From 1100f0e48debbcaa07091afbd350883ef60c0ce6 Mon Sep 17 00:00:00 2001
From: Clayton Casciato
Date: Wed, 22 Oct 2025 09:26:18 -0600
Subject: [PATCH] refpolicy: dbus - allow system_dbusd_t unconfined_t:fd use

Signed-off-by: Clayton Casciato
Signed-off-by: Yi Zhao
---
 ...ervices-dbus-allow-system_dbusd_t-un.patch | 59 +++++++++++++++++++
 .../refpolicy/refpolicy_common.inc | 1 +
 2 files changed, 60 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy/0064-policy-modules-services-dbus-allow-system_dbusd_t-un.patch

diff --git a/recipes-security/refpolicy/refpolicy/0064-policy-modules-services-dbus-allow-system_dbusd_t-un.patch b/recipes-security/refpolicy/refpolicy/0064-policy-modules-services-dbus-allow-system_dbusd_t-un.patch
new file mode 100644
index 0000000..6279c0c
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0064-policy-modules-services-dbus-allow-system_dbusd_t-un.patch
@@ -0,0 +1,59 @@
+From bd85d4340b7af107749d65f673df781978214c3a Mon Sep 17 00:00:00 2001
+From: Clayton Casciato
+Date: Tue, 8 Jul 2025 16:58:05 -0600
+Subject: [PATCH] dbus: allow system_dbusd_t unconfined_t:fd use
+
+"sudo su -"
+
+--
+
+type=PROCTITLE proctitle=/usr/bin/dbus-daemon --system
+--address=systemd: --nofork --nopidfile --systemd-activation
+--syslog-only
+
+type=SYSCALL arch=armeb syscall=recvmsg per=PER_LINUX success=yes
+exit=312 a0=0x12 a1=0xbef207c8 a2=MSG_CMSG_CLOEXEC a3=0x1 items=0
+ppid=1 pid=184 auid=unset uid=messagebus gid=messagebus euid=messagebus
+suid=messagebus fsuid=messagebus egid=messagebus sgid=messagebus
+fsgid=messagebus tty=(none) ses=unset comm=dbus-daemon
+exe=/usr/bin/dbus-daemon subj=system_u:system_r:system_dbusd_t:s0
+key=(null)
+
+type=AVC avc: denied { use } for pid=184 comm=dbus-daemon
+path=anon_inode:[pidfd] dev="pidfs" ino=303
+scontext=system_u:system_r:system_dbusd_t:s0
+tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=fd
+
+--
+
+Fedora:
+
+$ sesearch -A --source system_dbusd_t --target unconfined_t --class fd --perm use
+allow domain domain:fd use; [ domain_fd_use ]:True
+allow domain unconfined_t:fd use;
+allow systemprocess initrc_transition_domain:fd use;
+
+$ getsebool domain_fd_use
+domain_fd_use --> on
+
+Signed-off-by: Clayton Casciato
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/c0848ca7b7469436ae1ec3190c808ea5a92e6bc6]
+
+Signed-off-by: Clayton Casciato
+---
+ policy/modules/services/dbus.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
+index 4e2e32ec0..1420ede29 100644
+--- a/policy/modules/services/dbus.te
++++ b/policy/modules/services/dbus.te
+@@ -285,6 +285,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	unconfined_dbus_send(system_dbusd_t)
++	unconfined_use_fds(system_dbusd_t)
+ ')
+ 
+ optional_policy(`
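Review bot: The embedded patch description reproduces the AVC and Fedora's equivalent rule but never states why dbus-daemon is holding a pidfd owned by unconfined_t, which is what a policy maintainer needs to judge whether this allow is a one-off or required for every client domain; presumably dbus-daemon obtains the connecting peer's pidfd (SO_PEERPIDFD/SCM_PIDFD) for credential lookups, so a sentence such as `dbus-daemon fetches the connecting client's pidfd for credential checks, hence fd:use on descriptors originating in the client's domain` before the `Fedora:` section would make the justification explicit — confirm against the dbus version in the build. The `fd` class has only the single `use` permission, so `unconfined_use_fds(system_dbusd_t)` is already the narrowest rule available, and placing it in the existing `optional_policy` block beside `unconfined_dbus_send` keeps it conditional on the unconfined module being loaded, which is right. The description also carries two identical `Signed-off-by: Clayton Casciato` trailers, one before and one after `Upstream-Status:`; drop the first so the trailer block is not duplicated. The `optional_policy` block touched by the inner hunk closes inside it, but the enclosing `dbus.te` module continues outside the hunk.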
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 8782dbe..9d729df 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -79,6 +79,7 @@ SRC_URI += " \
     file://0061-policy-modules-services-chronyd-allow-chronyd_t-kern.patch \
     file://0062-policy-modules-services-ssh-allow-sshd_t-kernel_t-sy.patch \
     file://0063-policy-modules-services-ssh-allow-sshd_t-userdomain-.patch \
+    file://0064-policy-modules-services-dbus-allow-system_dbusd_t-un.patch \
 "
 S = "${WORKDIR}/refpolicy"