From patchwork Wed May 27 10:19:03 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gargi Misra X-Patchwork-Id: 88819 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A0B07CD4F54 for ; Wed, 27 May 2026 10:19:34 +0000 (UTC) Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com [205.220.168.131]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.17242.1779877165978728438 for ; Wed, 27 May 2026 03:19:26 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@qualcomm.com header.s=qcppdkim1 header.b=BWZmIc1a; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: qualcomm.com, ip: 205.220.168.131, mailfrom: gmisra@qualcomm.com) Received: from pps.filterd (m0279862.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 64R8mT882152271 for ; Wed, 27 May 2026 10:19:25 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qualcomm.com; h= cc:content-transfer-encoding:date:from:message-id:mime-version :subject:to; s=qcppdkim1; bh=lvrP+cyCtpM/rf3MNgssa2G1vAL6jacvA08 tStaI4J8=; b=BWZmIc1aEkJ28E+nfV6JOriJ2dcqjkqG4wVPwMMUxjXMeAHWRps ef3Dtf8IAowRNv9hwvULfEPtQOZdnpJxOpSqIE1SIIdDdQvf9f0kSLtMcO8dWQmD 3ItrgdgLkEYFSpI+A+vKJEeEKpaxfJVkPqzVPxH2i1zPnryEALXk6aXbMCV/rgVg GfHcKvqq0Rx1gqcDRL/es6H/OyELKxUvXCoPp5cK3KVkPUTieR6MXeAcQtz7/+Bj sYXin5g6I7xBUIi+lNVw50nevOSHGt5waIta/8kRNaRtqRAu6POrp7bNSyOfWat/ 8SHVrZi+RiVSET7vTbuwncBdyCBCIkySx0Q== Received: from apblrppmta01.qualcomm.com (blr-bdr-fw-01_GlobalNAT_AllZones-Outside.qualcomm.com [103.229.18.19]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4edu6rgxfc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 27 May 2026 10:19:25 +0000 (GMT) Received: from pps.filterd (APBLRPPMTA01.qualcomm.com [127.0.0.1]) by APBLRPPMTA01.qualcomm.com (8.18.1.7/8.18.1.7) with ESMTP id 64RAJMpU003008; Wed, 27 May 2026 10:19:22 GMT Received: from pps.reinject (localhost [127.0.0.1]) by APBLRPPMTA01.qualcomm.com (PPS) with ESMTPS id 4eb5ajk8ju-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 27 May 2026 10:19:22 +0000 (GMT) Received: from APBLRPPMTA01.qualcomm.com (APBLRPPMTA01.qualcomm.com [127.0.0.1]) by pps.reinject (8.18.1.12/8.18.1.12) with ESMTP id 64RAJLsR003002 for ; Wed, 27 May 2026 10:19:21 GMT Received: from hu-devc-hyd-u24-a.qualcomm.com (hu-gmisra-hyd.qualcomm.com [10.213.99.33]) by APBLRPPMTA01.qualcomm.com (PPS) with ESMTPS id 64RAJLan003001 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 27 May 2026 10:19:21 +0000 (GMT) Received: by hu-devc-hyd-u24-a.qualcomm.com (Postfix, from userid 4467585) id 3A8A8214EF; Wed, 27 May 2026 15:49:21 +0530 (+0530) From: Gargi Misra To: yocto-patches@lists.yoctoproject.org Cc: Gargi Misra Subject: [meta-selinux][PATCH1/3] refpolicy: Addressing denial seen on alsa to allow write on event dev node Date: Wed, 27 May 2026 15:49:03 +0530 Message-ID: <20260527101903.1480413-2-gmisra@qti.qualcomm.