diff --git a/allow-all-users-to-connect-to-systemd-userdbd.patch b/allow-all-users-to-connect-to-systemd-userdbd.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b0774f7ab4d2fe714f716810cb80c82f08722790
--- /dev/null
+++ b/allow-all-users-to-connect-to-systemd-userdbd.patch
@@ -0,0 +1,31 @@
+From 5e9918310dccf6d6dd1da52c19ce2a2927d0a96e Mon Sep 17 00:00:00 2001
+From: Richard Filo
+Date: Mon, 24 Aug 2020 10:55:10 +0200
+Subject: [PATCH] Allow all users to connect to systemd-userdbd with a unix
+ socket
+
+Add interface systemd_userdbd_stream_connect() to allow communication using userdb sockets.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1835630
+---
+ policy/modules/system/userdomain.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 89b4867..756ac4a 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -209,6 +209,10 @@ optional_policy(`
+ xserver_filetrans_home_content(userdomain)
+ ')
+
++optional_policy(`
++ systemd_userdbd_stream_connect(userdomain)
++')
++
+ # rules for types which can read home certs
+ allow userdom_home_reader_certs_type home_cert_t:dir list_dir_perms;
+ read_files_pattern(userdom_home_reader_certs_type, home_cert_t, home_cert_t)
+--
+1.8.3.1
+
diff --git a/allow-nsswitch_domain-to-connect-to-systemd-machined.patch b/allow-nsswitch_domain-to-connect-to-systemd-machined.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4979ad81b2d1ac37c33dcd424e16af3d5c12016a
--- /dev/null
+++ b/allow-nsswitch_domain-to-connect-to-systemd-machined.patch
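Review bot: The commit message says it adds the `systemd_userdbd_stream_connect()` interface, but the diffstat and hunk show only a call to it from userdomain.te; the interface must already exist in the base policy (the authlogin.te context in the next patch calls it for nsswitch_domain), so the message should read `Call systemd_userdbd_stream_connect() for userdomain so every user domain can reach the userdb sockets.` Granting this to the `userdomain` attribute reaches every user-role domain, which is broader than a single login or NSS client; if those domains already carry `nsswitch_domain` through the userdom templates, the new rule is presumably redundant, and `sesearch -A -s user_t -t systemd_userdbd_t -c unix_stream_socket` before and after the build would confirm which. If it is not redundant, a one-line comment above the block naming the bug (`# rhbz#1835630: userdb lookups from user sessions`) would record why the whole attribute needs it.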
@@ -0,0 +1,59 @@
+From 6fe205674f9cd1face5e2cf1aeb90d265ef89ba8 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Wed, 12 Aug 2020 12:09:21 +0200
+Subject: [PATCH] Allow nsswitch_domain to connect to systemd-machined using a
+ unix socket
+
+Create the systemd_machined_stream_connect() interface.
+
+Resolves: rhbz#1865748
+---
+ policy/modules/system/authlogin.te | 1 +
+ policy/modules/system/systemd.if | 19 +++++++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index 25d1691..6043c45 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -563,6 +563,7 @@ optional_policy(`
+
+ optional_policy(`
+ systemd_userdbd_stream_connect(nsswitch_domain)
++ systemd_machined_stream_connect(nsswitch_domain)
+ ')
+
+ optional_policy(`
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index a6d8bd0..dbc8fc9 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -2001,6 +2001,25 @@ interface(`systemd_machined_rw_devpts_chr_files',`
+
+ ########################################
+ ##
++## Allow the specified domain to connect to
++## systemd_machined with a unix socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_machined_stream_connect',`
++ gen_require(`
++ type systemd_machined_t;
++ ')
++
++ allow $1 systemd_machined_t:unix_stream_socket connectto;
++')
++
++########################################
++##
+ ## Send and receive messages from
+ ## systemd machined over dbus.
+ ##
+--
+1.8.3.1
+
diff --git a/allow-systemd-domain-read-security-file.patch b/allow-systemd-domain-read-security-file.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4f9859dfdbdea799aacf958edad02f81ab063916
--- /dev/null
+++ b/allow-systemd-domain-read-security-file.patch
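Review bot: The new `systemd_machined_stream_connect` interface grants only `unix_stream_socket connectto` on `systemd_machined_t`; a client also needs write access to the socket file itself, and nothing in this interface provides it, so any caller other than `nsswitch_domain` (which gets `systemd_userdbd_stream_connect` in the same optional block) will presumably still be denied on the sock_file. If machined publishes its socket under the userdb runtime directory, as the spec's Patch15/Patch16 names suggest, that dependency belongs in the interface summary, e.g. `## The socket file itself is reached through systemd_userdbd_stream_connect(); callers need that interface as well.`; if the socket has its own file type, use `stream_connect_pattern($1, <sock_file_type>, <sock_file_type>, systemd_machined_t)` instead of the bare allow. `nsswitch_domain` is an attribute carried by every domain that resolves names through NSS, so this connect right reaches a large part of the policy and deserves a sentence in the commit body saying why that scope is intended.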
@@ -0,0 +1,24 @@
+From ac696de1e2425cc774377cff570e916611b13a5c Mon Sep 17 00:00:00 2001
+From: HuaxinLuGitee <1539327763@qq.com>
+Date: Fri, 25 Sep 2020 16:34:18 +0800
+Subject: [PATCH] 2
+
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 7cb36c4..69b4d36 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1091,6 +1091,7 @@ optional_policy(`
+ allow systemd_domain self:process { setfscreate signal_perms };
+ allow systemd_domain self:unix_dgram_socket { create_socket_perms sendto };
+ dontaudit systemd_domain self:capability net_admin;
++allow systemd_domain security_t:file mmap_read_file_perms;
+
+ dev_read_urand(systemd_domain)
+
+--
+1.8.3.1
+
diff --git a/allow-systemd-hostnamed-and-logind-read-policy.patch b/allow-systemd-hostnamed-and-logind-read-policy.patch
deleted file mode 100644
index 9524c7995d6b6eead465d1e71b9567e80d01f888..0000000000000000000000000000000000000000
--- a/allow-systemd-hostnamed-and-logind-read-policy.patch
+++ /dev/null
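Review bot: `allow systemd_domain security_t:file mmap_read_file_perms;` hands selinuxfs read/map access to every domain carrying the `systemd_domain` attribute, whereas the patch it replaces (the deleted allow-systemd-hostnamed-and-logind-read-policy.patch) granted it only to `systemd_logind_t` and `systemd_hostnamed_t`, and this commit has no subject beyond `2` and no body explaining the widening. Record the AVC being fixed (which selinuxfs file, which source domains) in the commit message, and prefer the matching selinux.if interface over a raw `security_t` rule in systemd.te: if the denial is on the status page that libselinux maps, one of the `selinux_*` read interfaces covers it; if it is on the policy file, the kernel additionally checks `security { read_policy }`, which this rule does not grant, so the denial would move rather than disappear. Whichever applies, keeping the rule scoped to the domains that actually hit it, as the dropped patch did, is the smaller grant. The run of `systemd_domain` rules this line joins starts and ends outside the hunk.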
@@ -1,34 +0,0 @@
-From 8b2179cbe385e4b67ab159ac7eee159a664888e3 Mon Sep 17 00:00:00 2001
-From: HuaxinLuGitee <1539327763@qq.com>
-Date: Tue, 22 Sep 2020 20:44:36 +0800
-Subject: [PATCH] commit 2
-
----
- policy/modules/system/systemd.te | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
-index 7cb36c4..a98d366 100644
---- a/policy/modules/system/systemd.te
-+++ b/policy/modules/system/systemd.te
-@@ -331,6 +331,8 @@ userdom_manage_user_tmp_chr_files(systemd_logind_t)
-
- xserver_dbus_chat(systemd_logind_t)
-
-+allow systemd_logind_t security_t:file mmap_read_file_perms;
-+
- optional_policy(`
- apache_read_tmp_files(systemd_logind_t)
- ')
-@@ -818,6 +820,8 @@ systemd_read_efivarfs(systemd_hostnamed_t)
- userdom_read_all_users_state(systemd_hostnamed_t)
- userdom_dbus_send_all_users(systemd_hostnamed_t)
-
-+allow systemd_hostnamed_t security_t:file mmap_read_file_perms;
-+
- optional_policy(`
- dbus_system_bus_client(systemd_hostnamed_t)
- dbus_connect_system_bus(systemd_hostnamed_t)
---
-1.8.3.1
-
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 617050e45efb43c9a04f09d8725c7ca9395ec376..75f59241dda3ca535d8553b362bc9465b983fcb7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.14.2
-Release: 62
+Release: 63
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
@@ -66,8 +66,10 @@ Patch13: allow-systemd-to-mount-unlabeled-filesystemd.patch
 Patch14: add_userman_access_run_dir.patch
 Patch15: allow-systemd-machined-create-userdbd-runtime-sock-file.patch
 Patch16: allow-systemd_machined_t-delete-userdbd-runtime-sock.patch
-Patch17: allow-systemd-hostnamed-and-logind-read-policy.patch
-Patch18: add-firewalld-fc.patch
+Patch17: add-firewalld-fc.patch
+Patch18: allow-systemd-domain-read-security-file.patch
+Patch19: allow-nsswitch_domain-to-connect-to-systemd-machined.patch
+Patch20: allow-all-users-to-connect-to-systemd-userdbd.patch
 BuildArch: noarch
 BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
@@ -733,6 +735,9 @@ exit 0
 %endif
 %changelog
+* Fri Sep 25 2020 openEuler Buildteam - 3.14.2-63
+- add rules for systemd
+
 * Fri Sep 25 2020 openEuler Buildteam - 3.14.2-62
 - set default SELinux mode to permissive
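Review bot: Patch17 is renumbered and Patch18–Patch20 are new, but this hunk only declares them; if %prep applies patches with explicit `%patchN -p1` lines rather than `%autosetup`, it needs matching `%patch18 -p1`, `%patch19 -p1` and `%patch20 -p1` entries, and the existing `%patch17` now applies add-firewalld-fc.patch instead of the deleted file, none of which is visible in this chunk. Patch20 calls `systemd_userdbd_stream_connect()` without defining it, so the build depends on that interface already being in the base policy or an earlier patch. Patch18 replaces a grant to two domains with one for the whole `systemd_domain` attribute; the changelog line `- add rules for systemd` hides that, and an entry such as `- allow all systemd_domain types to read/map selinuxfs files (was logind/hostnamed only)` would let anyone auditing the policy later see the widening without reading the patch.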