From 4aebbafb868782e4a8e23da250a3935d60e86d68 Mon Sep 17 00:00:00 2001
From: Clayton Casciato
Date: Mon, 13 Oct 2025 09:27:57 -0600
Subject: [PATCH] refpolicy: oddjob - allow oddjob_mkhomedir_t user_terminals

Signed-off-by: Clayton Casciato
Signed-off-by: Yi Zhao
---
 ...ervices-oddjob-allow-oddjob_mkhomedi.patch | 54 +++++++++++++++++++
 .../refpolicy/refpolicy_common.inc | 1 +
 2 files changed, 55 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy/0069-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch

diff --git a/recipes-security/refpolicy/refpolicy/0069-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch b/recipes-security/refpolicy/refpolicy/0069-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch
new file mode 100644
index 0000000..4f74ea8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0069-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch
@@ -0,0 +1,54 @@
+From d382b824f4976935ccd81ef68d547cb30289a068 Mon Sep 17 00:00:00 2001
+From: Clayton Casciato
+Date: Wed, 16 Apr 2025 16:45:56 -0600
+Subject: [PATCH] oddjob: allow oddjob_mkhomedir_t user_terminals
+
+type=EXECVE argc=3 a0=mkhomedir_helper a1=user123 a2=0077
+
+type=SYSCALL arch=armeb syscall=execve per=PER_LINUX success=yes exit=0
+a0=0x5685f8 a1=0x577518 a2=0x572f10 a3=0x0 items=0 ppid=427 pid=1367
+auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
+sgid=root fsgid=root tty=ttyAMA0 ses=unset comm=mkhomedir_helpe
+exe=/usr/sbin/mkhomedir_helper
+subj=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
+key=(null)
+
+type=AVC avc: denied { append } for pid=1367 comm=mkhomedir_helpe
+path=/dev/ttyAMA0 dev="devtmpfs" ino=2
+scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
+tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file
+
+type=AVC avc: denied { read write } for pid=1367 comm=mkhomedir_helpe
+path=/dev/ttyAMA0 dev="devtmpfs" ino=2
+scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
+tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file
+
+--
+
+https://github.com/SELinuxProject/refpolicy/blob/RELEASE_2_20250213/policy/modules/system/userdomain.if#L4340
+https://github.com/SELinuxProject/refpolicy/blob/RELEASE_2_20250213/policy/support/obj_perm_sets.spt#L272
+
+--
+
+Fedora:
+https://github.com/fedora-selinux/selinux-policy/commit/c03dfdc29340d93008b9ff2edc6d6b55b1f2d2a0
+
+Signed-off-by: Clayton Casciato
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/e9a7c96ba0bca21d455bcc80cbe96caaebf32a33]
+
+Signed-off-by: Clayton Casciato
+---
+ policy/modules/services/oddjob.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
+index 299077739..814d48460 100644
+--- a/policy/modules/services/oddjob.te
++++ b/policy/modules/services/oddjob.te
+@@ -100,4 +100,5 @@ userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
+ userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+ userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
+ userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
++userdom_use_inherited_user_terminals(oddjob_mkhomedir_t)
+ userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index d1a6214..e768e22 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -84,6 +84,7 @@ SRC_URI += " \
 file://0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch \
 file://0067-fixdep-dbus.patch \
 file://0068-fix-building-when-dbus-module-is-not-enabled.patch \
+ file://0069-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch \
 "
 
 S = "${WORKDIR}/refpolicy"
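Review bot: The new file name `0069-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch` differs from the `0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch` already listed in the SRC_URI context only by its sequence number, because both subjects are truncated at the same point, so the recipe no longer tells a reader which of the two oddjob patches grants what; a distinguishing name such as `0069-policy-modules-services-oddjob-allow-oddjob_mkhomedir_t-user_terminals.patch` (constructed example) would fix that here and in the refpolicy_common.inc hunk. The policy change itself is the single line `userdom_use_inherited_user_terminals(oddjob_mkhomedir_t)`, which by its name covers only terminals the helper already holds as inherited open descriptors, and that matches the quoted denials (append and read/write on an already-open /dev/ttyAMA0, with no open denial); the commit message would be stronger if it stated that this narrower interface was chosen over `userdom_use_user_terminals` so the helper still cannot open user ttys on its own. The nested message also carries the same `Signed-off-by: Clayton Casciato` trailer twice, once before and once after Upstream-Status; one copy is enough.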