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 X-QCInternal: smtphost X-QCInternal: smtphost X-Authority-Analysis: v=2.4 cv=MoJiLWae c=1 sm=1 tr=0 ts=6a16c52d cx=c_pps a=Ou0eQOY4+eZoSc0qltEV5Q==:117 a=Ou0eQOY4+eZoSc0qltEV5Q==:17 a=NGcC8JguVDcA:10 a=VkNPw1HP01LnGYTKEx00:22 a=u7WPNUs3qKkmUXheDGA7:22 a=_K5XuSEh1TEqbUxoQ0s3:22 a=NEAV23lmAAAA:8 a=EUspDBNiAAAA:8 a=COk6AnOGAAAA:8 a=RZau8XZcO4KK9KFBaN4A:9 a=TjNXssC_j7lpFel5tvFf:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNTI3MDA5OSBTYWx0ZWRfX8VlQlfrKgpQB gxmEZXz/F8+97zg7R1MbLPoetAgtKF8/xeEX1sg27odb2bHrhA7R1WSfA+By2ihkaiBCOzCAFVc xiOlzI3tiqsAPvIwOOyxlaGlpoKTBOMLlv2zfUTZFVWkk1KKGDMMmbv5G1HwlLUn6ic/pGrjic2 XgFBP5xvK9yrHWBZ/vq6fRG/ndu6FwWzP0P2coKBUgvFCA8g/sKhuGQNijgGBlobwk+O+7OGbn/ ja2Jmnp8bI4WexHIxoRwSbION2MR0nk0iF/zVa0tR4sLVjLK5UcMJAifAUGVliSLIQYt+BMtXee PPFKXg+h8OICZrVPUI2qFV7NcWkMpFDimXgrdbCA2krS+D4e1IvV+vPPnLoGGf4nuJ+ocO/EgHs PbT6yminlZefdrOlgHcOidkfZBqsQzSCK8b5g/oavQGPNPNcsV0Tu5zc20Rv74yUr7cjAM/BO1B 9F+33P3wG4n/pYqJqJQ== X-Proofpoint-GUID: MF8IlgzSbtN9_icshMlyLgIikspCosHz X-Proofpoint-ORIG-GUID: MF8IlgzSbtN9_icshMlyLgIikspCosHz X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.125,FMLib:17.12.100.49 definitions=2026-05-27_01,2026-05-26_03,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 lowpriorityscore=0 impostorscore=0 priorityscore=1501 clxscore=1015 bulkscore=0 adultscore=0 suspectscore=0 phishscore=0 malwarescore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2605130000 definitions=main-2605270099 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 27 May 2026 10:19:34 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/4069 avc: denied { write } for pid=792 comm="alsactl" name="controlC0" dev="devtmpfs" ino=1613 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 Upstream-Status: Backport [ https://github.com/SELinuxProject/refpolicy/pull/1117/changes/e0fd56a58954dc234b1a4d5ca30d4e80f84edd31 ] Signed-off-by: Gargi Misra --- ...olicy-Addressing-denial-seen-on-alsa.patch | 30 +++++++++++++++++++ .../refpolicy/refpolicy_common.inc | 1 + 2 files changed, 31 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy/0059-refpolicy-Addressing-denial-seen-on-alsa.patch diff --git a/recipes-security/refpolicy/refpolicy/0059-refpolicy-Addressing-denial-seen-on-alsa.patch b/recipes-security/refpolicy/refpolicy/0059-refpolicy-Addressing-denial-seen-on-alsa.patch new file mode 100644 index 0000000..04ca51e --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0059-refpolicy-Addressing-denial-seen-on-alsa.patch @@ -0,0 +1,30 @@ +From 38b0116d8504a9c4cc7d9d322fe83ac689a295f6 Mon Sep 17 00:00:00 2001 +From: Gargi Misra +Date: Wed, 27 May 2026 13:49:35 +0530 +Subject: [PATCH] refpolicy: Addressing denial seen on alsa to allow write on + event dev node + +avc: denied { write } for pid=792 comm="alsactl" name="controlC0" dev="devtmpfs" ino=1613 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:event_device_t:s0 tclass=chr_file permissive=0 + +Upstream-Status: Backport [ https://github.com/SELinuxProject/refpolicy/pull/1117/changes/e0fd56a58954dc234b1a4d5ca30d4e80f84edd31 ] + +Signed-off-by: Gargi Misra +--- + policy/modules/admin/alsa.