CaROS/meta-selinux
3
0
Fork 0
mirror of git://git.yoctoproject.org/meta-selinux synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

refpolicy: update to latest git rev

Browse Source 
* Update policy for systemd-v256

  c20cf2214 systemd: allow systemd-hostnamed to read vsock device
  4f3437040 systemd: fix policy for systemd-ssh-generator
  d852b7540 devices: add label vsock_device_t for /dev/vsock
  a4a7b830f systemd: add policy for systemd-nsresourced
  47081be47 systemd: allow system --user to create netlink_route_socket
  78cacc708 systemd: allow systemd-networkd to manage sock files under
            /run/systemd/netif
  29d0bb8c3 systemd: set context to systemd_networkd_var_lib_t for
            /var/lib/systemd/network
  22fd3ddad Allow interactive user terminal output for the NetLabel
            management tool.
  c1284c601 bluetooth: Move line.
  50a5555f2 Adding SE Policy rules to allow usage of unix stream sockets
            by dbus and bluetooth contexts when Gatt notifications are
            turned on by remote.
  2b8fa2b4a kubernetes: allow kubelet to connect all TCP ports
  9ab94df30 container: allow reading generic certs
  7530dfa3c testing: add container_kvm_t to net admin exempt list
  47eced9be Makefile: drop duplicate quotes
  b0b0d52dd various: rules required for DV manipulation in kubevirt
  21e4a44c0 container: add container_kvm_t and supporting kubevirt rules
  a9bd177bb iptables: allow reading container engine tmp files
  af0b40824 container: allow spc various rules for kubevirt
  d585f08c2 container, kubernetes: add supporting rules for kubevirt and
            multus
  9f37f86b2 dbus: dontaudit session bus domains the netadmin capability
  d9ca32f5a container: allow super privileged containers to manage BPF
            dirs
  1900fbe68 kubernetes: allow kubelet to create unlabeled dirs
  b9c8ba607 haproxy: allow interactive usage
  846804c58 podman: allow managing init runtime units
  8787b3d8d iptables: allow reading usr files

* Drop obsolete patches:
  0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
  0039-policy-modules-system-authlogin-fix-login-errors-aft.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
This commit is contained in:
Yi Zhao 2024-09-12 17:18:36 +08:00 committed by Joe MacDonald
parent 3482e0e650
commit f8ccc77076
5 changed files with 108 additions and 141 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
View File

@ -1,34 +0,0 @@
From 8cbc09769a08cf3f5dcb611d471e5da298bde67c Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Wed, 1 Jul 2020 08:44:07 +0800
Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create
directory with label rpcbind_runtime_t
Fixes:
avc: denied { create } for pid=136 comm="rpcbind" name="rpcbind"
scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023
tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/services/rpcbind.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
index 137c21ece..2a712192b 100644
--- a/policy/modules/services/rpcbind.te
+++ b/policy/modules/services/rpcbind.te
@@ -25,7 +25,7 @@ files_type(rpcbind_var_lib_t)
# Local policy
#
-allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config chown };
# net_admin is for SO_SNDBUFFORCE
dontaudit rpcbind_t self:capability net_admin;
allow rpcbind_t self:fifo_file rw_fifo_file_perms;
--
2.25.1

104
recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch
View File

@ -1,104 +0,0 @@
From b5dae809f2b46b82b75abcb562974212b370aa39 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Fri, 8 Dec 2023 14:16:26 +0800
Subject: [PATCH] policy/modules/system/authlogin: fix login errors after
enabling systemd DynamicUser
Allow domains using PAM to read /etc/shadow to fix login errors after
enabling systemd DynamicUser.
Fixes:
avc: denied { read } for pid=434 comm="login" name="shadow"
dev="sda2" ino=26314
scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
avc: denied { open } for pid=434 comm="login" path="/etc/shadow"
dev="sda2" ino=26314
scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
avc: denied { getattr } for pid=434 comm="login" path="/etc/shadow"
dev="sda2" ino=26314
scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
avc: denied { read } for pid=457 comm="sshd" name="shadow" dev="sda2"
ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
avc: denied { open } for pid=457 comm="sshd" path="/etc/shadow"
dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
avc: denied { getattr } for pid=457 comm="sshd" path="/etc/shadow"
dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/admin/su.if | 4 ++--
policy/modules/system/authlogin.te | 2 +-
policy/modules/system/selinuxutil.te | 2 ++
3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index dce1a0ea9..c55cdfc09 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -76,7 +76,7 @@ template(`su_restricted_domain_template', `
selinux_compute_access_vector($1_su_t)
auth_domtrans_chk_passwd($1_su_t)
- auth_dontaudit_read_shadow($1_su_t)
+ auth_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_create_faillog_files($1_su_t)
auth_rw_faillog($1_su_t)
@@ -183,7 +183,7 @@ template(`su_role_template',`
selinux_use_status_page($1_su_t)
auth_domtrans_chk_passwd($1_su_t)
- auth_dontaudit_read_shadow($1_su_t)
+ auth_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_create_faillog_files($1_su_t)
auth_rw_faillog($1_su_t)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 5d675bc15..2ca79e95d 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -10,7 +10,7 @@ policy_module(authlogin)
## Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM.
## </p>
## </desc>
-gen_tunable(authlogin_pam, true)
+gen_tunable(authlogin_pam, false)
## <desc>
## <p>
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index ebc1abc10..c6b2ec47a 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -251,6 +251,7 @@ allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_re
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
+kernel_getattr_proc(newrole_t)
kernel_read_system_state(newrole_t)
kernel_read_kernel_sysctls(newrole_t)
kernel_dontaudit_getattr_proc(newrole_t)
@@ -295,6 +296,7 @@ auth_run_chk_passwd(newrole_t, newrole_roles)
auth_run_upd_passwd(newrole_t, newrole_roles)
auth_rw_faillog(newrole_t)
auth_search_faillog(newrole_t)
+auth_read_shadow(newrole_t)
# Write to utmp.
init_rw_utmp(newrole_t)
--
2.25.1

