diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch deleted file mode 100644 index 073068e..0000000 --- a/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 8cbc09769a08cf3f5dcb611d471e5da298bde67c Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Wed, 1 Jul 2020 08:44:07 +0800 -Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create - directory with label rpcbind_runtime_t - -Fixes: -avc: denied { create } for pid=136 comm="rpcbind" name="rpcbind" -scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/services/rpcbind.te | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te -index 137c21ece..2a712192b 100644 ---- a/policy/modules/services/rpcbind.te -+++ b/policy/modules/services/rpcbind.te -@@ -25,7 +25,7 @@ files_type(rpcbind_var_lib_t) - # Local policy - # - --allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config }; -+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config chown }; - # net_admin is for SO_SNDBUFFORCE - dontaudit rpcbind_t self:capability net_admin; - allow rpcbind_t self:fifo_file rw_fifo_file_perms; --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch deleted file mode 100644 index 060b01b..0000000 --- a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch +++ /dev/null @@ -1,104 +0,0 @@ -From b5dae809f2b46b82b75abcb562974212b370aa39 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Fri, 8 Dec 2023 14:16:26 +0800 -Subject: [PATCH] policy/modules/system/authlogin: fix login errors after - enabling systemd DynamicUser - -Allow domains using PAM to read /etc/shadow to fix login errors after -enabling systemd DynamicUser. - -Fixes: -avc: denied { read } for pid=434 comm="login" name="shadow" -dev="sda2" ino=26314 -scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 - -avc: denied { open } for pid=434 comm="login" path="/etc/shadow" -dev="sda2" ino=26314 -scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 - -avc: denied { getattr } for pid=434 comm="login" path="/etc/shadow" -dev="sda2" ino=26314 -scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 - -avc: denied { read } for pid=457 comm="sshd" name="shadow" dev="sda2" -ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 - -avc: denied { open } for pid=457 comm="sshd" path="/etc/shadow" -dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 - -avc: denied { getattr } for pid=457 comm="sshd" path="/etc/shadow" -dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 -tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1 - -Upstream-Status: Inappropriate [embedded specific] - -Signed-off-by: Yi Zhao ---- - policy/modules/admin/su.if | 4 ++-- - policy/modules/system/authlogin.te | 2 +- - policy/modules/system/selinuxutil.te | 2 ++ - 3 files changed, 5 insertions(+), 3 deletions(-) - -diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if -index dce1a0ea9..c55cdfc09 100644 ---- a/policy/modules/admin/su.if -+++ b/policy/modules/admin/su.if -@@ -76,7 +76,7 @@ template(`su_restricted_domain_template', ` - selinux_compute_access_vector($1_su_t) - - auth_domtrans_chk_passwd($1_su_t) -- auth_dontaudit_read_shadow($1_su_t) -+ auth_read_shadow($1_su_t) - auth_use_nsswitch($1_su_t) - auth_create_faillog_files($1_su_t) - auth_rw_faillog($1_su_t) -@@ -183,7 +183,7 @@ template(`su_role_template',` - selinux_use_status_page($1_su_t) - - auth_domtrans_chk_passwd($1_su_t) -- auth_dontaudit_read_shadow($1_su_t) -+ auth_read_shadow($1_su_t) - auth_use_nsswitch($1_su_t) - auth_create_faillog_files($1_su_t) - auth_rw_faillog($1_su_t) -diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 5d675bc15..2ca79e95d 100644 ---- a/policy/modules/system/authlogin.te -+++ b/policy/modules/system/authlogin.te -@@ -10,7 +10,7 @@ policy_module(authlogin) - ## Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM. - ##

- ## --gen_tunable(authlogin_pam, true) -+gen_tunable(authlogin_pam, false) - - ## - ##

-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ebc1abc10..c6b2ec47a 100644 ---- a/policy/modules/system/selinuxutil.te -+++ b/policy/modules/system/selinuxutil.te -@@ -251,6 +251,7 @@ allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_re - read_files_pattern(newrole_t, default_context_t, default_context_t) - read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) - -+kernel_getattr_proc(newrole_t) - kernel_read_system_state(newrole_t) - kernel_read_kernel_sysctls(newrole_t) - kernel_dontaudit_getattr_proc(newrole_t) -@@ -295,6 +296,7 @@ auth_run_chk_passwd(newrole_t, newrole_roles) - auth_run_upd_passwd(newrole_t, newrole_roles) - auth_rw_faillog(newrole_t) - auth_search_faillog(newrole_t) -+auth_read_shadow(newrole_t) - - # Write to utmp. - init_rw_utmp(newrole_t) --- -2.25.1 - diff --git a/recipes-security/refpolicy/refpolicy/0057-Allow-services-to-read-tmpfs-under-run-credentials.patch b/recipes-security/refpolicy/refpolicy/0057-Allow-services-to-read-tmpfs-under-run-credentials.patch new file mode 100644 index 0000000..629de01 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0057-Allow-services-to-read-tmpfs-under-run-credentials.patch @@ -0,0 +1,106 @@ +From be681d155c6c62a2ec4939dedc921921fe73e277 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Fri, 30 Aug 2024 12:39:48 +0800 +Subject: [PATCH] Allow services to read tmpfs under /run/credentials/ + +$ mount | grep credentials +tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap) +tmpfs on /run/credentials/systemd-udev-load-credentials.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap) +tmpfs on /run/credentials/systemd-tmpfiles-setup-dev-early.