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te +index 37d04a9e5..fd967cb82 100644 +--- a/policy/modules/admin/alsa.te ++++ b/policy/modules/admin/alsa.te +@@ -87,6 +87,7 @@ dev_read_sound(alsa_t) + dev_read_sysfs(alsa_t) + dev_read_urand(alsa_t) + dev_write_sound(alsa_t) ++dev_rw_input_dev(alsa_t) + + files_read_usr_files(alsa_t) + files_search_var_lib(alsa_t) +-- +2.43.0 + diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index 014714c..c43ff03 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc @@ -74,6 +74,7 @@ SRC_URI += " \ file://0056-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \ file://0057-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \ file://0058-policy-modules-system-logging-make-syslogd_runtime_t.patch \ + file://0059-refpolicy-Addressing-denial-seen-on-alsa.patch \ " S = "${UNPACKDIR}/refpolicy" From patchwork Wed May 27 10:21:28 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gargi Misra X-Patchwork-Id: 88820 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C6F31CD5BD5 for ; Wed, 27 May 2026 10:21:44 +0000 (UTC) Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com [205.220.168.131]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.17389.1779877295219799539 for ; Wed, 27 May 2026 03:21:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@qualcomm.com header.s=qcppdkim1 header.b=ELVj+LDN; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: qualcomm.com, ip: 205.220.168.131, mailfrom: gmisra@qualcomm.com) Received: from pps.filterd (m0279867.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 64RA6mY61149704 for ; Wed, 27 May 2026 10:21:34 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qualcomm.com; h= cc:content-transfer-encoding:date:from:message-id:mime-version :subject:to; s=qcppdkim1; bh=cerLIVt3UeoY1razZYncND9kcjbbVv9dzTL mAns2jz8=; b=ELVj+LDNJlygcR8TkCXsrJo8PsSxix0XnKmDKNjThcoMDQNooOp jKFDP9tCot2fgHKvQjSg3b1YZQ5zXFwlLTuOEgO59RYPxrXxX3FKp2kdsyRGXLvZ 2Po8l0E3K0kAZVT8eCLYmPIiIxdWywxRoTb5ujSdYVdOvz0dVe0kvI0H5oZbNjOL 7wuEk0KeB5EPOiNK9J61ee2cTWaBs+PrzmXq0zHPr/2Kq8pX9WpCLUzUT+3SJ5xL RSG4rnbOAn7B9AjuU02wPjn4jfruOP9JzbN8I6Q/3sQDx+BjtqQq6sXtJG1n+NB/ g2IEUOOIOQ4+mSraHJHIbaDlRpi3mQgFaVA== Received: from apblrppmta01.qualcomm.com (blr-bdr-fw-01_GlobalNAT_AllZones-Outside.qualcomm.com [103.229.18.19]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4edxjsg1hr-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 27 May 2026 10:21:34 +0000 (GMT) Received: from pps.filterd (APBLRPPMTA01.qualcomm.com [127.0.0.1]) by APBLRPPMTA01.qualcomm.com (8.18.1.7/8.18.1.7) with ESMTP id 64RALVPr005067; Wed, 27 May 2026 10:21:31 GMT Received: from pps.reinject (localhost [127.0.0.1]) by APBLRPPMTA01.qualcomm.com (PPS) with ESMTPS id 4eb5ajk95w-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 27 May 2026 10:21:31 +0000 (GMT) Received: from APBLRPPMTA01.qualcomm.com (APBLRPPMTA01.qualcomm.com [127.0.0.1]) by pps.reinject (8.18.1.12/8.18.1.12) with ESMTP id 64RALVG7005061 for ; Wed, 27 May 2026 10:21:31 GMT Received: from hu-devc-hyd-u24-a.qualcomm.com (hu-gmisra-hyd.qualcomm.com [10.213.99.33]) by APBLRPPMTA01.qualcomm.com (PPS) with ESMTPS id 64RALUSx005059 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 27 May 2026 10:21:31 +0000 (GMT) Received: by hu-devc-hyd-u24-a.qualcomm.com (Postfix, from userid 4467585) id 480D0214EF; Wed, 27 May 2026 15:51:30 +0530 (+0530) From: Gargi Misra To: yocto-patches@lists.yoctoproject.org Cc: Gargi Misra Subject: [meta-selinux][PATCH2/3] Subject: [PATCH] systemd-coredum: Added sepolicy permission to read namespace file type=AVC msg=audit(1776766842.302:2875): avc: denied { read open } for pid=6273 comm="systemd-coredum" path="pid:[4026531836]" dev="nsfs" ino=4026531836 scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0 Date: Wed, 27 May 2026 15:51:28 +0530 Message-ID: <20260527102128.1485793-1-gmisra@qti.qualcomm.