From 37ede3a5fec01e97e481101b2b8664666c4923c7 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Thu, 6 Jun 2024 14:14:33 +0800 Subject: [PATCH] refpolicy: update to latest git rev * 2102055d4 devices: Change dev_rw_uhid() to use a policy pattern * 1cbe455a5 device: Move dev_rw_uhid definition * 7a33b4bc8 Sepolicy changes for bluez to access uhid * c6dd4087d selinuxutil: make policykit optional * 10feb47e5 newrole: allow newrole to search faillock runtime directory * bf34d3e5e sysnetwork: fixes for dhcpcd * 4663e613f Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets * 27602a932 various: various fixes * 63d50bbaa container, crio, kubernetes: minor fixes * 11e729e27 container, podman: various fixes * ef5954a0e systemd: allow systemd-sysctl to search tmpfs * 472e0442e container: allow containers to getcap * 7876e5151 container: allow system container engines to mmap runtime files * d917092a8 matrixd: add tunable for binding to all unreserved ports * 3dba91dd4 bootloader: allow systemd-boot to manage EFI binaries * ddf395d5d asterisk: allow binding to all unreserved UDP ports * 3bad3696b postgres: add a standalone execmem tunable * ef28f7879 userdom: allow users to read user home dir symlinks * 03711caea dovecot: allow dovecot-auth to read SASL keytab * cd781e783 fail2ban: allow reading net sysctls * ddc6ac493 init: allow systemd to use sshd pidfds * b9c457d80 files context for merged-usr profile on gentoo * 5040dd3b6 Need map perm for cockpit 300.4 * 2ef9838db tests.yml: Add sechecker testing * c62bd5c6c cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type * 1c694125b certbot: Drop execmem * 349411d55 xen: Drop xend/xm stack * 2a261f916 Allow systemd to pass down sig mask * 2577feb83 cups: Remove PTAL * 5b02b44e5 xen: Revoke kernel module loading permissions * 1c20c002c minissdpd: Revoke kernel module loading permissions * 5671390e2 docker: Fix dockerc typo in container_engine_executable_file * e1bc4830d cron: Use raw entrypoint rule for system_cronjob_t * 0f71792c8 uml: Remove excessive access from user domains on uml_exec_t * 511223e2d Set the type on /etc/machine-info to net_conf_t so hostnamectl can manipulate it (CRUD) * 72fc1b2a3 fix: minor correction in MCS_CATS range comment * cbf56c8ae systemd: allow notify client to stat socket Signed-off-by: Yi Zhao Signed-off-by: Joe MacDonald --- ...c-init-fix-update-alternatives-for-sysvinit.patch | 9 +++++---- ...dules-system-authlogin-fix-login-errors-aft.patch | 12 ++++++------ recipes-security/refpolicy/refpolicy_git.inc | 2 +- 3 files changed, 12 insertions(+), 11 deletions(-) diff --git a/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch b/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch index 73a0d8a..01b7cca 100644 --- a/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch +++ b/recipes-security/refpolicy/refpolicy/0014-fc-init-fix-update-alternatives-for-sysvinit.patch @@ -1,4 +1,4 @@ -From 8eefd8242e8b08fee6886d6bba12c4af202890d0 Mon Sep 17 00:00:00 2001 +From a733674bb530f070ce5363c0b50848d3cb4e113b Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Thu, 22 Aug 2013 13:37:23 +0800 Subject: [PATCH] fc/init: fix update-alternatives for sysvinit @@ -15,16 +15,17 @@ Signed-off-by: Yi Zhao 3 files changed, 4 insertions(+) diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc -index 89d682d36..354f4d1d9 100644 +index 2e47783c2..e359539be 100644 --- a/policy/modules/admin/shutdown.fc +++ b/policy/modules/admin/shutdown.fc -@@ -7,5 +7,6 @@ +@@ -7,6 +7,7 @@ /usr/sbin/halt -- gen_context(system_u:object_r:shutdown_exec_t,s0) /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) +/usr/sbin/shutdown\.sysvinit -- gen_context(system_u:object_r:shutdown_exec_t,s0) /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0) + diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 7d2efef0a..9a5711a83 100644 --- a/policy/modules/kernel/corecommands.fc @@ -39,7 +40,7 @@ index 7d2efef0a..9a5711a83 100644 /usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index 07b12de2e..d99767ce8 100644 +index 75c75e7d1..962f18099 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc @@ -49,6 +49,7 @@ ifdef(`distro_gentoo',` diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch index ab5b967..060b01b 100644 --- a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch +++ b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch @@ -1,4 +1,4 @@ -From b81fc26631ad56608eed244c3a07f6f9b0c7e8c7 Mon Sep 17 00:00:00 2001 +From b5dae809f2b46b82b75abcb562974212b370aa39 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 8 Dec 2023 14:16:26 +0800 Subject: [PATCH] policy/modules/system/authlogin: fix login errors after @@ -67,7 +67,7 @@ index dce1a0ea9..c55cdfc09 100644 auth_create_faillog_files($1_su_t) auth_rw_faillog($1_su_t) diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 3a5d1ac3e..f9d50a8d4 100644 +index 5d675bc15..2ca79e95d 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -10,7 +10,7 @@ policy_module(authlogin) @@ -80,10 +80,10 @@ index 3a5d1ac3e..f9d50a8d4 100644 ## ##

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 3eedf82c3..875f0a02f 100644 +index ebc1abc10..c6b2ec47a 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te -@@ -247,6 +247,7 @@ allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_re +@@ -251,6 +251,7 @@ allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_re read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) @@ -91,10 +91,10 @@ index 3eedf82c3..875f0a02f 100644 kernel_read_system_state(newrole_t) kernel_read_kernel_sysctls(newrole_t) kernel_dontaudit_getattr_proc(newrole_t) -@@ -290,6 +291,7 @@ auth_use_nsswitch(newrole_t) - auth_run_chk_passwd(newrole_t, newrole_roles) +@@ -295,6 +296,7 @@ auth_run_chk_passwd(newrole_t, newrole_roles) auth_run_upd_passwd(newrole_t, newrole_roles) auth_rw_faillog(newrole_t) + auth_search_faillog(newrole_t) +auth_read_shadow(newrole_t) # Write to utmp. diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc index 322c277..ee69664 100644 --- a/recipes-security/refpolicy/refpolicy_git.inc +++ b/recipes-security/refpolicy/refpolicy_git.inc @@ -2,7 +2,7 @@ PV = "2.20240226+git" SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy" -SRCREV_refpolicy ?= "6507eebc238b4495b1e0d3baa2bc0bb737f9819a" +SRCREV_refpolicy ?= "c920fc5d9e626874b9af8693e5aa697200f76a12" UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P\d+_\d+)"