From cbdfb9612d391d3aefcab99d08386bf8072e83a4 Mon Sep 17 00:00:00 2001
From: Clayton Casciato
Date: Wed, 30 Apr 2025 11:22:04 -0600
Subject: [PATCH] refpolicy: oddjob - allow oddjob_mkhomedir_t privfd:fd use

Signed-off-by: Clayton Casciato
Signed-off-by: Yi Zhao
---
 ...ervices-oddjob-allow-oddjob_mkhomedi.patch | 62 +++++++++++++++++++
 .../refpolicy/refpolicy_common.inc | 1 +
 2 files changed, 63 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy/0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch

diff --git a/recipes-security/refpolicy/refpolicy/0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch b/recipes-security/refpolicy/refpolicy/0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch
new file mode 100644
index 0000000..bb25790
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch
@@ -0,0 +1,62 @@
+From a80bd03836c75b0a9b4d0d342a0000ef20c5cd2d Mon Sep 17 00:00:00 2001
+From: Clayton Casciato
+Date: Wed, 9 Apr 2025 17:34:10 -0600
+Subject: [PATCH] oddjob: allow oddjob_mkhomedir_t privfd:fd use
+
+type=PROCTITLE proctitle=mkhomedir_helper user123 0077
+
+type=EXECVE argc=3 a0=mkhomedir_helper a1=user123 a2=0077
+
+type=SYSCALL arch=armeb syscall=execve per=PER_LINUX success=yes exit=0
+a0=0x5b79d8 a1=0x5a64d0 a2=0x5b0f10 a3=0x0 items=0 ppid=429 pid=1369
+auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
+sgid=root fsgid=root tty=ttyAMA0 ses=unset comm=mkhomedir_helpe
+exe=/usr/sbin/mkhomedir_helper
+subj=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
+key=(null)
+
+type=AVC avc: denied { use } for pid=1369 comm=mkhomedir_helpe
+path=/dev/ttyAMA0 dev="devtmpfs" ino=2
+scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
+tcontext=system_u:system_r:getty_t:s0 tclass=fd
+
+--
+
+Ref:
+https://github.com/SELinuxProject/refpolicy/blob/RELEASE_2_20250213/policy/modules/system/getty.te#L12
+
+https://danwalsh.livejournal.com/77728.html
+https://github.com/SELinuxProject/selinux-notebook/blob/20240430/src/type_statements.md#typeattribute
+
+--
+
+Fedora:
+$ sesearch -A --source oddjob_mkhomedir_t --target getty_t --class fd
+allow application_domain_type privfd:fd use;
+allow domain domain:fd use; [ domain_fd_use ]:True
+
+$ getsebool domain_fd_use
+domain_fd_use --> on
+
+Signed-off-by: Clayton Casciato
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/a3a6b17045412be07f63581f6e10310175e82ddf]
+
+Signed-off-by: Clayton Casciato
+---
+ policy/modules/services/oddjob.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
+index 6ea785851..299077739 100644
+--- a/policy/modules/services/oddjob.te
++++ b/policy/modules/services/oddjob.te
+@@ -79,6 +79,8 @@ kernel_read_system_state(oddjob_mkhomedir_t)
+ 
+ auth_use_nsswitch(oddjob_mkhomedir_t)
+ 
++domain_use_interactive_fds(oddjob_mkhomedir_t)
++
+ logging_send_syslog_msg(oddjob_mkhomedir_t)
+ 
+ miscfiles_read_localization(oddjob_mkhomedir_t)
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 7b6822d..2eadeb7 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -81,6 +81,7 @@ SRC_URI += " \
 file://0063-policy-modules-system-locallogin-dontaudit-sulogin_t.patch \
 file://0064-policy-modules-system-locallogin-allow-sulogin_t-unc.patch \
 file://0065-policy-modules-system-locallogin-allow-sulogin_t-use.patch \
+ file://0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch \
 "
 
 S = "${WORKDIR}/refpolicy"
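Review bot: The new `domain_use_interactive_fds(oddjob_mkhomedir_t)` line in oddjob.te carries no comment saying why an allow rather than a dontaudit was chosen or how far it reaches; the rest of the oddjob_mkhomedir_t rules are outside the hunk. Judging by the subject line and the Fedora `allow application_domain_type privfd:fd use;` quoted in the description, the interface grants `fd use` on descriptors inherited from every domain with the `privfd` attribute, not only the getty_t tty in the audited denial. If the helper merely needs to stop logging AVC noise when it is spawned from a console login (presumably the case here, given tty=ttyAMA0 and the unconfined_r caller in the audit record), `domain_dontaudit_use_interactive_fds(oddjob_mkhomedir_t)` would be the narrower rule; if it genuinely needs to write diagnostics to the inherited tty, that should be stated. A one-line comment above the call, such as `# inherits the login tty from privfd domains (e.g. getty_t) when run from a PAM session`, would keep that reasoning next to the rule.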