diff --git a/recipes-security/refpolicy/refpolicy/0067-fixdep-dbus.patch b/recipes-security/refpolicy/refpolicy/0067-fixdep-dbus.patch
new file mode 100644
index 0000000..9f5958a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0067-fixdep-dbus.patch
@@ -0,0 +1,45 @@
+From 684b47eddf512402db552601c33e2d0ad4eef578 Mon Sep 17 00:00:00 2001
+From: Nicolas PARLANT
+Date: Fri, 17 Jan 2025 15:51:48 +0100
+Subject: [PATCH] fixdep dbus
+
+auth_use_pam_systemd requires dbus :
+
+> /var/lib/selinux/targeted/tmp/modules/400/authlogin/cil:133 =
+> (typeattributeset cil_gen_require dbusd_system_bus_client)
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/refpolicy/commit/684b47eddf512402db552601c33e2d0ad4eef578]
+
+Signed-off-by: Nicolas PARLANT
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/authlogin.te | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index a75a669b9..d9d1a1428 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -142,7 +142,6 @@ term_dontaudit_use_all_ptys(chkpwd_t)
+
+ auth_read_shadow_history(chkpwd_t)
+ auth_use_nsswitch(chkpwd_t)
+-auth_use_pam_systemd(chkpwd_t)
+
+ logging_send_audit_msgs(chkpwd_t)
+ logging_send_syslog_msg(chkpwd_t)
+@@ -160,6 +159,10 @@ ifdef(`distro_ubuntu',`
+ ')
+ ')
+
++ifdef(`init_systemd',`
++ auth_use_pam_systemd(chkpwd_t)
++')
++
+ optional_policy(`
+ # apache leaks file descriptors
+ apache_dontaudit_rw_tcp_sockets(chkpwd_t)
+--
+2.34.1
+
diff --git a/recipes-security/refpolicy/refpolicy/0068-fix-building-when-dbus-module-is-not-enabled.patch b/recipes-security/refpolicy/refpolicy/0068-fix-building-when-dbus-module-is-not-enabled.patch
new file mode 100644
index 0000000..8709932
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0068-fix-building-when-dbus-module-is-not-enabled.patch
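Review bot: In 0067-fixdep-dbus.patch the new guard around `auth_use_pam_systemd(chkpwd_t)` tests `init_systemd`, while the patch description gives the failing requirement as a dbus attribute (`dbusd_system_bus_client`). If this layer can build a systemd policy with the dbus module excluded, the require would presumably still fail; the interface body is not shown here, so that needs checking against the policy source. The change does drop the pam_systemd access from chkpwd_t on non-systemd images, and a comment above the block would record why it is conditional: `# auth_use_pam_systemd() requires dbus types; grant it only on systemd builds`.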
@@ -0,0 +1,42 @@
+From 1d62379321c19e89268ac7854a8ff8dce280ed07 Mon Sep 17 00:00:00 2001
+From: Dave Sugar
+Date: Thu, 15 May 2025 10:05:24 -0400
+Subject: [PATCH] fix building when dbus module is not enabled
+
+Upstream-Status: Backport
+[https://github.com/SELinuxProject/refpolicy/commit/1d62379321c19e89268ac7854a8ff8dce280ed07]
+
+Signed-off-by: Dave Sugar
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/selinuxutil.te | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index 86a6e5503..cd0e8762f 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -99,7 +99,8 @@ role run_init_roles types run_init_t;
+
+ type selinux_dbus_t;
+ type selinux_dbus_exec_t;
+-dbus_system_domain(selinux_dbus_t, selinux_dbus_exec_t)
++domain_type(selinux_dbus_t)
++domain_entry_file(selinux_dbus_t, selinux_dbus_exec_t)
+
+ type semanage_t;
+ type semanage_exec_t;
+@@ -504,6 +505,10 @@ miscfiles_read_localization(selinux_dbus_t)
+
+ seutil_domtrans_semanage(selinux_dbus_t)
+
++optional_policy(`
++ dbus_system_domain(selinux_dbus_t, selinux_dbus_exec_t)
++')
++
+ optional_policy(`
+ policykit_dbus_chat(selinux_dbus_t)
+ ')
+--
+2.34.1
+
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 5cb44a8..d1a6214 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -82,6 +82,8 @@ SRC_URI += " \
 file://0064-policy-modules-system-locallogin-allow-sulogin_t-unc.patch \
 file://0065-policy-modules-system-locallogin-allow-sulogin_t-use.patch \
 file://0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch \
+ file://0067-fixdep-dbus.patch \
+ file://0068-fix-building-when-dbus-module-is-not-enabled.patch \
 "
 
 S = "${WORKDIR}/refpolicy"
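Review bot: In 0068-fix-building-when-dbus-module-is-not-enabled.patch only `dbus_system_domain(...)` moves into `optional_policy`; the `selinux_dbus_t` rules visible in the second inner hunk (`miscfiles_read_localization`, `seutil_domtrans_semanage`) stay unconditional. A policy built without the dbus module therefore still declares the domain and its entry point, and keeps its transition to semanage. That is probably inert if nothing can start the domain without the bus, but it should be confirmed against the rest of selinuxutil.te, which lies outside the hunk. A comment at the declaration would explain the split: `# declared unconditionally so the policy builds without the dbus module; bus integration is added in optional_policy below`.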