
[meta-selinux] refpolicy: update to latest git rev

Message ID 20240912091836.179714-1-yi.zhao@windriver.com

Commit Message

Yi Zhao Sept. 12, 2024, 9:18 a.m. UTC
* Update policy for systemd-v256

  c20cf2214 systemd: allow systemd-hostnamed to read vsock device
  4f3437040 systemd: fix policy for systemd-ssh-generator
  d852b7540 devices: add label vsock_device_t for /dev/vsock
  a4a7b830f systemd: add policy for systemd-nsresourced
  47081be47 systemd: allow system --user to create netlink_route_socket
  78cacc708 systemd: allow systemd-networkd to manage sock files under
            /run/systemd/netif
  29d0bb8c3 systemd: set context to systemd_networkd_var_lib_t for
            /var/lib/systemd/network
  22fd3ddad Allow interactive user terminal output for the NetLabel
            management tool.
  c1284c601 bluetooth: Move line.
  50a5555f2 Adding SE Policy rules to allow usage of unix stream sockets
            by dbus and bluetooth contexts when Gatt notifications are
            turned on by remote.
  2b8fa2b4a kubernetes: allow kubelet to connect all TCP ports
  9ab94df30 container: allow reading generic certs
  7530dfa3c testing: add container_kvm_t to net admin exempt list
  47eced9be Makefile: drop duplicate quotes
  b0b0d52dd various: rules required for DV manipulation in kubevirt
  21e4a44c0 container: add container_kvm_t and supporting kubevirt rules
  a9bd177bb iptables: allow reading container engine tmp files
  af0b40824 container: allow spc various rules for kubevirt
  d585f08c2 container, kubernetes: add supporting rules for kubevirt and
            multus
  9f37f86b2 dbus: dontaudit session bus domains the netadmin capability
  d9ca32f5a container: allow super privileged containers to manage BPF
            dirs
  1900fbe68 kubernetes: allow kubelet to create unlabeled dirs
  b9c8ba607 haproxy: allow interactive usage
  846804c58 podman: allow managing init runtime units
  8787b3d8d iptables: allow reading usr files

* Drop obsolete patches:
  0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
  0039-policy-modules-system-authlogin-fix-login-errors-aft.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 ...ervices-rpcbind-allow-rpcbind_t-to-c.patch |  34 ------
 ...ystem-authlogin-fix-login-errors-aft.patch | 104 -----------------
 ...-to-read-tmpfs-under-run-credentials.patch | 106 ++++++++++++++++++
 .../refpolicy/refpolicy_common.inc            |   3 +-
 recipes-security/refpolicy/refpolicy_git.inc  |   2 +-
 5 files changed, 108 insertions(+), 141 deletions(-)
 delete mode 100644 recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
 delete mode 100644 recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch
 create mode 100644 recipes-security/refpolicy/refpolicy/0057-Allow-services-to-read-tmpfs-under-run-credentials.patch

diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
deleted file mode 100644
index 073068e..0000000
--- a/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
+++ /dev/null
@@ -1,34 +0,0 @@ 
-From 8cbc09769a08cf3f5dcb611d471e5da298bde67c Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Wed, 1 Jul 2020 08:44:07 +0800
-Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create
- directory with label rpcbind_runtime_t
-
-Fixes:
-avc:  denied  { create } for  pid=136 comm="rpcbind" name="rpcbind"
-scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- policy/modules/services/rpcbind.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
-index 137c21ece..2a712192b 100644
---- a/policy/modules/services/rpcbind.te
-+++ b/policy/modules/services/rpcbind.te
-@@ -25,7 +25,7 @@ files_type(rpcbind_var_lib_t)
- # Local policy
- #
- 
--allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
-+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config chown };
- # net_admin is for SO_SNDBUFFORCE
- dontaudit rpcbind_t self:capability net_admin;
- allow rpcbind_t self:fifo_file rw_fifo_file_perms;
--- 
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch
deleted file mode 100644
index 060b01b..0000000
--- a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch
+++ /dev/null
@@ -1,104 +0,0 @@ 
-From b5dae809f2b46b82b75abcb562974212b370aa39 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Fri, 8 Dec 2023 14:16:26 +0800
-Subject: [PATCH] policy/modules/system/authlogin: fix login errors after
- enabling systemd DynamicUser
-
-Allow domains using PAM to read /etc/shadow to fix login errors after
-enabling systemd DynamicUser.
-
-Fixes:
-avc:  denied  { read } for  pid=434 comm="login" name="shadow"
-dev="sda2" ino=26314
-scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
-
-avc:  denied  { open } for  pid=434 comm="login" path="/etc/shadow"
-dev="sda2" ino=26314
-scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
-
-avc:  denied  { getattr } for  pid=434 comm="login" path="/etc/shadow"
-dev="sda2" ino=26314
-scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
-
-avc:  denied  { read } for  pid=457 comm="sshd" name="shadow" dev="sda2"
-ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
-
-avc:  denied  { open } for  pid=457 comm="sshd" path="/etc/shadow"
-dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
-
-avc:  denied  { getattr } for  pid=457 comm="sshd" path="/etc/shadow"
-dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- policy/modules/admin/su.if           | 4 ++--
- policy/modules/system/authlogin.te   | 2 +-
- policy/modules/system/selinuxutil.te | 2 ++
- 3 files changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index dce1a0ea9..c55cdfc09 100644
---- a/policy/modules/admin/su.if
-+++ b/policy/modules/admin/su.if
-@@ -76,7 +76,7 @@ template(`su_restricted_domain_template', `
- 	selinux_compute_access_vector($1_su_t)
- 
- 	auth_domtrans_chk_passwd($1_su_t)
--	auth_dontaudit_read_shadow($1_su_t)
-+	auth_read_shadow($1_su_t)
- 	auth_use_nsswitch($1_su_t)
- 	auth_create_faillog_files($1_su_t)
- 	auth_rw_faillog($1_su_t)
-@@ -183,7 +183,7 @@ template(`su_role_template',`
- 	selinux_use_status_page($1_su_t)
- 
- 	auth_domtrans_chk_passwd($1_su_t)
--	auth_dontaudit_read_shadow($1_su_t)
-+	auth_read_shadow($1_su_t)
- 	auth_use_nsswitch($1_su_t)
- 	auth_create_faillog_files($1_su_t)
- 	auth_rw_faillog($1_su_t)
-diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 5d675bc15..2ca79e95d 100644
---- a/policy/modules/system/authlogin.te
-+++ b/policy/modules/system/authlogin.te
-@@ -10,7 +10,7 @@ policy_module(authlogin)
- ## Allow PAM usage.  If disabled, read access /etc/shadow is allowed for domains that normally use PAM.
- ## </p>
- ## </desc>
--gen_tunable(authlogin_pam, true)
-+gen_tunable(authlogin_pam, false)
- 
- ## <desc>
- ## <p>
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ebc1abc10..c6b2ec47a 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -251,6 +251,7 @@ allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_re
- read_files_pattern(newrole_t, default_context_t, default_context_t)
- read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
- 
-+kernel_getattr_proc(newrole_t)
- kernel_read_system_state(newrole_t)
- kernel_read_kernel_sysctls(newrole_t)
- kernel_dontaudit_getattr_proc(newrole_t)
-@@ -295,6 +296,7 @@ auth_run_chk_passwd(newrole_t, newrole_roles)
- auth_run_upd_passwd(newrole_t, newrole_roles)
- auth_rw_faillog(newrole_t)
- auth_search_faillog(newrole_t)
-+auth_read_shadow(newrole_t)
- 
- # Write to utmp.
- init_rw_utmp(newrole_t)
--- 
-2.25.1
-
diff --git a/recipes-security/refpolicy/refpolicy/0057-Allow-services-to-read-tmpfs-under-run-credentials.patch b/recipes-security/refpolicy/refpolicy/0057-Allow-services-to-read-tmpfs-under-run-credentials.patch
new file mode 100644
index 0000000..629de01
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0057-Allow-services-to-read-tmpfs-under-run-credentials.patch
@@ -0,0 +1,106 @@ 
+From be681d155c6c62a2ec4939dedc921921fe73e277 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 30 Aug 2024 12:39:48 +0800
+Subject: [PATCH] Allow services to read tmpfs under /run/credentials/
+
+$ mount | grep credentials
+tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-udev-load-credentials.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-tmpfiles-setup-dev-early.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-sysctl.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-tmpfiles-setup-dev.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-vconsole-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-tmpfiles-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-resolved.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-networkd.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/getty@tty1.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+
+Fixes:
+avc:  denied  { search } for  pid=106 comm="systemd-journal" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t:s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
+
+avc:  denied  { read } for  pid=114 comm="udevadm" name="/" dev="tmpfs"
+ino=1 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
+
+avc:  denied  { open } for  pid=114 comm="udevadm"
+path="/run/credentials/systemd-udev-load-credentials.service"
+dev="tmpfs" ino=1 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
+
+avc:  denied  { read } for  pid=353 comm="agetty" name="/" dev="tmpfs"
+ino=1 scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
+
+avc:  denied  { open } for  pid=353 comm="agetty"
+path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1
+scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
+
+avc:  denied  { getattr } for  pid=353 comm="agetty"
+path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1
+scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/getty.te   | 1 +
+ policy/modules/system/logging.te | 1 +
+ policy/modules/system/systemd.te | 1 +
+ policy/modules/system/udev.te    | 1 +
+ 4 files changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index a900226bf..75b94785b 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -75,6 +75,7 @@ fs_getattr_cgroup(getty_t)
+ fs_search_cgroup_dirs(getty_t)
+ # for error condition handling
+ fs_getattr_xattr_fs(getty_t)
++fs_list_tmpfs(getty_t)
+ 
+ mcs_process_set_categories(getty_t)
+ 
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index fc73825fa..d5878876b 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -495,6 +495,7 @@ files_read_kernel_symbol_table(syslogd_t)
+ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+ 
+ fs_getattr_all_fs(syslogd_t)
++fs_list_tmpfs(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)
+ 
+ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 22a319c36..0440b4795 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1303,6 +1303,7 @@ files_watch_root_dirs(systemd_networkd_t)
+ files_list_runtime(systemd_networkd_t)
+ 
+ fs_getattr_all_fs(systemd_networkd_t)
++fs_list_tmpfs(systemd_networkd_t)
+ fs_search_cgroup_dirs(systemd_networkd_t)
+ fs_read_nsfs_files(systemd_networkd_t)
+ fs_watch_memory_pressure(systemd_networkd_t)
+diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
+index b2e43aa7d..f543a48d2 100644
+--- a/policy/modules/system/udev.te
++++ b/policy/modules/system/udev.te
+@@ -142,6 +142,7 @@ files_dontaudit_getattr_tmp_dirs(udev_t)
+ 
+ fs_getattr_all_fs(udev_t)
+ fs_list_inotifyfs(udev_t)
++fs_list_tmpfs(udev_t)
+ fs_read_cgroup_files(udev_t)
+ fs_rw_anon_inodefs_files(udev_t)
+ fs_search_tracefs(udev_t)
+-- 
+2.25.1
+
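Review bot: `fs_list_tmpfs()` on the four added lines (getty.te, logging.te, systemd.te, udev.te) grants directory listing on every tmpfs_t-labelled directory, which is wider than the per-unit /run/credentials/<unit> mounts the AVC records in the description come from; nothing in the patch labels those mounts distinctly, so the generic tmpfs_t label is what forces the broad rule. If a narrower grant is wanted, a dedicated type for the credential mounts with a file context under /run/credentials would let each domain list only its own credential directory, at the cost of a new type and interface in the policy. The listed denials are all dir permissions (search, read, open, getattr); actually reading the credential files presumably needs a further file-read rule and may surface as new denials once the services consume their credentials — worth confirming on a non-permissive boot. Either way each added call deserves a why-comment, e.g. `# list /run/credentials/<unit>.service credential mounts (labelled tmpfs_t)` above `fs_list_tmpfs(...)`, since the surrounding fs_* rules give no hint that tmpfs listing is tied to systemd credentials.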
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 7b45882..8c9d046 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -48,13 +48,11 @@  SRC_URI += " \
         file://0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
         file://0031-policy-modules-system-logging-fix-auditd-startup-fai.patch \
         file://0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
-        file://0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
         file://0034-policy-modules-system-systemd-enable-support-for-sys.patch \
         file://0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch \
         file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \
         file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \
         file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \
-        file://0039-policy-modules-system-authlogin-fix-login-errors-aft.patch \
         file://0040-policy-modules-system-logging-grant-getpcap-capabili.patch \
         file://0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
         file://0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
@@ -72,6 +70,7 @@  SRC_URI += " \
         file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
         file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
         file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \
+        file://0057-Allow-services-to-read-tmpfs-under-run-credentials.patch \
         "
 
 S = "${WORKDIR}/refpolicy"
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index 80d92ac..4043005 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -2,7 +2,7 @@  PV = "2.20240226+git"
 
 SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy"
 
-SRCREV_refpolicy ?= "71f4bd1992e05bcd79dc5234f8a30deeb141aa3d"
+SRCREV_refpolicy ?= "351a5a7f4dc959769aaa8fe47c6e77f94fe5b657"
 
 UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"