packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-policy/backport-Fix-users-for-SELinux-userspace-3.4.patch
gengqihu f71b64cacf fix build error
2024-03-25 19:42:27 +08:00

147 lines
5.1 KiB
Diff
Raw Permalink Blame History

From e1e216b25df1bdb4eb7dbb8f73f32927ad6f3d1f Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 14 Apr 2022 12:07:40 +0200
Subject: [PATCH] Fix users for SELinux userspace 3.4
Latest yet to be released userspace version 3.4 added new validation and
discovered several issues in current implementation. This patch tries to
address them:
- move guest and xguest module from contrib to roles - refpolicy did
this change long time ago
- roles guest_r and xguest_r need to be defined in kernel.te
- gen_user() is supposed to be in policy/users, not in modules
- drop role multiple definitions from userdom_base_user_template as it's
and is supposed to be defined in kernel.te
---
policy/modules/kernel/kernel.te | 3 +++
policy/modules/{contrib => roles}/guest.fc | 0
policy/modules/{contrib => roles}/guest.if | 0
policy/modules/{contrib => roles}/guest.te | 4 ++--
policy/modules/roles/unconfineduser.te | 3 +--
policy/modules/{contrib => roles}/xguest.fc | 0
policy/modules/{contrib => roles}/xguest.if | 0
policy/modules/{contrib => roles}/xguest.te | 4 ++--
policy/modules/system/userdomain.if | 3 +--
9 files changed, 9 insertions(+), 8 deletions(-)
rename policy/modules/{contrib => roles}/guest.fc (100%)
rename policy/modules/{contrib => roles}/guest.if (100%)
rename policy/modules/{contrib => roles}/guest.te (82%)
rename policy/modules/{contrib => roles}/xguest.fc (100%)
rename policy/modules/{contrib => roles}/xguest.if (100%)
rename policy/modules/{contrib => roles}/xguest.te (98%)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index acbb2f74e6..73696bcb0a 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -39,6 +39,9 @@ role user_r;
# here until order dependence is fixed:
role unconfined_r;
+role guest_r;
+role xguest_r;
+
ifdef(`enable_mls',`
role secadm_r;
role auditadm_r;
diff --git a/policy/modules/contrib/guest.fc b/policy/modules/roles/guest.fc
similarity index 100%
rename from policy/modules/contrib/guest.fc
rename to policy/modules/roles/guest.fc
diff --git a/policy/modules/contrib/guest.if b/policy/modules/roles/guest.if
similarity index 100%
rename from policy/modules/contrib/guest.if
rename to policy/modules/roles/guest.if
diff --git a/policy/modules/contrib/guest.te b/policy/modules/roles/guest.te
similarity index 82%
rename from policy/modules/contrib/guest.te
rename to policy/modules/roles/guest.te
index 0605776333..2e9505d1cc 100644
--- a/policy/modules/contrib/guest.te
+++ b/policy/modules/roles/guest.te
@@ -5,7 +5,7 @@ policy_module(guest, 1.3.0)
# Declarations
#
-role guest_r;
+# role guest_r;
userdom_restricted_user_template(guest)
@@ -20,4 +20,4 @@ optional_policy(`
apache_role(guest_r, guest_t)
')
-gen_user(guest_u, user, guest_r, s0, s0)
+# gen_user(guest_u, user, guest_r, s0, s0)
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index 55bca1e31e..5596e6f0ee 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -399,5 +399,4 @@ optional_policy(`
xserver_xsession_entry_type(unconfined_t)
')
-gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-
+# gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/policy/modules/contrib/xguest.fc b/policy/modules/roles/xguest.fc
similarity index 100%
rename from policy/modules/contrib/xguest.fc
rename to policy/modules/roles/xguest.fc
diff --git a/policy/modules/contrib/xguest.if b/policy/modules/roles/xguest.if
similarity index 100%
rename from policy/modules/contrib/xguest.if
rename to policy/modules/roles/xguest.if
diff --git a/policy/modules/contrib/xguest.te b/policy/modules/roles/xguest.te
similarity index 98%
rename from policy/modules/contrib/xguest.te
rename to policy/modules/roles/xguest.te
index 8d3ef540a7..e19bf40fc5 100644
--- a/policy/modules/contrib/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -26,7 +26,7 @@ gen_tunable(xguest_connect_network, true)
## </desc>
gen_tunable(xguest_use_bluetooth, true)
-role xguest_r;
+# role xguest_r;
userdom_restricted_xwindows_user_template(xguest)
sysnet_dns_name_resolve(xguest_t)
@@ -203,4 +203,4 @@ optional_policy(`
role xguest_r types mozilla_t;
')
-gen_user(xguest_u, user, xguest_r, s0, s0)
+# gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b16984dd82..d5be647e85 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -27,6 +27,7 @@ template(`userdom_base_user_template',`
attribute userdomain;
type user_devpts_t, user_tty_device_t;
class context contains;
+ role $1_r;
')
attribute $1_file_type;
@@ -34,12 +35,10 @@ template(`userdom_base_user_template',`
type $1_t, userdomain, $1_usertype;
domain_type($1_t)
- role $1_r;
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
domain_user_exemption_target($1_t)
ubac_constrained($1_t)
- role $1_r;
role $1_r types $1_t;
allow system_r $1_r;
Reference in New Issue View Git Blame Copy Permalink