From 68df94f5e3114fcaa05209aabca3e008e5f4b167 Mon Sep 17 00:00:00 2001 From: HuaxinLuGitee <1539327763@qq.com> Date: Fri, 28 Aug 2020 22:45:33 +0800 Subject: [PATCH 1/4] add add_userman_access_run_dir.patch --- add_userman_access_run_dir.patch | 52 ++++++++++++++++++++++++++++++++ selinux-policy.spec | 6 +++- 2 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 add_userman_access_run_dir.patch diff --git a/add_userman_access_run_dir.patch b/add_userman_access_run_dir.patch new file mode 100644 index 0000000..8118121 --- /dev/null +++ b/add_userman_access_run_dir.patch 
@@ -0,0 +1,52 @@
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index e069cb5..43fed66 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -250,6 +250,11 @@ files_relabel_etc_files(groupadd_t)
+ files_read_etc_files(groupadd_t)
+ files_read_etc_runtime_files(groupadd_t)
+ files_read_usr_symlinks(groupadd_t)
++files_search_pids(groupadd_t)
++files_create_var_run_dirs(groupadd_t)
++files_delete_all_pids(groupadd_t)
++allow groupadd_t var_run_t:file *;
++allow groupadd_t var_run_t:dir *;
+ 
+ # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
+ corecmd_exec_bin(groupadd_t)
+@@ -366,6 +371,11 @@ files_read_usr_files(passwd_t)
+ files_search_var(passwd_t)
+ files_dontaudit_search_pids(passwd_t)
+ files_relabel_etc_files(passwd_t)
++files_search_pids(passwd_t)
++files_create_var_run_dirs(passwd_t)
++files_delete_all_pids(passwd_t)
++allow passwd_t var_run_t:file *;
++allow passwd_t var_run_t:dir *;
+ 
+ term_search_ptys(passwd_t)
+ 
+@@ -486,6 +496,12 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t)
+ # on user home dir
+ userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
+ 
++files_search_pids(sysadm_passwd_t)
++files_create_var_run_dirs(sysadm_passwd_t)
++files_delete_all_pids(sysadm_passwd_t)
++allow sysadm_passwd_t var_run_t:file *;
++allow sysadm_passwd_t var_run_t:dir *;
++
+ optional_policy(`
+ nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
+ ')
+@@ -536,6 +552,10 @@ files_read_etc_runtime_files(useradd_t)
+ files_manage_etc_files(useradd_t)
+ files_create_var_lib_dirs(useradd_t)
+ files_rw_var_lib_dirs(useradd_t)
++files_search_pids(useradd_t)
++files_create_var_run_dirs(useradd_t)
++files_delete_all_pids(useradd_t)
++allow useradd_t var_run_t:file *;
+ 
+ fs_search_auto_mountpoints(useradd_t)
+ fs_getattr_xattr_fs(useradd_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 979ceed..bd5444b 100644
--- a/selinux-policy.spec
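Review bot: The `allow <domain> var_run_t:file *;` and `:dir *;` rules added for groupadd_t, passwd_t, sysadm_passwd_t and useradd_t grant every permission in those classes — relabelfrom/relabelto, execute and entrypoint on files, rmdir, reparent and mounton on directories — over everything under /run that carries the generic var_run_t label, and in refpolicy passwd_t is the domain unprivileged users enter through the setuid passwd binary, so this is far wider than whatever denial the patch is answering; `files_delete_all_pids` likewise reaches every pidfile-attributed type, not just var_run_t. Replace the wildcards with the concrete set from the AVC, e.g. `manage_files_pattern(passwd_t, var_run_t, var_run_t)` and `manage_dirs_pattern(passwd_t, var_run_t, var_run_t)` (same for the other three domains), or better give the shadow-utils runtime files their own type with a `files_pid_filetrans` so the admin layer does not name var_run_t at all. The useradd_t hunk receives only the file rule, which suggests the required permissions were not actually pinned down per domain. A line in the patch header quoting the denials it fixes would let the next person narrow this.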
+++ b/selinux-policy.spec @@ -12,7 +12,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.2 -Release: 56 +Release: 57 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ @@ -63,6 +63,7 @@ Patch10: add-avc-for-systemd-journald.patch Patch11: add-avc-for-systemd-hostnamed-and-systemd-logind.patch Patch12: add-avc-for-systemd.patch Patch13: allow-systemd-to-mount-unlabeled-filesystemd.patch +Patch14: add_userman_access_run_dir.patch BuildArch: noarch BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc @@ -728,6 +729,9 @@ exit 0 %endif %changelog +* Fri Aug 28 2020 openEuler Buildteam - 3.14.2-57 +- add add_userman_access_run_dir.patch + * Mon Jul 27 2020 openEuler Buildteam - 3.14.2-56 - update selinux -- Gitee From a739fb7124353d6614a83a27db5fa21114ee31f4 Mon Sep 17 00:00:00 2001 From: HuaxinLuGitee <1539327763@qq.com> Date: Thu, 10 Sep 2020 21:03:18 +0800 Subject: [PATCH 2/4] add patch for virt --- ...ned-create-userdbd-runtime-sock-file.patch | 54 +++++++++++++++++++ selinux-policy.spec | 6 ++- 2 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 allow-systemd-machined-create-userdbd-runtime-sock-file.patch diff --git a/allow-systemd-machined-create-userdbd-runtime-sock-file.patch b/allow-systemd-machined-create-userdbd-runtime-sock-file.patch new file mode 100644 index 0000000..fcb2ce6 --- /dev/null +++ b/allow-systemd-machined-create-userdbd-runtime-sock-file.patch 
@@ -0,0 +1,54 @@
+From d4a034518393bd1c0277a4dd3e87c8e94b394317 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 11 Aug 2020 12:47:42 +0200
+Subject: [PATCH] Allow systemd-machined create userdbd runtime sock files
+
+Create the systemd_create_userdbd_runtime_sock_files() interface.
+
+Resolves: rhbz#1862686
+---
+ policy/modules/system/systemd.if | 18 ++++++++++++++++++
+ policy/modules/system/systemd.te | 1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index c9d2ed7..a6d8bd0 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -2374,3 +2374,21 @@ interface(`systemd_userdbd_stream_connect',`
+ 
+ allow $1 systemd_userdbd_t:unix_stream_socket connectto;
+ ')
++
++#######################################
++##
++## Create a named socket in userdbd runtime directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_create_userdbd_runtime_sock_files',`
++ gen_require(`
++ type systemd_userdbd_runtime_t;
++ ')
++
++ create_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
++')
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 367758a..806b7d6 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -415,6 +415,7 @@ init_manage_config_transient_files(systemd_machined_t)
+ logging_dgram_send(systemd_machined_t)
+ 
+ systemd_read_efivarfs(systemd_machined_t)
++systemd_create_userdbd_runtime_sock_files(systemd_machined_t)
+ 
+ userdom_dbus_send_all_users(systemd_machined_t)
+ 
+--
+1.8.3.1
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index bd5444b..2a76bb1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.2 -Release: 57 +Release: 58 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/
@@ -64,6 +64,7 @@ Patch11: add-avc-for-systemd-hostnamed-and-systemd-logind.patch Patch12: add-avc-for-systemd.patch Patch13: allow-systemd-to-mount-unlabeled-filesystemd.patch Patch14: add_userman_access_run_dir.patch +Patch15: allow-systemd-machined-create-userdbd-runtime-sock-file.patch BuildArch: noarch BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc @@ -729,6 +730,9 @@ exit 0 %endif %changelog +* Wed Sep 10 2020 openEuler Buildteam - 3.14.2-58 +- add allow-systemd-machined-create-userdbd-runtime-sock-file.patch + * Fri Aug 28 2020 openEuler Buildteam - 3.14.2-57 - add add_userman_access_run_dir.patch -- Gitee From 06fcfa3a98a5ab9fecb8e4bbb310412abe9ccc1a Mon Sep 17 00:00:00 2001 From: HuaxinLuGitee <1539327763@qq.com> Date: Thu, 17 Sep 2020 17:21:33 +0800 Subject: [PATCH 3/4] add patches for machined to delete userdbd socket --- ...chined_t-delete-userdbd-runtime-sock.patch | 25 +++++++++++++++++++ selinux-policy.spec | 8 ++++-- 2 files changed, 31 insertions(+), 2 deletions(-) create mode 100644 allow-systemd_machined_t-delete-userdbd-runtime-sock.patch diff --git a/allow-systemd_machined_t-delete-userdbd-runtime-sock.patch b/allow-systemd_machined_t-delete-userdbd-runtime-sock.patch new file mode 100644 index 0000000..cd964b8 --- /dev/null +++ b/allow-systemd_machined_t-delete-userdbd-runtime-sock.patch 
@@ -0,0 +1,25 @@
+From 99e2285e42bb9d06dbf1322b2990ccee974e1c92 Mon Sep 17 00:00:00 2001
+From: HuaxinLuGitee <1539327763@qq.com>
+Date: Thu, 17 Sep 2020 14:27:25 +0800
+Subject: [PATCH] allow systemd_machined_t delete userdbd runtime sock file
+
+---
+ policy/modules/system/systemd.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 7cb36c4..d0127f6 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -189,6 +189,8 @@ systemd_unit_file(systemd_userdbd_unit_file_t)
+ type systemd_userdbd_runtime_t;
+ files_pid_file(systemd_userdbd_runtime_t)
+ 
++delete_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
++
+ #######################################
+ #
+ # Systemd_logind local policy
+--
+1.8.3.1
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2a76bb1..defb46d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.2 -Release: 58 +Release: 59 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/
@@ -65,6 +65,7 @@ Patch12: add-avc-for-systemd.patch
 Patch13: allow-systemd-to-mount-unlabeled-filesystemd.patch
 Patch14: add_userman_access_run_dir.patch
 Patch15: allow-systemd-machined-create-userdbd-runtime-sock-file.patch
+Patch16: allow-systemd_machined_t-delete-userdbd-runtime-sock.patch
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
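Review bot: The new `delete_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)` is dropped into the userdbd type-declaration block, between `files_pid_file(systemd_userdbd_runtime_t)` and the logind local-policy header, while the matching create permission arrived through the `systemd_create_userdbd_runtime_sock_files` interface that Patch15 added and called from machined's own section; the two halves of one access now live in different places and this half bypasses the interface. Extend that interface instead — change its body to `manage_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)` (or add the `delete_sock_files_pattern` line beside the existing create line) — and drop this hunk, so machined's access to the userdbd runtime directory stays in one documented place. The rule also names `systemd_machined_t`, whose declaration is outside the hunk; it is presumably declared earlier in the same file, but that is worth confirming.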
@@ -730,7 +731,10 @@ exit 0 %endif %changelog -* Wed Sep 10 2020 openEuler Buildteam - 3.14.2-58 +* Thu Sep 17 2020 openEuler Buildteam - 3.14.2-59 +- add allow-systemd_machined_t-delete-userdbd-runtime-sock.patch + +* Thu Sep 10 2020 openEuler Buildteam - 3.14.2-58 - add allow-systemd-machined-create-userdbd-runtime-sock-file.patch * Fri Aug 28 2020 openEuler Buildteam - 3.14.2-57 -- Gitee From 5298b813e1f9121faac34d0ffba13c18bad7e845 Mon Sep 17 00:00:00 2001 From: HuaxinLuGitee <1539327763@qq.com> Date: Tue, 22 Sep 2020 21:14:15 +0800 Subject: [PATCH 4/4] add patch for systemd hostnamed and logind --- ...emd-hostnamed-and-logind-read-policy.patch | 34 +++++++++++++++++++ selinux-policy.spec | 6 +++- 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 allow-systemd-hostnamed-and-logind-read-policy.patch diff --git a/allow-systemd-hostnamed-and-logind-read-policy.patch b/allow-systemd-hostnamed-and-logind-read-policy.patch new file mode 100644 index 0000000..9524c79 --- /dev/null +++ b/allow-systemd-hostnamed-and-logind-read-policy.patch 
@@ -0,0 +1,34 @@
+From 8b2179cbe385e4b67ab159ac7eee159a664888e3 Mon Sep 17 00:00:00 2001
+From: HuaxinLuGitee <1539327763@qq.com>
+Date: Tue, 22 Sep 2020 20:44:36 +0800
+Subject: [PATCH] commit 2
+
+---
+ policy/modules/system/systemd.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 7cb36c4..a98d366 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -331,6 +331,8 @@ userdom_manage_user_tmp_chr_files(systemd_logind_t)
+ 
+ xserver_dbus_chat(systemd_logind_t)
+ 
++allow systemd_logind_t security_t:file mmap_read_file_perms;
++
+ optional_policy(`
+ apache_read_tmp_files(systemd_logind_t)
+ ')
+@@ -818,6 +820,8 @@ systemd_read_efivarfs(systemd_hostnamed_t)
+ userdom_read_all_users_state(systemd_hostnamed_t)
+ userdom_dbus_send_all_users(systemd_hostnamed_t)
+ 
++allow systemd_hostnamed_t security_t:file mmap_read_file_perms;
++
+ optional_policy(`
+ dbus_system_bus_client(systemd_hostnamed_t)
+ dbus_connect_system_bus(systemd_hostnamed_t)
+--
+1.8.3.1
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index defb46d..040b590 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.2 -Release: 59 +Release: 60 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/
@@ -66,6 +66,7 @@ Patch13: allow-systemd-to-mount-unlabeled-filesystemd.patch
 Patch14: add_userman_access_run_dir.patch
 Patch15: allow-systemd-machined-create-userdbd-runtime-sock-file.patch
 Patch16: allow-systemd_machined_t-delete-userdbd-runtime-sock.patch
+Patch17: allow-systemd-hostnamed-and-logind-read-policy.patch
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
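Review bot: `allow systemd_logind_t security_t:file mmap_read_file_perms;` and its hostnamed twin reach straight into the kernel layer's `security_t` from a system-layer .te instead of going through an interface in kernel/selinux.if the way the rest of the policy touches selinuxfs; presumably this is libselinux mapping the status page (`/sys/fs/selinux/status`) or reading the binary policy, but the embedded patch's Subject is just "commit 2", so the denial it answers is not recorded anywhere. Add an interface beside the existing `selinux_*` ones, e.g. `selinux_use_status_page($1)` whose body is `allow $1 security_t:file mmap_read_file_perms;` under a `gen_require` of `type security_t;`, and call it from both domains; that keeps the layering rule and gives the access a documented purpose. Also confirm this compiles in a modular build: a .te that names `security_t` without a require block only works if systemd is built into base, which cannot be seen from this hunk. Finally, give the embedded patch a real Subject (what is allowed and why) and mirror it in the changelog entry.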
@@ -731,6 +732,9 @@ exit 0 %endif %changelog +* Thu Sep 22 2020 openEuler Buildteam - 3.14.2-60 +- add allow-systemd-hostnamed-and-logind-read-policy.patch + * Thu Sep 17 2020 openEuler Buildteam - 3.14.2-59 - add allow-systemd_machined_t-delete-userdbd-runtime-sock.patch -- Gitee