mirror of
git://git.yoctoproject.org/meta-selinux
synced 2026-01-01 13:58:04 +00:00
refpolicy: update to latest git rev
* Update policy for systemd-v256
c20cf2214 systemd: allow systemd-hostnamed to read vsock device
4f3437040 systemd: fix policy for systemd-ssh-generator
d852b7540 devices: add label vsock_device_t for /dev/vsock
a4a7b830f systemd: add policy for systemd-nsresourced
47081be47 systemd: allow system --user to create netlink_route_socket
78cacc708 systemd: allow systemd-networkd to manage sock files under
/run/systemd/netif
29d0bb8c3 systemd: set context to systemd_networkd_var_lib_t for
/var/lib/systemd/network
22fd3ddad Allow interactive user terminal output for the NetLabel
management tool.
c1284c601 bluetooth: Move line.
50a5555f2 Adding SE Policy rules to allow usage of unix stream sockets
by dbus and bluetooth contexts when Gatt notifications are
turned on by remote.
2b8fa2b4a kubernetes: allow kubelet to connect all TCP ports
9ab94df30 container: allow reading generic certs
7530dfa3c testing: add container_kvm_t to net admin exempt list
47eced9be Makefile: drop duplicate quotes
b0b0d52dd various: rules required for DV manipulation in kubevirt
21e4a44c0 container: add container_kvm_t and supporting kubevirt rules
a9bd177bb iptables: allow reading container engine tmp files
af0b40824 container: allow spc various rules for kubevirt
d585f08c2 container, kubernetes: add supporting rules for kubevirt and
multus
9f37f86b2 dbus: dontaudit session bus domains the netadmin capability
d9ca32f5a container: allow super privileged containers to manage BPF
dirs
1900fbe68 kubernetes: allow kubelet to create unlabeled dirs
b9c8ba607 haproxy: allow interactive usage
846804c58 podman: allow managing init runtime units
8787b3d8d iptables: allow reading usr files
* Drop obsolete patches:
0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
0039-policy-modules-system-authlogin-fix-login-errors-aft.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
This commit is contained in:
Yi Zhao
Joe MacDonald
parent
3482e0e650
commit
f8ccc77076
|
|
@ -1,34 +0,0 @@
|
|||
From 8cbc09769a08cf3f5dcb611d471e5da298bde67c Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Wed, 1 Jul 2020 08:44:07 +0800
|
||||
Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create
|
||||
directory with label rpcbind_runtime_t
|
||||
|
||||
Fixes:
|
||||
avc: denied { create } for pid=136 comm="rpcbind" name="rpcbind"
|
||||
scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/services/rpcbind.te | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
|
||||
index 137c21ece..2a712192b 100644
|
||||
--- a/policy/modules/services/rpcbind.te
|
||||
+++ b/policy/modules/services/rpcbind.te
|
||||
@@ -25,7 +25,7 @@ files_type(rpcbind_var_lib_t)
|
||||
# Local policy
|
||||
#
|
||||
|
||||
-allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
|
||||
+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config chown };
|
||||
# net_admin is for SO_SNDBUFFORCE
|
||||
dontaudit rpcbind_t self:capability net_admin;
|
||||
allow rpcbind_t self:fifo_file rw_fifo_file_perms;
|
||||
--
|
||||
2.25.1
|
||||
|
||||
|
|
@ -1,104 +0,0 @@
|
|||
From b5dae809f2b46b82b75abcb562974212b370aa39 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Fri, 8 Dec 2023 14:16:26 +0800
|
||||
Subject: [PATCH] policy/modules/system/authlogin: fix login errors after
|
||||
enabling systemd DynamicUser
|
||||
|
||||
Allow domains using PAM to read /etc/shadow to fix login errors after
|
||||
enabling systemd DynamicUser.
