fix build error

2024-03-25 19:42:27 +08:00 · 2024-03-25 19:42:27 +08:00 · f71b64cacf
commit f71b64cacf
parent 656662f85f
5 changed files with 157 additions and 1 deletions
--- a/backport-Fix-users-for-SELinux-userspace-3.4.patch
+++ b/backport-Fix-users-for-SELinux-userspace-3.4.patch
@ -0,0 +1,146 @@
 From e1e216b25df1bdb4eb7dbb8f73f32927ad6f3d1f Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Thu, 14 Apr 2022 12:07:40 +0200
 Subject: [PATCH] Fix users for SELinux userspace 3.4
 Latest yet to be released userspace version 3.4 added new validation and
 discovered several issues in current implementation. This patch tries to
 address them:
 - move guest and xguest module from contrib to roles - refpolicy did
 this change long time ago
 - roles guest_r and xguest_r need to be defined in kernel.te
 - gen_user() is supposed to be in policy/users, not in modules
 - drop role multiple definitions from userdom_base_user_template as it's
 and is supposed to be defined in kernel.te
 ---
 policy/modules/kernel/kernel.te             | 3 +++
 policy/modules/{contrib => roles}/guest.fc  | 0
 policy/modules/{contrib => roles}/guest.if  | 0
 policy/modules/{contrib => roles}/guest.te  | 4 ++--
 policy/modules/roles/unconfineduser.te      | 3 +--
 policy/modules/{contrib => roles}/xguest.fc | 0
 policy/modules/{contrib => roles}/xguest.if | 0
 policy/modules/{contrib => roles}/xguest.te | 4 ++--
 policy/modules/system/userdomain.if         | 3 +--
 9 files changed, 9 insertions(+), 8 deletions(-)
 rename policy/modules/{contrib => roles}/guest.fc (100%)
 rename policy/modules/{contrib => roles}/guest.if (100%)
 rename policy/modules/{contrib => roles}/guest.te (82%)
 rename policy/modules/{contrib => roles}/xguest.fc (100%)
 rename policy/modules/{contrib => roles}/xguest.if (100%)
 rename policy/modules/{contrib => roles}/xguest.te (98%)
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
 index acbb2f74e6..73696bcb0a 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
@@ -39,6 +39,9 @@ role user_r;
 # here until order dependence is fixed:
 role unconfined_r;
 +role guest_r;
 +role xguest_r;
 +
 ifdef(`enable_mls',`
 	role secadm_r;
 	role auditadm_r;
 diff --git a/policy/modules/contrib/guest.fc b/policy/modules/roles/guest.fc
 similarity index 100%
 rename from policy/modules/contrib/guest.fc
 rename to policy/modules/roles/guest.fc
 diff --git a/policy/modules/contrib/guest.if b/policy/modules/roles/guest.if
 similarity index 100%
 rename from policy/modules/contrib/guest.if
 rename to policy/modules/roles/guest.if
 diff --git a/policy/modules/contrib/guest.te b/policy/modules/roles/guest.te
 similarity index 82%
 rename from policy/modules/contrib/guest.te
 rename to policy/modules/roles/guest.te
 index 0605776333..2e9505d1cc 100644
 --- a/policy/modules/contrib/guest.te
 +++ b/policy/modules/roles/guest.te
@@ -5,7 +5,7 @@ policy_module(guest, 1.3.0)
 # Declarations
 #
 -role guest_r;
 +# role guest_r;
 userdom_restricted_user_template(guest)
@@ -20,4 +20,4 @@ optional_policy(`
 	apache_role(guest_r, guest_t)
 ')
 -gen_user(guest_u, user, guest_r, s0, s0)
 +# gen_user(guest_u, user, guest_r, s0, s0)
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 index 55bca1e31e..5596e6f0ee 100644
 --- a/policy/modules/roles/unconfineduser.te
 +++ b/policy/modules/roles/unconfineduser.te
@@ -399,5 +399,4 @@ optional_policy(`
 	xserver_xsession_entry_type(unconfined_t)
 ')
 -gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 -
 +# gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 diff --git a/policy/modules/contrib/xguest.fc b/policy/modules/roles/xguest.fc
 similarity index 100%
 rename from policy/modules/contrib/xguest.fc
 rename to policy/modules/roles/xguest.fc
 diff --git a/policy/modules/contrib/xguest.if b/policy/modules/roles/xguest.if
 similarity index 100%
 rename from policy/modules/contrib/xguest.if
 rename to policy/modules/roles/xguest.if
 diff --git a/policy/modules/contrib/xguest.te b/policy/modules/roles/xguest.te
 similarity index 98%
 rename from policy/modules/contrib/xguest.te
 rename to policy/modules/roles/xguest.te
 index 8d3ef540a7..e19bf40fc5 100644
 --- a/policy/modules/contrib/xguest.te
 +++ b/policy/modules/roles/xguest.te
@@ -26,7 +26,7 @@ gen_tunable(xguest_connect_network, true)
 ## </desc>
 gen_tunable(xguest_use_bluetooth, true)
 -role xguest_r;
 +# role xguest_r;
 userdom_restricted_xwindows_user_template(xguest)
 sysnet_dns_name_resolve(xguest_t)
@@ -203,4 +203,4 @@ optional_policy(`
 	role xguest_r types mozilla_t;
 ')
 -gen_user(xguest_u, user, xguest_r, s0, s0)
 +# gen_user(xguest_u, user, xguest_r, s0, s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
 index b16984dd82..d5be647e85 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
@@ -27,6 +27,7 @@ template(`userdom_base_user_template',`
 		attribute userdomain;
 		type user_devpts_t, user_tty_device_t;
 		class context contains;
 +		role $1_r;
 	')
 	attribute $1_file_type;
@@ -34,12 +35,10 @@ template(`userdom_base_user_template',`
 	type $1_t, userdomain, $1_usertype;
 	domain_type($1_t)
 -	role $1_r;
 	corecmd_shell_entry_type($1_t)
 	corecmd_bin_entry_type($1_t)
 	domain_user_exemption_target($1_t)
 	ubac_constrained($1_t)
 -	role $1_r;
 	role $1_r types $1_t;
 	allow system_r $1_r;
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 35.5
-Release: 21
+Release: 22
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/
@ -275,6 +275,7 @@ Patch6205: backport-Allow-pcscd-bpf-capability-to-run-bpf-programs.patch
 Patch6206: backport-Allow-logwatch_mail_t-read-network-sysctls.patch
 Patch6207: backport-Allow-exim-read-network-sysctls.patch
 Patch6208: backport-Allow-kernel-to-manage-its-own-BPF-objects.patch
 Patch6209: backport-Fix-users-for-SELinux-userspace-3.4.patch
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@ -951,6 +952,9 @@ exit 0
 %endif
 %changelog
 * Mon Mar 25 2024 gengqihu <gengqihu2@h-partners.com> - 35.5-22
 - fix semodule_package fail
 * Thu Aug 24 2023 wangqingsan <wangqingsan@huawei.com> - 35.5-21
 - backport upstream patches
--- a/1
+++ b/1
@ -36,3 +36,4 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--- a/2
+++ b/2
@ -36,3 +36,5 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(guest_u, user, guest_r, s0, s0)
 gen_user(xguest_u, user, xguest_r, s0, s0)
--- a/3
+++ b/3
@ -36,3 +36,6 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 #
 gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(guest_u, user, guest_r, s0, s0)
 gen_user(xguest_u, user, xguest_r, s0, s0)