From fa07f7534f24f966474849a308d844ade311954a Mon Sep 17 00:00:00 2001
From: lyn1001
Date: Tue, 13 Aug 2024 15:21:24 +0800
Subject: [PATCH] Allow init_t nnp domain transition to abrtd_t
---
 ...t_t-nnp-domain-transition-to-abrtd_t.patch | 29 +++++++++++++++++++
 selinux-policy.spec | 6 +++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 Allow-init_t-nnp-domain-transition-to-abrtd_t.patch
diff --git a/Allow-init_t-nnp-domain-transition-to-abrtd_t.patch b/Allow-init_t-nnp-domain-transition-to-abrtd_t.patch
new file mode 100644
index 0000000..c0e9784
--- /dev/null
+++ b/Allow-init_t-nnp-domain-transition-to-abrtd_t.patch
@@ -0,0 +1,29 @@
+From b9090951b8dc65f9e4bcf008aff9d353dd025f0a Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 7 Feb 2024 16:24:21 +0100
+Subject: [PATCH] Allow init_t nnp domain transition to abrtd_t
+
+The permission is required in abrt v2.17.2 which contains
+miscellaneous service sandboxing features.
+
+The commit addresses the following AVC denial:
+Feb 05 14:39:14 fedora audit[729]: AVC avc: denied { nnp_transition } for pid=729 comm="(abrtd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=process2 permissive=0
+Feb 05 14:39:14 fedora audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023
+
+Resolves: rhbz#2263210
+---
+ policy/modules/contrib/abrt.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
+index 463dd64a9c..59b9f114ab 100644
+--- a/policy/modules/contrib/abrt.te
++++ b/policy/modules/contrib/abrt.te
+@@ -38,6 +38,7 @@ roleattribute system_r abrt_helper_roles;
+ 
+ abrt_basic_types_template(abrt)
+ init_daemon_domain(abrt_t, abrt_exec_t)
++init_nnp_daemon_domain(abrt_t)
+ 
+ type abrt_initrc_exec_t;
+ init_script_file(abrt_initrc_exec_t)
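Review bot: The new `init_nnp_daemon_domain(abrt_t)` line carries no comment, and the interface name alone does not tell a later reader why systemd must be allowed past the NoNewPrivileges bounded-transition check for this one daemon; I would add above it `# abrt >= 2.17.2 starts abrtd with NoNewPrivileges=yes; let init_t still transition into abrt_t (rhbz#2263210)`. The fix is grounded only in the denial for comm="(abrtd)", while the description says v2.17.2 sandboxes services generally — if the other abrt units (for example the upload-watch and journal/oops dumpers) received the same hardening, their domains in this module will hit the same SELINUX_ERR and need the same interface call, so checking the shipped unit files now beats waiting for the next bug report. Note also that the title and patch filename say abrtd_t while the type granted is abrt_t; the denial's tcontext shows abrt_t is the correct one. If I recall correctly, Fedora's init.if implements this interface as nnp_transition plus nosuid_transition, which would make the effective grant slightly wider than the title states — worth confirming and mentioning in the description.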
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6492c19..6dfdf84 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 40.7
-Release: 2
+Release: 3
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
@@ -73,6 +73,7 @@ Patch9005: add-rule-for-hostnamed-to-rpmscript-dbus-chat.patch
 Patch9006: allow-init_t-create-fifo-file-in-net_conf-dir.patch
 Patch9007: Revert-Don-t-allow-kernel_t-to-execute-bin_t-usr_t-binaries.patch
 Patch9008: Policy-for-restoring-kernel_t.patch
+Patch9009: Allow-init_t-nnp-domain-transition-to-abrtd_t.patch
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc procps-ng
@@ -742,6 +743,9 @@ exit 0
 %endif
 %changelog
+* Tue Aug 13 2024 liyanan - 40.7-3
+- Allow init_t nnp domain transition to abrtd_t
+
 * Thu Apr 11 2024 jinlun - 40.7-2
 - update modules-targeted-contrib.conf
-- Gitee
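Review bot: Patch9009 is declared but nothing in these hunks shows how patches are applied; if this spec uses explicit `%patch -P` lines rather than `%autosetup`/`%autopatch`, a matching apply line is still needed or the new patch is silently ignored at build time — please confirm, since the %prep section is outside this diff. The backported rule also relies on the `nnp_nosuid_transition` policy capability being enabled in the base policy; without it the kernel never consults nnp_transition and the bounded-transition error persists, so a quick check of policy_capabilities in the shipped tarball would make the backport self-evidently complete (Fedora-derived 40.7 should have it, but that is an assumption here). The changelog entry repeats `abrtd_t` from the upstream title although the type actually granted is `abrt_t`; naming the real type would let a grep of audit denials for the domain find this entry.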