

11 Commits

openeuler-ci-bot
1951163b95
!247 修复因libsepol策略加强导致的编译失败
From: @hugel 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2024-03-25 12:36:04 +00:00
gengqihu
f71b64cacf fix build error 2024-03-25 19:42:27 +08:00
openeuler-ci-bot
656662f85f
!229 回合上游社区补丁
From: @qsw333 
Reviewed-by: @jinlun123123, @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2023-08-24 06:07:10 +00:00
qsw33
703c655d68 merge patch 2023-08-24 11:33:18 +08:00
openeuler-ci-bot
463e0446fe
!226 回合selinux-policy 上游社区补丁
From: @huangzq6 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2023-07-28 10:03:54 +00:00
寒江舟
847ef0e6e4
update selinux-policy.spec to remove superfluous patchs
Signed-off-by: 寒江舟 <huangzhenqiang2@huawei.com>
2023-07-28 09:40:50 +00:00
huangzq6
a3fff401b2 backport some selinux-policy upstream patches 2023-07-28 16:45:00 +08:00
openeuler-ci-bot
218547cfaf
!221 回合上有社区补丁
From: @zcfsite 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2023-07-03 02:04:11 +00:00
zcfsite
70654a7719 backport upstream patches 2023-06-30 17:29:07 +08:00
openeuler-ci-bot
7cb24d4355
!219 [sync] PR-218: add avc rules for cloud-init
From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2023-06-13 07:08:19 +00:00
jinlun
93ebed86ac allow init_t create fifo file in net_conf dir.
(cherry picked from commit f1c44428051007fc1febc84a62a2bb089b434e8b)
2023-06-09 09:33:23 +08:00
88 changed files with 3216 additions and 1 deletions


@ -0,0 +1,25 @@
From b00033d4825cfc3ae9787c94ffa7e5408acf9a4b Mon Sep 17 00:00:00 2001
From: Huaxin Lu <luhuaxin1@huawei.com>
Date: Sun, 29 Jan 2023 00:36:01 +0800
Subject: [PATCH] allow init_t create fifo file in net_conf dir
Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
---
policy/modules/system/init.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8b84aa1..15b57a7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -872,6 +872,7 @@ optional_policy(`
optional_policy(`
sysnet_filetrans_cloud_net_conf(init_t)
+ manage_fifo_files_pattern(init_t, net_conf_t, net_conf_t)
')
optional_policy(`
--
2.33.0
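Review bot: The added `manage_fifo_files_pattern(init_t, net_conf_t, net_conf_t)` grants init_t create, read, write, rename, setattr and unlink on every net_conf_t FIFO, while the subject asks only for creating one. If the denial is satisfied by the narrower `create_fifo_files_pattern(init_t, net_conf_t, net_conf_t)` (or `rw_fifo_files_pattern` once the FIFO exists), that keeps init_t's reach over the network configuration directory smaller; worth checking against the original AVC before taking the full manage set. The optional_policy block is fully visible in the hunk.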


@ -0,0 +1,39 @@
From 0fda5d6c5ee12b642ab0f6b6503807a4731d17f4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 11 Nov 2022 15:11:18 +0100
Subject: [PATCH] Add domain_unix_read_all_semaphores() interface
---
policy/modules/kernel/domain.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 0e843721ba..2fa4393292 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -568,6 +568,25 @@ interface(`domain_kill_all_domains',`
allow $1 self:capability kill;
')
+########################################
+## <summary>
+## Allow unix_read all domains semaphores
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`domain_unix_read_all_semaphores',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ allow $1 domain:sem unix_read;
+')
+
########################################
## <summary>
## Destroy all domains semaphores


@ -0,0 +1,38 @@
From 1137f639bb3cb0b7257ffe8348abbd93882ce37b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 24 Aug 2022 18:49:25 +0200
Subject: [PATCH] Add gpg_filetrans_admin_home_content() interface
---
policy/modules/contrib/gpg.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 55fbfd996e..6e5aa43576 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -281,6 +281,24 @@ interface(`gpg_filetrans_home_content',`
userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
')
+########################################
+## <summary>
+## Transition to gpg named admin home content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gpg_filetrans_admin_home_content',`
+ gen_require(`
+ type gpg_secret_t;
+ ')
+
+ userdom_admin_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
+
########################################
## <summary>
## Connected to gpg_agent_t unix stream socket.


@ -0,0 +1,39 @@
From 972e4dbcdf87067924239db5dcc89a099298700c Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Mon, 7 Nov 2022 15:20:12 +0100
Subject: [PATCH] Add interface to watch all filesystems
Resolves: rhbz#2139363
---
policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index d7645a534f..918bf32963 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -6426,6 +6426,24 @@ interface(`fs_unmount_all_fs',`
allow $1 filesystem_type:filesystem unmount;
')
+########################################
+## <summary>
+## Watch all filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_watch_all_fs',`
+ gen_require(`
+ attribute filesystem_type;
+ ')
+
+ allow $1 filesystem_type:filesystem watch;
+')
+
########################################
## <summary>
## Get the attributes of all filesystems.


@ -0,0 +1,32 @@
From ec3ee928067bfde035d3e66a936bc761f9e4b25d Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 3 Feb 2023 17:20:51 +0100
Subject: [PATCH] Add journalctl the sys_resource capability
The journalctl command runs in the journalctl_t domain when executed by
a confined user (user, staff, sysadm). When is invoked with pager,
prctl() is called to change the process name.
Addresses the following AVC denial:
type=PROCTITLE msg=audit(02/02/2023 12:55:12.623:1405) : proctitle=(pager)
type=SYSCALL msg=audit(02/02/2023 12:55:12.623:1405) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x8 a2=0x7fd1a3f52000 a3=0x0 items=0 ppid=25495 pid=25516 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=39 comm=(pager) exe=/usr/bin/journalctl subj=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/02/2023 12:55:12.623:1405) : avc: denied { sys_resource } for pid=25516 comm=(pager) capability=sys_resource scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=capability permissive=1
Resolves: rhbz#2136189
---
policy/modules/contrib/journalctl.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/journalctl.te b/policy/modules/contrib/journalctl.te
index 5b4329c800..b22b6a7130 100644
--- a/policy/modules/contrib/journalctl.te
+++ b/policy/modules/contrib/journalctl.te
@@ -18,6 +18,7 @@ role journalctl_roles types journalctl_t;
#
# journalctl local policy
#
+allow journalctl_t self:capability sys_resource;
allow journalctl_t self:process { fork setrlimit signal_perms };
allow journalctl_t self:fifo_file manage_fifo_file_perms;
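Review bot: The new `allow journalctl_t self:capability sys_resource;` is justified by an AVC captured with `permissive=1`, which shows the prctl(PR_SET_MM) call was attempted but not that the pager fails when it is refused. If journalctl degrades gracefully on EPERM here, a `dontaudit journalctl_t self:capability sys_resource;` would quiet the log without widening a domain that confined users (user, staff, sysadm) reach; confirming the behaviour on an enforcing system before granting the capability seems worthwhile. The surrounding journalctl_t rules continue outside the hunk.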


@ -0,0 +1,131 @@
From 7367896085db099d956d666b94601fa9fc9df92a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 1 Jun 2022 12:55:02 +0200
Subject: [PATCH] Add support for samba-dcerpcd
New samba-dcerpcd binary is shipped with samba-4.16 (refer to
https://www.samba.org/samba/history/samba-4.16.0.html) to break out
the DCERPC services from smbd. samba-dcerpcd can be invoked on demand
from smbd or "winbind --np-helper" to serve DCERPC over named pipes,
or in a standalone mode, started separately from smbd or winbind,
but this requires changes to system startup scripts.
This commit bring SELinux support for the breakout with a new
winbind_rpcd_t type.
Resolves: rhbz#2083511
---
policy/modules/contrib/samba.fc | 3 +++
policy/modules/contrib/samba.if | 19 +++++++++++++
policy/modules/contrib/samba.te | 47 +++++++++++++++++++++++++++++++++
3 files changed, 69 insertions(+)
diff --git a/policy/modules/contrib/samba.fc b/policy/modules/contrib/samba.fc
index a93346efee..873b3091b8 100644
--- a/policy/modules/contrib/samba.fc
+++ b/policy/modules/contrib/samba.fc
@@ -18,6 +18,9 @@
/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
/usr/lib/systemd/system/winbind.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
+/usr/libexec/samba/rpcd_lsad -- gen_context(system_u:object_r:winbind_rpcd_exec_t,s0)
+/usr/libexec/samba/samba-dcerpcd -- gen_context(system_u:object_r:winbind_rpcd_exec_t,s0)
+
/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
index 0366038a90..80244a4360 100644
--- a/policy/modules/contrib/samba.if
+++ b/policy/modules/contrib/samba.if
@@ -1080,3 +1080,22 @@ interface(`samba_admin',`
admin_pattern($1, samba_unit_file_t)
allow $1 samba_unit_file_t:service all_service_perms;
')
+
+########################################
+## <summary>
+## Execute winbind rpcd in the winbind_rpcd_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_winbind_rpcd',`
+ gen_require(`
+ type winbind_rpcd_t, winbind_rpcd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, winbind_rpcd_exec_t, winbind_rpcd_t)
+')
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 60767f430f..03b49cba42 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -176,9 +176,17 @@ role system_r types winbind_helper_t;
type winbind_helper_exec_t;
domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
+type winbind_rpcd_t;
+type winbind_rpcd_exec_t;
+application_domain(winbind_rpcd_t, winbind_rpcd_exec_t)
+role system_r types winbind_rpcd_t;
+
type winbind_log_t;
logging_log_file(winbind_log_t)
+type winbind_rpcd_var_run_t;
+files_pid_file(winbind_rpcd_var_run_t)
+
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
@@ -1151,6 +1159,45 @@ optional_policy(`
squid_rw_stream_sockets(winbind_helper_t)
')
+########################################
+#
+# Winbind-rpcd local policy
+#
+
+allow winbind_rpcd_t self:capability { setgid setuid };
+allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms;
+allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow winbind_rpcd_t self:udp_socket create_socket_perms;
+
+allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;
+
+read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t)
+
+manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)
+files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
+manage_dirs_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
+manage_sock_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
+
+manage_files_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
+
+manage_dirs_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
+manage_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
+manage_sock_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
+allow winbind_rpcd_t samba_var_t:file { map } ;
+
+corecmd_exec_bin(winbind_rpcd_t)
+
+optional_policy(`
+ auth_read_passwd_file(winbind_rpcd_t)
+')
+
+# interactions with smbd_t/winbind_t
+allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
+allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;
+
+samba_domtrans_winbind_rpcd(smbd_t)
+samba_domtrans_winbind_rpcd(winbind_t)
+
########################################
#
# samba_unconfined_script_t local policy
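Review bot: `files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })` lists `dir`, but the only access rule on winbind_rpcd_var_run_t in this hunk is `manage_files_pattern`, so a type transition for directories presumably still ends in a denial because nothing grants `dir create` on that type. If samba-dcerpcd creates its own runtime directory, add `manage_dirs_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)`; if it only creates files there, drop `dir` from the filetrans. As a point of style, `allow winbind_rpcd_t samba_var_t:file { map } ;` carries a stray space before the semicolon and braces around a single permission; `allow winbind_rpcd_t samba_var_t:file map;` matches the rest of the block.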


@ -0,0 +1,38 @@
From 0d41bd657e613657b01f75645b6168cf5987e387 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 23 Jun 2022 20:49:49 +0200
Subject: [PATCH] Add the kernel_read_proc_files() interface
---
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 75623cf38f..8a83ed511d 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -1112,6 +1112,24 @@ interface(`kernel_getattr_proc_files',`
getattr_files_pattern($1, proc_t, proc_t)
')
+########################################
+## <summary>
+## Read generic files in /proc.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_read_proc_files',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ read_files_pattern($1, proc_t, proc_t)
+')
+
########################################
## <summary>
## Read generic symbolic links in /proc.


@ -0,0 +1,38 @@
From e37087d58b6422d0d90e321d9172cf396186fa46 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 24 Aug 2022 15:47:25 +0200
Subject: [PATCH] Add userdom_view_all_users_keys() interface
---
policy/modules/system/userdomain.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 97c27a957a..d23f2ce305 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4811,6 +4811,24 @@ interface(`userdom_read_all_users_keys',`
allow $1 userdomain:key read;
')
+########################################
+## <summary>
+## View keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_view_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key view;
+')
+
########################################
## <summary>
## Write keys for all user domains.


@ -0,0 +1,64 @@
From 01197e1c606be4b55b1b0551c8f8856bcb8c13f8 Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Thu, 3 Nov 2022 11:27:49 +0100
Subject: [PATCH] Add watch interfaces
Add interfacecs that allow watch filesystem.
---
policy/modules/kernel/filesystem.if | 36 +++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 2c1fdd7150..bb2f077f6d 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -264,6 +264,24 @@ interface(`fs_relabelfrom_xattr_fs',`
allow $1 fs_t:filesystem relabelfrom;
')
+########################################
+## <summary>
+## Watch filesystem with extended attributes
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_watch_xattr_fs',`
+ gen_require(`
+ type fs_t;
+ ')
+
+ allow $1 fs_t:filesystem watch;
+')
+
########################################
## <summary>
## Get the filesystem quotas of a filesystem
@@ -5274,6 +5292,24 @@ interface(`fs_mount_tmpfs',`
allow $1 tmpfs_t:filesystem mount;
')
+########################################
+## <summary>
+## Watch a tmpfs filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_watch_tmpfs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:filesystem watch;
+')
+
########################################
## <summary>
## Dontaudit remount a tmpfs filesystem.


@ -0,0 +1,155 @@
From a65d7a6e589268afc80c871450423c82aeab530a Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Thu, 3 Nov 2022 11:33:59 +0100
Subject: [PATCH] Add watch_sb interfaces
Add interafaces that allow watch_sb user temporary directories,
tmpfs directories, boot and root directories.
Create watch_sb_dirs_pattern and watch_sb_dir_perms
---
policy/modules/kernel/files.if | 36 +++++++++++++++++++++++++++++
policy/modules/kernel/filesystem.if | 18 +++++++++++++++
policy/modules/system/userdomain.if | 18 +++++++++++++++
policy/support/file_patterns.spt | 4 ++++
policy/support/obj_perm_sets.spt | 1 +
5 files changed, 77 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 046db519bb..eb9e6e032c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2560,6 +2560,24 @@ interface(`files_write_root_dirs',`
allow $1 root_t:dir write;
')
+########################################
+## <summary>
+## Watch_sb root directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_watch_sb_root_dirs', `
+ gen_require(`
+ type root_t;
+ ')
+
+ watch_sb_dirs_pattern($1, root_t, root_t)
+')
+
########################################
## <summary>
## Do not audit attempts to write to / dirs.
@@ -3089,6 +3107,24 @@ interface(`files_watch_boot_dirs',`
allow $1 boot_t:dir watch_dir_perms;
')
+########################################
+## <summary>
+## Watch_sb boot directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_watch_sb_boot_dirs', `
+ gen_require(`
+ type boot_t;
+ ')
+
+ watch_sb_dirs_pattern($1, boot_t, boot_t)
+')
+
########################################
## <summary>
## Watch_mount directories in /boot.
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index bb2f077f6d..d7645a534f 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -5400,6 +5400,24 @@ interface(`fs_mounton_tmpfs', `
allow $1 tmpfs_t:dir mounton;
')
+########################################
+## <summary>
+## Watch_sb tmpfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_watch_sb_tmpfs', `
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ watch_sb_dirs_pattern($1, tmpfs_t, tmpfs_t)
+')
+
########################################
## <summary>
## Get the attributes of a tmpfs
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e8817429b2..62bc19c654 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -347,6 +347,24 @@ interface(`userdom_watch_tmp_dirs',`
watch_dirs_pattern($1, user_tmp_t, user_tmp_t)
')
+#######################################
+## <summary>
+## Watch_sb user temporary directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_watch_sb_tmp_dirs',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
+ watch_sb_dirs_pattern($1, user_tmp_t, user_tmp_t)
+')
+
#######################################
## <summary>
## Watch_mount user temporary directories
diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
index c832c0dab0..57581a8573 100644
--- a/policy/support/file_patterns.spt
+++ b/policy/support/file_patterns.spt
@@ -88,6 +88,10 @@ define(`watch_reads_dirs_pattern',`
allow $1 $2:dir search_dir_perms;
allow $1 $3:dir watch_reads_dir_perms;
')
+define(`watch_sb_dirs_pattern',`
+ allow $1 $2:dir search_dir_perms;
+ allow $1 $3:dir watch_sb_dir_perms;
+')
define(`watch_with_perm_dirs_pattern',`
allow $1 $2:dir search_dir_perms;
allow $1 $3:dir watch_with_perm_dir_perms;
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 85283eb1e5..c76a77fac9 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -149,6 +149,7 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
define(`watch_dir_perms',`{ getattr watch }')
define(`watch_mount_dir_perms',`{ getattr watch_mount }')
define(`watch_reads_dir_perms',`{ getattr watch_reads }')
+define(`watch_sb_dir_perms',`{ getattr watch_sb }')
define(`watch_with_perm_dir_perms',`{ getattr watch_with_perm }')
#
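Review bot: The interface headers for files_watch_sb_root_dirs, files_watch_sb_boot_dirs and fs_watch_sb_tmpfs put a space between the comma and the opening quote, unlike the neighbouring existing headers (files_watch_boot_dirs, fs_mounton_tmpfs aside) and the userdom_watch_sb_tmp_dirs header added in the same patch. m4 discards that leading whitespace, so the policy compiles either way, but the files' convention is no space and the inconsistency shows up in every later grep for `interface(`. Dropping the space in the three hunks in files.if and filesystem.if would make the new interfaces uniform.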


@ -0,0 +1,37 @@
From 480a1932eff8ba74e9373c1e7ba9a9d5f8c2d559 Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Mon, 10 Oct 2022 16:45:20 +0200
Subject: [PATCH] Add winbind-rpcd to samba_enable_home_dirs boolean
Update samba_enable_home_dirs boolean to Allow winbind-rpcd to share users home directories.
SELinux denials appeared, when users configured home directory share in the smb.conf.
type=AVC msg=audit(1661934914.346:360): avc: denied { read } for pid=4587 comm="samba-dcerpcd" path="/home/xx/Documents/xx" dev="dm-2" ino=21627745 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
Resolves: bz#2122904
---
policy/modules/contrib/samba.te | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 227c22516d..2280531046 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -40,7 +40,7 @@ gen_tunable(samba_portmapper, false)
## <desc>
## <p>
-## Allow samba to share users home directories.
+## Allow samba and winbind-rpcd to share users home directories.
## </p>
## </desc>
gen_tunable(samba_enable_home_dirs, false)
@@ -475,6 +475,7 @@ tunable_policy(`samba_domain_controller',`
tunable_policy(`samba_enable_home_dirs',`
userdom_manage_user_home_content(smbd_t)
+ userdom_manage_user_home_content(winbind_rpcd_t)
')
optional_policy(`


@ -0,0 +1,22 @@
From 63ba7c49db91e64e2a37c4d4c58959dd2d9c1c89 Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Mon, 10 Oct 2022 11:45:30 +0200
Subject: [PATCH] Allow aide to connect to systemd_machined with a unix socket.
Resolves: bz#2062936
---
policy/modules/contrib/aide.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/aide.te b/policy/modules/contrib/aide.te
index 05ae4ad2ed..670aa96f8b 100644
--- a/policy/modules/contrib/aide.te
+++ b/policy/modules/contrib/aide.te
@@ -64,6 +64,7 @@ optional_policy(`
')
optional_policy(`
+ systemd_machined_stream_connect(aide_t)
systemd_userdbd_stream_connect(aide_t)
')


@ -0,0 +1,30 @@
From d38bb2e165ea780ef87588c1fdf1af23b6d332bf Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 3 Jan 2023 20:04:50 +0100
Subject: [PATCH] Allow apcupsd dbus chat with systemd-logind
The permission is required in case of a power outage when apcupsd wants
to initiate a shutdown.
Addresses the following USER_AVC denial:
Dec 29 08:41:25 hostname audit[516]: USER_AVC pid=516 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:apcupsd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=0#012 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'
Resolves: rhbz#2157175
---
policy/modules/contrib/apcupsd.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/apcupsd.te b/policy/modules/contrib/apcupsd.te
index 4ea8ba6f87..49ecadfc7c 100644
--- a/policy/modules/contrib/apcupsd.te
+++ b/policy/modules/contrib/apcupsd.te
@@ -112,6 +112,8 @@ logging_send_syslog_msg(apcupsd_t)
sysnet_dns_name_resolve(apcupsd_t)
+systemd_dbus_chat_logind(apcupsd_t)
+
userdom_use_inherited_user_ttys(apcupsd_t)
optional_policy(`


@ -0,0 +1,26 @@
From 822a150f673b5d376d077777d0bb41cbd3352c6b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 22 Aug 2022 12:44:49 +0200
Subject: [PATCH] Allow chronyc read and write generic pty type
Addresses the following AVC denial:
type=PROCTITLE msg=audit(22.08.2022 11:35:41.535:261) : proctitle=/usr/bin/chronyc sources
type=EXECVE msg=audit(22.08.2022 11:35:41.535:261) : argc=2 a0=/usr/bin/chronyc a1=sources
type=SYSCALL msg=audit(22.08.2022 11:35:41.535:261) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffeb8105f8f a1=0x7ffeb81049e8 a2=0x7ffeb8104a00 a3=0x8 items=0 ppid=3294 pid=3295 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chronyc exe=/usr/bin/chronyc subj=system_u:system_r:chronyc_t:s0 key=(null)
type=AVC msg=audit(22.08.2022 11:35:41.535:261) : avc: denied { read write } for pid=3295 comm=chronyc path=/dev/pts/1 dev="devpts" ino=4 scontext=system_u:system_r:chronyc_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
---
policy/modules/contrib/chronyd.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 342735bc0c..3c69b3ddd6 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -237,3 +237,7 @@ userdom_users_dgram_send(chronyc_t)
optional_policy(`
nscd_shm_use(chronyc_t)
')
+
+optional_policy(`
+ term_use_generic_ptys(chronyc_t)
+')


@ -0,0 +1,35 @@
From b876228279a2e75b59a180ee876956aebb167376 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 22 Aug 2022 10:41:49 +0200
Subject: [PATCH] Allow chronyd send and receive chronyd/ntp client packets
These permissions are required when packets tagging following
/usr/share/doc/nftables/examples/secmark.nft is enabled.
Addresses the following AVC denial:
type=AVC msg=audit(1661030515.019:1079): avc: denied { send } for pid=973 comm="chronyd" saddr=10.224.122.55 src=51686 daddr=10.25.28.124 dest=123 netif=eth0 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:ntp_client_packet_t:s0 tclass=packet permissive=0
and a similar one for chronyd_client_packet_t.
Resolves: rhbz#2120016
---
policy/modules/contrib/chronyd.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 165e311002..16ce14d97b 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -106,10 +106,12 @@ corenet_udp_sendrecv_generic_node(chronyd_t)
corenet_udp_bind_generic_node(chronyd_t)
corenet_sendrecv_ntp_server_packets(chronyd_t)
+corenet_sendrecv_ntp_client_packets(chronyd_t)
corenet_udp_bind_ntp_port(chronyd_t)
corenet_udp_sendrecv_ntp_port(chronyd_t)
corenet_sendrecv_chronyd_server_packets(chronyd_t)
+corenet_sendrecv_chronyd_client_packets(chronyd_t)
corenet_udp_bind_chronyd_port(chronyd_t)
corenet_udp_sendrecv_chronyd_port(chronyd_t)


@ -0,0 +1,23 @@
From 9cb8de3f5d06e2624d728b97ab23d08321b0ad9a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 30 Jun 2022 00:31:16 +0200
Subject: [PATCH] Allow cups-lpd read network sysctls
Addresses the following AVC denial:
type=AVC msg=audit(06/29/2022 20:27:06.595:8551) : avc: denied { search } for pid=119379 comm=cups-lpd name=net dev="proc" ino=14928 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
---
policy/modules/contrib/cups.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 4f8958d1e0..34618c2d5d 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -562,6 +562,7 @@ read_sock_files_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t)
stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
+kernel_read_net_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
corenet_all_recvfrom_netlabel(cupsd_lpd_t)


@ -0,0 +1,26 @@
From 72220928592011263bc7e0ed291f33ca3560283d Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 23 Jun 2022 15:34:01 +0200
Subject: [PATCH] Allow cups-lpd read network sysctls
Addresses the following AVC denial:
type=PROCTITLE msg=audit(05/18/2022 19:31:33.481:8879) : proctitle=/usr/lib/cups/daemon/cups-lpd
type=PATH msg=audit(05/18/2022 19:31:33.481:8879) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(05/18/2022 19:31:33.481:8879) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fff5c8c3290 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=124314 auid=unset uid=lp gid=lp euid=lp suid=lp fsuid=lp egid=lp sgid=lp fsgid=lp tty=(none) ses=unset comm=cups-lpd exe=/usr/lib/cups/daemon/cups-lpd subj=system_u:system_r:cupsd_lpd_t:s0 key=(null)
type=AVC msg=audit(05/18/2022 19:31:33.481:8879) : avc: denied { search } for pid=124314 comm=cups-lpd name=net dev="proc" ino=14920 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
---
policy/modules/contrib/cups.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
index 622702ddfe..4f8958d1e0 100644
--- a/policy/modules/contrib/cups.te
+++ b/policy/modules/contrib/cups.te
@@ -647,6 +647,7 @@ files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { dir file })
fs_search_auto_mountpoints(cups_pdf_t)
+kernel_read_net_sysctls(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
auth_use_nsswitch(cups_pdf_t)
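Review bot: The patch subject `Allow cups-lpd read network sysctls` does not describe this hunk, which adds `kernel_read_net_sysctls(cups_pdf_t)` for the cups_pdf_t domain; the preceding patch with the identical subject is the one that changes cupsd_lpd_t. The subject looks carried over from that patch, and the PROCTITLE/PATH lines quoted above also name cups-lpd rather than cups-pdf, so the two files are hard to tell apart in the spec and in git log. Naming cups-pdf in this patch's subject (and in the spec's patch comment, if any) would keep the backport history readable.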


@ -0,0 +1,22 @@
From 193883f3bcfb64143f5ae6754021d0f4d7bfa16d Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Thu, 27 Oct 2022 15:06:35 +0200
Subject: [PATCH] Allow dhcpd bpf capability to run bpf programs
Resolves: rhbz#2134827
---
policy/modules/contrib/dhcp.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
index dab0abe4cb..67c865926b 100644
--- a/policy/modules/contrib/dhcp.te
+++ b/policy/modules/contrib/dhcp.te
@@ -39,6 +39,7 @@ files_pid_file(dhcpd_var_run_t)
allow dhcpd_t self:capability { chown dac_read_search dac_override fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource };
dontaudit dhcpd_t self:capability { net_admin sys_admin sys_tty_config };
+allow dhcpd_t self:capability2 bpf;
allow dhcpd_t self:process { getcap setcap signal_perms };
allow dhcpd_t self:fifo_file rw_fifo_file_perms;
allow dhcpd_t self:tcp_socket { accept listen };
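Review bot: `allow dhcpd_t self:capability2 bpf;` grants the capability, but on policies that define the `bpf` object class, loading and running a program also needs class permissions on the domain itself, e.g. `allow dhcpd_t self:bpf { map_create map_read map_write prog_load prog_run };`. If the denial behind rhbz#2134827 was the capability alone this is sufficient, otherwise a follow-up AVC with `tclass=bpf` is likely once the capability check passes. The same consideration applies to the fprintd change (`{ bpf wake_alarm }`) in a later section, which cites the same bug.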


@ -0,0 +1,29 @@
From 8479a8400fe1b7583814356e74e9cf1c35da1dd9 Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Thu, 27 Oct 2022 16:34:31 +0200
Subject: [PATCH] Allow dirsrv_snmp_t to manage dirsrv_config_t &
dirsrv_var_run_t files
Allow LDAP-agent to manage files in directories /etc/dirsrv/ and /var/run/dirsrv.
Resolves: rhbz#2042515
---
policy/modules/contrib/dirsrv.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/dirsrv.te b/policy/modules/contrib/dirsrv.te
index feeea4467f..9865382c87 100644
--- a/policy/modules/contrib/dirsrv.te
+++ b/policy/modules/contrib/dirsrv.te
@@ -189,9 +189,9 @@ allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
-read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
-read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
+manage_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
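Review bot: Widening `read_files_pattern` to `manage_files_pattern` on dirsrv_config_t lets the SNMP subagent create, write, rename and unlink any file under /etc/dirsrv, i.e. the directory server's own configuration rather than just whatever state the agent maintains. The commit text names the directories but not the files involved; if the agent writes a specific file, a dedicated type with a filetrans rule, or `rw_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)` when the files already exist, would keep the server configuration otherwise read-only to dirsrv_snmp_t. The matching change on dirsrv_var_run_t is less sensitive, as that type holds runtime state.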


@ -0,0 +1,25 @@
From 0b67d4d4f01428ebf80f2b695c970a27ed620b03 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 31 May 2023 08:54:38 +0200
Subject: [PATCH] Allow exim read network sysctls
The commit addresses the following AVC denial:
type=AVC msg=audit(1685423685.876:788): avc: denied { search } for pid=41331 comm="exim" name="net" dev="proc" ino=736304 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
Resolves: rhbz#2211025
---
policy/modules/contrib/exim.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
index 6e6792b06d..8ca4e25045 100644
--- a/policy/modules/contrib/exim.te
+++ b/policy/modules/contrib/exim.te
@@ -104,6 +104,7 @@ can_exec(exim_t, exim_exec_t)
kernel_read_crypto_sysctls(exim_t)
kernel_read_kernel_sysctls(exim_t)
+kernel_read_net_sysctls(exim_t)
kernel_read_network_state(exim_t)
kernel_read_system_state(exim_t)


@ -0,0 +1,23 @@
From d3a62f953b580565068ada2f73968ccaaab80a7f Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Thu, 27 Oct 2022 14:04:55 +0200
Subject: [PATCH] Allow fprintd bpf capability to run bpf programs
Resolves: rhbz#2134827
---
policy/modules/contrib/fprintd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/fprintd.te b/policy/modules/contrib/fprintd.te
index 7826990a3d..7a48e69eb4 100644
--- a/policy/modules/contrib/fprintd.te
+++ b/policy/modules/contrib/fprintd.te
@@ -22,7 +22,7 @@ files_tmp_file(fprintd_tmp_t)
#
allow fprintd_t self:capability { sys_admin sys_nice };
-allow fprintd_t self:capability2 wake_alarm;
+allow fprintd_t self:capability2 { bpf wake_alarm };
allow fprintd_t self:process { getsched setsched signal sigkill };
allow fprintd_t self:fifo_file rw_fifo_file_perms;
allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;
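Review bot: `+allow fprintd_t self:capability2 { bpf wake_alarm };` is broader than the commit justifies: no AVC is quoted, and the hunk adds no `bpf` object-class permissions (`prog_load`, `map_create`), so fprintd_t still cannot actually load eBPF programs with it. The `netlink_kobject_uevent_socket` rule on the next line suggests the daemon uses libudev, which attaches a classic socket filter to the uevent socket; on that path the kernel only probes CAP_BPF to decide whether to blind JIT constants and proceeds either way, so the denial would be harmless noise — presumably what rhbz#2134827 tracks, to be confirmed against the actual denial. If so, `dontaudit fprintd_t self:capability2 bpf;` silences it without handing CAP_BPF to a device-facing daemon; if fprintd really loads programs, the message should quote the AVC and the matching `self:bpf` rules belong in the same commit.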


@ -0,0 +1,22 @@
From 58294166420c372e9788b9c0308b1240dbad0c60 Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Thu, 6 Oct 2022 18:30:58 +0200
Subject: [PATCH] Allow ftpd map ftpd_var_run files
Resolves: bz#2124943
---
policy/modules/contrib/ftp.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
index ad80f16496..5edd00839f 100644
--- a/policy/modules/contrib/ftp.te
+++ b/policy/modules/contrib/ftp.te
@@ -161,6 +161,7 @@ manage_fifo_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_sock_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+allow ftpd_t ftpd_var_run_t:file map;
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)


@ -0,0 +1,21 @@
From 0df5ce75a40e9bfe51995d7b11dd9441c9061a1f Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 24 Aug 2022 13:49:23 +0200
Subject: [PATCH] Allow gpg read and write generic pty type
---
policy/modules/contrib/gpg.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 7f96408265..24ce9b7915 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -156,6 +156,7 @@ logging_send_syslog_msg(gpg_t)
miscfiles_map_generic_certs(gpg_t)
term_search_ptys(gpg_t)
+term_use_generic_ptys(gpg_t)
userdom_use_inherited_user_terminals(gpg_t)
# sign/encrypt user files
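Review bot: No denial is quoted for `+term_use_generic_ptys(gpg_t)`, and the interface grants read/write on generic devpts_t pseudo-terminals, not only the caller's own terminal, which `userdom_use_inherited_user_terminals(gpg_t)` on the following line already covers. Since gpg_t handles private key material and pinentry interaction, the commit should state the scenario (a pty that was never relabelled to a user pty type, e.g. under a container or certain ssh setups is the usual one) and quote the AVC, so a reviewer can judge whether `term_dontaudit_use_generic_ptys(gpg_t)` would have sufficed. A one-line why-comment above the rule, e.g. `# gpg/pinentry on a generic (non-user) pty`, would also help the next maintainer.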


@ -0,0 +1,42 @@
From b9d573e4cd9dc7ca4283488e166e83250c434a63 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 13 Dec 2022 19:02:04 +0100
Subject: [PATCH] Allow journalctl relabel with var_log_t and syslogd_var_run_t
files
The journald service runs in the syslogd_t domain as well as syslog
daemons. When journal-offline wants to rotate journal files, which can
be in /var/log/journal or /run/log/journal, it modifies all extended
attributes, namely copy-on-write and security.selinux content, so
relabelfrom and relabelto permissions are needed.
Addresses the following AVC denial:
type=PROCTITLE msg=audit(1670904722.619:48): proctitle="/usr/lib/systemd/systemd-journald"
type=SYSCALL msg=audit(1670904722.619:48): arch=c00000b7 syscall=7 success=no exit=-13 a0=1d a1=ffffa0000b78 a2=ffffa0000e10 a3=27 items=0 ppid=1 pid=598 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="journal-offline" exe="/usr/lib/systemd/systemd-journald" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=AVC msg=audit(1670904722.619:48): avc: denied { relabelfrom } for pid=598 comm="journal-offline" name=".#system@1d25afdf416a40bb98bce9ac89ae6846-0000000000000001-0005efadd1f07135.journal941ddc8fc49c256a" dev="tmpfs" ino=1026 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=0
Resolves: rhbz#2075527
---
policy/modules/system/logging.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index d96d862f7c..34dd6aabe1 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -509,6 +509,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files.
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
+relabel_files_pattern(syslogd_t, var_log_t, var_log_t)
allow syslogd_t var_log_t:file map;
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
files_search_spool(syslogd_t)
@@ -533,6 +534,7 @@ files_search_var_lib(syslogd_t)
allow syslogd_t syslogd_var_run_t:dir watch_dir_perms;
manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+relabel_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
mmap_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })


@ -0,0 +1,22 @@
From f7ee387e69162a3e82cb328d42e6e308aa1ad752 Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Thu, 27 Oct 2022 14:21:32 +0200
Subject: [PATCH] Allow keepalived bpf capability to run bpf programs
Resolves: rhbz#2134827
---
policy/modules/contrib/keepalived.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/keepalived.te b/policy/modules/contrib/keepalived.te
index 0879eeb4ec..ff0b498188 100644
--- a/policy/modules/contrib/keepalived.te
+++ b/policy/modules/contrib/keepalived.te
@@ -38,6 +38,7 @@ files_tmpfs_file(keepalived_tmpfs_t)
#
allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setuid setgid sys_admin sys_nice sys_ptrace };
+allow keepalived_t self:capability2 bpf;
allow keepalived_t self:process { signal_perms getpgid setpgid setsched };
allow keepalived_t self:icmp_socket create_socket_perms;
allow keepalived_t self:netlink_socket create_socket_perms;


@ -0,0 +1,30 @@
From f8f11f18a9473614c47b0a35d27f5be11c954e5b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 27 Jun 2022 13:28:39 +0200
Subject: [PATCH] Allow keepalived read the contents of the sysfs filesystem
Addresses the following AVC denial which is triggered on the keepalived
service start when it tries to read /sys/devices/system/cpu:
type=PROCTITLE msg=audit(06/17/2022 08:19:59.448:341) : proctitle=/usr/sbin/keepalived --dont-fork -D
type=PATH msg=audit(06/17/2022 08:19:59.448:341) : item=0 name=/sys/devices/system/cpu inode=39 dev=00:16 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(06/17/2022 08:19:59.448:341) : arch=x86_64 syscall=openat success=yes exit=12 a0=AT_FDCWD a1=0x7ff4be2afc3f a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=4449 pid=4451 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(06/17/2022 08:19:59.448:341) : avc: denied { read } for pid=4451 comm=keepalived name=cpu dev="sysfs" ino=39 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
Resolves: rhbz#2098130
---
policy/modules/contrib/keepalived.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/keepalived.te b/policy/modules/contrib/keepalived.te
index 8b5ca7171a..0879eeb4ec 100644
--- a/policy/modules/contrib/keepalived.te
+++ b/policy/modules/contrib/keepalived.te
@@ -81,6 +81,7 @@ corenet_tcp_connect_squid_port(keepalived_t)
domain_read_all_domains_state(keepalived_t)
domain_getattr_all_domains(keepalived_t)
+dev_read_sysfs(keepalived_t)
dev_read_urand(keepalived_t)
files_dontaudit_mounton_rootfs(keepalived_var_run_t)


@ -0,0 +1,28 @@
From 59844c55226997c854bd82ac0f4b3e4df3da8fea Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Thu, 15 Dec 2022 12:10:58 +0100
Subject: [PATCH] Allow keepalived to set resource limits
Addresses the following AVC denial:
type=PROCTITLE msg=audit(12/06/2022 06:01:28.343:362) : proctitle=/usr/sbin/keepalived --dont-fork -D
type=SYSCALL msg=audit(12/06/2022 06:01:28.343:362) : arch=x86_64 syscall=prlimit64 success=no exit=EACCES(Permission denied) a0=0x0 a1=0xf a2=0x7ffcac307690 a3=0x0 items=0 ppid=4738 pid=4740 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=keepalived exe=/usr/sbin/keepalived subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(12/06/2022 06:01:28.343:362) : avc: denied { setrlimit } for pid=4740 comm=keepalived scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=process permissive=0
Resolves: rhbz#2151212
---
policy/modules/contrib/keepalived.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/keepalived.te b/policy/modules/contrib/keepalived.te
index ff0b498188..02170721c1 100644
--- a/policy/modules/contrib/keepalived.te
+++ b/policy/modules/contrib/keepalived.te
@@ -39,7 +39,7 @@ files_tmpfs_file(keepalived_tmpfs_t)
allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setuid setgid sys_admin sys_nice sys_ptrace };
allow keepalived_t self:capability2 bpf;
-allow keepalived_t self:process { signal_perms getpgid setpgid setsched };
+allow keepalived_t self:process { signal_perms getpgid setpgid setsched setrlimit };
allow keepalived_t self:icmp_socket create_socket_perms;
allow keepalived_t self:netlink_socket create_socket_perms;
allow keepalived_t self:netlink_generic_socket create_socket_perms;


@ -0,0 +1,27 @@
From f33bc79e172068ca4cb47281b8fcfc9f47840b61 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 22 May 2023 14:30:26 +0200
Subject: [PATCH] Allow kernel to manage its own BPF objects
Kernel threads may end up calling __sys_bpf(), which does the usual BPF
access checks, so make sure kernel_t is allowed to at least operate on
its own BPF fds.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2186595
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policy/modules/kernel/kernel.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index b86852812b..e0fcd2dff9 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -271,6 +271,7 @@ allow kernel_t self:unix_stream_socket connectto;
allow kernel_t self:fifo_file rw_fifo_file_perms;
allow kernel_t self:sock_file read_sock_file_perms;
allow kernel_t self:fd use;
+allow kernel_t self:bpf { map_create map_read map_write prog_load prog_run };
allow kernel_t debugfs_t:dir search_dir_perms;
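Review bot: `+allow kernel_t self:bpf { map_create map_read map_write prog_load prog_run };` is reasonable for kernel threads reaching __sys_bpf(), but kernel_t is also the initial SID kept by any process that started before the policy was loaded until it transitions, so the grant is not strictly limited to in-kernel callers; that deserves a why-comment above the rule, e.g. `# kernel threads may call __sys_bpf() on their own objects (rhbz#2186595); kernel_t also covers pre-policy-load processes`. The rule is self-only and adds no `prog_attach`, so the blast radius is the kernel's own maps and programs, which is consistent with the commit message.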


@ -0,0 +1,27 @@
From 150db8e78ff23e54c3a54fafaf597dd207518962 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 23 Jun 2022 09:55:35 +0200
Subject: [PATCH] Allow kpropd read network sysctls
Addresses the following AVC denial:
type=PROCTITLE msg=audit(06/23/2022 03:46:33.848:845) : proctitle=/usr/sbin/kpropd
type=PATH msg=audit(06/23/2022 03:46:33.848:845) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 inode=44028 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(06/23/2022 03:46:33.848:845) : cwd=/
type=SYSCALL msg=audit(06/23/2022 03:46:33.848:845) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffc7e5b8550 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=13730 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=kpropd exe=/usr/sbin/kpropd subj=system_u:system_r:kpropd_t:s0 key=(null)
type=AVC msg=audit(06/23/2022 03:46:33.848:845) : avc: denied { read } for pid=13730 comm=kpropd name=disable_ipv6 dev="proc" ino=44028 scontext=system_u:system_r:kpropd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
---
policy/modules/contrib/kerberos.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
index b4d3c3e7d4..0eecd224e3 100644
--- a/policy/modules/contrib/kerberos.te
+++ b/policy/modules/contrib/kerberos.te
@@ -369,6 +369,7 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
kernel_read_system_state(kpropd_t)
kernel_read_network_state(kpropd_t)
+kernel_read_net_sysctls(kpropd_t)
can_exec(kpropd_t,kpropd_exec_t)


@ -0,0 +1,22 @@
From d9ae9be30d67166caf9c5d6d3e0757317e5b49b9 Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Thu, 27 Oct 2022 14:22:31 +0200
Subject: [PATCH] Allow lldpad bpf capability to run bpf programs
Resolves: rhbz#2134827
---
policy/modules/contrib/lldpad.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/lldpad.te b/policy/modules/contrib/lldpad.te
index 075893cb9d..ffe3796484 100644
--- a/policy/modules/contrib/lldpad.te
+++ b/policy/modules/contrib/lldpad.te
@@ -27,6 +27,7 @@ systemd_mount_dir(lldpad_var_run_t)
#
allow lldpad_t self:capability { chown dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot sys_resource };
dontaudit lldpad_t self:capability { sys_admin };
+allow lldpad_t self:capability2 bpf;
allow lldpad_t self:shm create_shm_perms;
allow lldpad_t self:fifo_file rw_fifo_file_perms;
allow lldpad_t self:unix_stream_socket { accept connectto listen };


@ -0,0 +1,28 @@
From 14a208a78ed843964f8f79903d130760aa7a9a4e Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 5 Oct 2022 19:53:23 +0200
Subject: [PATCH] Allow login_userdomain dbus chat with rhsmcertd
Addresses the following USER_AVC denial:
type=USER_AVC msg=audit(1662423125.839:301): pid=896 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.RHSM1.Config member=GetAll dest=:1.386 spid=4090 tpid=2540 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Resolves: rhbz#2124388
---
policy/modules/system/userdomain.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 6502db7bf0..4f63e6f662 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -448,6 +448,10 @@ optional_policy(`
pkcs_tmpfs_named_filetrans(login_userdomain)
')
+optional_policy(`
+ rhsmcertd_dbus_chat(login_userdomain)
+')
+
optional_policy(`
rpc_watch_exports(login_userdomain)
')
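Review bot: `rhsmcertd_dbus_chat(login_userdomain)` is bidirectional and method-agnostic: it lets every login user domain (user_t, staff_t, …) send any D-Bus message to rhsmcertd_t and vice versa, while the quoted USER_AVC is a single read-only `GetAll` on `com.redhat.RHSM1.Config` from staff_t. After this change the only thing stopping an unprivileged user from invoking configuration-changing RHSM1 methods is rhsmcertd's own D-Bus/polkit policy, not SELinux, and that delegation should be made explicit next to the new block, e.g. `# bidirectional; per-method access control is delegated to rhsmcertd's D-Bus/polkit policy`. If only read access is intended, a send-only interface from login_userdomain to rhsmcertd_t would be the tighter choice.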


@ -0,0 +1,30 @@
From daca0f5683e2ed842c60d274f67fb0469afd3911 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 28 Apr 2023 17:30:22 +0200
Subject: [PATCH] Allow logrotate dbus chat with systemd-hostnamed
This denials appears when a service operating on a network is called
from logrotate to perform an action, like ejabber to reopen its logs
after logrotate finishes.
The commit addresses the following USER_AVC denial:
type=USER_AVC msg=audit(1676761204.161:9833): pid=543 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
Resolves: rhbz#2171294
---
policy/modules/contrib/logrotate.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index fdd9039f8c..24bc2e72f3 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -178,6 +178,7 @@ systemd_reload_all_services(logrotate_t)
systemd_status_all_unit_files(logrotate_t)
systemd_dbus_chat_logind(logrotate_t)
systemd_config_generic_services(logrotate_t)
+systemd_dbus_chat_hostnamed(logrotate_t)
init_stream_connect(logrotate_t)
init_reload_transient_unit(logrotate_t)


@ -0,0 +1,27 @@
From 293e78308264d844124f464683512193ec85e4c4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 31 Mar 2023 13:10:37 +0200
Subject: [PATCH] Allow logwatch_mail_t read network sysctls
Addresses the following AVC denial:
type=AVC msg=audit(1680192422.976:513): avc: denied { open } for pid=9788 comm="sendmail" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=33052 scontext=system_u:system_r:logwatch_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
Resolves: rhbz#2208763
---
policy/modules/contrib/logwatch.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index 42b322fb77..ea6db46809 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -198,6 +198,8 @@ manage_files_pattern(logwatch_mail_t, logwatch_cache_t, logwatch_cache_t)
manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
+kernel_read_net_sysctls(logwatch_mail_t)
+
dev_read_rand(logwatch_mail_t)
dev_read_urand(logwatch_mail_t)
dev_read_sysfs(logwatch_mail_t)


@ -0,0 +1,31 @@
From 245ab868b3c2ed9330196f728020c5bdb20b5dff Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Thu, 27 Oct 2022 14:59:49 +0200
Subject: [PATCH] Allow netutils and traceroute bpf capability to run bpf
programs
Resolves: rhbz#2134827
---
policy/modules/admin/netutils.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index c9526d2b92..312b047edc 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -35,6 +35,7 @@ init_system_domain(traceroute_t, traceroute_exec_t)
# Perform network administration operations and have raw access to the network.
allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot setpcap };
dontaudit netutils_t self:capability { sys_admin sys_tty_config };
+allow netutils_t self:capability2 bpf;
allow netutils_t self:process { setcap signal_perms };
allow netutils_t self:netlink_generic_socket create_socket_perms;
allow netutils_t self:netlink_rdma_socket create_socket_perms;
@@ -214,6 +215,7 @@ optional_policy(`
allow traceroute_t self:capability { net_admin net_raw setuid setgid };
dontaudit traceroute_t self:capability { sys_admin };
+allow traceroute_t self:capability2 bpf;
allow traceroute_t self:netlink_generic_socket create_socket_perms;
allow traceroute_t self:netlink_rdma_socket create_socket_perms;
allow traceroute_t self:rawip_socket create_socket_perms;
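Review bot: `+allow netutils_t self:capability2 bpf;` and `+allow traceroute_t self:capability2 bpf;` extend CAP_BPF to domains ordinary users enter by running ping/traceroute, and no AVC is quoted. Both domains already hold net_raw and use raw sockets, and ping-style tools typically attach a classic socket filter (SO_ATTACH_FILTER); on that path the kernel only probes CAP_BPF to decide on JIT constant blinding and continues regardless, so the denial is presumably cosmetic and `dontaudit` on both domains would likely close it without granting the capability — to be confirmed from the denial in rhbz#2134827. The check only bites when the process actually holds CAP_BPF (e.g. when run by root), so the commit should say which invocation produced it.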


@ -0,0 +1,32 @@
From 0e9856f3cd11af60445ccf12cd59d35662a7e9a2 Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Mon, 1 Aug 2022 16:08:08 +0200
Subject: [PATCH] Allow networkmanager to signal unconfined process
During kernel selftests, teamd - running in NetworkManager_t domain, checks if teamd instance is started externally.
Teamd is a daemon to control a given team network device and when started from command line, it runs in the caller domain - unconfined_t.
time->Fri Apr 8 11:01:16 2022
type=PROCTITLE msg=audit(1649430076.436:6807): proctitle=2F7573722F62696E2F7465616D64002D6B002D74006C6167
type=SYSCALL msg=audit(1649430076.436:6807): arch=c000003e syscall=62 success=no exit=-13 a0=1ad7f5 a1=f a2=0 a3=7fbf0f5d6ac0 items=0 ppid=13470 pid=1759420 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="teamd" exe="/usr/bin/teamd" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1649430076.436:6807): avc: denied { signal } for pid=1759420 comm="teamd" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
Allow NetworkManager_t to send generic signals to the unconfined domain.
Fix: bz#2074414
---
policy/modules/contrib/networkmanager.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index a946bc060b..c827f40785 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -532,6 +532,7 @@ optional_policy(`
optional_policy(`
unconfined_dgram_send(NetworkManager_t)
+ unconfined_signal(NetworkManager_t)
')
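Review bot: `+ unconfined_signal(NetworkManager_t)` lets NetworkManager_t deliver any ordinary signal (the `signal` permission covers everything except sigkill, sigstop, sigchld and signull) to every unconfined_t process, not only the externally started teamd the message describes; the quoted syscall (kill with a1=0xf) shows teamd sending SIGTERM. SELinux cannot single out that one teamd instance while it runs in the caller's unconfined_t, so the breadth is hard to avoid, but it should at least carry a why-comment, e.g. `# teamd in NetworkManager_t terminates an externally started teamd running in the caller's domain (bz#2074414)`. Giving teamd its own domain would be the way to narrow this later.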


@ -0,0 +1,23 @@
From 991e1cd627e9dba1bb5a89ca87c90b2542453018 Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Thu, 27 Oct 2022 14:23:35 +0200
Subject: [PATCH] Allow pcscd bpf capability to run bpf programs
Resolves: rhbz#2134827
---
policy/modules/contrib/pcscd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pcscd.te b/policy/modules/contrib/pcscd.te
index d0d83da261..5b22ac8268 100644
--- a/policy/modules/contrib/pcscd.te
+++ b/policy/modules/contrib/pcscd.te
@@ -23,7 +23,7 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
allow pcscd_t self:capability { dac_read_search fsetid };
dontaudit pcscd_t self:capability { sys_admin };
-allow pcscd_t self:capability2 { wake_alarm };
+allow pcscd_t self:capability2 { bpf wake_alarm };
allow pcscd_t self:cap_userns sys_ptrace;
allow pcscd_t self:process { signal signull };
dontaudit pcscd_t self:process setsched;
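Review bot: `+allow pcscd_t self:capability2 { bpf wake_alarm };` grants CAP_BPF to a smart-card daemon with no AVC quoted and no `self:bpf` class rules, so it cannot be what lets pcscd "run bpf programs" as the subject claims. pcscd talks to readers through libusb/libudev, which attaches a classic socket filter to its uevent socket; there the kernel merely probes CAP_BPF for JIT blinding, so the denial is presumably harmless and `dontaudit pcscd_t self:capability2 bpf;` would be the conservative fix, matching the dontaudit style already used two lines up for sys_admin. This is inferred from the usual pcscd stack and should be checked against the denial in rhbz#2134827.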


@ -0,0 +1,22 @@
From 33f983cf633bbdfba33958ee313f469b869f3c30 Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Thu, 27 Oct 2022 14:27:43 +0200
Subject: [PATCH] Allow pkcs_slotd_t bpf capability to run bpf programs
Resolves: rhbz#2134827
---
policy/modules/contrib/pkcs.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/pkcs.te b/policy/modules/contrib/pkcs.te
index 4eb8a50c83..babcc56f60 100644
--- a/policy/modules/contrib/pkcs.te
+++ b/policy/modules/contrib/pkcs.te
@@ -47,6 +47,7 @@ systemd_unit_file(pkcs_slotd_unit_file_t)
#
allow pkcs_slotd_t self:capability { fsetid kill chown };
+allow pkcs_slotd_t self:capability2 bpf;
allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms;
allow pkcs_slotd_t self:netlink_kobject_uevent_socket create_socket_perms;
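Review bot: `+allow pkcs_slotd_t self:capability2 bpf;` has no quoted denial and no accompanying `self:bpf` permissions, so the only thing it can be satisfying is a capable(CAP_BPF) probe rather than a real program load. The `netlink_kobject_uevent_socket` rule right below it suggests libudev, whose uevent socket filter triggers exactly such a probe (for JIT blinding) and works either way, in which case `dontaudit pkcs_slotd_t self:capability2 bpf;` is the safer form for a daemon whose capability set is otherwise just `{ fsetid kill chown }`. Please confirm from the denial in rhbz#2134827 before granting rather than silencing.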
allow pkcs_slotd_t self:sem create_sem_perms;

View File

@ -0,0 +1,40 @@
From 451140e4c1f0bb6d8df25d18d74e549a83f46e4a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 9 Aug 2022 16:56:21 +0200
Subject: [PATCH] Allow postfix/smtp and postfix/virtual read kerberos key
table
This permission is required when postfix is configured to use virtual
mailboxes and store data into postgresql database.
Resolves: rhbz#1983308
---
policy/modules/contrib/postfix.te | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index 5451023d79..c236828d0e 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -699,6 +699,10 @@ optional_policy(`
dspam_stream_connect(postfix_smtp_t)
')
+optional_policy(`
+ kerberos_read_keytab(postfix_smtp_t)
+')
+
optional_policy(`
milter_stream_connect_all(postfix_smtp_t)
')
@@ -776,6 +780,10 @@ userdom_manage_user_home_dirs(postfix_virtual_t)
userdom_manage_user_home_content(postfix_virtual_t)
userdom_filetrans_home_content(postfix_virtual_t)
+optional_policy(`
+ kerberos_read_keytab(postfix_virtual_t)
+')
+
########################################
#
# postfix_domain common policy
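Review bot: `kerberos_read_keytab(postfix_smtp_t)` and the postfix_virtual_t copy grant read on every file of the keytab type, which on a default install is the host's /etc/krb5.keytab holding the host principal keys, not just a keytab dedicated to the PostgreSQL lookup; a compromised SMTP client or virtual delivery agent could then extract those keys. Each new block should carry a why-comment, e.g. `# GSSAPI auth to the pgsql lookup backend (rhbz#1983308); this reads the whole keytab type, deploy a dedicated keytab via KRB5_KTNAME`, and since only deployments using virtual mailboxes over Kerberos-authenticated PostgreSQL need it, gating both rules behind a boolean would keep the default policy tight. Whether a separate keytab type exists for postfix is not visible here.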


@ -0,0 +1,30 @@
From a120005379c8629aa7b6d174d7c763e4f84fedc4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 5 Oct 2022 20:36:22 +0200
Subject: [PATCH] Allow pulseaudio create gnome content (~/.config)
Addresses the following AVC denial:
type=PROCTITLE msg=audit(10/03/2022 18:19:59.393:477) : proctitle=/usr/bin/pulseaudio --daemonize=no --log-target=journal
type=PATH msg=audit(10/03/2022 18:19:59.393:477) : item=1 name=/home/username/.config nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/03/2022 18:19:59.393:477) : item=0 name=/home/username/ inode=25197786 dev=fd:02 mode=dir,700 ouid=username ogid=username rdev=00:00 obj=staff_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(10/03/2022 18:19:59.393:477) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x55db1dc2a420 a1=0700 a2=0xffffffff a3=0x0 items=2 ppid=6693 pid=6748 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=11 comm=pulseaudio exe=/usr/bin/pulseaudio subj=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(10/03/2022 18:19:59.393:477) : avc: denied { create } for pid=6748 comm=pulseaudio name=.config scontext=staff_u:staff_r:pulseaudio_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:config_home_t:s0 tclass=dir permissive=0
Resolves: rhbz#2124387
---
policy/modules/contrib/pulseaudio.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index b89c5f706a..bdc8263687 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -152,6 +152,7 @@ optional_policy(`
')
optional_policy(`
+ gnome_create_home_config_dirs(pulseaudio_t)
gnome_read_gkeyringd_state(pulseaudio_t)
gnome_signull_gkeyringd(pulseaudio_t)
gnome_manage_gstreamer_home_files(pulseaudio_t)


@ -0,0 +1,32 @@
From 404c8d08e3b4ec9970baa6af55359902d43c3ded Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 20 Oct 2022 19:20:14 +0200
Subject: [PATCH] Allow rotatelogs read httpd_log_t symlinks
This permission is required when rotatelogs is used in apache httpd
configuration for handling logs and the /etc/httpd/logs path is used
where the last directory is a symlink to ../../var/log/httpd:
CustomLog "|/usr/sbin/rotatelogs /etc/httpd/logs/www.example.com 3600" combined
It is executed with /etc/httpd as CWD, so it needs the search permission
for httpd_config_t, too.
Resolves: rhbz#2030633
---
policy/modules/contrib/apache.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 73957e4459..9101494b7e 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1668,6 +1668,8 @@ optional_policy(`
allow httpd_rotatelogs_t self:capability { dac_read_search };
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
+read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
+allow httpd_rotatelogs_t httpd_config_t:dir search_dir_perms;
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)


@ -0,0 +1,27 @@
From d6bb54218c4b3f5cbed4c3b7115dc43793ebdcba Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 16 Nov 2022 16:37:54 +0100
Subject: [PATCH] Allow rpc.gssd read network sysctls
Addresses the following AVC denial:
type=AVC msg=audit(1668606673.80:374): avc: denied { read } for pid=1236 comm="rpc.gssd" name="disable_ipv6" dev="proc" ino=32004 scontext=system_u:system_r:gssd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
Resolves: rhbz#2143271
---
policy/modules/contrib/rpc.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index a13661a797..f94cfa5d24 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -369,7 +369,7 @@ kernel_read_system_state(gssd_t)
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
-kernel_search_network_sysctl(gssd_t)
+kernel_read_net_sysctls(gssd_t)
kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)


@ -0,0 +1,49 @@
From e1fe6ba8a75ff66e506e7d80b4d8ccb8f899ec39 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 24 May 2023 16:39:11 +0200
Subject: [PATCH] Allow rpcd_lsad setcap and use generic ptys
Allow /usr/libexec/samba/rpcd_lsad running in the winbind_rpcd_t domain
the setcap permission to use capset(2) and use generic ptys when a request
to change a password is made. Note winbind_rpcd_t is not in the daemon
attribute which is a subject of the daemons_use_tty boolean.
The commit addresses the following AVC denials:
type=PROCTITLE msg=audit(05/23/2023 15:45:49.588:911) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=2 --worker-index=0 --debuglevel=0
type=PATH msg=audit(05/23/2023 15:45:49.588:911) : item=0 name=/dev/pts/2 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(05/23/2023 15:45:49.588:911) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffce321e8c0 a1=0x7ffce321e830 a2=0x7ffce321e830 a3=0x0 items=1 ppid=129672 pid=129682 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(05/23/2023 15:45:49.588:911) : avc: denied { search } for pid=129682 comm=rpcd_lsad name=/ dev="devpts" ino=1 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(05/24/2023 03:08:08.440:1130) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=2 --worker-index=0 --debuglevel=0
type=SYSCALL msg=audit(05/24/2023 03:08:08.440:1130) : arch=x86_64 syscall=capset success=no exit=EACCES(Permission denied) a0=0x561752d238b4 a1=0x561752d238bc a2=0x561752d238bc a3=0x7ffd6edcd904 items=0 ppid=164904 pid=164906 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(05/24/2023 03:08:08.440:1130) : avc: denied { setcap } for pid=164906 comm=rpcd_lsad scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=0
Resolves: rhbz#2107106
---
policy/modules/contrib/samba.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 9847d3da29..1a90ca864f 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1173,6 +1173,7 @@ optional_policy(`
allow winbind_rpcd_t self:capability { setgid setuid };
allow winbind_rpcd_t self:key { read write };
allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms;
+allow winbind_rpcd_t self:process setcap;
allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto };
allow winbind_rpcd_t self:unix_stream_socket connectto;
allow winbind_rpcd_t self:udp_socket create_socket_perms;
@@ -1268,6 +1269,10 @@ optional_policy(`
systemd_userdbd_stream_connect(winbind_rpcd_t)
')
+optional_policy(`
+ term_use_generic_ptys(winbind_rpcd_t)
+')
+
optional_policy(`
unconfined_dgram_send(winbind_rpcd_t)
')


@ -0,0 +1,53 @@
From b3a5dfcc161ee097a0a5aa0fbf515e2e0bfb7430 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 5 Aug 2022 16:42:50 +0200
Subject: [PATCH] Allow samba-bgqd get a printer list
When `rpcclient localhost -c 'enumprinters'` or a similar command is executed,
samba-bgqd connects to the cups service to get the list of configured printers.
The printers are then cached and updated on regular basis.
Resolves: rhbz#2112395
---
policy/modules/contrib/samba.te | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 61598b8e39..d64ba6e569 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1198,10 +1198,16 @@ kernel_read_network_state(winbind_rpcd_t)
corecmd_exec_bin(winbind_rpcd_t)
+corenet_tcp_connect_ipp_port(winbind_rpcd_t)
+
optional_policy(`
auth_read_passwd(winbind_rpcd_t)
')
+optional_policy(`
+ cups_stream_connect(winbind_rpcd_t)
+')
+
optional_policy(`
dbus_system_bus_client(winbind_rpcd_t)
')
@@ -1236,9 +1242,16 @@ optional_policy(`
systemd_userdbd_stream_connect(winbind_rpcd_t)
')
-# interactions with smbd_t/winbind_t
+optional_policy(`
+ unconfined_dgram_send(winbind_rpcd_t)
+')
+
+# inter-process communication with other samba domains
allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;
+allow winbind_rpcd_t nmbd_t:unix_dgram_socket sendto;
+allow winbind_rpcd_t smbd_t:unix_dgram_socket sendto;
+allow winbind_rpcd_t winbind_t:unix_dgram_socket sendto;
allow winbind_rpcd_t winbind_t:unix_stream_socket connectto;
samba_domtrans_winbind_rpcd(smbd_t)


@ -0,0 +1,25 @@
From 4d2a6d493a3a523c9bbb1d5f276f94bb176f5dec Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Mon, 22 Aug 2022 16:40:09 +0200
Subject: [PATCH] Allow samba-bgqd to read a printer list
Allow samba-bgqd, helper program performing asynchronous printing-related jobs,
to read /etc/printcap file, where are stored printer definitions.
Fix: bz#2118977
---
policy/modules/contrib/samba.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 82ba1abf64..323e38b4cc 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1206,6 +1206,7 @@ optional_policy(`
')
optional_policy(`
+ cups_read_config(winbind_rpcd_t)
cups_stream_connect(winbind_rpcd_t)
')


@ -0,0 +1,26 @@
From 400871693697941947ae35e9c914c129518880f0 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 22 May 2023 15:03:56 +0200
Subject: [PATCH] Allow samba-dcerpcd connect to systemd_machined over a unix
socket
The commit addresses the following AVC denial:
type=AVC msg=audit(1684646002.435:1902): avc: denied { connectto } for pid=27491 comm="rpcd_winreg" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
Resolves: rhbz#2208845
---
policy/modules/contrib/samba.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index c8123ff29d..9847d3da29 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1264,6 +1264,7 @@ optional_policy(`
')
optional_policy(`
+ systemd_machined_stream_connect(winbind_rpcd_t)
systemd_userdbd_stream_connect(winbind_rpcd_t)
')


@ -0,0 +1,34 @@
From cac4a1f3b825bdc7f7eeaa4b219c95342ddd135c Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 10 Oct 2022 16:39:50 +0200
Subject: [PATCH] Allow samba-dcerpcd use NSCD services over a unix stream
socket
Addresses the following AVC denial:
type=PROCTITLE msg=audit(08/26/2022 04:14:24.657:453) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=23 --np-helper --debuglevel=0
type=PATH msg=audit(08/26/2022 04:14:24.657:453) : item=0 name=/var/run/nscd/socket inode=130894 dev=00:18 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nscd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SOCKADDR msg=audit(08/26/2022 04:14:24.657:453) : saddr={ saddr_fam=local path=/var/run/nscd/socket }
type=SYSCALL msg=audit(08/26/2022 04:14:24.657:453) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x4 a1=0x7ffccfc81970 a2=0x6e a3=0x6 items=1 ppid=1 pid=93859 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(08/26/2022 04:14:24.657:453) : avc: denied { write } for pid=93859 comm=samba-dcerpcd name=socket dev="tmpfs" ino=130894 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=sock_file permissive=0
Resolves: rhbz#2121709
---
policy/modules/contrib/samba.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 23af3a1304..227c22516d 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1232,6 +1232,10 @@ optional_policy(`
miscfiles_read_generic_certs(winbind_rpcd_t)
')
+optional_policy(`
+ nscd_socket_use(winbind_rpcd_t)
+')
+
optional_policy(`
sssd_read_public_files(winbind_rpcd_t)
sssd_stream_connect(winbind_rpcd_t)


@ -0,0 +1,32 @@
From 88a28fc843a9e3a0039647d0b6fdd5ac7895a286 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 21 Jun 2022 16:02:49 +0200
Subject: [PATCH] Allow samba-dcerpcd work with sssd
Addresses the following AVC denials:
type=AVC msg=audit(1655206265.325:3211): avc: denied { open } for pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/mc/initgroups" dev="vda3" ino=25205857 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1655206265.325:3214): avc: denied { connectto } for pid=33521 comm="samba-dcerpcd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1655206265.325:3214): avc: denied { write } for pid=33521 comm="samba-dcerpcd" name="nss" dev="vda3" ino=17045861 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file permissive=1
Resolves: rhbz#2096825
---
policy/modules/contrib/samba.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 5e851af84a..091e016fd0 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1215,6 +1215,11 @@ optional_policy(`
logging_send_syslog_msg(winbind_rpcd_t)
')
+optional_policy(`
+ sssd_read_public_files(winbind_rpcd_t)
+ sssd_stream_connect(winbind_rpcd_t)
+')
+
optional_policy(`
sysnet_read_config(winbind_rpcd_t)
')


@ -0,0 +1,36 @@
From d5438718efffaf9bdfb6abe2d7fe8ecb1a316b84 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 11 May 2023 17:21:03 +0200
Subject: [PATCH] Allow samba-rpcd work with passwords
A domain transition on chkpwd execution was allowed to winbind_rpcd_t
unconditionally and permissions to use the passwd command only when the
samba_domain_controller boolean is turned on.
Resolves: rhbz#2107106
---
policy/modules/contrib/samba.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 6143ea2622..c8123ff29d 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -471,6 +471,9 @@ tunable_policy(`samba_domain_controller',`
usermanage_domtrans_useradd(smbd_t)
usermanage_domtrans_groupadd(smbd_t)
allow smbd_t self:passwd passwd;
+
+ usermanage_domtrans_passwd(winbind_rpcd_t)
+ allow winbind_rpcd_t self:passwd passwd;
')
tunable_policy(`samba_enable_home_dirs',`
@@ -1213,6 +1216,7 @@ term_getattr_pty_fs(winbind_rpcd_t)
term_use_ptmx(winbind_rpcd_t)
optional_policy(`
+ auth_domtrans_chk_passwd(winbind_rpcd_t)
auth_read_passwd(winbind_rpcd_t)
')


@ -0,0 +1,41 @@
From 533de74a9a344542ab504915938b636698fd9838 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 5 Oct 2022 14:12:22 +0200
Subject: [PATCH] Allow sbd the sys_ptrace capability
The capability is required to scan open file descriptors to find out
which additional processes also have them open.
The sbd binary implements both the daemon that watches message slots
as well as the management tool for interacting with the block storage
device(s).
To get a full cluster view, pcs invokes the sbd-cmdline-tool on other
nodes through the pcsd instances running there which effects sbd
transition to sbd_t although it is a command in this case, not a
service.
Addresses the following AVC denial:
type=PROCTITLE msg=audit(09/12/2022 15:00:59.857:4015) : proctitle=/usr/sbin/sbd query-watchdog
type=PATH msg=audit(09/12/2022 15:00:59.857:4015) : item=0 name=/proc/851/fd/0 inode=21560 dev=00:05 mode=link,500 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:rpcbind_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(09/12/2022 15:00:59.857:4015) : arch=x86_64 syscall=readlink success=no exit=EACCES(Permission denied) a0=0x7ffd9edd46c0 a1=0x7ffd9edd44b0 a2=0xff a3=0x0 items=1 ppid=538646 pid=538650 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sbd exe=/usr/sbin/sbd subj=system_u:system_r:sbd_t:s0 key=(null)
type=AVC msg=audit(09/12/2022 15:00:59.857:4015) : avc: denied { sys_ptrace } for pid=538650 comm=sbd capability=sys_ptrace scontext=system_u:system_r:sbd_t:s0 tcontext=system_u:system_r:sbd_t:s0 tclass=capability permissive=0
Resolves: rhbz#2124552
---
policy/modules/contrib/sbd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/sbd.te b/policy/modules/contrib/sbd.te
index 5aea5cbe1d..4da7c6223b 100644
--- a/policy/modules/contrib/sbd.te
+++ b/policy/modules/contrib/sbd.te
@@ -22,7 +22,7 @@ userdom_user_tmpfs_file(sbd_tmpfs_t)
#
# sbd local policy
#
-allow sbd_t self:capability { dac_read_search dac_override ipc_lock kill sys_boot sys_nice sys_admin};
+allow sbd_t self:capability { dac_read_search dac_override ipc_lock kill sys_boot sys_nice sys_ptrace sys_admin};
allow sbd_t self:process { fork setsched signal_perms };
allow sbd_t self:fifo_file rw_fifo_file_perms;
allow sbd_t self:unix_stream_socket create_stream_socket_perms;
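Review bot: The denial is a `readlink` on `/proc/851/fd/0` belonging to a process in rpcbind_t, and adding `sys_ptrace` to sbd_t's own capability set only satisfies the capability check; on SELinux, PTRACE_MODE_READ access to another domain's /proc entries is additionally checked against that target domain, so a follow-up denial against rpcbind_t (and the other domains sbd scans) is likely unless sbd_t already has read access to all domain state — worth confirming in permissive mode before closing rhbz#2124552. The capability is granted to the whole sbd_t domain, daemon included, although the message says only the command-line invocation needs it; a comment above the rule would record that, e.g. `# sys_ptrace: sbd query-watchdog walks /proc/<pid>/fd to find other holders of the device`. Brace spacing in the rewritten line: `sys_admin};` should be `sys_admin };`.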


@ -0,0 +1,22 @@
From 3d3ff36126d0fd7a38519ede5ad076303105b891 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 25 Aug 2022 17:33:20 +0200
Subject: [PATCH] Allow smbd_t process noatsecure permission for winbind_rpcd_t
Resolves: rhbz#2117199
---
policy/modules/contrib/samba.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 323e38b4cc..d25bc64f5d 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1249,6 +1249,7 @@ optional_policy(`
')
# inter-process communication with other samba domains
+allow smbd_t winbind_rpcd_t:process noatsecure;
allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;
allow winbind_rpcd_t nmbd_t:unix_dgram_socket sendto;
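Review bot: `allow smbd_t winbind_rpcd_t:process noatsecure;` is added without a comment, and neither the hunk nor the commit message explains why the smbd_t→winbind_rpcd_t transition must run without secure-execution mode. `noatsecure` clears AT_SECURE for the new process, so the dynamic loader honours the environment inherited from smbd_t (LD_PRELOAD, LD_LIBRARY_PATH and similar); that is a trust statement about smbd_t's environment and should be recorded next to the rule, e.g. `# noatsecure: rpcd helpers are spawned by smbd with its environment, no secure-exec cleansing (rhbz#2117199)`. The surrounding comment `# inter-process communication with other samba domains` does not describe this rule.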


@ -0,0 +1,29 @@
From c8a25442b17ef4a95fa45cdde90cb6df30946fb1 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 11 Nov 2022 12:37:07 +0100
Subject: [PATCH] Allow sssd dbus chat with system cronjobs
Addresses the following USER_AVC denial:
type=USER_AVC msg=audit(10/11/2022 14:36:01.711:447) : pid=973 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.1467 spid=5736 tpid=7278 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=dbus permissive=0 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
Resolves: rhbz#2132922
---
policy/modules/contrib/sssd.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index 90d04fd918..f84c905f42 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -192,6 +192,10 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(sssd_t)
dbus_connect_system_bus(sssd_t)
+
+ optional_policy(`
+ cron_dbus_chat_system_job(sssd_t)
+ ')
')
optional_policy(`


@ -0,0 +1,26 @@
From 2eafd6c8cbc18aa52e320663ba6bf63f334c95d9 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 23 Nov 2022 09:20:51 +0100
Subject: [PATCH] Allow syslogd read network sysctls
Addresses the following AVC denial:
type=AVC msg=audit(1669156432.404:191): avc: denied { read } for pid=700 comm="rsyslogd" name="disable_ipv6" dev="proc" ino=19523 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
Resolves: rhbz#2145019
---
policy/modules/system/logging.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 4e00b7935a..d96d862f7c 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -541,6 +541,7 @@ kernel_rw_stream_socket_perms(syslogd_t)
kernel_read_system_state(syslogd_t)
kernel_read_network_state(syslogd_t)
kernel_read_kernel_sysctls(syslogd_t)
+kernel_read_net_sysctls(syslogd_t)
kernel_read_netlink_audit_socket(syslogd_t)
kernel_read_proc_symlinks(syslogd_t)
# Allow access to /proc/kmsg for syslog-ng


@ -0,0 +1,25 @@
From 119f307391811d408d2cbed82632b46814376769 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 16 Feb 2023 13:04:48 +0100
Subject: [PATCH] Allow system_cronjob_t transition to rpm_script_t
This permission is required for rpm-like programs (rpm, dnf)
executed from system cronjobs, e. g. /etc/crontab.
Resolves: rhbz#2173255
---
policy/modules/contrib/cron.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index a269cfcc50..8bc806ab9c 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -545,6 +545,7 @@ ifdef(`distro_redhat',`
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
+ rpm_transition_script(system_cronjob_t, system_r)
')
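Review bot: The new `rpm_transition_script(system_cronjob_t, system_r)` call is placed in an `optional_policy` block whose preceding comment (`# via redirection of standard out.`) explains `rpm_manage_log`, so that comment now misdescribes the block. Add a line directly above the new call such as `# rpm/dnf executed from system cronjobs (e.g. /etc/crontab) run in rpm_script_t`. Since rpm_script_t is typically a highly privileged domain, stating what is expected to transition into it helps later audits of cron-driven privilege. The enclosing ifdef(distro_redhat) block starts outside the hunk.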
')


@ -0,0 +1,59 @@
From 6b1b4d1bad371a78c69b399088e167ccdfb646ff Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Mon, 22 Aug 2022 16:01:10 +0200
Subject: [PATCH] Allow system_dbusd ioctl kernel with a unix stream sockets
Systemd creates and starts to listen on the socket before
SELinux policy is loaded and it inherits the kernel secid as its label.
Allow system_dbusd ioctl kernel with a unix stream sockets
Create interface to allow the specified domain to ioctl a kernel with a unix domain stream sockets.
Fix: bz#2085392
---
policy/modules/contrib/dbus.te | 1 +
policy/modules/kernel/kernel.if | 19 +++++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index a0f5679d61..eadbbab2a7 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -94,6 +94,7 @@ manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_ru
manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
+kernel_ioctl_stream_sockets(system_dbusd_t)
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
kernel_stream_connect(system_dbusd_t)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 76613d1967..253b542688 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -3738,6 +3738,25 @@ interface(`kernel_rw_stream_socket_perms',`
allow $1 kernel_t:fd use;
')
+#######################################
+## <summary>
+## Allow the specified domain to ioctl a
+## kernel with a unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_ioctl_stream_sockets',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 kernel_t:unix_stream_socket { getopt ioctl };
+')
+
########################################
## <summary>
## Make the specified type usable for regular entries in proc
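Review bot: In the `gen_require` block of the new `kernel_ioctl_stream_sockets` interface, `type init_t;` is required while the rule body references `kernel_t`, so the require does not cover the type the interface actually uses; it should read `type kernel_t;`. Whether the current form builds depends on the calling module already having kernel_t in scope through another interface, so it may pass or fail by accident. The summary also says only ioctl, but the rule grants `{ getopt ioctl }`; the `<summary>` should mention both, e.g. `## Allow the specified domain to getopt and ioctl kernel unix stream sockets.`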


@ -0,0 +1,26 @@
From 6ceec051905cb5f8a80122eb74682ac3b9dd2f22 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 23 Sep 2022 19:30:53 +0200
Subject: [PATCH] Allow system_mail-t read network sysctls
Addresses the following AVC denial:
type=AVC msg=audit(1663932465.372:588): avc: denied { read } for pid=122144 comm="sendmail" name="disable_ipv6" dev="proc" ino=2645630 scontext=system_u:system_r:system_mail_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
Resolves: rhbz#2129326
---
policy/modules/contrib/mta.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 36c3641806..72bfa1c98a 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -188,7 +188,7 @@ allow system_mail_t mail_home_t:file manage_file_perms;
read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
-kernel_search_network_sysctl(system_mail_t)
+kernel_read_net_sysctls(system_mail_t)
corecmd_exec_shell(system_mail_t)


@ -0,0 +1,57 @@
From 4a49782a31552a8ef0894f0c8d52a2328f269b1c Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 11 Apr 2023 13:22:29 +0200
Subject: [PATCH] Allow systemd-coredump mounton /usr
The files_mounton_usr() interface was added.
Addresses the following AVC denial:
type=AVC msg=audit(1680965603.852:5360): avc: denied { mounton } for pid=2016312 comm="(sd-parse-elf)" path="/" dev="sda4" ino=2 scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
Resolves: rhbz#2185385
---
policy/modules/kernel/files.if | 18 ++++++++++++++++++
policy/modules/system/systemd.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 1a57076567..6226fca96c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3699,6 +3699,24 @@ interface(`files_mounton_etc',`
allow $1 etc_t:dir mounton;
')
+########################################
+## <summary>
+## Mounton directories on the /usr filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_usr',`
+ gen_require(`
+ type usr_t;
+ ')
+
+ allow $1 usr_t:dir mounton;
+')
+
########################################
## <summary>
## Search the contents of /etc directories.
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 57c72d8347..60dbc205ef 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1144,6 +1144,7 @@ files_read_non_security_files(systemd_coredump_t)
files_map_non_security_files(systemd_coredump_t)
files_mounton_rootfs(systemd_coredump_t)
+files_mounton_usr(systemd_coredump_t)
fs_getattr_nsfs_files(systemd_coredump_t)


@ -0,0 +1,29 @@
From d374cf4fb2d5828aafcdd475a880c6d94b10bdff Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 11 Nov 2022 12:46:00 +0100
Subject: [PATCH] Allow systemd-hostnamed dbus chat with init scripts
Addresses the following USER_AVC denial:
type=USER_AVC msg=audit(1659032710.225:59): pid=1684 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.23 spid=2281 tpid=2280 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
Resolves: rhbz#2111632
---
policy/modules/system/systemd.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 6602d7c916..6194317382 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -903,6 +903,10 @@ optional_policy(`
dbus_system_bus_client(systemd_hostnamed_t)
dbus_connect_system_bus(systemd_hostnamed_t)
dbus_watch_pid_dir_path(systemd_hostnamed_t)
+
+ optional_policy(`
+ init_dbus_chat_script(systemd_hostnamed_t)
+ ')
')
optional_policy(`


@ -0,0 +1,31 @@
From 5e6b688ea15f842e1d048828a0296c5eea3e26f0 Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Tue, 9 Aug 2022 11:11:34 +0200
Subject: [PATCH] Allow systemd-modules-load write to /dev/kmsg and send a
message to syslogd
Allow systemd_modules_load_t, early boot service that loads kernel modules,
write to the kernel messages device and send a message to syslogd over a unix domain datagram socket.
Fix: bz#2088257
---
policy/modules/system/systemd.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7d490e853c..9440943375 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1259,9 +1259,12 @@ corecmd_exec_bin(systemd_modules_load_t)
corecmd_exec_shell(systemd_modules_load_t)
dev_read_sysfs(systemd_modules_load_t)
+dev_write_kmsg(systemd_modules_load_t)
init_read_pid_files(systemd_modules_load_t)
+logging_dgram_send(systemd_modules_load_t)
+
files_map_kernel_modules(systemd_modules_load_t)
files_read_kernel_modules(systemd_modules_load_t)


@ -0,0 +1,36 @@
From c19e4cb9a3f23f2b14c31c978627f9c486a369f4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 31 Aug 2022 18:20:03 +0200
Subject: [PATCH] Allow systemd permissions needed for sandboxed services
The permissions to mounton self and get mail spool files attributes
were added for init_t. Example service requiring them is accounts-daemon
from the accountsservice package which since v22 has more tightened
sandboxing, including mounting into private namespaces and listing
accessible paths.
Resolves: rhbz#2122059
---
policy/modules/system/init.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 06be25304a..4311dbc359 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -187,6 +187,7 @@ allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
# setuid (from /sbin/shutdown)
# sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
+allow init_t self:file mounton;
allow init_t self:fifo_file rw_fifo_file_perms;
allow init_t self:service manage_service_perms;
@@ -544,6 +545,7 @@ optional_policy(`
optional_policy(`
postfix_exec(init_t)
postfix_list_spool(init_t)
+ mta_getattr_spool(init_t)
mta_read_config(init_t)
mta_manage_aliases(init_t)
')


@ -0,0 +1,29 @@
From a7e6b82865350053269b0abab82889e18095358d Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 30 Jan 2023 14:22:02 +0100
Subject: [PATCH] Allow systemd-resolved send a datagram to journald
Addresses the following AVC denial:
type=AVC msg=audit(1674810195.623:587): avc: denied { sendto } for pid=47442 comm="systemd-resolve" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0
Resolves: rhbz#2165134
---
policy/modules/system/systemd.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7c625074c4..57c72d8347 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1267,6 +1267,10 @@ optional_policy(`
systemd_dbus_chat_logind(systemd_resolved_t)
')
+optional_policy(`
+ logging_dgram_send(systemd_resolved_t)
+')
+
optional_policy(`
networkmanager_dbus_chat(systemd_resolved_t)
')


@ -0,0 +1,62 @@
From 522fab1033215e698e44f261ea110dc08e6d2c7c Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 21 Dec 2022 12:32:15 +0100
Subject: [PATCH] Allow systemd-resolved watch tmpfs directories
This permission is required when the system is booted with
systemd.volatile=overlay. Overlay filesystems are mounted as ramfs
or tmpfs, the tmpfs_t type is assigned to "/".
The files_watch_tmpfs_dirs() interface was added.
Addresses the following AVC denial:
type=AVC msg=audit(1663671100.753:186): avc: denied { watch } for pid=674 comm="systemd-resolve" path="/" dev="overlay" ino=2 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
Resolves: rhbz#2128246
---
policy/modules/kernel/files.if | 18 ++++++++++++++++++
policy/modules/system/systemd.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index eb9e6e032c..1a57076567 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -9802,6 +9802,24 @@ interface(`files_rw_tmpfs_files',`
allow $1 tmpfsfile:file { read write };
')
+##########################################
+## <summary>
+## Watch a tmpfs directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`files_watch_tmpfs_dirs',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 tmpfs_t:dir watch_dir_perms;
+')
+
########################################
## <summary>
## Do not audit attempts to read security files
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 3a6fd02c3e..77187a80e4 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1244,6 +1244,7 @@ dev_write_kmsg(systemd_resolved_t)
dev_read_sysfs(systemd_resolved_t)
files_watch_root_dirs(systemd_resolved_t)
+files_watch_tmpfs_dirs(systemd_resolved_t)
files_watch_var_run_dirs(systemd_resolved_t)
init_watch_pid_dir(systemd_resolved_t)
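Review bot: In the `gen_require` block of the new `files_watch_tmpfs_dirs` interface, `type root_t;` is required but the rule body uses `tmpfs_t`; it should read `type tmpfs_t;`, otherwise the interface only builds where the caller happens to have tmpfs_t in scope already. The new block also opens with a 42-character `#` separator while the neighbouring interfaces in files.if use 40, and the parameter summary `Domain allowed access` lacks the trailing period used by the surrounding entries. The systemd.te hunk in this section is fine as written.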


@ -0,0 +1,32 @@
From 978245dc94680ac0cf55d11f37e2d788bc68bc1a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 19 Dec 2022 14:31:15 +0100
Subject: [PATCH] Allow systemd-rfkill the bpf capability
Linux Socket Filtering (LSF) is derived from the Berkeley Packet Filter
and uses the same mechanism to allow a user-space program to attach a
filter onto any socket and allow or disallow certain types of data to
come through the socket.
The systemd-rfkill service wants to listen only to related udev events,
so it needs to set a filter for which the bpf capability is required.
Addresses the following USER_AVC denial:
type=AVC msg=audit(1669160827.102:10): avc: denied { bpf } for pid=954 comm="systemd-rfkill" capability=39 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:system_r:systemd_rfkill_t:s0 tclass=capability2 permissive=0
Resolves: rhbz#2149390
---
policy/modules/system/systemd.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 77187a80e4..10b1b2d9b2 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -947,6 +947,7 @@ tunable_policy(`systemd_socket_proxyd_connect_any',`
#
allow systemd_rfkill_t self:capability { net_admin sys_admin};
+allow systemd_rfkill_t self:capability2 bpf;
allow systemd_rfkill_t self:netlink_kobject_uevent_socket create_socket_perms;
manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)


@ -0,0 +1,25 @@
From b75e34887410c756e09763994cce88584a214da2 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 8 Dec 2022 20:06:14 +0100
Subject: [PATCH] Allow systemd-timedated watch init runtime dir
Addresses the following AVC denial:
Dec 08 06:43:24 audit[7055]: AVC avc: denied { watch } for pid=7055 comm="systemd-timesyn" path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_timedated_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
Resolves: rhbz#2151806
---
policy/modules/system/systemd.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 8fb7509147..3a6fd02c3e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1017,6 +1017,7 @@ fs_getattr_xattr_fs(systemd_timedated_t)
init_dbus_chat(systemd_timedated_t)
init_status(systemd_timedated_t)
+init_watch_pid_dir(systemd_timedated_t)
kernel_read_network_state(systemd_timedated_t)
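Review bot: The quoted denial shows `comm="systemd-timesyn"` running in `systemd_timedated_t`, so the rule matches the observed domain, but it suggests systemd-timesyncd is being labelled into the timedated domain; whether that labelling is intended is worth confirming before widening systemd_timedated_t, since the watch on `/run/systemd` is then granted to both services. A one-line comment tying the rule to the bug would help, e.g. `# watch /run/systemd (rhbz#2151806)`.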


@ -0,0 +1,58 @@
From a266ee5b8b29d8f64a51cc408d558ae92c5e86ee Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 4 Jan 2023 14:16:56 +0100
Subject: [PATCH] Allow systemd-userdbd the sys_resource capability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This permission is required for the process be able to set its
arg start and end address, refer to prctl(2):
PR_SET_MM (since Linux 3.3)
Modify certain kernel memory map descriptor fields of the calling
process. Usually these fields are set by the kernel and dynamic loader
(see ld.so(8) for more information) and a regular application should not
use this feature. However, there are cases, such as self-modifying pro
grams, where a program might find it useful to change its own memory
map.
The calling process must have the CAP_SYS_RESOURCE capability. The
value in arg2 is one of the options below, while arg3 provides a new
value for the option. The arg4 and arg5 arguments must be zero if un
used.
PR_SET_MM_ARG_START
Set the address above which the program command line is placed.
PR_SET_MM_ARG_END
Set the address below which the program command line is placed.
Addresses the following AVC denials:
type=PROCTITLE msg=audit(01/04/2023 06:21:21.285:112) : proctitle=(sd-worker)
type=SYSCALL msg=audit(01/04/2023 06:21:21.285:112) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x8 a2=0x7fa791901000 a3=0x0 items=0 ppid=1367 pid=1384 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(sd-worker) exe=/usr/lib/systemd/systemd-userdbd subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
type=AVC msg=audit(01/04/2023 06:21:21.285:112) : avc: denied { sys_resource } for pid=1384 comm=(sd-worker) capability=sys_resource scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=1
type=PROCTITLE msg=audit(01/04/2023 06:21:23.761:156) : proctitle=systemd-userwork: processing...
type=SYSCALL msg=audit(01/04/2023 06:21:23.761:156) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x9 a2=0x7fcc48186020 a3=0x0 items=0 ppid=1367 pid=1385 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-userwor exe=/usr/lib/systemd/systemd-userwork subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
type=AVC msg=audit(01/04/2023 06:21:23.761:156) : avc: denied { sys_resource } for pid=1385 comm=systemd-userwor capability=sys_resource scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=1
Resolves: rhbz#2166509
---
policy/modules/system/systemd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 10b1b2d9b2..7c625074c4 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1461,7 +1461,7 @@ optional_policy(`
#
# systemd_userdbd local policy
#
-allow systemd_userdbd_t self:capability dac_read_search;
+allow systemd_userdbd_t self:capability { dac_read_search sys_resource };
manage_dirs_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
manage_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)


@ -0,0 +1,26 @@
From db58b4d32e06d17dff7a6e2adf3a3164a318fef2 Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Fri, 5 Aug 2022 15:46:01 +0200
Subject: [PATCH] Allow systemd_hostnamed label /run/systemd/* as
hostnamed_etc_t
Allow systemd_hostnamed_t to create files in /run/systemd/* with label hostnamed_etc_t
Names of these files include hashes.
Fix: bz#1976684
---
policy/modules/system/systemd.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index a9308b8cce..7d490e853c 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -851,6 +851,7 @@ allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms;
manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t)
files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file)
+init_pid_filetrans(systemd_hostnamed_t, hostname_etc_t, file )
kernel_dgram_send(systemd_hostnamed_t)
kernel_read_xen_state(systemd_hostnamed_t)
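Review bot: The added `init_pid_filetrans(systemd_hostnamed_t, hostname_etc_t, file )` carries a stray space before the closing parenthesis; write it `init_pid_filetrans(systemd_hostnamed_t, hostname_etc_t, file)` to match the neighbouring calls. Because no filename argument is given, the transition appears to apply to every regular file systemd-hostnamed creates directly in the init runtime directory, not only the hash-named files the description mentions; a comment above the line such as `# unnamed transition: hostnamed's /run/systemd/* files have hash-derived names` would record why a name-based transition was not usable.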


@ -0,0 +1,27 @@
From 610162346b12f1d34198fb8f435e2426bc28462c Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 22 Dec 2022 12:05:13 +0100
Subject: [PATCH] Allow tlp read generic SSL certificates
Addresses the following AVC denial and further ones:
type=AVC msg=audit(1659568944.632:728): avc: denied { search } for pid=34604 comm="modinfo" name="pki" dev="dm-1" ino=2490465 scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
Resolves: rhbz#2115141
---
policy/modules/contrib/tlp.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/tlp.te b/policy/modules/contrib/tlp.te
index 38ba44adb9..f73b8bbdcf 100644
--- a/policy/modules/contrib/tlp.te
+++ b/policy/modules/contrib/tlp.te
@@ -65,6 +65,8 @@ files_load_kernel_modules(tlp_t)
init_status(tlp_t)
init_stream_connectto(tlp_t)
+miscfiles_read_generic_certs(tlp_t)
+
modutils_exec_kmod(tlp_t)
modutils_read_module_config(tlp_t)
modutils_read_module_deps_files(tlp_t)


@ -0,0 +1,32 @@
From e485345b572121f09778da9c146cf1bcd22ae0cf Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 12 Sep 2022 17:26:03 +0200
Subject: [PATCH] Allow tor get filesystem attributes
In particular, attributes of cgroup filesystems and generic filesystems
with extended attributes.
Addresses the following AVC denials:
type=AVC msg=audit(1633585335.809:601): avc: denied { getattr } for pid=1881 comm="tor" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1633585335.809:602): avc: denied { getattr } for pid=1881 comm="tor" name="/" dev="dm-0" ino=256 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Resolves: rhbz#2012006
---
policy/modules/contrib/tor.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 0dc670b885..ae36c255ca 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -124,6 +124,9 @@ domain_use_interactive_fds(tor_t)
files_read_etc_runtime_files(tor_t)
+fs_getattr_cgroup(tor_t)
+fs_getattr_xattr_fs(tor_t)
+
auth_use_nsswitch(tor_t)
logging_send_syslog_msg(tor_t)


@ -0,0 +1,41 @@
From 9cc99c46be86915aec6dd7a13c00dfb6117c5c12 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 24 Aug 2022 18:51:14 +0200
Subject: [PATCH] Allow unconfined and sysadm users transition for /root/.gnupg
---
policy/modules/roles/sysadm.te | 5 +++++
policy/modules/roles/unconfineduser.te | 4 ++++
2 files changed, 9 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 529a5146d4..c40f1edb04 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -308,6 +308,11 @@ optional_policy(`
optional_policy(`
gnome_filetrans_fontconfig_home_content(sysadm_t)
')
+
+optional_policy(`
+ gpg_filetrans_admin_home_content(sysadm_t)
+')
+
optional_policy(`
hostname_run(sysadm_t, sysadm_r)
')
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index e01e515ce3..6ab52d9032 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -152,6 +152,10 @@ optional_policy(`
devicekit_dbus_chat_power(unconfined_t)
')
+ optional_policy(`
+ gpg_filetrans_admin_home_content(unconfined_t)
+ ')
+
optional_policy(`
kpatch_run(unconfined_t,unconfined_r)
')
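Review bot: In the unconfineduser.te hunk the added `optional_policy(` block is indented one level deeper than the sibling `optional_policy(` that follows it, so it appears to sit inside an enclosing block that starts before the hunk, whereas the sysadm.te addition is at top level. If that enclosing block is conditional, unconfined_t gets the gpg filetrans only under that condition while sysadm_t gets it unconditionally, which the commit message does not mention. If the nesting is intended, a one-line comment naming the enclosing condition would help; otherwise move the block into the top-level sequence next to `kpatch_run(unconfined_t,unconfined_r)`.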


@ -0,0 +1,29 @@
From f5d181f909dc380ede72219ede558ed4052c143f Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 10 Oct 2022 16:47:39 +0200
Subject: [PATCH] Allow vlock search the contents of the /dev/pts directory
Addresses the following AVC denial:
type=PROCTITLE msg=audit(08/31/2022 09:28:27.751:867) : proctitle=vlock
type=PATH msg=audit(08/31/2022 09:28:27.751:867) : item=0 name=/dev/pts/1 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(08/31/2022 09:28:27.751:867) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x55b5ce6f0b60 a1=0x7ffdd6518320 a2=0x7ffdd6518320 a3=0x0 items=1 ppid=9040 pid=12550 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=pts1 ses=17 comm=vlock exe=/usr/bin/vlock subj=sysadm_u:sysadm_r:vlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/31/2022 09:28:27.751:867) : avc: denied { search } for pid=12550 comm=vlock name=/ dev="devpts" ino=1 scontext=sysadm_u:sysadm_r:vlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=0
Resolves: rhbz#2122838
---
policy/modules/contrib/vlock.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te
index de409cc610..418f2f7ab5 100644
--- a/policy/modules/contrib/vlock.te
+++ b/policy/modules/contrib/vlock.te
@@ -40,5 +40,7 @@ init_dontaudit_rw_utmp(vlock_t)
logging_send_syslog_msg(vlock_t)
+term_search_ptys(vlock_t)
+
userdom_dontaudit_search_user_home_dirs(vlock_t)
userdom_use_inherited_user_terminals(vlock_t)


@ -0,0 +1,25 @@
From 4c7f07ac123d25d9b053fa798067c7ef883fb17b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 15 Nov 2022 14:57:01 +0100
Subject: [PATCH] Allow winbind-rpcd get attributes of device and pty
filesystems
Resolves: rhbz#2107106
---
policy/modules/contrib/samba.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 88fb46b700..1395047b3e 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1203,6 +1203,9 @@ corecmd_exec_bin(winbind_rpcd_t)
corenet_tcp_connect_ipp_port(winbind_rpcd_t)
+dev_getattr_fs(winbind_rpcd_t)
+
+term_getattr_pty_fs(winbind_rpcd_t)
term_use_ptmx(winbind_rpcd_t)
optional_policy(`


@ -0,0 +1,29 @@
From e91d34918bd3e80aefa7236c014a2ad537a74966 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 22 Dec 2022 13:14:35 +0100
Subject: [PATCH] Allow winbind-rpcd make a TCP connection to the ldap port
Addresses the following AVC denial:
type=PROCTITLE msg=audit(12/06/2022 12:58:18.767:2236) : proctitle=/usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=35 --np-helper --debuglevel=2
type=SOCKADDR msg=audit(12/06/2022 12:58:18.767:2236) : saddr={ saddr_fam=inet laddr=127.0.0.1 lport=389 }
type=SYSCALL msg=audit(12/06/2022 12:58:18.767:2236) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0xf a1=0x55f673a4ace0 a2=0x10 a3=0x0 items=0 ppid=1 pid=7080 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=samba-dcerpcd exe=/usr/libexec/samba/samba-dcerpcd subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(12/06/2022 12:58:18.767:2236) : avc: denied { name_connect } for pid=7080 comm=samba-dcerpcd dest=389 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
Resolves: rhbz#2152642
---
policy/modules/contrib/samba.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 8746918587..6143ea2622 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1205,6 +1205,7 @@ kernel_read_network_state(winbind_rpcd_t)
corecmd_exec_bin(winbind_rpcd_t)
corenet_tcp_connect_ipp_port(winbind_rpcd_t)
+corenet_tcp_connect_ldap_port(winbind_rpcd_t)
dev_getattr_fs(winbind_rpcd_t)


@ -0,0 +1,37 @@
From 9921e239291412f21c98806f2777dba7fce8bbe4 Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Thu, 15 Dec 2022 12:07:05 +0100
Subject: [PATCH] Allow winbind-rpcd manage samba_share_t files and dirs
Allow winbind connect to init_t unix_stream_socket
Resolves: rhbz#2150680
---
policy/modules/contrib/samba.te | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 1395047b3e..8746918587 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1185,6 +1185,9 @@ manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_ru
files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
# access to files of other samba domains
+manage_dirs_pattern(winbind_rpcd_t, samba_share_t, samba_share_t)
+manage_files_pattern(winbind_rpcd_t, samba_share_t, samba_share_t)
+
manage_dirs_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
read_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
@@ -1225,6 +1228,10 @@ optional_policy(`
dirsrv_stream_connect(winbind_rpcd_t)
')
+optional_policy(`
+ init_stream_connectto(winbind_rpcd_t)
+')
+
optional_policy(`
kerberos_read_keytab(winbind_rpcd_t)
kerberos_use(winbind_rpcd_t)
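Review bot: The commit message records no AVC denial or rationale for giving winbind_rpcd_t full manage (create/write/unlink/rename) access to samba_share_t, the label on user-visible share content, whereas the other winbind-rpcd backports in this series quote the denial they address. If the daemon only needs to read share metadata, `read_files_pattern`/`list_dirs_pattern` would be the narrower rule; if manage is required, a comment above the two lines naming the RPC service that touches share files would document the widening. The description also says "Allow winbind connect to init_t unix_stream_socket" while the rule is written for winbind_rpcd_t, not winbind_t; the sentence should name the domain the rule actually targets.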


@ -0,0 +1,26 @@
From d55213e04801baef4979cb38340737d69cb66d0c Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 19 Sep 2022 12:28:38 +0200
Subject: [PATCH] Allow winbind-rpcd read and write its key ring
Addresses the following AVC denials:
type=AVC msg=audit(1663577560.480:3619): avc: denied { write } for pid=109517 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1
type=AVC msg=audit(1663577560.480:3620): avc: denied { read } for pid=109517 comm="samba-dcerpcd" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=key permissive=1
Resolves: rhbz#2127854
---
policy/modules/contrib/samba.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index d25bc64f5d..23af3a1304 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1167,6 +1167,7 @@ optional_policy(`
#
allow winbind_rpcd_t self:capability { setgid setuid };
+allow winbind_rpcd_t self:key { read write };
allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms;
allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto };
allow winbind_rpcd_t self:unix_stream_socket connectto;


@ -0,0 +1,30 @@
From ea6e506843ed60097d84b14dea6945fd4e885fb0 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 11 Nov 2022 14:00:10 +0100
Subject: [PATCH] Allow winbind-rpcd use the terminal multiplexor
Addresses the following AVC denial:
type=PROCTITLE msg=audit(07/14/2022 07:07:43.161:380) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=3 --worker-index=0 --debuglevel=0
type=PATH msg=audit(07/14/2022 07:07:43.161:380) : item=0 name=/dev/ptmx inode=11387 dev=00:06 mode=character,666 ouid=root ogid=tty rdev=05:02 obj=system_u:object_r:ptmx_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(07/14/2022 07:07:43.161:380) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fb1d4cf2a46 a2=O_RDWR|O_NOCTTY a3=0x0 items=1 ppid=6326 pid=6336 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(07/14/2022 07:07:43.161:380) : avc: denied { read write } for pid=6336 comm=rpcd_lsad name=ptmx dev="devtmpfs" ino=11387 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=0
Resolves: rhbz#2107106
---
policy/modules/contrib/samba.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 2280531046..88fb46b700 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1203,6 +1203,8 @@ corecmd_exec_bin(winbind_rpcd_t)
corenet_tcp_connect_ipp_port(winbind_rpcd_t)
+term_use_ptmx(winbind_rpcd_t)
+
optional_policy(`
auth_read_passwd(winbind_rpcd_t)
')


@ -0,0 +1,24 @@
From 495539633271d0e187e221dec061e122812cb5c2 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 5 Aug 2022 17:30:47 +0200
Subject: [PATCH] Allow winbind-rpcd write to winbind pid files
Addresses the following AVC denial:
type=AVC msg=audit(1658286623.868:2435): avc: denied { write } for pid=6219 comm="samba-dcerpcd" name="samba-dcerpcd.pid" dev="tmpfs" ino=1643 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:winbind_var_run_t:s0 tclass=file permissive=1
---
policy/modules/contrib/samba.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index d64ba6e569..82ba1abf64 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1176,6 +1176,7 @@ allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;
read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t)
+write_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t)
write_sock_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t)
manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)


@ -0,0 +1,29 @@
From e9ed412d419a865d8a9a396469d1f2bda351f30d Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 17 Jun 2022 19:46:05 +0200
Subject: [PATCH] Allow winbind_rpcd_t connect to self over a
unix_stream_socket
Addresses the following AVC denial:
type=PROCTITLE msg=audit(06/13/2022 04:54:59.247:2004) : proctitle=/usr/libexec/samba/rpcd_classic --configfile=/etc/samba/smb.conf --worker-group=6 --worker-index=0 --debuglevel=10
type=AVC msg=audit(06/13/2022 04:54:59.247:2004) : avc: denied { connectto } for pid=23402 comm=rpcd_classic path=/run/samba/ncalrpc/np/winreg scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(06/13/2022 04:54:59.247:2004) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x10 a1=0x5624dd0ca5d0 a2=0x6e a3=0x7fe7094db260 items=0 ppid=23239 pid=23402 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_classic exe=/usr/libexec/samba/rpcd_classic subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
Resolves: rhbz#2096255
---
policy/modules/contrib/samba.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 7087c37e7a..5e851af84a 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1168,6 +1168,7 @@ optional_policy(`
allow winbind_rpcd_t self:capability { setgid setuid };
allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms;
allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow winbind_rpcd_t self:unix_stream_socket connectto;
allow winbind_rpcd_t self:udp_socket create_socket_perms;
allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;


@ -0,0 +1,146 @@
From e1e216b25df1bdb4eb7dbb8f73f32927ad6f3d1f Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 14 Apr 2022 12:07:40 +0200
Subject: [PATCH] Fix users for SELinux userspace 3.4
Latest yet to be released userspace version 3.4 added new validation and
discovered several issues in current implementation. This patch tries to
address them:
- move guest and xguest module from contrib to roles - refpolicy did
this change long time ago
- roles guest_r and xguest_r need to be defined in kernel.te
- gen_user() is supposed to be in policy/users, not in modules
- drop role multiple definitions from userdom_base_user_template as it's
and is supposed to be defined in kernel.te
---
policy/modules/kernel/kernel.te | 3 +++
policy/modules/{contrib => roles}/guest.fc | 0
policy/modules/{contrib => roles}/guest.if | 0
policy/modules/{contrib => roles}/guest.te | 4 ++--
policy/modules/roles/unconfineduser.te | 3 +--
policy/modules/{contrib => roles}/xguest.fc | 0
policy/modules/{contrib => roles}/xguest.if | 0
policy/modules/{contrib => roles}/xguest.te | 4 ++--
policy/modules/system/userdomain.if | 3 +--
9 files changed, 9 insertions(+), 8 deletions(-)
rename policy/modules/{contrib => roles}/guest.fc (100%)
rename policy/modules/{contrib => roles}/guest.if (100%)
rename policy/modules/{contrib => roles}/guest.te (82%)
rename policy/modules/{contrib => roles}/xguest.fc (100%)
rename policy/modules/{contrib => roles}/xguest.if (100%)
rename policy/modules/{contrib => roles}/xguest.te (98%)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index acbb2f74e6..73696bcb0a 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -39,6 +39,9 @@ role user_r;
# here until order dependence is fixed:
role unconfined_r;
+role guest_r;
+role xguest_r;
+
ifdef(`enable_mls',`
role secadm_r;
role auditadm_r;
diff --git a/policy/modules/contrib/guest.fc b/policy/modules/roles/guest.fc
similarity index 100%
rename from policy/modules/contrib/guest.fc
rename to policy/modules/roles/guest.fc
diff --git a/policy/modules/contrib/guest.if b/policy/modules/roles/guest.if
similarity index 100%
rename from policy/modules/contrib/guest.if
rename to policy/modules/roles/guest.if
diff --git a/policy/modules/contrib/guest.te b/policy/modules/roles/guest.te
similarity index 82%
rename from policy/modules/contrib/guest.te
rename to policy/modules/roles/guest.te
index 0605776333..2e9505d1cc 100644
--- a/policy/modules/contrib/guest.te
+++ b/policy/modules/roles/guest.te
@@ -5,7 +5,7 @@ policy_module(guest, 1.3.0)
# Declarations
#
-role guest_r;
+# role guest_r;
userdom_restricted_user_template(guest)
@@ -20,4 +20,4 @@ optional_policy(`
apache_role(guest_r, guest_t)
')
-gen_user(guest_u, user, guest_r, s0, s0)
+# gen_user(guest_u, user, guest_r, s0, s0)
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index 55bca1e31e..5596e6f0ee 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -399,5 +399,4 @@ optional_policy(`
xserver_xsession_entry_type(unconfined_t)
')
-gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
+# gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/policy/modules/contrib/xguest.fc b/policy/modules/roles/xguest.fc
similarity index 100%
rename from policy/modules/contrib/xguest.fc
rename to policy/modules/roles/xguest.fc
diff --git a/policy/modules/contrib/xguest.if b/policy/modules/roles/xguest.if
similarity index 100%
rename from policy/modules/contrib/xguest.if
rename to policy/modules/roles/xguest.if
diff --git a/policy/modules/contrib/xguest.te b/policy/modules/roles/xguest.te
similarity index 98%
rename from policy/modules/contrib/xguest.te
rename to policy/modules/roles/xguest.te
index 8d3ef540a7..e19bf40fc5 100644
--- a/policy/modules/contrib/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -26,7 +26,7 @@ gen_tunable(xguest_connect_network, true)
## </desc>
gen_tunable(xguest_use_bluetooth, true)
-role xguest_r;
+# role xguest_r;
userdom_restricted_xwindows_user_template(xguest)
sysnet_dns_name_resolve(xguest_t)
@@ -203,4 +203,4 @@ optional_policy(`
role xguest_r types mozilla_t;
')
-gen_user(xguest_u, user, xguest_r, s0, s0)
+# gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b16984dd82..d5be647e85 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -27,6 +27,7 @@ template(`userdom_base_user_template',`
attribute userdomain;
type user_devpts_t, user_tty_device_t;
class context contains;
+ role $1_r;
')
attribute $1_file_type;
@@ -34,12 +35,10 @@ template(`userdom_base_user_template',`
type $1_t, userdomain, $1_usertype;
domain_type($1_t)
- role $1_r;
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
domain_user_exemption_target($1_t)
ubac_constrained($1_t)
- role $1_r;
role $1_r types $1_t;
allow system_r $1_r;
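Review bot: The `gen_user(...)` lines for guest_u, xguest_u and unconfined_u are commented out in guest.te, xguest.te and unconfineduser.te, but the diffstat lists no change under policy/users, where the description says the users are supposed to be defined; unless this tree's policy/users already declares those three users with the same roles and MLS ranges, the built policy loses them and logins mapped to them fail. Commenting out with `#` rather than deleting also leaves dead declarations behind (`# role guest_r;`, `# gen_user(guest_u, user, guest_r, s0, s0)`); delete them and, if a pointer is wanted, keep a single comment such as `# guest_r is declared in kernel.te; guest_u in policy/users`. The userdomain.if change, moving `role $1_r;` into the gen_require block and dropping the two duplicate declarations, looks consistent with the stated goal.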


@ -0,0 +1,52 @@
From 3a55e3a69bb33261abcd8104d93e0ee83d5da35a Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 1 Sep 2021 10:06:44 +0200
Subject: [PATCH] Stop ignoring standalone interface files
Interface files without corresponding .te where ignored, unless the
module name was specified in modules.conf.
Standalone interface files are useful for backwards compatibility in
case a policy module removed from this repository.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
Makefile | 4 ++++
Rules.modular | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index a9dfef1bc1..4a08bba6fa 100644
--- a/Makefile
+++ b/Makefile
@@ -264,6 +264,7 @@ generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in
# sort here since it removes duplicates, which can happen
# when a generated file is already generated
detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te))
+detected_ifs := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.if)) $(generated_if))
modxml := $(addprefix $(tmpdir)/, $(detected_mods:.te=.xml))
layerxml := $(sort $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers)))))
@@ -307,6 +308,9 @@ off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_c
# add modules not in modules.conf to the off list
off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
+# all interface files without corresponding .te - backwards compatibility
+standalone_ifs := $(filter-out $(subst .te,.if, $(base_mods) $(mod_mods) $(off_mods)), $(notdir $(detected_ifs)))
+
# filesystems to be used in labeling targets
filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
diff --git a/Rules.modular b/Rules.modular
index ad65733e10..258c8b6560 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -4,7 +4,7 @@
#
all_modules := $(base_mods) $(mod_mods) $(off_mods)
-all_interfaces := $(all_modules:.te=.if)
+all_interfaces := $(all_modules:.te=.if) $(standalone_ifs)
base_pkg := $(builddir)base.pp
base_fc := $(builddir)base.fc


@ -0,0 +1,60 @@
From 044ed83f8ebde938bbc49f6e071a8548ddc8505d Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 8 Jun 2022 16:24:15 +0200
Subject: [PATCH] Update policy for samba-dcerpcd
The initial policy was updated to allow:
- use sssd and systemd nsswitch modules
- read kernel network state
- use dbus
- manage samba log directories
- read winbind runtime files
Resolves: rhbz#2083504
---
policy/modules/contrib/samba.te | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 03b49cba42..99cb452f7b 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1019,6 +1019,7 @@ manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var
manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
+files_pid_filetrans(winbind_t, winbind_rpcd_var_run_t, file, "samba-dcerpcd.pid")
filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
# /run/samba/krb5cc_samba
manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
@@ -1175,9 +1176,12 @@ read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t)
manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)
files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
+
+# access to files of other samba domains
manage_dirs_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
+manage_dirs_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
manage_files_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
@@ -1185,10 +1189,16 @@ manage_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
allow winbind_rpcd_t samba_var_t:file { map } ;
+kernel_read_network_state(winbind_rpcd_t)
+
corecmd_exec_bin(winbind_rpcd_t)
optional_policy(`
- auth_read_passwd_file(winbind_rpcd_t)
+ auth_read_passwd(winbind_rpcd_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(winbind_rpcd_t)
')
# interactions with smbd_t/winbind_t


@ -0,0 +1,37 @@
From 837f63743214363362334e910dcb06d35cd5cb99 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 27 Jun 2022 17:22:40 +0200
Subject: [PATCH] Update samba-dcerpcd policy for kerberos usage 2
These additional permissions were added:
- read kerberos key tables
- read generic SSL certificates
Resolves: rhbz#2096521
---
policy/modules/contrib/samba.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 091e016fd0..4be4401cda 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1208,6 +1208,7 @@ optional_policy(`
')
optional_policy(`
+ kerberos_read_keytab(winbind_rpcd_t)
kerberos_use(winbind_rpcd_t)
')
@@ -1215,6 +1216,10 @@ optional_policy(`
logging_send_syslog_msg(winbind_rpcd_t)
')
+optional_policy(`
+ miscfiles_read_generic_certs(winbind_rpcd_t)
+')
+
optional_policy(`
sssd_read_public_files(winbind_rpcd_t)
sssd_stream_connect(winbind_rpcd_t)


@ -0,0 +1,45 @@
From e6584a21427a408c09781f2c5cf978b0f18db1cc Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 17 Jun 2022 18:34:28 +0200
Subject: [PATCH] Update samba-dcerpcd policy for kerberos usage
Resolves: rhbz#2096825
---
policy/modules/contrib/samba.te | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 99cb452f7b..7087c37e7a 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1179,6 +1179,7 @@ files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
# access to files of other samba domains
manage_dirs_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
+read_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
manage_dirs_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
@@ -1201,6 +1202,22 @@ optional_policy(`
dbus_system_bus_client(winbind_rpcd_t)
')
+optional_policy(`
+ dirsrv_stream_connect(winbind_rpcd_t)
+')
+
+optional_policy(`
+ kerberos_use(winbind_rpcd_t)
+')
+
+optional_policy(`
+ logging_send_syslog_msg(winbind_rpcd_t)
+')
+
+optional_policy(`
+ sysnet_read_config(winbind_rpcd_t)
+')
+
# interactions with smbd_t/winbind_t
allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;


@ -0,0 +1,34 @@
From 5ba29432782295ceaeb0085d0fe9123d7736b0f1 Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Mon, 22 Aug 2022 15:43:13 +0200
Subject: [PATCH] Update tor_bind_all_unreserved_ports interface
When enabled boolean tor_bind_all_unreserved_ports,
allow tor bind UDP sockets to all ports > 1024.
Fix: bz#2089486
---
policy/modules/contrib/tor.te | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 4b0554c374..0dc670b885 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -8,7 +8,7 @@ policy_module(tor, 1.9.0)
## <desc>
## <p>
## Determine whether tor can bind
-## tcp sockets to all unreserved ports.
+## tcp and udp sockets to all unreserved ports.
## </p>
## </desc>
gen_tunable(tor_bind_all_unreserved_ports, false)
@@ -131,6 +131,7 @@ logging_send_syslog_msg(tor_t)
tunable_policy(`tor_bind_all_unreserved_ports',`
corenet_sendrecv_all_server_packets(tor_t)
corenet_tcp_bind_all_unreserved_ports(tor_t)
+ corenet_udp_bind_all_unreserved_ports(tor_t)
')
tunable_policy(`tor_can_network_relay',`


@ -0,0 +1,51 @@
From 37512b85ed2712a57370c9df57db84b96b3d0f9d Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Wed, 13 Jul 2022 18:12:31 +0200
Subject: [PATCH] Update winbind_rpcd_t
Allow smbcontrol send winbind_rpcd_t unix_dgram_socket
Allow winbind_rpcd_t to write winbind_var_run_t sock files
Allow winbind_rpcd_t connect to winbind_t over unix_stream_socket
Allow winbind_rpcd_t to connect to systemd-userdbd with a unix socket
Fix: rhbz#2102084
---
policy/modules/contrib/samba.te | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 4be4401cda..61598b8e39 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -745,6 +745,7 @@ allow smbcontrol_t samba_var_t:file map;
allow smbcontrol_t nmbd_t:unix_dgram_socket sendto;
allow smbcontrol_t smbd_t:unix_dgram_socket sendto;
+allow smbcontrol_t winbind_rpcd_t:unix_dgram_socket sendto;
allow smbcontrol_t winbind_t:unix_dgram_socket sendto;
samba_read_config(smbcontrol_t)
@@ -1175,6 +1176,8 @@ allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;
read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t)
+write_sock_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t)
+
manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)
files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
@@ -1229,9 +1232,14 @@ optional_policy(`
sysnet_read_config(winbind_rpcd_t)
')
+optional_policy(`
+ systemd_userdbd_stream_connect(winbind_rpcd_t)
+')
+
# interactions with smbd_t/winbind_t
allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;
+allow winbind_rpcd_t winbind_t:unix_stream_socket connectto;
samba_domtrans_winbind_rpcd(smbd_t)
samba_domtrans_winbind_rpcd(winbind_t)


@ -0,0 +1,28 @@
From 52645b77fe4aeb47f538538097c99aa47adbe2d7 Mon Sep 17 00:00:00 2001
From: Milos Malik <mmalik@redhat.com>
Date: Wed, 7 Sep 2022 10:53:07 +0200
Subject: [PATCH] pidof executed by abrt can readlink /proc/*/exe
At least one of the ABRT addons calls `pidof abrtd` which leads to
{ sys_ptrace } SELinux denials in cap_userns class.
In order to support the full functionality of ABRT and its addons,
I believe that SELinux policy should allow this access.
Resolves: BZ#2071586
---
policy/modules/contrib/abrt.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index 02a12dfab1..16db11a3c3 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -115,6 +115,7 @@ ifdef(`enable_mcs',`
#
allow abrt_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
+allow abrt_t self:cap_userns sys_ptrace;
dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };
allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
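Review bot: The new `allow abrt_t self:cap_userns sys_ptrace;` line carries no explanation of why a crash-reporting daemon needs a ptrace-class capability inside user namespaces; the rationale in the patch description (pidof reading /proc/*/exe links) belongs next to the rule so the grant is not later widened by analogy, e.g. `# pidof run by ABRT addons reads /proc/*/exe; that readlink is checked as sys_ptrace in cap_userns`. The surrounding block also looks inconsistent: the `allow abrt_t self:capability { ... sys_ptrace }` line just above already grants sys_ptrace, while the `dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace }` line just below lists it again, and a dontaudit on an already-allowed permission is a no-op; that is pre-existing, but worth tidying while this block is being touched. The enclosing abrt_t rule block continues outside the hunk.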


@ -12,7 +12,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 35.5
Release: 17
Release: 22
License: GPLv2+
URL: https://github.com/fedora-selinux/selinux-policy/
@ -193,6 +193,89 @@ Patch6123: backport-Allow-init-remount-all-file_type-filesystems.patch
Patch6124: backport-Allow-xenstored-change-its-hard-resource-limits.patch
Patch6125: backport-Allow-init-map-its-private-tmp-files.patch
Patch6126: backport-Allow-sss-daemons-read-write-unnamed-pipes-of-cloud-.patch
Patch6127: backport-Allow-kpropd-read-network-sysctls.patch
Patch6128: backport-Allow-cups-lpd-read-network-sysctls.patch
Patch6129: backport-Allow-keepalived-read-the-contents-of-the-sysfs-filesystem.patch
Patch6130: backport-Allow-cups-lpd-read-network-sysctls-1.patch
Patch6131: backport-Allow-systemd_hostnamed-label-run-systemd-as-hostnamed_etc_t.patch
Patch6132: backport-Allow-networkmanager-to-signal-unconfined-process.patch
Patch6133: backport-Allow-systemd-modules-load-write-to-dev-kmsg-and-send-a-message-to-syslogd.patch
Patch6134: backport-Allow-postfix-smtp-and-postfix-virtual-read-kerberos-key-table.patch
Patch6135: backport-Allow-system_dbusd-ioctl-kernel-with-a-unix-stream-sockets.patch
Patch6136: backport-Allow-chronyc-read-and-write-generic-pty-type.patch
Patch6137: backport-Allow-gpg-read-and-write-generic-pty-type.patch
Patch6138: backport-Add-userdom_view_all_users_keys-interface.patch
Patch6139: backport-Add-gpg_filetrans_admin_home_content-interface.patch
Patch6140: backport-Allow-unconfined-and-sysadm-users-transition-for-root-.gnupg.patch
Patch6141: backport-Update-tor_bind_all_unreserved_ports-interface.patch
Patch6142: backport-Allow-chronyd-send-and-receive-chronyd-ntp-client-packets.patch
Patch6143: backport-Allow-systemd-permissions-needed-for-sandboxed-services.patch
Patch6144: backport-Allow-tor-get-filesystem-attributes.patch
Patch6145: backport-pidof-executed-by-abrt-can-readlink-proc-exe.patch
Patch6146: backport-Allow-system_mail-t-read-network-sysctls.patch
Patch6147: backport-Stop-ignoring-standalone-interface-files.patch
Patch6148: backport-Allow-sbd-the-sys_ptrace-capability.patch
Patch6149: backport-Allow-login_userdomain-dbus-chat-with-rhsmcertd.patch
Patch6150: backport-Allow-pulseaudio-create-gnome-content-.config.patch
Patch6151: backport-Allow-ftpd-map-ftpd_var_run-files.patch
Patch6152: backport-Allow-vlock-search-the-contents-of-the-dev-pts-directory.patch
Patch6153: backport-Allow-aide-to-connect-to-systemd_machined-with-a-unix-socket.patch
Patch6154: backport-Allow-rotatelogs-read-httpd_log_t-symlinks.patch
Patch6155: backport-Allow-dirsrv_snmp_t-to-manage-dirsrv_config_t-dirsrv_var_run_t-files.patch
Patch6156: backport-Allow-fprintd-bpf-capability-to-run-bpf-programs.patch
Patch6157: backport-Allow-keepalived-bpf-capability-to-run-bpf-programs.patch
Patch6158: backport-Allow-lldpad-bpf-capability-to-run-bpf-programs.patch
Patch6159: backport-Allow-pkcs_slotd_t-bpf-capability-to-run-bpf-program.patch
Patch6160: backport-Allow-netutils-and-traceroute-bpf-capability-to-run-.patch
Patch6161: backport-Allow-dhcpd-bpf-capability-to-run-bpf-programs.patch
Patch6162: backport-Add-watch-interfaces.patch
Patch6163: backport-Add-watch_sb-interfaces.patch
Patch6164: backport-Add-interface-to-watch-all-filesystems.patch
Patch6165: backport-Allow-sssd-dbus-chat-with-system-cronjobs.patch
Patch6166: backport-Allow-systemd-hostnamed-dbus-chat-with-init-scripts.patch
Patch6167: backport-Add-domain_unix_read_all_semaphores-interface.patch
Patch6168: backport-Allow-rpc.gssd-read-network-sysctls.patch
Patch6169: backport-Allow-syslogd-read-network-sysctls.patch
Patch6170: backport-Allow-systemd-timedated-watch-init-runtime-dir.patch
Patch6171: backport-Allow-journalctl-relabel-with-var_log_t-and-syslogd_.patch
Patch6172: backport-Allow-systemd-resolved-watch-tmpfs-directories.patch
Patch6173: backport-Allow-tlp-read-generic-SSL-certificates.patch
Patch6174: backport-Allow-apcupsd-dbus-chat-with-systemd-logind.patch
Patch6175: backport-Allow-systemd-rfkill-the-bpf-capability.patch
Patch6176: backport-Allow-systemd-userdbd-the-sys_resource-capability.patch
Patch6177: backport-Allow-systemd-resolved-send-a-datagram-to-journald.patch
Patch6178: backport-Allow-system_cronjob_t-transition-to-rpm_script_t.patch
Patch6179: backport-Allow-systemd-coredump-mounton-usr.patch
Patch6180: backport-Add-journalctl-the-sys_resource-capability.patch
Patch6181: backport-Allow-logrotate-dbus-chat-with-systemd-hostnamed.patch
Patch6182: backport-Add-support-for-samba-dcerpcd.patch
Patch6183: backport-Update-policy-for-samba-dcerpcd.patch
Patch6184: backport-Update-samba-dcerpcd-policy-for-kerberos-usage.patch
Patch6185: backport-Allow-winbind_rpcd_t-connect-to-self-over-a-unix_str.patch
Patch6186: backport-Allow-samba-dcerpcd-work-with-sssd.patch
Patch6187: backport-Update-samba-dcerpcd-policy-for-kerberos-usage-2.patch
Patch6188: backport-Update-winbind_rpcd_t.patch
Patch6189: backport-Allow-samba-bgqd-get-a-printer-list.patch
Patch6190: backport-Allow-winbind-rpcd-write-to-winbind-pid-files.patch
Patch6191: backport-Allow-samba-bgqd-to-read-a-printer-list.patch
Patch6192: backport-Allow-smbd_t-process-noatsecure-permission-for-winbi.patch
Patch6193: backport-Allow-winbind-rpcd-read-and-write-its-key-ring.patch
Patch6194: backport-Allow-samba-dcerpcd-use-NSCD-services-over-a-unix-st.patch
Patch6195: backport-Add-winbind-rpcd-to-samba_enable_home_dirs-boolean.patch
Patch6196: backport-Allow-winbind-rpcd-use-the-terminal-multiplexor.patch
Patch6197: backport-Allow-winbind-rpcd-get-attributes-of-device-and-pty-.patch
Patch6198: backport-Allow-winbind-rpcd-manage-samba_share_t-files-and-di.patch
Patch6199: backport-Allow-winbind-rpcd-make-a-TCP-connection-to-the-ldap.patch
Patch6200: backport-Allow-samba-rpcd-work-with-passwords.patch
Patch6201: backport-Allow-samba-dcerpcd-connect-to-systemd_machined-over.patch
Patch6202: backport-Allow-rpcd_lsad-setcap-and-use-generic-ptys.patch
Patch6203: backport-Allow-keepalived-to-set-resource-limits.patch
Patch6204: backport-Add-the-kernel_read_proc_files-interface.patch
Patch6205: backport-Allow-pcscd-bpf-capability-to-run-bpf-programs.patch
Patch6206: backport-Allow-logwatch_mail_t-read-network-sysctls.patch
Patch6207: backport-Allow-exim-read-network-sysctls.patch
Patch6208: backport-Allow-kernel-to-manage-its-own-BPF-objects.patch
Patch6209: backport-Fix-users-for-SELinux-userspace-3.4.patch
Patch9000: add-qemu_exec_t-for-stratovirt.patch
Patch9001: fix-context-of-usr-bin-rpmdb.patch
@ -200,6 +283,7 @@ Patch9002: Add-permission-open-to-files_read_inherited_tmp_file.patch
Patch9003: allow-httpd-to-put-files-in-httpd-config-dir.patch
Patch9004: allow-map-postfix_master_t.patch
Patch9005: add-rule-for-hostnamed-to-rpmscript-dbus-chat.patch
Patch9006: allow-init_t-create-fifo-file-in-net_conf-dir.patch
BuildArch: noarch
BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
@ -868,6 +952,21 @@ exit 0
%endif
%changelog
* Mon Mar 25 2024 gengqihu <gengqihu2@h-partners.com> - 35.5-22
- fix semodule_package fail
* Thu Aug 24 2023 wangqingsan <wangqingsan@huawei.com> - 35.5-21
- backport upstream patches
* Fri Jul 28 2023 huangzq6 <huangzhenqiang2@huawei.com> - 35.5-20
- backport some selinux-policy upstream patches
* Fri Jun 30 2023 zcfsite <zhchf2010@126.com> - 35.5-19
- backport upstream patches
* Thu Jun 08 2023 jinlun <jinlun@huawei.com> - 35.5-18
- allow init_t create fifo file in net_conf dir.
* Thu Mar 23 2023 wangjiang <wangjiang37@h-partners.com> - 35.5-17
- backport patch Allow virt_domain read device sysctls
Allow icecast rename its log files
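Review bot: The new changelog entry for 35.5-22, `- fix semodule_package fail`, records only the symptom, not what was changed or why; the other entries in this hunk at least name the kind of change, so this one should say which files were touched and what check failed, e.g. `- fix semodule_package failure by adding missing roles to the policy users files` if that is indeed what this release changes. Separately, the patch list in the earlier hunk adds `Patch6209: backport-Fix-users-for-SELinux-userspace-3.4.patch`, which by its name touches the same users declarations that this compare also edits directly; if both the patch and the direct edits modify the same file, %prep may fail to apply or end up declaring a user twice, so it is worth confirming they do not overlap.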


@ -36,3 +36,4 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
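Review bot: Which of the four shown lines are new cannot be told from the rendered page (the +/- markers are lost), but the resulting declarations authorize both root and unconfined_u for system_r, the role the policy assigns to system daemons, and neither line says why a login user needs it; the same applies to the two following users-file hunks (the one whose root line lists secadm_r auditadm_r system_r and the one ending with xguest_u). A short comment above the affected gen_user lines would make the trust decision explicit, e.g. `# system_r is required here: the user must be authorized for the role used in its default/system contexts or the policy build fails` — hedged, since the exact check that rejected the old declarations is not visible here and should be confirmed against the build error. The guest_u and xguest_u additions with a single level `s0, s0` are narrower and look fine.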


@ -36,3 +36,5 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# not in the sysadm_r.
#
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(guest_u, user, guest_r, s0, s0)
gen_user(xguest_u, user, xguest_r, s0, s0)


@ -36,3 +36,6 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(guest_u, user, guest_r, s0, s0)
gen_user(xguest_u, user, xguest_r, s0, s0)