
[meta-selinux,walnascar] refpolicy: ssh - allow sshd_t kernel_t:system module_request

Message ID 4650d415-3fb1-4610-9042-b0ee65990330@gmail.com

Commit Message

Clayton Casciato Oct. 20, 2025, 5:11 p.m. UTC
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
---
 ...ervices-ssh-allow-sshd_t-kernel_t-sy.patch | 53 +++++++++++++++++++
 .../refpolicy/refpolicy_common.inc            |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy/0062-policy-modules-services-ssh-allow-sshd_t-kernel_t-sy.patch

Patch

diff --git a/recipes-security/refpolicy/refpolicy/0062-policy-modules-services-ssh-allow-sshd_t-kernel_t-sy.patch b/recipes-security/refpolicy/refpolicy/0062-policy-modules-services-ssh-allow-sshd_t-kernel_t-sy.patch
new file mode 100644
index 0000000..5926e4f
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0062-policy-modules-services-ssh-allow-sshd_t-kernel_t-sy.patch
@@ -0,0 +1,53 @@ 
+From c4a3f53eb17ed483636456c0a7d6ac8b8e30a587 Mon Sep 17 00:00:00 2001
+From: Clayton Casciato <ccasciato@21sw.us>
+Date: Wed, 11 Jun 2025 07:51:24 -0600
+Subject: [PATCH] ssh: allow sshd_t kernel_t:system module_request
+
+type=PROCTITLE proctitle=sshd -G -f /etc/ssh/sshd_config
+
+type=SYSCALL arch=armeb syscall=socket per=PER_LINUX success=no
+exit=EAFNOSUPPORT(Address family not supported by protocol) a0=inet6
+a1=SOCK_DGRAM a2=ip a3=0x0 items=0 ppid=1333 pid=1334 auid=unset
+uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
+fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd
+subj=system_u:system_r:sshd_t:s0 key=(null)
+
+type=AVC avc:  denied  { module_request } for  pid=1334 comm=sshd
+kmod="net-pf-10" scontext=system_u:system_r:sshd_t:s0
+tcontext=system_u:system_r:kernel_t:s0 tclass=system
+
+--
+
+Issue background: https://access.redhat.com/solutions/6768131
+
+--
+
+Fedora:
+
+https://github.com/fedora-selinux/selinux-policy/blob/v41.43/policy/modules/services/ssh.if#L244
+
+$ sesearch -A --source sshd_t --target kernel_t --class system --perm module_request
+allow domain kernel_t:system module_request; [ domain_kernel_load_modules ]:True
+allow sshd_t kernel_t:system module_request;
+
+Signed-off-by: Clayton Casciato <ccasciato@21sw.us>
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/e3d3cd244f048304af882f00c56f48c3820bfe8d]
+
+Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
+---
+ policy/modules/services/ssh.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
+index 2d10ecb73..86fa0cf99 100644
+--- a/policy/modules/services/ssh.te
++++ b/policy/modules/services/ssh.te
+@@ -249,6 +249,7 @@ corecmd_exec_bin(sshd_t)
+ 
+ kernel_link_key(sshd_t)
+ kernel_search_key(sshd_t)
++kernel_request_load_module(sshd_t)
+ 
+ term_use_all_ptys(sshd_t)
+ term_setattr_all_ptys(sshd_t)
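Review bot: The added patch's description (the audit excerpt at the top of the new file) explains what was denied but not why an allow rule is the right fix rather than a dontaudit, which is the decision the policy change on the `kernel_request_load_module(sshd_t)` line actually makes. The AVC shows the request came from a `socket(AF_INET6, SOCK_DGRAM)` call that failed with EAFNOSUPPORT and a `kmod="net-pf-10"` autoload attempt, so the denial only matters if IPv6 must be available to sshd on the target; where it is not, `kernel_dontaudit_request_load_module(sshd_t)` silences the noise without widening sshd_t, and the permission granted here is the generic `kernel_t:system module_request`, which is not limited to the net-pf-10 alias. I would add one sentence to the patch description along the lines of "sshd on this target needs IPv6 listeners, so allow the autoload request instead of dontaudit'ing it" (or the converse, if the intent is only to mirror upstream), and note that the refpolicy commit cited in Upstream-Status is where the allow was chosen upstream. The same justification would help the reader of the Yocto-side commit message, which currently carries only the Signed-off-by.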
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 7bcb03b..5cd8cd0 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -77,6 +77,7 @@  SRC_URI += " \
         file://0059-policy-modules-system-systemd-allow-systemd_generato.patch \
         file://0060-policy-modules-system-unconfined-allow-firewalld_t-u.patch \
         file://0061-policy-modules-services-chronyd-allow-chronyd_t-kern.patch \
+        file://0062-policy-modules-services-ssh-allow-sshd_t-kernel_t-sy.patch \
         "
 
 S = "${WORKDIR}/refpolicy"