-
Notifications
You must be signed in to change notification settings - Fork 549
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
selinux-policy: Clean up testing rules and add systemd fix. (#9911)
Signed-off-by: Chris PeBenito <[email protected]>
- Loading branch information
1 parent
1bf3f8b
commit d42aff8
Showing
6 changed files
with
178 additions
and
108 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,70 +1,28 @@ | ||
| From 87a23a94731c5bb6979d27ef81e470b84cfc4bfe Mon Sep 17 00:00:00 2001 | ||
| From f6c4470e528370d5b6e8cf25b86e753c98022592 Mon Sep 17 00:00:00 2001 | ||
| From: Chris PeBenito <[email protected]> | ||
| Date: Mon, 25 Mar 2024 09:50:17 -0400 | ||
| Subject: [PATCH 17/24] various: Add additional logging access for domains run | ||
| Subject: [PATCH 17/33] various: Add additional logging access for domains run | ||
| from cloud_init. | ||
|
|
||
| Signed-off-by: Chris PeBenito <[email protected]> | ||
| --- | ||
| policy/modules/admin/bootloader.te | 6 ++++++ | ||
| policy/modules/admin/cloudinit.if | 19 +++++++++++++++++++ | ||
| policy/modules/admin/bootloader.te | 2 ++ | ||
| policy/modules/admin/rpm.if | 2 +- | ||
| policy/modules/system/selinuxutil.te | 10 ++++++++++ | ||
| policy/modules/system/udev.te | 5 +++++ | ||
| 5 files changed, 41 insertions(+), 1 deletion(-) | ||
| 4 files changed, 18 insertions(+), 1 deletion(-) | ||
|
|
||
| diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te | ||
| index 84b243c0c..4e097a1b9 100644 | ||
| index 84b243c0c..af162dd9b 100644 | ||
| --- a/policy/modules/admin/bootloader.te | ||
| +++ b/policy/modules/admin/bootloader.te | ||
| @@ -227,6 +227,10 @@ ifdef(`init_systemd',` | ||
| init_rw_inherited_stream_socket(bootloader_t) | ||
| ') | ||
|
|
||
| +optional_policy(` | ||
| + cloudinit_write_inherited_tmp_files(bootloader_t) | ||
| +') | ||
| + | ||
| optional_policy(` | ||
| fstools_exec(bootloader_t) | ||
| ') | ||
| @@ -258,4 +262,6 @@ optional_policy(` | ||
| @@ -258,4 +258,6 @@ optional_policy(` | ||
|
|
||
| optional_policy(` | ||
| rpm_rw_pipes(bootloader_t) | ||
| + rpm_read_inherited_tmp_files(bootloader_t) | ||
| + rpm_append_inherited_tmp_files(bootloader_t) | ||
| ') | ||
| diff --git a/policy/modules/admin/cloudinit.if b/policy/modules/admin/cloudinit.if | ||
| index 6d427e771..e69698fae 100644 | ||
| --- a/policy/modules/admin/cloudinit.if | ||
| +++ b/policy/modules/admin/cloudinit.if | ||
| @@ -181,6 +181,25 @@ interface(`cloudinit_getattr_state_files',` | ||
| allow $1 cloud_init_state_t:file getattr; | ||
| ') | ||
|
|
||
| +######################################## | ||
| +## <summary> | ||
| +## Append inherited cloud-init temporary files. | ||
| +## </summary> | ||
| +## <param name="domain"> | ||
| +## <summary> | ||
| +## Domain allowed access. | ||
| +## </summary> | ||
| +## </param> | ||
| +# | ||
| +interface(`cloudinit_append_inherited_tmp_files',` | ||
| + gen_require(` | ||
| + type cloud_init_t, cloud_init_tmp_t; | ||
| + ') | ||
| + | ||
| + allow $1 cloud_init_t:fd use; | ||
| + allow $1 cloud_init_tmp_t:file append_inherited_file_perms; | ||
| +') | ||
| + | ||
| ######################################## | ||
| ## <summary> | ||
| ## Write inherited cloud-init temporary files. | ||
| diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if | ||
| index b20c3cd3d..19943a0ae 100644 | ||
| --- a/policy/modules/admin/rpm.if | ||
|
|
@@ -120,5 +78,5 @@ index bebefdda8..8af0d90e0 100644 | |
| + rpm_append_inherited_tmp_files(udevadm_t) | ||
| +') | ||
| -- | ||
| 2.44.0 | ||
| 2.45.2 | ||
|
|
||
This file was deleted.
Oops, something went wrong.
