From patchwork Thu Sep 12 09:18:36 2024
From: Yi Zhao
To: yocto-patches@lists.yoctoproject.org, joe@deserted.net,
joe.macdonald@siemens.com
Subject: [meta-selinux][PATCH] refpolicy: update to latest git rev
Date: Thu, 12 Sep 2024 17:18:36 +0800
Message-Id: <20240912091836.179714-1-yi.zhao@windriver.com>
X-Mailer: git-send-email 2.25.1
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/644
* Update policy for systemd-v256
c20cf2214 systemd: allow systemd-hostnamed to read vsock device
4f3437040 systemd: fix policy for systemd-ssh-generator
d852b7540 devices: add label vsock_device_t for /dev/vsock
a4a7b830f systemd: add policy for systemd-nsresourced
47081be47 systemd: allow system --user to create netlink_route_socket
78cacc708 systemd: allow systemd-networkd to manage sock files under
/run/systemd/netif
29d0bb8c3 systemd: set context to systemd_networkd_var_lib_t for
/var/lib/systemd/network
22fd3ddad Allow interactive user terminal output for the NetLabel
management tool.
c1284c601 bluetooth: Move line.
50a5555f2 Adding SE Policy rules to allow usage of unix stream sockets
by dbus and bluetooth contexts when Gatt notifications are
turned on by remote.
2b8fa2b4a kubernetes: allow kubelet to connect all TCP ports
9ab94df30 container: allow reading generic certs
7530dfa3c testing: add container_kvm_t to net admin exempt list
47eced9be Makefile: drop duplicate quotes
b0b0d52dd various: rules required for DV manipulation in kubevirt
21e4a44c0 container: add container_kvm_t and supporting kubevirt rules
a9bd177bb iptables: allow reading container engine tmp files
af0b40824 container: allow spc various rules for kubevirt
d585f08c2 container, kubernetes: add supporting rules for kubevirt and
multus
9f37f86b2 dbus: dontaudit session bus domains the netadmin capability
d9ca32f5a container: allow super privileged containers to manage BPF
dirs
1900fbe68 kubernetes: allow kubelet to create unlabeled dirs
b9c8ba607 haproxy: allow interactive usage
846804c58 podman: allow managing init runtime units
8787b3d8d iptables: allow reading usr files
* Drop obsolete patches:
0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
0039-policy-modules-system-authlogin-fix-login-errors-aft.patch
Signed-off-by: Yi Zhao
---
...ervices-rpcbind-allow-rpcbind_t-to-c.patch | 34 ------
...ystem-authlogin-fix-login-errors-aft.patch | 104 -----------------
...-to-read-tmpfs-under-run-credentials.patch | 106 ++++++++++++++++++
.../refpolicy/refpolicy_common.inc | 3 +-
recipes-security/refpolicy/refpolicy_git.inc | 2 +-
5 files changed, 108 insertions(+), 141 deletions(-)
delete mode 100644 recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
delete mode 100644 recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch
create mode 100644 recipes-security/refpolicy/refpolicy/0057-Allow-services-to-read-tmpfs-under-run-credentials.patch
diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
deleted file mode 100644
index 073068e..0000000
--- a/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 8cbc09769a08cf3f5dcb611d471e5da298bde67c Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Wed, 1 Jul 2020 08:44:07 +0800
-Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create
- directory with label rpcbind_runtime_t
-
-Fixes:
-avc: denied { create } for pid=136 comm="rpcbind" name="rpcbind"
-scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/services/rpcbind.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
-index 137c21ece..2a712192b 100644
---- a/policy/modules/services/rpcbind.te
-+++ b/policy/modules/services/rpcbind.te
-@@ -25,7 +25,7 @@ files_type(rpcbind_var_lib_t)
- # Local policy
- #
-
--allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
-+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config chown };
- # net_admin is for SO_SNDBUFFORCE
- dontaudit rpcbind_t self:capability net_admin;
- allow rpcbind_t self:fifo_file rw_fifo_file_perms;
---
-2.25.1
-
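Review bot: the commit message only calls this patch obsolete, but the deleted file carried Upstream-Status: Inappropriate [embedded specific], so it was never expected to be superseded by an upstream merge. State what makes the `chown` capability for rpcbind_t unnecessary at the new SRCREV (for instance, that rpcbind no longer creates its runtime directory under var_run_t, or that upstream now grants the capability) so a reader can confirm the `create` denial quoted in the patch does not return.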
diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch
deleted file mode 100644
index 060b01b..0000000
--- a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From b5dae809f2b46b82b75abcb562974212b370aa39 Mon Sep 17 00:00:00 2001
-From: Yi Zhao
-Date: Fri, 8 Dec 2023 14:16:26 +0800
-Subject: [PATCH] policy/modules/system/authlogin: fix login errors after
- enabling systemd DynamicUser
-
-Allow domains using PAM to read /etc/shadow to fix login errors after
-enabling systemd DynamicUser.
-
-Fixes:
-avc: denied { read } for pid=434 comm="login" name="shadow"
-dev="sda2" ino=26314
-scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
-
-avc: denied { open } for pid=434 comm="login" path="/etc/shadow"
-dev="sda2" ino=26314
-scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
-
-avc: denied { getattr } for pid=434 comm="login" path="/etc/shadow"
-dev="sda2" ino=26314
-scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
-
-avc: denied { read } for pid=457 comm="sshd" name="shadow" dev="sda2"
-ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
-
-avc: denied { open } for pid=457 comm="sshd" path="/etc/shadow"
-dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
-
-avc: denied { getattr } for pid=457 comm="sshd" path="/etc/shadow"
-dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao
----
- policy/modules/admin/su.if | 4 ++--
- policy/modules/system/authlogin.te | 2 +-
- policy/modules/system/selinuxutil.te | 2 ++
- 3 files changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index dce1a0ea9..c55cdfc09 100644
---- a/policy/modules/admin/su.if
-+++ b/policy/modules/admin/su.if
-@@ -76,7 +76,7 @@ template(`su_restricted_domain_template', `
- selinux_compute_access_vector($1_su_t)
-
- auth_domtrans_chk_passwd($1_su_t)
-- auth_dontaudit_read_shadow($1_su_t)
-+ auth_read_shadow($1_su_t)
- auth_use_nsswitch($1_su_t)
- auth_create_faillog_files($1_su_t)
- auth_rw_faillog($1_su_t)
-@@ -183,7 +183,7 @@ template(`su_role_template',`
- selinux_use_status_page($1_su_t)
-
- auth_domtrans_chk_passwd($1_su_t)
-- auth_dontaudit_read_shadow($1_su_t)
-+ auth_read_shadow($1_su_t)
- auth_use_nsswitch($1_su_t)
- auth_create_faillog_files($1_su_t)
- auth_rw_faillog($1_su_t)
-diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 5d675bc15..2ca79e95d 100644
---- a/policy/modules/system/authlogin.te
-+++ b/policy/modules/system/authlogin.te
-@@ -10,7 +10,7 @@ policy_module(authlogin)
- ## Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM.
- ##
- ##
--gen_tunable(authlogin_pam, true)
-+gen_tunable(authlogin_pam, false)
-
- ##
- ##
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ebc1abc10..c6b2ec47a 100644
---- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -251,6 +251,7 @@ allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_re
- read_files_pattern(newrole_t, default_context_t, default_context_t)
- read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-
-+kernel_getattr_proc(newrole_t)
- kernel_read_system_state(newrole_t)
- kernel_read_kernel_sysctls(newrole_t)
- kernel_dontaudit_getattr_proc(newrole_t)
-@@ -295,6 +296,7 @@ auth_run_chk_passwd(newrole_t, newrole_roles)
- auth_run_upd_passwd(newrole_t, newrole_roles)
- auth_rw_faillog(newrole_t)
- auth_search_faillog(newrole_t)
-+auth_read_shadow(newrole_t)
-
- # Write to utmp.
- init_rw_utmp(newrole_t)
---
-2.25.1
-
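Review bot: dropping this patch removes the `auth_read_shadow()` grants for the su templates and newrole_t and restores `gen_tunable(authlogin_pam, true)`, which is the tighter default from a least-privilege standpoint, but the commit message should say why the login failures with systemd DynamicUser no longer occur at the new SRCREV, since that was the reason the patch existed. Note also that the unrelated `kernel_getattr_proc(newrole_t)` line in the selinuxutil.te hunk goes away with it; if that is still needed, carry it in a separate patch.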
diff --git a/recipes-security/refpolicy/refpolicy/0057-Allow-services-to-read-tmpfs-under-run-credentials.patch b/recipes-security/refpolicy/refpolicy/0057-Allow-services-to-read-tmpfs-under-run-credentials.patch
new file mode 100644
index 0000000..629de01
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0057-Allow-services-to-read-tmpfs-under-run-credentials.patch
@@ -0,0 +1,106 @@
+From be681d155c6c62a2ec4939dedc921921fe73e277 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Fri, 30 Aug 2024 12:39:48 +0800
+Subject: [PATCH] Allow services to read tmpfs under /run/credentials/
+
+$ mount | grep credentials
+tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-udev-load-credentials.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-tmpfiles-setup-dev-early.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-sysctl.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-tmpfiles-setup-dev.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-vconsole-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-tmpfiles-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-resolved.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-networkd.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/getty@tty1.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+
+Fixes:
+avc: denied { search } for pid=106 comm="systemd-journal" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t:s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
+
+avc: denied { read } for pid=114 comm="udevadm" name="/" dev="tmpfs"
+ino=1 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
+
+avc: denied { open } for pid=114 comm="udevadm"
+path="/run/credentials/systemd-udev-load-credentials.service"
+dev="tmpfs" ino=1 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
+
+avc: denied { read } for pid=353 comm="agetty" name="/" dev="tmpfs"
+ino=1 scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
+
+avc: denied { open } for pid=353 comm="agetty"
+path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1
+scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
+
+avc: denied { getattr } for pid=353 comm="agetty"
+path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1
+scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
+
+Upstream-Status: Pending
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/getty.te | 1 +
+ policy/modules/system/logging.te | 1 +
+ policy/modules/system/systemd.te | 1 +
+ policy/modules/system/udev.te | 1 +
+ 4 files changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index a900226bf..75b94785b 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -75,6 +75,7 @@ fs_getattr_cgroup(getty_t)
+ fs_search_cgroup_dirs(getty_t)
+ # for error condition handling
+ fs_getattr_xattr_fs(getty_t)
++fs_list_tmpfs(getty_t)
+
+ mcs_process_set_categories(getty_t)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index fc73825fa..d5878876b 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -495,6 +495,7 @@ files_read_kernel_symbol_table(syslogd_t)
+ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+
+ fs_getattr_all_fs(syslogd_t)
++fs_list_tmpfs(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)
+
+ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 22a319c36..0440b4795 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1303,6 +1303,7 @@ files_watch_root_dirs(systemd_networkd_t)
+ files_list_runtime(systemd_networkd_t)
+
+ fs_getattr_all_fs(systemd_networkd_t)
++fs_list_tmpfs(systemd_networkd_t)
+ fs_search_cgroup_dirs(systemd_networkd_t)
+ fs_read_nsfs_files(systemd_networkd_t)
+ fs_watch_memory_pressure(systemd_networkd_t)
+diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
+index b2e43aa7d..f543a48d2 100644
+--- a/policy/modules/system/udev.te
++++ b/policy/modules/system/udev.te
+@@ -142,6 +142,7 @@ files_dontaudit_getattr_tmp_dirs(udev_t)
+
+ fs_getattr_all_fs(udev_t)
+ fs_list_inotifyfs(udev_t)
++fs_list_tmpfs(udev_t)
+ fs_read_cgroup_files(udev_t)
+ fs_rw_anon_inodefs_files(udev_t)
+ fs_search_tracefs(udev_t)
+--
+2.25.1
+
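Review bot: `fs_list_tmpfs()` grants list_dir_perms on every tmpfs_t directory, not only on the per-service mounts under /run/credentials/, so the grant is broader than the quoted denials require; a dedicated type for the credential directories would keep it scoped, and since the patch is Upstream-Status: Pending that is the form worth sending upstream. Also, all quoted denials are tclass=dir (search, read, open, getattr); if these services need to read the credential files themselves, file-class denials should be expected next and this patch does not cover them.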
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 7b45882..8c9d046 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -48,13 +48,11 @@ SRC_URI += " \
file://0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
file://0031-policy-modules-system-logging-fix-auditd-startup-fai.patch \
file://0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
- file://0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
file://0034-policy-modules-system-systemd-enable-support-for-sys.patch \
file://0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch \
file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \
file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \
file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \
- file://0039-policy-modules-system-authlogin-fix-login-errors-aft.patch \
file://0040-policy-modules-system-logging-grant-getpcap-capabili.patch \
file://0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
file://0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
@@ -72,6 +70,7 @@ SRC_URI += " \
file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \
+ file://0057-Allow-services-to-read-tmpfs-under-run-credentials.patch \
"
S = "${WORKDIR}/refpolicy"
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index 80d92ac..4043005 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -2,7 +2,7 @@ PV = "2.20240226+git"
SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy"
-SRCREV_refpolicy ?= "71f4bd1992e05bcd79dc5234f8a30deeb141aa3d"
+SRCREV_refpolicy ?= "351a5a7f4dc959769aaa8fe47c6e77f94fe5b657"
UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P\d+_\d+)"
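Review bot: the context line `UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P\d+_\d+)"` is not a valid named-group regex as shown (`(?P` needs a `<name>`); this looks like the `<pver>` group name being dropped by extraction rather than a defect in the file, but it is worth checking that the committed line still reads `(?P<pver>\d+_\d+)`. The SRCREV bump itself matches the shortlog in the commit message, and leaving PV at `2.20240226+git` is fine for a revision bump.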