openEuler:Mainline
selinux-policy
We truncated the diff of some files because they were too big.
Changes of Revision 3
_service:tar_scm:selinux-policy.spec
Changed
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 38.6 -Release: 4 +Release: 5 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ @@ -64,6 +64,11 @@ Patch9: add-avc-for-systemd-journald.patch Patch10: add-avc-for-systemd.patch Patch11: Allow-login_pgm-setcap-permission.patch +Patch12: Additional-support-for-rpmdb_migrate.patch +Patch13: Add-initial-policy-for-the-usr-sbin-request-key-help.patch +Patch14: Allow-nm-dispatcher-plugins-read-generic-files-in-pr.patch +Patch15: Add-journalctl-the-sys_resource-capability.patch +Patch16: Allow-certmonger-read-the-contents-of-the-sysfs-file.patch Patch9000: add-qemu_exec_t-for-stratovirt.patch Patch9001: fix-context-of-usr-bin-rpmdb.patch @@ -743,6 +748,9 @@ %endif %changelog +* Wed May 31 2023 luhuaxin<luhuaxin1@huawei.com> - 38.6-5 +- backport some upstream patches + * Wed Mar 29 2023 luhuaxin<luhuaxin1@huawei.com> - 38.6-4 - allow login_pgm setcap permission
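Review bot: the changelog entry in the third hunk ("backport some upstream patches") does not say which patches or upstream commits were backported; list the five patch names (Patch12 through Patch16) or their upstream commit ids so the history stays traceable. Also, only the Patch12 to Patch16 declarations are visible in the second hunk; confirm that %prep actually applies them (via %autosetup/%autopatch or explicit %patch lines), since nothing in this diff shows that.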
_service:tar_scm:Add-initial-policy-for-the-usr-sbin-request-key-help.patch
Added
@@ -0,0 +1,227 @@ +From 3a1ae904dba54474a56815ba7fbf3238fcfe5a46 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek <omosnace@redhat.com> +Date: Mon, 30 Jan 2023 14:46:50 +0100 +Subject: PATCH 2/5 Add initial policy for the /usr/sbin/request-key helper + +The kernel is hard-coded to call /sbin/request-key to handle requests +for instantiating keys that are not found in the existing keyrings. + +Thus, we need to add a domain for this helper and set up a transition +into that domain from kernel_t. + +request-key dispatches the key requests to further helper programs based +on the configuration in /etc/request-key.d/*.conf and +/etc/request-key.conf. Currently, the only known used dispatcher is +/usr/sbin/nfsidmap, which is set up by the nfs-utils package to handle +requests for the 'id_resolver' key type. This patch adds the minimal +policy for this helper that is needed for an NFS mount to succeed. + +Policy for other request-key helper programs may need to be added in the +future. An optional mechanism to allow any possible configuration (e.g. +by setting up a transition over any file to unconfined_service_t) may be +also desired. For now let's at least make the one known use case work. 
+ +Fixes: 1e8688ea6943 ("Don't make kernel_t an unconfined domain") +Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> +--- + policy/modules.conf | 7 +++++ + policy/modules/contrib/keyutils.fc | 1 + + policy/modules/contrib/keyutils.if | 43 ++++++++++++++++++++++++++++++ + policy/modules/contrib/keyutils.te | 11 ++++++++ + policy/modules/contrib/rpc.fc | 1 + + policy/modules/contrib/rpc.te | 32 ++++++++++++++++++++++ + policy/modules/kernel/kernel.if | 19 +++++++++++++ + policy/modules/kernel/kernel.te | 4 +++ + 8 files changed, 118 insertions(+) + create mode 100644 policy/modules/contrib/keyutils.fc + create mode 100644 policy/modules/contrib/keyutils.if + create mode 100644 policy/modules/contrib/keyutils.te + +diff --git a/policy/modules.conf b/policy/modules.conf +index 5e0678668..6f63c8cb6 100644 +--- a/policy/modules.conf ++++ b/policy/modules.conf +@@ -3078,3 +3078,10 @@ rhcd = module + # wireguard + # + wireguard = module ++ ++# Layer: contrib ++# Module: keyutils ++# ++# keyutils - Linux Key Management Utilities ++# ++keyutils = module +diff --git a/policy/modules/contrib/keyutils.fc b/policy/modules/contrib/keyutils.fc +new file mode 100644 +index 000000000..78c5f159f +--- /dev/null ++++ b/policy/modules/contrib/keyutils.fc +@@ -0,0 +1 @@ ++/usr/sbin/request-key -- gen_context(system_u:object_r:keyutils_request_exec_t,s0) +diff --git a/policy/modules/contrib/keyutils.if b/policy/modules/contrib/keyutils.if +new file mode 100644 +index 000000000..06daab988 +--- /dev/null ++++ b/policy/modules/contrib/keyutils.if +@@ -0,0 +1,43 @@ ++## <summary>Linux Key Management Utilities</summary> ++ ++####################################### ++## <summary> ++## Execute request-key in the keyutils request domain. ++## </summary> ++## <param name="domain"> ++## <summary> ++## Domain allowed access. 
++## </summary> ++## </param> ++# ++interface(`keyutils_request_domtrans',` ++ gen_require(` ++ type keyutils_request_t, keyutils_request_exec_t; ++ ') ++ ++ domtrans_pattern($1, keyutils_request_exec_t, keyutils_request_t) ++') ++ ++######################################## ++## <summary> ++## Allows to perform key instantiation callout ++## by transitioning to the specified domain. ++## </summary> ++## <param name="domain"> ++## <summary> ++## The process type entered by request-key. ++## </summary> ++## </param> ++## <param name="entrypoint"> ++## <summary> ++## The executable type for the entrypoint. ++## </summary> ++## </param> ++# ++interface(`keyutils_request_domtrans_to',` ++ gen_require(` ++ type keyutils_request_t; ++ ') ++ ++ domtrans_pattern(keyutils_request_t, $2, $1) ++') +diff --git a/policy/modules/contrib/keyutils.te b/policy/modules/contrib/keyutils.te +new file mode 100644 +index 000000000..2ea1d5e38 +--- /dev/null ++++ b/policy/modules/contrib/keyutils.te +@@ -0,0 +1,11 @@ ++policy_module(keyutils, 1.0) ++ ++type keyutils_request_exec_t; ++files_type(keyutils_request_exec_t) ++ ++type keyutils_request_t; ++domain_type(keyutils_request_t) ++domain_entry_file(keyutils_request_t, keyutils_request_exec_t) ++ ++kernel_view_key(keyutils_request_t) ++kernel_read_key(keyutils_request_t) +diff --git a/policy/modules/contrib/rpc.fc b/policy/modules/contrib/rpc.fc +index 3825ef707..06a6c009c 100644 +--- a/policy/modules/contrib/rpc.fc ++++ b/policy/modules/contrib/rpc.fc +@@ -32,6 +32,7 @@ + /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0) + /usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0) + /usr/sbin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0) ++/usr/sbin/nfsidmap -- gen_context(system_u:object_r:nfsidmap_exec_t,s0) + + # + # /var +diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te +index f94cfa5d2..c83492a56 100644 +--- a/policy/modules/contrib/rpc.te ++++ 
b/policy/modules/contrib/rpc.te +@@ -434,3 +434,35 @@ optional_policy(` + optional_policy(` + xserver_rw_xdm_tmp_files(gssd_t) + ') ++ ++######################################## ++# ++# nfsidmap policy ++# ++ ++type nfsidmap_exec_t; ++files_type(nfsidmap_exec_t) ++ ++type nfsidmap_t; ++domain_type(nfsidmap_t) ++domain_entry_file(nfsidmap_t, nfsidmap_exec_t) ++ ++allow nfsidmap_t self:key write; ++allow nfsidmap_t self:netlink_route_socket r_netlink_socket_perms; ++ ++kernel_setattr_key(nfsidmap_t) ++ ++sysnet_read_config(nfsidmap_t) ++ ++optional_policy(` ++ auth_read_passwd_file(nfsidmap_t) ++') ++ ++optional_policy(` ++ logging_send_syslog_msg(nfsidmap_t) ++') ++ ++optional_policy(` ++ # /etc/request-key.d/id_resolver.conf ++ keyutils_request_domtrans_to(nfsidmap_t, nfsidmap_exec_t) ++') +diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if +index 166586f66..adb71ed3a 100644 +--- a/policy/modules/kernel/kernel.if ++++ b/policy/modules/kernel/kernel.if +@@ -579,6 +579,25 @@ interface(`kernel_dontaudit_view_key',` + + dontaudit $1 kernel_t:key view; + ') ++ ++######################################## ++## <summary> ++## Allow to set attributes on the kernel key ring. ++## </summary> ++## <param name="domain"> ++## <summary> ++## Domain allowed access. ++## </summary> ++## </param> ++# ++interface(`kernel_setattr_key',`
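Review bot: in the keyutils.te hunk, keyutils_request_t is given only kernel_view_key and kernel_read_key, yet the commit message says request-key chooses its helper from /etc/request-key.conf and /etc/request-key.d/*.conf; no rule allowing the domain to read those files appears here, so either confirm that the base domain rules cover it or add a files_read_etc_files(keyutils_request_t) call. The keyutils_request_domtrans_to interface also deserves a sentence in its keyutils.if summary noting that every caller extends what the kernel-initiated request-key path may execute; with the unconfined_service_t option from the message deliberately left out, that set is currently just nfsidmap_t.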
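Review bot: the kernel.if hunk is cut off right after `interface(`kernel_setattr_key',`` and the kernel.te change (4 lines per the diffstat, presumably the kernel_t to keyutils_request_t transition described in the message) is not shown at all, so this view cannot confirm the body of kernel_setattr_key or the transition rule; review the full patch before merging, because the transition out of kernel_t is the part that moves the trust boundary.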
_service:tar_scm:Add-journalctl-the-sys_resource-capability.patch
Added
@@ -0,0 +1,35 @@ +From 4cb741896c440c80ea18a22ff60d4c36c5b0f95b Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela <zpytela@redhat.com> +Date: Fri, 3 Feb 2023 17:20:51 +0100 +Subject: PATCH 4/5 Add journalctl the sys_resource capability + +The journalctl command runs in the journalctl_t domain when executed by +a confined user (user, staff, sysadm). When is invoked with pager, +prctl() is called to change the process name. + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(02/02/2023 12:55:12.623:1405) : proctitle=(pager) +type=SYSCALL msg=audit(02/02/2023 12:55:12.623:1405) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x8 a2=0x7fd1a3f52000 a3=0x0 items=0 ppid=25495 pid=25516 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=39 comm=(pager) exe=/usr/bin/journalctl subj=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(02/02/2023 12:55:12.623:1405) : avc: denied { sys_resource } for pid=25516 comm=(pager) capability=sys_resource scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=capability permissive=1 + +Resolves: rhbz#2136189 +--- + policy/modules/contrib/journalctl.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/journalctl.te b/policy/modules/contrib/journalctl.te +index 5b4329c80..b22b6a713 100644 +--- a/policy/modules/contrib/journalctl.te ++++ b/policy/modules/contrib/journalctl.te +@@ -18,6 +18,7 @@ role journalctl_roles types journalctl_t; + # + # journalctl local policy + # ++allow journalctl_t self:capability sys_resource; + allow journalctl_t self:process { fork setrlimit signal_perms }; + + allow journalctl_t self:fifo_file manage_fifo_file_perms; +-- +2.33.0 +
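Review bot: the allow rule in the hunk grants journalctl_t the whole sys_resource capability to satisfy a prctl(PR_SET_MM) call whose only purpose is renaming the pager process title (the AVC shows comm=(pager) and was recorded with permissive=1); if the pager works when that prctl fails, a `dontaudit journalctl_t self:capability sys_resource;` would silence the denial without also letting journalctl override resource limits. If the allow is kept, add a blank line between the `# journalctl local policy` comment block and the new rule to match the surrounding layout.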
_service:tar_scm:Additional-support-for-rpmdb_migrate.patch
Added
@@ -0,0 +1,64 @@ +From 47fe7d4c98809fcda9dfc8f1fab24cb6f765332c Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela <zpytela@redhat.com> +Date: Tue, 31 Jan 2023 19:12:39 +0100 +Subject: PATCH 1/5 Additional support for rpmdb_migrate + +Since the 3a99b00da4 ("Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t") +commit, selinux-policy supports the rpmdb-migrate.service which is +executed after the first boot to a newer Fedora release to migrate the +rpm database from /var/lib/rpm to /usr/lib/sysimage/rpm. +Additional permissions started to be required recently. + +Resolves: rhbz#2164752 +--- + policy/modules/contrib/rpm.te | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te +index 247f1fa7a..cf5539abb 100644 +--- a/policy/modules/contrib/rpm.te ++++ b/policy/modules/contrib/rpm.te +@@ -260,26 +260,33 @@ optional_policy(` + # rpmdb local policy + # + +-allow rpmdb_t rpm_var_lib_t:file map; +-allow rpmdb_t rpmdb_tmp_t:file map; ++can_exec(rpmdb_t, rpm_exec_t) + + manage_dirs_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t) + manage_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t) +-files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir) +-files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir) ++read_lnk_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t) ++allow rpmdb_t rpm_var_lib_t:file map; + + manage_dirs_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t) + manage_files_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t) + files_tmp_filetrans(rpmdb_t, rpmdb_tmp_t, { file dir }) ++allow rpmdb_t rpmdb_tmp_t:file map; + +-term_use_all_inherited_terms(rpmdb_t) +- +-auth_dontaudit_read_passwd(rpmdb_t) ++corecmd_exec_bin(rpmdb_t) ++corecmd_exec_shell(rpmdb_t) + + files_rw_inherited_non_security_files(rpmdb_t) ++files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir) ++files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir) + + sysnet_dontaudit_read_config(rpmdb_t) + ++term_use_all_inherited_terms(rpmdb_t) 
++ ++optional_policy(` ++ auth_dontaudit_read_passwd(rpmdb_t) ++') ++ + optional_policy(` + miscfiles_read_generic_certs(rpmdb_t) + ') +-- +2.33.0 +
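Review bot: the hunk adds can_exec(rpmdb_t, rpm_exec_t), corecmd_exec_bin and corecmd_exec_shell, which let rpmdb_t run rpm, any generic binary and a shell, but the commit message only says "Additional permissions started to be required recently" without the AVC denials or the rpmdb_migrate script change that needs them; include the denials (as the other patches in this set do) so the widened domain can be justified. The reordering of term_use_all_inherited_terms and the move of auth_dontaudit_read_passwd into optional_policy are fine.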
_service:tar_scm:Allow-certmonger-read-the-contents-of-the-sysfs-file.patch
Added
@@ -0,0 +1,31 @@ +From 6651eeac26984ceb7416cb4639891bd59e30c4de Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela <zpytela@redhat.com> +Date: Tue, 7 Feb 2023 11:04:09 +0100 +Subject: PATCH 5/5 Allow certmonger read the contents of the sysfs + filesystem + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(02/07/2023 04:22:50.618:3929) : proctitle=/usr/bin/python3 -I /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit +type=PATH msg=audit(02/07/2023 04:22:50.618:3929) : item=0 name=/sys/devices/system/cpu/possible inode=42 dev=00:15 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(02/07/2023 04:22:50.618:3929) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f9dcfbc79d8 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=25147 pid=25176 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dogtag-ipa-ca-r exe=/usr/bin/python3.11 subj=system_u:system_r:certmonger_t:s0 key=(null) +type=AVC msg=audit(02/07/2023 04:22:50.618:3929) : avc: denied { open } for pid=25176 comm=dogtag-ipa-ca-r path=/sys/devices/system/cpu/possible dev="sysfs" ino=42 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 +--- + policy/modules/contrib/certmonger.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te +index e721254ae..c72f05b44 100644 +--- a/policy/modules/contrib/certmonger.te ++++ b/policy/modules/contrib/certmonger.te +@@ -82,6 +82,7 @@ corecmd_exec_shell(certmonger_t) + + dev_read_rand(certmonger_t) + dev_read_urand(certmonger_t) ++dev_read_sysfs(certmonger_t) + + domain_use_interactive_fds(certmonger_t) + +-- +2.33.0 +
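Review bot: dev_read_sysfs(certmonger_t) in the hunk allows reading all of sysfs, while the denial it addresses is the Python 3 interpreter opening /sys/devices/system/cpu/possible (typically CPU-count detection) on behalf of the dogtag-ipa-ca-renew-agent-submit helper; this is the usual interface granularity and acceptable, but note in the commit message that the access originates in the interpreter rather than certmonger itself so nobody later tries to narrow it in the wrong place.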
_service:tar_scm:Allow-nm-dispatcher-plugins-read-generic-files-in-pr.patch
Added
@@ -0,0 +1,35 @@ +From 908adc1066c5df1e7d3b3a08f336a218b57c1dc2 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela <zpytela@redhat.com> +Date: Fri, 3 Feb 2023 18:15:19 +0100 +Subject: PATCH 3/5 Allow nm-dispatcher plugins read generic files in /proc + +It turns out the systemctl command needs to read /proc/cpuinfo at +the aarch64 architecture, so the permission was allowed for the +networkmanager_dispatcher_plugin attribute. + +The commit addresses the following AVC denial: +type=PROCTITLE msg=audit(26.1.2023 15:30:09.970:47) : proctitle=/bin/systemctl --no-block reload iscsi.service +type=SYSCALL msg=audit(26.1.2023 15:30:09.970:47) : arch=aarch64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0xffff9b8f5170 a2=O_RDONLY a3=0x0 items=0 ppid=1186 pid=1188 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/usr/bin/systemctl subj=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 key=(null) +type=AVC msg=audit(26.1.2023 15:30:09.970:47) : avc: denied { open } for pid=1188 comm=systemctl path=/proc/cpuinfo dev="proc" ino=4026531987 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1 +type=AVC msg=audit(26.1.2023 15:30:09.970:47) : avc: denied { read } for pid=1188 comm=systemctl name=cpuinfo dev="proc" ino=4026531987 scontext=system_u:system_r:NetworkManager_dispatcher_iscsid_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1 + +Resolves: rhbz#2164845 +--- + policy/modules/contrib/networkmanager.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te +index 0e3218929..ef77fdb32 100644 +--- a/policy/modules/contrib/networkmanager.te ++++ b/policy/modules/contrib/networkmanager.te +@@ -584,6 +584,7 @@ manage_files_pattern(NetworkManager_dispatcher_console_t, NetworkManager_dispatc + + 
read_files_pattern(NetworkManager_dispatcher_dnssec_t, NetworkManager_etc_t, NetworkManager_etc_rw_t) + ++kernel_read_proc_files(networkmanager_dispatcher_plugin) + kernel_request_load_module(NetworkManager_dispatcher_ddclient_t) + + auth_read_passwd(networkmanager_dispatcher_plugin) +-- +2.33.0 +
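Review bot: kernel_read_proc_files(networkmanager_dispatcher_plugin) in the hunk grants read access to generic proc_t files to every dispatcher plugin domain, while the denial only shows NetworkManager_dispatcher_iscsid_t running systemctl on aarch64; the commit message implies the attribute-wide grant because systemctl is common to the plugins, which is reasonable, but say so explicitly and confirm that no plugin domain was intentionally kept without proc access.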