commit selinux-policy for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2024-08-15 09:57:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.7232 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "selinux-policy" Thu Aug 15 09:57:36 2024 rev:70 rq:1193871 version:20240814 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2024-08-10 19:06:25.842370339 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.7232/selinux-policy.changes 2024-08-15 09:57:42.725431423 +0200 
@@ -1,0 +2,49 @@ +Wed Aug 14 12:11:13 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240814: + * Dontaudit dac_override of fstab generator (bsc#1229127) + +------------------------------------------------------------------- +Wed Aug 14 07:00:34 UTC 2024 - Cathy Hu <cathy.hu@suse.com> + +- Drop varrun-convert.sh script as it causes issues with + container-selinux update (bsc#1228951) + +------------------------------------------------------------------- +Mon Aug 12 15:30:47 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240812: + * Update libvirt policy + * Add port 80/udp and 443/udp to http_port_t definition + * Additional updates stalld policy for bpf usage + * Label systemd-pcrextend and systemd-pcrlock properly + * Allow coreos_installer_t work with partitions + * Revert "Allow coreos-installer-generator work with partitions" + * Add policy for systemd-pcrextend + * Update policy for systemd-getty-generator + * Allow ip command write to ipsec's logs + * Allow virt_driver_domain read virtd-lxc files in /proc + * Revert "Allow svirt read virtqemud fifo files" + * Update virtqemud policy for libguestfs usage + * Allow virtproxyd create and use its private tmp files + * Allow virtproxyd read network state + * Allow virt_driver_domain create and use log files in /var/log + * Allow samba-dcerpcd work with ctdb cluster + * Allow NetworkManager_dispatcher_t send SIGKILL to plugins + * Allow setroubleshootd execute sendmail with a domain transition + * Allow key.dns_resolve set attributes on the kernel key ring + * Update qatlib policy for v24.02 with new features + * Label /var/lib/systemd/sleep with systemd_sleep_var_lib_t + * Allow tlp status power services + * Allow virtqemud domain transition on passt execution + * Allow virt_driver_domain connect to systemd-userdbd over a unix socket + * Allow boothd connect to systemd-userdbd over a unix socket + * Update policy for awstats scripts + * Allow bitlbee execute generic programs in system bin directories 
+ * Allow login_userdomain read aliases file + * Allow login_userdomain read ipsec config files + * Allow login_userdomain read all pid files + * Allow rsyslog read systemd-logind session files + * Allow libvirt-dbus stream connect to virtlxcd + +------------------------------------------------------------------- Old: ---- selinux-policy-20240809.tar.xz varrun-convert.sh New: ---- selinux-policy-20240814.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.PgxxsG/_old 2024-08-15 09:57:43.497463734 +0200 +++ /var/tmp/diff_new_pack.PgxxsG/_new 2024-08-15 09:57:43.497463734 +0200 @@ -33,7 +33,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20240809 +Version: 20240814 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc @@ -61,9 +61,6 @@ Source31: setrans-mls.conf Source32: setrans-minimum.conf -# Script to convert /var/run file context entries to /run -Source37: varrun-convert.sh - Source40: securetty_types-targeted Source41: securetty_types-mls Source42: securetty_types-minimum @@ -221,7 +218,6 @@ %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ -%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \ %nil @@ -258,7 +254,6 @@ %define postInstall() \ . %{_sysconfdir}/selinux/config; \ -%{_libexecdir}/selinux/varrun-convert.sh %2; \ if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \ rm %{_sysconfdir}/selinux/%2/.rebuild; \ /usr/sbin/semodule -B -n -s %2; \ 
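Review bot: Nothing in the spec retires an `extra_varrun` module that an earlier package version installed at priority 400 once the `%ghost .../active/modules/400/extra_varrun` entry (the -221 hunk) and the `varrun-convert.sh` call in postInstall (the -258 hunk) are gone; rpm no longer owns that path, so a module already in the store stays active across the upgrade. If the bsc#1228951 breakage comes from that module rather than from the script run itself, a one-shot cleanup such as `/usr/sbin/semodule -n -s %2 -X 400 -r extra_varrun 2>/dev/null || true; \` ahead of the `.rebuild` check in postInstall would remove it; if a leftover module is known to be harmless, a one-line comment in the spec saying so would spare the next maintainer the same question. This is inferred from the spec alone, as the old script body is not on this page.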
@@ -315,7 +310,6 @@ %ghost %config(noreplace) %{_sysconfdir}/selinux/config %{_tmpfilesdir}/selinux-policy.conf %{_rpmconfigdir}/macros.d/macros.selinux-policy -%{_libexecdir}/selinux/varrun-convert.sh %package sandbox Summary: SELinux policy sandbox @@ -383,9 +377,6 @@ cp $i selinux_config done -mkdir -p %{buildroot}%{_libexecdir}/selinux -install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux - make clean %if %{BUILD_TARGETED} %makeCmds targeted mcs allow ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.PgxxsG/_old 2024-08-15 09:57:43.565466580 +0200 +++ /var/tmp/diff_new_pack.PgxxsG/_new 2024-08-15 09:57:43.569466747 +0200 @@ -1,7 +1,7 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">02657ab47aa16a1ed9638b511b4ed12298f2352b</param></service><service name="tar_scm"> + <param name="changesrevision">e9e6076cfc96d33de1645e596ab0061c755c95b2</param></service><service name="tar_scm"> <param name="url">https://github.com/containers/container-selinux.git</param> <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm"> <param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param> ++++++ selinux-policy-20240809.tar.xz -> selinux-policy-20240814.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/contrib/awstats.if new/selinux-policy-20240814/policy/modules/contrib/awstats.if --- old/selinux-policy-20240809/policy/modules/contrib/awstats.if 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/contrib/awstats.if 2024-08-14 14:05:47.000000000 +0200 
@@ -36,6 +36,25 @@ ######################################## ## <summary> +## Execute the awstats scripts in the awstats scripts domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`awstats_domtrans_script',` + gen_require(` + type awstats_script_t, awstats_script_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, awstats_script_exec_t, awstats_script_t) +') + +######################################## +## <summary> ## Execute awstats cgi scripts in the caller domain. (Deprecated) ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/contrib/awstats.te new/selinux-policy-20240814/policy/modules/contrib/awstats.te --- old/selinux-policy-20240809/policy/modules/contrib/awstats.te 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/contrib/awstats.te 2024-08-14 14:05:47.000000000 +0200 @@ -41,7 +41,7 @@ manage_files_pattern(awstats_t, awstats_var_lib_t, awstats_var_lib_t) -allow awstats_t { awstats_content_t awstats_script_exec_t }:dir search_dir_perms; +allow awstats_t { awstats_content_t awstats_script_exec_t }:dir list_dir_perms; can_exec(awstats_t, { awstats_exec_t awstats_script_exec_t }) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/contrib/bitlbee.te new/selinux-policy-20240814/policy/modules/contrib/bitlbee.te --- old/selinux-policy-20240809/policy/modules/contrib/bitlbee.te 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/contrib/bitlbee.te 2024-08-14 14:05:47.000000000 +0200 
@@ -78,6 +78,7 @@ kernel_read_system_state(bitlbee_t) kernel_read_kernel_sysctls(bitlbee_t) +corecmd_exec_bin(bitlbee_t) corecmd_exec_shell(bitlbee_t) corenet_all_recvfrom_unlabeled(bitlbee_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/contrib/boothd.te new/selinux-policy-20240814/policy/modules/contrib/boothd.te --- old/selinux-policy-20240809/policy/modules/contrib/boothd.te 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/contrib/boothd.te 2024-08-14 14:05:47.000000000 +0200 @@ -77,5 +77,9 @@ ') optional_policy(` + systemd_userdbd_stream_connect(boothd_t) +') + +optional_policy(` sysnet_read_config(boothd_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/contrib/coreos_installer.te new/selinux-policy-20240814/policy/modules/contrib/coreos_installer.te --- old/selinux-policy-20240809/policy/modules/contrib/coreos_installer.te 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/contrib/coreos_installer.te 2024-08-14 14:05:47.000000000 +0200 @@ -67,10 +67,18 @@ ') optional_policy(` + lvm_read_config(coreos_installer_generator_t) +') + +optional_policy(` miscfiles_read_localization(coreos_installer_t) ') optional_policy(` + raid_filetrans_named_content(coreos_installer_generator_t) +') + +optional_policy(` sysnet_dns_name_resolve(coreos_installer_t) ') 
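Review bot: `corecmd_exec_bin(bitlbee_t)` lets the daemon execute anything labelled bin_t in its own domain, a much wider grant than the single helper that presumably prompted it, and neither the hunk nor the changelog entry names that program. A why-comment on the new line, e.g. `# bitlbee spawns <program> from /usr/bin (bsc#<id>)` with the placeholders filled in, would let a later maintainer narrow it to a domain transition if one becomes available. The bitlbee_t policy continues outside the hunk.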
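Review bot: The two optional_policy blocks added in the -67 hunk still pass `coreos_installer_generator_t` to `lvm_read_config` and `raid_filetrans_named_content`, although they now sit between `coreos_installer_t` rules and the -117 hunk on the next line removes the identical calls from the generator section. If the intent, per the changelog's "Allow coreos_installer_t work with partitions" plus the revert of the generator change, was to move the access to the installer domain, the two hunks together are a no-op and the installer still lacks it; the calls would then read `lvm_read_config(coreos_installer_t)` and `raid_filetrans_named_content(coreos_installer_t)`. If only a reordering was intended, a short comment saying so would avoid the question.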
@@ -117,14 +125,6 @@ ') optional_policy(` - lvm_read_config(coreos_installer_generator_t) -') - -optional_policy(` - raid_filetrans_named_content(coreos_installer_generator_t) -') - -optional_policy(` sssd_read_public_files(coreos_installer_generator_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/contrib/ctdb.if new/selinux-policy-20240814/policy/modules/contrib/ctdb.if --- old/selinux-policy-20240809/policy/modules/contrib/ctdb.if 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/contrib/ctdb.if 2024-08-14 14:05:47.000000000 +0200 @@ -172,6 +172,25 @@ ######################################## ## <summary> +## Map ctdbd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ctdbd_map_lib_files',` + gen_require(` + type ctdbd_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 ctdbd_var_lib_t:file map; +') + +######################################## +## <summary> ## Manage ctdbd lib files. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/contrib/keyutils.te new/selinux-policy-20240814/policy/modules/contrib/keyutils.te --- old/selinux-policy-20240809/policy/modules/contrib/keyutils.te 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/contrib/keyutils.te 2024-08-14 14:05:47.000000000 +0200 
@@ -42,6 +42,7 @@ kernel_read_key(keyutils_dns_resolver_t) kernel_view_key(keyutils_dns_resolver_t) +kernel_setattr_key(keyutils_dns_resolver_t) init_search_pid_dirs(keyutils_dns_resolver_t) sysnet_read_config(keyutils_dns_resolver_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/contrib/logrotate.te new/selinux-policy-20240814/policy/modules/contrib/logrotate.te --- old/selinux-policy-20240809/policy/modules/contrib/logrotate.te 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/contrib/logrotate.te 2024-08-14 14:05:47.000000000 +0200 @@ -245,6 +245,7 @@ optional_policy(` awstats_domtrans(logrotate_t) + awstats_domtrans_script(logrotate_t) ') optional_policy(` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/contrib/networkmanager.te new/selinux-policy-20240814/policy/modules/contrib/networkmanager.te --- old/selinux-policy-20240809/policy/modules/contrib/networkmanager.te 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/contrib/networkmanager.te 2024-08-14 14:05:47.000000000 +0200 
@@ -593,6 +593,8 @@ allow NetworkManager_dispatcher_tlp_t self:unix_dgram_socket { create_socket_perms sendto }; allow NetworkManager_dispatcher_custom_t self:unix_dgram_socket { create_socket_perms sendto }; +allow NetworkManager_dispatcher_t networkmanager_dispatcher_plugin:process sigkill; + allow NetworkManager_dispatcher_t NetworkManager_unit_file_t:file getattr; allow NetworkManager_dispatcher_cloud_t NetworkManager_unit_file_t:file getattr; allow NetworkManager_dispatcher_cloud_t NetworkManager_unit_file_t:service { start status stop }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/contrib/qatlib.te new/selinux-policy-20240814/policy/modules/contrib/qatlib.te --- old/selinux-policy-20240809/policy/modules/contrib/qatlib.te 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/contrib/qatlib.te 2024-08-14 14:05:47.000000000 +0200 @@ -40,11 +40,14 @@ kernel_load_module(qatlib_t) kernel_read_proc_files(qatlib_t) kernel_request_load_module(qatlib_t) +kernel_stream_connect(qatlib_t) corecmd_exec_shell(qatlib_t) corecmd_exec_bin(qatlib_t) dev_create_sysfs_files(qatlib_t) +dev_getattr_generic_chr_files(qatlib_t) + dev_rw_sysfs(qatlib_t) dev_rw_vfio_dev(qatlib_t) dev_setattr_vfio_dev(qatlib_t) @@ -59,6 +62,10 @@ ') optional_policy(` + gnome_read_generic_cache_files(qatlib_t) +') + +optional_policy(` miscfiles_read_hwdata(qatlib_t) miscfiles_read_localization(qatlib_t) ') 
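Review bot: `gnome_read_generic_cache_files(qatlib_t)` in the -59 hunk is an unusual grant for a crypto-accelerator service and nothing on the line says which cache path it reads; if a library merely probes `$XDG_CACHE_HOME` and copes with a denial, a dontaudit would be the safer choice than read access to user cache files. A why-comment naming the library and path, e.g. `# <library> reads <path under ~/.cache> (bsc#<id>)` with the placeholders resolved, would justify the allow either way. The same applies to `dev_getattr_generic_chr_files(qatlib_t)` in the -40 hunk, which is likewise uncommented.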
@@ -75,5 +82,5 @@ optional_policy(` systemd_search_unit_dirs(qatlib_t) + systemd_userdbd_stream_connect(qatlib_t) ') - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/contrib/samba.te new/selinux-policy-20240814/policy/modules/contrib/samba.te --- old/selinux-policy-20240809/policy/modules/contrib/samba.te 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/contrib/samba.te 2024-08-14 14:05:47.000000000 +0200 @@ -1263,6 +1263,11 @@ ') optional_policy(` + ctdbd_stream_connect(winbind_rpcd_t) + ctdbd_map_lib_files(winbind_rpcd_t) +') + +optional_policy(` cups_read_config(winbind_rpcd_t) cups_stream_connect(winbind_rpcd_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/contrib/setroubleshoot.te new/selinux-policy-20240814/policy/modules/contrib/setroubleshoot.te --- old/selinux-policy-20240809/policy/modules/contrib/setroubleshoot.te 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/contrib/setroubleshoot.te 2024-08-14 14:05:47.000000000 +0200 @@ -195,6 +195,10 @@ rpm_use_script_fds(setroubleshootd_t) ') +optional_policy(` + sendmail_domtrans(setroubleshootd_t) +') + ######################################## # # setroubleshoot_fixit local policy diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/contrib/stalld.te new/selinux-policy-20240814/policy/modules/contrib/stalld.te --- old/selinux-policy-20240809/policy/modules/contrib/stalld.te 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/contrib/stalld.te 2024-08-14 14:05:47.000000000 +0200 
@@ -21,8 +21,10 @@ # allow stalld_t self:bpf { map_create map_read map_write prog_load prog_run }; allow stalld_t self:capability { sys_nice sys_resource }; +allow stalld_t self:capability2 { bpf perfmon }; allow stalld_t self:process { fork setsched setrlimit }; allow stalld_t self:fifo_file rw_fifo_file_perms; +allow stalld_t self:process setrlimit; allow stalld_t self:unix_stream_socket create_stream_socket_perms; manage_dirs_pattern(stalld_t, stalld_var_run_t, stalld_var_run_t) @@ -44,6 +46,8 @@ files_read_etc_files(stalld_t) +fs_list_bpf_dirs(stalld_t) + selinux_read_security_files(stalld_t) logging_send_syslog_msg(stalld_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/contrib/tlp.te new/selinux-policy-20240814/policy/modules/contrib/tlp.te --- old/selinux-policy-20240809/policy/modules/contrib/tlp.te 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/contrib/tlp.te 2024-08-14 14:05:47.000000000 +0200 @@ -111,6 +111,7 @@ systemd_exec_systemctl(tlp_t) systemd_read_unit_files(tlp_t) systemd_search_unit_dirs(tlp_t) + systemd_status_power_services(tlp_t) ') optional_policy(` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/contrib/virt.fc new/selinux-policy-20240814/policy/modules/contrib/virt.fc --- old/selinux-policy-20240809/policy/modules/contrib/virt.fc 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/contrib/virt.fc 2024-08-14 14:05:47.000000000 +0200 
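Review bot: The added `allow stalld_t self:process setrlimit;` duplicates the `setrlimit` already granted two lines above in `allow stalld_t self:process { fork setsched setrlimit };`, so the new line can be dropped. The `capability2 { bpf perfmon }` grant together with `fs_list_bpf_dirs(stalld_t)` in the -44 hunk is consistent with the existing self:bpf rule, but a comment above that group such as `# stalld loads BPF programs: bpf/perfmon caps and /sys/fs/bpf listing` would record why a scheduler helper holds capabilities that are otherwise rare.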
@@ -48,7 +48,16 @@ /var/lib/libvirt/lockd(/.*)? gen_context(system_u:object_r:virt_var_lockd_t,s0) /var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) -/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +/var/log/virtinterfaced.log -- gen_context(system_u:object_r:virt_log_t,s0) +/var/log/virtnetworkd.log -- gen_context(system_u:object_r:virt_log_t,s0) +/var/log/virtnodedevd.log -- gen_context(system_u:object_r:virt_log_t,s0) +/var/log/virtnwfilterd.log -- gen_context(system_u:object_r:virt_log_t,s0) +/var/log/virtproxyd.log -- gen_context(system_u:object_r:virt_log_t,s0) +/var/log/virtqemud.log -- gen_context(system_u:object_r:virt_log_t,s0) +/var/log/virtsecretd.log -- gen_context(system_u:object_r:virt_log_t,s0) +/var/log/virtstoraged.log -- gen_context(system_u:object_r:virt_log_t,s0) + /run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0) # Use parentheses so that "interface" is not recognized as a keyword by M4 /run/libvirt/interfac(e)(/.*)? gen_context(system_u:object_r:virtinterfaced_var_run_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/contrib/virt.if new/selinux-policy-20240814/policy/modules/contrib/virt.if --- old/selinux-policy-20240809/policy/modules/contrib/virt.if 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/contrib/virt.if 2024-08-14 14:05:47.000000000 +0200 
@@ -398,6 +398,24 @@ allow $1 svirt_t:unix_stream_socket { getopt read setopt write }; ') +####################################### +## <summary> +## Connect to lxc process over a unix domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_stream_connect_lxc',` + gen_require(` + type virtd_lxc_t, virt_lxc_var_run_t; + ') + + stream_connect_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +') + ######################################## ## <summary> ## Allow domain to attach to virt TUN devices @@ -646,6 +664,25 @@ ') ######################################## +## <summary> +## Manage virt pid sock files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`virt_manage_pid_sock_files',` + gen_require(` + type virt_var_run_t; + ') + + files_search_pids($1) + manage_sock_files_pattern($1, virt_var_run_t, virt_var_run_t) +') + +######################################## ## <summary> ## Create objects in the pid directory ## with a private type with a type transition. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/contrib/virt.te new/selinux-policy-20240814/policy/modules/contrib/virt.te --- old/selinux-policy-20240809/policy/modules/contrib/virt.te 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/contrib/virt.te 2024-08-14 14:05:47.000000000 +0200 @@ -306,6 +306,14 @@ init_daemon_domain(virt_dbus_t, virt_dbus_exec_t) init_nnp_daemon_domain(virt_dbus_t) +# common rules for virt_driver_domain; + +read_files_pattern(virt_driver_domain, virtd_lxc_t, virtd_lxc_t) + +optional_policy(` + systemd_userdbd_stream_connect(virt_driver_domain) +') + # virtinterfaced type virtinterfaced_t, virt_driver_domain; type virtinterfaced_exec_t, virt_driver_executable; 
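Review bot: `virt_stream_connect_lxc` calls `stream_connect_pattern` on `virt_lxc_var_run_t` without first granting search on the pid directory tree, whereas `virt_manage_pid_sock_files` in the same hunk prefixes its pattern with `files_search_pids($1)`; a caller that cannot already traverse /run would then be denied at the directory rather than at the socket. Adding `files_search_pids($1)` before the pattern keeps the two new interfaces consistent, assuming the socket lives under /run — the fc entry for virt_lxc_var_run_t is not on this page. The summary would also read better naming the server domain: `Connect to virtd_lxc over a unix domain stream socket.`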
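Review bot: In the virt.te -306 hunk the comment `# common rules for virt_driver_domain;` ends in a stray semicolon, and the rules under it (`read_files_pattern(virt_driver_domain, virtd_lxc_t, virtd_lxc_t)` and the userdbd block) are placed among type declarations instead of in the existing "virt_driver_domain local policy (common rules)" section that the -1861 hunk on the next line extends. Moving them there keeps declarations and rules apart as in the rest of the file; a why-comment on the read_files_pattern line, e.g. `# driver daemons read virtd-lxc's /proc entries (see changelog 20240812)`, would also help since the changelog is currently the only explanation.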
@@ -361,6 +369,9 @@ virt_driver_template(virtproxyd_t) files_type(virtproxyd_t) +type virtproxyd_tmp_t; +files_tmp_file(virtproxyd_tmp_t) + type virtproxyd_var_run_t, virt_driver_var_run; files_pid_file(virtproxyd_var_run_t) @@ -483,7 +494,6 @@ allow svirt_t virtlogd_t:unix_stream_socket connectto; allow svirt_t virtqemud_t:tun_socket attach_queue; -allow svirt_t virtqemud_t:fifo_file read; allow svirt_t virtqemud_var_run_t:file write; read_files_pattern(svirt_t, virtqemud_t, virtqemud_t) @@ -521,6 +531,10 @@ allow svirt_tcg_t self:process { execmem execstack }; allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; +allow svirt_tcg_t virtqemud_var_run_t: file write; + +read_files_pattern(svirt_tcg_t, virtqemud_t, virtqemud_t) + kernel_read_vm_sysctls(svirt_tcg_t) corenet_udp_sendrecv_generic_if(svirt_tcg_t) @@ -1267,7 +1281,8 @@ virt_write_qemu_pid_files(passt_t) virt_create_qemu_pid_files(passt_t) virt_manage_qemu_pid_sock_files(passt_t) - virt_read_pid_files(passt_t) + virt_manage_pid_files(passt_t) + virt_manage_pid_sock_files(passt_t) virt_svirt_write_tmp(passt_t) ') ') @@ -1861,6 +1876,12 @@ # virt_driver_domain local policy (common rules) # +manage_files_pattern(virt_driver_domain, virt_log_t, virt_log_t) + +optional_policy(` + logging_log_filetrans(virt_driver_domain, virt_log_t, file) +') + optional_policy(` policykit_dbus_chat(virt_driver_domain) ') @@ -1981,7 +2002,10 @@ corecmd_exec_bin(virtnodedevd_t) corecmd_exec_shell(virtnodedevd_t) +dev_read_vfio_dev(virtnodedevd_t) dev_rw_mtrr(virtnodedevd_t) +dev_rw_sysfs(virtnodedevd_t) +dev_write_sysfs_dirs(virtnodedevd_t) files_map_var_lib_files(virtnodedevd_t) files_watch_etc_dirs(virtnodedevd_t) @@ -1993,10 +2017,6 @@ ') optional_policy(` - systemd_userdbd_stream_connect(virtnodedevd_t) -') - -optional_policy(` udev_domtrans(virtnodedevd_t) udev_read_pid_files(virtnodedevd_t) ') 
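Review bot: In the -1267 hunk `virt_read_pid_files(passt_t)` is replaced by `virt_manage_pid_files(passt_t)` and `virt_manage_pid_sock_files(passt_t)`, i.e. read-only becomes create/delete/write on every virt_var_run_t file and socket, not just the qemu ones already granted two lines up. passt is the unprivileged network backend started for a guest, so if it only needs its own socket under /run/libvirt, a narrower interface or a dedicated runtime type with a filetrans would keep a misbehaving passt away from other libvirt run files; if the width is required, a comment naming what passt creates there would justify it. The enclosing optional_policy/tunable block starts and ends outside the hunk.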
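Review bot: In the -1861 hunk `logging_log_filetrans(virt_driver_domain, virt_log_t, file)` is wrapped in `optional_policy`, but the other logging_* calls on this page (`logging_send_syslog_msg(stalld_t)` in stalld.te, `logging_search_logs($1)` in ipsec_write_log) are unconditional; the wrapper is harmless but signals an optional dependency where there is none. Flatten it to a bare `logging_log_filetrans(virt_driver_domain, virt_log_t, file)` directly under the `manage_files_pattern(virt_driver_domain, virt_log_t, virt_log_t)` line.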
@@ -2052,6 +2072,9 @@ allow virtproxyd_t virt_dbus_t:dir search_dir_perms; allow virtproxyd_t virt_dbus_t:file read_file_perms; +manage_files_pattern(virtproxyd_t, virtproxyd_tmp_t, virtproxyd_tmp_t) +files_tmp_filetrans(virtproxyd_t, virtproxyd_tmp_t, file) + manage_dirs_pattern(virtproxyd_t, virt_var_run_t, virt_var_run_t) manage_dirs_pattern(virtproxyd_t, virtproxyd_var_run_t, virtproxyd_var_run_t) manage_files_pattern(virtproxyd_t, virtproxyd_var_run_t, virtproxyd_var_run_t) @@ -2059,6 +2082,8 @@ files_pid_filetrans(virtproxyd_t, virtproxyd_var_run_t, { dir file sock_file } ) filetrans_pattern(virtproxyd_t, virt_var_run_t, virtproxyd_var_run_t, { file sock_file } ) +kernel_read_network_state(virtproxyd_t) + corenet_tcp_bind_generic_node(virtproxyd_t) corenet_tcp_bind_virt_port(virtproxyd_t) @@ -2068,16 +2093,12 @@ dnsmasq_filetrans_named_content_fromdir(virtproxyd_t, virtproxyd_var_run_t) ') -optional_policy(` - systemd_userdbd_stream_connect(virtproxyd_t) -') - ####################################### # # virtqemud local policy # allow virtqemud_t self:bpf { map_create map_read map_write prog_load prog_run }; -allow virtqemud_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill net_admin setgid setuid sys_admin sys_chroot sys_ptrace sys_rawio }; +allow virtqemud_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid kill net_admin setpcap setgid setuid sys_admin sys_chroot sys_ptrace sys_rawio sys_resource }; allow virtqemud_t self:capability2 { bpf perfmon }; allow virtqemud_t self:cap_userns kill; 
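Review bot: In the -2068 hunk `setpcap` and `sys_resource` join virtqemud_t's capability set with no comment; `setpcap` lets a daemon that spawns guest and helper processes change capability sets, so the reason should be recorded where the grant is. A trailing why-comment naming the libvirt code path for each, e.g. `# setpcap: <feature>; sys_resource: <feature> (bsc#<id>)` with the placeholders filled in, would let the next reviewer check it is still needed. The rest of the virtqemud local policy continues outside the hunk.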
@@ -2087,11 +2108,14 @@ allow virtqemud_t self:tun_socket create; allow virtqemud_t self:udp_socket { connect create getattr }; +allow virtqemud_t qemu_var_run_t:dir relabelfrom; + allow virtqemud_t svirt_t:process { getattr setsched signal signull transition }; allow virtqemud_t svirt_t:unix_stream_socket { connectto create_stream_socket_perms }; allow virtqemud_t svirt_socket_t:unix_stream_socket connectto; - -allow virtqemud_t qemu_var_run_t:dir relabelfrom; +allow virtqemud_t svirt_tcg_t: process { setsched signal signull transition }; +allow virtqemud_t svirt_tcg_t: unix_stream_socket { connectto create_stream_socket_perms }; +allow virtqemud_t svirt_tmpfs_t:file { map write }; allow virtqemud_t virt_cache_t:file { relabelfrom relabelto }; @@ -2126,12 +2150,15 @@ manage_sock_files_pattern(virtqemud_t, qemu_var_run_t, qemu_var_run_t) filetrans_pattern(virtqemud_t, virt_var_run_t, qemu_var_run_t, dir, "qemu") +read_chr_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t) +setattr_chr_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t) manage_dirs_pattern(virtqemud_t, svirt_image_t, svirt_image_t) manage_fifo_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t) manage_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t) manage_sock_files_pattern(virtqemud_t, svirt_image_t, svirt_image_t) read_files_pattern(virtqemud_t, svirt_t, svirt_t) read_lnk_files_pattern(virtqemud_t, svirt_t, svirt_t) +read_files_pattern(virtqemud_t, svirt_tcg_t, svirt_tcg_t) manage_files_pattern(virtqemud_t, virt_content_t, virt_content_t) @@ -2149,6 +2176,7 @@ read_files_pattern(virtqemud_t, virtproxyd_t, virtproxyd_t) kernel_io_uring_use(virtqemud_t) +kernel_mount_proc(virtqemud_t) kernel_read_all_proc(virtqemud_t) kernel_read_network_state_symlinks(virtqemud_t) kernel_read_vm_sysctls(virtqemud_t) 
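Review bot: The new `allow virtqemud_t svirt_tcg_t: process { ... };` and `allow virtqemud_t svirt_tcg_t: unix_stream_socket { ... };` lines put a space after the colon, unlike `svirt_t:process` immediately above and every other rule in the file (the -521 hunk's `virtqemud_var_run_t: file write` has the same slip); checkpolicy accepts it, but it breaks grepping for `:process`. The svirt_tcg_t process set also omits `getattr`, which svirt_t gets; if the TCG domain is meant to mirror svirt_t it should read `allow virtqemud_t svirt_tcg_t:process { getattr setsched signal signull transition };`, otherwise a comment noting the deliberate difference would help. `allow virtqemud_t svirt_tmpfs_t:file { map write };` would likewise benefit from a comment naming what is mapped.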
@@ -2170,6 +2198,8 @@ dev_rw_kvm(virtqemud_t) dev_rw_lvm_control(virtqemud_t) dev_rw_vhost(virtqemud_t) +dev_setattr_urand(virtqemud_t) +dev_unmount_fs(virtqemud_t) files_mounton_non_security(virtqemud_t) files_read_all_symlinks(virtqemud_t) @@ -2198,13 +2228,11 @@ init_stream_connect(virtqemud_t) init_stream_connect_script(virtqemud_t) +selinux_compute_create_context(virtqemud_t) + sysnet_exec_ifconfig(virtqemud_t) sysnet_manage_config(virtqemud_t) -userdom_read_all_users_state(virtqemud_t) -userdom_read_user_home_content_files(virtqemud_t) -userdom_relabel_user_home_files(virtqemud_t) - tunable_policy(`virtqemud_use_execmem',` allow virtqemud_t self:process { execmem execstack }; ') @@ -2226,6 +2254,10 @@ ') optional_policy(` + passt_domtrans(virtqemud_t) +') + +optional_policy(` policykit_dbus_chat(virtqemud_t) ') @@ -2245,7 +2277,14 @@ optional_policy(` systemd_dbus_chat_machined(virtqemud_t) - systemd_userdbd_stream_connect(virtqemud_t) +') + +optional_policy(` + userdom_manage_tmp_files(virtqemud_t) + userdom_manage_tmp_sockets(virtqemud_t) + userdom_read_all_users_state(virtqemud_t) + userdom_read_user_home_content_files(virtqemud_t) + userdom_relabel_user_home_files(virtqemud_t) ') ####################################### @@ -2499,6 +2538,7 @@ allow virt_dbus_t virtproxyd_t:unix_stream_socket connectto; allow virt_dbus_t virtqemud_t:unix_stream_socket connectto; allow virt_dbus_t virtqemud_var_run_t:sock_file write; +virt_stream_connect_lxc(virt_dbus_t) kernel_read_proc_files(virt_dbus_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/kernel/corenetwork.te.in new/selinux-policy-20240814/policy/modules/kernel/corenetwork.te.in --- old/selinux-policy-20240809/policy/modules/kernel/corenetwork.te.in 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/kernel/corenetwork.te.in 2024-08-14 14:05:47.000000000 +0200 
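Review bot: `dev_unmount_fs(virtqemud_t)` and `dev_setattr_urand(virtqemud_t)`, like `kernel_mount_proc(virtqemud_t)` in the -2149 hunk on the previous line, are namespace- and device-level grants added without a comment, and they widen what a compromised daemon can do to /dev and /proc on the host. A one-line why-comment per grant, e.g. `# mount namespace setup for guest helpers — TODO name the libvirt feature`, would record the trigger; if these are only hit during namespace teardown, a dontaudit may suffice for the setattr on urandom. The surrounding dev_* block continues outside the hunk.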
@@ -193,7 +193,7 @@ network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) -network_port(http, tcp,80,s0, tcp,81,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0,tcp,9000, s0) #8443 is mod_nss default port +network_port(http, tcp,80,s0, udp,80,s0, tcp,81,s0, tcp,443,s0, udp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, tcp,9000,s0) #8443 is mod_nss default port network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy network_port(ibm_dt_2, tcp,1792,s0, udp,1792,s0) network_port(intermapper, tcp,8181,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/kernel/devices.if new/selinux-policy-20240814/policy/modules/kernel/devices.if --- old/selinux-policy-20240809/policy/modules/kernel/devices.if 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/kernel/devices.if 2024-08-14 14:05:47.000000000 +0200 @@ -110,6 +110,24 @@ ######################################## ## <summary> +## Unmount the device filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_unmount_fs',` + gen_require(` + type device_t; + ') + + allow $1 device_t:filesystem unmount; +') + +######################################## +## <summary> ## Mount a filesystem on /dev ## </summary> ## <param name="domain"> 
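Review bot: Adding `udp,80,s0` and `udp,443,s0` to the http port definition means every domain holding corenet_*_http_port permissions now also binds or connects UDP on those ports, which the line does not explain; the existing trailing note only covers 8443. Extending it, e.g. `#8443 is mod_nss default port; udp 80/443 for HTTP/3 (QUIC)`, would record the reason next to the change. The spacing fix on `tcp,9000,s0` is a welcome side effect.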
@@ -5426,6 +5444,24 @@ ') ######################################## +## <summary> +## Allow set attributes of dev/urandom. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_setattr_urand',` + gen_require(` + type urandom_device_t; + ') + + setattr_chr_files_pattern($1, device_t, urandom_device_t) +') + +######################################## ## <summary> ## Getattr generic the USB devices. ## </summary> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/kernel/filesystem.if new/selinux-policy-20240814/policy/modules/kernel/filesystem.if --- old/selinux-policy-20240809/policy/modules/kernel/filesystem.if 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/kernel/filesystem.if 2024-08-14 14:05:47.000000000 +0200 @@ -601,6 +601,26 @@ ######################################## ## <summary> +## List bpf directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fs_list_bpf_dirs',` + gen_require(` + type bpf_t; + ') + + list_dirs_pattern($1, bpf_t, bpf_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) +') + +######################################## +## <summary> ## Manage bpf directories. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/system/ipsec.if new/selinux-policy-20240814/policy/modules/system/ipsec.if --- old/selinux-policy-20240809/policy/modules/system/ipsec.if 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/system/ipsec.if 2024-08-14 14:05:47.000000000 +0200 
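Review bot: `dev_setattr_urand` uses `device_t` as the directory type in `setattr_chr_files_pattern($1, device_t, urandom_device_t)` but its gen_require lists only `urandom_device_t`, so a module that expands this interface may fail to build on the unrequired type; the sibling dev_*_urand interfaces require both. Change the require to `type device_t, urandom_device_t;`. The summary would also read more naturally as `Set attributes on /dev/urandom.`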
@@ -170,6 +170,25 @@ ######################################## ## <summary> +## Allow the specified domain to write to ipsec's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ipsec_write_log',` + gen_require(` + type ipsec_log_t; + ') + + logging_search_logs($1) + write_files_pattern($1, ipsec_log_t, ipsec_log_t) +') + +######################################## +## <summary> ## Execute the IPSEC management program in the caller domain. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/system/logging.if new/selinux-policy-20240814/policy/modules/system/logging.if --- old/selinux-policy-20240809/policy/modules/system/logging.if 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/system/logging.if 2024-08-14 14:05:47.000000000 +0200 @@ -1809,6 +1809,24 @@ ####################################### ## <summary> +## Write to files in /run/log/journal/ directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`logging_write_journal_files',` + gen_require(` + type syslogd_var_run_t; + ') + + allow $1 syslogd_var_run_t:file { setattr write }; +') + +####################################### +## <summary> ## Watch the /run/log/journal directory. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/system/logging.te new/selinux-policy-20240814/policy/modules/system/logging.te --- old/selinux-policy-20240809/policy/modules/system/logging.te 2024-08-09 14:34:46.000000000 +0200 +++ new/selinux-policy-20240814/policy/modules/system/logging.te 2024-08-14 14:05:47.000000000 +0200 
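Review bot: In the logging.if -1809 hunk `logging_write_journal_files` grants `{ setattr write }` on syslogd_var_run_t files but, unlike `ipsec_write_log` in the same diff which calls `logging_search_logs($1)` first, gives no search on the containing directories, so a caller may still be stopped before reaching the file; add the directory search the sibling interfaces use. The summary names /run/log/journal while the rule is on syslogd_var_run_t as a whole — `Write to and set attributes on syslogd runtime (journal) files.` would match the type. No caller of the new interface appears on this page, so it may be dead until a later hunk uses it.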
@@ -777,6 +777,7 @@
 systemd_map_bootchart_tmpfs_files(syslogd_t)
 systemd_list_conf_dirs(syslogd_t)
 systemd_read_conf_files(syslogd_t)
+ systemd_read_logind_sessions_files(syslogd_t)
 ')
 optional_policy(`
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/system/sysnetwork.te new/selinux-policy-20240814/policy/modules/system/sysnetwork.te
--- old/selinux-policy-20240809/policy/modules/system/sysnetwork.te 2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/system/sysnetwork.te 2024-08-14 14:05:47.000000000 +0200
@@ -479,6 +479,7 @@
 ')
 optional_policy(`
+ ipsec_write_log(ifconfig_t)
 ipsec_write_pid(ifconfig_t)
 ipsec_setcontext_default_spd(ifconfig_t)
 ')
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/system/systemd.fc new/selinux-policy-20240814/policy/modules/system/systemd.fc
--- old/selinux-policy-20240809/policy/modules/system/systemd.fc 2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/system/systemd.fc 2024-08-14 14:05:47.000000000 +0200
@@ -59,6 +59,8 @@
 /usr/lib/systemd/systemd-mountwork -- gen_context(system_u:object_r:systemd_mountfsd_exec_t,s0)
 /usr/lib/systemd/systemd-nsresourced -- gen_context(system_u:object_r:systemd_nsresourced_exec_t,s0)
 /usr/lib/systemd/systemd-nsresourcework -- gen_context(system_u:object_r:systemd_nsresourced_exec_t,s0)
+/usr/lib/systemd/systemd-pcrextend -- gen_context(system_u:object_r:systemd_pcrextend_exec_t,s0)
+/usr/lib/systemd/systemd-pcrlock -- gen_context(system_u:object_r:systemd_pcrlock_exec_t,s0)
 /usr/lib/systemd/systemd-pstore -- gen_context(system_u:object_r:systemd_pstore_exec_t,s0)
 /usr/lib/systemd/systemd-rfkill -- gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)
 /usr/lib/systemd/systemd-socket-proxyd -- gen_context(system_u:object_r:systemd_socket_proxyd_exec_t,s0)
@@ -104,6 +106,7 @@
 /var/lib/systemd/pstore(/.*)? gen_context(system_u:object_r:systemd_pstore_var_lib_t,s0)
 /var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,mls_systemhigh)
+/var/lib/systemd/sleep(/.*)? gen_context(system_u:object_r:systemd_sleep_var_lib_t,s0)
 /var/lib/systemd/timesync(/.*)? gen_context(system_u:object_r:systemd_timedated_var_lib_t,s0)
 /var/lib/private/systemd/journal-upload(/.*)? gen_context(system_u:object_r:systemd_journal_upload_var_lib_t,s0)
 /var/lib/private/systemd/timesync(/.*)? gen_context(system_u:object_r:systemd_timedated_var_lib_t,s0)
@@ -119,7 +122,6 @@
 /run/systemd/default-hostname -- gen_context(system_u:object_r:hostname_etc_t,s0)
 /run/systemd/generator -d gen_context(system_u:object_r:systemd_unit_file_t,s0)
-/run/systemd/generator/systemd-zram-setup@zram0\.service\.d(/.*)? gen_context(system_u:object_r:systemd_zram_generator_unit_file_t,s0)
 /run/systemd/generator/.+ <<none>>
 /run/systemd/io\.systemd\.NamespaceResource -s gen_context(system_u:object_r:systemd_nsresourced_runtime_t,s0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/system/systemd.te new/selinux-policy-20240814/policy/modules/system/systemd.te
--- old/selinux-policy-20240809/policy/modules/system/systemd.te 2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/system/systemd.te 2024-08-14 14:05:47.000000000 +0200
@@ -268,6 +268,8 @@
 files_pid_file(systemd_userdbd_runtime_t)
 systemd_domain_template(systemd_sleep)
+type systemd_sleep_var_lib_t;
+files_type(systemd_sleep_var_lib_t)
 systemd_domain_template(systemd_pstore)
 type systemd_pstore_var_lib_t;
@@ -280,6 +282,9 @@
 systemd_domain_template(systemd_mountfsd)
+systemd_domain_template(systemd_pcrextend)
+systemd_domain_template(systemd_pcrlock)
+
 #######################################
 #
 # Systemd_logind local policy
@@ -1298,7 +1303,7 @@
 dev_write_kmsg(systemd_generator)
 dev_write_kmsg(systemd_generator)
-files_map_etc_files(systemd_generator)
+files_map_read_etc_files(systemd_generator)
 fs_getattr_all_fs(systemd_generator)
 fs_search_cgroup_dirs(systemd_generator)
 init_read_state(systemd_generator)
@@ -1333,10 +1338,14 @@
 ')
 ### getty generator
+dontaudit systemd_getty_generator_t self:capability dac_override;
 dev_read_sysfs(systemd_getty_generator_t)
-init_read_state(systemd_getty_generator_t)
 term_use_unallocated_ttys(systemd_getty_generator_t)
+optional_policy(`
+ userdom_use_user_ttys(systemd_getty_generator_t)
+')
+
 ### gpt generator
 allow systemd_gpt_generator_t self:capability sys_rawio;
 dontaudit systemd_gpt_generator_t self:capability sys_admin;
@@ -1781,6 +1790,8 @@
 allow systemd_sleep_t systemd_unit_file_t:service { start stop };
+manage_files_pattern(systemd_sleep_t, systemd_sleep_var_lib_t, systemd_sleep_var_lib_t)
+
 kernel_dgram_send(systemd_sleep_t)
 corecmd_exec_bin(systemd_sleep_t)
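Review bot: The new `dontaudit systemd_getty_generator_t self:capability dac_override;` in the getty generator hunk silences the audit record without a comment saying which access triggers it; a dontaudit on dac_override hides exactly the denial a maintainer would need if the generator later does require the capability, and the neighbouring gpt generator's dontaudit gives the same lack of context. A one-line comment above the rule naming the observed access, e.g. `# getty generator probes paths it does not need as root; denial is harmless` (adjusted to the real trigger), would preserve that reasoning. The optional_policy block around userdom_use_user_ttys in the same hunk looks fine.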
@@ -1884,3 +1895,16 @@
 init_named_pid_filetrans(systemd_nsresourced_t, systemd_nsresourced_runtime_t, dir, "nsresource")
 init_named_pid_filetrans(systemd_nsresourced_t, systemd_nsresourced_runtime_t, file, "io.systemd.NamespaceResource")
+
+########################################
+#
+# systemd_pcrextend and systemd_pcrlock local policy
+#
+
+permissive systemd_pcrextend_t;
+
+optional_policy(`
+ logging_write_journal_files(systemd_pcrextend_t)
+')
+
+permissive systemd_pcrlock_t;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-policy-20240809/policy/modules/system/userdomain.te new/selinux-policy-20240814/policy/modules/system/userdomain.te
--- old/selinux-policy-20240809/policy/modules/system/userdomain.te 2024-08-09 14:34:46.000000000 +0200
+++ new/selinux-policy-20240814/policy/modules/system/userdomain.te 2024-08-14 14:05:47.000000000 +0200
@@ -403,6 +403,7 @@
 files_map_read_var_files(login_userdomain)
 files_map_var_lib_files(login_userdomain)
 files_read_var_lib_symlinks(login_userdomain)
+files_read_all_pids(login_userdomain)
 files_watch_etc_dirs(login_userdomain)
 files_watch_etc_files(login_userdomain)
 files_watch_home(login_userdomain)
@@ -451,6 +452,10 @@
 ')
 optional_policy(`
+ ipsec_read_config(login_userdomain)
+')
+
+optional_policy(`
 gnome_exec_atspi(login_userdomain)
 gnome_watch_generic_data_home_dirs(login_userdomain)
 gnome_watch_home_config_dirs(login_userdomain)
@@ -463,6 +468,10 @@
 ')
 optional_policy(`
+ mta_read_aliases(login_userdomain)
+')
+
+optional_policy(`
 pkcs_tmpfs_named_filetrans(login_userdomain)
 ')
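Review bot: Both new domains are declared `permissive systemd_pcrextend_t;` and `permissive systemd_pcrlock_t;` with no comment on why or until when; in permissive mode every access these TPM PCR tools make is allowed and only logged, so the new domains provide no enforcement yet. Permissive declarations tend to outlive their purpose, so I would put a tracking comment above each, e.g. `# TODO: permissive while the pcrextend/pcrlock access pattern is collected; drop once the rules below cover it`. As the hunk stands, the optional_policy granting logging_write_journal_files to systemd_pcrextend_t is the only concrete rule, and systemd_pcrlock_t has none at all, which is worth stating in that comment so the gap is visible.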
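Review bot: `files_read_all_pids(login_userdomain)` grants every login user domain read access to all runtime (pid) file types in one step, which is far broader than the other additions in this file section, where ipsec_read_config and mta_read_aliases each name a single type. If a specific denial motivated it, a per-service read interface, or a new narrower one, would limit what unprivileged users can read under /run; if the broad grant is intended, a comment above the line naming the use case would let a later reviewer judge it. The ipsec_read_config grant deserves a second look as well if that interface's config type can carry key material — its body is in ipsec.if, not in this diff, so I cannot tell from here.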