106
recipes-security/refpolicy/refpolicy/0057-Allow-services-to-read-tmpfs-under-run-credentials.patch Normal file
View File

@ -0,0 +1,106 @@
From be681d155c6c62a2ec4939dedc921921fe73e277 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Fri, 30 Aug 2024 12:39:48 +0800
Subject: [PATCH] Allow services to read tmpfs under /run/credentials/
$ mount | grep credentials
tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-udev-load-credentials.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-tmpfiles-setup-dev-early.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-sysctl.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-tmpfiles-setup-dev.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-vconsole-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-tmpfiles-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-resolved.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/systemd-networkd.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
tmpfs on /run/credentials/getty@tty1.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
Fixes:
avc: denied { search } for pid=106 comm="systemd-journal" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t:s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
avc: denied { read } for pid=114 comm="udevadm" name="/" dev="tmpfs"
ino=1 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
avc: denied { open } for pid=114 comm="udevadm"
path="/run/credentials/systemd-udev-load-credentials.service"
dev="tmpfs" ino=1 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
avc: denied { read } for pid=353 comm="agetty" name="/" dev="tmpfs"
ino=1 scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
avc: denied { open } for pid=353 comm="agetty"
path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1
scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
avc: denied { getattr } for pid=353 comm="agetty"
path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1
scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
Upstream-Status: Pending
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/system/getty.te | 1 +
policy/modules/system/logging.te | 1 +
policy/modules/system/systemd.te | 1 +
policy/modules/system/udev.te | 1 +
4 files changed, 4 insertions(+)
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index a900226bf..75b94785b 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -75,6 +75,7 @@ fs_getattr_cgroup(getty_t)
fs_search_cgroup_dirs(getty_t)
# for error condition handling
fs_getattr_xattr_fs(getty_t)
+fs_list_tmpfs(getty_t)
mcs_process_set_categories(getty_t)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index fc73825fa..d5878876b 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -495,6 +495,7 @@ files_read_kernel_symbol_table(syslogd_t)
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
+fs_list_tmpfs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 22a319c36..0440b4795 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1303,6 +1303,7 @@ files_watch_root_dirs(systemd_networkd_t)
files_list_runtime(systemd_networkd_t)
fs_getattr_all_fs(systemd_networkd_t)
+fs_list_tmpfs(systemd_networkd_t)
fs_search_cgroup_dirs(systemd_networkd_t)
fs_read_nsfs_files(systemd_networkd_t)
fs_watch_memory_pressure(systemd_networkd_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index b2e43aa7d..f543a48d2 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -142,6 +142,7 @@ files_dontaudit_getattr_tmp_dirs(udev_t)
fs_getattr_all_fs(udev_t)
fs_list_inotifyfs(udev_t)
+fs_list_tmpfs(udev_t)
fs_read_cgroup_files(udev_t)
fs_rw_anon_inodefs_files(udev_t)
fs_search_tracefs(udev_t)
--
2.25.1

3
recipes-security/refpolicy/refpolicy_common.inc
View File

@ -48,13 +48,11 @@ SRC_URI += " \
file://0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch \ file://0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
file://0031-policy-modules-system-logging-fix-auditd-startup-fai.patch \ file://0031-policy-modules-system-logging-fix-auditd-startup-fai.patch \
file://0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \ file://0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
file://0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
file://0034-policy-modules-system-systemd-enable-support-for-sys.patch \ file://0034-policy-modules-system-systemd-enable-support-for-sys.patch \
file://0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch \ file://0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch \
file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \ file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \
file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \ file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \
file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \ file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \
file://0039-policy-modules-system-authlogin-fix-login-errors-aft.patch \
file://0040-policy-modules-system-logging-grant-getpcap-capabili.patch \ file://0040-policy-modules-system-logging-grant-getpcap-capabili.patch \
file://0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \ file://0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
file://0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \ file://0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
@ -72,6 +70,7 @@ SRC_URI += " \
file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \ file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \ file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \ file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \
file://0057-Allow-services-to-read-tmpfs-under-run-credentials.patch \
" "
S = "${WORKDIR}/refpolicy" S = "${WORKDIR}/refpolicy"

2
recipes-security/refpolicy/refpolicy_git.inc
View File

@ -2,7 +2,7 @@ PV = "2.20240226+git"
SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy" SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy"
SRCREV_refpolicy ?= "71f4bd1992e05bcd79dc5234f8a30deeb141aa3d" SRCREV_refpolicy ?= "351a5a7f4dc959769aaa8fe47c6e77f94fe5b657"
UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)" UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"