From a697e85e1f4ca41e598b87277322ac3266a31aa8 Mon Sep 17 00:00:00 2001 From: beta Date: Sat, 25 Nov 2023 15:49:27 +0800 Subject: [PATCH] backport some upstream patches Signed-off-by: beta --- ...port-Label-etc-redis-as-redis_conf_t.patch | 48 +++++++++++++++++++ ...-sbin-charon-systemd-as-ipsec_exec_t.patch | 28 +++++++++++ selinux-policy.spec | 9 +++- 3 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 backport-Label-etc-redis-as-redis_conf_t.patch create mode 100644 backport-Relabel-usr-sbin-charon-systemd-as-ipsec_exec_t.patch diff --git a/backport-Label-etc-redis-as-redis_conf_t.patch b/backport-Label-etc-redis-as-redis_conf_t.patch new file mode 100644 index 0000000..af69d9e --- /dev/null +++ b/backport-Label-etc-redis-as-redis_conf_t.patch 
@@ -0,0 +1,48 @@
+From 2313c55d3f4f84df05368efc1ef5496dab8ff156 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 9 Apr 2021 20:35:09 +0200
+Reference: https://github.com/fedora-selinux/selinux-policy/commit/2313c55d3f4f84df05368efc1ef5496dab8ff156
+Conflict: NA
+Subject: [PATCH] Label /etc/redis as redis_conf_t
+
+With a new redis version, the configuration file in the /etc/redis
+directory are used instead if individual configuration files in /etc.
+This change needs to be backed with proper labeling of /etc/redis.
+
+Example of a denial which is being addresses by this commit:
+----
+type=PROCTITLE msg=audit(04/09/2021 11:12:52.959:517) :
+proctitle=/usr/bin/redis-sentinel *:26379 [sentinel]
+type=PATH msg=audit(04/09/2021 11:12:52.959:517) : item=0 name=/etc/redis/sentinel.conf
+inode=16824738 dev=fd:02 mode=file,640 ouid=redis ogid=root rdev=00:00
+obj=system_u:object_r:etc_t:s0 nametype=NORMAL
+cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=CWD msg=audit(04/09/2021 11:12:52.959:517) : cwd=/tmp
+type=SYSCALL msg=audit(04/09/2021 11:12:52.959:517) : arch=x86_64 syscall=access
+success=no exit=EACCES(Permission denied) a0=0x7f054ee0e2a1 a1=W_OK a2=0x0 a3=0x8
+items=1 ppid=1 pid=3747 auid=unset uid=redis gid=redis euid=redis suid=redis fsuid=redis
+egid=redis sgid=redis fsgid=redis tty=(none) ses=unset comm=redis-sentinel
+exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null)
+type=AVC msg=audit(04/09/2021 11:12:52.959:517) : avc: denied { write }
+for pid=3747 comm=redis-sentinel name=sentinel.conf dev="vda2" ino=16824738
+scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:etc_t:s0
+tclass=file permissive=0
+----
+---
+ policy/modules/contrib/redis.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/redis.fc b/policy/modules/contrib/redis.fc
+index 83edd1be2..53e58bacb 100644
+--- a/policy/modules/contrib/redis.fc
++++ b/policy/modules/contrib/redis.fc
+@@ -1,5 +1,6 @@
+ 
/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
+ 
++/etc/redis(/.*)? gen_context(system_u:object_r:redis_conf_t,s0)
+ /etc/redis-sentinel.* -- gen_context(system_u:object_r:redis_conf_t,s0)
+ 
+ /usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
+--
+2.27.0
+
diff --git a/backport-Relabel-usr-sbin-charon-systemd-as-ipsec_exec_t.patch b/backport-Relabel-usr-sbin-charon-systemd-as-ipsec_exec_t.patch
new file mode 100644
index 0000000..a704397
--- /dev/null
+++ b/backport-Relabel-usr-sbin-charon-systemd-as-ipsec_exec_t.patch
@@ -0,0 +1,28 @@
+From 55b2dfdddf231f35adda18174b6f9cd9488eff1b Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour
+Date: Fri, 28 Aug 2020 09:49:11 -0400
+Reference: https://github.com/fedora-selinux/selinux-policy/commit/55b2dfdddf231f35adda18174b6f9cd9488eff1b
+Conflict: NA
+Subject: [PATCH] Relabel /usr/sbin/charon-systemd as ipsec_exec_t
+
+This causes StrongSwan to be run with the `ipsec_exec_t` context, which allows it to bind to its sockets.
+---
+ policy/modules/system/ipsec.fc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
+index e1a4f6822..c33edcced 100644
+--- a/policy/modules/system/ipsec.fc
++++ b/policy/modules/system/ipsec.fc
+@@ -50,7 +50,7 @@
+ /usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+ /usr/libexec/strongimcv/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+ 
+-/usr/sbin/charon-systemd -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
++/usr/sbin/charon-systemd -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+ /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+ /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
+ /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
+--
+2.27.0
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 472683f..e870d68 100644
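Review bot: The added `++/etc/redis(/.*)?` line only relabels the tree; the quoted denial is redis_t asking for `write` on sentinel.conf, and that is resolved only if redis.te already grants redis_t write (or manage) on redis_conf_t files, which this backport does not carry. Confirm on the 3.14.2 base with `sesearch -A -s redis_t -t redis_conf_t -c file`, otherwise the same AVC comes back with tcontext redis_conf_t instead of etc_t. The entry has no file-type field, so it covers the directory and every file under it, and letting the daemon rewrite the config it loads next is a deliberate upstream trade-off that deserves a sentence in the changelog. Existing installations also need `restorecon -Rv /etc/redis` for the new label to apply unless the package's %post relabel already covers fc changes.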
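Review bot: Relabelling `/usr/sbin/charon-systemd` to ipsec_exec_t moves the daemon from ipsec_mgmt_t into ipsec_t (via the policy's daemon-domain transition, which is not shown here), and this backport carries only the .fc line, none of the ipsec.te rules the 2020 upstream policy may have relied on or added afterwards. Before shipping, start strongswan once in permissive mode on the 3.14.2 base and check for new ipsec_t denials (systemd notify socket, runtime directories), otherwise the old socket-bind failure is merely traded for different ones. The direction is right from a least-privilege standpoint, since ipsec_mgmt_t is the broader management domain and the long-running daemon should not inherit it; record that rationale in the changelog rather than only the patch name. Already-installed systems also need `restorecon -v /usr/sbin/charon-systemd` before the next service start runs in the new domain.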
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.2
-Release: 81
+Release: 82
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
 
@@ -112,6 +112,8 @@
 Patch6037: backport-iptables.fc-Add-missing-legacy-entries.patch
 Patch6038: backport-iptables.fc-Add-missing-legacy-restore-and-legacy-sa.patch
 Patch6039: backport-Add-file-context-for-.config-Yubico.patch
 Patch6040: backport-Change-transitions-for-.config-Yubico.patch
+Patch6041: backport-Label-etc-redis-as-redis_conf_t.patch
+Patch6042: backport-Relabel-usr-sbin-charon-systemd-as-ipsec_exec_t.patch
 Patch9000: allow-httpd-to-put-files-in-httpd-config-dir.patch
 Patch9001: add-rule-for-hostnamed-to-rpmscript-dbus-chat.patch
@@ -784,6 +786,11 @@ exit 0
 %endif
 %changelog
+* Sat Nov 25 2023 beta - 3.14.2-82
+- backport some upstream patches
+ backport-Label-etc-redis-as-redis_conf_t.patch
+ backport-Relabel-usr-sbin-charon-systemd-as-ipsec_exec_t.patch
+
 * Tue Nov 7 2023 jinlun - 3.14.2-81
 - enforcing selinux
-- Gitee