|
||||
|
||||
Fixes:
|
||||
avc: denied { read } for pid=434 comm="login" name="shadow"
|
||||
dev="sda2" ino=26314
|
||||
scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
|
||||
|
||||
avc: denied { open } for pid=434 comm="login" path="/etc/shadow"
|
||||
dev="sda2" ino=26314
|
||||
scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
|
||||
|
||||
avc: denied { getattr } for pid=434 comm="login" path="/etc/shadow"
|
||||
dev="sda2" ino=26314
|
||||
scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
|
||||
|
||||
avc: denied { read } for pid=457 comm="sshd" name="shadow" dev="sda2"
|
||||
ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
|
||||
|
||||
avc: denied { open } for pid=457 comm="sshd" path="/etc/shadow"
|
||||
dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
|
||||
|
||||
avc: denied { getattr } for pid=457 comm="sshd" path="/etc/shadow"
|
||||
dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/admin/su.if | 4 ++--
|
||||
policy/modules/system/authlogin.te | 2 +-
|
||||
policy/modules/system/selinuxutil.te | 2 ++
|
||||
3 files changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
|
||||
index dce1a0ea9..c55cdfc09 100644
|
||||
--- a/policy/modules/admin/su.if
|
||||
+++ b/policy/modules/admin/su.if
|
||||
@@ -76,7 +76,7 @@ template(`su_restricted_domain_template', `
|
||||
selinux_compute_access_vector($1_su_t)
|
||||
|
||||
auth_domtrans_chk_passwd($1_su_t)
|
||||
- auth_dontaudit_read_shadow($1_su_t)
|
||||
+ auth_read_shadow($1_su_t)
|
||||
auth_use_nsswitch($1_su_t)
|
||||
auth_create_faillog_files($1_su_t)
|
||||
auth_rw_faillog($1_su_t)
|
||||
@@ -183,7 +183,7 @@ template(`su_role_template',`
|
||||
selinux_use_status_page($1_su_t)
|
||||
|
||||
auth_domtrans_chk_passwd($1_su_t)
|
||||
- auth_dontaudit_read_shadow($1_su_t)
|
||||
+ auth_read_shadow($1_su_t)
|
||||
auth_use_nsswitch($1_su_t)
|
||||
auth_create_faillog_files($1_su_t)
|
||||
auth_rw_faillog($1_su_t)
|
||||
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
|
||||
index 5d675bc15..2ca79e95d 100644
|
||||
--- a/policy/modules/system/authlogin.te
|
||||
+++ b/policy/modules/system/authlogin.te
|
||||
@@ -10,7 +10,7 @@ policy_module(authlogin)
|
||||
## Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM.
|
||||
## </p>
|
||||
## </desc>
|
||||
-gen_tunable(authlogin_pam, true)
|
||||
+gen_tunable(authlogin_pam, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
|
||||
index ebc1abc10..c6b2ec47a 100644
|
||||
--- a/policy/modules/system/selinuxutil.te
|
||||
+++ b/policy/modules/system/selinuxutil.te
|
||||
@@ -251,6 +251,7 @@ allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_re
|
||||
read_files_pattern(newrole_t, default_context_t, default_context_t)
|
||||
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
|
||||
|
||||
+kernel_getattr_proc(newrole_t)
|
||||
kernel_read_system_state(newrole_t)
|
||||
kernel_read_kernel_sysctls(newrole_t)
|
||||
kernel_dontaudit_getattr_proc(newrole_t)
|
||||
@@ -295,6 +296,7 @@ auth_run_chk_passwd(newrole_t, newrole_roles)
|
||||
auth_run_upd_passwd(newrole_t, newrole_roles)
|
||||
auth_rw_faillog(newrole_t)
|
||||
auth_search_faillog(newrole_t)
|
||||
+auth_read_shadow(newrole_t)
|
||||
|
||||
# Write to utmp.
|
||||
init_rw_utmp(newrole_t)
|
||||
--
|
||||
2.25.1
|
||||
|
||||
|
|
@ -0,0 +1,106 @@
|
|||
From be681d155c6c62a2ec4939dedc921921fe73e277 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Fri, 30 Aug 2024 12:39:48 +0800
|
||||
Subject: [PATCH] Allow services to read tmpfs under /run/credentials/
|
||||
|
||||
$ mount | grep credentials
|
||||
tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
|
||||
tmpfs on /run/credentials/systemd-udev-load-credentials.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
|
||||
tmpfs on /run/credentials/systemd-tmpfiles-setup-dev-early.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
|
||||
tmpfs on /run/credentials/systemd-sysctl.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
|
||||
tmpfs on /run/credentials/systemd-tmpfiles-setup-dev.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
|
||||
tmpfs on /run/credentials/systemd-vconsole-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
|
||||
tmpfs on /run/credentials/systemd-tmpfiles-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
|
||||
tmpfs on /run/credentials/systemd-resolved.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
|
||||
tmpfs on /run/credentials/systemd-networkd.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
|
||||
tmpfs on /run/credentials/getty@tty1.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
|
||||
|
||||
Fixes:
|
||||
avc: denied { search } for pid=106 comm="systemd-journal" name="/"
|
||||
dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t:s15:c0.c1023
|
||||
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
|
||||
|
||||