26 changes: 26 additions & 0 deletions
26
SPECS/selinux-policy/0033-kmod-fix-for-run-modprobe.d.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| From e02c2eb0ad3e43df71c27a8f9c5ae7150add310a Mon Sep 17 00:00:00 2001 | ||
| From: Chris PeBenito <[email protected]> | ||
| Date: Mon, 1 Jul 2024 09:27:04 -0400 | ||
| Subject: [PATCH 33/33] kmod fix for /run/modprobe.d. | ||
|
|
||
| Signed-off-by: Chris PeBenito <[email protected]> | ||
| --- | ||
| policy/modules/system/modutils.fc | 2 ++ | ||
| 1 file changed, 2 insertions(+) | ||
|
|
||
| diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc | ||
| index 323120062..de9f88fa8 100644 | ||
| --- a/policy/modules/system/modutils.fc | ||
| +++ b/policy/modules/system/modutils.fc | ||
| @@ -8,6 +8,8 @@ ifdef(`distro_gentoo',` | ||
| /etc/modprobe\.devfs.* -- gen_context(system_u:object_r:modules_conf_t,s0) | ||
| ') | ||
|
|
||
| +/run/modprobe\.d(/.*)? gen_context(system_u:object_r:modules_conf_t,s0) | ||
| + | ||
| ifdef(`init_systemd',` | ||
| /run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0) | ||
| /run/tmpfiles\.d/static-nodes\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0) | ||
| -- | ||
| 2.45.2 | ||
|
|
27 changes: 27 additions & 0 deletions
27
SPECS/selinux-policy/0034-systemd-Fix-dac_override-use-in-systemd-machine-id-s.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| From aff599f9d5186afad60703f3f9bc5ad75df63899 Mon Sep 17 00:00:00 2001 | ||
| From: Chris PeBenito <[email protected]> | ||
| Date: Thu, 18 Jul 2024 15:51:20 -0400 | ||
| Subject: [PATCH 34/34] systemd: Fix dac_override use in | ||
| systemd-machine-id-setup. | ||
|
|
||
| Signed-off-by: Chris PeBenito <[email protected]> | ||
| --- | ||
| policy/modules/system/systemd.te | 2 +- | ||
| 1 file changed, 1 insertion(+), 1 deletion(-) | ||
|
|
||
| diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | ||
| index f64c29cc3..664f4f31a 100644 | ||
| --- a/policy/modules/system/systemd.te | ||
| +++ b/policy/modules/system/systemd.te | ||
| @@ -1170,7 +1170,7 @@ optional_policy(` | ||
| # machine-id-setup local policy | ||
| # | ||
|
|
||
| -allow systemd_machine_id_setup_t self:capability { setgid sys_admin sys_chroot }; | ||
| +allow systemd_machine_id_setup_t self:capability { dac_override setgid sys_admin sys_chroot }; | ||
|
|
||
| files_list_var(systemd_machine_id_setup_t) | ||
| files_mounton_root(systemd_machine_id_setup_t) | ||
| -- | ||
| 2.45.2 | ||
|
|
109 changes: 109 additions & 0 deletions
109
SPECS/selinux-policy/0035-rpm-Run-systemd-sysctl-from-post.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,109 @@ | ||
| From 97b37cca000c83e0cbc36479fff5cf8491a67d43 Mon Sep 17 00:00:00 2001 | ||
| From: Chris PeBenito <[email protected]> | ||
| Date: Fri, 19 Jul 2024 10:39:54 -0400 | ||
| Subject: [PATCH 35/35] rpm: Run systemd-sysctl from %post. | ||
|
|
||
| Run commands such as: | ||
|
|
||
| /usr/lib/systemd/systemd-sysctl /etc/sysctl.d/10-default-yama-scope.conf | ||
|
|
||
| Signed-off-by: Chris PeBenito <[email protected]> | ||
| --- | ||
| policy/modules/admin/rpm.te | 4 +++ | ||
| policy/modules/system/systemd.if | 44 ++++++++++++++++++++++++++++++++ | ||
| policy/modules/system/systemd.te | 2 ++ | ||
| 3 files changed, 50 insertions(+) | ||
|
|
||
| diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te | ||
| index 41253a4e2..809e8c573 100644 | ||
| --- a/policy/modules/admin/rpm.te | ||
| +++ b/policy/modules/admin/rpm.te | ||
| @@ -416,6 +416,10 @@ optional_policy(` | ||
| ntp_domtrans(rpm_script_t) | ||
| ') | ||
|
|
||
| +optional_policy(` | ||
| + systemd_run_sysctl(rpm_script_t, rpm_roles) | ||
| +') | ||
| + | ||
| optional_policy(` | ||
| tzdata_run(rpm_t, rpm_roles) | ||
| tzdata_run(rpm_script_t, rpm_roles) | ||
| diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if | ||
| index b7a392a13..2cb5ae2ed 100644 | ||
| --- a/policy/modules/system/systemd.if | ||