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 X-QCInternal: smtphost X-QCInternal: smtphost X-Authority-Analysis: v=2.4 cv=C4PZDwP+ c=1 sm=1 tr=0 ts=6a16c5ae cx=c_pps a=Ou0eQOY4+eZoSc0qltEV5Q==:117 a=Ou0eQOY4+eZoSc0qltEV5Q==:17 a=Mv50RoFS4YoA:10 a=NGcC8JguVDcA:10 a=VkNPw1HP01LnGYTKEx00:22 a=u7WPNUs3qKkmUXheDGA7:22 a=eoimf2acIAo5FJnRuUoq:22 a=NEAV23lmAAAA:8 a=EUspDBNiAAAA:8 a=COk6AnOGAAAA:8 a=CJ4_2vi5urt8MGC88WwA:9 a=TjNXssC_j7lpFel5tvFf:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNTI3MDEwMCBTYWx0ZWRfX86gIf58bS2Lq 6pV1Sv+yghHkA++GODVxlUhepcnI6Ps4oOL8KVChhPGdGJ+Q+Z+sz2S/cOxd958/zP7LtrIr6rT Vs3KQcsv8tTzWeoQiYQ3Vuuj/VdfIheW8Vxl9YvPClpxvqOQ71pEpGphDoQ8KJLICk+Nl7inAtJ nWW8JO5i6WoGHv+dqA9o2kRU75Itq7b7jePxGwHa5GW8CcPi3N7qGWVtSwHGWdkkiPWy/NWwbFC 9UZqymeM5X7ZfCdRjrYatK329BhY0KVlUCWTLvZT6DfHtlfrOpmJomy755J0WJFm5iXBMp/UUzN sNFQEw35xyPqPX4irxCDSOoYYDS5z0IXY1khbIBxDYTUWg+XSrKHzyH8gOqQH6QCo8Nx5Ld9drg o+Ub5AtMM5E/bSS4Z9ZBirGPhGqtBdBMwpA5rYpJf4mKU+IgjMaD0u29xfl9+1buRkIxNZn9eoS Ms/wVceXAJoqGes0+6w== X-Proofpoint-ORIG-GUID: S0jjtPkGu7L28IXp4_G9dPpkBrQObGHu X-Proofpoint-GUID: S0jjtPkGu7L28IXp4_G9dPpkBrQObGHu X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.125,FMLib:17.12.100.49 definitions=2026-05-27_01,2026-05-26_03,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 impostorscore=0 adultscore=0 lowpriorityscore=0 malwarescore=0 bulkscore=0 phishscore=0 spamscore=0 priorityscore=1501 suspectscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2605130000 definitions=main-2605270100 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 27 May 2026 10:21:44 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/4070 Upstream-Status: Backport [ https://github.com/SELinuxProject/refpolicy/pull/1117/changes/75079752d1fb3cd8a394a4c470ec9b1144cec1bd ] Signed-off-by: Gargi Misra --- ...Added-sepolicy-permission-to-read-na.patch | 31 +++++++++++++++++++ .../refpolicy/refpolicy_common.inc | 1 + 2 files changed, 32 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy/0060-systemd-coredum-Added-sepolicy-permission-to-read-na.patch diff --git a/recipes-security/refpolicy/refpolicy/0060-systemd-coredum-Added-sepolicy-permission-to-read-na.patch b/recipes-security/refpolicy/refpolicy/0060-systemd-coredum-Added-sepolicy-permission-to-read-na.patch new file mode 100644 index 0000000..2ef8f67 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0060-systemd-coredum-Added-sepolicy-permission-to-read-na.patch @@ -0,0 +1,31 @@ +From 099c11e67498afaf28f424ca908ba44dd0c11c3d Mon Sep 17 00:00:00 2001 +From: Gargi Misra +Date: Wed, 27 May 2026 13:50:46 +0530 +Subject: [PATCH] systemd-coredum: Added sepolicy permission to read namespace + file type=AVC msg=audit(1776766842.302:2875): avc: denied { read open } for + pid=6273 comm="systemd-coredum" path="pid:[4026531836]" dev="nsfs" + ino=4026531836 scontext=system_u:system_r:systemd_coredump_t:s0 + tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0 + +Upstream-Status: Backport [ https://github.com/SELinuxProject/refpolicy/pull/1117/changes/75079752d1fb3cd8a394a4c470ec9b1144cec1bd ] + +Signed-off-by: Gargi Misra +--- + policy/modules/system/systemd.