avc: denied { read } for pid=114 comm="udevadm" name="/" dev="tmpfs"
|
||||
ino=1 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
|
||||
|
||||
avc: denied { open } for pid=114 comm="udevadm"
|
||||
path="/run/credentials/systemd-udev-load-credentials.service"
|
||||
dev="tmpfs" ino=1 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
|
||||
|
||||
avc: denied { read } for pid=353 comm="agetty" name="/" dev="tmpfs"
|
||||
ino=1 scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
|
||||
|
||||
avc: denied { open } for pid=353 comm="agetty"
|
||||
path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1
|
||||
scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
|
||||
|
||||
avc: denied { getattr } for pid=353 comm="agetty"
|
||||
path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1
|
||||
scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
|
||||
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
|
||||
|
||||
Upstream-Status: Pending
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
policy/modules/system/getty.te | 1 +
|
||||
policy/modules/system/logging.te | 1 +
|
||||
policy/modules/system/systemd.te | 1 +
|
||||
policy/modules/system/udev.te | 1 +
|
||||
4 files changed, 4 insertions(+)
|
||||
|
||||
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
|
||||
index a900226bf..75b94785b 100644
|
||||
--- a/policy/modules/system/getty.te
|
||||
+++ b/policy/modules/system/getty.te
|
||||
@@ -75,6 +75,7 @@ fs_getattr_cgroup(getty_t)
|
||||
fs_search_cgroup_dirs(getty_t)
|
||||
# for error condition handling
|
||||
fs_getattr_xattr_fs(getty_t)
|
||||
+fs_list_tmpfs(getty_t)
|
||||
|
||||
mcs_process_set_categories(getty_t)
|
||||
|
||||
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
|
||||
index fc73825fa..d5878876b 100644
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -495,6 +495,7 @@ files_read_kernel_symbol_table(syslogd_t)
|
||||
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
|
||||
|
||||
fs_getattr_all_fs(syslogd_t)
|
||||
+fs_list_tmpfs(syslogd_t)
|
||||
fs_search_auto_mountpoints(syslogd_t)
|
||||
|
||||
mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
|
||||
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
||||
index 22a319c36..0440b4795 100644
|
||||
--- a/policy/modules/system/systemd.te
|
||||
+++ b/policy/modules/system/systemd.te
|
||||
@@ -1303,6 +1303,7 @@ files_watch_root_dirs(systemd_networkd_t)
|
||||
files_list_runtime(systemd_networkd_t)
|
||||
|
||||
fs_getattr_all_fs(systemd_networkd_t)
|
||||
+fs_list_tmpfs(systemd_networkd_t)
|
||||
fs_search_cgroup_dirs(systemd_networkd_t)
|
||||
fs_read_nsfs_files(systemd_networkd_t)
|
||||
fs_watch_memory_pressure(systemd_networkd_t)
|
||||
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
|
||||
index b2e43aa7d..f543a48d2 100644
|
||||
--- a/policy/modules/system/udev.te
|
||||
+++ b/policy/modules/system/udev.te
|
||||
@@ -142,6 +142,7 @@ files_dontaudit_getattr_tmp_dirs(udev_t)
|
||||
|
||||
fs_getattr_all_fs(udev_t)
|
||||
fs_list_inotifyfs(udev_t)
|
||||
+fs_list_tmpfs(udev_t)
|
||||
fs_read_cgroup_files(udev_t)
|
||||
fs_rw_anon_inodefs_files(udev_t)
|
||||
fs_search_tracefs(udev_t)
|
||||
--
|
||||
2.25.1
|
||||
|
||||
|
|
@ -48,13 +48,11 @@ SRC_URI += " \
|
|||
file://0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
|
||||
file://0031-policy-modules-system-logging-fix-auditd-startup-fai.patch \
|
||||
file://0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
|
||||
file://0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
|
||||
file://0034-policy-modules-system-systemd-enable-support-for-sys.patch \
|
||||
file://0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch \
|
||||
file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \
|
||||
file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \
|
||||
file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \
|
||||
file://0039-policy-modules-system-authlogin-fix-login-errors-aft.patch \
|
||||
file://0040-policy-modules-system-logging-grant-getpcap-capabili.patch \
|
||||
file://0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
|
||||
file://0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
|
||||
|
|
@ -72,6 +70,7 @@ SRC_URI += " \
|
|||
file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
|
||||
file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
|
||||
file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \
|
||||
file://0057-Allow-services-to-read-tmpfs-under-run-credentials.patch \
|
||||
"
|
||||
|
||||
S = "${WORKDIR}/refpolicy"
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@ PV = "2.20240226+git"
|
|||
|
||||
SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy"
|
||||
|
||||
SRCREV_refpolicy ?= "71f4bd1992e05bcd79dc5234f8a30deeb141aa3d"
|
||||
SRCREV_refpolicy ?= "351a5a7f4dc959769aaa8fe47c6e77f94fe5b657"
|
||||
|
||||
UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user