From patchwork Fri Dec 8 08:43:32 2023
X-Patchwork-Submitter: Yi Zhao
X-Patchwork-Id: 35927
From: Yi Zhao
To: yocto@lists.yoctoproject.org, joe.macdonald@siemens.com, joe@deserted.net,
joe_macdonald@mentor.com
Subject: [meta-selinux][PATCH 1/2] refpolicy: update to latest git rev
Date: Fri, 8 Dec 2023 16:43:32 +0800
Message-Id: <20231208084333.3788390-1-yi.zhao@windriver.com>
X-Mailer: git-send-email 2.25.1
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/61839

* 82b4448e1 Additional file context fix for:
* 65eed16b5 policy/modules/services/smartmon.te: make fstools optional
* 2e27be3c5 Let the certmonger module manage SSL Private Keys and CSR
  used for example by the HTTP and/or Mail Transport daemons.
* 912d3a687 Let the webadm role manage Private Keys and CSR for SSL
  Certificates used by the HTTP daemon.
* 5c9038ec9 Create new TLS Private Keys file contexts for the Apache
  HTTP server according to the default locations:
* b38583a79 The LDAP server only needs to read generic certificate
  files, not manage them.
* 100a853c0 rpm: fixes for dnf
* 8839a7137 Modify the gpg module so that gpg and the gpg_agent can
  manage gpg_runtime_t socket files.
* 780adb80a Simple patch for Brother printer drivers as described in:
  https://etbe.coker.com.au/2023/10/22/brother-mfc-j4440dw-printer/
Signed-off-by: Yi Zhao
---
recipes-security/refpolicy/refpolicy_git.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index 1913ec8..d739522 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -2,7 +2,7 @@ PV = "2.20231002+git${SRCPV}"
SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy"
-SRCREV_refpolicy ?= "f3865abfc25a395c877a27074bd03c5fc22992dd"
+SRCREV_refpolicy ?= "d7d41288b162b8786de844bde6daac25e4485565"
UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P\d+_\d+)"
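Review bot: the unchanged context line `UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P\d+_\d+)"` shows a Python named group with no name, which is not a valid regular expression; if the `<pver>` name was merely dropped when the mail was rendered this is a non-issue, but if the file really reads this way the upstream release check can never match and should be fixed alongside this SRCREV bump. The SRCREV change itself is a straight pin from f3865abfc25a395c877a27074bd03c5fc22992dd to d7d41288b162b8786de844bde6daac25e4485565 on branch main, and PV keeps its 2.20231002 prefix; that is correct only if none of the upstream commits listed in the message correspond to a new RELEASE tag, which is worth confirming before merging.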
From patchwork Fri Dec 8 08:43:33 2023
X-Patchwork-Submitter: Yi Zhao
X-Patchwork-Id: 35928
From: Yi Zhao
To: yocto@lists.yoctoproject.org, joe.macdonald@siemens.com, joe@deserted.net,
joe_macdonald@mentor.com
Subject: [meta-selinux][PATCH 2/2] refpolicy: fix login errors after enabling
systemd DynamicUser
Date: Fri, 8 Dec 2023 16:43:33 +0800
Message-Id: <20231208084333.3788390-2-yi.zhao@windriver.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20231208084333.3788390-1-yi.zhao@windriver.com>
References: <20231208084333.3788390-1-yi.zhao@windriver.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/61840

After oe-core commit ba3a78c0[1], domains using PAM need to read
/etc/shadow.
[1] https://git.openembedded.org/openembedded-core/commit/?id=ba3a78c08cb0ce08afde049610d3172b9e3b0695
Signed-off-by: Yi Zhao
---
...ystem-authlogin-fix-login-errors-aft.patch | 104 ++++++++++++++++++
.../refpolicy/refpolicy_common.inc | 1 +
2 files changed, 105 insertions(+)
create mode 100644 recipes-security/refpolicy/refpolicy/0055-policy-modules-system-authlogin-fix-login-errors-aft.patch
diff --git a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-authlogin-fix-login-errors-aft.patch b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-authlogin-fix-login-errors-aft.patch
new file mode 100644
index 0000000..8a5dde6
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-authlogin-fix-login-errors-aft.patch
@@ -0,0 +1,104 @@
+From 2824a6c927bf6df4be997a138a27d159d533d08b Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Fri, 8 Dec 2023 14:16:26 +0800
+Subject: [PATCH] policy/modules/system/authlogin: fix login errors after
+ enabling systemd DynamicUser
+
+Allow domains using PAM to read /etc/shadow to fix login errors after
+enabling systemd DynamicUser.
+
+Fixes:
+avc: denied { read } for pid=434 comm="login" name="shadow"
+dev="sda2" ino=26314
+scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+
+avc: denied { open } for pid=434 comm="login" path="/etc/shadow"
+dev="sda2" ino=26314
+scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+
+avc: denied { getattr } for pid=434 comm="login" path="/etc/shadow"
+dev="sda2" ino=26314
+scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+
+avc: denied { read } for pid=457 comm="sshd" name="shadow" dev="sda2"
+ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+
+avc: denied { open } for pid=457 comm="sshd" path="/etc/shadow"
+dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+
+avc: denied { getattr } for pid=457 comm="sshd" path="/etc/shadow"
+dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/admin/su.if | 4 ++--
+ policy/modules/system/authlogin.te | 2 +-
+ policy/modules/system/selinuxutil.te | 2 ++
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
+index cd34cd9dd..b867f58b9 100644
+--- a/policy/modules/admin/su.if
++++ b/policy/modules/admin/su.if
+@@ -75,7 +75,7 @@ template(`su_restricted_domain_template', `
+ selinux_compute_access_vector($1_su_t)
+
+ auth_domtrans_chk_passwd($1_su_t)
+- auth_dontaudit_read_shadow($1_su_t)
++ auth_read_shadow($1_su_t)
+ auth_use_nsswitch($1_su_t)
+ auth_rw_faillog($1_su_t)
+
+@@ -176,7 +176,7 @@ template(`su_role_template',`
+ selinux_use_status_page($1_su_t)
+
+ auth_domtrans_chk_passwd($1_su_t)
+- auth_dontaudit_read_shadow($1_su_t)
++ auth_read_shadow($1_su_t)
+ auth_use_nsswitch($1_su_t)
+ auth_rw_faillog($1_su_t)
+
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index 3a5d1ac3e..f9d50a8d4 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -10,7 +10,7 @@ policy_module(authlogin)
+ ## Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM.
+ ##
+ ##
+-gen_tunable(authlogin_pam, true)
++gen_tunable(authlogin_pam, false)
+
+ ##
+ ##
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index f9b735081..6ec5e2cd4 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -246,6 +246,7 @@ allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_re
+ read_files_pattern(newrole_t, default_context_t, default_context_t)
+ read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
+
++kernel_getattr_proc(newrole_t)
+ kernel_read_system_state(newrole_t)
+ kernel_read_kernel_sysctls(newrole_t)
+
+@@ -288,6 +289,7 @@ auth_use_nsswitch(newrole_t)
+ auth_run_chk_passwd(newrole_t, newrole_roles)
+ auth_run_upd_passwd(newrole_t, newrole_roles)
+ auth_rw_faillog(newrole_t)
++auth_read_shadow(newrole_t)
+
+ # Write to utmp.
+ init_rw_utmp(newrole_t)
+--
+2.25.1
+
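Review bot: flipping the default of `gen_tunable(authlogin_pam, ...)` from true to false in authlogin.te widens the change well beyond the two domains in the denials: the tunable's own description on the preceding context line says that when it is disabled, read access to /etc/shadow is granted to every domain that normally uses PAM, not only local_login_t and sshd_t. Since a tunable is exposed as a policy boolean, the upstream default could be kept and authlogin_pam set to false from the image configuration or at runtime instead, or the two domains that the AVC records show actually need it could be granted auth_read_shadow directly; either keeps shadow_t readable by fewer domains than this patch does. Separately, the su.if change from `auth_dontaudit_read_shadow($1_su_t)` to `auth_read_shadow($1_su_t)` and the selinuxutil.te additions of `kernel_getattr_proc(newrole_t)` and `auth_read_shadow(newrole_t)` are not explained by the commit message, whose denials cover only comm="login" and comm="sshd"; please add the corresponding AVC records or state in the message why su and newrole need these permissions.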
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index e9b0b1a..c6b964f 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -70,6 +70,7 @@ SRC_URI += " \
file://0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
file://0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
file://0054-policy-modules-system-logging-make-syslogd_runtime_t.patch \
+ file://0055-policy-modules-system-authlogin-fix-login-errors-aft.patch \
"
S = "${WORKDIR}/refpolicy"
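Review bot: the hunk header `@@ -70,6 +70,7 @@` claims six unchanged old lines, but only five context lines are visible here; a blank line between the closing `"` and `S = "${WORKDIR}/refpolicy"` was most likely lost when the mail was rendered, so the patch as sent should still apply, but it is worth confirming that the original is intact before applying. The new 0055 file is appended after 0054 with the trailing backslash convention preserved, so the SRC_URI list itself stays well-formed.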