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_watch_all_fs',`
++ gen_require(`
++ attribute filesystem_type;
++ ')
++
++ allow $1 filesystem_type:filesystem watch;
++')
++
+ ########################################
+ ##
+ ## Get the attributes of all filesystems.
diff --git a/backport-Add-journalctl-the-sys_resource-capability.patch b/backport-Add-journalctl-the-sys_resource-capability.patch
new file mode 100644
index 0000000..d880394
--- /dev/null
+++ b/backport-Add-journalctl-the-sys_resource-capability.patch
@@ -0,0 +1,32 @@
+From ec3ee928067bfde035d3e66a936bc761f9e4b25d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 3 Feb 2023 17:20:51 +0100
+Subject: [PATCH] Add journalctl the sys_resource capability
+
+The journalctl command runs in the journalctl_t domain when executed by
+a confined user (user, staff, sysadm). When is invoked with pager,
+prctl() is called to change the process name.
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(02/02/2023 12:55:12.623:1405) : proctitle=(pager)
+type=SYSCALL msg=audit(02/02/2023 12:55:12.623:1405) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x8 a2=0x7fd1a3f52000 a3=0x0 items=0 ppid=25495 pid=25516 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=39 comm=(pager) exe=/usr/bin/journalctl subj=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(02/02/2023 12:55:12.623:1405) : avc: denied { sys_resource } for pid=25516 comm=(pager) capability=sys_resource scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=capability permissive=1
+
+Resolves: rhbz#2136189
+---
+ policy/modules/contrib/journalctl.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/journalctl.te b/policy/modules/contrib/journalctl.te
+index 5b4329c800..b22b6a7130 100644
+--- a/policy/modules/contrib/journalctl.te
++++ b/policy/modules/contrib/journalctl.te
+@@ -18,6 +18,7 @@ role journalctl_roles types journalctl_t;
+ #
+ # journalctl local policy
+ #
++allow journalctl_t self:capability sys_resource;
+ allow journalctl_t self:process { fork setrlimit signal_perms };
+ 
+ allow journalctl_t self:fifo_file manage_fifo_file_perms;
diff --git a/backport-Add-support-for-samba-dcerpcd.patch b/backport-Add-support-for-samba-dcerpcd.patch
new file mode 100644
index 0000000..50fcd1c
--- /dev/null
+++ b/backport-Add-support-for-samba-dcerpcd.patch
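Review bot: The new `allow journalctl_t self:capability sys_resource;` line carries no comment, and sys_resource is a broad capability (it also lifts resource-limit checks) being granted to a domain that confined users enter. A one-line comment tying the grant to the reason given in the commit message keeps it reviewable later, e.g. `# prctl(PR_SET_MM) from the pager path needs sys_resource`. Keeping the line next to the existing `self:process` rule is consistent with the file.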
@@ -0,0 +1,131 @@
+From 7367896085db099d956d666b94601fa9fc9df92a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 1 Jun 2022 12:55:02 +0200
+Subject: [PATCH] Add support for samba-dcerpcd
+
+New samba-dcerpcd binary is shipped with samba-4.16 (refer to
+https://www.samba.org/samba/history/samba-4.16.0.html) to break out
+the DCERPC services from smbd. samba-dcerpcd can be invoked on demand
+from smbd or "winbind --np-helper" to serve DCERPC over named pipes,
+or in a standalone mode, started separately from smbd or winbind,
+but this requires changes to system startup scripts.
+
+This commit bring SELinux support for the breakout with a new
+winbind_rpcd_t type.
+
+Resolves: rhbz#2083511
+---
+ policy/modules/contrib/samba.fc | 3 +++
+ policy/modules/contrib/samba.if | 19 +++++++++++++
+ policy/modules/contrib/samba.te | 47 +++++++++++++++++++++++++++++
+ 3 files changed, 69 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.fc b/policy/modules/contrib/samba.fc
+index a93346efee..873b3091b8 100644
+--- a/policy/modules/contrib/samba.fc
++++ b/policy/modules/contrib/samba.fc
+@@ -18,6 +18,9 @@
+ /usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
+ /usr/lib/systemd/system/winbind.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
+ 
++/usr/libexec/samba/rpcd_lsad -- gen_context(system_u:object_r:winbind_rpcd_exec_t,s0)
++/usr/libexec/samba/samba-dcerpcd -- gen_context(system_u:object_r:winbind_rpcd_exec_t,s0)
++
+ /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
+ /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
+ /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
+diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
+index 0366038a90..80244a4360 100644
+--- a/policy/modules/contrib/samba.if
++++ b/policy/modules/contrib/samba.if
+@@ -1080,3 +1080,22 @@ interface(`samba_admin',`
+ admin_pattern($1, samba_unit_file_t)
+ allow $1 samba_unit_file_t:service all_service_perms;
+ ')
++
++########################################
++##
++## Execute winbind rpcd in the winbind_rpcd_t domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`samba_domtrans_winbind_rpcd',`
++ gen_require(`
++ type winbind_rpcd_t, winbind_rpcd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, winbind_rpcd_exec_t, winbind_rpcd_t)
++')
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 60767f430f..03b49cba42 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -176,9 +176,17 @@ role system_r types winbind_helper_t;
+ type winbind_helper_exec_t;
+ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
+ 
++type winbind_rpcd_t;
++type winbind_rpcd_exec_t;
++application_domain(winbind_rpcd_t, winbind_rpcd_exec_t)
++role system_r types winbind_rpcd_t;
++
+ type winbind_log_t;
+ logging_log_file(winbind_log_t)
+ 
++type winbind_rpcd_var_run_t;
++files_pid_file(winbind_rpcd_var_run_t)
++
+ type winbind_var_run_t;
+ files_pid_file(winbind_var_run_t)
+ 
+@@ -1151,6 +1159,45 @@ optional_policy(`
+ squid_rw_stream_sockets(winbind_helper_t)
+ ')
+ 
++########################################
++#
++# Winbind-rpcd local policy
++#
++
++allow winbind_rpcd_t self:capability { setgid setuid };
++allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms;
++allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto };
++allow winbind_rpcd_t self:udp_socket create_socket_perms;
++
++allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;
++
++read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t)
++
++manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)
++files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
++manage_dirs_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
++manage_sock_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
++
++manage_files_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
++
++manage_dirs_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
++manage_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
++manage_sock_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
++allow winbind_rpcd_t samba_var_t:file { map } ;
++
++corecmd_exec_bin(winbind_rpcd_t)
++
++optional_policy(`
++ auth_read_passwd_file(winbind_rpcd_t)
++')
++
++# interactions with smbd_t/winbind_t
++allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
++allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;
++
++samba_domtrans_winbind_rpcd(smbd_t)
++samba_domtrans_winbind_rpcd(winbind_t)
++
+ ########################################
+ #
+ # samba_unconfined_script_t local policy
diff --git a/backport-Add-the-kernel_read_proc_files-interface.patch b/backport-Add-the-kernel_read_proc_files-interface.patch
new file mode 100644
index 0000000..77fcff6
--- /dev/null
+++ b/backport-Add-the-kernel_read_proc_files-interface.patch
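Review bot: `allow winbind_rpcd_t samba_var_t:file { map } ;` in the samba.te hunk has a stray space before the semicolon and braces around a single permission, unlike `allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;` a few lines above; write it `allow winbind_rpcd_t samba_var_t:file map;`. The `files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })` call passes no filename, so every directory or file the daemon creates directly under /run is labelled winbind_rpcd_var_run_t; if the daemon uses a fixed subdirectory name, passing it as the fourth argument would keep the transition narrower (the name is not visible in this hunk). The new domain also gets `setgid setuid` and manage access to samba_log_t and samba_var_t with no comment on which rpcd worker behaviour needs them; a short comment at the head of the `# Winbind-rpcd local policy` section would help the next reviewer.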
@@ -0,0 +1,38 @@
+From 0d41bd657e613657b01f75645b6168cf5987e387 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 23 Jun 2022 20:49:49 +0200
+Subject: [PATCH] Add the kernel_read_proc_files() interface
+
+---
+ policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
+index 75623cf38f..8a83ed511d 100644
+--- a/policy/modules/kernel/kernel.if
++++ b/policy/modules/kernel/kernel.if
+@@ -1112,6 +1112,24 @@ interface(`kernel_getattr_proc_files',`
+ getattr_files_pattern($1, proc_t, proc_t)
+ ')
+ 
++########################################
++##
++## Read generic files in /proc.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_read_proc_files',`
++ gen_require(`
++ type proc_t;
++ ')
++
++ read_files_pattern($1, proc_t, proc_t)
++')
++
+ ########################################
+ ##
+ ## Read generic symbolic links in /proc.
diff --git a/backport-Add-watch-interfaces.patch b/backport-Add-watch-interfaces.patch
new file mode 100644
index 0000000..b376bba
--- /dev/null
+++ b/backport-Add-watch-interfaces.patch
@@ -0,0 +1,64 @@
+From 01197e1c606be4b55b1b0551c8f8856bcb8c13f8 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 3 Nov 2022 11:27:49 +0100
+Subject: [PATCH] Add watch interfaces
+
+Add interfacecs that allow watch filesystem.
+---
+ policy/modules/kernel/filesystem.if | 36 +++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
+index 2c1fdd7150..bb2f077f6d 100644
+--- a/policy/modules/kernel/filesystem.if
++++ b/policy/modules/kernel/filesystem.if
+@@ -264,6 +264,24 @@ interface(`fs_relabelfrom_xattr_fs',`
+ allow $1 fs_t:filesystem relabelfrom;
+ ')
+ 
++########################################
++##
++## Watch filesystem with extended attributes
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_watch_xattr_fs',`
++ gen_require(`
++ type fs_t;
++ ')
++
++ allow $1 fs_t:filesystem watch;
++')
++
+ ########################################
+ ##
+ ## Get the filesystem quotas of a filesystem
+@@ -5274,6 +5292,24 @@ interface(`fs_mount_tmpfs',`
+ allow $1 tmpfs_t:filesystem mount;
+ ')
+ 
++########################################
++##
++## Watch a tmpfs filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_watch_tmpfs',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ allow $1 tmpfs_t:filesystem watch;
++')
++
+ ########################################
+ ##
+ ## Dontaudit remount a tmpfs filesystem.
diff --git a/backport-Add-watch_sb-interfaces.patch b/backport-Add-watch_sb-interfaces.patch
new file mode 100644
index 0000000..4dc6c3f
--- /dev/null
+++ b/backport-Add-watch_sb-interfaces.patch
@@ -0,0 +1,155 @@
+From a65d7a6e589268afc80c871450423c82aeab530a Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 3 Nov 2022 11:33:59 +0100
+Subject: [PATCH] Add watch_sb interfaces
+
+Add interafaces that allow watch_sb user temporary directories,
+tmpfs directories, boot and root directories.
+Create watch_sb_dirs_pattern and watch_sb_dir_perms
+---
+ policy/modules/kernel/files.if | 36 +++++++++++++++++++++++++++++
+ policy/modules/kernel/filesystem.if | 18 +++++++++++++++
+ policy/modules/system/userdomain.if | 18 +++++++++++++++
+ policy/support/file_patterns.spt | 4 ++++
+ policy/support/obj_perm_sets.spt | 1 +
+ 5 files changed, 77 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 046db519bb..eb9e6e032c 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -2560,6 +2560,24 @@ interface(`files_write_root_dirs',`
+ allow $1 root_t:dir write;
+ ')
+ 
++########################################
++##
++## Watch_sb root directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_watch_sb_root_dirs', `
++ gen_require(`
++ type root_t;
++ ')
++
++ watch_sb_dirs_pattern($1, root_t, root_t)
++')
++
+ ########################################
+ ##
+ ## Do not audit attempts to write to / dirs.
+@@ -3089,6 +3107,24 @@ interface(`files_watch_boot_dirs',`
+ allow $1 boot_t:dir watch_dir_perms;
+ ')
+ 
++########################################
++##
++## Watch_sb boot directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_watch_sb_boot_dirs', `
++ gen_require(`
++ type boot_t;
++ ')
++
++ watch_sb_dirs_pattern($1, boot_t, boot_t)
++')
++
+ ########################################
+ ##
+ ## Watch_mount directories in /boot.
+diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
+index bb2f077f6d..d7645a534f 100644
+--- a/policy/modules/kernel/filesystem.if
++++ b/policy/modules/kernel/filesystem.if
+@@ -5400,6 +5400,24 @@ interface(`fs_mounton_tmpfs', `
+ allow $1 tmpfs_t:dir mounton;
+ ')
+ 
++########################################
++##
++## Watch_sb tmpfs directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_watch_sb_tmpfs', `
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ watch_sb_dirs_pattern($1, tmpfs_t, tmpfs_t)
++')
++
+ ########################################
+ ##
+ ## Get the attributes of a tmpfs
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index e8817429b2..62bc19c654 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -347,6 +347,24 @@ interface(`userdom_watch_tmp_dirs',`
+ watch_dirs_pattern($1, user_tmp_t, user_tmp_t)
+ ')
+ 
++#######################################
++##
++## Watch_sb user temporary directories
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_watch_sb_tmp_dirs',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ watch_sb_dirs_pattern($1, user_tmp_t, user_tmp_t)
++')
++
+ #######################################
+ ##
+ ## Watch_mount user temporary directories
+diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
+index c832c0dab0..57581a8573 100644
+--- a/policy/support/file_patterns.spt
++++ b/policy/support/file_patterns.spt
+@@ -88,6 +88,10 @@ define(`watch_reads_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir watch_reads_dir_perms;
+ ')
++define(`watch_sb_dirs_pattern',`
++ allow $1 $2:dir search_dir_perms;
++ allow $1 $3:dir watch_sb_dir_perms;
++')
+ define(`watch_with_perm_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir watch_with_perm_dir_perms;
+diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
+index 85283eb1e5..c76a77fac9 100644
+--- a/policy/support/obj_perm_sets.spt
++++ b/policy/support/obj_perm_sets.spt
+@@ -149,6 +149,7 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
+ define(`watch_dir_perms',`{ getattr watch }')
+ define(`watch_mount_dir_perms',`{ getattr watch_mount }')
+ define(`watch_reads_dir_perms',`{ getattr watch_reads }')
++define(`watch_sb_dir_perms',`{ getattr watch_sb }')
+ define(`watch_with_perm_dir_perms',`{ getattr watch_with_perm }')
+ 
+ #
diff --git a/backport-Add-winbind-rpcd-to-samba_enable_home_dirs-boolean.patch b/backport-Add-winbind-rpcd-to-samba_enable_home_dirs-boolean.patch
new file mode 100644
index 0000000..4596761
--- /dev/null
+++ b/backport-Add-winbind-rpcd-to-samba_enable_home_dirs-boolean.patch
@@ -0,0 +1,37 @@
+From 480a1932eff8ba74e9373c1e7ba9a9d5f8c2d559 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Mon, 10 Oct 2022 16:45:20 +0200
+Subject: [PATCH] Add winbind-rpcd to samba_enable_home_dirs boolean
+
+Update samba_enable_home_dirs boolean to Allow winbind-rpcd to share users home directories.
+
+SELinux denials appeared, when users configured home directory share in the smb.conf.
+
+type=AVC msg=audit(1661934914.346:360): avc: denied { read } for pid=4587 comm="samba-dcerpcd" path="/home/xx/Documents/xx" dev="dm-2" ino=21627745 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
+
+Resolves: bz#2122904
+---
+ policy/modules/contrib/samba.te | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 227c22516d..2280531046 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -40,7 +40,7 @@ gen_tunable(samba_portmapper, false)
+ 
+ ##
+ ##
+-## Allow samba to share users home directories.
++## Allow samba and winbind-rpcd to share users home directories.
+ ##
+ ##
+ gen_tunable(samba_enable_home_dirs, false)
+@@ -475,6 +475,7 @@ tunable_policy(`samba_domain_controller',`
+ 
+ tunable_policy(`samba_enable_home_dirs',`
+ userdom_manage_user_home_content(smbd_t)
++ userdom_manage_user_home_content(winbind_rpcd_t)
+ ')
+ 
+ optional_policy(`
diff --git a/backport-Allow-apcupsd-dbus-chat-with-systemd-logind.patch b/backport-Allow-apcupsd-dbus-chat-with-systemd-logind.patch
new file mode 100644
index 0000000..31e5c5f
--- /dev/null
+++ b/backport-Allow-apcupsd-dbus-chat-with-systemd-logind.patch
@@ -0,0 +1,30 @@
+From d38bb2e165ea780ef87588c1fdf1af23b6d332bf Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 3 Jan 2023 20:04:50 +0100
+Subject: [PATCH] Allow apcupsd dbus chat with systemd-logind
+
+The permission is required in case of a power outage when apcupsd wants
+to initiate a shutdown.
+
+Addresses the following USER_AVC denial:
+
+Dec 29 08:41:25 hostname audit[516]: USER_AVC pid=516 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=0#012 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
+
+Resolves: rhbz#2157175
+---
+ policy/modules/contrib/apcupsd.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
+index 4ea8ba6f87..49ecadfc7c 100644
+--- a/policy/modules/contrib/apcupsd.te
++++ b/policy/modules/contrib/apcupsd.te
+@@ -112,6 +112,8 @@ logging_send_syslog_msg(apcupsd_t)
+ 
+ sysnet_dns_name_resolve(apcupsd_t)
+ 
++systemd_dbus_chat_logind(apcupsd_t)
++
+ userdom_use_inherited_user_ttys(apcupsd_t)
+ 
+ optional_policy(`
diff --git a/backport-Allow-exim-read-network-sysctls.patch b/backport-Allow-exim-read-network-sysctls.patch
new file mode 100644
index 0000000..b5e30c4
--- /dev/null
+++ b/backport-Allow-exim-read-network-sysctls.patch
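Review bot: `userdom_manage_user_home_content(winbind_rpcd_t)` grants create, write and delete on all user home content, while the denial quoted in the commit message shows only `read` of a user_home_t directory by samba-dcerpcd. Mirroring the smbd_t rule under the boolean is defensible because the boolean is about sharing, but the hunk gives no hint that rpcd workers are expected to need the same write access as smbd; a comment on the added line such as `# rpcd workers serve the same shares as smbd` would record that intent, or a read-only userdom interface would be the tighter choice if reads are all rpcd needs.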
@@ -0,0 +1,25 @@
+From 0b67d4d4f01428ebf80f2b695c970a27ed620b03 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 31 May 2023 08:54:38 +0200
+Subject: [PATCH] Allow exim read network sysctls
+
+The commit addresses the following AVC denial:
+type=AVC msg=audit(1685423685.876:788): avc: denied { search } for pid=41331 comm="exim" name="net" dev="proc" ino=736304 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
+
+Resolves: rhbz#2211025
+---
+ policy/modules/contrib/exim.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
+index 6e6792b06d..8ca4e25045 100644
+--- a/policy/modules/contrib/exim.te
++++ b/policy/modules/contrib/exim.te
+@@ -104,6 +104,7 @@ can_exec(exim_t, exim_exec_t)
+ 
+ kernel_read_crypto_sysctls(exim_t)
+ kernel_read_kernel_sysctls(exim_t)
++kernel_read_net_sysctls(exim_t)
+ kernel_read_network_state(exim_t)
+ kernel_read_system_state(exim_t)
+ 
diff --git a/backport-Allow-journalctl-relabel-with-var_log_t-and-syslogd_.patch b/backport-Allow-journalctl-relabel-with-var_log_t-and-syslogd_.patch
new file mode 100644
index 0000000..15028c2
--- /dev/null
+++ b/backport-Allow-journalctl-relabel-with-var_log_t-and-syslogd_.patch
@@ -0,0 +1,42 @@
+From b9d573e4cd9dc7ca4283488e166e83250c434a63 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 13 Dec 2022 19:02:04 +0100
+Subject: [PATCH] Allow journalctl relabel with var_log_t and syslogd_var_run_t
+ files
+
+The journald service runs in the syslogd_t domain as well as syslog
+daemons. When journal-offline wants to rotate journal files, which can
+be in /var/log/journal or /run/log/journal, it modifies all extended
+attributes, namely copy-on-write and security.selinux content, so
+relabelfrom and relabelto permissions are needed.
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(1670904722.619:48): proctitle="/usr/lib/systemd/systemd-journald"
+type=SYSCALL msg=audit(1670904722.619:48): arch=c00000b7 syscall=7 success=no exit=-13 a0=1d a1=ffffa0000b78 a2=ffffa0000e10 a3=27 items=0 ppid=1 pid=598 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="journal-offline" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
+type=AVC msg=audit(1670904722.619:48): avc: denied { relabelfrom } for pid=598 comm="journal-offline" name=".#system@1d25afdf416a40bb98bce9ac89ae6846-0000000000000001-0005efadd1f07135.journal941ddc8fc49c256a" dev="tmpfs" ino=1026 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=0
+
+Resolves: rhbz#2075527
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index d96d862f7c..34dd6aabe1 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -509,6 +509,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+ 
+ # create/append log files.
+ manage_files_pattern(syslogd_t, var_log_t, var_log_t)
++relabel_files_pattern(syslogd_t, var_log_t, var_log_t)
+ allow syslogd_t var_log_t:file map;
+ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+ files_search_spool(syslogd_t)
+@@ -533,6 +534,7 @@ files_search_var_lib(syslogd_t)
+ allow syslogd_t syslogd_var_run_t:dir watch_dir_perms;
+ manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+ manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
++relabel_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+ manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+ mmap_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+ files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })
diff --git a/backport-Allow-keepalived-to-set-resource-limits.patch b/backport-Allow-keepalived-to-set-resource-limits.patch
new file mode 100644
index 0000000..b241e8c
--- /dev/null
+++ b/backport-Allow-keepalived-to-set-resource-limits.patch
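Review bot: `relabel_files_pattern(syslogd_t, var_log_t, var_log_t)` gives syslogd_t relabelfrom/relabelto on every var_log_t file, not only the journal files under /var/log/journal that the commit message describes, and the existing `# create/append log files.` comment above it now understates what the block allows. A comment on the two added lines would record why the permission exists, e.g. `# journal-offline rewrites xattrs when rotating journal files`. The same point applies to the syslogd_var_run_t line in the second hunk.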
@@ -0,0 +1,28 @@
+From 59844c55226997c854bd82ac0f4b3e4df3da8fea Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 15 Dec 2022 12:10:58 +0100
+Subject: [PATCH] Allow keepalived to set resource limits
+
+Addresses the following AVC denial:
+type=PROCTITLE msg=audit(12/06/2022 06:01:28.343:362) : proctitle=/usr/sbin/keepalived --dont-fork -D
+type=SYSCALL msg=audit(12/06/2022 06:01:28.343:362) : arch=x86_64 syscall=prlimit64 success=no exit=EACCES(Permission denied) a0=0x0 a1=0xf a2=0x7ffcac307690 a3=0x0 items=0 ppid=4738 pid=4740 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
+type=AVC msg=audit(12/06/2022 06:01:28.343:362) : avc: denied { setrlimit } for pid=4740 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process permissive=0
+
+Resolves: rhbz#2151212
+---
+ policy/modules/contrib/keepalived.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/keepalived.te b/policy/modules/contrib/keepalived.te
+index ff0b498188..02170721c1 100644
+--- a/policy/modules/contrib/keepalived.te
++++ b/policy/modules/contrib/keepalived.te
+@@ -39,7 +39,7 @@ files_tmpfs_file(keepalived_tmpfs_t)
+ 
+ allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setuid setgid sys_admin sys_nice sys_ptrace };
+ allow keepalived_t self:capability2 bpf;
+-allow keepalived_t self:process { signal_perms getpgid setpgid setsched };
++allow keepalived_t self:process { signal_perms getpgid setpgid setsched setrlimit };
+ allow keepalived_t self:icmp_socket create_socket_perms;
+ allow keepalived_t self:netlink_socket create_socket_perms;
+ allow keepalived_t self:netlink_generic_socket create_socket_perms;
diff --git a/backport-Allow-kernel-to-manage-its-own-BPF-objects.patch b/backport-Allow-kernel-to-manage-its-own-BPF-objects.patch
new file mode 100644
index 0000000..12d0c42
--- /dev/null
+++ b/backport-Allow-kernel-to-manage-its-own-BPF-objects.patch
@@ -0,0 +1,27 @@
+From f33bc79e172068ca4cb47281b8fcfc9f47840b61 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek
+Date: Mon, 22 May 2023 14:30:26 +0200
+Subject: [PATCH] Allow kernel to manage its own BPF objects
+
+Kernel threads may end up calling __sys_bpf(), which does the usual BPF
+access checks, so make sure kernel_t is allowed to at least operate on
+its own BPF fds.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2186595
+Signed-off-by: Ondrej Mosnacek
+---
+ policy/modules/kernel/kernel.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index b86852812b..e0fcd2dff9 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -271,6 +271,7 @@ allow kernel_t self:unix_stream_socket connectto;
+ allow kernel_t self:fifo_file rw_fifo_file_perms;
+ allow kernel_t self:sock_file read_sock_file_perms;
+ allow kernel_t self:fd use;
++allow kernel_t self:bpf { map_create map_read map_write prog_load prog_run };
+ 
+ allow kernel_t debugfs_t:dir search_dir_perms;
+ 
diff --git a/backport-Allow-logrotate-dbus-chat-with-systemd-hostnamed.patch b/backport-Allow-logrotate-dbus-chat-with-systemd-hostnamed.patch
new file mode 100644
index 0000000..4b6e50e
--- /dev/null
+++ b/backport-Allow-logrotate-dbus-chat-with-systemd-hostnamed.patch
@@ -0,0 +1,30 @@
+From daca0f5683e2ed842c60d274f67fb0469afd3911 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 28 Apr 2023 17:30:22 +0200
+Subject: [PATCH] Allow logrotate dbus chat with systemd-hostnamed
+
+This denials appears when a service operating on a network is called
+from logrotate to perform an action, like ejabber to reopen its logs
+after logrotate finishes.
+
+The commit addresses the following USER_AVC denial:
+
+type=USER_AVC msg=audit(1676761204.161:9833): pid=543 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
+
+Resolves: rhbz#2171294
+---
+ policy/modules/contrib/logrotate.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
+index fdd9039f8c..24bc2e72f3 100644
+--- a/policy/modules/contrib/logrotate.te
++++ b/policy/modules/contrib/logrotate.te
+@@ -178,6 +178,7 @@ systemd_reload_all_services(logrotate_t)
+ systemd_status_all_unit_files(logrotate_t)
+ systemd_dbus_chat_logind(logrotate_t)
+ systemd_config_generic_services(logrotate_t)
++systemd_dbus_chat_hostnamed(logrotate_t)
+ init_stream_connect(logrotate_t)
+ init_reload_transient_unit(logrotate_t)
+ 
diff --git a/backport-Allow-logwatch_mail_t-read-network-sysctls.patch b/backport-Allow-logwatch_mail_t-read-network-sysctls.patch
new file mode 100644
index 0000000..1f073e9
--- /dev/null
+++ b/backport-Allow-logwatch_mail_t-read-network-sysctls.patch
@@ -0,0 +1,27 @@
+From 293e78308264d844124f464683512193ec85e4c4 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 31 Mar 2023 13:10:37 +0200
+Subject: [PATCH] Allow logwatch_mail_t read network sysctls
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(1680192422.976:513): avc: denied { open } for pid=9788 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=33052 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
+
+Resolves: rhbz#2208763
+---
+ policy/modules/contrib/logwatch.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
+index 42b322fb77..ea6db46809 100644
+--- a/policy/modules/contrib/logwatch.te
++++ b/policy/modules/contrib/logwatch.te
+@@ -198,6 +198,8 @@ manage_files_pattern(logwatch_mail_t, logwatch_cache_t, logwatch_cache_t)
+ 
+ manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
+ 
++kernel_read_net_sysctls(logwatch_mail_t)
++
+ dev_read_rand(logwatch_mail_t)
+ dev_read_urand(logwatch_mail_t)
+ dev_read_sysfs(logwatch_mail_t)
diff --git a/backport-Allow-pcscd-bpf-capability-to-run-bpf-programs.patch b/backport-Allow-pcscd-bpf-capability-to-run-bpf-programs.patch
new file mode 100644
index 0000000..0a34444
--- /dev/null
+++ b/backport-Allow-pcscd-bpf-capability-to-run-bpf-programs.patch
@@ -0,0 +1,23 @@
+From 991e1cd627e9dba1bb5a89ca87c90b2542453018 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 27 Oct 2022 14:23:35 +0200
+Subject: [PATCH] Allow pcscd bpf capability to run bpf programs
+
+Resolves: rhbz#2134827
+---
+ policy/modules/contrib/pcscd.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
+index d0d83da261..5b22ac8268 100644
+--- a/policy/modules/contrib/pcscd.te
++++ b/policy/modules/contrib/pcscd.te
+@@ -23,7 +23,7 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
+ 
+ allow pcscd_t self:capability { dac_read_search fsetid };
+ dontaudit pcscd_t self:capability { sys_admin };
+-allow pcscd_t self:capability2 { wake_alarm };
++allow pcscd_t self:capability2 { bpf wake_alarm };
+ allow pcscd_t self:cap_userns sys_ptrace;
+ allow pcscd_t self:process { signal signull };
+ dontaudit pcscd_t self:process setsched;
diff --git a/backport-Allow-rpc.gssd-read-network-sysctls.patch b/backport-Allow-rpc.gssd-read-network-sysctls.patch
new file mode 100644
index 0000000..75223f2
--- /dev/null
+++ b/backport-Allow-rpc.gssd-read-network-sysctls.patch
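Review bot: `allow pcscd_t self:capability2 { bpf wake_alarm };` adds CAP_BPF to the pcscd daemon with no AVC record or rationale in the commit message beyond the bug reference, so a later reader cannot tell which pcscd code path loads BPF programs or maps. Every other capability patch on this page quotes the denial it addresses; at minimum a comment on the changed line pointing at the justification, e.g. `# bpf: see rhbz#2134827`, would keep the grant traceable. If the need turns out to be limited to a specific program type, a narrower `self:bpf` rule might be preferable to the capability, but that cannot be judged from the hunk.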
@@ -0,0 +1,27 @@
+From d6bb54218c4b3f5cbed4c3b7115dc43793ebdcba Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 16 Nov 2022 16:37:54 +0100
+Subject: [PATCH] Allow rpc.gssd read network sysctls
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(1668606673.80:374): avc: denied { read } for pid=1236 comm="rpc.gssd" name="disable_ipv6" dev="proc" ino=32004 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
+
+Resolves: rhbz#2143271
+---
+ policy/modules/contrib/rpc.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
+index a13661a797..f94cfa5d24 100644
+--- a/policy/modules/contrib/rpc.te
++++ b/policy/modules/contrib/rpc.te
+@@ -369,7 +369,7 @@ kernel_read_system_state(gssd_t)
+ kernel_read_network_state(gssd_t)
+ kernel_read_network_state_symlinks(gssd_t)
+ kernel_request_load_module(gssd_t)
+-kernel_search_network_sysctl(gssd_t)
++kernel_read_net_sysctls(gssd_t)
+ kernel_signal(gssd_t)
+ 
+ corecmd_exec_bin(gssd_t)
diff --git a/backport-Allow-rpcd_lsad-setcap-and-use-generic-ptys.patch b/backport-Allow-rpcd_lsad-setcap-and-use-generic-ptys.patch
new file mode 100644
index 0000000..63d08c4
--- /dev/null
+++ b/backport-Allow-rpcd_lsad-setcap-and-use-generic-ptys.patch
@@ -0,0 +1,49 @@ +From e1fe6ba8a75ff66e506e7d80b4d8ccb8f899ec39 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 24 May 2023 16:39:11 +0200 +Subject: [PATCH] Allow rpcd_lsad setcap and use generic ptys + +Allow /usr/libexec/samba/rpcd_lsad running in the winbind_rpcd_t domain +the setcap permission to use capset(2) and use generic ptys when a request +to change a password is made. Note winbind_rpcd_t is not in the daemon +attribute which is a subject of the daemons_use_tty boolean. + +The commit addresses the following AVC denials: + +type=PROCTITLE msg=audit(05/23/2023 15:45:49.588:911) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=2 --worker-index=0 --debuglevel=0 +type=PATH msg=audit(05/23/2023 15:45:49.588:911) : item=0 name=/dev/pts/2 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(05/23/2023 15:45:49.588:911) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffce321e8c0 a1=0x7ffce321e830 a2=0x7ffce321e830 a3=0x0 items=1 ppid=129672 pid=129682 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_rpcd_t:s0 key=(null) +type=AVC msg=audit(05/23/2023 15:45:49.588:911) : avc: denied { search } for pid=129682 comm=rpcd_lsad name=/ dev="devpts" ino=1 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=0 + +type=PROCTITLE msg=audit(05/24/2023 03:08:08.440:1130) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=2 --worker-index=0 --debuglevel=0 +type=SYSCALL msg=audit(05/24/2023 03:08:08.440:1130) : arch=x86_64 syscall=capset success=no exit=EACCES(Permission denied) a0=0x561752d238b4 a1=0x561752d238bc a2=0x561752d238bc a3=0x7ffd6edcd904 items=0 ppid=164904 pid=164906 auid=unset uid=root gid=root euid=root suid=root 
fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_rpcd_t:s0 key=(null) +type=AVC msg=audit(05/24/2023 03:08:08.440:1130) : avc: denied { setcap } for pid=164906 comm=rpcd_lsad scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=0 + +Resolves: rhbz#2107106 +--- + policy/modules/contrib/samba.te | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te +index 9847d3da29..1a90ca864f 100644 +--- a/policy/modules/contrib/samba.te ++++ b/policy/modules/contrib/samba.te +@@ -1173,6 +1173,7 @@ optional_policy(` + allow winbind_rpcd_t self:capability { setgid setuid }; + allow winbind_rpcd_t self:key { read write }; + allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms; ++allow winbind_rpcd_t self:process setcap; + allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto }; + allow winbind_rpcd_t self:unix_stream_socket connectto; + allow winbind_rpcd_t self:udp_socket create_socket_perms; +@@ -1268,6 +1269,10 @@ optional_policy(` + systemd_userdbd_stream_connect(winbind_rpcd_t) + ') + ++optional_policy(` ++ term_use_generic_ptys(winbind_rpcd_t) ++') ++ + optional_policy(` + unconfined_dgram_send(winbind_rpcd_t) + ') diff --git a/backport-Allow-samba-bgqd-get-a-printer-list.patch b/backport-Allow-samba-bgqd-get-a-printer-list.patch new file mode 100644 index 0000000..1ee5ac0 --- /dev/null +++ b/backport-Allow-samba-bgqd-get-a-printer-list.patch 
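Review bot: `term_use_generic_ptys(winbind_rpcd_t)` grants read/write on devpts_t terminals to a network-facing RPC worker, while the only devpts denial quoted is `search` on the devpts root coming from a stat() of /dev/pts/2; if the password-change path only needs to look the pty up, `term_search_ptys(winbind_rpcd_t)` (if that interface is present in this tree) would cover the AVC with far less exposure, and the message should say that rw access is really required if it is. Wrapping the call in an optional_policy block is also inconsistent with the existing direct `term_use_ptmx(winbind_rpcd_t)` call in the same domain (visible as context in the winbind-rpcd getattr backport below); terminal is a base module, so the wrapper is unnecessary. The `allow winbind_rpcd_t self:process setcap;` rule matches the capset denial exactly and is fine.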
@@ -0,0 +1,53 @@ +From b3a5dfcc161ee097a0a5aa0fbf515e2e0bfb7430 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 5 Aug 2022 16:42:50 +0200 +Subject: [PATCH] Allow samba-bgqd get a printer list + +When `rpcclient localhost -c 'enumprinters'` or a similar command is executed, +samba-bgqd connects to the cups service to get the list of configured printers. +The printers are then cached and updated on regular basis. + +Resolves: rhbz#2112395 +--- + policy/modules/contrib/samba.te | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te +index 61598b8e39..d64ba6e569 100644 +--- a/policy/modules/contrib/samba.te ++++ b/policy/modules/contrib/samba.te +@@ -1198,10 +1198,16 @@ kernel_read_network_state(winbind_rpcd_t) + + corecmd_exec_bin(winbind_rpcd_t) + ++corenet_tcp_connect_ipp_port(winbind_rpcd_t) ++ + optional_policy(` + auth_read_passwd(winbind_rpcd_t) + ') + ++optional_policy(` ++ cups_stream_connect(winbind_rpcd_t) ++') ++ + optional_policy(` + dbus_system_bus_client(winbind_rpcd_t) + ') +@@ -1236,9 +1242,16 @@ optional_policy(` + systemd_userdbd_stream_connect(winbind_rpcd_t) + ') + +-# interactions with smbd_t/winbind_t ++optional_policy(` ++ unconfined_dgram_send(winbind_rpcd_t) ++') ++ ++# inter-process communication with other samba domains + allow smbd_t winbind_rpcd_t:unix_stream_socket connectto; + allow winbind_t winbind_rpcd_t:unix_stream_socket connectto; ++allow winbind_rpcd_t nmbd_t:unix_dgram_socket sendto; ++allow winbind_rpcd_t smbd_t:unix_dgram_socket sendto; ++allow winbind_rpcd_t winbind_t:unix_dgram_socket sendto; + allow winbind_rpcd_t winbind_t:unix_stream_socket connectto; + + samba_domtrans_winbind_rpcd(smbd_t) diff --git a/backport-Allow-samba-bgqd-to-read-a-printer-list.patch b/backport-Allow-samba-bgqd-to-read-a-printer-list.patch new file mode 100644 index 0000000..8775a39 --- /dev/null 
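Review bot: The new `unconfined_dgram_send(winbind_rpcd_t)` block and the three `unix_dgram_socket sendto` rules toward nmbd_t, smbd_t and winbind_t are not covered by the commit message, which only explains the cups connection; the diffstat (14 insertions, 1 deletion) confirms they are part of this change rather than context. Please record the denials or the reason (presumably the samba internal messaging channel) above them, e.g. `# samba messaging: bgqd notifies the other samba daemons of printer list updates`, so the widened IPC surface is auditable later. The reworded comment `# inter-process communication with other samba domains` is an improvement over the old one.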
+++ b/backport-Allow-samba-bgqd-to-read-a-printer-list.patch
@@ -0,0 +1,25 @@
+From 4d2a6d493a3a523c9bbb1d5f276f94bb176f5dec Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Mon, 22 Aug 2022 16:40:09 +0200
+Subject: [PATCH] Allow samba-bgqd to read a printer list
+
+Allow samba-bgqd, helper program performing asynchronous printing-related jobs,
+to read /etc/printcap file, where are stored printer definitions.
+
+Fix: bz#2118977
+---
+ policy/modules/contrib/samba.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 82ba1abf64..323e38b4cc 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1206,6 +1206,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ cups_read_config(winbind_rpcd_t)
+ cups_stream_connect(winbind_rpcd_t)
+ ')
+ 
diff --git a/backport-Allow-samba-dcerpcd-connect-to-systemd_machined-over.patch b/backport-Allow-samba-dcerpcd-connect-to-systemd_machined-over.patch
new file mode 100644
index 0000000..20b62af
--- /dev/null
+++ b/backport-Allow-samba-dcerpcd-connect-to-systemd_machined-over.patch
@@ -0,0 +1,26 @@
+From 400871693697941947ae35e9c914c129518880f0 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 22 May 2023 15:03:56 +0200
+Subject: [PATCH] Allow samba-dcerpcd connect to systemd_machined over a unix
+ socket
+
+The commit addresses the following AVC denial:
+type=AVC msg=audit(1684646002.435:1902): avc: denied { connectto } for pid=27491 comm="rpcd_winreg" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
+
+Resolves: rhbz#2208845
+---
+ policy/modules/contrib/samba.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index c8123ff29d..9847d3da29 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1264,6 +1264,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ systemd_machined_stream_connect(winbind_rpcd_t)
+ systemd_userdbd_stream_connect(winbind_rpcd_t)
+ ')
+ 
diff --git a/backport-Allow-samba-dcerpcd-use-NSCD-services-over-a-unix-st.patch b/backport-Allow-samba-dcerpcd-use-NSCD-services-over-a-unix-st.patch
new file mode 100644
index 0000000..a22af78
--- /dev/null
+++ b/backport-Allow-samba-dcerpcd-use-NSCD-services-over-a-unix-st.patch
@@ -0,0 +1,34 @@ +From cac4a1f3b825bdc7f7eeaa4b219c95342ddd135c Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 10 Oct 2022 16:39:50 +0200 +Subject: [PATCH] Allow samba-dcerpcd use NSCD services over a unix stream + socket + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(08/26/2022 04:14:24.657:453) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=23 --np-helper --debuglevel=0 +type=PATH msg=audit(08/26/2022 04:14:24.657:453) : item=0 name=/var/run/nscd/socket inode=130894 dev=00:18 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nscd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SOCKADDR msg=audit(08/26/2022 04:14:24.657:453) : saddr={ saddr_fam=local path=/var/run/nscd/socket } +type=SYSCALL msg=audit(08/26/2022 04:14:24.657:453) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x4 a1=0x7ffccfc81970 a2=0x6e a3=0x6 items=1 ppid=1 pid=93859 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null) +type=AVC msg=audit(08/26/2022 04:14:24.657:453) : avc: denied { write } for pid=93859 comm=samba-dcerpcd name=socket dev="tmpfs" ino=130894 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file permissive=0 + +Resolves: rhbz#2121709 +--- + policy/modules/contrib/samba.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te +index 23af3a1304..227c22516d 100644 +--- a/policy/modules/contrib/samba.te ++++ b/policy/modules/contrib/samba.te +@@ -1232,6 +1232,10 @@ optional_policy(` + miscfiles_read_generic_certs(winbind_rpcd_t) + ') + ++optional_policy(` ++ nscd_socket_use(winbind_rpcd_t) ++') ++ + optional_policy(` + 
sssd_read_public_files(winbind_rpcd_t) + sssd_stream_connect(winbind_rpcd_t) diff --git a/backport-Allow-samba-dcerpcd-work-with-sssd.patch b/backport-Allow-samba-dcerpcd-work-with-sssd.patch new file mode 100644 index 0000000..7741c09 --- /dev/null +++ b/backport-Allow-samba-dcerpcd-work-with-sssd.patch @@ -0,0 +1,32 @@ +From 88a28fc843a9e3a0039647d0b6fdd5ac7895a286 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 21 Jun 2022 16:02:49 +0200 +Subject: [PATCH] Allow samba-dcerpcd work with sssd + +Addresses the following AVC denials: + +type=AVC msg=audit(1655206265.325:3211): avc: denied { open } for pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1 +type=AVC msg=audit(1655206265.325:3214): avc: denied { connectto } for pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1 +type=AVC msg=audit(1655206265.325:3214): avc: denied { write } for pid=33521 comm="samba-dcerpcd" name="nss" dev="vda3" ino=17045861 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1 + +Resolves: rhbz#2096825 +--- + policy/modules/contrib/samba.te | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te +index 5e851af84a..091e016fd0 100644 +--- a/policy/modules/contrib/samba.te ++++ b/policy/modules/contrib/samba.te +@@ -1215,6 +1215,11 @@ optional_policy(` + logging_send_syslog_msg(winbind_rpcd_t) + ') + ++optional_policy(` ++ sssd_read_public_files(winbind_rpcd_t) ++ sssd_stream_connect(winbind_rpcd_t) ++') ++ + optional_policy(` + sysnet_read_config(winbind_rpcd_t) + ') 
diff --git a/backport-Allow-samba-rpcd-work-with-passwords.patch b/backport-Allow-samba-rpcd-work-with-passwords.patch
new file mode 100644
index 0000000..80164b7
--- /dev/null
+++ b/backport-Allow-samba-rpcd-work-with-passwords.patch
@@ -0,0 +1,36 @@
+From d5438718efffaf9bdfb6abe2d7fe8ecb1a316b84 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 11 May 2023 17:21:03 +0200
+Subject: [PATCH] Allow samba-rpcd work with passwords
+
+A domain transition on chkpwd execution was allowed to winbind_rpcd_t
+unconditionally and permissions to use the passwd command only when the
+samba_domain_controller boolean is turned on.
+
+Resolves: rhbz#2107106
+---
+ policy/modules/contrib/samba.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 6143ea2622..c8123ff29d 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -471,6 +471,9 @@ tunable_policy(`samba_domain_controller',`
+ usermanage_domtrans_useradd(smbd_t)
+ usermanage_domtrans_groupadd(smbd_t)
+ allow smbd_t self:passwd passwd;
++
++ usermanage_domtrans_passwd(winbind_rpcd_t)
++ allow winbind_rpcd_t self:passwd passwd;
+ ')
+ 
+ tunable_policy(`samba_enable_home_dirs',`
+@@ -1213,6 +1216,7 @@ term_getattr_pty_fs(winbind_rpcd_t)
+ term_use_ptmx(winbind_rpcd_t)
+ 
+ optional_policy(`
++ auth_domtrans_chk_passwd(winbind_rpcd_t)
+ auth_read_passwd(winbind_rpcd_t)
+ ')
+ 
diff --git a/backport-Allow-smbd_t-process-noatsecure-permission-for-winbi.patch b/backport-Allow-smbd_t-process-noatsecure-permission-for-winbi.patch
new file mode 100644
index 0000000..fc94a4f
--- /dev/null
+++ b/backport-Allow-smbd_t-process-noatsecure-permission-for-winbi.patch
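Review bot: The first sentence of the commit message reads as a description of the previous state rather than of this change, which is the opposite of what the diff does: `auth_domtrans_chk_passwd(winbind_rpcd_t)` is added unconditionally and `usermanage_domtrans_passwd(winbind_rpcd_t)` plus `allow winbind_rpcd_t self:passwd passwd;` are added only under the samba_domain_controller tunable. Rewording it as "Allow winbind_rpcd_t a domain transition on chkpwd execution unconditionally, and the passwd command only when the samba_domain_controller boolean is on" would stop a reader assuming the rules already existed. Keeping the password-changing permission behind the boolean, mirroring the existing smbd_t rules in the same block, is the right default, since the `passwd` class permission is what the passwd program checks before acting for the calling domain.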
@@ -0,0 +1,22 @@
+From 3d3ff36126d0fd7a38519ede5ad076303105b891 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 25 Aug 2022 17:33:20 +0200
+Subject: [PATCH] Allow smbd_t process noatsecure permission for winbind_rpcd_t
+
+Resolves: rhbz#2117199
+---
+ policy/modules/contrib/samba.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 323e38b4cc..d25bc64f5d 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1249,6 +1249,7 @@ optional_policy(`
+ ')
+ 
+ # inter-process communication with other samba domains
++allow smbd_t winbind_rpcd_t:process noatsecure;
+ allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
+ allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;
+ allow winbind_rpcd_t nmbd_t:unix_dgram_socket sendto;
diff --git a/backport-Allow-sssd-dbus-chat-with-system-cronjobs.patch b/backport-Allow-sssd-dbus-chat-with-system-cronjobs.patch
new file mode 100644
index 0000000..592fb56
--- /dev/null
+++ b/backport-Allow-sssd-dbus-chat-with-system-cronjobs.patch
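Review bot: `allow smbd_t winbind_rpcd_t:process noatsecure;` turns off AT_SECURE for the smbd_t to winbind_rpcd_t transition, which means the secure-execution environment sanitisation done by the dynamic loader (dropping LD_PRELOAD, LD_LIBRARY_PATH and similar) no longer applies to the spawned rpcd helpers, yet the commit message gives neither a denial nor a reason. Since the other samba backports on this page show these helpers running with uid=root, the rule needs a comment stating why the environment must pass through intact, e.g. `# smbd hands its environment to the spawned rpcd helpers; AT_SECURE scrubbing breaks them (rhbz#2117199)` if that is the cause. It is also worth stating whether the winbind_t transition on the next context line needs the same, or whether only smbd_t spawns the helpers.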
@@ -0,0 +1,29 @@
+From c8a25442b17ef4a95fa45cdde90cb6df30946fb1 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 11 Nov 2022 12:37:07 +0100
+Subject: [PATCH] Allow sssd dbus chat with system cronjobs
+
+Addresses the following USER_AVC denial:
+
+type=USER_AVC msg=audit(10/11/2022 14:36:01.711:447) : pid=973 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.1467 spid=5736 tpid=7278 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
+
+Resolves: rhbz#2132922
+---
+ policy/modules/contrib/sssd.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
+index 90d04fd918..f84c905f42 100644
+--- a/policy/modules/contrib/sssd.te
++++ b/policy/modules/contrib/sssd.te
+@@ -192,6 +192,10 @@ optional_policy(`
+ optional_policy(`
+ dbus_system_bus_client(sssd_t)
+ dbus_connect_system_bus(sssd_t)
++
++ optional_policy(`
++ cron_dbus_chat_system_job(sssd_t)
++ ')
+ ')
+ 
+ optional_policy(`
diff --git a/backport-Allow-syslogd-read-network-sysctls.patch b/backport-Allow-syslogd-read-network-sysctls.patch
new file mode 100644
index 0000000..ba25741
--- /dev/null
+++ b/backport-Allow-syslogd-read-network-sysctls.patch
@@ -0,0 +1,26 @@
+From 2eafd6c8cbc18aa52e320663ba6bf63f334c95d9 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 23 Nov 2022 09:20:51 +0100
+Subject: [PATCH] Allow syslogd read network sysctls
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(1669156432.404:191): avc: denied { read } for pid=700 comm="rsyslogd" name="disable_ipv6" dev="proc" ino=19523 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
+
+Resolves: rhbz#2145019
+---
+ policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 4e00b7935a..d96d862f7c 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -541,6 +541,7 @@ kernel_rw_stream_socket_perms(syslogd_t)
+ kernel_read_system_state(syslogd_t)
+ kernel_read_network_state(syslogd_t)
+ kernel_read_kernel_sysctls(syslogd_t)
++kernel_read_net_sysctls(syslogd_t)
+ kernel_read_netlink_audit_socket(syslogd_t)
+ kernel_read_proc_symlinks(syslogd_t)
+ # Allow access to /proc/kmsg for syslog-ng
diff --git a/backport-Allow-system_cronjob_t-transition-to-rpm_script_t.patch b/backport-Allow-system_cronjob_t-transition-to-rpm_script_t.patch
new file mode 100644
index 0000000..a0cbe3c
--- /dev/null
+++ b/backport-Allow-system_cronjob_t-transition-to-rpm_script_t.patch
@@ -0,0 +1,25 @@
+From 119f307391811d408d2cbed82632b46814376769 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 16 Feb 2023 13:04:48 +0100
+Subject: [PATCH] Allow system_cronjob_t transition to rpm_script_t
+
+This permission is required for rpm-like programs (rpm, dnf)
+executed from system cronjobs, e. g. /etc/crontab.
+
+Resolves: rhbz#2173255
+---
+ policy/modules/contrib/cron.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
+index a269cfcc50..8bc806ab9c 100644
+--- a/policy/modules/contrib/cron.te
++++ b/policy/modules/contrib/cron.te
+@@ -545,6 +545,7 @@ ifdef(`distro_redhat',`
+ # via redirection of standard out.
+ optional_policy(`
+ rpm_manage_log(system_cronjob_t)
++ rpm_transition_script(system_cronjob_t, system_r)
+ ')
+ ')
+ 
diff --git a/backport-Allow-systemd-coredump-mounton-usr.patch b/backport-Allow-systemd-coredump-mounton-usr.patch
new file mode 100644
index 0000000..946e3f1
--- /dev/null
+++ b/backport-Allow-systemd-coredump-mounton-usr.patch
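Review bot: `rpm_transition_script(system_cronjob_t, system_r)` lands in an optional_policy block whose surrounding comment (its tail `# via redirection of standard out.` is visible as context) justifies only the rpm log handling, so the comment no longer describes the block's contents. A line above the new call, e.g. `# rpm/dnf run from /etc/crontab transition to rpm_script_t (rhbz#2173255)`, would keep the rationale next to the rule. Given that rpm_script_t is a highly privileged domain, this is exactly the kind of grant a later audit of cron's reach will want justified in place rather than in git history.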
@@ -0,0 +1,57 @@
+From 4a49782a31552a8ef0894f0c8d52a2328f269b1c Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 11 Apr 2023 13:22:29 +0200
+Subject: [PATCH] Allow systemd-coredump mounton /usr
+
+The files_mounton_usr() interface was added.
+
+Addresses the following AVC denial:
+type=AVC msg=audit(1680965603.852:5360): avc: denied { mounton } for pid=2016312 comm="(sd-parse-elf)" path="/" dev="sda4" ino=2 scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
+
+Resolves: rhbz#2185385
+---
+ policy/modules/kernel/files.if | 18 ++++++++++++++++++
+ policy/modules/system/systemd.te | 1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 1a57076567..6226fca96c 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -3699,6 +3699,24 @@ interface(`files_mounton_etc',`
+ allow $1 etc_t:dir mounton;
+ ')
+ 
++########################################
++##
++## Mounton directories on the /usr filesystem
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_mounton_usr',`
++ gen_require(`
++ type usr_t;
++ ')
++
++ allow $1 usr_t:dir mounton;
++')
++
+ ########################################
+ ##
+ ## Search the contents of /etc directories.
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 57c72d8347..60dbc205ef 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1144,6 +1144,7 @@ files_read_non_security_files(systemd_coredump_t)
+ files_map_non_security_files(systemd_coredump_t)
+ 
+ files_mounton_rootfs(systemd_coredump_t)
++files_mounton_usr(systemd_coredump_t)
+ 
+ fs_getattr_nsfs_files(systemd_coredump_t)
+ 
diff --git a/backport-Allow-systemd-hostnamed-dbus-chat-with-init-scripts.patch b/backport-Allow-systemd-hostnamed-dbus-chat-with-init-scripts.patch
new file mode 100644
index 0000000..2ced9c6
--- /dev/null
+++ b/backport-Allow-systemd-hostnamed-dbus-chat-with-init-scripts.patch
@@ -0,0 +1,29 @@
+From d374cf4fb2d5828aafcdd475a880c6d94b10bdff Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 11 Nov 2022 12:46:00 +0100
+Subject: [PATCH] Allow systemd-hostnamed dbus chat with init scripts
+
+Addresses the following USER_AVC denial:
+
+type=USER_AVC msg=audit(1659032710.225:59): pid=1684 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.23 spid=2281 tpid=2280 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
+
+Resolves: rhbz#2111632
+---
+ policy/modules/system/systemd.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 6602d7c916..6194317382 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -903,6 +903,10 @@ optional_policy(`
+ dbus_system_bus_client(systemd_hostnamed_t)
+ dbus_connect_system_bus(systemd_hostnamed_t)
+ dbus_watch_pid_dir_path(systemd_hostnamed_t)
++
++ optional_policy(`
++ init_dbus_chat_script(systemd_hostnamed_t)
++ ')
+ ')
+ 
+ optional_policy(`
diff --git a/backport-Allow-systemd-resolved-send-a-datagram-to-journald.patch b/backport-Allow-systemd-resolved-send-a-datagram-to-journald.patch
new file mode 100644
index 0000000..b85833a
--- /dev/null
+++ b/backport-Allow-systemd-resolved-send-a-datagram-to-journald.patch
@@ -0,0 +1,29 @@
+From a7e6b82865350053269b0abab82889e18095358d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 30 Jan 2023 14:22:02 +0100
+Subject: [PATCH] Allow systemd-resolved send a datagram to journald
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(1674810195.623:587): avc: denied { sendto } for pid=47442 comm="systemd-resolve" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0
+
+Resolves: rhbz#2165134
+---
+ policy/modules/system/systemd.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 7c625074c4..57c72d8347 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1267,6 +1267,10 @@ optional_policy(`
+ systemd_dbus_chat_logind(systemd_resolved_t)
+ ')
+ 
++optional_policy(`
++ logging_dgram_send(systemd_resolved_t)
++')
++
+ optional_policy(`
+ networkmanager_dbus_chat(systemd_resolved_t)
+ ')
diff --git a/backport-Allow-systemd-resolved-watch-tmpfs-directories.patch b/backport-Allow-systemd-resolved-watch-tmpfs-directories.patch
new file mode 100644
index 0000000..1ca7e6b
--- /dev/null
+++ b/backport-Allow-systemd-resolved-watch-tmpfs-directories.patch
@@ -0,0 +1,62 @@
+From 522fab1033215e698e44f261ea110dc08e6d2c7c Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 21 Dec 2022 12:32:15 +0100
+Subject: [PATCH] Allow systemd-resolved watch tmpfs directories
+
+This permission is required when the system is booted with
+systemd.volatile=overlay. Overlay filesystems are mounted as ramfs
+or tmpfs, the tmpfs_t type is assigned to "/".
+
+The files_watch_tmpfs_dirs() interface was added.
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(1663671100.753:186): avc: denied { watch } for pid=674 comm="systemd-resolve" path="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+
+Resolves: rhbz#2128246
+---
+ policy/modules/kernel/files.if | 18 ++++++++++++++++++
+ policy/modules/system/systemd.te | 1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index eb9e6e032c..1a57076567 100644
+--- a/policy/modules/kernel/files.if
++++ b/policy/modules/kernel/files.if
+@@ -9802,6 +9802,24 @@ interface(`files_rw_tmpfs_files',`
+ allow $1 tmpfsfile:file { read write };
+ ')
+ 
++##########################################
++##
++## Watch a tmpfs directory.
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`files_watch_tmpfs_dirs',`
++ gen_require(`
++ type root_t;
++ ')
++
++ allow $1 tmpfs_t:dir watch_dir_perms;
++')
++
+ ########################################
+ ##
+ ## Do not audit attempts to read security files
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 3a6fd02c3e..77187a80e4 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1244,6 +1244,7 @@ dev_write_kmsg(systemd_resolved_t)
+ dev_read_sysfs(systemd_resolved_t)
+ 
+ files_watch_root_dirs(systemd_resolved_t)
++files_watch_tmpfs_dirs(systemd_resolved_t)
+ files_watch_var_run_dirs(systemd_resolved_t)
+ 
+ init_watch_pid_dir(systemd_resolved_t)
diff --git a/backport-Allow-systemd-rfkill-the-bpf-capability.patch b/backport-Allow-systemd-rfkill-the-bpf-capability.patch
new file mode 100644
index 0000000..1f4e5e2
--- /dev/null
+++ b/backport-Allow-systemd-rfkill-the-bpf-capability.patch
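Review bot: The new `files_watch_tmpfs_dirs` interface declares `type root_t;` in its gen_require block but the rule it grants is `allow $1 tmpfs_t:dir watch_dir_perms;`, so the requirement does not cover the type actually used; this looks like a copy of files_watch_root_dirs that was not fully adjusted and should read `type tmpfs_t;`. The summary says "Watch a tmpfs directory" while `watch_dir_perms` grants the whole watch permission set rather than the single `watch` in the quoted AVC; if the sibling files_watch_*_dirs interfaces in this file use the same macro that is consistent, otherwise a bare `watch` would match the denial more tightly. The banner line above this interface also appears two characters longer than the surrounding `########################################` lines, and the parameter summary lacks the trailing period the other interfaces on this page use.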
@@ -0,0 +1,32 @@
+From 978245dc94680ac0cf55d11f37e2d788bc68bc1a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 19 Dec 2022 14:31:15 +0100
+Subject: [PATCH] Allow systemd-rfkill the bpf capability
+
+Linux Socket Filtering (LSF) is derived from the Berkeley Packet Filter
+and uses the same mechanism to allow a user-space program to attach a
+filter onto any socket and allow or disallow certain types of data to
+come through the socket.
+The systemd-rfkill service wants to listen only to related udev events,
+so it needs to set a filter for which the bpf capability is required.
+
+Addresses the following USER_AVC denial:
+type=AVC msg=audit(1669160827.102:10): avc: denied { bpf } for pid=954 comm="systemd-rfkill" capability=39 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:system_r:systemd_rfkill_t:s0 tclass=capability2 permissive=0
+
+Resolves: rhbz#2149390
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 77187a80e4..10b1b2d9b2 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -947,6 +947,7 @@ tunable_policy(`systemd_socket_proxyd_connect_any',`
+ #
+ 
+ allow systemd_rfkill_t self:capability { net_admin sys_admin};
++allow systemd_rfkill_t self:capability2 bpf;
+ allow systemd_rfkill_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
diff --git a/backport-Allow-systemd-timedated-watch-init-runtime-dir.patch b/backport-Allow-systemd-timedated-watch-init-runtime-dir.patch
new file mode 100644
index 0000000..17b53a7
--- /dev/null
+++ b/backport-Allow-systemd-timedated-watch-init-runtime-dir.patch
@@ -0,0 +1,25 @@
+From b75e34887410c756e09763994cce88584a214da2 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 8 Dec 2022 20:06:14 +0100
+Subject: [PATCH] Allow systemd-timedated watch init runtime dir
+
+Addresses the following AVC denial:
+Dec 08 06:43:24 audit[7055]: AVC avc: denied { watch } for pid=7055 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
+
+Resolves: rhbz#2151806
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 8fb7509147..3a6fd02c3e 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1017,6 +1017,7 @@ fs_getattr_xattr_fs(systemd_timedated_t)
+ 
+ init_dbus_chat(systemd_timedated_t)
+ init_status(systemd_timedated_t)
++init_watch_pid_dir(systemd_timedated_t)
+ 
+ kernel_read_network_state(systemd_timedated_t)
+ 
diff --git a/backport-Allow-systemd-userdbd-the-sys_resource-capability.patch b/backport-Allow-systemd-userdbd-the-sys_resource-capability.patch
new file mode 100644
index 0000000..52e4180
--- /dev/null
+++ b/backport-Allow-systemd-userdbd-the-sys_resource-capability.patch
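Review bot: The denial quoted in the message comes from comm="systemd-timesyn" (systemd-timesyncd), yet the subject and the added rule `init_watch_pid_dir(systemd_timedated_t)` target systemd-timedated; the record's scontext is indeed systemd_timedated_t, so either timesyncd runs in that domain on this distribution or the record was taken from a mislabelled process. The commit message should state which, otherwise a reader cannot tell whether the permission is being granted to the intended service. The rule itself is a single watch permission on the init runtime directory and is fine.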
@@ -0,0 +1,58 @@ +From a266ee5b8b29d8f64a51cc408d558ae92c5e86ee Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 4 Jan 2023 14:16:56 +0100 +Subject: [PATCH] Allow systemd-userdbd the sys_resource capability +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This permission is required for the process be able to set its +arg start and end address, refer to prctl(2): + + PR_SET_MM (since Linux 3.3) + Modify certain kernel memory map descriptor fields of the calling + process. Usually these fields are set by the kernel and dynamic loader + (see ld.so(8) for more information) and a regular application should not + use this feature. However, there are cases, such as self-modifying pro‐ + grams, where a program might find it useful to change its own memory + map. + + The calling process must have the CAP_SYS_RESOURCE capability. The + value in arg2 is one of the options below, while arg3 provides a new + value for the option. The arg4 and arg5 arguments must be zero if un‐ + used. + + PR_SET_MM_ARG_START + Set the address above which the program command line is placed. + + PR_SET_MM_ARG_END + Set the address below which the program command line is placed. 
+ +Addresses the following AVC denials: + +type=PROCTITLE msg=audit(01/04/2023 06:21:21.285:112) : proctitle=(sd-worker) +type=SYSCALL msg=audit(01/04/2023 06:21:21.285:112) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x8 a2=0x7fa791901000 a3=0x0 items=0 ppid=1367 pid=1384 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(sd-worker) exe=/usr/lib/systemd/systemd-userdbd subj=system_u:system_r:systemd_userdbd_t:s0 key=(null) +type=AVC msg=audit(01/04/2023 06:21:21.285:112) : avc: denied { sys_resource } for pid=1384 comm=(sd-worker) capability=sys_resource scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=1 + +type=PROCTITLE msg=audit(01/04/2023 06:21:23.761:156) : proctitle=systemd-userwork: processing... +type=SYSCALL msg=audit(01/04/2023 06:21:23.761:156) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x9 a2=0x7fcc48186020 a3=0x0 items=0 ppid=1367 pid=1385 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-userwor exe=/usr/lib/systemd/systemd-userwork subj=system_u:system_r:systemd_userdbd_t:s0 key=(null) +type=AVC msg=audit(01/04/2023 06:21:23.761:156) : avc: denied { sys_resource } for pid=1385 comm=systemd-userwor capability=sys_resource scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=1 + +Resolves: rhbz#2166509 +--- + policy/modules/system/systemd.te | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 10b1b2d9b2..7c625074c4 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1461,7 +1461,7 @@ optional_policy(` + # + # systemd_userdbd local policy + # +-allow systemd_userdbd_t self:capability 
dac_read_search; ++allow systemd_userdbd_t self:capability { dac_read_search sys_resource }; + + manage_dirs_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) + manage_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t) diff --git a/backport-Allow-tlp-read-generic-SSL-certificates.patch b/backport-Allow-tlp-read-generic-SSL-certificates.patch new file mode 100644 index 0000000..67b27cf --- /dev/null +++ b/backport-Allow-tlp-read-generic-SSL-certificates.patch @@ -0,0 +1,27 @@ +From 610162346b12f1d34198fb8f435e2426bc28462c Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 22 Dec 2022 12:05:13 +0100 +Subject: [PATCH] Allow tlp read generic SSL certificates + +Addresses the following AVC denial and further ones: + +type=AVC msg=audit(1659568944.632:728): avc: denied { search } for pid=34604 comm="modinfo" name="pki" dev="dm-1" ino=2490465 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0 + +Resolves: rhbz#2115141 +--- + policy/modules/contrib/tlp.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/contrib/tlp.te b/policy/modules/contrib/tlp.te +index 38ba44adb9..f73b8bbdcf 100644 +--- a/policy/modules/contrib/tlp.te ++++ b/policy/modules/contrib/tlp.te +@@ -65,6 +65,8 @@ files_load_kernel_modules(tlp_t) + init_status(tlp_t) + init_stream_connectto(tlp_t) + ++miscfiles_read_generic_certs(tlp_t) ++ + modutils_exec_kmod(tlp_t) + modutils_read_module_config(tlp_t) + modutils_read_module_deps_files(tlp_t) diff --git a/backport-Allow-winbind-rpcd-get-attributes-of-device-and-pty-.patch b/backport-Allow-winbind-rpcd-get-attributes-of-device-and-pty-.patch new file mode 100644 index 0000000..dd6115d --- /dev/null +++ b/backport-Allow-winbind-rpcd-get-attributes-of-device-and-pty-.patch 
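Review bot: `allow systemd_userdbd_t self:capability { dac_read_search sys_resource };` grants CAP_SYS_RESOURCE, which also permits overriding resource limits and several other privileged operations, although the message explains it is wanted only for prctl(PR_SET_MM) in the sd-worker children; a comment on the rule recording that narrow purpose, e.g. `# sys_resource: prctl(PR_SET_MM_ARG_START/END) in sd-worker (rhbz#2166509)`, keeps the justification next to the grant. Both quoted records were captured with permissive=1 and show success=yes, so no enforcing-mode failure is documented; saying so in the message would make the evidence clearer. The enclosing userdbd policy block continues outside the hunk.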
@@ -0,0 +1,25 @@
+From 4c7f07ac123d25d9b053fa798067c7ef883fb17b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 15 Nov 2022 14:57:01 +0100
+Subject: [PATCH] Allow winbind-rpcd get attributes of device and pty
+ filesystems
+
+Resolves: rhbz#2107106
+---
+ policy/modules/contrib/samba.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 88fb46b700..1395047b3e 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1203,6 +1203,9 @@ corecmd_exec_bin(winbind_rpcd_t)
+ 
+ corenet_tcp_connect_ipp_port(winbind_rpcd_t)
+ 
++dev_getattr_fs(winbind_rpcd_t)
++
++term_getattr_pty_fs(winbind_rpcd_t)
+ term_use_ptmx(winbind_rpcd_t)
+ 
+ optional_policy(`
diff --git a/backport-Allow-winbind-rpcd-make-a-TCP-connection-to-the-ldap.patch b/backport-Allow-winbind-rpcd-make-a-TCP-connection-to-the-ldap.patch
new file mode 100644
index 0000000..98d600e
--- /dev/null
+++ b/backport-Allow-winbind-rpcd-make-a-TCP-connection-to-the-ldap.patch
@@ -0,0 +1,29 @@
+From e91d34918bd3e80aefa7236c014a2ad537a74966 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 22 Dec 2022 13:14:35 +0100
+Subject: [PATCH] Allow winbind-rpcd make a TCP connection to the ldap port
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(12/06/2022 12:58:18.767:2236) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=35 --np-helper --debuglevel=2
+type=SOCKADDR msg=audit(12/06/2022 12:58:18.767:2236) : saddr={ saddr_fam=inet laddr=127.0.0.1 lport=389 }
+type=SYSCALL msg=audit(12/06/2022 12:58:18.767:2236) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xf a1=0x55f673a4ace0 a2=0x10 a3=0x0 items=0 ppid=1 pid=7080 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
+type=AVC msg=audit(12/06/2022 12:58:18.767:2236) : avc: denied { name_connect } for pid=7080 comm=samba-dcerpcd dest=389 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
+
+Resolves: rhbz#2152642
+---
+ policy/modules/contrib/samba.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 8746918587..6143ea2622 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1205,6 +1205,7 @@ kernel_read_network_state(winbind_rpcd_t)
+ corecmd_exec_bin(winbind_rpcd_t)
+ 
+ corenet_tcp_connect_ipp_port(winbind_rpcd_t)
++corenet_tcp_connect_ldap_port(winbind_rpcd_t)
+ 
+ dev_getattr_fs(winbind_rpcd_t)
+ 
diff --git a/backport-Allow-winbind-rpcd-manage-samba_share_t-files-and-di.patch b/backport-Allow-winbind-rpcd-manage-samba_share_t-files-and-di.patch
new file mode 100644
index 0000000..4e4df30
--- /dev/null
+++ b/backport-Allow-winbind-rpcd-manage-samba_share_t-files-and-di.patch
@@ -0,0 +1,37 @@
+From 9921e239291412f21c98806f2777dba7fce8bbe4 Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Thu, 15 Dec 2022 12:07:05 +0100
+Subject: [PATCH] Allow winbind-rpcd manage samba_share_t files and dirs
+
+Allow winbind connect to init_t unix_stream_socket
+
+Resolves: rhbz#2150680
+---
+ policy/modules/contrib/samba.te | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 1395047b3e..8746918587 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1185,6 +1185,9 @@ manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_ru
+ files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
+ 
+ # access to files of other samba domains
++manage_dirs_pattern(winbind_rpcd_t, samba_share_t, samba_share_t)
++manage_files_pattern(winbind_rpcd_t, samba_share_t, samba_share_t)
++
+ manage_dirs_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
+ read_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
+ manage_sock_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
+@@ -1225,6 +1228,10 @@ optional_policy(`
+ dirsrv_stream_connect(winbind_rpcd_t)
+ ')
+ 
++optional_policy(`
++ init_stream_connectto(winbind_rpcd_t)
++')
++
+ optional_policy(`
+ kerberos_read_keytab(winbind_rpcd_t)
+ kerberos_use(winbind_rpcd_t)
diff --git a/backport-Allow-winbind-rpcd-read-and-write-its-key-ring.patch b/backport-Allow-winbind-rpcd-read-and-write-its-key-ring.patch
new file mode 100644
index 0000000..575f549
--- /dev/null
+++ b/backport-Allow-winbind-rpcd-read-and-write-its-key-ring.patch
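Review bot: `manage_dirs_pattern`/`manage_files_pattern` on `samba_share_t` give the RPC worker create, write and unlink over all exported share content, yet the message cites no denial and no reason the DCE-RPC daemons need more than read or getattr on shares; the denial should be recorded and the rule scoped to what it shows (e.g. `read_files_pattern(winbind_rpcd_t, samba_share_t, samba_share_t)` and `list_dirs_pattern`) unless writes are really observed. The new lines sit under the existing `# access to files of other samba domains` comment, which describes the smbd_var_run_t rules below rather than share data, so a separate `# exported share content` comment would keep the grouping honest. The `init_stream_connectto` block in the second hunk follows the `optional_policy` style of its neighbours, which is consistent even if init is a base module in this tree.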
@@ -0,0 +1,26 @@
+From d55213e04801baef4979cb38340737d69cb66d0c Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 19 Sep 2022 12:28:38 +0200
+Subject: [PATCH] Allow winbind-rpcd read and write its key ring
+
+Addresses the following AVC denials:
+type=AVC msg=audit(1663577560.480:3619): avc: denied { write } for pid=109517 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1
+type=AVC msg=audit(1663577560.480:3620): avc: denied { read } for pid=109517 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1
+
+Resolves: rhbz#2127854
+---
+ policy/modules/contrib/samba.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index d25bc64f5d..23af3a1304 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1167,6 +1167,7 @@ optional_policy(`
+ #
+ 
+ allow winbind_rpcd_t self:capability { setgid setuid };
++allow winbind_rpcd_t self:key { read write };
+ allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms;
+ allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow winbind_rpcd_t self:unix_stream_socket connectto;
diff --git a/backport-Allow-winbind-rpcd-use-the-terminal-multiplexor.patch b/backport-Allow-winbind-rpcd-use-the-terminal-multiplexor.patch
new file mode 100644
index 0000000..8b8422e
--- /dev/null
+++ b/backport-Allow-winbind-rpcd-use-the-terminal-multiplexor.patch
@@ -0,0 +1,30 @@
+From ea6e506843ed60097d84b14dea6945fd4e885fb0 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 11 Nov 2022 14:00:10 +0100
+Subject: [PATCH] Allow winbind-rpcd use the terminal multiplexor
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(07/14/2022 07:07:43.161:380) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=3 --worker-index=0 --debuglevel=0
+type=PATH msg=audit(07/14/2022 07:07:43.161:380) : item=0 name=/dev/ptmx inode=11387 dev=00:06 mode=character,666 ouid=root ogid=tty rdev=05:02 obj=system_u:object_r:ptmx_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(07/14/2022 07:07:43.161:380) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fb1d4cf2a46 a2=O_RDWR|O_NOCTTY a3=0x0 items=1 ppid=6326 pid=6336 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
+type=AVC msg=audit(07/14/2022 07:07:43.161:380) : avc: denied { read write } for pid=6336 comm=rpcd_lsad name=ptmx dev="devtmpfs" ino=11387 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=0
+
+Resolves: rhbz#2107106
+---
+ policy/modules/contrib/samba.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 2280531046..88fb46b700 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1203,6 +1203,8 @@ corecmd_exec_bin(winbind_rpcd_t)
+ 
+ corenet_tcp_connect_ipp_port(winbind_rpcd_t)
+ 
++term_use_ptmx(winbind_rpcd_t)
++
+ optional_policy(`
+ auth_read_passwd(winbind_rpcd_t)
+ ')
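Review bot: `term_use_ptmx(winbind_rpcd_t)` lets every rpcd worker open /dev/ptmx read-write and so allocate pseudo-terminals, which is unusual for a non-interactive RPC daemon; the message records the denial but not why rpcd_lsad opens the multiplexer. The SYSCALL record only shows `success=no` in enforcing mode, nothing about functional impact, so if the open is a probe the daemon tolerates, `term_dontaudit_use_ptmx(winbind_rpcd_t)` would silence the log without widening the domain; if a pty is really needed, one sentence in the message saying what for would justify the grant. A later backport in this set ("Allow-rpcd_lsad-setcap-and-use-generic-ptys") appears to build on this rule, so the rationale is best captured here.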
diff --git a/backport-Allow-winbind-rpcd-write-to-winbind-pid-files.patch b/backport-Allow-winbind-rpcd-write-to-winbind-pid-files.patch
new file mode 100644
index 0000000..5ba54ba
--- /dev/null
+++ b/backport-Allow-winbind-rpcd-write-to-winbind-pid-files.patch
@@ -0,0 +1,24 @@
+From 495539633271d0e187e221dec061e122812cb5c2 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 5 Aug 2022 17:30:47 +0200
+Subject: [PATCH] Allow winbind-rpcd write to winbind pid files
+
+Addresses the following AVC denial:
+
+type=AVC msg=audit(1658286623.868:2435): avc: denied { write } for pid=6219 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
+---
+ policy/modules/contrib/samba.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index d64ba6e569..82ba1abf64 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1176,6 +1176,7 @@ allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;
+ 
+ read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t)
+ 
++write_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t)
+ write_sock_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t)
+ 
+ manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)
diff --git a/backport-Allow-winbind_rpcd_t-connect-to-self-over-a-unix_str.patch b/backport-Allow-winbind_rpcd_t-connect-to-self-over-a-unix_str.patch
new file mode 100644
index 0000000..b394304
--- /dev/null
+++ b/backport-Allow-winbind_rpcd_t-connect-to-self-over-a-unix_str.patch
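Review bot: The denial shows `samba-dcerpcd.pid` carrying `winbind_var_run_t`, so the name-based transition added earlier in this series (`files_pid_filetrans(winbind_t, winbind_rpcd_var_run_t, file, "samba-dcerpcd.pid")`) evidently does not fire where the file is actually created, presumably a winbind_var_run_t directory rather than the var_run_t parent. `write_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t)` papers over that by letting rpcd write every winbind_var_run_t file, winbind's own pid file included; a `filetrans_pattern(winbind_t, winbind_var_run_t, winbind_rpcd_var_run_t, file, "samba-dcerpcd.pid")` for the directory the file lives in would keep it in the type rpcd already manages. If the file can pre-exist with the old label across an upgrade, the write rule may still be needed transitionally, but the message should say so.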
@@ -0,0 +1,29 @@
+From e9ed412d419a865d8a9a396469d1f2bda351f30d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 17 Jun 2022 19:46:05 +0200
+Subject: [PATCH] Allow winbind_rpcd_t connect to self over a
+ unix_stream_socket
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(06/13/2022 04:54:59.247:2004) : proctitle=/usr/libexec/samba/rpcd_classic --configfile=/etc/samba/smb.conf --worker-group=6 --worker-index=0 --debuglevel=10
+type=AVC msg=audit(06/13/2022 04:54:59.247:2004) : avc: denied { connectto } for pid=23402 comm=rpcd_classic path=/run/samba/ncalrpc/np/winreg scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_stream_socket permissive=0
+type=SYSCALL msg=audit(06/13/2022 04:54:59.247:2004) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x10 a1=0x5624dd0ca5d0 a2=0x6e a3=0x7fe7094db260 items=0 ppid=23239 pid=23402 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_classic exe=/usr/libexec/samba/rpcd_classic subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
+
+Resolves: rhbz#2096255
+---
+ policy/modules/contrib/samba.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 7087c37e7a..5e851af84a 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1168,6 +1168,7 @@ optional_policy(`
+ allow winbind_rpcd_t self:capability { setgid setuid };
+ allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms;
+ allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto };
++allow winbind_rpcd_t self:unix_stream_socket connectto;
+ allow winbind_rpcd_t self:udp_socket create_socket_perms;
+ 
+ allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;
diff --git a/backport-Update-policy-for-samba-dcerpcd.patch b/backport-Update-policy-for-samba-dcerpcd.patch
new file mode 100644
index 0000000..236b162
--- /dev/null
+++ b/backport-Update-policy-for-samba-dcerpcd.patch
@@ -0,0 +1,60 @@
+From 044ed83f8ebde938bbc49f6e071a8548ddc8505d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 8 Jun 2022 16:24:15 +0200
+Subject: [PATCH] Update policy for samba-dcerpcd
+
+The initial policy was updated to allow:
+- use sssd and systemd nsswitch modules
+- read kernel network state
+- use dbus
+- manage samba log directories
+- read winbind runtime files
+
+Resolves: rhbz#2083504
+---
+ policy/modules/contrib/samba.te | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 03b49cba42..99cb452f7b 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1019,6 +1019,7 @@ manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var
+ manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
+ manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
+ files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
++files_pid_filetrans(winbind_t, winbind_rpcd_var_run_t, file, "samba-dcerpcd.pid")
+ filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
+ # /run/samba/krb5cc_samba
+ manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
+@@ -1175,9 +1176,12 @@ read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t)
+ 
+ manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)
+ files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
++
++# access to files of other samba domains
+ manage_dirs_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
+ manage_sock_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
+ 
++manage_dirs_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
+ manage_files_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
+ 
+ manage_dirs_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
+@@ -1185,10 +1189,16 @@ manage_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
+ manage_sock_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
+ allow winbind_rpcd_t samba_var_t:file { map } ;
+ 
++kernel_read_network_state(winbind_rpcd_t)
++
+ corecmd_exec_bin(winbind_rpcd_t)
+ 
+ optional_policy(`
+- auth_read_passwd_file(winbind_rpcd_t)
++ auth_read_passwd(winbind_rpcd_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(winbind_rpcd_t)
+ ')
+ 
+ # interactions with smbd_t/winbind_t
diff --git a/backport-Update-samba-dcerpcd-policy-for-kerberos-usage-2.patch b/backport-Update-samba-dcerpcd-policy-for-kerberos-usage-2.patch
new file mode 100644
index 0000000..3e06153
--- /dev/null
+++ b/backport-Update-samba-dcerpcd-policy-for-kerberos-usage-2.patch
@@ -0,0 +1,37 @@
+From 837f63743214363362334e910dcb06d35cd5cb99 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 27 Jun 2022 17:22:40 +0200
+Subject: [PATCH] Update samba-dcerpcd policy for kerberos usage 2
+
+These additional permissions were added:
+- read kerberos key tables
+- read generic SSL certificates
+
+Resolves: rhbz#2096521
+---
+ policy/modules/contrib/samba.te | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 091e016fd0..4be4401cda 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1208,6 +1208,7 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++ kerberos_read_keytab(winbind_rpcd_t)
+ kerberos_use(winbind_rpcd_t)
+ ')
+ 
+@@ -1215,6 +1216,10 @@ optional_policy(`
+ logging_send_syslog_msg(winbind_rpcd_t)
+ ')
+ 
++optional_policy(`
++ miscfiles_read_generic_certs(winbind_rpcd_t)
++')
++
+ optional_policy(`
+ sssd_read_public_files(winbind_rpcd_t)
+ sssd_stream_connect(winbind_rpcd_t)
diff --git a/backport-Update-samba-dcerpcd-policy-for-kerberos-usage.patch b/backport-Update-samba-dcerpcd-policy-for-kerberos-usage.patch
new file mode 100644
index 0000000..7823b6a
--- /dev/null
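Review bot: The message bullet "read winbind runtime files" has no matching rule in the three hunks — the eleven insertions are the pid-file transition for winbind_t, the comment, `manage_dirs_pattern` on samba_log_t, `kernel_read_network_state`, the `auth_read_passwd` replacement and the dbus block — so either the bullet means the `files_pid_filetrans(winbind_t, winbind_rpcd_var_run_t, file, "samba-dcerpcd.pid")` line and should say so, or a rule was dropped. That transition also presumes winbind_t may create files of type winbind_rpcd_var_run_t, which nothing in this hunk grants; if the initial samba-dcerpcd patch (not in view) does not already allow it, the transition is a no-op and the pid file keeps the parent directory's type. Replacing `auth_read_passwd_file` with `auth_read_passwd` presumably widens the grant from reading /etc/passwd to the full nsswitch path (sssd and systemd user databases, as the first bullet suggests), which is worth stating explicitly rather than leaving as a one-word diff.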
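Review bot: `miscfiles_read_generic_certs(winbind_rpcd_t)` is wrapped in `optional_policy`, whereas the tlp backport in this same series calls the identical interface unconditionally; miscfiles is normally a base module, so the wrapper is unnecessary, and the two call sites should follow one convention. `kerberos_read_keytab(winbind_rpcd_t)` gives every rpcd worker read access to the host keytab, which is inherent to Kerberos authentication but, like the rest of this series, arrives with only a bug reference and no denial; a one-line note on which RPC service needs the keytab would help later audits.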
+++ b/backport-Update-samba-dcerpcd-policy-for-kerberos-usage.patch
@@ -0,0 +1,45 @@
+From e6584a21427a408c09781f2c5cf978b0f18db1cc Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 17 Jun 2022 18:34:28 +0200
+Subject: [PATCH] Update samba-dcerpcd policy for kerberos usage
+
+Resolves: rhbz#2096825
+---
+ policy/modules/contrib/samba.te | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 99cb452f7b..7087c37e7a 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1179,6 +1179,7 @@ files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
+ 
+ # access to files of other samba domains
+ manage_dirs_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
++read_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
+ manage_sock_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
+ 
+ manage_dirs_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
+@@ -1201,6 +1202,22 @@ optional_policy(`
+ dbus_system_bus_client(winbind_rpcd_t)
+ ')
+ 
++optional_policy(`
++ dirsrv_stream_connect(winbind_rpcd_t)
++')
++
++optional_policy(`
++ kerberos_use(winbind_rpcd_t)
++')
++
++optional_policy(`
++ logging_send_syslog_msg(winbind_rpcd_t)
++')
++
++optional_policy(`
++ sysnet_read_config(winbind_rpcd_t)
++')
++
+ # interactions with smbd_t/winbind_t
+ allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
+ allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;
diff --git a/backport-Update-winbind_rpcd_t.patch b/backport-Update-winbind_rpcd_t.patch
new file mode 100644
index 0000000..af5c4a8
--- /dev/null
+++ b/backport-Update-winbind_rpcd_t.patch
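Review bot: Four new `optional_policy` blocks (`dirsrv_stream_connect`, `kerberos_use`, `logging_send_syslog_msg`, `sysnet_read_config`) plus a `read_files_pattern` on smbd_var_run_t arrive with only a bug reference — no denial and no description, unlike the sibling backports that quote the AVC. `dirsrv_stream_connect` in particular presumably lets the RPC workers connect to the directory server's sockets, which goes beyond the "kerberos usage" of the subject and deserves one sentence on which rpcd service triggered it. At minimum the message should list the permissions added, as the "2" follow-up patch in this series does.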
@@ -0,0 +1,51 @@
+From 37512b85ed2712a57370c9df57db84b96b3d0f9d Mon Sep 17 00:00:00 2001
+From: Nikola Knazekova
+Date: Wed, 13 Jul 2022 18:12:31 +0200
+Subject: [PATCH] Update winbind_rpcd_t
+
+Allow smbcontrol send winbind_rpcd_t unix_dgram_socket
+Allow winbind_rpcd_t to write winbind_var_run_t sock files
+Allow winbind_rpcd_t connect to winbind_t over unix_stream_socket
+Allow winbind_rpcd_t to connect to systemd-userdbd with a unix socket
+
+Fix: rhbz#2102084
+---
+ policy/modules/contrib/samba.te | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 4be4401cda..61598b8e39 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -745,6 +745,7 @@ allow smbcontrol_t samba_var_t:file map;
+ 
+ allow smbcontrol_t nmbd_t:unix_dgram_socket sendto;
+ allow smbcontrol_t smbd_t:unix_dgram_socket sendto;
++allow smbcontrol_t winbind_rpcd_t:unix_dgram_socket sendto;
+ allow smbcontrol_t winbind_t:unix_dgram_socket sendto;
+ 
+ samba_read_config(smbcontrol_t)
+@@ -1175,6 +1176,8 @@ allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;
+ 
+ read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t)
+ 
++write_sock_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t)
++
+ manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)
+ files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
+ 
+@@ -1229,9 +1232,14 @@ optional_policy(`
+ sysnet_read_config(winbind_rpcd_t)
+ ')
+ 
++optional_policy(`
++ systemd_userdbd_stream_connect(winbind_rpcd_t)
++')
++
+ # interactions with smbd_t/winbind_t
+ allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
+ allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;
++allow winbind_rpcd_t winbind_t:unix_stream_socket connectto;
+ 
+ samba_domtrans_winbind_rpcd(smbd_t)
+ samba_domtrans_winbind_rpcd(winbind_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5f0e1e1..1c7f093 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 35.5
-Release: 20
+Release: 21
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
@@ -228,6 +228,53 @@ Patch6158: backport-Allow-lldpad-bpf-capability-to-run-bpf-programs.patch
 Patch6159: backport-Allow-pkcs_slotd_t-bpf-capability-to-run-bpf-program.patch
 Patch6160: backport-Allow-netutils-and-traceroute-bpf-capability-to-run-.patch
 Patch6161: backport-Allow-dhcpd-bpf-capability-to-run-bpf-programs.patch
+Patch6162: backport-Add-watch-interfaces.patch
+Patch6163: backport-Add-watch_sb-interfaces.patch
+Patch6164: backport-Add-interface-to-watch-all-filesystems.patch
+Patch6165: backport-Allow-sssd-dbus-chat-with-system-cronjobs.patch
+Patch6166: backport-Allow-systemd-hostnamed-dbus-chat-with-init-scripts.patch
+Patch6167: backport-Add-domain_unix_read_all_semaphores-interface.patch
+Patch6168: backport-Allow-rpc.gssd-read-network-sysctls.patch
+Patch6169: backport-Allow-syslogd-read-network-sysctls.patch
+Patch6170: backport-Allow-systemd-timedated-watch-init-runtime-dir.patch
+Patch6171: backport-Allow-journalctl-relabel-with-var_log_t-and-syslogd_.patch
+Patch6172: backport-Allow-systemd-resolved-watch-tmpfs-directories.patch
+Patch6173: backport-Allow-tlp-read-generic-SSL-certificates.patch
+Patch6174: backport-Allow-apcupsd-dbus-chat-with-systemd-logind.patch
+Patch6175: backport-Allow-systemd-rfkill-the-bpf-capability.patch
+Patch6176: backport-Allow-systemd-userdbd-the-sys_resource-capability.patch
+Patch6177: backport-Allow-systemd-resolved-send-a-datagram-to-journald.patch
+Patch6178: backport-Allow-system_cronjob_t-transition-to-rpm_script_t.patch
+Patch6179: backport-Allow-systemd-coredump-mounton-usr.patch
+Patch6180: backport-Add-journalctl-the-sys_resource-capability.patch
+Patch6181: backport-Allow-logrotate-dbus-chat-with-systemd-hostnamed.patch
+Patch6182: backport-Add-support-for-samba-dcerpcd.patch
+Patch6183: backport-Update-policy-for-samba-dcerpcd.patch
+Patch6184: backport-Update-samba-dcerpcd-policy-for-kerberos-usage.patch
+Patch6185: backport-Allow-winbind_rpcd_t-connect-to-self-over-a-unix_str.patch
+Patch6186: backport-Allow-samba-dcerpcd-work-with-sssd.patch
+Patch6187: backport-Update-samba-dcerpcd-policy-for-kerberos-usage-2.patch
+Patch6188: backport-Update-winbind_rpcd_t.patch
+Patch6189: backport-Allow-samba-bgqd-get-a-printer-list.patch
+Patch6190: backport-Allow-winbind-rpcd-write-to-winbind-pid-files.patch
+Patch6191: backport-Allow-samba-bgqd-to-read-a-printer-list.patch
+Patch6192: backport-Allow-smbd_t-process-noatsecure-permission-for-winbi.patch
+Patch6193: backport-Allow-winbind-rpcd-read-and-write-its-key-ring.patch
+Patch6194: backport-Allow-samba-dcerpcd-use-NSCD-services-over-a-unix-st.patch
+Patch6195: backport-Add-winbind-rpcd-to-samba_enable_home_dirs-boolean.patch
+Patch6196: backport-Allow-winbind-rpcd-use-the-terminal-multiplexor.patch
+Patch6197: backport-Allow-winbind-rpcd-get-attributes-of-device-and-pty-.patch
+Patch6198: backport-Allow-winbind-rpcd-manage-samba_share_t-files-and-di.patch
+Patch6199: backport-Allow-winbind-rpcd-make-a-TCP-connection-to-the-ldap.patch
+Patch6200: backport-Allow-samba-rpcd-work-with-passwords.patch
+Patch6201: backport-Allow-samba-dcerpcd-connect-to-systemd_machined-over.patch
+Patch6202: backport-Allow-rpcd_lsad-setcap-and-use-generic-ptys.patch
+Patch6203: backport-Allow-keepalived-to-set-resource-limits.patch
+Patch6204: backport-Add-the-kernel_read_proc_files-interface.patch
+Patch6205: backport-Allow-pcscd-bpf-capability-to-run-bpf-programs.patch
+Patch6206: backport-Allow-logwatch_mail_t-read-network-sysctls.patch
+Patch6207: backport-Allow-exim-read-network-sysctls.patch
+Patch6208: backport-Allow-kernel-to-manage-its-own-BPF-objects.patch
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -904,6 +951,9 @@ exit 0
 %endif
 %changelog
+* Thu Aug 24 2023 wangqingsan - 35.5-21
+- backport upstream patches
+
+* Fri Jul 28 2023 huangzq6 - 35.5-20
+- backport some selinux-policy upstream patches