CaROS/meta-selinux
3
0
Fork 0
mirror of git://git.yoctoproject.org/meta-selinux synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

refpolicy: unconfined - fix oddjob security_compute_sid

Browse Source 
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
This commit is contained in:
Clayton Casciato 2025-04-03 17:11:37 -06:00 committed by Yi Zhao
parent 1f9893f585
commit 1e27a745f3
2 changed files with 59 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
recipes-security/refpolicy/refpolicy/0059-policy-modules-system-unconfined-fix-oddjob-security.patch Normal file
View File

@ -0,0 +1,58 @@
From ccdb93b7566c4e2492da20ec7a0c19691206703f Mon Sep 17 00:00:00 2001
From: Clayton Casciato <ccasciato@21sw.us>
Date: Mon, 3 Mar 2025 10:40:41 -0700
Subject: [PATCH] unconfined: fix oddjob security_compute_sid
type=PROCTITLE proctitle=mkhomedir_helper user123 0077
type=SYSCALL syscall=socket per=PER_LINUX success=yes exit=3 a0=local
a1=SOCK_STREAM a2=ip a3=0xbee9d8a8 items=0 ppid=404 pid=1386 auid=unset
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=ttyAMA0 ses=unset comm=mkhomedir_helpe
exe=/usr/sbin/mkhomedir_helper
subj=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
key=(null)
type=SELINUX_ERR op=security_compute_sid
invalid_context=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
tclass=unix_stream_socket
--
Similar problem and resolution:
https://github.com/SELinuxProject/refpolicy/pull/171
--
Fedora:
https://github.com/fedora-selinux/selinux-policy/blob/v41.33/policy/modules/roles/unconfineduser.te#L365
--
Reference:
https://github.com/SELinuxProject/selinux-notebook/blob/main/src/auditing.md#general-selinux-audit-events
Signed-off-by: Clayton Casciato <ccasciato@21sw.us>
Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/bcb8e1d4dbff48477a9a8a7d215e32370c6e779b]
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
---
policy/modules/system/unconfined.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index d54fe2fd4..a2f898551 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -157,7 +157,7 @@ optional_policy(`
')
optional_policy(`
- oddjob_domtrans_mkhomedir(unconfined_t)
+ oddjob_run_mkhomedir(unconfined_t, unconfined_r)
')
optional_policy(`

1
recipes-security/refpolicy/refpolicy_common.inc
View File

@ -74,6 +74,7 @@ SRC_URI += " \
file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \
file://0057-policy-modules-system-authlogin-chkpwd_t-dac_read_se.patch \
file://0058-policy-modules-services-chronyd-allow_dac_read_searc.patch \
file://0059-policy-modules-system-unconfined-fix-oddjob-security.patch \
"
S = "${WORKDIR}/refpolicy"