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index a18a584f4..1120e719a 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -574,6 +574,7 @@ fs_getattr_all_fs(systemd_coredump_t) + fs_getattr_nsfs_files(systemd_coredump_t) + fs_list_cgroup_dirs(systemd_coredump_t) + fs_search_tmpfs(systemd_coredump_t) ++fs_read_nsfs_files(systemd_coredump_t) + + init_list_var_lib_dirs(systemd_coredump_t) + init_read_state(systemd_coredump_t) +-- +2.43.0 + diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index c43ff03..2a2cc78 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc @@ -75,6 +75,7 @@ SRC_URI += " \ file://0057-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \ file://0058-policy-modules-system-logging-make-syslogd_runtime_t.patch \ file://0059-refpolicy-Addressing-denial-seen-on-alsa.patch \ + file://0060-systemd-coredum-Added-sepolicy-permission-to-read-na.patch \ " S = "${UNPACKDIR}/refpolicy" From patchwork Wed May 27 10:24:39 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gargi Misra X-Patchwork-Id: 88822 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A55A5CD4F54 for ; Wed, 27 May 2026 10:24:54 +0000 (UTC) Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.17431.1779877486470154974 for ; Wed, 27 May 2026 03:24:46 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@qualcomm.com header.s=qcppdkim1 header.b=oH0sweUD; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: qualcomm.com, ip: 205.220.180.131, mailfrom: gmisra@qualcomm.com) Received: from pps.filterd (m0279868.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 64R8mXc31176613 for ; Wed, 27 May 2026 10:24:45 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qualcomm.com; h= cc:content-transfer-encoding:date:from:message-id:mime-version :subject:to; s=qcppdkim1; bh=IHFa4SCoepReMUE7zRGoMdaMGU+AGcxtKDq 432maU0U=; b=oH0sweUD4LSIne1tgT97nOBJ/EYbCvit3S6zNAPmimcoywjnZFg /4PMLnFlYa2t4h+zQhFy+vmnX0zeCmpq2cgliW2M300bihEBYqBAIATEfL/kz6RE AW71xCcsI0Trh9RvfjcyqnurqpsGZBgerhDRKUaT7ke541CKR1+eE+aIDwKpVYYb fRjuMhgfAB+lKkV/yPfY9pkW6H8TpV90dU6iqBZz3P6n9AQnhe1uf1mpNSY9uDFK zhj7PgIULXre8grkoBEJQuKyIOr/A2Ob/vyVMwyt1nWZuAp6E4vipgPyeBFdRnAH g2r/KGlDAup9yN4/eaIXTtJJzShvq4wDxGw== Received: from apblrppmta01.qualcomm.com (blr-bdr-fw-01_GlobalNAT_AllZones-Outside.qualcomm.com [103.229.18.19]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4edndnj2fv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 27 May 2026 10:24:44 +0000 (GMT) Received: from pps.filterd (APBLRPPMTA01.qualcomm.com [127.0.0.1]) by APBLRPPMTA01.qualcomm.com (8.18.1.7/8.18.1.7) with ESMTP id 64RAOfMV008694; Wed, 27 May 2026 10:24:41 GMT Received: from pps.reinject (localhost [127.0.0.1]) by APBLRPPMTA01.qualcomm.com (PPS) with ESMTPS id 4eb5ajka2p-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 27 May 2026 10:24:41 +0000 (GMT) Received: from APBLRPPMTA01.qualcomm.com (APBLRPPMTA01.qualcomm.com [127.0.0.1]) by pps.reinject (8.18.1.12/8.18.1.12) with ESMTP id 64RAOfRD008687 for ; Wed, 27 May 2026 10:24:41 GMT Received: from hu-devc-hyd-u24-a.qualcomm.com (hu-gmisra-hyd.qualcomm.com [10.213.99.33]) by APBLRPPMTA01.qualcomm.com (PPS) with ESMTPS id 64RAOf2o008686 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 27 May 2026 10:24:41 +0000 (GMT) Received: by hu-devc-hyd-u24-a.qualcomm.com (Postfix, from userid 4467585) id CC175214EF; Wed, 27 May 2026 15:54:40 +0530 (+0530) From: Gargi Misra To: yocto-patches@lists.yoctoproject.org Cc: Gargi Misra , Gargi Misra Subject: [meta-selinux][PATCH3/3] libvirt_leasesh: Added read and search permission on kernel sysctls avc: denied { search } for pid=1393 comm="libvirt_leasesh" name="kernel" dev="proc" ino=3693 scontext=system_u:system_r:virt_leaseshelper_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir permissive=0 avc: denied { read } for pid=1363 comm="libvirt_leasesh" name="cap_last_cap" dev="proc" ino=13638 scontext=system_u:system_r:virt_leaseshelper_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0 avc: denied { open } for pid=1359 comm="libvirt_leasesh" path="/proc/sys/kernel/cap_last_cap" dev="proc" ino=2909 scontext=system_u:system_r:virt_leaseshelper_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0 avc: denied { getattr } for pid=1375 comm="libvirt_leasesh" name="/" dev="proc" ino=1 scontext=system_u:system_r:virt_leaseshelper_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0 Date: Wed, 27 May 2026 15:54:39 +0530 Message-ID: <20260527102439.1487755-1-gmisra@qti.qualcomm.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 X-QCInternal: smtphost X-QCInternal: smtphost X-Authority-Analysis: v=2.4 cv=PpSjqQM3 c=1 sm=1 tr=0 ts=6a16c66d cx=c_pps a=Ou0eQOY4+eZoSc0qltEV5Q==:117 a=Ou0eQOY4+eZoSc0qltEV5Q==:17 a=-vbZ1Io1qTe7wVCr:21 a=R8wtq3ddXiUA:10 a=NGcC8JguVDcA:10 a=VkNPw1HP01LnGYTKEx00:22 a=u7WPNUs3qKkmUXheDGA7:22 a=ZpdpYltYx_vBUK5n70dp:22 a=NEAV23lmAAAA:8 a=COk6AnOGAAAA:8 a=KTATZuYoSMOckcxMRwEA:9 a=TjNXssC_j7lpFel5tvFf:22 X-Proofpoint-ORIG-GUID: Udb2EsLasdOsHaZnqlVWpxmGHDaoAYh3 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNTI3MDEwMCBTYWx0ZWRfXxQguI2tZIMbh D4aZ28P+lxniaz6sQ8g4BXBMWuBeftbhwLgtZiPm807o9Hf5ImgmhKWXw0/PiZ+BU7sgF8BFqDJ PnZVUBDIv+hgQcp3nlSNE9w+oK5KKbndkHC5iygq+Vwj0L860+5SLxSEZzsyftj/WIdZ82ed0vG run8dxz0/PXlEvgjlJJTgOzQq8y5KENKqHT64wMHOL+WHfG2j8fSulc/3p6O6Nwy+zlPg3yoflP H5Ma4VFmwYB732DL7leQ595PtK5meZ0exJovIqIvidSQReKYQL4ybQbzGtphvCqOMpSqsNIKfcS zS/Vb2xtgkNilDbrYM+PEVx56In4y+9exocM6ZRsBxkyRRZMltb0OGk5bh6QGIxpvu8BZjD1j2a 1UdBxq74bDANsWnC85w4OcBXkPXcA7hsXVwScnnOoq6S0Oz3V6cVwhOSMupojuSWvlVPCHzdN0+ S9VZqENkWIcsOFUiv/A== X-Proofpoint-GUID: Udb2EsLasdOsHaZnqlVWpxmGHDaoAYh3 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.125,FMLib:17.12.100.49 definitions=2026-05-27_01,2026-05-26_03,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 priorityscore=1501 malwarescore=0 suspectscore=0 clxscore=1015 adultscore=0 phishscore=0 impostorscore=0 lowpriorityscore=0 spamscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2605130000 definitions=main-2605270100 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 27 May 2026 