From d83171aa8c0e8f1ea8b7f93f84927e8f31809663 Mon Sep 17 00:00:00 2001
From: zcfsite
Date: Thu, 30 Sep 2021 15:55:52 +0800
Subject: [PATCH] fix CVE-2020-24612

---
 backport-CVE-2020-24612.patch | 52 +++++++++++++++++++++++++++++++++++++++
 selinux-policy.spec | 6 +++-
 2 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2020-24612.patch

diff --git a/backport-CVE-2020-24612.patch b/backport-CVE-2020-24612.patch
new file mode 100644
index 0000000..24f510c
--- /dev/null
+++ b/backport-CVE-2020-24612.patch
@@ -0,0 +1,52 @@
+From 1363710b88904f29915e39335fef0dfb673a0f70 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Mon, 24 Aug 2020 14:29:15 +0200
+Subject: [PATCH] Add file context for ~/.config/Yubico
+
+Add file context specification for ~/.config/Yubico in addition to
+existing ~/.yubico. Update the auth_filetrans_home_content() and
+auth_filetrans_admin_home_content() interfaces accordingly.
+
+Resolves: rhbz#1860888
+---
+ policy/modules/system/authlogin.fc | 2 ++
+ policy/modules/system/authlogin.if | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index 009c156..58551ec 100644
+--- a/policy/modules/system/authlogin.fc
++++ b/policy/modules/system/authlogin.fc
+@@ -1,7 +1,9 @@
+ HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
++HOME_DIR/\.config/Yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+ HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
+ HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
+ /root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.config/Yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+ /root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
+ /root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
+ 
+diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
+index 099166d..90ae5fe 100644
+--- a/policy/modules/system/authlogin.if
++++ b/policy/modules/system/authlogin.if
+@@ -2313,6 +2313,7 @@ interface(`auth_filetrans_admin_home_content',`
+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+ userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+ userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
++ userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
+ ')
+ 
+ 
+@@ -2377,6 +2378,7 @@ interface(`auth_filetrans_home_content',`
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+ userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
++ userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
+ ')
+ 
+ ########################################
+-- 
+1.8.3.1
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2f50bae..33a15b2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.2
-Release: 76
+Release: 77
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
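Review bot: The two new `userdom_*_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")` calls in the authlogin.if hunks pass a two-component name, but as far as I know a named file transition is matched only against the final path component of the object being created, so this rule would never fire and a freshly created ~/.config/Yubico would inherit the label of ~/.config instead of auth_home_t; if creation-time labeling is the goal, the transition presumably has to be expressed in two steps (the `.config` directory type first, then the name `Yubico` from it) — worth confirming against how upstream later handles this path. Until then the protection comes only from the new `HOME_DIR/\.config/Yubico(/.*)?` and `/root/\.config/Yubico(/.*)?` .fc entries, which take effect on existing home directories only after a relabel, and nothing in the visible spec hunks runs one. Since the patch file is vendored verbatim, a correction belongs in a follow-up patch rather than an edit of this file.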
@@ -113,6 +113,7 @@ Patch6036: backport-iptables.fc-Remove-duplicate-file-context-entries.patch
 Patch6037: backport-iptables.fc-Add-missing-legacy-entries.patch
 Patch6038: backport-iptables.fc-Add-missing-legacy-restore-and-legacy-sa.patch
 Patch6039: backport-Allow-systemd-hostnamed-read-udev-runtime-data.patch
+Patch6040: backport-CVE-2020-24612.patch
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: add-avc-for-systemd-selinux-page.patch
@@ -783,6 +784,9 @@ exit 0
 %endif
 %changelog
+* Thu Sep 30 2021 zcfsite -3.14.2-77
+- fix CVE-2020-24612
+
 * Wed Sep 22 2021 lujie42 <572084868@qq.com> -3.14.2-76
 - Set httpd_can_network_connect bool true
-- 
Gitee
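Review bot: `Patch6040: backport-CVE-2020-24612.patch` is only declared in this hunk; whether it is actually applied depends on %prep, which is outside the hunk, so confirm the spec applies patches with %autosetup/%autopatch or add a matching `%patch6040 -p1` next to where Patch6039 is applied. Given that the release was bumped specifically for this CVE, a build that declares but does not apply the patch would ship the old policy under a new version, so this is worth a quick check before merging.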