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap) +tmpfs on /run/credentials/systemd-sysctl.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap) +tmpfs on /run/credentials/systemd-tmpfiles-setup-dev.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap) +tmpfs on /run/credentials/systemd-vconsole-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap) +tmpfs on /run/credentials/systemd-tmpfiles-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap) +tmpfs on /run/credentials/systemd-resolved.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap) +tmpfs on /run/credentials/systemd-networkd.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap) +tmpfs on /run/credentials/getty@tty1.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap) + +Fixes: +avc: denied { search } for pid=106 comm="systemd-journal" name="/" +dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t:s15:c0.c1023 +tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1 + +avc: denied { read } for pid=114 comm="udevadm" name="/" dev="tmpfs" +ino=1 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1 + +avc: denied { open } for pid=114 comm="udevadm" +path="/run/credentials/systemd-udev-load-credentials.service" +dev="tmpfs" ino=1 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1 + +avc: denied { read } for pid=353 comm="agetty" name="/" dev="tmpfs" +ino=1 scontext=system_u:system_r:getty_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1 + +avc: denied { open } for pid=353 comm="agetty" +path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1 +scontext=system_u:system_r:getty_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1 + +avc: denied { getattr } for pid=353 comm="agetty" +path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1 +scontext=system_u:system_r:getty_t:s0-s15:c0.c1023 +tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1 + +Upstream-Status: Pending + +Signed-off-by: Yi Zhao +--- + policy/modules/system/getty.te | 1 + + policy/modules/system/logging.te | 1 + + policy/modules/system/systemd.te | 1 + + policy/modules/system/udev.te | 1 + + 4 files changed, 4 insertions(+) + +diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te +index a900226bf..75b94785b 100644 +--- a/policy/modules/system/getty.te ++++ b/policy/modules/system/getty.te +@@ -75,6 +75,7 @@ fs_getattr_cgroup(getty_t) + fs_search_cgroup_dirs(getty_t) + # for error condition handling + fs_getattr_xattr_fs(getty_t) ++fs_list_tmpfs(getty_t) + + mcs_process_set_categories(getty_t) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index fc73825fa..d5878876b 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -495,6 +495,7 @@ files_read_kernel_symbol_table(syslogd_t) + files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) + + fs_getattr_all_fs(syslogd_t) ++fs_list_tmpfs(syslogd_t) + fs_search_auto_mountpoints(syslogd_t) + + mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 22a319c36..0440b4795 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1303,6 +1303,7 @@ files_watch_root_dirs(systemd_networkd_t) + files_list_runtime(systemd_networkd_t) + + fs_getattr_all_fs(systemd_networkd_t) ++fs_list_tmpfs(systemd_networkd_t) + fs_search_cgroup_dirs(systemd_networkd_t) + fs_read_nsfs_files(systemd_networkd_t) + fs_watch_memory_pressure(systemd_networkd_t) +diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te +index b2e43aa7d..f543a48d2 100644 +--- a/policy/modules/system/udev.te ++++ b/policy/modules/system/udev.te +@@ -142,6 +142,7 @@ files_dontaudit_getattr_tmp_dirs(udev_t) + + fs_getattr_all_fs(udev_t) + fs_list_inotifyfs(udev_t) ++fs_list_tmpfs(udev_t) + fs_read_cgroup_files(udev_t) + fs_rw_anon_inodefs_files(udev_t) + fs_search_tracefs(udev_t) +-- +2.25.1 + diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index 7b45882..8c9d046 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc @@ -48,13 +48,11 @@ SRC_URI += " \ file://0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch \ file://0031-policy-modules-system-logging-fix-auditd-startup-fai.patch \ file://0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \ - file://0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \ file://0034-policy-modules-system-systemd-enable-support-for-sys.patch \ file://0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch \ file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \ file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \ file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \ - file://0039-policy-modules-system-authlogin-fix-login-errors-aft.patch \ file://0040-policy-modules-system-logging-grant-getpcap-capabili.patch \ file://0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \ file://0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \ @@ -72,6 +70,7 @@ SRC_URI += " \ file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \ file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \ file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \ + file://0057-Allow-services-to-read-tmpfs-under-run-credentials.patch \ " S = "${WORKDIR}/refpolicy" diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc index 80d92ac..4043005 100644 --- a/recipes-security/refpolicy/refpolicy_git.inc +++ b/recipes-security/refpolicy/refpolicy_git.inc @@ -2,7 +2,7 @@ PV = "2.20240226+git" SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy" -SRCREV_refpolicy ?= "71f4bd1992e05bcd79dc5234f8a30deeb141aa3d" +SRCREV_refpolicy ?= "351a5a7f4dc959769aaa8fe47c6e77f94fe5b657" UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P\d+_\d+)"