10:24:54 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/4072 Upstream-Status: Backport [ https://github.com/SELinuxProject/refpolicy/pull/1117/changes/a7d4c1333edee3ea6b532979ae6d940360489793 ] Signed-off-by: Gargi Misra --- ...Added-read-and-search-permission-on-.patch | 41 +++++++++++++++++++ .../refpolicy/refpolicy_common.inc | 1 + 2 files changed, 42 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy/0061-libvirt_leasesh-Added-read-and-search-permission-on-.patch diff --git a/recipes-security/refpolicy/refpolicy/0061-libvirt_leasesh-Added-read-and-search-permission-on-.patch b/recipes-security/refpolicy/refpolicy/0061-libvirt_leasesh-Added-read-and-search-permission-on-.patch new file mode 100644 index 0000000..1897335 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0061-libvirt_leasesh-Added-read-and-search-permission-on-.patch @@ -0,0 +1,41 @@ +From 977bd13b26fd697a1a01560908974f8a803deba3 Mon Sep 17 00:00:00 2001 +From: Gargi Misra +Date: Wed, 27 May 2026 14:35:23 +0530 +Subject: [PATCH] libvirt_leasesh: Added read and search permission on kernel + sysctls avc: denied { search } for pid=1393 comm="libvirt_leasesh" + name="kernel" dev="proc" ino=3693 + scontext=system_u:system_r:virt_leaseshelper_t:s0 + tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir permissive=0 avc: + denied { read } for pid=1363 comm="libvirt_leasesh" name="cap_last_cap" + dev="proc" ino=13638 scontext=system_u:system_r:virt_leaseshelper_t:s0 + tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0 avc: + denied { open } for pid=1359 comm="libvirt_leasesh" + path="/proc/sys/kernel/cap_last_cap" dev="proc" ino=2909 + scontext=system_u:system_r:virt_leaseshelper_t:s0 + tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0 avc: + denied { getattr } for pid=1375 comm="libvirt_leasesh" name="/" dev="proc" + ino=1 scontext=system_u:system_r:virt_leaseshelper_t:s0 + tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0 + +Upstream-Status: Backport [ https://github.com/SELinuxProject/refpolicy/pull/1117/changes/a7d4c1333edee3ea6b532979ae6d940360489793 ] + +Signed-off-by: Gargi Misra +--- + policy/modules/services/virt.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te +index 2241a22b5..0f6dc341e 100644 +--- a/policy/modules/services/virt.te ++++ b/policy/modules/services/virt.te +@@ -1161,6 +1161,7 @@ manage_files_pattern(virt_leaseshelper_t, virt_runtime_t, virt_runtime_t) + files_runtime_filetrans(virt_leaseshelper_t, virt_runtime_t, file) + + kernel_dontaudit_read_system_state(virt_leaseshelper_t) ++kernel_read_kernel_sysctls(virt_leaseshelper_t) + + # Read /sys/devices/system/node/node*/meminfo + dev_list_sysfs(virt_leaseshelper_t) +-- +2.43.0 + diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index 2a2cc78..23aadf6 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc @@ -76,6 +76,7 @@ SRC_URI += " \ file://0058-policy-modules-system-logging-make-syslogd_runtime_t.patch \ file://0059-refpolicy-Addressing-denial-seen-on-alsa.patch \ file://0060-systemd-coredum-Added-sepolicy-permission-to-read-na.patch \ + file://0061-libvirt_leasesh-Added-read-and-search-permission-on-.patch \ " S = "${UNPACKDIR}/refpolicy"