From 60267a9888215565b82caf49b383e03f1f9d0264 Mon Sep 17 00:00:00 2001
From: ExtinctFire
Date: Tue, 25 Nov 2025 22:05:07 +0800
Subject: [PATCH] backport upstream patches

Signed-off-by: ExtinctFire
---
 ...ttributes-filesystems-with-extended-.patch | 30 +++++++++
 ...low-bluetooth-devices-work-with-alsa.patch | 47 ++++++++++++++
 ...mdadm-list-stratisd-data-directories.patch | 65 +++++++++++++++++++
 ...llow-samba-dcerpcd-read-public-files.patch | 28 ++++++++
 ...te_t-the-sys_ptrace-capability-in-us.patch | 29 +++++++++
 ...nnp_transition-to-syslogd_unconfined.patch | 35 ++++++++++
 ...eep-set-attributes-of-efivarfs-files.patch | 28 ++++++++
 selinux-policy.spec | 12 +++-
 8 files changed, 273 insertions(+), 1 deletion(-)
 create mode 100644 backport-Allow-alsa-get-attributes-filesystems-with-extended-.patch
 create mode 100644 backport-Allow-bluetooth-devices-work-with-alsa.patch
 create mode 100644 backport-Allow-mdadm-list-stratisd-data-directories.patch
 create mode 100644 backport-Allow-samba-dcerpcd-read-public-files.patch
 create mode 100644 backport-Allow-spamd_update_t-the-sys_ptrace-capability-in-us.patch
 create mode 100644 backport-Allow-syslogd_t-nnp_transition-to-syslogd_unconfined.patch
 create mode 100644 backport-Allow-systemd-sleep-set-attributes-of-efivarfs-files.patch

diff --git a/backport-Allow-alsa-get-attributes-filesystems-with-extended-.patch b/backport-Allow-alsa-get-attributes-filesystems-with-extended-.patch
new file mode 100644
index 0000000..8119d74
--- /dev/null
+++ b/backport-Allow-alsa-get-attributes-filesystems-with-extended-.patch
@@ -0,0 +1,30 @@
+From aa8dc82e86f0dcff4cb7ac0c637a7297d1900ee6 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 22 Dec 2023 17:25:53 +0100
+Subject: [PATCH] Allow alsa get attributes filesystems with extended
+ attributes
+
+The commit addresses the following AVC denial:
+type=AVC msg=audit(1700102760.194:134): avc: denied { getattr } for pid=1349 comm="rm" name="/" dev="dm-0" ino=2 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
+
+Resolves: rhbz#2249960
+---
+ policy/modules/contrib/alsa.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
+index 3f1a7b0ef..fd5d24634 100644
+--- a/policy/modules/contrib/alsa.te
++++ b/policy/modules/contrib/alsa.te
+@@ -88,6 +88,8 @@ dev_write_sound(alsa_t)
+ 
+ files_search_var_lib(alsa_t)
+ 
++fs_getattr_xattr_fs(alsa_t)
++
+ modutils_domtrans_kmod(alsa_t)
+ 
+ term_dontaudit_use_console(alsa_t)
+-- 
+2.33.0
+
diff --git a/backport-Allow-bluetooth-devices-work-with-alsa.patch b/backport-Allow-bluetooth-devices-work-with-alsa.patch
new file mode 100644
index 0000000..eaecb8e
--- /dev/null
+++ b/backport-Allow-bluetooth-devices-work-with-alsa.patch
@@ -0,0 +1,47 @@
+From d96e3c7555985a464e01931b07cf2d5a97feab58 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Fri, 22 Dec 2023 17:32:38 +0100
+Subject: [PATCH] Allow bluetooth devices work with alsa
+
+The commit addresses the following AVC denials:
+type=AVC msg=audit(1702496797.273:128): avc: denied { search } for pid=1387 comm="bluetoothd" name="alsa" dev="nvme1n1p2" ino=141177 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:alsa_var_lib_t:s0 tclass=dir permissive=1
+type=SYSCALL msg=audit(1702496797.273:128): arch=x86_64 syscall=access success=no exit=ENOENT a0=56394639e0f0 a1=4 a2=0 a3=7c items=1 ppid=1 pid=1387 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=bluetoothd exe=/usr/libexec/bluetooth/bluetoothd subj=system_u:system_r:bluetooth_t:s0 key=(null)
+
+type=AVC msg=audit(1702496797.274:129): avc: denied { read write } for pid=1387 comm="bluetoothd" name="seq" dev="devtmpfs" ino=745 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=1
+type=AVC msg=audit(1702496797.274:129): avc: denied { open } for pid=1387 comm="bluetoothd" path="/dev/snd/seq" dev="devtmpfs" ino=745 scontext=system_u:system_r:bluetooth_t:s0 tcontext=system_u:object_r:sound_device_t:s0 tclass=chr_file permissive=1
+type=SYSCALL msg=audit(1702496797.274:129): arch=x86_64 syscall=openat success=yes exit=ETXTBSY a0=ffffff9c a1=7f28825ca24d a2=80002 a3=0 items=1 ppid=1 pid=1387 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=bluetoothd exe=/usr/libexec/bluetooth/bluetoothd subj=system_u:system_r:bluetooth_t:s0 key=(null)
+type=CWD msg=audit(1702496797.274:129): cwd=/
+type=PATH msg=audit(1702496797.274:129): item=0 name=/dev/snd/seq inode=745 dev=00:05 mode=020660 ouid=0 ogid=63 rdev=74:01 obj=system_u:object_r:sound_device_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
+
+Resolves: rhbz#2254422
+---
+ policy/modules/contrib/bluetooth.te | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/policy/modules/contrib/bluetooth.te b/policy/modules/contrib/bluetooth.te
+index d866c8c84..4d2d6eeac 100644
+--- a/policy/modules/contrib/bluetooth.te
++++ b/policy/modules/contrib/bluetooth.te
+@@ -124,6 +124,8 @@ corenet_udp_sendrecv_all_ports(bluetooth_t)
+ dev_rw_sysfs(bluetooth_t)
+ dev_rw_usbfs(bluetooth_t)
+ dev_rw_generic_usb_dev(bluetooth_t)
++dev_read_sound(bluetooth_t)
++dev_write_sound(bluetooth_t)
+ dev_read_urand(bluetooth_t)
+ dev_rw_input_dev(bluetooth_t)
+ dev_rw_wireless(bluetooth_t)
+@@ -154,6 +156,10 @@ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+ systemd_hostnamed_read_config(bluetooth_t)
+ systemd_dbus_chat_hostnamed(bluetooth_t)
+ 
++optional_policy(`
++ alsa_read_lib(bluetooth_t)
++')
++
+ optional_policy(`
+ dbus_system_bus_client(bluetooth_t)
+ dbus_connect_system_bus(bluetooth_t)
+-- 
+2.33.0
+
diff --git a/backport-Allow-mdadm-list-stratisd-data-directories.patch b/backport-Allow-mdadm-list-stratisd-data-directories.patch
new file mode 100644
index 0000000..a0324a0
--- /dev/null
+++ b/backport-Allow-mdadm-list-stratisd-data-directories.patch
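Review bot: The `alsa_read_lib(bluetooth_t)` grant in the second hunk of bluetooth.te is wider than the denial it cites: the logged event is a single `search` on alsa_var_lib_t from an access() call that returned ENOENT, i.e. bluetoothd only probed for a directory, while the interface name suggests read access to the whole ALSA lib tree. If the alsa module provides a search-only interface that would be the tighter fit; otherwise a comment above the block, e.g. `# observed need is dir search only; full read granted for simplicity`, keeps the rationale next to the rule. Both denials were captured with permissive=1, so they record what bluetoothd attempted rather than what it strictly needed.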
@@ -0,0 +1,65 @@
+From b0a2582ca4f13fe2ed7745fa368c6687ea7102fa Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 11 Jan 2024 20:41:00 +0100
+Subject: [PATCH] Allow mdadm list stratisd data directories
+
+The permissions to list stratisd data directories and follow
+symlinks were added.
+
+The commit addresses the following AVC denial:
+type=PROCTITLE msg=audit(01/11/2024 12:29:49.252:365) : proctitle=/usr/sbin/mdadm --detail --no-devices --export /dev/md0
+type=SYSCALL msg=audit(01/11/2024 12:29:49.252:365) : arch=x86_64 syscall=openat success=yes exit=5 a0=0x4 a1=0x55e65a174065 a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY a3=0x0 items=1 ppid=48598 pid=48600 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=mdadm exe=/usr/sbin/mdadm subj=system_u:system_r:mdadm_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(01/11/2024 12:29:49.252:365) : avc: denied { open } for pid=48600 comm=mdadm path=/dev/stratis dev="devtmpfs" ino=42187 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=dir permissive=1
+type=AVC msg=audit(01/11/2024 12:29:49.252:365) : avc: denied { read } for pid=48600 comm=mdadm name=stratis dev="devtmpfs" ino=42187 scontext=system_u:system_r:mdadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=dir permissive=1
+
+Resolves: RHEL-19276
+---
+ policy/modules/contrib/raid.te | 5 +++++
+ policy/modules/contrib/stratisd.if | 18 ++++++++++++++++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/policy/modules/contrib/raid.te b/policy/modules/contrib/raid.te
+index 82d0b822e..c4c8d4c55 100644
+--- a/policy/modules/contrib/raid.te
++++ b/policy/modules/contrib/raid.te
+@@ -183,6 +183,11 @@ optional_policy(`
+ seutil_sigchld_newrole(mdadm_t)
+ ')
+ 
++optional_policy(`
++ stratisd_data_list_dirs(mdadm_t)
++ stratisd_data_read_lnk_files(mdadm_t)
++')
++
+ optional_policy(`
+ udev_read_db(mdadm_t)
+ ')
+diff --git a/policy/modules/contrib/stratisd.if b/policy/modules/contrib/stratisd.if
+index 32e7e66ef..31fcdc697 100644
+--- a/policy/modules/contrib/stratisd.if
++++ b/policy/modules/contrib/stratisd.if
+@@ -133,3 +133,21 @@ interface(`stratisd_data_read_lnk_files',`
+ 
+ allow $1 stratisd_data_t:lnk_file read_lnk_file_perms;
+ ')
++
++########################################
++##
++## Read stratisd data directories
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`stratisd_data_list_dirs',`
++ gen_require(`
++ type stratisd_data_t;
++ ')
++
++ list_dirs_pattern($1, stratisd_data_t, stratisd_data_t)
++')
+-- 
+2.33.0
+
diff --git a/backport-Allow-samba-dcerpcd-read-public-files.patch b/backport-Allow-samba-dcerpcd-read-public-files.patch
new file mode 100644
index 0000000..fd561c3
--- /dev/null
+++ b/backport-Allow-samba-dcerpcd-read-public-files.patch
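Review bot: The summary of the new `stratisd_data_list_dirs` interface in the stratisd.if hunk reads `Read stratisd data directories`, but the interface name and the `list_dirs_pattern` call grant list access, so the doc line should say `##	List stratisd data directories` to keep the generated interface documentation honest about what is allowed. The summary and param markup also appears stripped in this rendering of the patch; it is worth confirming the file itself still carries the usual `<summary>` and `<param name="domain">` tags, since the policy's XML doc generation depends on them.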
@@ -0,0 +1,28 @@
+From fd4b3d80c8dae1ad144e16b351c1a26312ee528d Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 2 Jan 2024 15:06:12 +0100
+Subject: [PATCH] Allow samba-dcerpcd read public files
+
+The commit addresses the following AVC denial:
+type=AVC msg=audit(1704134675.693:18923): avc: denied { read write } for pid=3960899 comm="samba-dcerpcd" path=2F7372762F70726976646174612F4D6F6E65792F47544C2F54617865732042442F42696E676E696E6720546178657320323032322D323032332E6F6473 dev="dm-2" ino=3146018 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=file permissive=0
+
+Related: rhbz#2122904
+---
+ policy/modules/contrib/samba.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index c43a4529e..5eed73a50 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1272,6 +1272,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ miscfiles_read_generic_certs(winbind_rpcd_t)
++ miscfiles_read_public_files(winbind_rpcd_t)
+ ')
+ 
+ optional_policy(`
+-- 
+2.33.0
+
diff --git a/backport-Allow-spamd_update_t-the-sys_ptrace-capability-in-us.patch b/backport-Allow-spamd_update_t-the-sys_ptrace-capability-in-us.patch
new file mode 100644
index 0000000..329ffe9
--- /dev/null
+++ b/backport-Allow-spamd_update_t-the-sys_ptrace-capability-in-us.patch
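Review bot: The cited denial is `{ read write }` on a public_content_rw_t file, but the added `miscfiles_read_public_files(winbind_rpcd_t)` covers only the read half (as the interface name indicates), so the write attempt by samba-dcerpcd will still be refused, which is presumably why the message says "Related" rather than "Resolves". A short comment on the rule would stop the next person from re-opening this from the same audit record, e.g. `# read only; write to public_content_rw_t is deliberately not granted here`. The path in the record is hex-encoded because it contained spaces, not because anything is wrong with the file.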
@@ -0,0 +1,29 @@
+From bd5e92bdebcb58c1536dbf73ba7146d049f90a0e Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 21 Dec 2023 17:33:14 +0100
+Subject: [PATCH] Allow spamd_update_t the sys_ptrace capability in user
+ namespace
+
+The commit addresses the following AVC denial:
+type=AVC msg=audit(1702854015.017:42859): avc: denied { sys_ptrace } for pid=1077477 comm="pgrep" capability=19 scontext=system_u:system_r:spamd_update_t:s0 tcontext=system_u:system_r:spamd_update_t:s0 tclass=cap_userns permissive=1
+
+Resolves: rhbz#2252484
+---
+ policy/modules/contrib/spamassassin.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
+index 2d3ccb1fc..6059c8837 100644
+--- a/policy/modules/contrib/spamassassin.te
++++ b/policy/modules/contrib/spamassassin.te
+@@ -610,6 +610,7 @@ allow spamd_update_t self:fifo_file manage_fifo_file_perms;
+ allow spamd_update_t self:unix_dgram_socket create_socket_perms;
+ allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
+ allow spamd_update_t self:capability { dac_read_search dac_override };
++allow spamd_update_t self:cap_userns sys_ptrace;
+ 
+ manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
+ manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
+-- 
+2.33.0
+
diff --git a/backport-Allow-syslogd_t-nnp_transition-to-syslogd_unconfined.patch b/backport-Allow-syslogd_t-nnp_transition-to-syslogd_unconfined.patch
new file mode 100644
index 0000000..284fe52
--- /dev/null
+++ b/backport-Allow-syslogd_t-nnp_transition-to-syslogd_unconfined.patch
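Review bot: `allow spamd_update_t self:cap_userns sys_ptrace;` grants a capability the cited pgrep invocation most likely does not need: the denial was recorded with permissive=1, and pgrep typically trips the sys_ptrace check only while reading other processes' /proc entries, a refusal it tolerates. The usual least-privilege answer for this pattern is `dontaudit spamd_update_t self:cap_userns sys_ptrace;`, which silences the log noise without letting the update job inspect other processes inside a user namespace. If the allow really is required, a comment stating what breaks without it would justify keeping it.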
@@ -0,0 +1,35 @@
+From be44e1402614fed1c53975138fc3d810c4eae734 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 10 Jan 2024 17:33:21 +0100
+Subject: [PATCH] Allow syslogd_t nnp_transition to syslogd_unconfined_script_t
+
+The commit addresses the following AVC denial:
+type=AVC msg=audit(01/09/2024 05:11:04.592:9926) : avc: denied { nnp_transition } for pid=538886 comm=rs:main Q:Reg scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:system_r:syslogd_unconfined_script_t:s0 tclass=process2 permissive=0
+type=SELINUX_ERR msg=audit(01/09/2024 05:11:04.592:9926) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:syslogd_t:s0 newcontext=system_u:system_r:syslogd_unconfined_script_t:s0
+type=SYSCALL msg=audit(01/09/2024 05:11:04.592:9926) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x559639ba78b0 a1=0x0 a2=0x559639b81a90 a3=0x8 items=3 ppid=538750 pid=538886 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=log_rotate.sh exe=/usr/bin/bash subj=system_u:system_r:syslogd_t:s0 key=(null)
+type=BPRM_FCAPS msg=audit(01/09/2024 05:11:04.592:9926) : fver=0 fp=none fi=none fe=0 old_pp=chown,dac_override,setgid,setuid,net_bind_service,net_admin,net_raw,ipc_lock,sys_chroot,sys_admin,sys_resource,lease,syslog,block_suspend old_pi=none old_pe=chown,dac_override,setgid,setuid,net_bind_service,net_admin,net_raw,ipc_lock,sys_chroot,sys_admin,sys_resource,lease,syslog,block_suspend old_pa=none pp=dac_override pi=none pe=dac_override pa=none frootid=0
+type=EXECVE msg=audit(01/09/2024 05:11:04.592:9926) : argc=2 a0=/bin/bash a1=/usr/libexec/rsyslog/log_rotate.sh
+type=PATH msg=audit(01/09/2024 05:11:04.592:9926) : item=0 name=/usr/libexec/rsyslog/log_rotate.sh inode=8964850 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:syslogd_unconfined_script_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=PATH msg=audit(01/09/2024 05:11:04.592:9926) : item=1 name=/bin/bash inode=25167901 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+type=PATH msg=audit(01/09/2024 05:11:04.592:9926) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=404 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
+
+Resolves: RHEL-11174
+---
+ policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 5923f444d..72282b9be 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -119,6 +119,7 @@ type syslogd_unconfined_script_exec_t;
+ role system_r types syslogd_unconfined_script_t;
+ application_domain(syslogd_unconfined_script_t, syslogd_unconfined_script_exec_t)
+ domtrans_pattern(syslogd_t, syslogd_unconfined_script_exec_t, syslogd_unconfined_script_t)
++allow syslogd_t syslogd_unconfined_script_t:process2 nnp_transition;
+ 
+ type syslogd_tmp_t;
+ files_tmp_file(syslogd_tmp_t)
+-- 
+2.33.0
+
diff --git a/backport-Allow-systemd-sleep-set-attributes-of-efivarfs-files.patch b/backport-Allow-systemd-sleep-set-attributes-of-efivarfs-files.patch
new file mode 100644
index 0000000..580bf2a
--- /dev/null
+++ b/backport-Allow-systemd-sleep-set-attributes-of-efivarfs-files.patch
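Review bot: The new `allow syslogd_t syslogd_unconfined_script_t:process2 nnp_transition;` deserves a why-comment, because it lets a NoNewPrivileges-restricted rsyslog move into an unconfined script domain: the SELINUX_ERR record shows the bounded-transition check refusing it, and the `domtrans_pattern` on the line above already permitted the same transition whenever NNP is not in effect, so the rule's only job is to lift that restriction. Something like `# rsyslog runs with NoNewPrivileges; without nnp_transition the exec of syslogd_unconfined_script_exec_t stays in syslogd_t` would record that a confined domain is intentionally being allowed to reach an unconfined one. Where NNP is set for rsyslog is not visible in this patch and should be named in that comment.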
@@ -0,0 +1,28 @@
+From 369ff9260dcf3c57165813d89b89f42462909123 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 2 Jan 2024 11:12:05 +0100
+Subject: [PATCH] Allow systemd-sleep set attributes of efivarfs files
+
+The commit addresses the following AVC denial:
+type=AVC msg=audit(1703311625.363:336): avc: denied { setattr } for pid=3817 comm="systemd-sleep" path="/sys/firmware/efi/efivars/HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67" dev="efivarfs" ino=510 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
+
+Resolves: rhbz#2255693
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index ab4cb0516..2e5b94fb0 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1597,6 +1597,7 @@ dev_rw_sysfs(systemd_sleep_t)
+ dev_write_kmsg(systemd_sleep_t)
+ 
+ fs_create_efivarfs_files(systemd_sleep_t)
++fs_setattr_efivarfs_files(systemd_sleep_t)
+ fs_rw_efivarfs_files(systemd_sleep_t)
+ 
+ fstools_rw_swap_files(systemd_sleep_t)
+-- 
+2.33.0
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9f698f0..81c405f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 40.7
-Release: 5
+Release: 6
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
 
@@ -78,6 +78,13 @@ Patch22: backport-Allow-hypervkvp_t-write-access-to-NetworkManager_etc.patch
 Patch23: backport-Add-interface-for-write-only-access-to-NetworkManager.patch
 Patch24: backport-Allow-the-sysadm-user-use-the-secretmem-API.patch
 Patch25: backport-Update-kernel_secretmem_use.patch
+Patch26: backport-Allow-alsa-get-attributes-filesystems-with-extended-.patch
+Patch27: backport-Allow-bluetooth-devices-work-with-alsa.patch
+Patch28: backport-Allow-spamd_update_t-the-sys_ptrace-capability-in-us.patch
+Patch29: backport-Allow-samba-dcerpcd-read-public-files.patch
+Patch30: backport-Allow-systemd-sleep-set-attributes-of-efivarfs-files.patch
+Patch31: backport-Allow-syslogd_t-nnp_transition-to-syslogd_unconfined.patch
+Patch32: backport-Allow-mdadm-list-stratisd-data-directories.patch
 
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -757,6 +764,9 @@ exit 0
 %endif
 
 %changelog
+* Tue Nov 25 2025 ExtinctFire - 40.7-6
+- backport upstream patches
+
 * Thu Aug 14 2025 yanglongkang - 40.7-5
 - backport upstream patches to add some interface for NM
 
-- Gitee