| +++ b/policy/modules/system/systemd.if | ||
| @@ -2629,6 +2629,50 @@ interface(`systemd_read_resolved_runtime',` | ||
| read_files_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t) | ||
| ') | ||
|
|
||
| +######################################## | ||
| +## <summary> | ||
| +## Execute systemd-sysctl in the systemd sysctl domain. | ||
| +## </summary> | ||
| +## <param name="domain"> | ||
| +## <summary> | ||
| +## Domain allowed access. | ||
| +## </summary> | ||
| +## </param> | ||
| +# | ||
| +interface(`systemd_domtrans_sysctl', ` | ||
| + gen_require(` | ||
| + type systemd_sysctl_t, systemd_sysctl_exec_t; | ||
| + ') | ||
| + | ||
| + corecmd_search_bin($1) | ||
| + domtrans_pattern($1, systemd_sysctl_exec_t, systemd_sysctl_t) | ||
| +') | ||
| + | ||
| +######################################## | ||
| +## <summary> | ||
| +## Run systemd-sysctl with a domain transition. | ||
| +## </summary> | ||
| +## <param name="domain"> | ||
| +## <summary> | ||
| +## Domain allowed access. | ||
| +## </summary> | ||
| +## </param> | ||
| +## <param name="role"> | ||
| +## <summary> | ||
| +## Role allowed access. | ||
| +## </summary> | ||
| +## </param> | ||
| +## <rolecap/> | ||
| +# | ||
| +interface(`systemd_run_sysctl', ` | ||
| + gen_require(` | ||
| + attribute_role systemd_sysctl_roles; | ||
| + ') | ||
| + | ||
| + systemd_domtrans_sysctl($1) | ||
| + roleattribute $2 systemd_sysctl_roles; | ||
| +') | ||
| + | ||
| ######################################## | ||
| ## <summary> | ||
| ## Execute the systemctl program. | ||
| diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | ||
| index 664f4f31a..3ad5bb651 100644 | ||
| --- a/policy/modules/system/systemd.te | ||
| +++ b/policy/modules/system/systemd.te | ||
| @@ -58,6 +58,7 @@ attribute systemd_user_session_type; | ||
| attribute systemd_user_activated_sock_file_type; | ||
| attribute systemd_user_unix_stream_activated_socket_type; | ||
|
|
||
| +attribute_role systemd_sysctl_roles; | ||
| attribute_role systemd_sysusers_roles; | ||
|
|
||
| type systemd_activate_t; | ||
| @@ -288,6 +289,7 @@ init_unit_file(systemd_socket_proxyd_unit_file_t) | ||
| type systemd_sysctl_t; | ||
| type systemd_sysctl_exec_t; | ||
| init_daemon_domain(systemd_sysctl_t, systemd_sysctl_exec_t) | ||
| +role systemd_sysctl_roles types systemd_sysctl_t; | ||
|
|
||
| type systemd_sysusers_t; | ||
| type systemd_sysusers_exec_t; | ||
| -- | ||
| 2.45.2 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -9,7 +9,7 @@ | |
| Summary: SELinux policy | ||
| Name: selinux-policy | ||
| Version: %{refpolicy_major}.%{refpolicy_minor} | ||
| Release: 5%{?dist} | ||
| Release: 6%{?dist} | ||
| License: GPLv2 | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Azure Linux | ||
|
|
@@ -51,7 +51,9 @@ Patch29: 0029-filesystem-systemd-memory.pressure-fixes.patch | |
| Patch30: 0030-init-Add-homectl-dbus-access.patch | ||
| Patch31: 0031-Temporary-workaround-for-memory.pressure-labeling-is.patch | ||
| Patch32: 0032-rpm-Fixes-from-various-post-scripts.patch | ||
| Patch33: 0033-cloud-init-and-kmod-fixes.patch | ||
| Patch33: 0033-kmod-fix-for-run-modprobe.d.patch | ||
| Patch34: 0034-systemd-Fix-dac_override-use-in-systemd-machine-id-s.patch | ||
| Patch35: 0035-rpm-Run-systemd-sysctl-from-post.patch | ||
| BuildRequires: bzip2 | ||
| BuildRequires: checkpolicy >= %{CHECKPOLICYVER} | ||
| BuildRequires: m4 | ||
|
|
@@ -335,6 +337,11 @@ exit 0 | |
| selinuxenabled && semodule -nB | ||
| exit 0 | ||
| %changelog | ||
| * Thu Jul 18 2024 Chris PeBenito <[email protected]> - 2.20240226-6 | ||
| - Drop rules that are specific to AzureLinux testing systems. | ||
| - Add fix for systemd-machine-id-setup CAP_DAC_OVERRIDE use. | ||
| - Run systemd-sysctl from RPM scripts. | ||
|
|
||
| * Tue Jul 16 2024 Chris PeBenito <[email protected]> - 2.20240226-5 | ||
| - Change unconfined to a separate module so it can be disabled. | ||
|
|
||
|
|
||