diff --git a/backport-Add-crontab_admin_domtrans-interface.patch b/backport-Add-crontab_admin_domtrans-interface.patch new file mode 100644 index 0000000000000000000000000000000000000000..13f34f28716a1a82297efb4dae161173008ab08c --- /dev/null +++ b/backport-Add-crontab_admin_domtrans-interface.patch @@ -0,0 +1,42 @@ +From 297bdbed9b24bce48601dff2cf9c3f47a04d5da7 Mon Sep 17 00:00:00 2001 +From: Juraj Marcin +Date: Thu, 22 Feb 2024 14:24:12 +0100 +Subject: [PATCH] Add crontab_admin_domtrans interface + +This interface allows a admin domain to execute crontab and transition +to admin_crontab_t domain. + +Resolves: RHEL-1388 +--- + policy/modules/contrib/cron.if | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if +index d5987694d..821121b9a 100644 +--- a/policy/modules/contrib/cron.if ++++ b/policy/modules/contrib/cron.if +@@ -1097,3 +1097,21 @@ interface(`crontab_domtrans',` + + domtrans_pattern($1, crontab_exec_t, crontab_t) + ') ++ ++######################################## ++## ++## Execute crontab in the admin crontab domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`crontab_admin_domtrans',` ++ gen_require(` ++ type crontab_exec_t, admin_crontab_t; ++ ') ++ ++ domtrans_pattern($1, crontab_exec_t, admin_crontab_t) ++') +-- +2.43.0 + diff --git a/backport-Add-crontab_domtrans-interface.patch b/backport-Add-crontab_domtrans-interface.patch new file mode 100644 index 0000000000000000000000000000000000000000..be5d93b111a379bfaccf70ebdd1a075bca179dc5 --- /dev/null +++ b/backport-Add-crontab_domtrans-interface.patch 
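Review bot: `crontab_admin_domtrans` sets up the type transition into admin_crontab_t, but nothing in the interface authorizes the caller's role for that domain, so a role that is not already permitted admin_crontab_t (through whatever role interface cron.if already provides, outside this hunk) is still refused at the role check even though the type transition is allowed. Either state that precondition in the summary — `## Execute crontab in the admin crontab domain; the caller's role must already be permitted admin_crontab_t.` — or add a companion run interface that takes a role parameter and adds `role $2 types admin_crontab_t;`. The same applies to `crontab_domtrans` in the next hunk. The patch description also reads "a admin domain"; "an admin domain" would be the intended wording.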
@@ -0,0 +1,42 @@ +From afd6ecc850b85f793379d2b1eafc2673ad10c237 Mon Sep 17 00:00:00 2001 +From: Juraj Marcin +Date: Fri, 9 Feb 2024 15:33:39 +0100 +Subject: [PATCH] Add crontab_domtrans interface + +This interface allows a domain to execute crontab and transition to +crontab_t domain. + +Resolves: RHEL-1388 +--- + policy/modules/contrib/cron.if | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if +index 80419572c..d5987694d 100644 +--- a/policy/modules/contrib/cron.if ++++ b/policy/modules/contrib/cron.if +@@ -1079,3 +1079,21 @@ interface(`cron_system_spool_entrypoint',` + ') + allow $1 system_cron_spool_t:file entrypoint; + ') ++ ++######################################## ++## ++## Execute crontab in the crontab domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`crontab_domtrans',` ++ gen_require(` ++ type crontab_exec_t, crontab_t; ++ ') ++ ++ domtrans_pattern($1, crontab_exec_t, crontab_t) ++') +-- +2.43.0 + diff --git a/backport-Add-interfaces-for-watching-and-reading-ifconfig_var.patch b/backport-Add-interfaces-for-watching-and-reading-ifconfig_var.patch new file mode 100644 index 0000000000000000000000000000000000000000..4b69992edfd0319c2067fdfeb70c9cea12b409e3 --- /dev/null +++ b/backport-Add-interfaces-for-watching-and-reading-ifconfig_var.patch 
@@ -0,0 +1,65 @@ +From 4726e4aa542f704375483b38feb8a56d72ed49cc Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Mon, 14 Aug 2023 16:51:08 +0200 +Subject: [PATCH] Add interfaces for watching and reading ifconfig_var_run_t + +Required by frr. +https://gitlab.com/redhat/centos-stream/rpms/frr/-/merge_requests/24 + +Signed-off-by: Vit Mojzis +--- + policy/modules/system/sysnetwork.if | 38 +++++++++++++++++++++++++++++ + 1 file changed, 38 insertions(+) + +diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if +index 9973492cc..e1e38d523 100644 +--- a/policy/modules/system/sysnetwork.if ++++ b/policy/modules/system/sysnetwork.if +@@ -1225,6 +1225,44 @@ interface(`sysnet_manage_ifconfig_run',` + manage_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + ') + ++###################################### ++## ++## Watch ifconfig_var_run_t directories ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_watch_ifconfig_run_dirs',` ++ gen_require(` ++ type ifconfig_var_run_t; ++ ') ++ ++ watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ++') ++ ++######################################## ++## ++## Read ifconfig_var_run_t files and link files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_read_ifconfig_run_files',` ++ gen_require(` ++ type ifconfig_var_run_t; ++ ') ++ ++ list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ++ read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ++ read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ++') ++ + ######################################## + ## + ## Transition to sysnet ifconfig named content +-- +2.43.0 + diff --git a/backport-Allow-NetworkManager-the-sys_ptrace-capability-in-us.patch b/backport-Allow-NetworkManager-the-sys_ptrace-capability-in-us.patch new file mode 100644 index 0000000000000000000000000000000000000000..54f2eb55fcfc1135ea98d448191cd77aed834d14 --- /dev/null 
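Review bot: The summary of `sysnet_read_ifconfig_run_files` says "Read ifconfig_var_run_t files and link files", but the body also grants `list_dirs_pattern`, so the documentation understates what the interface allows; `## List ifconfig_var_run_t directories and read its files and link files` would match the rules. Neither new interface lets the caller search /run to reach the labeled directory, so unless every caller already has that, a `files_search_pids($1)` line is likely needed in both, as the neighbouring `sysnet_manage_ifconfig_run` above the hunk probably has — confirm against its full body, which lies outside the hunk.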
+++ b/backport-Allow-NetworkManager-the-sys_ptrace-capability-in-us.patch @@ -0,0 +1,31 @@ +From 0c28ee45fceb83eeeb78448126180629ac150375 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 18 Mar 2024 16:07:51 +0100 +Subject: [PATCH] Allow NetworkManager the sys_ptrace capability in user + namespace + +The commit addresses the following AVC denial: +type=PROCTITLE msg=audit(03/11/2024 06:47:26.478:1051) : proctitle=/usr/sbin/NetworkManager --no-daemon +type=SYSCALL msg=audit(03/11/2024 06:47:26.478:1051) : arch=x86_64 syscall=read success=yes exit=185 a0=0x16 a1=0x7ffc1fa820b0 a2=0x1000 a3=0x0 items=0 ppid=1 pid=627 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null) +type=AVC msg=audit(03/11/2024 06:47:26.478:1051) : avc: denied { sys_ptrace } for pid=627 comm=NetworkManager capability=sys_ptrace scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=cap_userns permissive=0 + +Resolves: RHEL-24346 +--- + policy/modules/contrib/networkmanager.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te +index a4167fa84..f7bc6f3be 100644 +--- a/policy/modules/contrib/networkmanager.te ++++ b/policy/modules/contrib/networkmanager.te +@@ -79,6 +79,7 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) + allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_read_search dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot }; + dontaudit NetworkManager_t self:capability sys_tty_config; + allow NetworkManager_t self:capability2 bpf; ++allow NetworkManager_t self:cap_userns sys_ptrace; + + allow NetworkManager_t self:bpf { map_create map_read map_write prog_load prog_run }; + +-- +2.43.0 + 
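Review bot: The AVC quoted in the description shows `success=yes exit=185` on a read(), i.e. the kernel refused the sys_ptrace check in the user namespace but the operation still completed, which is the pattern of an opportunistic capability probe rather than a hard requirement. Before granting `allow NetworkManager_t self:cap_userns sys_ptrace;` outright, it is worth verifying that something actually degrades without it; if nothing does, `dontaudit NetworkManager_t self:cap_userns sys_ptrace;` removes the noise without widening the domain. If the capability is genuinely needed, a sentence in the commit message naming the operation that requires it would help later reviewers judge the grant.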
diff --git a/backport-Allow-abrt-dump-journal-core-connect-to-systemd-mach.patch b/backport-Allow-abrt-dump-journal-core-connect-to-systemd-mach.patch new file mode 100644 index 0000000000000000000000000000000000000000..ad29bed2accf110dcecfd00ff753357839ba3bef --- /dev/null +++ b/backport-Allow-abrt-dump-journal-core-connect-to-systemd-mach.patch @@ -0,0 +1,31 @@ +From 1652297104e4e6f9b3dfe4482d04e8bb3360df4d Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 29 Apr 2024 10:51:56 +0200 +Subject: [PATCH] Allow abrt-dump-journal-core connect to systemd-machined + +abrt-dump-journal-core was allowed to connect to systemd-machined +over a unix socket. + +The commit addresses the following AVC denial and 2 related ones: +type=AVC msg=audit(1714352016.324:249): avc: denied { connectto } for pid=2471 comm="abrt-dump-journ" path="/run/systemd/userdb/io.systemd.Machine" scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0 + +Resolves: rhbz#2277658 +--- + policy/modules/contrib/abrt.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te +index a933b4c9c..d6a343a53 100644 +--- a/policy/modules/contrib/abrt.te ++++ b/policy/modules/contrib/abrt.te +@@ -594,6 +594,7 @@ optional_policy(` + ') + + optional_policy(` ++ systemd_machined_stream_connect(abrt_dump_oops_t) + systemd_userdbd_stream_connect(abrt_dump_oops_t) + ') + +-- +2.43.0 + diff --git a/backport-Allow-abrt-dump-journal-core-connect-to-systemd-user.patch b/backport-Allow-abrt-dump-journal-core-connect-to-systemd-user.patch new file mode 100644 index 0000000000000000000000000000000000000000..a0f01af067179e25d2b5404d6bf8d3bf4b61ae87 --- /dev/null +++ b/backport-Allow-abrt-dump-journal-core-connect-to-systemd-user.patch 
@@ -0,0 +1,38 @@ +From ede625a526c79116533ac96d52e05fcb18853611 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 24 Apr 2024 19:02:00 +0200 +Subject: [PATCH] Allow abrt-dump-journal-core connect to systemd-userdbd + +abrt-dump-journal-core was allowed to connect to systemd-userdbd +over a unix socket. + +The commit addresses the following AVC denial and 2 related ones: +type=PROCTITLE msg=audit(02/25/2024 23:20:22.981:1367) : proctitle=/usr/bin/abrt-dump-journal-core -D -T -f -e +type=PATH msg=audit(02/25/2024 23:20:22.981:1367) : item=0 name=/run/systemd/userdb/io.systemd.DropIn inode=907 dev=00:1a mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_userdbd_runtime_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SOCKADDR msg=audit(02/25/2024 23:20:22.981:1367) : saddr={ saddr_fam=local path=/run/systemd/userdb/io.systemd.DropIn } +type=SYSCALL msg=audit(02/25/2024 23:20:22.981:1367) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3a a1=0x7fffd87b9910 a2=0x28 a3=0x559c798649e0 items=1 ppid=1 pid=1503 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=abrt-dump-journ exe=/usr/bin/abrt-dump-journal-core subj=system_u:system_r:abrt_dump_oops_t:s0 key=(null) +type=AVC msg=audit(02/25/2024 23:20:22.981:1367) : avc: denied { connectto } for pid=1503 comm=abrt-dump-journ path=/run/systemd/userdb/io.systemd.Multiplexer scontext=system_u:system_r:abrt_dump_oops_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=unix_stream_socket permissive=1 + +Resolves: rhbz#2265927 +--- + policy/modules/contrib/abrt.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te +index 5888ea5f0..a933b4c9c 100644 +--- a/policy/modules/contrib/abrt.te ++++ b/policy/modules/contrib/abrt.te +@@ -593,6 +593,10 @@ optional_policy(` + sssd_stream_connect(abrt_dump_oops_t) + ') + 
++optional_policy(` ++ systemd_userdbd_stream_connect(abrt_dump_oops_t) ++') ++ + optional_policy(` + xserver_exec(abrt_dump_oops_t) + ') +-- +2.43.0 + diff --git a/backport-Allow-admin-user-read-write-on-fixed_disk_device_t.patch b/backport-Allow-admin-user-read-write-on-fixed_disk_device_t.patch new file mode 100644 index 0000000000000000000000000000000000000000..73cc2fa57c794e41d5594a6348ec86160b281858 --- /dev/null +++ b/backport-Allow-admin-user-read-write-on-fixed_disk_device_t.patch @@ -0,0 +1,26 @@ +From feeef6aa6130ed4fbdb4f7eb4940957f3bf24c98 Mon Sep 17 00:00:00 2001 +From: Juraj Marcin +Date: Mon, 12 Feb 2024 14:17:49 +0100 +Subject: [PATCH] Allow admin user read/write on fixed_disk_device_t + +Resolves: RHEL-23434 +--- + policy/modules/system/userdomain.if | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if +index 58d21eefe..937915bbe 100644 +--- a/policy/modules/system/userdomain.if ++++ b/policy/modules/system/userdomain.if +@@ -1760,7 +1760,7 @@ template(`userdom_admin_user_template',` + + storage_raw_read_removable_device($1_t) + storage_raw_write_removable_device($1_t) +- storage_dontaudit_read_fixed_disk($1_t) ++ storage_raw_rw_fixed_disk($1_t) + + term_use_all_inherited_terms($1_t) + term_use_unallocated_ttys($1_t) +-- +2.43.0 + diff --git a/backport-Allow-cgred_t-to-get-attributes-of-cgroup-filesystem.patch b/backport-Allow-cgred_t-to-get-attributes-of-cgroup-filesystem.patch new file mode 100644 index 0000000000000000000000000000000000000000..9b3ea399d5343564de7afb4c61f07a9b557cdb95 --- /dev/null +++ b/backport-Allow-cgred_t-to-get-attributes-of-cgroup-filesystem.patch 
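Review bot: Swapping `storage_dontaudit_read_fixed_disk($1_t)` for `storage_raw_rw_fixed_disk($1_t)` inside `userdom_admin_user_template` gives every admin user domain produced by the template raw read and write access to fixed disk block devices, which bypasses file-level labeling for everything stored on those disks. The hunk carries only a ticket reference — no AVC and no use case — so the reason write access (rather than read) is needed is not recorded; a line in the description naming the tool or workflow behind RHEL-23434 would keep this auditable. If only some admin users need it, a tunable or a rule on the specific domain would be a smaller widening than a template change. The template's body continues outside the hunk.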
@@ -0,0 +1,28 @@ +From d2f6c78e8342a07282ed0c9c8f047337bd3f4f07 Mon Sep 17 00:00:00 2001 +From: Naoki Tanaka +Date: Sat, 9 Mar 2024 00:10:29 +0000 +Subject: [PATCH] Allow cgred_t to get attributes of cgroup filesystems + +Need to allow cgred_t to get attributes of cgroup filesystems +as libcgroup package adds support for systemd. + +Signed-off-by: Naoki Tanaka +--- + policy/modules/contrib/cgroup.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/cgroup.te b/policy/modules/contrib/cgroup.te +index b04669b2a..aca4a02ec 100644 +--- a/policy/modules/contrib/cgroup.te ++++ b/policy/modules/contrib/cgroup.te +@@ -105,6 +105,7 @@ files_getattr_all_files(cgred_t) + files_getattr_all_sockets(cgred_t) + files_read_all_symlinks(cgred_t) + ++fs_getattr_cgroup(cgred_t) + fs_manage_cgroup_dirs(cgred_t) + fs_manage_cgroup_files(cgred_t) + +-- +2.43.0 + diff --git a/backport-Allow-chronyd-restricted-read-chronyd-key-files.patch b/backport-Allow-chronyd-restricted-read-chronyd-key-files.patch new file mode 100644 index 0000000000000000000000000000000000000000..ed1aff2e5f87f44d0afed65e77e80876d6182d11 --- /dev/null +++ b/backport-Allow-chronyd-restricted-read-chronyd-key-files.patch 
@@ -0,0 +1,29 @@ +From 1c4b591ba635c2dfeb4f0b97046a3d290c3e1bcb Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 23 Jan 2024 17:15:41 +0100 +Subject: [PATCH] Allow chronyd-restricted read chronyd key files + +The commit addresses the following AVC denial: +type=AVC msg=audit(1706021857.079:1326): avc: denied { read } for pid=25023 comm="chronyd" name="chrony.keys" dev="xvda4" ino=17299976 scontext=system_u:system_r:chronyd_restricted_t:s0 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file permissive=0 + +Resolves: RHEL-18219 +--- + policy/modules/contrib/chronyd.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te +index 232849cbf..c5dfdffec 100644 +--- a/policy/modules/contrib/chronyd.te ++++ b/policy/modules/contrib/chronyd.te +@@ -208,6 +208,8 @@ allow chronyd_restricted_t self:tcp_socket create_stream_socket_perms; + allow chronyd_restricted_t self:udp_socket create_socket_perms; + allow chronyd_restricted_t self:unix_dgram_socket create_socket_perms; + ++allow chronyd_restricted_t chronyd_keys_t:file read_file_perms; ++ + manage_files_pattern(chronyd_restricted_t, chronyd_var_lib_t, chronyd_var_lib_t) + + allow chronyd_restricted_t chronyd_var_log_t:dir getattr_dir_perms; +-- +2.43.0 + diff --git a/backport-Allow-conntrackd_t-to-use-bpf-capability2.patch b/backport-Allow-conntrackd_t-to-use-bpf-capability2.patch new file mode 100644 index 0000000000000000000000000000000000000000..f470911396e037747d6eca3f51a292ffbb708efa --- /dev/null +++ b/backport-Allow-conntrackd_t-to-use-bpf-capability2.patch 
@@ -0,0 +1,31 @@ +From 5c1c6248da111065d56c8bd7e7e1447134d5c527 Mon Sep 17 00:00:00 2001 +From: Juraj Marcin +Date: Mon, 22 Jan 2024 16:00:18 +0100 +Subject: [PATCH] Allow conntrackd_t to use bpf capability2 + +When conntrackd filters packets using kernelspace filter, it needs the +capability to do so efficiently. + +Addresses following AVC denials: +type=AVC msg=audit(01/22/2024 12:46:49.999:248) : avc: denied { bpf } for pid=1927 comm=conntrackd capability=bpf scontext=system_u:system_r:conntrackd_t:s0 tcontext=system_u:system_r:conntrackd_t:s0 tclass=capability2 permissive=0 + +Resolves: RHEL-22277 +--- + policy/modules/contrib/conntrackd.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/conntrackd.te b/policy/modules/contrib/conntrackd.te +index 5093ed600..06ae69f84 100644 +--- a/policy/modules/contrib/conntrackd.te ++++ b/policy/modules/contrib/conntrackd.te +@@ -34,6 +34,7 @@ files_lock_file(conntrackd_var_lock_t) + # + + allow conntrackd_t self:capability { sys_nice net_admin }; ++allow conntrackd_t self:capability2 { bpf }; + allow conntrackd_t self:netlink_route_socket rw_netlink_socket_perms; + allow conntrackd_t self:netlink_netfilter_socket create_socket_perms; + allow conntrackd_t self:udp_socket create_socket_perms; +-- +2.43.0 + diff --git a/backport-Allow-dbus-broker-read-write-inherited-user-ttys.patch b/backport-Allow-dbus-broker-read-write-inherited-user-ttys.patch new file mode 100644 index 0000000000000000000000000000000000000000..fbbc520e0a52a5e086b5800ddf0107115d193cc2 --- /dev/null +++ b/backport-Allow-dbus-broker-read-write-inherited-user-ttys.patch 
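Review bot: `allow conntrackd_t self:capability2 { bpf };` braces a single permission, whereas the NetworkManager rule in this series is written `allow NetworkManager_t self:capability2 bpf;`, so `allow conntrackd_t self:capability2 bpf;` would match that style. More importantly, CAP_BPF is usually only the first gate: loading a kernel-space filter through bpf(2) is also checked against the `bpf` object class (`prog_load`, `map_create`, …), and this hunk adds nothing in that class — compare the NetworkManager policy, which carries `allow NetworkManager_t self:bpf { map_create map_read map_write prog_load prog_run };`. Unless conntrackd_t already has such rules elsewhere in conntrackd.te, a permissive run should confirm that no bpf-class denials follow this change.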
@@ -0,0 +1,33 @@ +From cf4b3896ae3f44b81b34ca844e3f63cf0a8cb549 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 29 Apr 2024 14:58:30 +0200 +Subject: [PATCH] Allow dbus-broker read/write inherited user ttys + +This permission is required to allow systemd-run start a transient unit +over D-Bus on a serial console. + +The commit addresses the following AVC denial: +type=PROCTITLE msg=audit(04/29/24 11:09:59.878:348) : proctitle=dbus-broker --log 4 --controller 9 --machine-id 010dea9d856a4caf9801faa7f613bcf3 --max-bytes 536870912 --max-fds 4096 --max-matc +type=SYSCALL msg=audit(04/29/24 11:09:59.878:348) : arch=x86_64 syscall=recvmsg success=yes exit=576 a0=0x2e a1=0x7ffddaff68a0 a2=MSG_DONTWAIT|MSG_CMSG_CLOEXEC a3=0x55ced19b6b00 items=0 ppid=772 pid=791 auid=unset uid=dbus gid=dbus euid=dbus suid=dbus fsuid=dbus egid=dbus sgid=dbus fsgid=dbus tty=(none) ses=unset comm=dbus-broker exe=/usr/bin/dbus-broker subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(04/29/24 11:09:59.878:348) : avc: denied { read write } for pid=791 comm=dbus-broker path=/dev/tty1 dev="devtmpfs" ino=20 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=0 + +Resolves: rhbz#2277599 +--- + policy/modules/contrib/dbus.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te +index fa4b4d8d7..73a0373ab 100644 +--- a/policy/modules/contrib/dbus.te ++++ b/policy/modules/contrib/dbus.te +@@ -249,6 +249,7 @@ optional_policy(` + + optional_policy(` + userdom_rw_stream(system_dbusd_t) ++ userdom_use_inherited_user_ttys(system_dbusd_t) + ') + + optional_policy(` +-- +2.43.0 + diff --git a/backport-Allow-dhcpc-read-run-netns-files.patch b/backport-Allow-dhcpc-read-run-netns-files.patch new file mode 100644 index 0000000000000000000000000000000000000000..103d9e890a7d2903e8dbf49a1abecb2c9d470982 --- /dev/null 
+++ b/backport-Allow-dhcpc-read-run-netns-files.patch @@ -0,0 +1,33 @@ +From d76da17e4289cac7d11730d706966ce96bb38087 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 15 Mar 2024 16:32:34 +0100 +Subject: [PATCH] Allow dhcpc read /run/netns files + +The commit addresses the following AVC denial which appears +every time the service is restarted: + +type=PROCTITLE msg=audit(03/15/2024 10:52:30.995:633) : proctitle=/usr/sbin/dhcpcd -q --nobackground +type=PATH msg=audit(03/15/2024 10:52:30.995:633) : item=0 name=/var/run/netns inode=1401 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:ifconfig_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(03/15/2024 10:52:30.995:633) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55d4418543ae a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=2900 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=dhcpcd exe=/usr/sbin/dhcpcd subj=system_u:system_r:dhcpc_t:s0 key=(null) +type=AVC msg=audit(03/15/2024 10:52:30.995:633) : avc: denied { read } for pid=2900 comm=dhcpcd name=netns dev="tmpfs" ino=1401 scontext=system_u:system_r:dhcpc_t:s0 tcontext=unconfined_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=0 + +Resolves: rhbz#2269708 +--- + policy/modules/system/sysnetwork.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te +index 5c9513087..abdb3710d 100644 +--- a/policy/modules/system/sysnetwork.te ++++ b/policy/modules/system/sysnetwork.te +@@ -181,6 +181,7 @@ miscfiles_read_generic_certs(dhcpc_t) + + modutils_run_kmod(dhcpc_t, dhcpc_roles) + ++sysnet_read_ifconfig_run_files(dhcpc_t) + sysnet_run_ifconfig(dhcpc_t, dhcpc_roles) + + userdom_stream_connect(dhcpc_t) +-- +2.43.0 + 
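Review bot: `sysnet_read_ifconfig_run_files(dhcpc_t)` calls an interface that, as far as this series shows, only exists once `backport-Add-interfaces-for-watching-and-reading-ifconfig_var.patch` has been applied, so the policy build fails if the spec applies this patch first. The alphabetical order of the file names (`Add-…` before `Allow-…`) happens to satisfy that, but the dependency is only implicit; a sentence in this patch's description naming the interface-adding backport, or an explicit ordering in the spec, makes it visible to whoever reorders or drops patches later.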
diff --git a/backport-Allow-dhcpcd-use-unix_stream_socket.patch b/backport-Allow-dhcpcd-use-unix_stream_socket.patch new file mode 100644 index 0000000000000000000000000000000000000000..7b9937c67e8c8c58aaa26d7b69995f73c6a7618f --- /dev/null +++ b/backport-Allow-dhcpcd-use-unix_stream_socket.patch @@ -0,0 +1,28 @@ +From 40912d06ea8434dc0e4a2b454bcb41dcb459aeae Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 20 Mar 2024 15:23:14 +0100 +Subject: [PATCH] Allow dhcpcd use unix_stream_socket + +The commit addresses the following AVC denial: +AVC avc: denied { connectto } for pid=769 comm="dhcpcd" path="/run/dhcpcd/eth0-4.unpriv.sock" scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=unix_stream_socket permissive=0 + +Resolves: rhbz#2270461 +--- + policy/modules/system/sysnetwork.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te +index abdb3710d..02961b81a 100644 +--- a/policy/modules/system/sysnetwork.te ++++ b/policy/modules/system/sysnetwork.te +@@ -77,6 +77,7 @@ allow dhcpc_t self:netlink_generic_socket create_socket_perms; + allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write }; + allow dhcpc_t self:netlink_kobject_uevent_socket create_socket_perms; + allow dhcpc_t self:unix_dgram_socket sendto; ++allow dhcpc_t self:unix_stream_socket connectto; + + allow dhcpc_t dhcp_etc_t:dir list_dir_perms; + read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t) +-- +2.43.0 + diff --git a/backport-Allow-gpg-manage-rpm-cache.patch b/backport-Allow-gpg-manage-rpm-cache.patch new file mode 100644 index 0000000000000000000000000000000000000000..96a8af731d425a8a1cef8b89c05d7aecb5bcffe6 --- /dev/null +++ b/backport-Allow-gpg-manage-rpm-cache.patch 
@@ -0,0 +1,35 @@ +From 9ae55b82321c1fab7ae1dd4103e2385d3f311287 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 2 Feb 2024 15:55:08 +0100 +Subject: [PATCH] Allow gpg manage rpm cache + +Instead of reading all rpm data, gpg needs permissions to manage, +but only for cache files. + +The commit addresses the following AVC denial example: +type=PROCTITLE msg=audit(01/29/2024 07:58:45.089:80) : proctitle=gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/cache/dnf/RHEL6421-290d60badb0765d7/pubring --status-fd 1 +type=PATH msg=audit(01/29/2024 07:58:45.089:80) : item=0 name=/var/cache/dnf/RHEL6421-290d60badb0765d7/pubring/ inode=258138 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rpm_var_cache_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root" +type=SYSCALL msg=audit(01/29/2024 07:58:45.089:80) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55fedc65d0e0 a2=O_WRONLY|O_CREAT|O_EXCL a3=0x1a4 items=1 ppid=1 pid=2179 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=gpg exe=/usr/bin/gpg subj=system_u:system_r:gpg_t:s0 key=(null) SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" +type=AVC msg=audit(01/29/2024 07:58:45.089:80) : avc: denied { write } for pid=2179 comm=gpg name=pubring dev="dm-1" ino=258138 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:rpm_var_cache_t:s0 tclass=dir permissive=0 + +Resolves: RHEL-11249 +--- + policy/modules/contrib/gpg.te | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te +index 82f10f6bf..ddc0f8d81 100644 +--- a/policy/modules/contrib/gpg.te ++++ b/policy/modules/contrib/gpg.te +@@ -197,7 +197,7 @@ optional_policy(` + ') + + optional_policy(` +- 
rpm_read_db(gpg_t) ++ rpm_manage_cache(gpg_t) + ') + + optional_policy(` +-- +2.43.0 + diff --git a/backport-Allow-httpd-work-with-PrivateTmp.patch b/backport-Allow-httpd-work-with-PrivateTmp.patch new file mode 100644 index 0000000000000000000000000000000000000000..4859dab5b2ce5e416e6ae1557b4bcb233665c7b6 --- /dev/null +++ b/backport-Allow-httpd-work-with-PrivateTmp.patch @@ -0,0 +1,33 @@ +From a655e9a31d3153bf2ca66565fe261a1338f27da2 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 18 Jan 2024 20:54:32 +0100 +Subject: [PATCH] Allow httpd work with PrivateTmp + +In particular, assign httpd_tmp_t to the systemd_private_tmp_type attribute. + +The commit addresses the following AVC denial example: +type=AVC msg=audit(1705486932.024:438): avc: denied { remove_name } for pid=8044 comm="(sd-rmrf)" name="test" dev="tmpfs" ino=169 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0 + +Resolves: rhbz#2258637 +--- + policy/modules/contrib/apache.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te +index a3b15cf89..7ebcdc71f 100644 +--- a/policy/modules/contrib/apache.te ++++ b/policy/modules/contrib/apache.te +@@ -1372,6 +1372,10 @@ optional_policy(` + ') + ') + ++optional_policy(` ++ systemd_private_tmp(httpd_php_tmp_t) ++') ++ + ######################################## + # + # Apache suexec local policy +-- +2.43.0 + diff --git a/backport-Allow-init-to-inherit-fds-from-syslogd.patch b/backport-Allow-init-to-inherit-fds-from-syslogd.patch new file mode 100644 index 0000000000000000000000000000000000000000..c4e46fb6ac970ffdaa8490f3a094c1d3cfce7e09 --- /dev/null +++ b/backport-Allow-init-to-inherit-fds-from-syslogd.patch 
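Review bot: Replacing `rpm_read_db(gpg_t)` with `rpm_manage_cache(gpg_t)` both drops gpg_t's read access to the rpm database and grants it manage permissions over everything labeled rpm_var_cache_t, not just the pubring directory under /var/cache/dnf that the quoted AVC shows. Since gpg_t is the domain for gpg in general rather than only dnf's helper, write access to the whole package cache (if downloaded packages and metadata share that label) is a wider grant than the denial needs; a dedicated type for the dnf gpg home directory would confine the write to what gpg actually touches. The description should also say whether anything still depended on the removed `rpm_read_db`, since that read is gone after this hunk.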
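Review bot: The description and the quoted AVC are about httpd_tmp_t ("assign httpd_tmp_t to the systemd_private_tmp_type attribute", `tcontext=system_u:object_r:httpd_tmp_t:s0`), but the line actually added is `systemd_private_tmp(httpd_php_tmp_t)`, a different type. Either httpd_tmp_t is already a systemd_private_tmp_type elsewhere in apache.te and this hunk only covers the PHP tmp type — in which case the description should say so — or the denial in the message is not addressed by this change; the two should agree before the backport is taken.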
@@ -0,0 +1,54 @@ +From 06e629e915fff1f2711a6fe93d302f78123e4c37 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Thu, 8 Feb 2024 12:41:03 +0100 +Subject: [PATCH] Allow init to inherit fds from syslogd + +This is required by systemd when domain_fd_use is turned off. + +Signed-off-by: Ondrej Mosnacek +--- + policy/modules/system/init.te | 1 + + policy/modules/system/logging.if | 18 ++++++++++++++++++ + 2 files changed, 19 insertions(+) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 6931f72df..1bf95a531 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -399,6 +399,7 @@ logging_manage_audit_config(init_t) + logging_create_syslog_netlink_audit_socket(init_t) + logging_write_var_log_dirs(init_t) + logging_manage_var_log_symlinks(init_t) ++logging_fd_use(init_t) + + seutil_read_config(init_t) + seutil_read_login_config(init_t) +diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if +index 85b997c35..d413e49f3 100644 +--- a/policy/modules/system/logging.if ++++ b/policy/modules/system/logging.if +@@ -1806,3 +1806,21 @@ interface(`logging_dgram_send',` + + allow $1 syslogd_t:unix_dgram_socket sendto; + ') ++ ++####################################### ++## ++## Use file descriptors from syslogd. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`logging_fd_use',` ++ gen_require(` ++ type syslogd_t; ++ ') ++ ++ allow $1 syslogd_t:fd use; ++') +-- +2.43.0 + diff --git a/backport-Allow-init-to-inherit-system-DBus-file-descriptors.patch b/backport-Allow-init-to-inherit-system-DBus-file-descriptors.patch new file mode 100644 index 0000000000000000000000000000000000000000..7333421dce280bad70ad14cddce6fd3906955531 --- /dev/null +++ b/backport-Allow-init-to-inherit-system-DBus-file-descriptors.patch 
@@ -0,0 +1,27 @@ +From fdc45d2eec987bdeccd16dd015e024bbdc571dd9 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Thu, 8 Feb 2024 12:50:52 +0100 +Subject: [PATCH] Allow init to inherit system DBus file descriptors + +Required by systemd when domain_fd_use is turned off. + +Signed-off-by: Ondrej Mosnacek +--- + policy/modules/system/init.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 1bf95a531..312e76d28 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -805,6 +805,7 @@ optional_policy(` + dbus_manage_session_tmp_dirs(init_t) + dbus_read_pid_sock_files(init_t) + dbus_watch_pid_sock_files(init_t) ++ dbus_use_system_bus_fds(init_t) + + optional_policy(` + devicekit_dbus_chat_power(init_t) +-- +2.43.0 + diff --git a/backport-Allow-journalctl_t-read-filesystem-sysctls.patch b/backport-Allow-journalctl_t-read-filesystem-sysctls.patch new file mode 100644 index 0000000000000000000000000000000000000000..c4942f942daa64ee3e06c42174ad2624e96cb86d --- /dev/null +++ b/backport-Allow-journalctl_t-read-filesystem-sysctls.patch 
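Review bot: `dbus_use_system_bus_fds(init_t)` relies on an interface that is not defined anywhere in this series as shown, unlike `logging_fd_use`, which the preceding backport adds in the same patch that uses it; if dbus.if in the target tree lacks it, the policy build fails on the undefined macro. Confirm the interface is present, or backport the commit introducing it ahead of this one, and record that dependency in the patch description.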
@@ -0,0 +1,33 @@ +From aa2ab0bbf31e3252df917b82a30e9e72dceaa58f Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 12 Mar 2024 18:53:59 +0100 +Subject: [PATCH] Allow journalctl_t read filesystem sysctls + +This permission is required for journalctl run by confined users +in the user_r, staff_r, or sysadm_r roles. + +The commit addresses the following AVC denial: +type=PROCTITLE msg=audit(6.3.2024 08:45:58.914:3044) : proctitle=(pager) +type=PATH msg=audit(6.3.2024 08:45:58.914:3044) : item=0 name=/proc/sys/fs/nr_open inode=7329 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_fs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(6.3.2024 08:45:58.914:3044) : arch=x86_64 syscall=openat success=yes exit=36 a0=AT_FDCWD a1=0x7f18a1f1b0e0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=467120 pid=467121 auid=user uid=user gid=user euid=user suid=user fsuid=user egid=user sgid=user fsgid=user tty=pts13 ses=7 comm=(pager) exe=/usr/bin/journalctl subj=staff_u:staff_r:journalctl_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(6.3.2024 08:45:58.914:3044) : avc: denied { open } for pid=467121 comm=(pager) path=/proc/sys/fs/nr_open dev="proc" ino=7329 scontext=staff_u:staff_r:journalctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 +type=AVC msg=audit(6.3.2024 08:45:58.914:3044) : avc: denied { read } for pid=467121 comm=(pager) name=nr_open dev="proc" ino=7329 scontext=staff_u:staff_r:journalctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=1 +--- + policy/modules/contrib/journalctl.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/journalctl.te b/policy/modules/contrib/journalctl.te +index c301a9314..73e32e723 100644 +--- a/policy/modules/contrib/journalctl.te ++++ b/policy/modules/contrib/journalctl.te +@@ -24,6 +24,7 @@ allow journalctl_t self:process { fork setrlimit signal_perms }; 
+ allow journalctl_t self:fifo_file manage_fifo_file_perms; + allow journalctl_t self:unix_stream_socket create_stream_socket_perms; + ++kernel_read_fs_sysctls(journalctl_t) + kernel_read_system_state(journalctl_t) + + corecmd_exec_bin(journalctl_t) +-- +2.43.0 + diff --git a/backport-Allow-journald-read-systemd-config-files-and-directo.patch b/backport-Allow-journald-read-systemd-config-files-and-directo.patch new file mode 100644 index 0000000000000000000000000000000000000000..89e1cdac411c8c4b85bfeff00caf8eacf501d723 --- /dev/null +++ b/backport-Allow-journald-read-systemd-config-files-and-directo.patch 
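Review bot: This backport is the only one in the series without a `Resolves:` trailer, so the ticket behind `kernel_read_fs_sysctls(journalctl_t)` is not recorded; adding `Resolves: <ticket id>` to the patch header keeps the traceability the other backports have. The quoted AVC was taken under `permissive=1` and the rule itself is narrow — read-only access to fs sysctls — so there is no objection to the grant, only to the missing reference.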
@@ -0,0 +1,76 @@ +From 1f7f05d908f1c93939d7eed9f24a826b0f3ae723 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Sun, 19 May 2024 22:42:20 +0200 +Subject: [PATCH] Allow journald read systemd config files and directories + +The commit addresses the following AVC denial: +type=AVC msg=audit(1716124222.645:387): avc: denied { read } for pid=7051 comm="systemd-journal" name="journald.conf" dev="dm-0" ino=3408555 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_conf_t:s0 tclass=file permissive=0 + +Resolves: rhbz#2281489 +--- + policy/modules/system/logging.te | 2 ++ + policy/modules/system/systemd.if | 38 ++++++++++++++++++++++++++++++++ + 2 files changed, 40 insertions(+) + +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 69ac2a5e4..c6787db1b 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -773,6 +773,8 @@ optional_policy(` + optional_policy(` + systemd_rw_bootchart_tmpfs_files(syslogd_t) + systemd_map_bootchart_tmpfs_files(syslogd_t) ++ systemd_list_conf_dirs(syslogd_t) ++ systemd_read_conf_files(syslogd_t) + ') + + optional_policy(` +diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if +index b8a49eb37..26120efa7 100644 +--- a/policy/modules/system/systemd.if ++++ b/policy/modules/system/systemd.if +@@ -2947,3 +2947,41 @@ interface(`systemd_connectto_socket_proxyd_unix_sockets', ` + + allow $1 systemd_socket_proxyd_t:unix_stream_socket connectto; + ') ++ ++####################################### ++## ++## List systemd config directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`systemd_list_conf_dirs', ` ++ gen_require(` ++ type systemd_conf_t; ++ ') ++ ++ files_search_etc($1) ++ list_dirs_pattern($1, systemd_conf_t, systemd_conf_t) ++') ++ ++####################################### ++## ++## Read systemd config files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`systemd_read_conf_files', ` ++ gen_require(` ++ type systemd_conf_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, systemd_conf_t, systemd_conf_t) ++') +-- +2.43.0 + diff --git a/backport-Allow-keyutils-dns-resolver-connect-to-the-system-lo.patch b/backport-Allow-keyutils-dns-resolver-connect-to-the-system-lo.patch new file mode 100644 index 0000000000000000000000000000000000000000..e41ad3fc71cc901926a35885b7a2b03a46d1352b --- /dev/null +++ b/backport-Allow-keyutils-dns-resolver-connect-to-the-system-lo.patch @@ -0,0 +1,28 @@ +From dc98c54983569572791d0237989110a29ed7faa4 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 8 Apr 2024 13:59:50 +0200 +Subject: [PATCH] Allow keyutils-dns-resolver connect to the system log service + +The commit addresses the following AVC denial: +type=AVC msg=audit(1712345086.525:270): avc: denied { read } for pid=5751 comm="key.dns_resolve" name="log" dev="devtmpfs" ino=198 scontext=system_u:system_r:keyutils_dns_resolver_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=lnk_file permissive=0 + +Resolves: rhbz#2273707 +--- + policy/modules/contrib/keyutils.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/contrib/keyutils.te b/policy/modules/contrib/keyutils.te +index 57917e5e7..e35b30ae4 100644 +--- a/policy/modules/contrib/keyutils.te ++++ b/policy/modules/contrib/keyutils.te +@@ -44,3 +44,7 @@ sysnet_read_config(keyutils_dns_resolver_t) + optional_policy(` + avahi_stream_connect(keyutils_dns_resolver_t) + ') ++ ++optional_policy(` ++ logging_send_syslog_msg(keyutils_dns_resolver_t) ++') +-- +2.43.0 + diff --git a/backport-Allow-krb5kdc_t-map-krb5kdc_principal_t-files.patch b/backport-Allow-krb5kdc_t-map-krb5kdc_principal_t-files.patch new file mode 100644 index 0000000000000000000000000000000000000000..f2a4c75c191f4e4e495c8ccbef250d3d2859569d --- /dev/null +++ b/backport-Allow-krb5kdc_t-map-krb5kdc_principal_t-files.patch 
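Review bot: The two new systemd_*_conf_* calls in logging.te are attached to syslogd_t, and the AVC confirms that is the domain journald runs in (`comm="systemd-journal"`, scontext syslogd_t); if rsyslog also runs as syslogd_t in this policy, as the domain name suggests, it inherits read access to every systemd_conf_t file under /etc/systemd, not only journald.conf. That is probably acceptable for configuration files, but a comment at the call site would record the intent: `# journald reads /etc/systemd/journald.conf and journald.conf.d/ drop-ins`. In systemd.if the header of systemd_read_conf_files could also say that it grants search on /etc and on systemd_conf_t directories, since files_search_etc and read_files_pattern both do that.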
@@ -0,0 +1,33 @@ +From 2b26946542c065cb5992a9b058890f3d3ee2a875 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 21 Feb 2024 19:37:18 +0100 +Subject: [PATCH] Allow krb5kdc_t map krb5kdc_principal_t files + +The krb5kdc daemon now uses LMDB database format instead of BDB +for MIT Kerberos data. Additionally, it uses the mmap() syscall +for the files, therefore it also requires the map SELinux permission. + +The commit addresses the following AVC denial: +type=AVC msg=audit(1708536086.456:512): avc: denied { map } for pid=1677 comm="krb5kdc" path="/var/kerberos/krb5kdc/principal.mdb-lock" dev="vda2" ino=262184 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=unconfined_u:object_r:krb5kdc_principal_t:s0 tclass=file permissive=1 + +Resolves: rhbz#2265378 +--- + policy/modules/contrib/kerberos.te | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te +index 0eecd224e..9a210233d 100644 +--- a/policy/modules/contrib/kerberos.te ++++ b/policy/modules/contrib/kerberos.te +@@ -242,7 +242,7 @@ allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms }; + allow krb5kdc_t krb5kdc_log_t:file manage_file_perms; + logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) + +-allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; ++allow krb5kdc_t krb5kdc_principal_t:file mmap_rw_file_perms; + + manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) + manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) +-- +2.43.0 + diff --git a/backport-Allow-linuxptp-configure-phc2sys-and-chronyd-over-a-.patch b/backport-Allow-linuxptp-configure-phc2sys-and-chronyd-over-a-.patch new file mode 100644 index 0000000000000000000000000000000000000000..72c2275868e88ce5cfc24ddde7dfb1cff72718b1 --- /dev/null +++ b/backport-Allow-linuxptp-configure-phc2sys-and-chronyd-over-a-.patch 
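Review bot: The switch from rw_file_perms to mmap_rw_file_perms on krb5kdc_principal_t has no comment in kerberos.te, while the reason (LMDB backend, mmap of principal.mdb and principal.mdb-lock) lives only in the commit message. Suggest `# the LMDB KDB backend mmap()s the principal database and its lock file` above the allow rule. As far as I recall, the map permission alone does not allow PROT_EXEC mappings without execute on the file, so the widening is limited to what LMDB needs.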
@@ -0,0 +1,107 @@ +From 6053f6cacc10f72591a09726d571a4e491b40649 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 7 Mar 2024 16:13:03 +0100 +Subject: [PATCH] Allow linuxptp configure phc2sys and chronyd over a unix + domain socket + +For phc2sys and chronyd configuration, linuxptp since v4.2 uses unix +domain socket instead of shared memory segment with predictable address. +This requires to be backed by appropriate SELinux policy changes. + +The commit addresses the following AVC denial example: +type=PROCTITLE msg=audit(02/29/2024 13:33:47.174:396) : proctitle=/usr/sbin/chronyd -n -f /var/run/timemaster/chrony.conf +type=PATH msg=audit(02/29/2024 13:33:47.174:396) : item=1 name=/var/run/timemaster/chrony.SOCK0 inode=125930 dev=00:18 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:timemaster_var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=PATH msg=audit(02/29/2024 13:33:47.174:396) : item=0 name=/var/run/timemaster/ inode=71605 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:timemaster_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SOCKADDR msg=audit(02/29/2024 13:33:47.174:396) : saddr={ saddr_fam=local path=/var/run/timemaster/chrony.SOCK0 } +type=SYSCALL msg=audit(02/29/2024 13:33:47.174:396) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x4 a1=0x7ffdb7fdb0f0 a2=0x6e a3=0x55630dab7640 items=2 ppid=96180 pid=96181 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null) +type=AVC msg=audit(02/29/2024 13:33:47.174:396) : avc: denied { create } for pid=96181 comm=chronyd name=chrony.SOCK0 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:timemaster_var_run_t:s0 tclass=sock_file permissive=1 +type=AVC msg=audit(02/29/2024 13:33:47.174:396) : avc: denied { add_name 
} for pid=96181 comm=chronyd name=chrony.SOCK0 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:timemaster_var_run_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(02/29/2024 13:33:47.174:396) : avc: denied { write } for pid=96181 comm=chronyd name=timemaster dev="tmpfs" ino=71605 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:timemaster_var_run_t:s0 tclass=dir permissive=1 + +Resolves: RHEL-26660 +--- + policy/modules/contrib/chronyd.te | 1 + + policy/modules/contrib/linuxptp.if | 18 ++++++++++++++++++ + policy/modules/contrib/linuxptp.te | 4 ++++ + 3 files changed, 23 insertions(+) + +diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te +index c5dfdffec..804bb7170 100644 +--- a/policy/modules/contrib/chronyd.te ++++ b/policy/modules/contrib/chronyd.te +@@ -170,6 +170,7 @@ optional_policy(` + optional_policy(` + timemaster_stream_connect(chronyd_t) + timemaster_read_pid_files(chronyd_t) ++ timemaster_manage_pid_sock_files(chronyd_t) + timemaster_rw_shm(chronyd_t) + ') + +diff --git a/policy/modules/contrib/linuxptp.if b/policy/modules/contrib/linuxptp.if +index e2c96f4a8..cddf96b96 100644 +--- a/policy/modules/contrib/linuxptp.if ++++ b/policy/modules/contrib/linuxptp.if +@@ -75,6 +75,24 @@ interface(`timemaster_read_pid_files',` + read_files_pattern($1, timemaster_var_run_t, timemaster_var_run_t) + ') + ++######################################## ++## ++## Manage timemaster pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`timemaster_manage_pid_sock_files',` ++ gen_require(` ++ type timemaster_var_run_t; ++ ') ++ ++ manage_sock_files_pattern($1, timemaster_var_run_t, timemaster_var_run_t) ++') ++ + ######################################## + ## + ## Read and write timemaster shared memory. 
+diff --git a/policy/modules/contrib/linuxptp.te b/policy/modules/contrib/linuxptp.te +index 397191385..0eb7fffc2 100644 +--- a/policy/modules/contrib/linuxptp.te ++++ b/policy/modules/contrib/linuxptp.te +@@ -78,6 +78,7 @@ optional_policy(` + ') + + optional_policy(` ++ chronyd_dgram_send(timemaster_t) + chronyd_domtrans(timemaster_t) + chronyd_rw_shm(timemaster_t) + ') +@@ -129,6 +130,7 @@ dev_rw_realtime_clock(phc2sys_t) + logging_send_syslog_msg(phc2sys_t) + + optional_policy(` ++ chronyd_dgram_send(phc2sys_t) + chronyd_rw_shm(phc2sys_t) + ') + +@@ -150,6 +152,7 @@ optional_policy(` + # + + allow ptp4l_t self:fifo_file rw_fifo_file_perms; ++allow ptp4l_t self:netlink_generic_socket create_socket_perms; + allow ptp4l_t self:packet_socket create_socket_perms; + allow ptp4l_t self:unix_stream_socket create_stream_socket_perms; + allow ptp4l_t self:shm create_shm_perms; +@@ -184,6 +187,7 @@ logging_send_syslog_msg(ptp4l_t) + userdom_users_dgram_send(ptp4l_t) + + optional_policy(` ++ chronyd_dgram_send(ptp4l_t) + chronyd_rw_shm(ptp4l_t) + ') + +-- +2.43.0 + diff --git a/backport-Allow-load_policy-read-and-write-generic-ptys.patch b/backport-Allow-load_policy-read-and-write-generic-ptys.patch new file mode 100644 index 0000000000000000000000000000000000000000..9c25f2e81e72662305a7de052fa6770fe3c23688 --- /dev/null +++ b/backport-Allow-load_policy-read-and-write-generic-ptys.patch 
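Review bot: The header of the new timemaster_manage_pid_sock_files interface in linuxptp.if says `## Manage timemaster pid files.` but the body grants manage_sock_files_pattern on timemaster_var_run_t; it should read `## Manage timemaster pid socket files.` so the documentation matches the permissions. The `allow ptp4l_t self:netlink_generic_socket create_socket_perms;` line in linuxptp.te is not explained by the quoted chronyd AVC; presumably ptp4l uses generic netlink with linuxptp 4.2, but the commit message should say what for or cite that denial. If timemaster_read_pid_files calls files_search_pids($1) in the lines just above the hunk, the new interface should do the same so a caller can reach /run/timemaster without relying on other rules.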
@@ -0,0 +1,35 @@ +From 37e695bcd2ba3fdbb139fc961340b34ba47beb87 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 2 Feb 2024 16:02:53 +0100 +Subject: [PATCH] Allow load_policy read and write generic ptys + +This permission is required when user in the sysadm role executes +"load_policy --help" in a pty terminal. + +The commit addresses the following AVC denial: +type=PROCTITLE msg=audit(02/02/2024 14:32:51.308:1070) : proctitle=load_policy --help +type=PATH msg=audit(02/02/2024 14:32:51.308:1070) : item=0 name=/lib64/ld-linux-x86-64.so.2 inode=257286 dev=00:1f mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=EXECVE msg=audit(02/02/2024 14:32:51.308:1070) : argc=2 a0=load_policy a1=--help +type=SYSCALL msg=audit(02/02/2024 14:32:51.308:1070) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5565827f9eb0 a1=0x5565827fa230 a2=0x5565827dd390 a3=0x5565827fa230 items=1 ppid=10176 pid=10237 auid=staff uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=16 comm=load_policy exe=/usr/sbin/load_policy subj=staff_u:sysadm_r:load_policy_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(02/02/2024 14:32:51.308:1070) : avc: denied { read write } for pid=10237 comm=load_policy path=/dev/pts/3 dev="devpts" ino=6 scontext=staff_u:sysadm_r:load_policy_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:devpts_t:s0 tclass=chr_file permissive=0 + +Resolves: rhbz#2262392 +--- + policy/modules/system/selinuxutil.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te +index 66bd4f523..19f3b6796 100644 +--- a/policy/modules/system/selinuxutil.te ++++ b/policy/modules/system/selinuxutil.te +@@ -208,6 +208,7 @@ selinux_load_policy(load_policy_t) + selinux_set_all_booleans(load_policy_t) + + term_use_console(load_policy_t) ++term_use_generic_ptys(load_policy_t) + 
term_list_ptys(load_policy_t) + term_write_unallocated_ttys(load_policy_t) + +-- +2.43.0 + diff --git a/backport-Allow-login_userdomain-delete-session-dbusd-tmp-sock.patch b/backport-Allow-login_userdomain-delete-session-dbusd-tmp-sock.patch new file mode 100644 index 0000000000000000000000000000000000000000..7ac9d6dee08251b4d775cf2042abdb930c39a1a4 --- /dev/null +++ b/backport-Allow-login_userdomain-delete-session-dbusd-tmp-sock.patch 
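Review bot: term_use_generic_ptys(load_policy_t) grants read/write on every devpts_t pty, not just the inherited /dev/pts/3 from the AVC, for a domain that can load policy and set booleans; that is the conventional refpolicy answer to an inherited terminal and is in line with the existing term_use_console and term_write_unallocated_ttys, but the trigger (`load_policy --help` from a sysadm_r shell) is worth recording. Suggest `# sysadm_r runs load_policy from a pty; usage output goes to the inherited terminal` above the new line.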
@@ -0,0 +1,30 @@ +From 79dba25124b5353a646cff6546df9ac22f97aa22 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 25 Jan 2024 11:54:54 +0100 +Subject: [PATCH] Allow login_userdomain delete session dbusd tmp socket files + +The commit addresses the following AVC denial: +type=PROCTITLE msg=audit(01/24/2024 21:14:21.706:7485) : proctitle=(systemd) +type=PATH msg=audit(01/24/2024 21:14:21.706:7485) : item=1 name=/run/user/1002/bus inode=35 dev=00:36 mode=socket,666 ouid=user12424 ogid=user12424 rdev=00:00 obj=staff_u:object_r:session_dbusd_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=PATH msg=audit(01/24/2024 21:14:21.706:7485) : item=0 name=/run/user/1002/ inode=1 dev=00:36 mode=dir,700 ouid=user12424 ogid=user12424 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(01/24/2024 21:14:21.706:7485) : arch=x86_64 syscall=unlink success=no exit=EACCES(Permission denied) a0=0x55f03a905302 a1=0x55f03a937ea0 a2=0x55f56590dc97 a3=0x55f03a937eb0 items=2 ppid=1 pid=144007 auid=user12424 uid=user12424 gid=user12424 euid=user12424 suid=user12424 fsuid=user12424 egid=user12424 sgid=user12424 fsgid=user12424 tty=(none) ses=37 comm=systemd exe=/usr/lib/systemd/systemd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(01/24/2024 21:14:21.706:7485) : avc: denied { unlink } for pid=144007 comm=systemd name=bus dev="tmpfs" ino=35 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0 +--- + policy/modules/system/userdomain.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index 28f09b625..fc419ada0 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -433,6 +433,7 @@ optional_policy(` + + optional_policy(` + 
dbus_create_session_tmp_sock_files(login_userdomain) ++ dbus_delete_session_tmp_sock_files(login_userdomain) + dbus_write_session_tmp_sock_files(login_userdomain) + ') + +-- +2.43.0 + diff --git a/backport-Allow-login_userdomain-map-files-in-var.patch b/backport-Allow-login_userdomain-map-files-in-var.patch new file mode 100644 index 0000000000000000000000000000000000000000..cc30f837a36ba2c0b9d4ab3dd0d87b38995a8712 --- /dev/null +++ b/backport-Allow-login_userdomain-map-files-in-var.patch 
@@ -0,0 +1,59 @@ +From 15a394d804cc5912d478f4119399b85435a534be Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 19 Feb 2024 16:42:25 +0100 +Subject: [PATCH] Allow login_userdomain map files in /var + +The commit addresses the following AVC denial: +type=PROCTITLE msg=audit(02/19/2024 16:12:10.631:242) : proctitle=/usr/libexec/DiscoverNotifier +type=MMAP msg=audit(02/19/2024 16:12:10.631:242) : fd=16 flags=MAP_PRIVATE +type=SYSCALL msg=audit(02/19/2024 16:12:10.631:242) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0xc9f9bb a2=PROT_READ a3=MAP_PRIVATE items=0 ppid=1231 pid=1993 auid=user uid=user gid=user euid=user suid=user fsuid=user egid=user sgid=user fsgid=user tty=(none) ses=5 comm=DiscoverNotifie exe=/usr/libexec/DiscoverNotifier subj=user_u:user_r:user_t:s0 key=(null) +type=AVC msg=audit(02/19/2024 16:12:10.631:242) : avc: denied { map } for pid=1993 comm=DiscoverNotifie path=/var/cache/swcatalog/cache/en-US-os-catalog.xb dev="vda3" ino=761212 scontext=user_u:user_r:user_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0 +--- + policy/modules/kernel/files.if | 18 ++++++++++++++++++ + policy/modules/system/userdomain.te | 1 + + 2 files changed, 19 insertions(+) + +diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if +index 634ba050c..146b2d5aa 100644 +--- a/policy/modules/kernel/files.if ++++ b/policy/modules/kernel/files.if +@@ -7921,6 +7921,24 @@ interface(`files_read_var_files',` + read_files_pattern($1, var_t, var_t) + ') + ++######################################## ++## ++## Map and read files in the /var directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_map_read_var_files',` ++ gen_require(` ++ type var_t; ++ ') ++ ++ mmap_read_files_pattern($1, var_t, var_t) ++') ++ + ######################################## + ## + ## Append files in the /var directory. 
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index 44350943e..b9c147d03 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -398,6 +398,7 @@ corecmd_watch_bin_dirs(login_userdomain) + dev_watch_generic_dirs(login_userdomain) + dev_watch_video_dev(login_userdomain) + ++files_map_read_var_files(login_userdomain) + files_map_var_lib_files(login_userdomain) + files_read_var_lib_symlinks(login_userdomain) + files_watch_etc_dirs(login_userdomain) +-- +2.43.0 + diff --git a/backport-Allow-login_userdomain-name_bind-to-howl-and-xmsg-ud.patch b/backport-Allow-login_userdomain-name_bind-to-howl-and-xmsg-ud.patch new file mode 100644 index 0000000000000000000000000000000000000000..7f99f124cb156b7e63c6d34b9a519c84b701c176 --- /dev/null +++ b/backport-Allow-login_userdomain-name_bind-to-howl-and-xmsg-ud.patch 
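Review bot: files_map_read_var_files grants map and read on var_t, which is the fallback label for anything under /var without a more specific type, so every login_userdomain process can now map any generically labelled or mislabelled file in /var; the trigger, /var/cache/swcatalog, might deserve its own file context instead of widening the generic type. The name also departs from the convention of the adjacent `files_map_var_lib_files(login_userdomain)` line; `files_map_var_files` would match it, with the interface header noting that mmap_read_files_pattern implies read. If login_userdomain already has files_read_var_files, the new call supersedes it and the older one could be dropped at the call site.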
@@ -0,0 +1,34 @@ +From 8086956514f4433b6d1ca73338b96637f1d75eda Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 2 Feb 2024 18:48:25 +0100 +Subject: [PATCH] Allow login_userdomain name_bind to howl and xmsg udp ports + +The commit addresses the following AVC denials: +type=PROCTITLE msg=audit(02/02/2024 14:26:09.032:995) : proctitle=/usr/libexec/kdeconnectd +type=SYSCALL msg=audit(02/02/2024 14:26:09.032:995) : arch=x86_64 syscall=bind success=yes exit=0 a0=0xf a1=0x7ffe54a0a910 a2=0x1c a3=0x7ffe54a0a8f0 items=0 ppid=6578 pid=9350 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=16 comm=kdeconnectd exe=/usr/libexec/kdeconnectd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(02/02/2024 14:26:09.032:995) : avc: denied { name_bind } for pid=9350 comm=kdeconnectd src=1716 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xmsg_port_t:s0 tclass=udp_socket permissive=1 + +type=PROCTITLE msg=audit(02/02/2024 14:26:09.125:996) : proctitle=/usr/libexec/kdeconnectd +type=SYSCALL msg=audit(02/02/2024 14:26:09.125:996) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x11 a1=0x7ffe54a0a970 a2=0x10 a3=0x7ffe54a0a974 items=0 ppid=6578 pid=9350 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=16 comm=kdeconnectd exe=/usr/libexec/kdeconnectd subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(02/02/2024 14:26:09.125:996) : avc: denied { name_bind } for pid=9350 comm=kdeconnectd src=5353 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket permissive=1 +--- + policy/modules/system/userdomain.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index 2f79fa198..44350943e 100644 +--- a/policy/modules/system/userdomain.te ++++ 
b/policy/modules/system/userdomain.te +@@ -375,7 +375,9 @@ optional_policy(` + allow login_userdomain self:service status; + allow login_userdomain self:user_namespace create; + ++corenet_udp_bind_howl_port(login_userdomain) + corenet_tcp_bind_xmsg_port(login_userdomain) ++corenet_udp_bind_xmsg_port(login_userdomain) + + create_blk_files_pattern(login_userdomain, user_tmp_t, user_tmp_t ) + create_chr_files_pattern(login_userdomain, user_tmp_t, user_tmp_t ) +-- +2.43.0 + diff --git a/backport-Allow-logwatch-read-logind-sessions-files.patch b/backport-Allow-logwatch-read-logind-sessions-files.patch new file mode 100644 index 0000000000000000000000000000000000000000..f5c7f3c55d891f8d9850300478c4dbb63e89d824 --- /dev/null +++ b/backport-Allow-logwatch-read-logind-sessions-files.patch 
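Review bot: The two corenet_udp_bind_* calls give every login_userdomain process an unconditional name_bind on UDP 5353 (howl_port_t, mDNS) and UDP 1716 (xmsg_port_t), although the denials came from kdeconnectd alone. Binding the mDNS port lets any confined user process answer or interfere with multicast DNS on the host alongside the system responder, so if this policy carries a tunable for user-run UDP servers, wrapping the calls in `tunable_policy(`<that boolean>', ...)` or a dedicated boolean would keep the default tighter. At minimum a comment naming the consumer would help: `# kdeconnectd binds mDNS (5353/udp) and 1716/udp`.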
@@ -0,0 +1,35 @@ +From 62365ef6d8f924dea0c0984b26af21f0cea59766 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 20 Mar 2024 16:38:54 +0100 +Subject: [PATCH] Allow logwatch read logind sessions files + +The commit addresses the following AVC denial: +type=PROCTITLE msg=audit(03/20/2024 10:36:55.005:657) : proctitle=uptime +type=PATH msg=audit(03/20/2024 10:36:55.005:657) : item=0 name=/run/systemd/sessions/ inode=81 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_logind_sessions_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(03/20/2024 10:36:55.005:657) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f18e19bb970 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=1 ppid=2011 pid=2012 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=uptime exe=/usr/bin/uptime subj=system_u:system_r:logwatch_t:s0 key=(null) +type=AVC msg=audit(03/20/2024 10:36:55.005:657) : avc: denied { read } for pid=2012 comm=uptime name=sessions dev="tmpfs" ino=81 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir permissive=0 + +Resolves: rhbz#2270484 +--- + policy/modules/contrib/logwatch.te | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te +index ea6db4680..debee6fc8 100644 +--- a/policy/modules/contrib/logwatch.te ++++ b/policy/modules/contrib/logwatch.te +@@ -182,6 +182,11 @@ optional_policy(` + samba_read_share_files(logwatch_t) + ') + ++optional_policy(` ++ systemd_read_logind_sessions_files(logwatch_t) ++') ++ ++ + ######################################## + # + # Mail local policy +-- +2.43.0 + 
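Review bot: Two added blank lines (`++` twice after `++')`) leave a double blank line before the `# Mail local policy` header in logwatch.te, where the file otherwise separates blocks with one; drop one of them. The AVC shows the reader is `uptime` executed from logwatch_t, presumably counting logged-in users from /run/systemd/sessions, which is worth a comment on the new optional_policy block: `# uptime lists /run/systemd/sessions for the logged-in user count`.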
diff --git a/backport-Allow-logwatch_mail_t-read-write-to-init-over-a-unix.patch b/backport-Allow-logwatch_mail_t-read-write-to-init-over-a-unix.patch new file mode 100644 index 0000000000000000000000000000000000000000..a90789f84a46a340fec1d32c76a36beb605a51a3 --- /dev/null +++ b/backport-Allow-logwatch_mail_t-read-write-to-init-over-a-unix.patch 
@@ -0,0 +1,35 @@ +From 1132949d7a8c6ab7fbb0849499de56e214a92bd5 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 21 Mar 2024 16:35:33 +0100 +Subject: [PATCH] Allow logwatch_mail_t read/write to init over a unix stream + socket + +The commit addresses the following AVC denial: +type=PROCTITLE msg=audit(03/21/2024 11:32:44.115:178) : proctitle=/usr/sbin/sendmail -t +type=PATH msg=audit(03/21/2024 11:32:44.115:178) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=9425 dev=00:1f mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=PATH msg=audit(03/21/2024 11:32:44.115:178) : item=0 name=/usr/sbin/sendmail inode=107481 dev=00:1f mode=file,sgid,755 ouid=root ogid=smmsp rdev=00:00 obj=system_u:object_r:sendmail_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=EXECVE msg=audit(03/21/2024 11:32:44.115:178) : argc=2 a0=/usr/sbin/sendmail a1=-t +type=SYSCALL msg=audit(03/21/2024 11:32:44.115:178) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55881f10ea90 a1=0x55881f0dd480 a2=0x55881f10aee0 a3=0x8 items=2 ppid=2597 pid=2611 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=smmsp sgid=smmsp fsgid=smmsp tty=(none) ses=unset comm=sendmail exe=/usr/sbin/sendmail.sendmail subj=system_u:system_r:logwatch_mail_t:s0 key=(null) +type=AVC msg=audit(03/21/2024 11:32:44.115:178) : avc: denied { read write } for pid=2611 comm=sendmail path=socket:[19924] dev="sockfs" ino=19924 scontext=system_u:system_r:logwatch_mail_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0 + +Resolves: rhbz#2270484 +--- + policy/modules/contrib/logwatch.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te +index debee6fc8..c104f870a 100644 +--- a/policy/modules/contrib/logwatch.te ++++ b/policy/modules/contrib/logwatch.te +@@ 
-209,6 +209,8 @@ dev_read_rand(logwatch_mail_t) + dev_read_urand(logwatch_mail_t) + dev_read_sysfs(logwatch_mail_t) + ++init_rw_stream_sockets(logwatch_mail_t) ++ + logging_read_all_logs(logwatch_mail_t) + + mta_read_home(logwatch_mail_t) +-- +2.43.0 + diff --git a/backport-Allow-nut-to-statfs.patch b/backport-Allow-nut-to-statfs.patch new file mode 100644 index 0000000000000000000000000000000000000000..e44f059fcd2ce23feec8482bf0be90396bb4cc48 --- /dev/null +++ b/backport-Allow-nut-to-statfs.patch 
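Review bot: init_rw_stream_sockets(logwatch_mail_t) allows read and write on an init_t unix_stream_socket the sendmail child inherited (the AVC shows `path=socket:[19924]` with no filesystem path, for the `/usr/sbin/sendmail -t` exec from logwatch); if that socket is only the service's stdout/stderr handed down by systemd, the output is rarely needed and `init_dontaudit_rw_stream_sockets(logwatch_mail_t)` would silence the denial without granting access to an init_t socket. If logwatch_t itself already has init_rw_stream_sockets, keeping the child consistent is defensible, but a comment such as `# inherited stdout/stderr socket from systemd` should say which case this is.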
@@ -0,0 +1,42 @@ +From 5cc849d7839d43b7034b54fb08e75fcd1182fdae Mon Sep 17 00:00:00 2001 +From: Orion Poplawski +Date: Wed, 24 Apr 2024 10:25:12 -0600 +Subject: [PATCH] Allow nut to statfs() + +This resolves the following denials: +type=AVC msg=audit(1713892782.603:545): avc: denied { getattr } for pid=46128 comm="upsd" name="/" dev="dm-1" ino=128 scontext=system_u:system_r:nut_upsd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0 +type=AVC msg=audit(1713894055.590:666): avc: denied { getattr } for pid=53147 comm="shutdown" name="/" dev="dm-1" ino=128 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 +--- + policy/modules/contrib/nut.te | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te +index e56b92969..ff95197ea 100644 +--- a/policy/modules/contrib/nut.te ++++ b/policy/modules/contrib/nut.te +@@ -1,4 +1,4 @@ +-policy_module(nut, 1.3.1) ++policy_module(nut, 1.3.2) + + ######################################## + # +@@ -59,6 +59,8 @@ corenet_tcp_bind_generic_port(nut_upsd_t) + corenet_tcp_bind_all_nodes(nut_upsd_t) + + fs_getattr_cgroup(nut_upsd_t) ++# NSS does a statfs() on the database to determine filesystem type ++fs_getattr_xattr_fs(nut_upsd_t) + + optional_policy(` + unconfined_stream_connect(nut_upsd_t) +@@ -101,6 +103,7 @@ term_write_all_terms(nut_upsmon_t) + # upsmon runs shutdown, probably need a shutdown domain + init_rw_utmp(nut_upsmon_t) + init_telinit(nut_upsmon_t) ++fs_getattr_xattr_fs(nut_upsmon_t) + + + mta_send_mail(nut_upsmon_t) +-- +2.43.0 + diff --git a/backport-Allow-plymouthd-log-during-shutdown.patch b/backport-Allow-plymouthd-log-during-shutdown.patch new file mode 100644 index 0000000000000000000000000000000000000000..e9376a5937e7d36dbef18262ddef63e4dcd3a1ec --- /dev/null +++ b/backport-Allow-plymouthd-log-during-shutdown.patch 
@@ -0,0 +1,42 @@ +From 95ac1bb0e4d0d6d0a339528ab32d4d99e5a95e23 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 12 Feb 2024 17:38:22 +0100 +Subject: [PATCH] Allow plymouthd log during shutdown + +The commit addresses the following AVC denial: +type=PROCTITLE msg=audit(01/02/2024 10:27:30.470:537) : proctitle=/usr/sbin/plymouthd --mode=reboot --attach-to-session +type=PATH msg=audit(01/02/2024 10:27:30.470:537) : item=0 name=/dev/kmsg inode=10 dev=00:05 mode=character,644 ouid=root ogid=root rdev=01:0b obj=system_u:object_r:kmsg_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(01/02/2024 10:27:30.470:537) : arch=x86_64 syscall=openat success=yes exit=9 a0=AT_FDCWD a1=0x7f20c822f50a a2=O_RDWR|O_NONBLOCK a3=0x0 items=1 ppid=22623 pid=22627 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=plymouthd exe=/usr/sbin/plymouthd subj=system_u:system_r:plymouthd_t:s0 key=(null) +type=AVC msg=audit(01/02/2024 10:27:30.470:537) : avc: denied { syslog_read } for pid=22627 comm=plymouthd scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1 +type=AVC msg=audit(01/02/2024 10:27:30.470:537) : avc: denied { open } for pid=22627 comm=plymouthd path=/dev/kmsg dev="devtmpfs" ino=10 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=1 +type=AVC msg=audit(01/02/2024 10:27:30.470:537) : avc: denied { read write } for pid=22627 comm=plymouthd name=kmsg dev="devtmpfs" ino=10 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file permissive=1 + +Resolves: rhbz#2256442 +--- + policy/modules/contrib/plymouthd.te | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te +index 08c7d278f..63bdff4c6 100644 +--- 
a/policy/modules/contrib/plymouthd.te ++++ b/policy/modules/contrib/plymouthd.te +@@ -57,6 +57,7 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) + manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) + files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir }) + ++kernel_read_ring_buffer(plymouthd_t) + kernel_read_system_state(plymouthd_t) + kernel_request_load_module(plymouthd_t) + kernel_change_ring_buffer_level(plymouthd_t) +@@ -68,6 +69,8 @@ dev_read_sysfs(plymouthd_t) + dev_read_framebuffer(plymouthd_t) + dev_write_framebuffer(plymouthd_t) + dev_map_framebuffer(plymouthd_t) ++dev_read_kmsg(plymouthd_t) ++dev_write_kmsg(plymouthd_t) + dev_rw_xserver_misc(plymouthd_t) + + domain_use_interactive_fds(plymouthd_t) +-- +2.43.0 + diff --git a/backport-Allow-plymouthd-read-efivarfs-files.patch b/backport-Allow-plymouthd-read-efivarfs-files.patch new file mode 100644 index 0000000000000000000000000000000000000000..44f31bacf8593916634795bb04da356c6ead1f0e --- /dev/null +++ b/backport-Allow-plymouthd-read-efivarfs-files.patch 
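Review bot: kernel_read_ring_buffer(plymouthd_t) grants syslog_read, i.e. reading the whole kernel log, although the change is described as letting plymouthd log during shutdown; it is required only because plymouthd opens /dev/kmsg with O_RDWR (SYSCALL `a2=O_RDWR|O_NONBLOCK`), so the read side cannot be dropped in policy alone. A comment should make that dependency explicit so nobody later swaps it for a dontaudit: `# plymouthd opens /dev/kmsg O_RDWR, so reading the ring buffer must be allowed as well`. The dev_read_kmsg/dev_write_kmsg pair on the chr_file matches the `{ read write }` denial.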
@@ -0,0 +1,31 @@
+From e1447f7b473cd76de91a6a82be8c39bf7585ca3c Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 24 Apr 2024 20:09:35 +0200
+Subject: [PATCH] Allow plymouthd read efivarfs files
+
+The commit addresses the following AVC denial:
+type=PATH msg=audit(1713905790.274:105): item=0 name=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c inode=3360 dev=00:1e mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:efivarfs_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
+type=AVC msg=audit(1713905790.274:105): avc: denied { read } for pid=435 comm="plymouthd" name="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" dev="efivarfs" ino=3360 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
+type=SYSCALL msg=audit(1713905790.274:105): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=7f3417ba4150 a2=0 a3=0 items=1 ppid=1 pid=435 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=plymouthd exe=/usr/sbin/plymouthd subj=system_u:system_r:plymouthd_t:s0 key=(null)
+
+Resolves: rhbz#2276729
+---
+ policy/modules/contrib/plymouthd.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/plymouthd.te b/policy/modules/contrib/plymouthd.te
+index 63bdff4c6..3923b7e75 100644
+--- a/policy/modules/contrib/plymouthd.te
++++ b/policy/modules/contrib/plymouthd.te
+@@ -76,7 +76,7 @@ dev_rw_xserver_misc(plymouthd_t)
+ domain_use_interactive_fds(plymouthd_t)
+
+ fs_getattr_all_fs(plymouthd_t)
+-fs_search_efivarfs_dirs(plymouthd_t)
++fs_read_efivarfs_files(plymouthd_t)
+
+ term_getattr_pty_fs(plymouthd_t)
+ term_use_all_terms(plymouthd_t)
+--
+2.43.0
+
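Review bot: Replacing `fs_search_efivarfs_dirs(plymouthd_t)` with `fs_read_efivarfs_files(plymouthd_t)` assumes the read interface also carries the directory search permission the removed line provided; if the read interface in filesystem.if does not include search on the efivarfs directory, the openat of /sys/firmware/efi/efivars/SecureBoot-… in the denial would still fail at path lookup, so this is worth confirming rather than inferring from the name. The new rule grants read on every variable under efivarfs, not only the SecureBoot entry the denial shows; that is inherent to the single efivarfs_t type, but a comment such as `# plymouthd reads the SecureBoot efivar` would record the actual need for the next reviewer.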
diff --git a/backport-Allow-polkit-status-all-systemd-services.patch b/backport-Allow-polkit-status-all-systemd-services.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3fbcb8b6735f2c73a53d8b44e5bf5b4e12c773b0
--- /dev/null
+++ b/backport-Allow-polkit-status-all-systemd-services.patch
@@ -0,0 +1,48 @@
+From 72ce5db32d5cf0ceb9a63e1a1022ebd3a17c594c Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 5 Feb 2024 14:34:47 +0100
+Subject: [PATCH] Allow polkit status all systemd services
+
+With the c122d7d08 ("Allow polkit status systemd services") commit,
+polkit was allowed to status systemd services with the unspecific
+systemd_unit_file_t type. It turns out polkit actually needs access to
+all unit files to be able to pair every process requesting an
+authorization with a particular systemd unit using the "GetUnitByPIDFD"
+method:
+
+ result = g_dbus_connection_call_with_unix_fd_list_sync (connection,
+ "org.freedesktop.systemd1", /* name */
+ "/org/freedesktop/systemd1", /* object path */
+ "org.freedesktop.systemd1.Manager", /* interface name */
+ "GetUnitByPIDFD", /* method */
+ g_variant_new ("(h)", fd_id),
+ G_VARIANT_TYPE ("(osay)"),
+ G_DBUS_CALL_FLAGS_NONE,
+ -1,
+ fd_list,
+ NULL,
+ NULL,
+ &error);
+
+The commit addresses the following USER_AVC denial:
+type=USER_AVC msg=audit(02/01/2024 00:24:13.131:21233) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=polkitd path=/usr/lib/systemd/system/systemd-networkd.service cmdline="/usr/lib/polkit-1/polkitd --no-debug" function="method_get_unit_by_pidfd" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:systemd_networkd_unit_file_t:s0 tclass=service permissive=0 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
+---
+ policy/modules/contrib/policykit.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
+index 7f3968cf2..b7c49ccad 100644
+--- a/policy/modules/contrib/policykit.te
++++ b/policy/modules/contrib/policykit.te
+@@ -152,7 +152,7 @@ optional_policy(`
+ systemd_read_logind_sessions_files(policykit_t)
+ systemd_login_list_pid_dirs(policykit_t)
+ systemd_login_read_pid_files(policykit_t)
+- systemd_status_systemd_services(policykit_t)
++ systemd_status_all_unit_files(policykit_t)
+ ')
+
+ ########################################
+--
+2.43.0
+
diff --git a/backport-Allow-polkit-status-systemd-services.patch b/backport-Allow-polkit-status-systemd-services.patch
new file mode 100644
index 0000000000000000000000000000000000000000..33993e1d19cbe81ffb2b61591374f2a4ca09f9d9
--- /dev/null
+++ b/backport-Allow-polkit-status-systemd-services.patch
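Review bot: `systemd_status_all_unit_files(policykit_t)` replaces rather than supplements `systemd_status_systemd_services(policykit_t)`, so the change is only complete if the "all unit files" interface also covers the generic systemd_unit_file_t type; the names make that likely, but it should be checked in systemd.if, because otherwise the earlier denial on user@.service (labelled systemd_unit_file_t) returns. The status permission on the service class is read-only, so widening from one type to every unit-file type is an information-exposure question (which units exist and their state) rather than a control one, but it is still every unit type in the policy. A comment above the rule, e.g. `# GetUnitByPIDFD needs status on whichever unit the calling process belongs to`, would explain why the broad scope is the right one.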
@@ -0,0 +1,31 @@
+From c122d7d08781eb9e5d2fb05a5f59a4ad3c6d6c63 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 22 Jan 2024 14:27:26 +0100
+Subject: [PATCH] Allow polkit status systemd services
+
+To track processes, Polkit v124 uses method_get_unit_by_pidfd()
+if available which checks the user-instance user@ service.
+If the method fails, polkit falls back to legacy pid check.
+https://github.com/polkit-org/polkit/commit/82f0924dc0eb23b9df68e88dbaf9e07c81940a5a
+
+The commit addresses the following USER_AVC denial:
+type=USER_AVC msg=audit(1705928748.141:203): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=114 gid=114 path="/usr/lib/systemd/system/user@.service" cmdline="/usr/lib/polkit-1/polkitd --no-debug" function="method_get_unit_by_pidfd" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
+---
+ policy/modules/contrib/policykit.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
+index 642630e63..7f3968cf2 100644
+--- a/policy/modules/contrib/policykit.te
++++ b/policy/modules/contrib/policykit.te
+@@ -152,6 +152,7 @@ optional_policy(`
+ systemd_read_logind_sessions_files(policykit_t)
+ systemd_login_list_pid_dirs(policykit_t)
+ systemd_login_read_pid_files(policykit_t)
++ systemd_status_systemd_services(policykit_t)
+ ')
+
+ ########################################
+--
+2.43.0
+
diff --git a/backport-Allow-qemu-ga-read-vm-sysctls.patch b/backport-Allow-qemu-ga-read-vm-sysctls.patch
new file mode 100644
index 0000000000000000000000000000000000000000..18c49b1271932e2450677437f7635da5ec059cda
--- /dev/null
+++ b/backport-Allow-qemu-ga-read-vm-sysctls.patch
@@ -0,0 +1,32 @@
+From b7f8dd243f2b8cb7781921951e2b505cdd52dc80 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 5 Apr 2024 19:41:57 +0200
+Subject: [PATCH] Allow qemu-ga read vm sysctls
+
+The commit addresses the following AVC denial:
+type=PROCTITLE msg=audit(04/05/2024 08:35:35.512:92) : proctitle=/usr/bin/qemu-ga --method=virtio-serial --path=/dev/virtio-ports/org.qemu.guest_agent.0 --allow-rpcs=guest-sync-delimited,guest-
+type=PATH msg=audit(04/05/2024 08:35:35.512:92) : item=0 name=/proc/sys/vm/max_map_count inode=19121 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(04/05/2024 08:35:35.512:92) : arch=aarch64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0xaaaae899c318 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=1448 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=qemu-ga exe=/usr/bin/qemu-ga subj=system_u:system_r:virt_qemu_ga_t:s0 key=(null)
+type=AVC msg=audit(04/05/2024 08:35:35.512:92) : avc: denied { open } for pid=1448 comm=qemu-ga path=/proc/sys/vm/max_map_count dev="proc" ino=19121 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1
+type=AVC msg=audit(04/05/2024 08:35:35.512:92) : avc: denied { read } for pid=1448 comm=qemu-ga name=max_map_count dev="proc" ino=19121 scontext=system_u:system_r:virt_qemu_ga_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1
+
+Resolves: RHEL-31892
+---
+ policy/modules/contrib/virt_supplementary.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/virt_supplementary.te b/policy/modules/contrib/virt_supplementary.te
+index 54046edd3..f20a69096 100644
+--- a/policy/modules/contrib/virt_supplementary.te
++++ b/policy/modules/contrib/virt_supplementary.te
+@@ -183,6 +183,7 @@ logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, { dir file })
+ kernel_read_system_state(virt_qemu_ga_t)
+ kernel_read_network_state(virt_qemu_ga_t)
+ kernel_rw_kernel_sysctl(virt_qemu_ga_t)
++kernel_read_vm_sysctls(virt_qemu_ga_t)
+
+ corecmd_exec_shell(virt_qemu_ga_t)
+ corecmd_exec_bin(virt_qemu_ga_t)
+--
+2.43.0
+
diff --git a/backport-Allow-samba-to-have-dac_override-capability.patch b/backport-Allow-samba-to-have-dac_override-capability.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3dca9b6d4e9566ff38559c21530119e24d93b3a1
--- /dev/null
+++ b/backport-Allow-samba-to-have-dac_override-capability.patch
@@ -0,0 +1,47 @@
+From 8d7c223b38ae0bc48b0f8ccc7aaf659b7deee6be Mon Sep 17 00:00:00 2001
+From: Anoop C S
+Date: Thu, 4 Jan 2024 13:07:15 +0530
+Subject: [PATCH] Allow samba to have dac_override capability
+
+Previously commit cc5d0d7c98d06866f26dd1f54b34f70fd3b531f9 removed
+dac_override capability from many SELinux modules. But with recent
+changes[1] to Samba upstream it has become necessary to have this
+capability to work under some special common configurations.
+
+One among those configurations require smbd to read ACLs stored in
+extended attributes from security namespace which further calls for
+additional privileges where dac_override would be the bare minimum
+and least expensive capability to be acquired without becoming root.
+You may find slighlty more details from the discussion around the
+merge request[2] upstream.
+
+Therefore resurrect the dac_override capability for smbd_t to avoid
+the following AVC denial.
+
+type=AVC msg=audit(1700643404.314:3644): avc: denied { dac_override } for pid=83444 comm="smbd[192.168.12" capability=1 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:smbd_t:s0 tclass=capability permissive=0
+type=SYSCALL msg=audit(1700643404.314:3644): arch=c000003e syscall=191 success=no exit=-61 a0=7ffea4096890 a1=7f5809ce635a a2=561c6dfe9d90 a3=1000 items=1 ppid=76437 pid=83444 auid=4294967295 uid=2001 gid=0 euid=2001 suid=0 fsuid=2001 egid=2001 sgid=0 fsgid=2001 tty=(none) ses=4294967295 comm="smbd[192.168.12" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)ARCH=x86_64 SYSCALL=getxattr AUID="unset" UID="test1" GID="root" EUID="test1" SUID="root" FSUID="test1" EGID="test1" SGID="root" FSGID="test1"
+
+[1] https://git.samba.org/?p=samba.git;a=commit;h=a1738e8265dd256c5a1064482a6dfccbf9ca44f1
+[2] https://gitlab.com/samba-team/samba/-/merge_requests/3434
+
+Signed-off-by: Anoop C S
+---
+ policy/modules/contrib/samba.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 4587846f2..d4ebd9bb6 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -286,7 +286,7 @@ optional_policy(`
+ # smbd Local policy
+ #
+
+-allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_read_search net_admin };
++allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search net_admin };
+ dontaudit smbd_t self:capability sys_tty_config;
+ dontaudit smbd_t self:capability2 block_suspend;
+ allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+--
+2.43.0
+
diff --git a/backport-Allow-smbd_t-to-watch-user_home_dir_t-if-samba_enabl.patch b/backport-Allow-smbd_t-to-watch-user_home_dir_t-if-samba_enabl.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e888a19f0de9b25730393d5efb9ae5c930429bde
--- /dev/null
+++ b/backport-Allow-smbd_t-to-watch-user_home_dir_t-if-samba_enabl.patch
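Review bot: `dac_override` is restored for smbd_t unconditionally, although the justification given is one share configuration (ACLs kept in security.* xattrs, Samba commit a1738e8), so every smbd deployment now carries a capability that bypasses file-permission checks on any file smbd_t is otherwise allowed to reach by type. If the policy has a boolean covering that configuration, gating the grant in a `tunable_policy` block would confine it; if not, at minimum a comment next to the rule should record the reason, e.g. `# dac_override: smbd reads ACLs stored in security.* xattrs (Samba a1738e8)`, since the rule otherwise reads as an unexplained reversal of cc5d0d7c98. The SYSCALL record shows getxattr failing with exit=-61 (ENODATA) under permissive=0, which suggests the capability check is hit before the attribute lookup completes; the denial alone does not establish that dac_override is the minimum needed, as the message itself hedges.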
@@ -0,0 +1,35 @@
+From 210bb812c1d727318cf8d977b5440437135f02a0 Mon Sep 17 00:00:00 2001
+From: Juraj Marcin
+Date: Mon, 22 Jan 2024 16:30:21 +0100
+Subject: [PATCH] Allow smbd_t to watch user_home_dir_t if
+ samba_enable_home_dirs is on
+
+When samba is allowed to access home directory, it sometimes needs to
+add watch on the whole home directory to respond to watch requests from
+clients (for example from Windows).
+
+Addresses the following denial:
+type=AVC msg=audit(1705933921.682:202): avc: denied { watch } for pid=11956 comm="smbd-notifyd" path="/home/test" dev="vda4" ino=912095 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
+
+Resolves: RHEL-14735
+---
+ policy/modules/contrib/samba.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 5eed73a50..4587846f2 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -481,7 +481,9 @@ tunable_policy(`samba_domain_controller',`
+
+ tunable_policy(`samba_enable_home_dirs',`
+ userdom_manage_user_home_content(smbd_t)
++ userdom_watch_user_home_dirs(smbd_t)
+ userdom_manage_user_home_content(winbind_rpcd_t)
++ userdom_watch_user_home_dirs(winbind_rpcd_t)
+ ')
+
+ optional_policy(`
+--
+2.43.0
+
diff --git a/backport-Allow-sssd-create-and-use-io_uring.patch b/backport-Allow-sssd-create-and-use-io_uring.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9b11ff8346a237c553cad13f60c9ac127ded8f1c
--- /dev/null
+++ b/backport-Allow-sssd-create-and-use-io_uring.patch
@@ -0,0 +1,30 @@
+From a4c9c9ba835c371a817590f3c8c4e894d3fb7d37 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 24 Apr 2024 21:40:43 +0200
+Subject: [PATCH] Allow sssd create and use io_uring
+
+The commit addresses the following AVC denials:
+avc: denied { create } for pid=879 comm="nsupdate" anonclass=[io_uring] scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1
+avc: denied { map } for pid=879 comm="nsupdate" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=11274 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1
+avc: denied { read write } for pid=879 comm="nsupdate" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=11274 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1
+
+Resolves: rhbz#2276937
+---
+ policy/modules/contrib/sssd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
+index 0592316b3..d240933c7 100644
+--- a/policy/modules/contrib/sssd.te
++++ b/policy/modules/contrib/sssd.te
+@@ -102,6 +102,7 @@ manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+ manage_sock_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir sock_file })
+
++kernel_io_uring_use(sssd_t)
+ kernel_read_network_state(sssd_t)
+ kernel_read_system_state(sssd_t)
+ kernel_request_load_module(sssd_t)
+--
+2.43.0
+
diff --git a/backport-Allow-staff_t-the-io_uring-sqpoll-permission.patch b/backport-Allow-staff_t-the-io_uring-sqpoll-permission.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d5d2175b8859ce0b72fea6c185252eca1c8f75f0
--- /dev/null
+++ b/backport-Allow-staff_t-the-io_uring-sqpoll-permission.patch
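Review bot: The denials come from comm="nsupdate" running inside sssd_t, so `kernel_io_uring_use(sssd_t)` hands the io_uring anon_inode permissions to the whole sssd domain to satisfy a helper binary it executes without a domain transition. io_uring has carried a steady stream of kernel security fixes, and keeping that surface reachable from a privileged daemon deserves a comment recording who needs it, e.g. `# nsupdate, executed by sssd for DNS updates, sets up an io_uring`, so the rule can be revisited if the helper stops using it. The same consideration applies to the staff_t hunks in backport-Allow-staff_t-use-the-io_uring-API.patch and backport-Allow-staff_t-the-io_uring-sqpoll-permission.patch, where `kernel_io_uring_use(staff_t)` and `allow staff_t self:io_uring sqpoll;` are added on the strength of permissive-mode logs from qemu-img and a desktop application; whether an interactive role should be able to request a kernel-side submission-polling thread (sqpoll) is a policy decision worth stating in the commit rather than leaving implicit.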
@@ -0,0 +1,28 @@
+From e6e2575cb4007540f4747aa6791c27de28dd413c Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 13 May 2024 10:42:14 +0200
+Subject: [PATCH] Allow staff_t the io_uring sqpoll permission
+
+The commit addresses the following AVC denial:
+type=PROCTITLE msg=audit(10.5.2024 18:11:00.485:871) : proctitle=/opt/app
+type=SYSCALL msg=audit(10.5.2024 18:11:00.485:871) : arch=x86_64 syscall=io_uring_setup success=yes exit=7 a0=0x40 a1=0x7ffe85d540b0 a2=0x53 a3=0x1aa800238600 items=0 ppid=83930 pid=84132 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=(none) ses=3 comm=freetube exe=/opt/FreeTube/freetube subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(10.5.2024 18:11:00.485:871) : avc: denied { sqpoll } for pid=84132 comm=freetube scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=io_uring permissive=1
+---
+ policy/modules/roles/staff.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
+index f7147b819..be10299fa 100644
+--- a/policy/modules/roles/staff.te
++++ b/policy/modules/roles/staff.te
+@@ -23,6 +23,7 @@ gen_tunable(staff_use_svirt, false)
+ #
+
+ allow staff_t self:cap_userns { setpcap };
++allow staff_t self:io_uring sqpoll;
+ allow staff_t self:netlink_generic_socket { create_socket_perms };
+
+ corenet_ib_access_unlabeled_pkeys(staff_t)
+--
+2.43.0
+
diff --git a/backport-Allow-staff_t-use-the-io_uring-API.patch b/backport-Allow-staff_t-use-the-io_uring-API.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1aaaf14e22af3f0f84b1347adbb53488ec9868c2
--- /dev/null
+++ b/backport-Allow-staff_t-use-the-io_uring-API.patch
@@ -0,0 +1,35 @@
+From 339a8aff140f19975235c05efd3defb7db7f4eb9 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 9 May 2024 16:18:14 +0200
+Subject: [PATCH] Allow staff_t use the io_uring API
+
+Required for handling qemu disk images by a user in the staff_t domain.
+
+The commit addresses the following AVC denials:
+type=PROCTITLE msg=audit(9.5.2024 11:47:16.231:436) : proctitle=qemu-img create -qf qcow2 -F qcow2 -b /path/filename.qcow2 -o lazy
+type=SYSCALL msg=audit(9.5.2024 11:47:16.231:436) : arch=x86_64 syscall=io_uring_setup success=yes exit=4 a0=0x80 a1=0x7ffc49b29840 a2=0x7ffc49b29840 a3=0x4 items=0 ppid=25793 pid=25872 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=pts11 ses=3 comm=qemu-img exe=/usr/bin/qemu-img subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(9.5.2024 11:47:16.231:436) : avc: denied { create } for pid=25872 comm=qemu-img anonclass=[io_uring] scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1
+type=PROCTITLE msg=audit(9.5.2024 11:47:16.231:437) : proctitle=qemu-img create -qf qcow2 -F qcow2 -b /path/filename.qcow2 -o lazy
+type=MMAP msg=audit(9.5.2024 11:47:16.231:437) : fd=4 flags=MAP_SHARED|MAP_POPULATE
+type=SYSCALL msg=audit(9.5.2024 11:47:16.231:437) : arch=x86_64 syscall=mmap success=yes exit=139636585943040 a0=0x0 a1=0x1240 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED|MAP_POPULATE items=0 ppid=25793 pid=25872 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=pts11 ses=3 comm=qemu-img exe=/usr/bin/qemu-img subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(9.5.2024 11:47:16.231:437) : avc: denied { read write } for pid=25872 comm=qemu-img path=anon_inode:[io_uring] dev="anon_inodefs" ino=318625 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1
+type=AVC msg=audit(9.5.2024 11:47:16.231:437) : avc: denied { map } for pid=25872 comm=qemu-img path=anon_inode:[io_uring] dev="anon_inodefs" ino=318625 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1
+---
+ policy/modules/roles/staff.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
+index 9f67c92c1..f7147b819 100644
+--- a/policy/modules/roles/staff.te
++++ b/policy/modules/roles/staff.te
+@@ -27,6 +27,7 @@ allow staff_t self:netlink_generic_socket { create_socket_perms };
+
+ corenet_ib_access_unlabeled_pkeys(staff_t)
+
++kernel_io_uring_use(staff_t)
+ kernel_read_ring_buffer(staff_t)
+ kernel_getattr_core_if(staff_t)
+ kernel_getattr_message_if(staff_t)
+--
+2.43.0
+
diff --git a/backport-Allow-su-domains-write-login-records.patch b/backport-Allow-su-domains-write-login-records.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b51909a33d94a9450a00ba176bc79d00c2c8af8c
--- /dev/null
+++ b/backport-Allow-su-domains-write-login-records.patch
@@ -0,0 +1,30 @@
+From 2d6a2accaac137e9513ffd9e5565a00885515264 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 25 Jan 2024 21:35:06 +0100
+Subject: [PATCH] Allow su domains write login records
+
+The commit addresses the following AVC denial:
+type=SYSCALL msg=audit(12/31/1969 19:00:08.000:0) : arch=unknown-elf-type(x86_64) syscall=read success=no exit=EACCES(Permission denied) a0=0x0xffffff9c a1=0x0x7fa86f9fea59 a2=0xO_WRONLY a3=0x0x0 items=1 ppid=44644 pid=44645 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=su exe=/usr/bin/su subj=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 key=perm_access
+type=PATH msg=audit(12/31/1969 19:00:08.000:0) : item=0 name=/var/log/wtmp inode=25 dev=08:0a mode=000,000 664 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:wtmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=AVC msg=audit(12/31/1969 19:00:08.000:0) : avc: denied { write } for pid=44645 comm=su name=wtmp dev="sda10" ino=25 scontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=0
+
+Resolves: RHEL-2606
+---
+ policy/modules/admin/su.if | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
+index 307221f94..669afba14 100644
+--- a/policy/modules/admin/su.if
++++ b/policy/modules/admin/su.if
+@@ -80,6 +80,7 @@ template(`su_restricted_domain_template', `
+ auth_dontaudit_read_shadow($1_su_t)
+ auth_use_nsswitch($1_su_t)
+ auth_rw_faillog($1_su_t)
++ auth_write_login_records($1_su_t)
+
+ domain_use_interactive_fds($1_su_t)
+
+--
+2.43.0
+
diff --git a/backport-Allow-sudodomain-list-files-in-var.patch b/backport-Allow-sudodomain-list-files-in-var.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3a762cfe15ebfedd3b79bdc085e6317550cf3492
--- /dev/null
+++ b/backport-Allow-sudodomain-list-files-in-var.patch
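Review bot: `auth_write_login_records($1_su_t)` lands in su_restricted_domain_template, so it applies to every `$1_su_t` the template instantiates, while the denial only shows sysadm_su_t writing /var/log/wtmp. That is probably the right scope, since su records the session whoever the caller is, but write access to wtmp_t from a less privileged su domain also means that domain can alter the login history that incident responders rely on, so a short comment such as `# su records the new session in wtmp` keeps the intent visible. The template body begins and ends outside this hunk.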
@@ -0,0 +1,33 @@
+From a026c04a0b71aa2145600a82e1e7336dd959d7a6 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 13 May 2024 17:01:16 +0200
+Subject: [PATCH] Allow sudodomain list files in /var
+
+This permission is required when the iolog_dir directive is configured
+in the sudoers file for the sudo command input/output log directory.
+
+The commit addresses the following AVC denial:
+type=PROCTITLE msg=audit(11/09/2023 08:46:34.833:368) : proctitle=sudo dmidecode
+type=SYSCALL msg=audit(11/09/2023 08:46:34.833:368) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fff7f989ef0 a2=O_RDONLY|O_NONBLOCK a3=0x0 items=0 ppid=4561 pid=29408 auid=sysadm uid=sysadm gid=sysadm euid=root suid=root fsuid=root egid=root sgid=sysadm fsgid=root tty=pts1 ses=8 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(11/09/2023 08:46:34.833:368) : avc: denied { read } for pid=29408 comm=sudo name=var dev="dm-0" ino=33575046 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
+
+Resolves: RHEL-16104
+---
+ policy/modules/admin/sudo.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
+index febc1e95b..51ed4ecd4 100644
+--- a/policy/modules/admin/sudo.te
++++ b/policy/modules/admin/sudo.te
+@@ -70,6 +70,7 @@ domain_sigchld_interactive_fds(sudodomain)
+ domain_getattr_all_entry_files(sudodomain)
+
+ files_read_etc_files(sudodomain)
++files_list_var(sudodomain)
+ files_read_var_files(sudodomain)
+ files_read_usr_files(sudodomain)
+ # for some PAM modules and for cwd
+--
+2.43.0
+
diff --git a/backport-Allow-sulogin-relabel-tty1.patch b/backport-Allow-sulogin-relabel-tty1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b8b28cf8c787ce6049c58d9156461b24a6ba3d7f
--- /dev/null
+++ b/backport-Allow-sulogin-relabel-tty1.patch
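Review bot: The surrounding rules in sudo.te are annotated in place (`# for some PAM modules and for cwd` sits two lines below), but `files_list_var(sudodomain)` is added without a note even though the commit message ties it to one specific sudoers setting; adding `# for sudo iolog_dir` above the new line follows the local style and saves the next reader a trip to RHEL-16104. Read permission on var_t directories is low impact, so this is purely a documentation point.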
@@ -0,0 +1,68 @@
+From 2280f1d61922c3827b7b39ead8121531eae683b1 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 4 Mar 2024 16:26:59 +0100
+Subject: [PATCH] Allow sulogin relabel tty1
+
+Permissions to relabel from tty_device_t to user_tty_device_t and
+backwards were allowed for sulogin which is executed e.g. from the
+emergency.target system service.
+
+The commit addresses the following AVC denial:
+Mar 04 14:02:36 localhost audit[661]: AVC avc: denied { relabelfrom } for pid=661 comm="sulogin" name="tty1" dev="devtmpfs" ino=20 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=1
+Mar 04 14:02:36 localhost audit[661]: AVC avc: denied { relabelto } for pid=661 comm="sulogin" name="tty1" dev="devtmpfs" ino=20 scontext=system_u:system_r:sulogin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1
+---
+ policy/modules/system/locallogin.te | 3 +++
+ policy/modules/system/userdomain.if | 19 +++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 55dfd74fc..790f5cee9 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -257,10 +257,13 @@ logging_send_syslog_msg(sulogin_t)
+ seutil_read_config(sulogin_t)
+ seutil_read_default_contexts(sulogin_t)
+
++term_relabel_unallocated_ttys(sulogin_t)
++
+ userdom_use_unpriv_users_fds(sulogin_t)
+
+ userdom_search_admin_dir(sulogin_t)
+ userdom_search_user_home_dirs(sulogin_t)
++userdom_relabel_user_ttys(sulogin_t)
+ userdom_use_user_ptys(sulogin_t)
+
+ term_use_console(sulogin_t)
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index 937915bbe..c3d0b0a98 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -4728,6 +4728,25 @@ interface(`userdom_dontaudit_use_user_ttys',`
+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
+ ')
+
++#######################################
++##
++## Relabel from and to user ttys.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_relabel_user_ttys',`
++ gen_require(`
++ type user_tty_device_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 user_tty_device_t:chr_file relabel_chr_file_perms;
++')
++
+ ########################################
+ ##
+ ## Read the process state of all user domains.
+--
+2.43.0
+
diff --git a/backport-Allow-svirt_t-read-vm-sysctls.patch b/backport-Allow-svirt_t-read-vm-sysctls.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9da8065d2052c0b5b8659b8739a10b97c1ccf51d
--- /dev/null
+++ b/backport-Allow-svirt_t-read-vm-sysctls.patch
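Review bot: The new `userdom_relabel_user_ttys` interface silently bundles `dev_list_all_dev_nodes($1)` with the relabel permission, so any future caller asking only to relabel user ttys also gets to list every device node; the interface header should say so (e.g. `## Also allows listing /dev, needed to locate the tty.`) or the listing call should be left to the caller, since neither denial shown includes a directory read. Relabel permissions let sulogin_t move a tty between tty_device_t and user_tty_device_t in both directions, which is expected for a login program but is the one rule in this patch that changes labels rather than reading them, so the locallogin.te hunk would benefit from a comment such as `# sulogin relabels the console tty for the emergency shell`. The comment separator above the new interface also appears one character shorter than the neighbouring block's, a cosmetic inconsistency.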
@@ -0,0 +1,32 @@
+From 6f928dcfc5a6ccd19887763148aed7c53dd0fadb Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Sat, 4 May 2024 21:45:42 +0200
+Subject: [PATCH] Allow svirt_t read vm sysctls
+
+The commit addresses the following AVC denial:
+type=PROCTITLE msg=audit(04/10/2024 04:54:54.905:788) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra
+type=PATH msg=audit(04/10/2024 04:54:54.905:788) : item=0 name=/proc/sys/vm/max_map_count inode=68303 dev=00:14 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(04/10/2024 04:54:54.905:788) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x557ed6d62074 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=23797 auid=unset uid=qemu gid=qemu euid=qemu suid=qemu fsuid=qemu egid=qemu sgid=qemu fsgid=qemu tty=(none) ses=unset comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c475,c934 key=(null)
+type=AVC msg=audit(04/10/2024 04:54:54.905:788) : avc: denied { open } for pid=23797 comm=qemu-kvm path=/proc/sys/vm/max_map_count dev="proc" ino=68303 scontext=system_u:system_r:svirt_t:s0:c475,c934 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1
+type=AV msg=audit(04/10/2024 04:54:54.905:788) : avc: denied { read } for pid=23797 comm=qemu-kvm name=max_map_count dev="proc" ino=68303 scontext=system_u:system_r:svirt_t:s0:c475,c934 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1
+
+Resolves: RHEL-32296
+---
+ policy/modules/contrib/virt.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
+index 162130536..06d073ae8 100644
+--- a/policy/modules/contrib/virt.te
++++ b/policy/modules/contrib/virt.te
+@@ -468,6 +468,7 @@ allow svirt_t virtqemud_var_run_t:file write;
+ read_files_pattern(svirt_t, virtqemud_t, virtqemud_t)
+
+ kernel_request_load_module(svirt_t)
++kernel_read_vm_sysctls(svirt_t)
+
+ corenet_udp_sendrecv_generic_if(svirt_t)
+ corenet_udp_sendrecv_generic_node(svirt_t)
+--
+2.43.0
+
diff --git a/backport-Allow-sysadm-execute-dmidecode-using-sudo.patch b/backport-Allow-sysadm-execute-dmidecode-using-sudo.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9e15f00208a27101ac90b46490b2a13ae525138b
--- /dev/null
+++ b/backport-Allow-sysadm-execute-dmidecode-using-sudo.patch
@@ -0,0 +1,32 @@
+From c7eaa7fd99e7c46a17656785b0f113e4d0f29d92 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 13 May 2024 17:01:58 +0200
+Subject: [PATCH] Allow sysadm execute dmidecode using sudo
+
+When an unprivileged user in the sysadm_r role executes dmidecode
+through sudo, it transitions into sysadm_sudo_t domain by default.
+With this commit, the process transitions to dmidecode_t.
+
+Resolves: RHEL-16104
+---
+ policy/modules/admin/sudo.if | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
+index 7dba6630a..17aeead9c 100644
+--- a/policy/modules/admin/sudo.if
++++ b/policy/modules/admin/sudo.if
+@@ -96,6 +96,10 @@ template(`sudo_role_template',`
+ rpm_run($1_sudo_t, $2)
+ ')
+
++ optional_policy(`
++ dmidecode_domtrans($1_sudo_t)
++ ')
++
+ optional_policy(`
+ kerberos_manage_host_rcache($1_sudo_t)
+ kerberos_read_config($1_sudo_t)
+--
+2.43.0
+
diff --git a/backport-Allow-system-dbusd-service-status-systemd-services.patch b/backport-Allow-system-dbusd-service-status-systemd-services.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1fe57e9edd23deb9b414811c48d3dff1a45a224b
--- /dev/null
+++ b/backport-Allow-system-dbusd-service-status-systemd-services.patch
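Review bot: In backport-Allow-sysadm-execute-dmidecode-using-sudo.patch, `dmidecode_domtrans($1_sudo_t)` sets up the domain transition but, unlike the adjacent `rpm_run($1_sudo_t, $2)`, does not authorise the role `$2` for dmidecode_t; unless the role is already permitted that type elsewhere, the exec fails as an invalid context rather than running dmidecode in the intended domain. If dmidecode.if offers a run-style interface that takes the role, it belongs here in place of the bare domtrans, mirroring the rpm_run pattern just above; otherwise the role authorisation has to be added explicitly in the same block. The change also affects every role instantiated through sudo_role_template, not only sysadm as the subject says, which is fine but deserves a comment. The template body continues outside the hunk.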
@@ -0,0 +1,26 @@
+From 9fa441a93005dacf6a3a711725e5a5ad30073069 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 15 Apr 2024 09:21:48 +0200
+Subject: [PATCH] Allow system dbusd service status systemd services
+
+The commit addresses the following USER_AVC denial:
+Apr 14 03:33:32 hostname audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=81 path="/usr/lib/systemd/system/systemd-logind.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="reply_unit_path" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
+---
+ policy/modules/contrib/dbus.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
+index cedf71169..fa4b4d8d7 100644
+--- a/policy/modules/contrib/dbus.te
++++ b/policy/modules/contrib/dbus.te
+@@ -229,6 +229,7 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ systemd_status_systemd_services(system_dbusd_t)
+ systemd_use_fds_logind(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_write_inhibit_pipes(system_dbusd_t)
+--
+2.43.0
+
diff --git a/backport-Allow-system_cronjob_t-dbus-chat-with-avahi_t.patch b/backport-Allow-system_cronjob_t-dbus-chat-with-avahi_t.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0fd9f7aa78b080d5a84ac711bc938ca59ec223a9
--- /dev/null
+++ b/backport-Allow-system_cronjob_t-dbus-chat-with-avahi_t.patch
@@ -0,0 +1,31 @@ +From ffde9842e384c461715e3d1bc1ab6cda40e52efc Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 13 May 2024 17:19:24 +0200 +Subject: [PATCH] Allow system_cronjob_t dbus chat with avahi_t + +The commit addresses the following USER_AVC denial: +type=USER_AVC msg=audit(04/10/2024 03:09:01.517:310) : pid=553 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe=/usr/bin/dbus-broker sauid=dbus hostname=? addr=? terminal=?' + +Resolves: RHEL-32290 +--- + policy/modules/contrib/cron.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te +index 91da141fc..20eac0207 100644 +--- a/policy/modules/contrib/cron.te ++++ b/policy/modules/contrib/cron.te +@@ -573,6 +573,10 @@ optional_policy(` + apache_delete_cache_files(system_cronjob_t) + ') + ++optional_policy(` ++ avahi_dbus_chat(system_cronjob_t) ++') ++ + optional_policy(` + bind_read_config(system_cronjob_t) + ') +-- +2.43.0 + diff --git a/backport-Allow-systemd-domains-watch-system-dbus-pid-socket-f.patch b/backport-Allow-systemd-domains-watch-system-dbus-pid-socket-f.patch new file mode 100644 index 0000000000000000000000000000000000000000..cf580e693d4022bdc6cb276f34e2d221ca1b50f9 --- /dev/null +++ b/backport-Allow-systemd-domains-watch-system-dbus-pid-socket-f.patch 
@@ -0,0 +1,51 @@ +From bdaa4aee5c11bb66f609991d77aecbf4f936af1b Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 16 Jan 2024 22:28:19 +0100 +Subject: [PATCH] Allow systemd domains watch system dbus pid socket files + +With the 569208d534 commit ("Allow systemd services watch dbusd pid +directory and its parents"), 5 systemd domains were allowed to watch +/run/dbus and all its parents in path, but only 2 of the domains were +already allowed to watch the "/run/dbus/system_bus_socket" socket file. +This commit adds the socket file watch rule also for the rest of the +domains: systemd_machined_t, systemd_networkd_t, systemd_hostnamed_t. + +The commit addresses the following AVC denial: +Jan 08 11:52:41 fedora audit[374]: AVC avc: denied { watch } for pid=374 comm="systemd-network" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=143 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1 + +Resolves: https://github.com/fedora-selinux/selinux-policy/issues/1991 +--- + policy/modules/system/systemd.te | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 2e5b94fb0..ad0e0178b 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -505,6 +505,7 @@ optional_policy(` + dbus_connect_system_bus(systemd_machined_t) + dbus_system_bus_client(systemd_machined_t) + dbus_watch_pid_dir_path(systemd_machined_t) ++ dbus_watch_pid_sock_files(systemd_machined_t) + ') + + optional_policy(` +@@ -595,6 +596,7 @@ optional_policy(` + dbus_system_bus_client(systemd_networkd_t) + dbus_connect_system_bus(systemd_networkd_t) + dbus_watch_pid_dir_path(systemd_networkd_t) ++ dbus_watch_pid_sock_files(systemd_networkd_t) + dbus_read_pid_files(systemd_networkd_t) + dbus_read_pid_sock_files(systemd_networkd_t) + systemd_dbus_chat_logind(systemd_networkd_t) +@@ -929,6 +931,7 @@ optional_policy(` + 
dbus_system_bus_client(systemd_hostnamed_t) + dbus_connect_system_bus(systemd_hostnamed_t) + dbus_watch_pid_dir_path(systemd_hostnamed_t) ++ dbus_watch_pid_sock_files(systemd_hostnamed_t) + + optional_policy(` + init_dbus_chat_script(systemd_hostnamed_t) +-- +2.43.0 + diff --git a/backport-Allow-systemd-hostnamed-read-the-vsock-device.patch b/backport-Allow-systemd-hostnamed-read-the-vsock-device.patch new file mode 100644 index 0000000000000000000000000000000000000000..ae69d43f1dc63bbbfa5c18a480c49ba8050c62fe --- /dev/null +++ b/backport-Allow-systemd-hostnamed-read-the-vsock-device.patch 
@@ -0,0 +1,29 @@ +From 32938af534c77d1e4201019b7a183c73d53ba141 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 10 May 2024 22:33:52 +0200 +Subject: [PATCH] Allow systemd-hostnamed read the vsock device + +The commit addresses the following AVC denial: +type=PROCTITLE msg=audit(05/10/2024 14:57:37.213:1388) : proctitle=/usr/lib/systemd/systemd-hostnamed +type=PATH msg=audit(05/10/2024 14:57:37.213:1388) : item=0 name=/dev/vsock inode=346 dev=00:06 mode=character,666 ouid=root ogid=root rdev=0a:7a obj=system_u:object_r:vsock_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(05/10/2024 14:57:37.213:1388) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fc898b3e5be a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=17773 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) +type=AVC msg=audit(05/10/2024 14:57:37.213:1388) : avc: denied { open } for pid=17773 comm=systemd-hostnam path=/dev/vsock dev="devtmpfs" ino=346 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0 +--- + policy/modules/system/systemd.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 7f4d872a7..d30677d36 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -920,6 +920,7 @@ kernel_dgram_send(systemd_hostnamed_t) + kernel_read_xen_state(systemd_hostnamed_t) + kernel_read_sysctl(systemd_hostnamed_t) + ++dev_read_vsock(systemd_hostnamed_t) + dev_write_kmsg(systemd_hostnamed_t) + dev_read_sysfs(systemd_hostnamed_t) + dev_rw_crypto(systemd_hostnamed_t) +-- +2.43.0 + 
diff --git a/backport-Allow-systemd-networkd-manage-its-runtime-socket-fil.patch b/backport-Allow-systemd-networkd-manage-its-runtime-socket-fil.patch new file mode 100644 index 0000000000000000000000000000000000000000..9af84645a804a73ceb7a7376cd066196f0356937 --- /dev/null +++ b/backport-Allow-systemd-networkd-manage-its-runtime-socket-fil.patch 
@@ -0,0 +1,31 @@ +From 50460e24f1301e0ebe21fcdd2cc67f359aae48a9 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 22 Jan 2024 17:20:23 +0100 +Subject: [PATCH] Allow systemd-networkd manage its runtime socket files + +The commit addresses the following AVC denial: +type=PROCTITLE msg=audit(01/22/2024 06:21:29.729:1150) : proctitle=/usr/lib/systemd/systemd-networkd +type=PATH msg=audit(01/22/2024 06:21:29.729:1150) : item=1 name=/run/systemd/netif/io.systemd.Network nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=PATH msg=audit(01/22/2024 06:21:29.729:1150) : item=0 name=/run/systemd/netif/ inode=1543 dev=00:1a mode=dir,755 ouid=systemd-network ogid=systemd-network rdev=00:00 obj=system_u:object_r:systemd_networkd_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SOCKADDR msg=audit(01/22/2024 06:21:29.729:1150) : saddr={ saddr_fam=local path=/run/systemd/netif/io.systemd.Network } +type=SYSCALL msg=audit(01/22/2024 06:21:29.729:1150) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0xb a1=0x7ffe6c667700 a2=0x28 a3=0x50 items=2 ppid=1 pid=49658 auid=unset uid=systemd-network gid=systemd-network euid=systemd-network suid=systemd-network fsuid=systemd-network egid=systemd-network sgid=systemd-network fsgid=systemd-network tty=(none) ses=unset comm=systemd-network exe=/usr/lib/systemd/systemd-networkd subj=system_u:system_r:systemd_networkd_t:s0 key=(null) +type=AVC msg=audit(01/22/2024 06:21:29.729:1150) : avc: denied { create } for pid=49658 comm=systemd-network name=io.systemd.Network scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=sock_file permissive=0 +--- + policy/modules/system/systemd.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index ad0e0178b..d521b5bfd 100644 +--- a/policy/modules/system/systemd.te ++++ 
b/policy/modules/system/systemd.te +@@ -558,6 +558,7 @@ allow init_t systemd_networkd_t:netlink_route_socket create_netlink_socket_perms + + manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) + manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) ++manage_sock_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) + manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) + + kernel_dgram_send(systemd_networkd_t) +-- +2.43.0 + diff --git a/backport-Allow-systemd-sleep-read-raw-disk-data.patch b/backport-Allow-systemd-sleep-read-raw-disk-data.patch new file mode 100644 index 0000000000000000000000000000000000000000..aacb10108617054f4a2b8bfd9e3ee3de14e52038 --- /dev/null +++ b/backport-Allow-systemd-sleep-read-raw-disk-data.patch 
@@ -0,0 +1,37 @@ +From 4a8403ba3e72ef128cd841c915004b4af913691a Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 12 Apr 2024 15:28:23 +0200 +Subject: [PATCH] Allow systemd-sleep read raw disk data + +The commit addresses the following issue: +audit[5317]: AVC avc: denied { read } for pid=5317 comm="systemd-sleep" name="dm-1" dev="devtmpfs" ino=423 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0 +systemd-sleep[5317]: Failed to find location to hibernate to: Permission denied +systemd[1]: systemd-hibernate.service: Main process exited, code=exited, status=1/FAILURE +systemd[1]: systemd-hibernate.service: Failed with result 'exit-code'. +systemd[1]: Failed to start systemd-hibernate.service - System Hibernate. + +Resolves: rhbz#2273959 +--- + policy/modules/system/systemd.te | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index b023d5607..713f79a70 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1620,9 +1620,9 @@ fstools_rw_swap_files(systemd_sleep_t) + + init_search_var_lib_dirs(systemd_sleep_t) + +-# systemd-sleep needs to getattr swap partitions +-storage_getattr_fixed_disk_dev(systemd_sleep_t) +-storage_getattr_removable_dev(systemd_sleep_t) ++# systemd-sleep needs to read swap partitions ++storage_raw_read_fixed_disk(systemd_sleep_t) ++storage_raw_read_removable_device(systemd_sleep_t) + + optional_policy(` + logging_dgram_send(systemd_sleep_t) +-- +2.43.0 + diff --git a/backport-Allow-systemd-timedated-get-the-timemaster-service-s.patch b/backport-Allow-systemd-timedated-get-the-timemaster-service-s.patch new file mode 100644 index 0000000000000000000000000000000000000000..01e54fbb76588d2de5346d5e6ca8285ce5ad94d9 --- /dev/null +++ b/backport-Allow-systemd-timedated-get-the-timemaster-service-s.patch 
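Review bot: Replacing the two getattr rules with `storage_raw_read_fixed_disk(systemd_sleep_t)` and `storage_raw_read_removable_device(systemd_sleep_t)` widens systemd_sleep_t from stat() to raw read of every block device labelled fixed_disk_device_t or removable_device_t, i.e. the raw contents of all disks, whereas the quoted denial is a single `read` on dm-1 by the hibernate code path. Swap partitions do not appear to carry a dedicated type, so the grant may be unavoidable, but the replaced comment should say so: `# systemd-sleep reads swap partitions to find the hibernation target; fixed/removable disk types cover all disks, swap has no dedicated type`. Dropping the getattr interfaces is only safe if the raw-read interfaces include getattr, which should be confirmed in the storage module.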
@@ -0,0 +1,55 @@ +From 6028f0a8fec45f86d211393c37e5c933c1ccd3aa Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 15 Apr 2024 11:11:12 +0200 +Subject: [PATCH] Allow systemd-timedated get the timemaster service status + +Resolves: RHEL-25978 +--- + policy/modules/contrib/linuxptp.if | 18 ++++++++++++++++++ + policy/modules/system/systemd.te | 4 ++++ + 2 files changed, 22 insertions(+) + +diff --git a/policy/modules/contrib/linuxptp.if b/policy/modules/contrib/linuxptp.if +index cddf96b96..ab8cda53a 100644 +--- a/policy/modules/contrib/linuxptp.if ++++ b/policy/modules/contrib/linuxptp.if +@@ -158,3 +158,21 @@ interface(`phc2sys_rw_shm',` + read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t) + fs_search_tmpfs($1) + ') ++ ++####################################### ++## ++## Get timemaster services status ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`timemaster_service_status',` ++ gen_require(` ++ type timemaster_unit_file_t; ++ ') ++ ++ allow $1 timemaster_unit_file_t:service status; ++') +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index d1b677078..d516b5e9b 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1115,6 +1115,10 @@ optional_policy(` + policykit_read_reload(systemd_timedated_t) + ') + ++optional_policy(` ++ timemaster_service_status(systemd_timedated_t) ++') ++ + optional_policy(` + xserver_manage_config(systemd_timedated_t) + xserver_read_state_xdm(systemd_timedated_t) +-- +2.43.0 + diff --git a/backport-Allow-unix-dgram-sendto-between-exim-processes.patch b/backport-Allow-unix-dgram-sendto-between-exim-processes.patch new file mode 100644 index 0000000000000000000000000000000000000000..455696fc81e4fb9abc81ce094436b1d8ac26a5f5 --- /dev/null +++ b/backport-Allow-unix-dgram-sendto-between-exim-processes.patch 
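Review bot: The parameter description of the new `timemaster_service_status` interface reads `Domain allowed to transition.`, which is copied from a domtrans interface; nothing transitions here, the interface only allows `status` on timemaster_unit_file_t, so it should read `Domain allowed access.`. The summary `Get timemaster services status` would also be clearer as `Get the status of the timemaster systemd service unit.`, matching what the rule grants.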
@@ -0,0 +1,31 @@ +From e6dd2f166d2608f60505aaf30c5c022fc6195dca Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 26 Jan 2024 16:24:13 +0100 +Subject: [PATCH] Allow unix dgram sendto between exim processes + +The commit addresses the following AVC denial: +type=PROCTITLE msg=audit(01/14/2024 13:24:32.626:977) : proctitle=/usr/sbin/exim -bd -q1h +type=SOCKADDR msg=audit(01/14/2024 13:24:32.626:977) : saddr={ saddr_fam=local path=/var/spool/exim/exim_daemon_notify } +type=SYSCALL msg=audit(01/14/2024 13:24:32.626:977) : arch=x86_64 syscall=sendto success=no exit=EACCES(Permission denied) a0=0x3 a1=0x55fa5b7e21f8 a2=0x11 a3=0x0 items=0 ppid=185680 pid=185770 auid=unset uid=exim gid=exim euid=exim suid=exim fsuid=exim egid=exim sgid=exim fsgid=exim tty=(none) ses=unset comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null) +type=AVC msg=audit(01/14/2024 13:24:32.626:977) : avc: denied { sendto } for pid=185770 comm=exim path=/var/spool/exim/exim_daemon_notify scontext=system_u:system_r:exim_t:s0 tcontext=system_u:system_r:exim_t:s0 tclass=unix_dgram_socket permissive=0 + +Resolves: RHEL-21903 +--- + policy/modules/contrib/exim.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te +index 8ca4e2504..3e2d832c2 100644 +--- a/policy/modules/contrib/exim.te ++++ b/policy/modules/contrib/exim.te +@@ -75,6 +75,7 @@ ifdef(`distro_debian',` + allow exim_t self:capability { chown dac_read_search dac_override fowner setuid setgid sys_resource }; + allow exim_t self:process { setrlimit setpgid }; + allow exim_t self:fifo_file rw_fifo_file_perms; ++allow exim_t self:unix_dgram_socket sendto; + allow exim_t self:unix_stream_socket { accept listen }; + allow exim_t self:tcp_socket { accept listen }; + +-- +2.43.0 + 
diff --git a/backport-Allow-userdomain-get-attributes-of-files-on-an-nsfs-.patch b/backport-Allow-userdomain-get-attributes-of-files-on-an-nsfs-.patch new file mode 100644 index 0000000000000000000000000000000000000000..e27560428c7c80b146931f7f46523802f49f4231 --- /dev/null +++ b/backport-Allow-userdomain-get-attributes-of-files-on-an-nsfs-.patch 
@@ -0,0 +1,31 @@ +From a3eca1d9f096c0e178c78e629bb129b178c85f95 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 22 Feb 2024 23:45:11 +0100 +Subject: [PATCH] Allow userdomain get attributes of files on an nsfs + filesystem + +The commit addresses the following AVC denial: +type=PROCTITLE msg=audit(22.2.2024 23:42:03.003:742) : proctitle=pstree +type=PATH msg=audit(22.2.2024 23:42:03.003:742) : item=0 name=/proc/4139/ns/cgroup inode=4026531835 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=SYSCALL msg=audit(22.2.2024 23:42:03.003:742) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x7ffc200aed00 a2=0x7ffc200aed40 a3=0x0 items=1 ppid=7788 pid=55219 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=pts13 ses=7 comm=pstree exe=/usr/bin/pstree subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(22.2.2024 23:42:03.003:742) : avc: denied { getattr } for pid=55219 comm=pstree path=cgroup:[4026531835] dev="nsfs" ino=4026531835 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1 +--- + policy/modules/system/userdomain.te | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index b9c147d03..82ce1b945 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -151,6 +151,8 @@ auth_filetrans_auth_home_content(userdomain) + + files_dontaudit_manage_boot_files(unpriv_userdomain) + ++fs_getattr_nsfs_files(userdomain) ++ + mount_dontaudit_write_mount_pid(unpriv_userdomain) + mount_entry_type(unpriv_userdomain) + +-- +2.43.0 + 
diff --git a/backport-Allow-utempter_t-use-ptmx.patch b/backport-Allow-utempter_t-use-ptmx.patch new file mode 100644 index 0000000000000000000000000000000000000000..19e9bf2a5d05b81bd04e424a1cf43f92445017e8 --- /dev/null +++ b/backport-Allow-utempter_t-use-ptmx.patch 
@@ -0,0 +1,36 @@ +From 92c23b833c139b71cab9a549b7eda882018caab5 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 12 Feb 2024 11:08:08 +0100 +Subject: [PATCH] Allow utempter_t use ptmx + +This permission is required when a confined user runs tlog-rec +to record a terminal session. + +The commit addresses the following AVC denial: +type=PROCTITLE msg=audit(02/12/2024 10:57:55.073:386) : proctitle=/usr/libexec/utempter/utempter add +type=PATH msg=audit(02/12/2024 10:57:55.073:386) : item=0 name=/lib64/ld-linux-x86-64.so.2 inode=16817307 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=EXECVE msg=audit(02/12/2024 10:57:55.073:386) : argc=2 a0=/usr/libexec/utempter/utempter a1=add +type=SYSCALL msg=audit(02/12/2024 10:57:55.073:386) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ff2467eceb0 a1=0x7ffcd6caddb0 a2=0x7ffcd6cae4d8 a3=0x7ff247d9d980 items=1 ppid=37949 pid=37951 auid=staff uid=root gid=root euid=root suid=root fsuid=root egid=utmp sgid=utmp fsgid=utmp tty=pts0 ses=8 comm=utempter exe=/usr/libexec/utempter/utempter subj=staff_u:sysadm_r:utempter_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(02/12/2024 10:57:55.073:386) : avc: denied { read write } for pid=37951 comm=utempter path=/dev/ptmx dev="devtmpfs" ino=1114 scontext=staff_u:sysadm_r:utempter_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file permissive=0 + +Resolves: RHEL-24946 +--- + policy/modules/system/authlogin.te | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te +index 2c3628a31..9607f513a 100644 +--- a/policy/modules/system/authlogin.te ++++ b/policy/modules/system/authlogin.te +@@ -413,7 +413,7 @@ term_getattr_all_ttys(utempter_t) + term_getattr_all_ptys(utempter_t) + term_dontaudit_use_all_ttys(utempter_t) + term_dontaudit_use_all_ptys(utempter_t) 
+-term_dontaudit_use_ptmx(utempter_t) ++term_use_ptmx(utempter_t) + + auth_use_nsswitch(utempter_t) + +-- +2.43.0 + diff --git a/backport-Allow-various-services-read-and-write-z90crypt-devic.patch b/backport-Allow-various-services-read-and-write-z90crypt-devic.patch new file mode 100644 index 0000000000000000000000000000000000000000..1df8d7d972773abd8b3569d9a25cc8bcbc398410 --- /dev/null +++ b/backport-Allow-various-services-read-and-write-z90crypt-devic.patch 
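Review bot: `term_use_ptmx(utempter_t)` turns a dontaudit into a full read/write grant on ptmx_t, but the quoted denial is `{ read write }` without `open`, which indicates utempter is working on a /dev/ptmx descriptor inherited from tlog-rec rather than opening the device itself. If the terminal module offers an inherited-descriptor variant (rw_inherited_chr_file_perms rather than rw_chr_file_perms), that is the tighter rule for a setgid utmp helper; otherwise a comment such as `# utempter works on the pty master fd inherited from the caller (e.g. tlog-rec)` should record why the whole device is allowed.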
@@ -0,0 +1,122 @@ +From 01507d2fe7c62f7710e0b0a81141de244ed1ca39 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 14 May 2024 19:35:56 +0200 +Subject: [PATCH] Allow various services read and write z90crypt device + +This permission is required on s390x systems with the Crypto Express +adapter card. The z90crypt device driver acts as the interface to the +PCI cryptography hardware and performs asynchronous encryption +operations (RSA) as used during the SSL handshake. + +In this commit, services executing the following executables were +allowed the access: +- /usr/bin/ssh-keygen +- /usr/bin/systemctl +- /usr/sbin/sm-notify +- /usr/lib/systemd/systemd-executor +- /usr/lib/systemd/systemd-hostnamed +- /usr/lib/systemd/systemd-random-seed +- /usr/lib/systemd/systemd-update-utmp +- /usr/lib/systemd/systemd-user-sessions +- /usr/lib/systemd/systemd-user-runtime-dir + +and systemd generators. + +Resolves: RHEL-33361 +--- + policy/modules/contrib/bind.te | 1 + + policy/modules/contrib/rpc.te | 2 ++ + policy/modules/services/ssh.te | 1 + + policy/modules/system/init.te | 1 + + policy/modules/system/systemd.te | 5 +++++ + 5 files changed, 10 insertions(+) + +diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te +index 88aa48784..71e6038a8 100644 +--- a/policy/modules/contrib/bind.te ++++ b/policy/modules/contrib/bind.te +@@ -162,6 +162,7 @@ corenet_udp_bind_all_ephemeral_ports(named_t) + dev_read_sysfs(named_t) + dev_read_rand(named_t) + dev_read_urand(named_t) ++dev_rw_crypto(named_t) + dev_dontaudit_write_urand(named_t) + + domain_use_interactive_fds(named_t) +diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te +index d353e2753..1bf25c41b 100644 +--- a/policy/modules/contrib/rpc.te ++++ b/policy/modules/contrib/rpc.te +@@ -167,6 +167,8 @@ kernel_signal(rpcd_t) + + corecmd_exec_bin(rpcd_t) + ++dev_rw_crypto(rpcd_t) ++ + files_manage_mounttab(rpcd_t) + files_getattr_all_dirs(rpcd_t) + +diff --git 
a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te +index 134b291db..972428680 100644 +--- a/policy/modules/services/ssh.te ++++ b/policy/modules/services/ssh.te +@@ -576,6 +576,7 @@ fs_search_auto_mountpoints(ssh_keygen_t) + dev_read_sysfs(ssh_keygen_t) + dev_read_rand(ssh_keygen_t) + dev_read_urand(ssh_keygen_t) ++dev_rw_crypto(ssh_keygen_t) + + term_dontaudit_use_console(ssh_keygen_t) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 312e76d28..0309f3b15 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -287,6 +287,7 @@ dev_rw_generic_chr_files(init_t) + dev_filetrans_all_named_dev(init_t) + dev_write_watchdog(init_t) + dev_rw_inherited_input_dev(init_t) ++dev_rw_crypto(init_t) + dev_rw_dri(init_t) + dev_rw_tpm(init_t) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 713f79a70..7f4d872a7 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -299,6 +299,7 @@ dev_getattr_all_blk_files(systemd_logind_t) + dev_rw_sysfs(systemd_logind_t) + dev_rw_input_dev(systemd_logind_t) + dev_rw_dri(systemd_logind_t) ++dev_rw_crypto(systemd_logind_t) + dev_setattr_all_chr_files(systemd_logind_t) + dev_setattr_dri_dev(systemd_logind_t) + dev_setattr_generic_usb_dev(systemd_logind_t) +@@ -921,6 +922,7 @@ kernel_read_sysctl(systemd_hostnamed_t) + + dev_write_kmsg(systemd_hostnamed_t) + dev_read_sysfs(systemd_hostnamed_t) ++dev_rw_crypto(systemd_hostnamed_t) + + fs_read_xenfs_files(systemd_hostnamed_t) + +@@ -1139,6 +1141,7 @@ kernel_write_security_state(systemd_sysctl_t) + files_read_system_conf_files(systemd_sysctl_t) + + dev_write_kmsg(systemd_sysctl_t) ++dev_rw_crypto(systemd_sysctl_t) + + domain_use_interactive_fds(systemd_sysctl_t) + +@@ -1215,6 +1218,8 @@ allow systemd_generator self:unix_dgram_socket { create_socket_perms sendto }; + + kernel_dgram_send(systemd_generator) + ++dev_rw_crypto(systemd_generator) ++ + 
fs_getattr_all_fs(systemd_generator) + fs_search_all(systemd_generator) + +-- +2.43.0 + diff --git a/backport-Allow-virt_domain-read-and-write-usb-devices-conditi.patch b/backport-Allow-virt_domain-read-and-write-usb-devices-conditi.patch new file mode 100644 index 0000000000000000000000000000000000000000..77fbdff979ef3b7f345c0a1bd9c3ef22a52ded63 --- /dev/null +++ b/backport-Allow-virt_domain-read-and-write-usb-devices-conditi.patch @@ -0,0 +1,30 @@ +From 66aa26d0ce49a9255366594a103067a4ba0500e7 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 3 May 2024 16:51:53 +0200 +Subject: [PATCH] Allow virt_domain read and write usb devices conditionally + +The permissions are allowed when the virt_use_usb boolean is turned on. + +The commit addresses the following AVC denial: +type=AVC msg=audit(1714717414.882:227): avc: denied { read write } for pid=7286 comm="qemu-system-x86" name="005" dev="devtmpfs" ino=1044 scontext=unconfined_u:unconfined_r:svirt_t:s0:c492,c519 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0 + +Resolves: rhbz#2278803 +--- + policy/modules/contrib/virt.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te +index 039b1a344..10cbb246e 100644 +--- a/policy/modules/contrib/virt.te ++++ b/policy/modules/contrib/virt.te +@@ -1171,6 +1171,7 @@ tunable_policy(`virt_use_samba',` + ') + + tunable_policy(`virt_use_usb',` ++ dev_rw_generic_usb_dev(virt_domain) + dev_rw_usbfs(virt_domain) + dev_read_sysfs(virt_domain) + fs_getattr_dos_fs(virt_domain) +-- +2.43.0 + diff --git a/backport-Allow-virtnodevd_t-map-var-lib-files.patch b/backport-Allow-virtnodevd_t-map-var-lib-files.patch new file mode 100644 index 0000000000000000000000000000000000000000..68018e0c2ff154dfce43be510f6b0f2494e7630e --- /dev/null +++ b/backport-Allow-virtnodevd_t-map-var-lib-files.patch 
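Review bot: The domains receiving `dev_rw_crypto` across the hunks (named_t, rpcd_t, ssh_keygen_t, init_t, systemd_logind_t, systemd_hostnamed_t, systemd_sysctl_t, systemd_generator) do not line up with the executables listed in the description: named_t, systemd_logind_t and systemd_sysctl_t are not listed, while systemd-random-seed, systemd-update-utmp, systemd-user-sessions and systemd-user-runtime-dir have no hunk of their own, presumably because they run in one of the domains above. The description should name the domain for each executable so the read/write grant on the crypto device can be audited against the list. A per-rule comment such as `# z90crypt (Crypto Express) access for TLS on s390x` at each added line would also distinguish this from a generic crypto-device grant.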
@@ -0,0 +1,28 @@ +From ced017b6e399cdebc2afba77bdc3a37aeaaa29f0 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 2 May 2024 12:49:49 +0200 +Subject: [PATCH] Allow virtnodevd_t map /var/lib files + +The commit addresses the following AVC denial: +type=AVC msg=audit(1713915556.702:327): avc: denied { map } for pid=6585 comm="daemon-init" path="/var/lib/flatpak/exports/share/mime/mime.cache" dev="dm-0" ino=23772517 scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0 + +Resolves: rhbz#2276779 +--- + policy/modules/contrib/virt.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te +index 945b4db86..c266c71c1 100644 +--- a/policy/modules/contrib/virt.te ++++ b/policy/modules/contrib/virt.te +@@ -1933,6 +1933,7 @@ corecmd_exec_shell(virtnodedevd_t) + + dev_rw_mtrr(virtnodedevd_t) + ++files_map_var_lib_files(virtnodedevd_t) + files_watch_etc_dirs(virtnodedevd_t) + + miscfiles_read_hwdata(virtnodedevd_t) +-- +2.43.0 + diff --git a/backport-Allow-virtqemud-create-and-unlink-files-in-etc-libvi.patch b/backport-Allow-virtqemud-create-and-unlink-files-in-etc-libvi.patch new file mode 100644 index 0000000000000000000000000000000000000000..60c265c859e7e3775327cc4e79934026e23ff5eb --- /dev/null +++ b/backport-Allow-virtqemud-create-and-unlink-files-in-etc-libvi.patch 
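Review bot: The subject line, and with it the backport file name, say `virtnodevd_t`, but the domain in the hunk and in the quoted AVC is `virtnodedevd_t`; the subject should read `Allow virtnodedevd_t map /var/lib files` so the patch is found when searching for the real type name. `files_map_var_lib_files` also grants `map` on every var_lib_t file rather than only the flatpak mime cache in the denial; that is the usual granularity for var_lib_t, but a comment like `# mmap of /var/lib/flatpak/exports/share/mime/mime.cache (var_lib_t)` would document the trigger.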
@@ -0,0 +1,32 @@ +From e41f5ff38ec7691652ec28f022db2506b392a9a6 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 3 May 2024 17:42:08 +0200 +Subject: [PATCH] Allow virtqemud create and unlink files in /etc/libvirt/ + +With the 4d8d0154a097 ("Allow virtqemud create and unlink files in +/etc/libvirt/") commit, permissions were expected to add for virtqemud, +but were actually added for virtnetworkd by mistake. + +Resolves: rhbz#2245233 +--- + policy/modules/contrib/virt.te | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te +index 061476471..162130536 100644 +--- a/policy/modules/contrib/virt.te ++++ b/policy/modules/contrib/virt.te +@@ -2040,8 +2040,8 @@ allow virtqemud_t virt_var_run_t:file map; + allow virtqemud_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; + allow virtqemud_t virtlogd_t:unix_stream_socket connectto; + +-create_lnk_files_pattern(virtnetworkd_t, virt_etc_rw_t, virt_etc_rw_t) +-delete_lnk_files_pattern(virtnetworkd_t, virt_etc_rw_t, virt_etc_rw_t) ++create_lnk_files_pattern(virtqemud_t, virt_etc_rw_t, virt_etc_rw_t) ++delete_lnk_files_pattern(virtqemud_t, virt_etc_rw_t, virt_etc_rw_t) + + manage_files_pattern(virtqemud_t, virtqemud_lock_t, virtqemud_lock_t) + files_lock_filetrans(virtqemud_t, virtqemud_lock_t, file) +-- +2.43.0 + diff --git a/backport-Allow-virtqemud-create-and-unlink-files-in-etc-libvirt.patch b/backport-Allow-virtqemud-create-and-unlink-files-in-etc-libvirt.patch new file mode 100644 index 0000000000000000000000000000000000000000..1ba5b54eb6ea8c181334d2b9c637605fb35977c3 --- /dev/null +++ b/backport-Allow-virtqemud-create-and-unlink-files-in-etc-libvirt.patch 
@@ -0,0 +1,34 @@ +From 4d8d0154a097d6842a7e823312b357b432e0eecf Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 19 Feb 2024 15:06:19 +0100 +Subject: [PATCH] Allow virtqemud create and unlink files in /etc/libvirt/ + +The commit addresses the following AVC denial: +type=PROCTITLE msg=audit(10/20/2023 11:35:10.850:2280) : proctitle=/usr/sbin/virtqemud --timeout 120 +type=SYSCALL msg=audit(10/20/2023 11:35:10.850:2280) : arch=x86_64 syscall=symlink success=yes exit=0 a0=0x5628c87a0380 a1=0x5628c8797fe0 a2=0x0 a3=0x0 items=3 ppid=1 pid=8945 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc-virtqemud exe=/usr/sbin/virtqemud subj=system_u:system_r:virtqemud_t:s0 key=(null) +type=PATH msg=audit(10/20/2023 11:35:10.850:2280) : item=0 name=/etc/libvirt/qemu/autostart/ inode=125830244 dev=fd:00 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:virt_etc_rw_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=PATH msg=audit(10/20/2023 11:35:10.850:2280) : item=1 name=/etc/libvirt/qemu/g1.xml nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=PATH msg=audit(10/20/2023 11:35:10.850:2280) : item=2 name=/etc/libvirt/qemu/autostart/g1.xml inode=125830255 dev=fd:00 mode=link,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:virt_etc_rw_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 + +Resolves: rhbz#2245233 +--- + policy/modules/contrib/virt.te | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te +index 7c5a63143..9a2f43202 100644 +--- a/policy/modules/contrib/virt.te ++++ b/policy/modules/contrib/virt.te +@@ -2037,6 +2037,9 @@ allow virtqemud_t virt_var_run_t:file map; + allow virtqemud_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; + allow virtqemud_t virtlogd_t:unix_stream_socket connectto; + 
++create_lnk_files_pattern(virtnetworkd_t, virt_etc_rw_t, virt_etc_rw_t) ++delete_lnk_files_pattern(virtnetworkd_t, virt_etc_rw_t, virt_etc_rw_t) ++ + manage_files_pattern(virtqemud_t, virtqemud_lock_t, virtqemud_lock_t) + files_lock_filetrans(virtqemud_t, virtqemud_lock_t, file) + +-- +2.43.0 + diff --git a/backport-Allow-virtqemud-get-attributes-of-NFS-filesystems.patch b/backport-Allow-virtqemud-get-attributes-of-NFS-filesystems.patch new file mode 100644 index 0000000000000000000000000000000000000000..7682d80a07dbcd3685c1c6789d4ead3628a0086e --- /dev/null +++ b/backport-Allow-virtqemud-get-attributes-of-NFS-filesystems.patch @@ -0,0 +1,28 @@ +From 07ead8f4d8427fa4c23722eea7191d3ac932df62 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 3 May 2024 16:56:13 +0200 +Subject: [PATCH] Allow virtqemud get attributes of NFS filesystems + +The commit addresses the following AVC denial: +type=AVC msg=audit(1711018627.816:636): avc: denied { getattr } for pid=176437 comm="rpc-virtqemud" name="/" dev="0:74" ino=2 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=filesystem permissive=1 + +Resolves: rhbz#2270668 +--- + policy/modules/contrib/virt.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te +index 10cbb246e..b0407c204 100644 +--- a/policy/modules/contrib/virt.te ++++ b/policy/modules/contrib/virt.te +@@ -2109,6 +2109,7 @@ files_read_all_symlinks(virtqemud_t) + + fs_getattr_cgroup(virtqemud_t) + fs_getattr_hugetlbfs(virtqemud_t) ++fs_getattr_nfs(virtqemud_t) + fs_delete_tmpfs_files(virtqemud_t) + fs_manage_hugetlbfs_dirs(virtqemud_t) + fs_manage_cgroup_dirs(virtqemud_t) +-- +2.43.0 + diff --git a/backport-Allow-virtqemud-get-attributes-of-a-tmpfs-filesystem.patch b/backport-Allow-virtqemud-get-attributes-of-a-tmpfs-filesystem.patch new file mode 100644 index 0000000000000000000000000000000000000000..35eaa4591a26c9bf083009c0492abb71815b1c57 --- /dev/null 
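Review bot: This patch adds the create/delete lnk_files rules for `virtnetworkd_t` although the quoted AVC is for `virtqemud_t` (comm=rpc-virtqemud, scontext virtqemud_t), so on its own it leaves the denial in place and grants virtnetworkd_t a permission nothing asked for. The series corrects this in backport-Allow-virtqemud-create-and-unlink-files-in-etc-libvi.patch (e41f5ff38ec7), which replaces `virtnetworkd_t` with `virtqemud_t` on both lines, so the two must be applied together. Since this is a backport, squashing the fix into this patch, or at least noting the dependency in the description, would avoid that window.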
+++ b/backport-Allow-virtqemud-get-attributes-of-a-tmpfs-filesystem.patch @@ -0,0 +1,26 @@ +From 136880d1ef402ca0d3b3625c38d90eef54e521b5 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Sat, 4 May 2024 22:54:21 +0200 +Subject: [PATCH] Allow virtqemud get attributes of a tmpfs filesystem + +The commit addresses the following AVC denial: +type=AVC msg=audit(04/05/24 17:01:42.403:360) : avc: denied { getattr } for pid=8259 comm=qemu-system-x86 name=/ dev="tmpfs" ino=1 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1 +--- + policy/modules/contrib/virt.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te +index 06d073ae8..6c4111b77 100644 +--- a/policy/modules/contrib/virt.te ++++ b/policy/modules/contrib/virt.te +@@ -2112,6 +2112,7 @@ files_read_all_symlinks(virtqemud_t) + fs_getattr_cgroup(virtqemud_t) + fs_getattr_hugetlbfs(virtqemud_t) + fs_getattr_nfs(virtqemud_t) ++fs_getattr_tmpfs(virtqemud_t) + fs_getattr_xattr_fs(virtqemud_t) + fs_delete_tmpfs_files(virtqemud_t) + fs_manage_hugetlbfs_dirs(virtqemud_t) +-- +2.43.0 + diff --git a/backport-Allow-virtqemud-get-attributes-of-cifs-files.patch b/backport-Allow-virtqemud-get-attributes-of-cifs-files.patch new file mode 100644 index 0000000000000000000000000000000000000000..cc059d47debe8eea67ccf1459bd9d4cf1a3135bf --- /dev/null +++ b/backport-Allow-virtqemud-get-attributes-of-cifs-files.patch 
@@ -0,0 +1,28 @@
+From e9edc9950b22da858dcb17d9753164a398b742e9 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 3 May 2024 17:05:25 +0200
+Subject: [PATCH] Allow virtqemud get attributes of cifs files
+
+The commit addresses the following AVC denial:
+Apr 23 16:40:36 xps13a.happyassassin.net audit[6908]: AVC avc: denied { getattr } for pid=6908 comm="rpc-virtqemud" name="/" dev="cifs" ino=137234957 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=filesystem permissive=1
+
+Resolves: rhbz#2274414
+---
+ policy/modules/contrib/virt.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
+index 3f12125bd..061476471 100644
+--- a/policy/modules/contrib/virt.te
++++ b/policy/modules/contrib/virt.te
+@@ -2108,6 +2108,7 @@ files_mounton_non_security(virtqemud_t)
+ files_read_all_symlinks(virtqemud_t)
+
+ fs_getattr_cgroup(virtqemud_t)
++fs_getattr_cifs(virtqemud_t)
+ fs_getattr_hugetlbfs(virtqemud_t)
+ fs_getattr_nfs(virtqemud_t)
+ fs_getattr_tmpfs(virtqemud_t)
+--
+2.43.0
+
diff --git a/backport-Allow-virtqemud-get-attributes-of-filesystems-with-e.patch b/backport-Allow-virtqemud-get-attributes-of-filesystems-with-e.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ae135b424d7f0eeb73708cacfc2adac5a542b529
--- /dev/null
+++ b/backport-Allow-virtqemud-get-attributes-of-filesystems-with-e.patch
@@ -0,0 +1,29 @@
+From 1f6c3093b7fdd569e45a8ae4dbd009a2b1d389f0 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 3 May 2024 16:57:10 +0200
+Subject: [PATCH] Allow virtqemud get attributes of filesystems with extended
+ attributes
+
+The commit addresses the following AVC denial:
+type=AVC msg=audit(1711545603.763:248): avc: denied { getattr } for pid=3395 comm="rpc-virtqemud" name="/" dev="dm-0" ino=256 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
+
+Resolves: rhbz#2271831
+---
+ policy/modules/contrib/virt.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
+index b0407c204..3f12125bd 100644
+--- a/policy/modules/contrib/virt.te
++++ b/policy/modules/contrib/virt.te
+@@ -2110,6 +2110,7 @@ files_read_all_symlinks(virtqemud_t)
+ fs_getattr_cgroup(virtqemud_t)
+ fs_getattr_hugetlbfs(virtqemud_t)
+ fs_getattr_nfs(virtqemud_t)
++fs_getattr_xattr_fs(virtqemud_t)
+ fs_delete_tmpfs_files(virtqemud_t)
+ fs_manage_hugetlbfs_dirs(virtqemud_t)
+ fs_manage_cgroup_dirs(virtqemud_t)
+--
+2.43.0
+
diff --git a/backport-Allow-virtqemud-read-vfio-devices.patch b/backport-Allow-virtqemud-read-vfio-devices.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6b4332175136581faeb5608f32661407af5bbdd3
--- /dev/null
+++ b/backport-Allow-virtqemud-read-vfio-devices.patch
@@ -0,0 +1,26 @@
+From 28c2ee5fb5dfba79004bfa8dece14dfb62967319 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Sat, 4 May 2024 22:51:53 +0200
+Subject: [PATCH] Allow virtqemud read vfio devices
+
+The commit addresses the following AVC denial:
+type=AVC msg=audit(04/05/24 17:01:42.433:362) : avc: denied { read write } for pid=8259 comm=qemu-system-x86 name=21 dev="tmpfs" ino=8 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=1
+---
+ policy/modules/contrib/virt.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
+index 6c4111b77..836dff446 100644
+--- a/policy/modules/contrib/virt.te
++++ b/policy/modules/contrib/virt.te
+@@ -2100,6 +2100,7 @@ dev_delete_urand(virtqemud_t)
+ dev_read_cpuid(virtqemud_t)
+ dev_read_sysfs(virtqemud_t)
+ dev_read_urand(virtqemud_t)
++dev_rw_vfio_dev(virtqemud_t)
+ dev_relabel_all_dev_nodes(virtqemud_t)
+ dev_rw_kvm(virtqemud_t)
+ dev_rw_lvm_control(virtqemud_t)
+--
+2.43.0
+
diff --git a/backport-Allow-virtstoraged-execute-lvm-programs-in-the-lvm-d.patch b/backport-Allow-virtstoraged-execute-lvm-programs-in-the-lvm-d.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3e34b8f63e5c91f61a82691ce36edfdab72667d2
--- /dev/null
+++ b/backport-Allow-virtstoraged-execute-lvm-programs-in-the-lvm-d.patch
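Review bot: The subject says "read vfio devices" but the rule added is `dev_rw_vfio_dev(virtqemud_t)`, and the quoted denial is `{ read write }` on a `vfio_device_t` chr_file, so the daemon gains write access to passthrough device nodes as well. The title and the one-line rationale should say read/write, since anyone auditing the daemon's device access will search for the permission actually granted, not the one in the subject. As with the tmpfs patch in this series, the denial is from the qemu process rather than the daemon, so a sentence explaining why virtqemud_t itself must open VFIO devices would close the gap; if the rule must stay as is, a comment such as `# rw: qemu helper launched by virtqemud maps VFIO regions — TODO confirm` above the line would at least record the intent.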
@@ -0,0 +1,31 @@
+From 888c9a4ce611bf97739243cb8da6d24499a2bf83 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 2 May 2024 13:03:21 +0200
+Subject: [PATCH] Allow virtstoraged execute lvm programs in the lvm domain
+
+The commit addresses the following AVC denial:
+type=AVC msg=audit(1713910708.990:1840): avc: denied { unlink } for pid=40570 comm="lvs" name="V_vm-pool:aux" dev="tmpfs" ino=5836 scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:lvm_lock_t:s0 tclass=file permissive=1
+
+Resolves: rhbz#2276768
+---
+ policy/modules/contrib/virt.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
+index c266c71c1..81a416e5c 100644
+--- a/policy/modules/contrib/virt.te
++++ b/policy/modules/contrib/virt.te
+@@ -2214,6 +2214,10 @@ optional_policy(`
+ dnsmasq_filetrans_named_content_fromdir(virtstoraged_t, virtstoraged_var_run_t)
+ ')
+
++optional_policy(`
++ lvm_domtrans(virtstoraged_t)
++')
++
+ #######################################
+ #
+ # virtvboxd local policy
+--
+2.43.0
+
diff --git a/backport-Allow-virtstoraged-use-the-io_uring-API.patch b/backport-Allow-virtstoraged-use-the-io_uring-API.patch
new file mode 100644
index 0000000000000000000000000000000000000000..33ab8a03acc2305cabfdec9dc63721988984a067
--- /dev/null
+++ b/backport-Allow-virtstoraged-use-the-io_uring-API.patch
@@ -0,0 +1,29 @@
+From 11828f16e3f852874fd72882eeed7076d33d0e3b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 2 May 2024 13:55:45 +0200
+Subject: [PATCH] Allow virtstoraged use the io_uring API
+
+The commit addresses the following AVC denial:
+type=AVC msg=audit(04/24/2024 14:19:15.239:260) : avc: denied { create } for pid=4518 comm=qemu-img anonclass=[io_uring] scontext=system_u:system_r:virtstoraged_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1
+
+Resolves: rhbz#2278123
+---
+ policy/modules/contrib/virt.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
+index 81a416e5c..039b1a344 100644
+--- a/policy/modules/contrib/virt.te
++++ b/policy/modules/contrib/virt.te
+@@ -2204,6 +2204,8 @@ manage_files_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t)
+
+ manage_lnk_files_pattern(virtstoraged_t, virt_etc_rw_t, virt_etc_rw_t)
+
++kernel_io_uring_use(virtstoraged_t)
++
+ corecmd_exec_bin(virtstoraged_t)
+
+ fs_getattr_all_fs(virtstoraged_t)
+--
+2.43.0
+
diff --git a/backport-Allow-wdmd-list-the-contents-of-the-sysfs-directorie.patch b/backport-Allow-wdmd-list-the-contents-of-the-sysfs-directorie.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6820888a6ffe17560201a6609a0d956166e250c0
--- /dev/null
+++ b/backport-Allow-wdmd-list-the-contents-of-the-sysfs-directorie.patch
@@ -0,0 +1,32 @@
+From 12885bb7c8fa210b51bfb7def2bb77d899a6ae3e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 7 Mar 2024 20:25:07 +0100
+Subject: [PATCH] Allow wdmd list the contents of the sysfs directories
+
+The commit addresses the following AVC denial:
+type=PROCTITLE msg=audit(02/23/2024 23:59:13.212:1911) : proctitle=/usr/sbin/wdmd --probe
+type=PATH msg=audit(02/23/2024 23:59:13.212:1911) : item=0 name=/sys/class/watchdog/watchdog0/identity nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(02/23/2024 23:59:13.212:1911) : cwd=/
+type=SYSCALL msg=audit(02/23/2024 23:59:13.212:1911) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffce5f5ed10 a2=O_RDONLY a3=0x0 items=1 ppid=182355 pid=182356 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wdmd exe=/usr/sbin/wdmd subj=system_u:system_r:wdmd_t:s0 key=(null)
+type=AVC msg=audit(02/23/2024 23:59:13.212:1911) : avc: denied { read } for pid=182356 comm=wdmd name=watchdog0 dev="sysfs" ino=22335 scontext=system_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0
+
+Resolves: RHEL-26663
+---
+ policy/modules/contrib/wdmd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/wdmd.te b/policy/modules/contrib/wdmd.te
+index 54cb3f698..905094ba5 100644
+--- a/policy/modules/contrib/wdmd.te
++++ b/policy/modules/contrib/wdmd.te
+@@ -42,6 +42,7 @@ kernel_read_system_state(wdmd_t)
+ corecmd_exec_bin(wdmd_t)
+ corecmd_exec_shell(wdmd_t)
+
++dev_list_sysfs(wdmd_t)
+ dev_read_watchdog(wdmd_t)
+ dev_write_watchdog(wdmd_t)
+
+--
+2.43.0
+
diff --git a/backport-Allow-wdmd-read-hardware-state-information.patch b/backport-Allow-wdmd-read-hardware-state-information.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cb5f62a4cc24029fea61014951a0676ed89ca345
--- /dev/null
+++ b/backport-Allow-wdmd-read-hardware-state-information.patch
@@ -0,0 +1,39 @@
+From 3519777d1696dec0db7d36bb20ae7c1b52e7d80a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 8 Mar 2024 17:27:47 +0100
+Subject: [PATCH] Allow wdmd read hardware state information
+
+The previous 12885bb7c8fa ("Allow wdmd list the contents of the sysfs
+directories") commit was not sufficient as apart from reading the
+/sys/class/watchdog/watchdog0 symlink, reading the
+/sys/class/watchdog/watchdog0/identity file is also needed.
+
+The commit addresses the following AVC denial:
+type=PROCTITLE msg=audit(02/26/2024 09:44:20.607:565) : proctitle=/usr/sbin/wdmd --probe
+type=PATH msg=audit(02/26/2024 09:44:20.607:565) : item=0 name=/sys/class/watchdog/watchdog0/identity inode=14577 dev=00:14 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(02/26/2024 09:44:20.607:565) : arch=s390x syscall=openat success=yes exit=4 a0=AT_FDCWD a1=0x3ffde0f91a8 a2=O_RDONLY a3=0x0 items=1 ppid=46918 pid=46920 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wdmd exe=/usr/sbin/wdmd subj=system_u:system_r:wdmd_t:s0 key=(null)
+type=AVC msg=audit(02/26/2024 09:44:20.607:565) : avc: denied { open } for pid=46920 comm=wdmd path=/sys/devices/virtual/watchdog/watchdog0/identity dev="sysfs" ino=14577 scontext=system_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
+type=AVC msg=audit(02/26/2024 09:44:20.607:565) : avc: denied { read } for pid=46920 comm=wdmd name=identity dev="sysfs" ino=14577 scontext=system_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
+type=AVC msg=audit(02/26/2024 09:44:20.607:565) : avc: denied { read } for pid=46920 comm=wdmd name=watchdog0 dev="sysfs" ino=14575 scontext=system_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
+
+Resolves: RHEL-26663
+---
+ policy/modules/contrib/wdmd.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/contrib/wdmd.te b/policy/modules/contrib/wdmd.te
+index 905094ba5..3b25214e4 100644
+--- a/policy/modules/contrib/wdmd.te
++++ b/policy/modules/contrib/wdmd.te
+@@ -42,7 +42,7 @@ kernel_read_system_state(wdmd_t)
+ corecmd_exec_bin(wdmd_t)
+ corecmd_exec_shell(wdmd_t)
+
+-dev_list_sysfs(wdmd_t)
++dev_read_sysfs(wdmd_t)
+ dev_read_watchdog(wdmd_t)
+ dev_write_watchdog(wdmd_t)
+
+--
+2.43.0
+
diff --git a/backport-Define-transitions-for-run-libvirt-common-and-run-li.patch b/backport-Define-transitions-for-run-libvirt-common-and-run-li.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4f256e5437d89eed10491d69889e497366ff60d9
--- /dev/null
+++ b/backport-Define-transitions-for-run-libvirt-common-and-run-li.patch
@@ -0,0 +1,38 @@
+From 471437a05d18a759a7d675c29b42839c1b7d72a4 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 11 Apr 2024 21:27:57 +0200
+Subject: [PATCH] Define transitions for /run/libvirt/common and
+ /run/libvirt/qemu
+
+These particular changes were applied:
+- virtlxcd can create the /run/libvirt/common directory with the correct label
+- virtqemud can create the /run/libvirt/qemu directory with the correct label
+
+Resolves: rhbz#2262587
+---
+ policy/modules/contrib/virt.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
+index 9a2f43202..67737d9c9 100644
+--- a/policy/modules/contrib/virt.te
++++ b/policy/modules/contrib/virt.te
+@@ -1473,6 +1473,7 @@ manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+ manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+ files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir })
+ filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
++filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_common_var_run_t, dir, "common")
+
+ manage_dirs_pattern(virtd_lxc_t, container_file_t, container_file_t)
+ manage_files_pattern(virtd_lxc_t, container_file_t, container_file_t)
+@@ -2058,6 +2059,7 @@ files_tmp_filetrans(virtqemud_t, virtqemud_tmp_t, { file dir sock_file})
+ manage_dirs_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t)
+ manage_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t)
+ manage_sock_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t)
++filetrans_pattern(virtqemud_t, virt_var_run_t, qemu_var_run_t, dir, "qemu")
+
+ manage_dirs_pattern(virtqemud_t, svirt_image_t, svirt_image_t)
+ manage_fifo_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t)
+--
+2.43.0
+
diff --git a/backport-Ensure-dbus-communication-is-allowed-bidirectionally.patch b/backport-Ensure-dbus-communication-is-allowed-bidirectionally.patch
new file mode 100644
index 0000000000000000000000000000000000000000..09e5ff01509dea4bdc32f9792d86d875caaae8f6
--- /dev/null
+++ b/backport-Ensure-dbus-communication-is-allowed-bidirectionally.patch
@@ -0,0 +1,133 @@
+From bd6c524b11eaa3129789c40efd989c48e84f5ce7 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 26 Apr 2024 17:55:52 +0200
+Subject: [PATCH] Ensure dbus communication is allowed bidirectionally
+
+In some interfaces, only one-way communication over dbus is allowed.
+This is not correct, it may result in timeouting the dbus request or
+response and possibly also make the service, which uses dbus
+communication, fail.
+---
+ policy/modules/contrib/cron.if | 3 +++
+ policy/modules/contrib/dbus.if | 9 +++++++--
+ policy/modules/contrib/vmtools.if | 1 +
+ policy/modules/system/init.if | 1 +
+ policy/modules/system/lvm.if | 4 ++--
+ policy/modules/system/userdomain.if | 1 +
+ 6 files changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if
+index 821121b9a..f8733f4c4 100644
+--- a/policy/modules/contrib/cron.if
++++ b/policy/modules/contrib/cron.if
+@@ -131,6 +131,7 @@ interface(`cron_role',`
+ dbus_stub(cronjob_t)
+
+ allow cronjob_t $2_t:dbus send_msg;
++ allow $2_t cronjob_t:dbus send_msg;
+ ')
+ ')
+
+@@ -213,6 +214,7 @@ interface(`cron_unconfined_role',`
+
+ dbus_stub(unconfined_cronjob_t)
+ allow unconfined_cronjob_t $2_t:dbus send_msg;
++ allow $2_t unconfined_cronjob_t:dbus send_msg;
+ ')
+ ')
+
+@@ -307,6 +309,7 @@ interface(`cron_admin_role',`
+ dbus_stub(admin_cronjob_t)
+
+ allow cronjob_t $2_t:dbus send_msg;
++ allow $2_t cronjob_t:dbus send_msg;
+ ')
+ ')
+
+diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
+index ba78957af..6c8750f5d 100644
+--- a/policy/modules/contrib/dbus.if
++++ b/policy/modules/contrib/dbus.if
+@@ -91,7 +91,9 @@ template(`dbus_role_template',`
+
+ # SE-DBus specific permissions
+ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
++ allow $1_dbusd_t { dbusd_unconfined $3 }:dbus send_msg;
+ allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
++ allow system_dbusd_t $3:dbus send_msg;
+
+ # Permissions for dbus-broker running with systemd user sessions
+ allow $3 $1_dbusd_t:process { noatsecure rlimitinh siginh };
+@@ -157,7 +159,8 @@ interface(`dbus_system_bus_client',`
+ ')
+
+ # SE-DBus specific permissions
+- allow $1 { system_dbusd_t self }:dbus send_msg;
++ allow $1 self:dbus send_msg;
++ allow $1 { system_dbusd_t dbusd_unconfined }:dbus send_msg;
+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
+
+ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+@@ -222,7 +225,9 @@ interface(`dbus_session_bus_client',`
+ ')
+
+ # SE-DBus specific permissions
+- allow $1 { session_bus_type self }:dbus send_msg;
++ allow $1 self:dbus send_msg;
++ allow $1 session_bus_type:dbus send_msg;
++ allow session_bus_type $1:dbus send_msg;
+
+ # For connecting to the bus
+ allow $1 session_bus_type:unix_stream_socket connectto;
+diff --git a/policy/modules/contrib/vmtools.if b/policy/modules/contrib/vmtools.if
+index f94feab67..cd1966a84 100644
+--- a/policy/modules/contrib/vmtools.if
++++ b/policy/modules/contrib/vmtools.if
+@@ -140,4 +140,5 @@ interface(`vmtools_unconfined_dbus_chat',`
+ ')
+
+ allow $1 vmtools_unconfined_t:dbus send_msg;
++ allow vmtools_unconfined_t $1:dbus send_msg;
+ ')
+diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
+index 95881f475..6df0cc824 100644
+--- a/policy/modules/system/init.if
++++ b/policy/modules/system/init.if
+@@ -2020,6 +2020,7 @@ interface(`init_dbus_send_script',`
+ ')
+
+ allow $1 initrc_t:dbus send_msg;
++ allow initrc_t $1:dbus send_msg;
+ ')
+
+ ########################################
+diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
+index 01faf6177..c19f9df19 100644
+--- a/policy/modules/system/lvm.if
++++ b/policy/modules/system/lvm.if
+@@ -503,8 +503,8 @@ interface(`lvm_dbus_send_msg',`
+ type lvm_t;
+ class dbus send_msg;
+ ')
+- allow $1 lvm_t:dbus send_msg;
+-
++ allow $1 lvm_t:dbus send_msg;
++ allow lvm_t $1:dbus send_msg;
+ ')
+
+ ########################################
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index c3d0b0a98..8faa25ebf 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -5001,6 +5001,7 @@ interface(`userdom_dbus_send_all_users',`
+ ')
+
+ allow $1 userdomain:dbus send_msg;
++ allow userdomain $1:dbus send_msg;
+ ps_process_pattern($1, userdomain)
+ ')
+
+--
+2.43.0
+
diff --git a/backport-Fix-label-of-pseudoterminals-created-from-sudodomain.patch b/backport-Fix-label-of-pseudoterminals-created-from-sudodomain.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1090a2a42dc5bbcda937e93e76c91e4873f1abfd
--- /dev/null
+++ b/backport-Fix-label-of-pseudoterminals-created-from-sudodomain.patch
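Review bot: In `dbus_system_bus_client` the replacement line `allow $1 { system_dbusd_t dbusd_unconfined }:dbus send_msg;` does more than make the existing rule reciprocal: the removed rule covered only `system_dbusd_t` and `self`, so every caller of this interface now also gains send_msg towards `dbusd_unconfined`, a widening the description ("only one-way communication ... is allowed") does not mention. That extra grant deserves its own sentence in the commit message, or a separate commit, so that it is not hidden behind the "bidirectional" framing. Separately, in `cron_admin_role` the new reverse rule `allow $2_t cronjob_t:dbus send_msg;` mirrors the existing `cronjob_t` rule that sits next to `dbus_stub(admin_cronjob_t)`; it is not clear from the hunk whether `admin_cronjob_t` was the intended peer, and if it was, neither direction is covered for it after this change.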
@@ -0,0 +1,41 @@
+From b3ca7065d555b0f228f88fbcb2c9f9e35bc5a1f5 Mon Sep 17 00:00:00 2001
+From: Juraj Marcin
+Date: Thu, 8 Feb 2024 19:25:09 +0100
+Subject: [PATCH] Fix label of pseudoterminals created from sudodomain
+
+When sudo is configured with "Defaults use_pty" and ran as "sudo -i",
+it creates a new pseudoterminal. However, when confined user runs sudo,
+this pseudoterminal is created as devpts_t instead of user_devpts_t due
+to missing transition from sudodomain types. It also allows setattr.
+
+Addresses this AVC:
+type=PROCTITLE msg=audit(07/17/2023 10:38:01.277:528) : proctitle=crontab -l
+type=EXECVE msg=audit(07/17/2023 10:38:01.277:528) : argc=2 a0=crontab a1=-l
+type=SYSCALL msg=audit(07/17/2023 10:38:01.277:528) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x561829ebdd40 a1=0x561829ea0cd0 a2=0x561829ebf400 a3=0x8 items=0 ppid=4553 pid=4554 auid=staff uid=USER gid=USER euid=root suid=root fsuid=root egid=USER sgid=USER fsgid=USER tty=(none) ses=13 comm=crontab exe=/usr/bin/crontab subj=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(07/17/2023 10:38:01.277:528) : avc: denied { read write } for pid=4554 comm=crontab path=/dev/pts/3 dev="devpts" ino=6 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
+type=AVC msg=audit(07/17/2023 10:38:01.277:528) : avc: denied { read write } for pid=4554 comm=crontab path=/dev/pts/3 dev="devpts" ino=6 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
+type=AVC msg=audit(07/17/2023 10:38:01.277:528) : avc: denied { read write } for pid=4554 comm=crontab path=/dev/pts/3 dev="devpts" ino=6 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
+type=AVC msg=audit(07/17/2023 10:38:01.277:528) : avc: denied { read write } for pid=4554 comm=crontab path=/dev/pts/3 dev="devpts" ino=6 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
+
+Resolves: RHEL-1388
+---
+ policy/modules/admin/sudo.te | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
+index 23caf07e5..febc1e95b 100644
+--- a/policy/modules/admin/sudo.te
++++ b/policy/modules/admin/sudo.te
+@@ -110,6 +110,9 @@ userdom_manage_user_home_content_symlinks(sudodomain)
+ userdom_manage_user_tmp_files(sudodomain)
+ userdom_manage_user_tmp_symlinks(sudodomain)
+ userdom_use_user_terminals(sudodomain)
++userdom_create_user_pty(sudodomain)
++userdom_setattr_user_ptys(sudodomain)
++userdom_setattr_user_ttys(sudodomain)
+ userdom_signal_all_users(sudodomain)
+ userdom_exec_user_home_content_files(sudodomain)
+ # for some PAM modules and for cwd
+--
+2.43.0
+
diff --git a/backport-Label-dev-iommu-with-iommu_device_t.patch b/backport-Label-dev-iommu-with-iommu_device_t.patch
new file mode 100644
index 0000000000000000000000000000000000000000..27c6913de9277bc4e0b83ad2463b4db420718478
--- /dev/null
+++ b/backport-Label-dev-iommu-with-iommu_device_t.patch
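Review bot: `userdom_setattr_user_ttys(sudodomain)` is added alongside the two pty rules, but the description only explains the pseudoterminal label transition and "It also allows setattr."; nothing quoted involves a tty, so that third line needs its own rationale or a comment above the group, e.g. `# sudo "Defaults use_pty": create the pty as user_devpts_t and set its attributes`. The quoted denials are the downstream symptom (crontab_t refused on a pty already mislabelled devpts_t), not the create/setattr denial in the sudodomain itself, so a reader cannot tell from the message that these three interfaces are the minimal set; if a denial for the sudodomain was captured it would be worth including.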
@@ -0,0 +1,48 @@
+From 378eba1dc299b0c756cecb36e963dc7fbe617220 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 22 Jan 2024 10:16:48 +0100
+Subject: [PATCH] Label /dev/iommu with iommu_device_t
+
+The /dev/iommu framework provides an unified interface for managing
+I/O page tables for passthrough devices. Existing passthrough
+frameworks are expected to use this interface instead of continuing
+their ad-hoc implementations.
+
+Resolves: RHEL-22063
+---
+ policy/modules/kernel/devices.fc | 1 +
+ policy/modules/kernel/devices.te | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
+index 2ab822c42..99ae622ba 100644
+--- a/policy/modules/kernel/devices.fc
++++ b/policy/modules/kernel/devices.fc
+@@ -206,6 +206,7 @@ ifdef(`distro_suse', `
+ /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0)
++/dev/iommu -c gen_context(system_u:object_r:iommu_device_t,s0)
+
+ /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
+
+diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
+index 9153cb4ec..8d414cb71 100644
+--- a/policy/modules/kernel/devices.te
++++ b/policy/modules/kernel/devices.te
+@@ -176,6 +176,12 @@ dev_node(infiniband_device_t)
+ type infiniband_mgmt_device_t;
+ dev_node(infiniband_mgmt_device_t)
+
++#
++# Type for /dev/iommu devices
++#
++type iommu_device_t;
++dev_node(iommu_device_t)
++
+ #
+ # Type for /dev/kmsg
+ #
+--
+2.43.0
+
diff --git a/backport-Label-run-systemd-machine-with-systemd_machined_var_.patch b/backport-Label-run-systemd-machine-with-systemd_machined_var_.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7ba1b7ed319f7e33040b8de46f850b3ad03d7d95
--- /dev/null
+++ b/backport-Label-run-systemd-machine-with-systemd_machined_var_.patch
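Review bot: The patch declares `iommu_device_t` and labels `/dev/iommu` with it, but the diffstat shows only devices.fc and devices.te changed, so no interface in devices.if grants any domain access to the new type; until a consumer patch lands, anything that previously opened the node under its generic label will presumably be denied. That may be the intended default-deny for a new passthrough interface, but the description should say so and name the follow-up that adds the accessor, otherwise the next reader has to work out why passthrough stopped working after this backport. A line above the type block such as `# no accessor interface yet; dev_*_iommu_dev to be added with the first consumer` would make the intent visible in the policy source itself.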
@@ -0,0 +1,48 @@
+From 68f3d5a769bd91f5707aeb43d21903adcf18fb59 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 10 May 2024 22:35:05 +0200
+Subject: [PATCH] Label /run/systemd/machine with systemd_machined_var_run_t
+
+Along with that, a transition for systemd-machined for this
+directory was defined.
+
+The commit addresses the following AVC denial:
+type=PROCTITLE msg=audit(05/10/2024 12:11:33.651:224) : proctitle=/usr/lib/systemd/systemd-machined
+type=PATH msg=audit(05/10/2024 12:11:33.651:224) : item=1 name=/run/systemd/machine nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=PATH msg=audit(05/10/2024 12:11:33.651:224) : item=0 name=/run/systemd/ inode=2 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=SYSCALL msg=audit(05/10/2024 12:11:33.651:224) : arch=x86_64 syscall=mkdirat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x5635d5a3cc21 a2=0755 a3=0x0 items=2 ppid=1 pid=4216 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-machine exe=/usr/lib/systemd/systemd-machined subj=system_u:system_r:systemd_machined_t:s0 key=(null)
+type=AVC msg=audit(05/10/2024 12:11:33.651:224) : avc: denied { create } for pid=4216 comm=systemd-machine name=machine scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
+
+Resolves: rhbz#2279923
+---
+ policy/modules/system/systemd.fc | 1 +
+ policy/modules/system/systemd.te | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
+index 08bb872df..1d81f94ef 100644
+--- a/policy/modules/system/systemd.fc
++++ b/policy/modules/system/systemd.fc
+@@ -113,6 +1113,7 @@ HOME_DIR/\.config/systemd/user(/.*)? gen_context(system_u:object_r:systemd_unit
+ /var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0)
+ /var/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
+ /var/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
++/run/systemd/machine(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
+ /var/run/systemd/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
+ /var/run/systemd/machines.lock -- gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
+ /var/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index d30677d36..761f1fba7 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -463,6 +463,7 @@ manage_dirs_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_mach
+ manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
+ manage_lnk_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
+ init_pid_filetrans(systemd_machined_t, systemd_machined_var_run_t, dir, "machines")
++init_pid_filetrans(systemd_machined_t, systemd_machined_var_run_t, dir, "machine")
+
+ manage_dirs_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
+ manage_files_pattern(systemd_machined_t, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
+--
+2.43.0
+
diff --git a/backport-Modify-sudo_role_template-to-allow-getpgid.patch b/backport-Modify-sudo_role_template-to-allow-getpgid.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4d048ae71455c3f672429924b7c4d43ff288a015
--- /dev/null
+++ b/backport-Modify-sudo_role_template-to-allow-getpgid.patch
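Review bot: The systemd.fc hunk header reads `@@ -113,6 +1113,7 @@`; a one-line insertion at old line 113 cannot start at new line 1113, so the header looks damaged and the patch may only apply with fuzz, or be rejected by a strict `git apply`, which is worth checking by regenerating the file from the upstream commit. The new entry also uses `/run/systemd/machine(/.*)?` while every neighbouring line in the hunk uses the `/var/run/systemd/...` prefix; it only labels the same path if the `/var/run` to `/run` path substitution is active, so matching the neighbours' prefix (or switching them all together) would remove the dependency and the visual inconsistency.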
@@ -0,0 +1,28 @@
+From 40513c5ff4fc9bff2390117dcb45677f887c9ac5 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 4 Mar 2024 14:20:20 +0100
+Subject: [PATCH] Modify sudo_role_template() to allow getpgid
+
+The commit addresses the following AVC denial:
+type=PROCTITLE msg=audit(03/04/2024 14:15:38.342:337) : proctitle=sudo -i
+type=SYSCALL msg=audit(03/04/2024 14:15:38.342:337) : arch=x86_64 syscall=getpgid success=no exit=EACCES(Permission denied) a0=0x1062 a1=0x31e a2=0x0 a3=0x8 items=0 ppid=3187 pid=4256 auid=staff uid=staff gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=7 comm=sudo exe=/usr/bin/sudo subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(03/04/2024 14:15:38.342:337) : avc: denied { getpgid } for pid=4256 comm=sudo scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process permissive=0
+---
+ policy/modules/admin/sudo.if | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
+index 43fb688df..7dba6630a 100644
+--- a/policy/modules/admin/sudo.if
++++ b/policy/modules/admin/sudo.if
+@@ -54,6 +54,7 @@ template(`sudo_role_template',`
+ allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms;
+ files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
+
++ allow $1_sudo_t $3:process getpgid;
+ allow $1_sudo_t $3:dir search_dir_perms;;
+ allow $1_sudo_t $3:file read_file_perms;;
+ allow $1_sudo_t $3:key search;
+--
+2.43.0
+
diff --git a/backport-Replace-init-domtrans-rule-for-confined-users-to-all.patch b/backport-Replace-init-domtrans-rule-for-confined-users-to-all.patch
new file mode 100644
index 0000000000000000000000000000000000000000..40b4799c0332ffa364c0de21ae72e0860a62a057
--- /dev/null
+++ b/backport-Replace-init-domtrans-rule-for-confined-users-to-all.patch
@@ -0,0 +1,31 @@
+From 20114105ce9cccef6775736565f449c27c4a669e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 1 Feb 2024 20:32:32 +0100
+Subject: [PATCH] Replace init domtrans rule for confined users to allow exec
+ init
+
+This rule exists in the userdom_unpriv_user_template() template
+and makes systemd user instance transition to init_t which is not
+correct.
+
+Resolves: rhbz#2262409
+---
+ policy/modules/system/userdomain.if | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index cf79937db..f51f2cd66 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -1519,7 +1519,7 @@ tunable_policy(`deny_bluetooth',`',`
+ corenet_tcp_bind_xserver_port($1_t)
+ corenet_tcp_bind_generic_node($1_usertype)
+
+- init_domtrans($1_t)
++ init_exec($1_t)
+ init_rw_stream_sockets($1_t)
+
+ storage_rw_fuse($1_t)
+--
+2.43.0
+
diff --git a/backport-Transition-from-sudodomains-to-crontab_t-when-execut.patch b/backport-Transition-from-sudodomains-to-crontab_t-when-execut.patch
new file mode 100644
index 0000000000000000000000000000000000000000..31917df4474a1dca08f126138c01e8974baf0430
--- /dev/null
+++ b/backport-Transition-from-sudodomains-to-crontab_t-when-execut.patch
@@ -0,0 +1,33 @@
+From 656aa7dee84d233c24e0be8f86ba8468bbaa05a4 Mon Sep 17 00:00:00 2001
+From: Juraj Marcin
+Date: Fri, 9 Feb 2024 12:08:24 +0100
+Subject: [PATCH] Transition from sudodomains to crontab_t when executing
+ crontab_exec_t
+
+When confined user executes crontab with sudo (for example to edit the
+crontab of an another user), the crontab would stay in the sudodomain,
+which is incorrect. This patch add the necessary transition.
+
+Resolves: RHEL-1388
+---
+ policy/modules/admin/sudo.if | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
+index 43fb688df..fb4b52cbe 100644
+--- a/policy/modules/admin/sudo.if
++++ b/policy/modules/admin/sudo.if
+@@ -117,6 +117,10 @@ template(`sudo_role_template',`
+ optional_policy(`
+ usermanage_domtrans_passwd($1_sudo_t)
+ ')
++
++ optional_policy(`
++ crontab_domtrans($1_sudo_t)
++ ')
+ ')
+
+ ########################################
+--
+2.43.0
+
diff --git a/backport-Update-afterburn-policy.patch b/backport-Update-afterburn-policy.patch
new file mode 100644
index 0000000000000000000000000000000000000000..14a6db7d24f064d16bca535051f1a76f156566f1
--- /dev/null
+++ b/backport-Update-afterburn-policy.patch
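Review bot: `crontab_domtrans($1_sudo_t)` is wrapped in `optional_policy`, which only covers the cron module being absent at link time; the interface itself is introduced by the sibling "Add crontab_domtrans interface" backport in this same series, so if the spec applies this patch before that one the template would presumably fail to expand at build time rather than degrade gracefully. Worth checking the patch order in the spec file and naming the dependency in the description, e.g. `Depends on: backport-Add-crontab_domtrans-interface.patch`.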
@@ -0,0 +1,50 @@ +From 2ed432052a6e3e6ff3805077345853fbb0abd0f9 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 19 Jan 2024 18:44:05 +0100 +Subject: [PATCH] Update afterburn policy + +Resolves: rhbz#2254975 +--- + policy/modules/contrib/afterburn.te | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/policy/modules/contrib/afterburn.te b/policy/modules/contrib/afterburn.te +index 14abb2968..aff609cf8 100644 +--- a/policy/modules/contrib/afterburn.te ++++ b/policy/modules/contrib/afterburn.te +@@ -21,7 +21,9 @@ permissive afterburn_t; + allow afterburn_t self:capability { setgid setuid sys_admin }; + allow afterburn_t self:process { fork setpgid }; + allow afterburn_t self:fifo_file rw_fifo_file_perms; ++allow afterburn_t self:unix_dgram_socket create_socket_perms; + ++kernel_dgram_send(afterburn_t) + kernel_read_all_proc(afterburn_t) + + corenet_tcp_connect_http_port(afterburn_t) +@@ -34,10 +36,22 @@ optional_policy(` + auth_use_nsswitch(afterburn_t) + ') + ++optional_policy(` ++ logging_write_syslog_pid_socket(afterburn_t) ++') ++ + optional_policy(` + miscfiles_read_localization(afterburn_t) + ') + ++optional_policy(` ++ networkmanager_dbus_chat(afterburn_t) ++') ++ ++optional_policy(` ++ ssh_filetrans_home_content(afterburn_t) ++') ++ + optional_policy(` + sysnet_dns_name_resolve(afterburn_t) + ') +-- +2.43.0 + diff --git a/backport-Update-dbus_role_template-to-allow-user-service-stat.patch b/backport-Update-dbus_role_template-to-allow-user-service-stat.patch new file mode 100644 index 0000000000000000000000000000000000000000..f97c2cdbf345b2c2beb6a7e6660d49c1bbcbc46d --- /dev/null +++ b/backport-Update-dbus_role_template-to-allow-user-service-stat.patch 
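Review bot: `ssh_filetrans_home_content(afterburn_t)` only fixes the label of files afterburn creates under home directories; it grants no create/write permission on the ssh home type, and none is added in this hunk, so either those rules already exist elsewhere or the filetrans will never fire — please confirm which. `networkmanager_dbus_chat(afterburn_t)` is bidirectional (NetworkManager may also send to afterburn), which is the conventional interface but still wider than a one-way call; a one-line comment naming the call afterburn makes would let a later reviewer tighten it, e.g. `# afterburn talks to NetworkManager over D-Bus (presumably to apply metadata-derived network config — confirm)`. Also note that the hunk's context line still reads `permissive afterburn_t;`, so none of these rules is enforced yet and denials for anything still missing will appear only as audit messages.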
@@ -0,0 +1,30 @@ +From 5ecdef001490a956f7f5cfa5d177b4062d205c64 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 5 Feb 2024 14:45:41 +0100 +Subject: [PATCH] Update dbus_role_template() to allow user service status + +Update dbus_role_template() so that the user dbusd type (e.g. staff_dbusd_t) +is allowed to status user unit type (e.g. staff_t). + +The commit addresses the following AVC denial: +Feb 05 13:38:08 fedora systemd[11867]: selinux: avc: denied { status } for auid=1001 uid=1001 gid=1001 cmdline="/usr/bin/dbus-broker-launch --config-file=/usr/share/defaults/at-spi2/accessibility.conf --scope user" function="reply_unit_path" scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=system permissive=0 +--- + policy/modules/contrib/dbus.if | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if +index 48f9a8481..ba78957af 100644 +--- a/policy/modules/contrib/dbus.if ++++ b/policy/modules/contrib/dbus.if +@@ -97,7 +97,7 @@ template(`dbus_role_template',` + allow $3 $1_dbusd_t:process { noatsecure rlimitinh siginh }; + allow $1_dbusd_t $3:dbus send_msg; + allow $3 $1_dbusd_t:dbus send_msg; +- allow $1_dbusd_t $3:system { start reload }; ++ allow $1_dbusd_t $3:system { reload start status }; + allow $1_dbusd_t session_dbusd_tmp_t:service { start stop }; + allow $3 session_dbusd_tmp_t:dir manage_dir_perms; + allow $3 session_dbusd_tmp_t:file manage_file_perms; +-- +2.43.0 + diff --git a/backport-Update-mmap_rw_file_perms-to-include-the-lock-permis.patch b/backport-Update-mmap_rw_file_perms-to-include-the-lock-permis.patch new file mode 100644 index 0000000000000000000000000000000000000000..11118650657b7effabb0db44f58fbf421f0b3708 --- /dev/null +++ b/backport-Update-mmap_rw_file_perms-to-include-the-lock-permis.patch 
@@ -0,0 +1,29 @@ +From 2cdf4e71dc3557b4a87b1430edffcddc82e5d835 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 14 Mar 2024 18:56:38 +0100 +Subject: [PATCH] Update mmap_rw_file_perms to include the lock permission + +The mmap_rw_file_perms permission set defined in obj_perm_sets.spt +does not include the lock permission while other similar sets do. +--- + policy/support/obj_perm_sets.spt | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt +index 88f17c876..74064d550 100644 +--- a/policy/support/obj_perm_sets.spt ++++ b/policy/support/obj_perm_sets.spt +@@ -171,8 +171,8 @@ define(`write_inherited_file_perms',`{ getattr write append lock ioctl }') + define(`write_file_perms',`{ open write_inherited_file_perms }') + define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }') + define(`rw_file_perms',`{ open rw_inherited_file_perms }') +-define(`mmap_rw_inherited_file_perms',`{ getattr map read write ioctl }') +-define(`mmap_rw_file_perms',`{ getattr open map read write ioctl }') ++define(`mmap_rw_inherited_file_perms',`{ map rw_inherited_file_perms }') ++define(`mmap_rw_file_perms',`{ map rw_file_perms }') + define(`create_file_perms',`{ getattr create open }') + define(`rename_file_perms',`{ getattr rename }') + define(`delete_file_perms',`{ getattr unlink }') +-- +2.43.0 + diff --git a/backport-Update-ssh_role_template-for-user-ssh-agent-type.patch b/backport-Update-ssh_role_template-for-user-ssh-agent-type.patch new file mode 100644 index 0000000000000000000000000000000000000000..ba64c6ad2b2e0f9f725b6718bed5a5254dea430d --- /dev/null +++ b/backport-Update-ssh_role_template-for-user-ssh-agent-type.patch 
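Review bot: The new definitions add more than `lock`: `rw_inherited_file_perms`, visible two lines above in the hunk, is `{ getattr read write append ioctl lock }`, so redefining `mmap_rw_inherited_file_perms` and `mmap_rw_file_perms` on top of it also grants `append` to every existing user of those sets across the whole policy, which the commit message does not mention. If only the lock permission was intended, keep the explicit sets: `define(`mmap_rw_inherited_file_perms',`{ getattr map read write ioctl lock }')` and `define(`mmap_rw_file_perms',`{ getattr open map read write ioctl lock }')`. If the append widening is deliberate for consistency with the other rw sets, say so in the commit message or in a comment above the definitions, since this is a global change to an existing permission set rather than a local fix.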
@@ -0,0 +1,31 @@ +From 875bea45e09f3f3fe8562e00a61ebcaf3fc3e665 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 5 Feb 2024 14:57:04 +0100 +Subject: [PATCH] Update ssh_role_template() for user ssh-agent type + +Update ssh_role_template() to allow user ssh agent type +(e.g. staff_ssh_agent_t) IPC with user type (e.g. staff_t) +over a unix stream socket. The other way of communication was +already allowed. + +The commit addresses the following AVC denial: +Feb 05 11:36:24 fedora audit[5067]: AVC avc: denied { read write } for pid=5067 comm="ssh-agent" path="socket:[38159]" dev="sockfs" ino=38159 scontext=staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 +--- + policy/modules/services/ssh.if | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if +index 179962f51..7f82b660f 100644 +--- a/policy/modules/services/ssh.if ++++ b/policy/modules/services/ssh.if +@@ -399,6 +399,7 @@ template(`ssh_role_template',` + + # for ssh-agent user service + allow $3 $1_ssh_agent_t:unix_stream_socket create_stream_socket_perms; ++ allow $1_ssh_agent_t $3:unix_stream_socket rw_socket_perms; + + # Allow the user shell to signal the ssh program. + allow $3 $1_ssh_agent_t:process signal_perms; +-- +2.43.0 + diff --git a/backport-fix-hibernate-on-btrfs-swapfile-F40.patch b/backport-fix-hibernate-on-btrfs-swapfile-F40.patch new file mode 100644 index 0000000000000000000000000000000000000000..e4c179cbf0b4f378c75b201d1f5addddab27fd0c --- /dev/null +++ b/backport-fix-hibernate-on-btrfs-swapfile-F40.patch 
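Review bot: `rw_socket_perms` on the new line is wider than the denial being fixed: the quoted AVC is `{ read write }` on an inherited socket (`path="socket:[38159]"`), whereas rw_socket_perms conventionally also carries bind, connect, setopt, shutdown and similar, which the agent has no reason to perform on the user's own socket. A narrower set such as `allow $1_ssh_agent_t $3:unix_stream_socket rw_inherited_sockets_perms;` (if this policy's obj_perm_sets defines it) or simply `{ read write getattr ioctl }` would cover the reported case while keeping the agent from reconfiguring the user's sockets. The template body continues outside the hunk.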
@@ -0,0 +1,29 @@ +From 7d14b3522e90e617a3af24e126e59b3a4d3ac022 Mon Sep 17 00:00:00 2001 +From: dawg +Date: Tue, 9 Apr 2024 07:51:06 +0200 +Subject: [PATCH] fix hibernate on btrfs swapfile (F40) + +- https://github.com/systemd/systemd/pull/29382 double-checks the configured resume offset of the swapfile +- this needs CAP_SYS_ADMIN for [BTRFS_IOC_TREE_SEARCH](https://btrfs.readthedocs.io/en/latest/btrfs-ioctl.html) +- stopped working in Fedora 40 beta +--- + policy/modules/system/systemd.te | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index d516b5e9b..b023d5607 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1595,7 +1595,8 @@ systemd_read_efivarfs(systemd_userdbd_t) + # systemd_sleep local policy + # + +-allow systemd_sleep_t self:capability { linux_immutable sys_resource }; ++# systemd-sleep wants cap_sys_admin to check btrfs swapfile offset (https://github.com/systemd/systemd/pull/29382) ++allow systemd_sleep_t self:capability { linux_immutable sys_resource sys_admin }; + # systemd-sleep needs to set timer for suspend-then-hibernate + allow systemd_sleep_t self:capability2 wake_alarm; + dontaudit systemd_sleep_t self:capability sys_ptrace; +-- +2.43.0 + diff --git a/backport-policy-support-pidfs.patch b/backport-policy-support-pidfs.patch new file mode 100644 index 0000000000000000000000000000000000000000..b99851d5da397a2bfd03ec244767ee400e4f5b4b --- /dev/null +++ b/backport-policy-support-pidfs.patch 
@@ -0,0 +1,42 @@ +From 85bbb6d1bc69e84ea2440cff647e426b74f1b40a Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Fri, 23 Feb 2024 12:32:32 +0100 +Subject: [PATCH] policy: support pidfs + +pidfds are ported to a tiny in-kernel filesystem that is not mountable +in userspace. This is comparable to sockfs, pipefs, nsfs, or +anon_inodefs to name a few examples. + +Before pidfs it wasn't possible for selinux to manage them because they +didn't go through security_file_open(). They now do making it possible +for selinux to manage them. + +pidfds are used in systemd, dbus, LXC, polkit etc. and they currently +start failing because selinux denies pidfs: + +Feb 23 12:09:58 fed1 audit[353]: AVC avc: denied { read write open } for pid=353 comm="systemd-userdbd" path="pidfd:[709]" dev="pidfs" ino=709 scontext=system_u:system_r:systemd_userdbd_t:> + +Signed-off-by: Christian Brauner +--- + policy/modules/kernel/filesystem.te | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te +index 7e783399c..f9a561a4a 100644 +--- a/policy/modules/kernel/filesystem.te ++++ b/policy/modules/kernel/filesystem.te +@@ -169,6 +169,11 @@ type oprofilefs_t; + fs_type(oprofilefs_t) + genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0) + ++type pidfs_t; ++fs_type(pidfs_t) ++files_mountpoint(pidfs_t) ++genfscon pidfs_t / gen_context(system_u:object_r:pidfs_t,s0) ++ + type pstore_t alias pstorefs_t; + fs_type(pstore_t) + files_mountpoint(pstore_t) +-- +2.43.0 + diff --git a/backport-postfix-allow-qmgr-to-delete-mails-in-bounce-directo.patch b/backport-postfix-allow-qmgr-to-delete-mails-in-bounce-directo.patch new file mode 100644 index 0000000000000000000000000000000000000000..a8a27f1d7521f74dcc85ddbcab365129b9bba6ce --- /dev/null +++ b/backport-postfix-allow-qmgr-to-delete-mails-in-bounce-directo.patch 
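Review bot: The `genfscon` line names the type instead of the filesystem: `genfscon pidfs_t /` labels a filesystem called "pidfs_t", which does not exist, while the AVC quoted in the message shows `dev="pidfs"` and the neighbouring entry in the hunk uses the kernel name (`genfscon oprofilefs /`). As written the pidfd inodes would stay unlabeled and the denials would not change; it should read `genfscon pidfs / gen_context(system_u:object_r:pidfs_t,s0)`. `files_mountpoint(pidfs_t)` also looks copied from the pstore block below — the commit message states pidfs is not mountable from userspace, so that attribute appears unnecessary (confirm before dropping it). Labelling alone also grants nothing to the domains in the AVC (systemd_userdbd_t and the others listed); the `{ read write open }` rules on pidfs_t:file have to come from elsewhere.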
@@ -0,0 +1,51 @@ +From 8f7df9d4ab7cd7687fc8ad34e3ff637fd8955eba Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Renaud=20M=C3=A9trich?= +Date: Mon, 25 Mar 2024 14:52:17 +0100 +Subject: [PATCH] postfix: allow qmgr to delete mails in bounce/ directory +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +See [RHEL-30271 - postfix qmgr cannot delete mails in bounce/ directory](https://issues.redhat.com/browse/RHEL-30271). + +AVC: +-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- +... type=PROCTITLE msg=...: proctitle=qmgr-l-tunix-u +... type=PATH msg=...: item=1 name=bounce/E40A741281B ... obj=system_u:object_r:postfix_spool_bounce_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 +... type=PATH msg=...: item=0 name=bounce/ ... obj=system_u:object_r:postfix_spool_bounce_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 +... type=CWD msg=...: cwd=/var/spool/postfix +... type=SYSCALL msg=...: arch=c000003e syscall=87 success=no exit=-13 ... comm=qmgr exe=/usr/libexec/postfix/qmgr subj=system_u:system_r:postfix_qmgr_t:s0 key=(null) +... type=AVC msg=...: avc: denied { write } for pid=2012444 comm=qmgr name=bounce ... 
scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:object_r:postfix_spool_bounce_t:s0 tclass=dir permissive=0 +-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- + +Signed-off-by: Renaud Métrich +--- + policy/modules/contrib/postfix.te | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te +index 36fa0589c..945c9822e 100644 +--- a/policy/modules/contrib/postfix.te ++++ b/policy/modules/contrib/postfix.te +@@ -632,14 +632,14 @@ manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) + manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) + files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) + +-allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; +-allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; +-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms; +- + manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; + ++manage_dirs_pattern(postfix_qmgr_t, postfix_spool_bounce_t, postfix_spool_bounce_t) ++manage_files_pattern(postfix_qmgr_t, postfix_spool_bounce_t, postfix_spool_bounce_t) ++manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_bounce_t, postfix_spool_bounce_t) ++ + corecmd_exec_bin(postfix_qmgr_t) + + ######################################## +-- +2.43.0 + diff --git a/backport-systemd-allow-sys_admin-capability-for-systemd_notif.patch b/backport-systemd-allow-sys_admin-capability-for-systemd_notif.patch new file mode 100644 index 0000000000000000000000000000000000000000..2e4563cbae2fe689303aedf334c10f705ce5d5b5 --- /dev/null +++ b/backport-systemd-allow-sys_admin-capability-for-systemd_notif.patch 
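Review bot: The replacement grants far more than the denial requires: the AVC is a `write` on the bounce directory for an `unlink` (syscall 87) of an existing file, but the three `manage_*_pattern` rules let qmgr create, write, rename and delete files, directories and symlinks under postfix_spool_bounce_t. If qmgr only has to remove bounce logs after delivery, keeping the three read rules the hunk deletes and adding `delete_files_pattern(postfix_qmgr_t, postfix_spool_bounce_t, postfix_spool_bounce_t)` covers RHEL-30271 without letting qmgr author bounce content; widen to manage only if qmgr is observed writing there (the message does not show that). Whichever set is kept, a comment naming the operation (`# qmgr removes bounce logs once the message is delivered`) would stop the next widening from being silent.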
@@ -0,0 +1,52 @@ +From 40266ea67915c736e19b69155a0bc71c9694caa0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Renaud=20M=C3=A9trich?= +Date: Thu, 15 Feb 2024 12:32:17 +0100 +Subject: [PATCH] systemd: allow sys_admin capability for systemd_notify_t +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +See [RHEL-25605 - AVCs "sys_admin" when executing systemd-notify from a service unit](https://issues.redhat.com/browse/RHEL-25701). + +Reproducer: + +1. Create /etc/systemd/system/repro.service with content below + + [Service] + Type=notify + NotifyAccess=all + ExecStart=/bin/sh -c "sleep 3; systemd-notify --ready" + +2. Reload systemd and start the service + + # systemctl daemon-reload + # systemctl start repro + +AVC: +-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- +type=PROCTITLE msg=audit(02/15/2024 10:55:23.848:260) : proctitle=systemd-notify --ready +type=SYSCALL msg=audit(02/15/2024 10:55:23.848:260) : arch=x86_64 syscall=sendmsg success=no exit=EPERM(Operation not permitted) a0=0x3 a1=0x7fff3972ed90 a2=MSG_NOSIGNAL a3=0x7fff3972ed14 items=0 ppid=25967 pid=25969 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-notify exe=/usr/bin/systemd-notify subj=system_u:system_r:systemd_notify_t:s0 key=(null) +type=AVC msg=audit(02/15/2024 10:55:23.848:260) : avc: denied { sys_admin } for pid=25969 comm=systemd-notify capability=sys_admin scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:systemd_notify_t:s0 tclass=capability permissive=0 +-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- + +Signed-off-by: Renaud Métrich +--- + policy/modules/system/systemd.te | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index 48f89e5a1..d1b677078 100644 +--- a/policy/modules/system/systemd.te ++++ 
b/policy/modules/system/systemd.te +@@ -793,7 +793,7 @@ optional_policy(` + # + # systemd_notify local policy + # +-allow systemd_notify_t self:capability chown; ++allow systemd_notify_t self:capability { chown sys_admin }; + allow systemd_notify_t self:process { fork setfscreate setsockcreate }; + + allow systemd_notify_t self:fifo_file rw_fifo_file_perms; +-- +2.43.0 + diff --git a/backport-systemd-allow-systemd_notify_t-to-send-data-to-kerne.patch b/backport-systemd-allow-systemd_notify_t-to-send-data-to-kerne.patch new file mode 100644 index 0000000000000000000000000000000000000000..d9d95d3d145e585411b04f337e2fa08e75b11453 --- /dev/null +++ b/backport-systemd-allow-systemd_notify_t-to-send-data-to-kerne.patch 
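Review bot: The new `sys_admin` is the broadest capability in the set and the hunk gives no hint of which operation in a `sendmsg()` to the notify socket needs it; the reproducer shows an EPERM from sendmsg, which is consistent with passing credentials for a pid other than the caller's (systemd-notify reporting on behalf of its parent), but that is an inference and should be confirmed. Whatever the cause, record it next to the rule so it is not mistaken for a blanket grant, e.g. `# CAP_SYS_ADMIN: systemd-notify sends SCM_CREDENTIALS for its parent pid over the notify socket (RHEL-25605) — confirm`. If the helper degrades gracefully without it, a `dontaudit` would be the safer alternative; as an `allow` this hands cap_sys_admin to a domain reachable from every NotifyAccess=all service. The surrounding systemd_notify policy continues outside the hunk.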
@@ -0,0 +1,63 @@ +From 6fad839829ec97fc59013e21f8380f3658b772ec Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Renaud=20M=C3=A9trich?= +Date: Thu, 15 Feb 2024 12:53:16 +0100 +Subject: [PATCH] systemd: allow systemd_notify_t to send data to kernel_t + datagram sockets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is required because of systemd's notify socket is created while in +the initramfs, hence as kernel_t. +Once SELinux permits relabeling socket objects created before the policy +is loaded, this should be removed and systemd fixed to relabel the +socket appropriately. +Tracked by [systemd PR](https://github.com/systemd/systemd/pull/31336). + +Reproducer: + +1. Create /etc/systemd/system/repro.service with content below + + [Service] + Type=notify + NotifyAccess=all + ExecStart=/bin/sh -c "sleep 3; systemd-notify --ready" + +2. Reload systemd and start the service + + # systemctl daemon-reload + # systemctl start repro + +AVC: +-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- +type=PROCTITLE msg=audit(02/14/2024 14:52:56.813:249) : proctitle=systemd-notify --ready +type=SYSCALL msg=audit(02/14/2024 14:52:56.813:249) : arch=x86_64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffe64bf5410 a2=MSG_NOSIGNAL a3=0x7ffe64bf5394 items=0 ppid=1798 pid=1802 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-notify exe=/usr/bin/systemd-notify subj=system_u:system_r:systemd_notify_t:s0 key=(null) +type=AVC msg=audit(02/14/2024 14:52:56.813:249) : avc: denied { sendto } for pid=1802 comm=systemd-notify path=/run/systemd/notify scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0 +-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- + +Signed-off-by: Renaud Métrich +--- + 
policy/modules/system/systemd.te | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index d521b5bfd..48f89e5a1 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -800,6 +800,13 @@ allow systemd_notify_t self:fifo_file rw_fifo_file_perms; + allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms; + allow systemd_notify_t self:unix_dgram_socket create_socket_perms; + ++# FIXME: this is required because of systemd's notify socket is created while ++# in the initramfs, hence as kernel_t. Once SELinux permits relabeling socket ++# objects created before the policy is loaded, this should be removed and ++# systemd fixed to relabel the socket appropriately. ++# Tracked by [systemd PR](https://github.com/systemd/systemd/pull/31336). ++allow systemd_notify_t kernel_t:unix_dgram_socket sendto; ++ + dev_write_kmsg(systemd_notify_t) + + domain_use_interactive_fds(systemd_notify_t) +-- +2.43.0 + diff --git a/selinux-policy.spec b/selinux-policy.spec index 1e5bf6349f6be24f954c48cbcae5693992946349..c9213195ab5019954cc6ca497e496eddc6d5a087 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -12,7 +12,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 40.7 -Release: 6 +Release: 7 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ 
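Review bot: The new rule is written as a raw `allow systemd_notify_t kernel_t:unix_dgram_socket sendto;` although the kernel module exports exactly this grant as an interface, and the afterburn patch in the same series uses it; for consistency and so the dependency on kernel_t is routed through kernel.if, use `kernel_dgram_send(systemd_notify_t)` with the same FIXME block above it. The FIXME itself is good: it ties the workaround to the upstream systemd PR, and it should stay until the notify socket can be relabelled, since sending to kernel_t datagram sockets is otherwise a broad permission for this domain.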
@@ -85,6 +85,91 @@ Patch29: backport-Allow-samba-dcerpcd-read-public-files.patch Patch30: backport-Allow-systemd-sleep-set-attributes-of-efivarfs-files.patch Patch31: backport-Allow-syslogd_t-nnp_transition-to-syslogd_unconfined.patch Patch32: backport-Allow-mdadm-list-stratisd-data-directories.patch +Patch33: backport-Allow-systemd-domains-watch-system-dbus-pid-socket-f.patch +Patch34: backport-Allow-httpd-work-with-PrivateTmp.patch +Patch35: backport-Allow-polkit-status-systemd-services.patch +Patch36: backport-Allow-systemd-networkd-manage-its-runtime-socket-fil.patch +Patch37: backport-Allow-conntrackd_t-to-use-bpf-capability2.patch +Patch38: backport-Allow-chronyd-restricted-read-chronyd-key-files.patch +Patch39: backport-Allow-smbd_t-to-watch-user_home_dir_t-if-samba_enabl.patch +Patch40: backport-Allow-su-domains-write-login-records.patch +Patch41: backport-Allow-unix-dgram-sendto-between-exim-processes.patch +Patch42: backport-Allow-login_userdomain-delete-session-dbusd-tmp-sock.patch +Patch43: backport-Label-dev-iommu-with-iommu_device_t.patch +Patch44: backport-Allow-login_userdomain-name_bind-to-howl-and-xmsg-ud.patch +Patch45: backport-Allow-gpg-manage-rpm-cache.patch +Patch46: backport-Allow-load_policy-read-and-write-generic-ptys.patch +Patch47: backport-Allow-polkit-status-all-systemd-services.patch +Patch48: backport-Update-dbus_role_template-to-allow-user-service-stat.patch +Patch49: backport-Replace-init-domtrans-rule-for-confined-users-to-all.patch +Patch50: backport-Update-afterburn-policy.patch +Patch51: backport-Allow-init-to-inherit-fds-from-syslogd.patch +Patch52: backport-Allow-init-to-inherit-system-DBus-file-descriptors.patch +Patch53: backport-Update-ssh_role_template-for-user-ssh-agent-type.patch +Patch54: backport-Allow-admin-user-read-write-on-fixed_disk_device_t.patch +Patch55: backport-Allow-utempter_t-use-ptmx.patch +Patch56: backport-Add-crontab_domtrans-interface.patch +Patch57: 
backport-Transition-from-sudodomains-to-crontab_t-when-execut.patch +Patch58: backport-Fix-label-of-pseudoterminals-created-from-sudodomain.patch +Patch59: backport-Add-crontab_admin_domtrans-interface.patch +Patch60: backport-Allow-login_userdomain-map-files-in-var.patch +Patch61: backport-Allow-krb5kdc_t-map-krb5kdc_principal_t-files.patch +Patch62: backport-systemd-allow-systemd_notify_t-to-send-data-to-kerne.patch +Patch63: backport-systemd-allow-sys_admin-capability-for-systemd_notif.patch +Patch64: backport-Allow-samba-to-have-dac_override-capability.patch +Patch65: backport-Allow-virtqemud-create-and-unlink-files-in-etc-libvirt.patch +Patch66: backport-Allow-userdomain-get-attributes-of-files-on-an-nsfs-.patch +Patch67: backport-Modify-sudo_role_template-to-allow-getpgid.patch +Patch68: backport-Allow-sulogin-relabel-tty1.patch +Patch69: backport-Allow-linuxptp-configure-phc2sys-and-chronyd-over-a-.patch +Patch70: backport-Allow-wdmd-list-the-contents-of-the-sysfs-directorie.patch +Patch71: backport-Allow-wdmd-read-hardware-state-information.patch +Patch72: backport-Allow-cgred_t-to-get-attributes-of-cgroup-filesystem.patch +Patch73: backport-Allow-journalctl_t-read-filesystem-sysctls.patch +Patch74: backport-Allow-plymouthd-log-during-shutdown.patch +Patch75: backport-Update-mmap_rw_file_perms-to-include-the-lock-permis.patch +Patch76: backport-Allow-dhcpc-read-run-netns-files.patch +Patch77: backport-Allow-dhcpcd-use-unix_stream_socket.patch +Patch78: backport-Allow-NetworkManager-the-sys_ptrace-capability-in-us.patch +Patch79: backport-Allow-logwatch-read-logind-sessions-files.patch +Patch80: backport-Allow-logwatch_mail_t-read-write-to-init-over-a-unix.patch +Patch81: backport-policy-support-pidfs.patch +Patch82: backport-postfix-allow-qmgr-to-delete-mails-in-bounce-directo.patch +Patch83: backport-Allow-qemu-ga-read-vm-sysctls.patch +Patch84: backport-Allow-keyutils-dns-resolver-connect-to-the-system-lo.patch +Patch85: 
backport-Allow-systemd-timedated-get-the-timemaster-service-s.patch +Patch86: backport-Allow-system-dbusd-service-status-systemd-services.patch +Patch87: backport-Allow-nut-to-statfs.patch +Patch88: backport-fix-hibernate-on-btrfs-swapfile-F40.patch +Patch89: backport-Allow-plymouthd-read-efivarfs-files.patch +Patch90: backport-Allow-abrt-dump-journal-core-connect-to-systemd-user.patch +Patch91: backport-Allow-systemd-sleep-read-raw-disk-data.patch +Patch92: backport-Define-transitions-for-run-libvirt-common-and-run-li.patch +Patch93: backport-Allow-dbus-broker-read-write-inherited-user-ttys.patch +Patch94: backport-Allow-sssd-create-and-use-io_uring.patch +Patch95: backport-Allow-abrt-dump-journal-core-connect-to-systemd-mach.patch +Patch96: backport-Allow-virtqemud-get-attributes-of-NFS-filesystems.patch +Patch97: backport-Allow-virtstoraged-use-the-io_uring-API.patch +Patch98: backport-Allow-virtnodevd_t-map-var-lib-files.patch +Patch99: backport-Allow-svirt_t-read-vm-sysctls.patch +Patch100: backport-Allow-virtstoraged-execute-lvm-programs-in-the-lvm-d.patch +Patch101: backport-Allow-virt_domain-read-and-write-usb-devices-conditi.patch +Patch102: backport-Allow-virtqemud-read-vfio-devices.patch +Patch103: backport-Allow-virtqemud-create-and-unlink-files-in-etc-libvi.patch +Patch104: backport-Allow-staff_t-use-the-io_uring-API.patch +Patch105: backport-Allow-staff_t-the-io_uring-sqpoll-permission.patch +Patch106: backport-Allow-system_cronjob_t-dbus-chat-with-avahi_t.patch +Patch107: backport-Allow-various-services-read-and-write-z90crypt-devic.patch +Patch108: backport-Allow-sudodomain-list-files-in-var.patch +Patch109: backport-Allow-sysadm-execute-dmidecode-using-sudo.patch +Patch110: backport-Allow-systemd-hostnamed-read-the-vsock-device.patch +Patch111: backport-Label-run-systemd-machine-with-systemd_machined_var_.patch +Patch112: backport-Ensure-dbus-communication-is-allowed-bidirectionally.patch +Patch113: 
backport-Allow-journald-read-systemd-config-files-and-directo.patch +Patch114: backport-Allow-virtqemud-get-attributes-of-filesystems-with-e.patch +Patch115: backport-Allow-virtqemud-get-attributes-of-a-tmpfs-filesystem.patch +Patch126: backport-Allow-virtqemud-get-attributes-of-cifs-files.patch +Patch127: backport-Add-interfaces-for-watching-and-reading-ifconfig_var.patch Patch9000: add-qemu_exec_t-for-stratovirt.patch Patch9001: fix-context-of-usr-bin-rpmdb.patch @@ -764,6 +849,9 @@ exit 0 %endif %changelog +* Mon Dec 1 2025 yanglongkang - 40.7-7 +- backport upstream patches + * Tue Nov 25 2025 ExtinctFire - 40.7-6 - backport upstream patches
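Review bot: Patch65 (`backport-Allow-virtqemud-create-and-unlink-files-in-etc-libvirt.patch`) and Patch103 (`backport-Allow-virtqemud-create-and-unlink-files-in-etc-libvi.patch`) carry the same subject, one with the generator's usual truncation and one without; if both files hold the same upstream commit, the second will fail to apply (or double-apply) when the patches are unrolled, so either drop the duplicate or confirm they are distinct commits. The numbering also jumps from Patch115 to Patch126, which is harmless only if the %prep section applies patches by enumeration rather than by explicit `%patchN` lines — that section is outside the hunk. Beyond that, the ordering that matters is correct: Patch56 (crontab_domtrans) precedes Patch57 (its first user), and Patch62 precedes Patch63 as their index lines require.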