diff --git a/backport-Fix-users-for-SELinux-userspace-3.4.patch b/backport-Fix-users-for-SELinux-userspace-3.4.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e9909306ab7a013c4992a58cd9e32018409165df
--- /dev/null
+++ b/backport-Fix-users-for-SELinux-userspace-3.4.patch
@@ -0,0 +1,146 @@
+From e1e216b25df1bdb4eb7dbb8f73f32927ad6f3d1f Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Thu, 14 Apr 2022 12:07:40 +0200
+Subject: [PATCH] Fix users for SELinux userspace 3.4
+
+Latest yet to be released userspace version 3.4 added new validation and
+discovered several issues in current implementation. This patch tries to
+address them:
+
+- move guest and xguest module from contrib to roles - refpolicy did
+this change long time ago
+
+- roles guest_r and xguest_r need to be defined in kernel.te
+
+- gen_user() is supposed to be in policy/users, not in modules
+
+- drop role multiple definitions from userdom_base_user_template as it's
+and is supposed to be defined in kernel.te
+---
+ policy/modules/kernel/kernel.te | 3 +++
+ policy/modules/{contrib => roles}/guest.fc | 0
+ policy/modules/{contrib => roles}/guest.if | 0
+ policy/modules/{contrib => roles}/guest.te | 4 ++--
+ policy/modules/roles/unconfineduser.te | 3 +--
+ policy/modules/{contrib => roles}/xguest.fc | 0
+ policy/modules/{contrib => roles}/xguest.if | 0
+ policy/modules/{contrib => roles}/xguest.te | 4 ++--
+ policy/modules/system/userdomain.if | 3 +--
+ 9 files changed, 9 insertions(+), 8 deletions(-)
+ rename policy/modules/{contrib => roles}/guest.fc (100%)
+ rename policy/modules/{contrib => roles}/guest.if (100%)
+ rename policy/modules/{contrib => roles}/guest.te (82%)
+ rename policy/modules/{contrib => roles}/xguest.fc (100%)
+ rename policy/modules/{contrib => roles}/xguest.if (100%)
+ rename policy/modules/{contrib => roles}/xguest.te (98%)
+
+diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
+index acbb2f74e6..73696bcb0a 100644
+--- a/policy/modules/kernel/kernel.te
++++ b/policy/modules/kernel/kernel.te
+@@ -39,6 +39,9 @@ role user_r;
+ # here until order dependence is fixed:
+ role unconfined_r;
+ 
++role guest_r;
++role xguest_r;
++
+ ifdef(`enable_mls',`
+ role secadm_r;
+ role auditadm_r;
+diff --git a/policy/modules/contrib/guest.fc b/policy/modules/roles/guest.fc
+similarity index 100%
+rename from policy/modules/contrib/guest.fc
+rename to policy/modules/roles/guest.fc
+diff --git a/policy/modules/contrib/guest.if b/policy/modules/roles/guest.if
+similarity index 100%
+rename from policy/modules/contrib/guest.if
+rename to policy/modules/roles/guest.if
+diff --git a/policy/modules/contrib/guest.te b/policy/modules/roles/guest.te
+similarity index 82%
+rename from policy/modules/contrib/guest.te
+rename to policy/modules/roles/guest.te
+index 0605776333..2e9505d1cc 100644
+--- a/policy/modules/contrib/guest.te
++++ b/policy/modules/roles/guest.te
+@@ -5,7 +5,7 @@ policy_module(guest, 1.3.0)
+ # Declarations
+ #
+ 
+-role guest_r;
++# role guest_r;
+ 
+ userdom_restricted_user_template(guest)
+ 
+@@ -20,4 +20,4 @@ optional_policy(`
+ apache_role(guest_r, guest_t)
+ ')
+ 
+-gen_user(guest_u, user, guest_r, s0, s0)
++# gen_user(guest_u, user, guest_r, s0, s0)
+diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
+index 55bca1e31e..5596e6f0ee 100644
+--- a/policy/modules/roles/unconfineduser.te
++++ b/policy/modules/roles/unconfineduser.te
+@@ -399,5 +399,4 @@ optional_policy(`
+ xserver_xsession_entry_type(unconfined_t)
+ ')
+ 
+-gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+-
++# gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+diff --git a/policy/modules/contrib/xguest.fc b/policy/modules/roles/xguest.fc
+similarity index 100%
+rename from policy/modules/contrib/xguest.fc
+rename to policy/modules/roles/xguest.fc
+diff --git a/policy/modules/contrib/xguest.if b/policy/modules/roles/xguest.if
+similarity index 100%
+rename from policy/modules/contrib/xguest.if
+rename to policy/modules/roles/xguest.if
+diff --git a/policy/modules/contrib/xguest.te b/policy/modules/roles/xguest.te
+similarity index 98%
+rename from policy/modules/contrib/xguest.te
+rename to policy/modules/roles/xguest.te
+index 8d3ef540a7..e19bf40fc5 100644
+--- a/policy/modules/contrib/xguest.te
++++ b/policy/modules/roles/xguest.te
+@@ -26,7 +26,7 @@ gen_tunable(xguest_connect_network, true)
+ ##
+ gen_tunable(xguest_use_bluetooth, true)
+ 
+-role xguest_r;
++# role xguest_r;
+ 
+ userdom_restricted_xwindows_user_template(xguest)
+ sysnet_dns_name_resolve(xguest_t)
+@@ -203,4 +203,4 @@ optional_policy(`
+ role xguest_r types mozilla_t;
+ ')
+ 
+-gen_user(xguest_u, user, xguest_r, s0, s0)
++# gen_user(xguest_u, user, xguest_r, s0, s0)
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index b16984dd82..d5be647e85 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -27,6 +27,7 @@ template(`userdom_base_user_template',`
+ attribute userdomain;
+ type user_devpts_t, user_tty_device_t;
+ class context contains;
++ role $1_r;
+ ')
+ 
+ attribute $1_file_type;
+@@ -34,12 +35,10 @@ template(`userdom_base_user_template',`
+ 
+ type $1_t, userdomain, $1_usertype;
+ domain_type($1_t)
+- role $1_r;
+ corecmd_shell_entry_type($1_t)
+ corecmd_bin_entry_type($1_t)
+ domain_user_exemption_target($1_t)
+ ubac_constrained($1_t)
+- role $1_r;
+ role $1_r types $1_t;
+ allow system_r $1_r;
+ 
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1c7f09383b544b3f789e92681fa896115c6c3f85..c3eb3cd3716436947f030eb4c753884a48e49d6e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 35.5
-Release: 21
+Release: 22
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
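Review bot: The declarations this patch disables in guest.te, xguest.te and unconfineduser.te are left behind as commented-out code (`# role guest_r;`, `# gen_user(guest_u, user, guest_r, s0, s0)`, `# gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)`) rather than removed, which invites a later uncomment that would reintroduce exactly the duplicate-definition error the 3.4 validation rejects. Prefer deleting them, or replacing each with a pointer such as `# guest_r is declared in kernel.te; guest_u is declared in the policy users file` so the reader knows where the definition moved. The userdomain.if hunk moves `role $1_r;` into the template's gen_require block, so any caller of userdom_base_user_template whose role is not declared in kernel.te will now fail at link time; that new contract deserves a sentence in the patch description or a comment on the require line. The template and the optional_policy blocks shown are only partially visible in these hunks, so the points above are limited to the lines shown.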
@@ -275,6 +275,7 @@
 Patch6205: backport-Allow-pcscd-bpf-capability-to-run-bpf-programs.patch
 Patch6206: backport-Allow-logwatch_mail_t-read-network-sysctls.patch
 Patch6207: backport-Allow-exim-read-network-sysctls.patch
 Patch6208: backport-Allow-kernel-to-manage-its-own-BPF-objects.patch
+Patch6209: backport-Fix-users-for-SELinux-userspace-3.4.patch
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -951,6 +952,9 @@
 exit 0
 %endif
 %changelog
+* Mon Mar 25 2024 gengqihu - 35.5-22
+- fix semodule_package fail
+
 * Thu Aug 24 2023 wangqingsan - 35.5-21
 - backport upstream patches
diff --git a/users-minimum b/users-minimum
index 8207eed482a0a21d7877bd22395646c7bae3ea35..66af86081a45eeebbb1b5f3e9141651e97ec3283 100644
--- a/users-minimum
+++ b/users-minimum
@@ -36,3 +36,4 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 # gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/users-mls b/users-mls
index 05d26712efe0bd41abcea6464ff5f2c4c31b005f..8fad9ea21e122378c02559a46335daa10dca890c 100644
--- a/users-mls
+++ b/users-mls
@@ -36,3 +36,5 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 # gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/users-targeted b/users-targeted
index 8207eed482a0a21d7877bd22395646c7bae3ea35..a875306f1258f02deacfcb82d3537c85f84988db 100644
--- a/users-targeted
+++ b/users-targeted
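Review bot: The users-minimum hunk re-declares only unconfined_u, while the users-mls hunk on the same line re-declares only guest_u and xguest_u, so the three policy variants now end up with different user sets for the identities the backported patch removed from the guest, xguest and unconfined modules. If the guest/xguest role modules are still built for the minimum policy, or the unconfined module for mls, that identity is now silently absent from the resulting base policy and any seusers or semanage login mapping to it fails at login time; whether those modules are built cannot be seen from this diff, so please confirm against the variant's module configuration. If the omissions are deliberate, a one-line comment next to each added gen_user line, e.g. `# guest_u/xguest_u are not declared here: the guest and xguest modules are not part of the minimum policy`, would stop the next reader from "completing" the list. The same applies to the users-targeted hunk that follows, which declares all three.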
@@ -36,3 +36,6 @@ gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # not in the sysadm_r.
 # gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
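Review bot: The three gen_user lines added here carry no comment explaining why these identities now live in the base users file instead of the unconfineduser, guest and xguest modules, and the surrounding file only documents the commented-out root entry. A short header above them, such as `# unconfined_u, guest_u and xguest_u are declared here rather than in their role modules because SELinux userspace 3.4 requires gen_user() in the policy users file; their roles are declared in kernel.te`, would make the dependency explicit. It is also worth noting in that comment that, because the identities are now in the base policy, disabling one of those modules with semodule no longer removes the corresponding user: the user and its role remain, but the role has no types attached, so logins mapped to it fail rather than fall back to another identity. I cannot tell from this hunk alone whether the users file is built with MLS ranges for the targeted variant, so the `s0 - mls_systemhigh, mcs_allcats` range on unconfined_u is left as the patch had it.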