commit selinux-policy for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2024-06-06 12:30:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.24587 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Thu Jun  6 12:30:52 2024 rev:60 rq:1178674 version:20240411

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes	2024-03-22 15:28:25.598159722 +0100
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.24587/selinux-policy.changes	2024-06-06 12:30:58.876891299 +0200
@@ -1,0 +2,104 @@ +Mon Jun 3 13:42:13 UTC 2024 - Johannes Segitz <jsegitz@suse.com> + +- Remove "Reference" from the package description. It's not the + reference policy, but the Fedora branch of the policy + +------------------------------------------------------------------- +Tue May 28 11:12:57 UTC 2024 - Cathy Hu <cathy.hu@suse.com> + +- Use python311 tools in 15.4 and 15.5 when building selinux-policy to deprecate + python36 tooling + +------------------------------------------------------------------- +Wed May 8 11:06:43 UTC 2024 - Johannes Segitz <jsegitz@suse.com> + +- Fixed varrun-convert.sh script to not break because of duplicate + entries + +------------------------------------------------------------------- +Mon May 6 07:44:20 UTC 2024 - Johannes Segitz <jsegitz@suse.com> + +- Move to %posttrans to ensure selinux-policy got updated before + the commands run (bsc#1221720) + +------------------------------------------------------------------- +Mon Apr 15 13:23:40 UTC 2024 - Cathy Hu <cathy.hu@suse.com> + +- Add file contexts "forwarding" to file_contexts.sub_dist + to fix systemd-gpt-auto-generator and systemd-fstab-generator + (bsc#1222736): + * /run/systemd/generator.early /usr/lib/systemd/system + * /run/systemd/generator.late /usr/lib/systemd/system + +------------------------------------------------------------------- +Thu Apr 11 15:13:31 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240411: + * Remove duplicate in sysnetwork.fc + * Rename /var/run/wicked* to /run/wicked* + * Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc + * policy: support pidfs + * Confine selinux-autorelabel-generator.sh + * Allow logwatch_mail_t read/write to init over a unix stream socket + * Allow logwatch read logind sessions files + * files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it + * files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it + * Allow NetworkManager the sys_ptrace 
capability in user namespace + * dontaudit execmem for modemmanager + * Allow dhcpcd use unix_stream_socket + * Allow dhcpc read /run/netns files + * Update mmap_rw_file_perms to include the lock permission + * Allow plymouthd log during shutdown + * Add logging_watch_all_log_dirs() and logging_watch_all_log_files() + * Allow journalctl_t read filesystem sysctls + * Allow cgred_t to get attributes of cgroup filesystems + * Allow wdmd read hardware state information + * Allow wdmd list the contents of the sysfs directories + * Allow linuxptp configure phc2sys and chronyd over a unix domain socket + * Allow sulogin relabel tty1 + * Dontaudit sulogin the checkpoint_restore capability + * Modify sudo_role_template() to allow getpgid + * Allow userdomain get attributes of files on an nsfs filesystem + * Allow opafm create NFS files and directories + * Allow virtqemud create and unlink files in /etc/libvirt/ + * Allow virtqemud domain transition on swtpm execution + * Add the swtpm.if interface file for interactions with other domains + * Allow samba to have dac_override capability + * systemd: allow sys_admin capability for systemd_notify_t + * systemd: allow systemd_notify_t to send data to kernel_t datagram sockets + * Allow thumb_t to watch and watch_reads mount_var_run_t + * Allow krb5kdc_t map krb5kdc_principal_t files + * Allow unprivileged confined user dbus chat with setroubleshoot + * Allow login_userdomain map files in /var + * Allow wireguard work with firewall-cmd + * Differentiate between staff and sysadm when executing crontab with sudo + * Add crontab_admin_domtrans interface + * Allow abrt_t nnp domain transition to abrt_handle_event_t + * Allow xdm_t to watch and watch_reads mount_var_run_t + * Dontaudit subscription manager setfscreate and read file contexts + * Don't audit crontab_domain write attempts to user home + * Transition from sudodomains to crontab_t when executing crontab_exec_t + * Add crontab_domtrans interface + * Fix label of 
pseudoterminals created from sudodomain + * Allow utempter_t use ptmx + * Dontaudit rpmdb attempts to connect to sssd over a unix stream socket + * Allow admin user read/write on fixed_disk_device_t + * Only allow confined user domains to login locally without unconfined_login + * Add userdom_spec_domtrans_confined_admin_users interface + * Only allow admindomain to execute shell via ssh with ssh_sysadm_login + * Add userdom_spec_domtrans_admin_users interface + * Move ssh dyntrans to unconfined inside unconfined_login tunable policy + * Update ssh_role_template() for user ssh-agent type + * Allow init to inherit system DBus file descriptors + * Allow init to inherit fds from syslogd + * Allow any domain to inherit fds from rpm-ostree + * Update afterburn policy + * Allow init_t nnp domain transition to abrtd_t + * Rename all /var/lock file context entries to /run/lock + * Rename all /var/run file context entries to /run +- Add script varrun-convert.sh for locally existing modules + to be able to cope with the /var/run -> /run change +- Update embedded container-selinux to commit + a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e + +------------------------------------------------------------------- Old: ---- selinux-policy-20240321.tar.xz New: ---- selinux-policy-20240411.tar.xz varrun-convert.sh ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.BkNF2X/_old 2024-06-06 12:31:00.072934981 +0200 +++ /var/tmp/diff_new_pack.BkNF2X/_new 2024-06-06 12:31:00.076935127 +0200 @@ -33,7 +33,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20240321 +Version: 20240411 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc 
@@ -61,6 +61,9 @@ Source31: setrans-mls.conf Source32: setrans-minimum.conf +# Script to convert /var/run file context entries to /run +Source37: varrun-convert.sh + Source40: securetty_types-targeted Source41: securetty_types-mls Source42: securetty_types-minimum @@ -80,20 +83,26 @@ URL: https://github.com/fedora-selinux/selinux-policy.git BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch +%if 0%{?suse_version} < 1600 +%define python_for_executables python311 +BuildRequires: %{python_for_executables} +BuildRequires: %{python_for_executables}-policycoreutils +%else +BuildRequires: %primary_python +BuildRequires: %{python_module policycoreutils} +%endif BuildRequires: checkpolicy BuildRequires: gawk BuildRequires: libxml2-tools BuildRequires: m4 BuildRequires: policycoreutils BuildRequires: policycoreutils-devel -BuildRequires: python3 -BuildRequires: python3-policycoreutils # we need selinuxenabled Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): pam-config -Requires(post): pam-config -Requires(post): selinux-tools -Requires(post): /usr/bin/sha512sum +Requires(posttrans): pam-config +Requires(posttrans): selinux-tools +Requires(posttrans): /usr/bin/sha512sum Recommends: audit Recommends: selinux-tools # for audit2allow @@ -212,6 +221,7 @@ %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ +%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \ %nil @@ -248,6 +258,7 @@ %define postInstall() \ . %{_sysconfdir}/selinux/config; \ +%{_libexecdir}/selinux/varrun-convert.sh %2; \ if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \ rm %{_sysconfdir}/selinux/%2/.rebuild; \ /usr/sbin/semodule -B -n -s %2; \ 
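Review bot: In the postInstall hunk, `%{_libexecdir}/selinux/varrun-convert.sh %2; \` runs before the .rebuild check with no error handling, and the script itself exits with status 0 on every error path and only logs when DEBUG=yes, so a failed conversion (missing file_contexts, or `semodule -i` rejecting the generated CIL) is invisible to the scriptlet and to the user. Either append `|| echo "varrun-convert.sh failed for %2" >&2` in the macro or make the script return non-zero so the failure surfaces in the rpm transaction output. The new `%ghost .../modules/400/extra_varrun` entry matches the module name `semodule -i extra_varrun.cil` will create at the default priority, so that part is consistent.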
@@ -292,9 +303,8 @@ done; %description -SELinux Reference Policy. A complete SELinux policy that can be used -as the system policy for a variety of systems and used as the basis for -creating other policies. +A complete SELinux policy that can be used as the system policy for a variety +of systems and used as the basis for creating other policies. %files %defattr(-,root,root,-) @@ -305,6 +315,7 @@ %ghost %config(noreplace) %{_sysconfdir}/selinux/config %{_tmpfilesdir}/selinux-policy.conf %{_rpmconfigdir}/macros.d/macros.selinux-policy +%{_libexecdir}/selinux/varrun-convert.sh %package sandbox Summary: SELinux policy sandbox @@ -372,6 +383,9 @@ cp $i selinux_config done +mkdir -p %{buildroot}%{_libexecdir}/selinux +install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux + make clean %if %{BUILD_TARGETED} %makeCmds targeted mcs allow @@ -527,12 +541,12 @@ Requires: selinux-policy = %{version}-%{release} %description targeted -SELinux Reference policy targeted base module. +SELinux policy targeted base module. %pre targeted %preInstall targeted -%post targeted +%posttrans targeted %postInstall $1 targeted exit 0 @@ -562,7 +576,7 @@ Requires: selinux-policy = %{version}-%{release} %description minimum -SELinux Reference policy minimum base module. +SELinux policy minimum base module. %pre minimum %preInstall minimum @@ -623,12 +637,12 @@ Requires: selinux-policy = %{version}-%{release} %description mls -SELinux Reference policy mls base module. +SELinux policy mls base module. %pre mls %preInstall mls -%post mls +%posttrans mls %postInstall $1 mls %postun mls ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.BkNF2X/_old 2024-06-06 12:31:00.144937610 +0200 +++ /var/tmp/diff_new_pack.BkNF2X/_new 2024-06-06 12:31:00.148937757 +0200 
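Review bot: In the selinux-policy.spec hunks above, the %post to %posttrans move covers `targeted` and `mls` only; the `minimum` hunk (@@ -562,7) changes just the description, so if `%post minimum` also calls `%postInstall $1 minimum` it still runs before the new policy files are installed, which is the bsc#1221720 ordering problem the changelog says this fixes. Either convert it as well or note why minimum is exempt.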
@@ -1,10 +1,12 @@ <servicedata> <service name="tar_scm"> <param name="url">https://gitlab.suse.de/selinux/selinux-policy.git</param> - <param name="changesrevision">98a8f37af8bfa88f85287f21a38c10abb925c7f3</param></service><service name="tar_scm"> + <param name="changesrevision">7eb64de2191880e9d2207fa60c9605268d6fc8ce</param></service><service name="tar_scm"> <param name="url">https://github.com/containers/container-selinux.git</param> <param name="changesrevision">07b3034f6d9625ab84508a2f46515d8ff79b4204</param></service><service name="tar_scm"> <param name="url">https://gitlab.suse.de/jsegitz/selinux-policy.git</param> - <param name="changesrevision">3e2ff590e3c22e0782b38b938a367440431bae13</param></service></servicedata> + <param name="changesrevision">3e2ff590e3c22e0782b38b938a367440431bae13</param></service><service name="tar_scm"> + <param name="url">https://gitlab.suse.de/cahu/selinux-policy.git</param> + <param name="changesrevision">dd1ff3c6a1e2c1f22ddd13039191ea458d7fcc8d</param></service></servicedata> (No newline at EOF) ++++++ container.fc ++++++ --- /var/tmp/diff_new_pack.BkNF2X/_old 2024-06-06 12:31:00.228940678 +0200 +++ /var/tmp/diff_new_pack.BkNF2X/_new 2024-06-06 12:31:00.232940825 +0200 
@@ -9,14 +9,19 @@ /usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) /usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) /usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) -/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) +/usr/local/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) +/usr/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) +/usr/local/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) +/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) -/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/buildah -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) -/usr/local/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/local/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) -/usr/s?bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) -/usr/s?bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/lxc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/lxd -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/fuidshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0) 
@@ -117,7 +122,7 @@ /var/cache/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) -/var/run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0) +/run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0) /var/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0) /opt/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0) @@ -126,6 +131,7 @@ /var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +/var/lib/kubelet/pod-resources/kubelet.sock gen_context(system_u:object_r:container_file_t,s0) /var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0) 
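Review bot: In the container.fc @@ -126,6 hunk, `/var/lib/kubelet/pod-resources/kubelet.sock` is added without a type flag and with an unescaped dot, so it matches any object type and any character in that position. Make it `/var/lib/kubelet/pod-resources/kubelet\.sock -s gen_context(system_u:object_r:container_file_t,s0)` so only the socket is relabeled, consistent with the `/run/docker\.sock -s` entry later in this file.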
@@ -136,26 +142,25 @@ /var/lib/docker-latest/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) -/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) +/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) /var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) -/var/run/containers(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -/var/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -/var/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -/var/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -/var/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) -/var/run/buildkit(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -/var/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0) -/var/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0) -/var/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -/var/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0) +/run/containers(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) +/run/buildkit(/.*)? 
gen_context(system_u:object_r:container_var_run_t,s0) +/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0) +/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0) +/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0) /srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0) -/var/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0) +/run/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0) /var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0) ++++++ container.if ++++++ --- /var/tmp/diff_new_pack.BkNF2X/_old 2024-06-06 12:31:00.248941409 +0200 +++ /var/tmp/diff_new_pack.BkNF2X/_new 2024-06-06 12:31:00.252941555 +0200 @@ -573,7 +573,7 @@ filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers") filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers") filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm") - files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes") + files_etc_filetrans($1, kubernetes_file_t, dir, "kubernetes") ') ######################################## ++++++ container.te ++++++ --- /var/tmp/diff_new_pack.BkNF2X/_old 2024-06-06 12:31:00.284942724 +0200 +++ /var/tmp/diff_new_pack.BkNF2X/_new 2024-06-06 12:31:00.288942870 +0200 @@ -1,4 +1,4 @@ -policy_module(container, 2.219.0) +policy_module(container, 2.230.0) gen_require(` class passwd rootok; 
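Review bot: In the container.fc @@ -136,26 hunk, `-/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)` is removed with no replacement, so pod volume directories fall back to the `/var/lib/kubelet(/.*)?` container_var_lib_t rule above and containers writing into those volumes now need container_var_lib_t access instead of container_file_t. If this is intentional from the embedded container-selinux commit, it deserves a line in the changelog, since it changes labels on every kubelet host at the next relabel. In the container.if hunk, the "kubernetes" directory transition moves from files_pid_filetrans (/run) to files_etc_filetrans (/etc); check that a matching `/etc/kubernetes(/.*)?` kubernetes_file_t entry exists in container.fc so the transition and the file contexts agree.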
@@ -39,6 +39,13 @@ gen_tunable(container_use_devices, false) ## <desc> +## <p> +## Allow containers to use any dri device volume mounted into container +## </p> +## </desc> +gen_tunable(container_use_dri_devices, true) + +## <desc> ## <p> ## Allow sandbox containers to manage cgroup (systemd) ## </p> @@ -136,6 +143,7 @@ term_pty(container_devpts_t) typealias container_ro_file_t alias { container_share_t docker_share_t }; +typeattribute container_ro_file_t container_file_type, user_home_type; files_mountpoint(container_ro_file_t) userdom_user_home_content(container_ro_file_t) @@ -568,7 +576,6 @@ fs_manage_nfs_symlinks(container_runtime_domain) fs_remount_nfs(container_runtime_domain) fs_mount_nfs(container_runtime_domain) - fs_unmount_nfs(container_runtime_domain) fs_exec_nfs_files(container_runtime_domain) kernel_rw_fs_sysctls(container_runtime_domain) allow container_runtime_domain nfs_t:file execmod; 
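Review bot: In the @@ -39,6 hunk, `gen_tunable(container_use_dri_devices, true)` defaults to on, unlike `container_use_devices` (false) directly above it, and the later `tunable_policy(`container_use_dri_devices', dev_rw_dri(container_domain))` block grants every container domain read/write on DRI device nodes out of the box. A default-on boolean is a policy-wide widening; default it to false or call the new default out in the changelog.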
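Review bot: In the @@ -136,6 hunk, `typeattribute container_ro_file_t container_file_type, user_home_type;` puts read-only image content into container_file_type, so attribute-based rules added elsewhere in this diff (`allow spc_t container_file_type:file execmod;`, `allow container_engine_t filesystem_type:{dir file} mounton;` on the engine side) now cover container_ro_file_t as well; confirm execmod on read-only image files is wanted. In the @@ -568,7 hunk, `fs_unmount_nfs(container_runtime_domain)` is dropped while the mount interface stays, so unless a broader unmount rule exists outside this diff the runtime will start being denied unmount of NFS volumes.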
@@ -634,21 +641,16 @@ fs_manage_fusefs_files(container_runtime_domain) fs_manage_fusefs_symlinks(container_runtime_domain) fs_mount_fusefs(container_runtime_domain) -fs_unmount_fusefs(container_runtime_domain) fs_exec_fusefs_files(container_runtime_domain) storage_rw_fuse(container_runtime_domain) -optional_policy(` - files_search_all(container_domain) - container_read_share_files(container_domain) - container_exec_share_files(container_domain) - allow container_domain container_ro_file_t:file execmod; - container_lib_filetrans(container_domain,container_file_t, sock_file) - container_use_ptys(container_domain) - container_spc_stream_connect(container_domain) - fs_dontaudit_remount_tmpfs(container_domain) - dev_dontaudit_mounton_sysfs(container_domain) -') +files_search_all(container_domain) +container_read_share_files(container_domain) +container_exec_share_files(container_domain) +allow container_domain container_ro_file_t:file execmod; +container_lib_filetrans(container_domain,container_file_t, sock_file) +container_use_ptys(container_domain) +container_spc_stream_connect(container_domain) optional_policy(` apache_exec_modules(container_runtime_domain) @@ -746,7 +748,7 @@ # # spc local policy # -allow spc_t { container_file_t container_var_lib_t container_ro_file_t }:file entrypoint; +allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint; role system_r types spc_t; domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t) @@ -755,6 +757,7 @@ fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file }) allow container_runtime_domain spc_t:process2 { nnp_transition nosuid_transition }; +allow spc_t container_file_type:file execmod; admin_pattern(spc_t, kubernetes_file_t) @@ -776,6 +779,10 @@ systemd_dbus_chat_logind(spc_t) ') +domain_transition_all(spc_t) + +anaconda_domtrans_install(spc_t) + optional_policy(` dbus_chat_system_bus(spc_t) dbus_chat_session_bus(spc_t) 
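Review bot: In the @@ -776,6 hunk, `domain_transition_all(spc_t)` and `anaconda_domtrans_install(spc_t)` are added unconditionally, so the privileged-container domain can now transition into any domain on exec; that fits spc_t's role but is not mentioned in the changelog. The same line range also drops `fs_unmount_fusefs(container_runtime_domain)` (the mount side is kept, same concern as for NFS above) and unwraps the container_domain rules from `optional_policy`, which silently loses `fs_dontaudit_remount_tmpfs(container_domain)` and `dev_dontaudit_mounton_sysfs(container_domain)` from this block; the latter is re-added with duplicates in a later hunk.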
@@ -878,7 +885,7 @@ typeattribute container_file_t container_file_type, user_home_type; typeattribute container_t container_domain, container_net_domain, container_user_domain; allow container_user_domain self:process getattr; -allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint; +allow container_domain { container_var_lib_t container_ro_file_t container_file_t container_runtime_tmpfs_t}:file entrypoint; allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms; allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map }; allow container_domain container_runtime_t:unix_dgram_socket sendto; @@ -897,6 +904,7 @@ allow container_domain self:file rw_file_perms; allow container_domain self:lnk_file read_file_perms; allow container_domain self:fifo_file create_fifo_file_perms; +allow container_domain self:fifo_file watch; allow container_domain self:filesystem associate; allow container_domain self:key manage_key_perms; allow container_domain self:netlink_route_socket r_netlink_socket_perms; 
@@ -916,28 +924,33 @@ allow container_domain self:unix_stream_socket create_stream_socket_perms; dontaudit container_domain self:capability2 block_suspend ; allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms }; -fs_rw_onload_sockets(container_domain) -fs_fusefs_entrypoint(container_domain) fs_fusefs_entrypoint(spc_t) container_read_share_files(container_domain) container_exec_share_files(container_domain) container_use_ptys(container_domain) container_spc_stream_connect(container_domain) -fs_dontaudit_remount_tmpfs(container_domain) + +dev_dontaudit_mounton_sysfs(container_domain) dev_dontaudit_mounton_sysfs(container_domain) dev_dontaudit_mounton_sysfs(container_domain) -fs_mount_tmpfs(container_domain) - -dontaudit container_domain container_runtime_tmpfs_t:dir read; -allow container_domain container_runtime_tmpfs_t:dir mounton; - dev_getattr_mtrr_dev(container_domain) dev_list_sysfs(container_domain) -allow container_domain sysfs_t:dir watch; - +dev_mounton_sysfs(container_t) +dev_read_mtrr(container_domain) +dev_read_rand(container_domain) +dev_read_sysfs(container_domain) +dev_read_urand(container_domain) +dev_rw_inherited_dri(container_domain) dev_rw_kvm(container_domain) dev_rwx_zero(container_domain) +dev_write_rand(container_domain) +dev_write_urand(container_domain) +allow container_domain sysfs_t:dir watch; + +dontaudit container_domain container_runtime_tmpfs_t:dir read; +allow container_domain container_runtime_tmpfs_t:dir mounton; +can_exec(container_domain, container_runtime_tmpfs_t) allow container_domain self:key manage_key_perms; dontaudit container_domain container_domain:key search; 
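Review bot: In the @@ -916,28 hunk, `dev_dontaudit_mounton_sysfs(container_domain)` now appears three times in a row (one added line plus two existing context lines), and `dev_mounton_sysfs(container_t)` is placed in the middle of a sorted list of container_domain rules; drop the duplicates and keep the container_t-scoped line apart so the narrower scope stays visible. `can_exec(container_domain, container_runtime_tmpfs_t)` together with the `container_runtime_tmpfs_t:file entrypoint` additions in the @@ -746 and @@ -878 hunks makes the runtime's tmpfs both an executable source and an entrypoint for every container domain, which is worth a sentence of justification in the commit.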
@@ -953,7 +966,7 @@ allow container_domain self:passwd rootok; allow container_domain self:filesystem associate; allow container_domain self:netlink_kobject_uevent_socket create_socket_perms; -allow container_domain container_runtime_domain:socket_class_set { accept ioctl read getattr lock write append getopt setopt }; +allow container_domain container_runtime_domain:socket_class_set { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; kernel_getattr_proc(container_domain) kernel_list_all_proc(container_domain) 
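Review bot: In the @@ -953,7 hunk, the permission set on `container_domain container_runtime_domain:socket_class_set` grows from the read/write subset to include `map recv_msg send_msg sendto shutdown`; socket_class_set covers every socket class, including the runtime's netlink sockets, so if the intent is only to work on inherited runtime file descriptors this should be scoped to `unix_stream_socket` / `unix_dgram_socket` rather than the whole set.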
@@ -970,16 +983,42 @@ kernel_read_irq_sysctls(container_domain) kernel_get_sysvipc_info(container_domain) +fs_dontaudit_getattr_all_dirs(container_domain) +fs_dontaudit_getattr_all_files(container_domain) +fs_dontaudit_remount_tmpfs(container_domain) +fs_dontaudit_remount_tmpfs(container_domain) +fs_exec_fusefs_files(container_domain) +fs_exec_hugetlbfs_files(container_domain) +fs_fusefs_entrypoint(container_domain) fs_getattr_all_fs(container_domain) -fs_rw_inherited_tmpfs_files(container_domain) -fs_read_tmpfs_symlinks(container_domain) -fs_search_tmpfs(container_domain) +fs_list_cgroup_dirs(container_domain) fs_list_hugetlbfs(container_domain) +fs_manage_bpf_files(container_domain) +fs_manage_fusefs_dirs(container_domain) +fs_manage_fusefs_files(container_domain) +fs_manage_fusefs_named_pipes(container_domain) +fs_manage_fusefs_named_sockets(container_domain) +fs_manage_fusefs_symlinks(container_domain) fs_manage_hugetlbfs_files(container_domain) -fs_exec_hugetlbfs_files(container_domain) -fs_dontaudit_getattr_all_dirs(container_domain) -fs_dontaudit_getattr_all_files(container_domain) +fs_mount_fusefs(container_domain) +fs_unmount_fusefs(container_domain) +fs_mount_tmpfs(container_domain) +fs_unmount_tmpfs(container_domain) +fs_mount_xattr_fs(container_domain) +fs_unmount_xattr_fs(container_domain) +fs_mounton_cgroup(container_domain) +fs_mounton_fusefs(container_domain) +fs_read_cgroup_files(container_domain) fs_read_nsfs_files(container_domain) +fs_read_tmpfs_symlinks(container_domain) +fs_remount_xattr_fs(container_domain) +fs_rw_inherited_tmpfs_files(container_domain) +fs_rw_onload_sockets(container_domain) +fs_search_tmpfs(container_domain) +fs_unmount_cgroup(container_domain) +fs_unmount_fusefs(container_domain) +fs_unmount_nsfs(container_domain) +fs_unmount_xattr_fs(container_domain) term_use_all_inherited_terms(container_domain) 
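Review bot: In the @@ -970,16 hunk, the consolidated fs_* list contains duplicates that should go: `fs_dontaudit_remount_tmpfs(container_domain)` twice, `fs_unmount_fusefs(container_domain)` twice and `fs_unmount_xattr_fs(container_domain)` twice. More importantly, this is not a pure move: the removals in the following hunk show `fs_mounton_cgroup(container_t)` and `fs_unmount_cgroup(container_t)` were scoped to container_t, and they come back here as `fs_mounton_cgroup(container_domain)` / `fs_unmount_cgroup(container_domain)`, while `fs_manage_bpf_files(container_domain)` and `fs_unmount_nsfs(container_domain)` have no counterpart among the removed lines at all. Those widenings deserve their own changelog entry.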
@@ -1003,18 +1042,6 @@ type cgroup_t; ') -dev_read_sysfs(container_domain) -dev_read_mtrr(container_domain) -dev_mounton_sysfs(container_t) - -fs_mounton_cgroup(container_t) -fs_unmount_cgroup(container_t) - -dev_read_rand(container_domain) -dev_write_rand(container_domain) -dev_read_urand(container_domain) -dev_write_urand(container_domain) - files_read_kernel_modules(container_domain) allow container_file_t cgroup_t:filesystem associate; @@ -1069,9 +1096,6 @@ ') dontaudit container_domain usermodehelper_t:file write; -fs_read_cgroup_files(container_domain) -fs_list_cgroup_dirs(container_domain) - sysnet_read_config(container_domain) allow container_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; @@ -1099,20 +1123,6 @@ fs_manage_cgroup_files(container_domain) ') -fs_manage_fusefs_named_sockets(container_domain) -fs_manage_fusefs_named_pipes(container_domain) -fs_manage_fusefs_dirs(container_domain) -fs_manage_fusefs_files(container_domain) -fs_manage_fusefs_symlinks(container_domain) -fs_manage_fusefs_named_sockets(container_domain) -fs_manage_fusefs_named_pipes(container_domain) -fs_exec_fusefs_files(container_domain) -fs_mount_xattr_fs(container_domain) -fs_unmount_xattr_fs(container_domain) -fs_remount_xattr_fs(container_domain) -fs_mount_fusefs(container_domain) -fs_unmount_fusefs(container_domain) -fs_mounton_fusefs(container_domain) storage_rw_fuse(container_domain) allow container_domain fusefs_t:file { mounton execmod }; allow container_domain fusefs_t:filesystem remount; @@ -1187,6 +1197,7 @@ dev_mounton_sysfs(container_userns_t) fs_mount_tmpfs(container_userns_t) +fs_unmount_tmpfs(container_userns_t) fs_relabelfrom_tmpfs(container_userns_t) fs_remount_cgroup(container_userns_t) 
@@ -1383,6 +1394,10 @@ allow container_domain device_node:blk_file {rw_blk_file_perms map}; ') +tunable_policy(`container_use_dri_devices',` + dev_rw_dri(container_domain) +') + tunable_policy(`virt_sandbox_use_sys_admin',` allow container_init_t self:capability sys_admin; allow container_init_t self:cap_userns sys_admin; @@ -1399,19 +1414,24 @@ fs_unmount_cgroup(container_engine_t) fs_manage_cgroup_dirs(container_engine_t) fs_manage_cgroup_files(container_engine_t) -fs_mount_tmpfs(container_engine_t) fs_write_cgroup_files(container_engine_t) - -allow container_engine_t proc_t:file mounton; -allow container_engine_t sysctl_t:file mounton; -allow container_engine_t sysfs_t:filesystem remount; - +fs_remount_cgroup(container_engine_t) +fs_mount_all_fs(container_engine_t) +fs_remount_all_fs(container_engine_t) +fs_unmount_all_fs(container_engine_t) +kernel_mounton_all_sysctls(container_engine_t) kernel_mount_proc(container_engine_t) -kernel_mounton_core_if(container_engine_t) kernel_mounton_proc(container_engine_t) +kernel_mounton_core_if(container_engine_t) kernel_mounton_systemd_ProtectKernelTunables(container_engine_t) - term_mount_pty_fs(container_engine_t) +term_use_generic_ptys(container_engine_t) + +allow container_engine_t container_file_t:chr_file mounton; +allow container_engine_t filesystem_type:{dir file} mounton; +allow container_engine_t proc_kcore_t:file mounton; +allow container_engine_t proc_t:filesystem remount; +allow container_engine_t sysctl_t:{dir file} mounton; type kubelet_t, container_runtime_domain; domain_type(kubelet_t) @@ -1516,6 +1536,9 @@ role container_user_r types container_net_domain; role container_user_r types container_file_type; container_runtime_run(container_user_t, container_user_r) +unconfined_role_change_to(container_user_r) + +container_use_ptys(container_user_t) fs_manage_cgroup_dirs(container_user_t) fs_manage_cgroup_files(container_user_t) 
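Review bot: In the @@ -1399,19 hunk, container_engine_t trades three specific rules (`proc_t:file mounton`, `sysctl_t:file mounton`, `sysfs_t:filesystem remount`) for `fs_mount_all_fs`, `fs_remount_all_fs`, `fs_unmount_all_fs` and `allow container_engine_t filesystem_type:{dir file} mounton;`, which amounts to unrestricted mount handling for the engine domain; the narrower `proc_kcore_t:file mounton` and `sysctl_t:{dir file} mounton` lines added in the same hunk are then redundant with the attribute rule. If the all-fs interfaces are really needed, say why in the commit and drop the now-redundant specific lines. In the @@ -1516,6 hunk, `unconfined_role_change_to(container_user_r)` lets unconfined roles switch to container_user_r, which is unrelated to the pty fix next to it and should be a separate commit.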
@@ -1524,6 +1547,12 @@ systemd_dbus_chat_hostnamed(container_user_t) systemd_start_systemd_services(container_user_t) +allow container_runtime_t container_user_t:process transition; +allow container_runtime_t container_user_t:process2 nnp_transition; +allow container_user_t container_runtime_t:fifo_file rw_fifo_file_perms; + +allow container_user_t container_file_t:chr_file manage_chr_file_perms; +allow container_user_t container_file_t:file entrypoint; allow container_domain container_file_t:file entrypoint; allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read }; @@ -1534,3 +1563,8 @@ allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; allow svirt_sandbox_domain mountpoint:file entrypoint; +tunable_policy(`deny_ptrace',`',` + allow container_domain self:process ptrace; + allow spc_t self:process ptrace; +') + ++++++ file_contexts.subs_dist ++++++ --- /var/tmp/diff_new_pack.BkNF2X/_old 2024-06-06 12:31:00.328944331 +0200 +++ /var/tmp/diff_new_pack.BkNF2X/_new 2024-06-06 12:31:00.332944477 +0200 @@ -1,5 +1,5 @@ -/run /var/run -/run/lock /var/lock +/var/run /run +/var/lock /run/lock /var/run/lock /var/lock /lib /usr/lib /lib64 /usr/lib 
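Review bot: In the @@ -1534,3 hunk, `tunable_policy(`deny_ptrace`,`',` allow container_domain self:process ptrace; allow spc_t self:process ptrace; ')` uses an empty true branch, so the ptrace allow applies whenever the deny_ptrace boolean is off; write it as the positive form with the allow in the else branch and a comment, or readers will assume the rule is gated on the boolean being set. The @@ -1524,6 hunk's `allow container_runtime_t container_user_t:process transition;` plus `process2 nnp_transition` looks like the intended fix for the user domain, but it leaves `container_user_t container_file_t:chr_file manage_chr_file_perms` unexplained; the changelog only mentions the container-selinux commit hash.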
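Review bot: In the file_contexts.subs_dist @@ -1,5 hunk, the rewritten lines now map `/var/run` to `/run` and `/var/lock` to `/run/lock`, but the unchanged `/var/run/lock /var/lock` line still points at `/var/lock`. libselinux applies a single prefix substitution per lookup (the first matching entry wins and the result is not substituted again), so a lookup under `/var/run/lock/` either never reaches this line or ends at `/var/lock/...`, for which this update removes the file context entries (`/var/lock/lxc` becomes `/run/lock/lxc` in container.fc). Change it to `/var/run/lock /run/lock` or drop it.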
@@ -10,6 +10,8 @@ /etc/systemd/system /usr/lib/systemd/system /run/systemd/system /usr/lib/systemd/system /run/systemd/generator /usr/lib/systemd/system +/run/systemd/generator.early /usr/lib/systemd/system +/run/systemd/generator.late /usr/lib/systemd/system /var/lib/xguest/home /home /var/run/netconfig /etc /var/adm/netconfig/md5/etc /etc
++++++ selinux-policy-20240321.tar.xz -> selinux-policy-20240411.tar.xz ++++++
++++ 5562 lines of diff (skipped)

++++++ varrun-convert.sh ++++++
#!/bin/bash
### varrun-convert.sh
### convert legacy filecontext entries containing /var/run to /run
### and load an extra selinux module with the new content
### the script takes a policy name as an argument

# Set DEBUG=yes before running the script to get more verbose output
# on the terminal and to the $LOG file
if [ "${DEBUG}" = "yes" ]; then
  set -x
fi

# Auxiliary and log files will be created in OUTPUTDIR
OUTPUTDIR="/run/selinux-policy"
LOG="$OUTPUTDIR/log"
mkdir -p ${OUTPUTDIR}

if [ -z ${1} ]; then
  [ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
  exit
fi

SEMODULEOPT="-s ${1}"
[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"

# Take current file_contexts and unify whitespace separators
FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"

if [ ! -f ${FILE_CONTEXTS} ]; then
  [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
  exit
fi

if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
  [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
  exit 0
fi

EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
EXTRA_VARRUN_ENTRIES_WITHDUP_TMP="$OUTPUTDIR/extra_varrun_entries_dup.tmp"
EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"

# Print only /var/run entries
grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
# Unify whitespace separators
sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}

rm -f $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
touch $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP

# Deduplicate already existing /var/run=/run entries
while read line
do
  subline="${line#/var}"
  if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
    # check for overal duplicate entries
    subline2=$(echo $line | sed -E -e 's/ \S+$//')
    if ! grep -q "^${subline2}" ${EXTRA_VARRUN_ENTRIES_WITHDUP_TMP}; then
      echo "$line"
      echo "$line" >> $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
    else
      >&2 echo "DUP: $line"
    fi
  fi
done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}

# Change /var/run to /run
sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}

# Exception handling: packages with already duplicate entries
sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}

# Change format to cil
sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
# Handle entries with <<none>> which do not match previous regexps
sed -i s'/ <<none>>$/ ())/' ${EXTRA_VARRUN_ENTRIES}

# Wrap each line with an optional block
i=1
while read line
do
  echo "(optional extra_var_run_${i}"
  echo " $line"
  echo ")"
  ((i++))
done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}

# Load module
[ -s ${EXTRA_VARRUN_CIL} ] && /usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
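Review bot: In varrun-convert.sh, the context rewrite `sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/'` copies the whole MLS field verbatim into each CIL level, which is only valid for a bare sensitivity such as `s0`. An entry carrying categories or a range (`s15:c0.c1023`, `s0-s15:c0.c1023`) becomes `((s15:c0.c1023) (s15:c0.c1023))`, which is not a CIL level and will make `semodule -i` fail, and the spec runs this script from `%posttrans mls` too. Three smaller points: the dedup loop uses the raw file_contexts regex as an unescaped grep pattern (`grep -q "^${subline}"`), so `(/.*)?` and `\.` are interpreted rather than matched literally; every error path is a bare `exit` (status 0) with logging only under DEBUG=yes, so failures are silent in the scriptlet; and the early `exit 0` when no /var/run entries remain never removes a previously installed extra_varrun module, so stale filecon rules stay loaded after the local modules that caused them are fixed.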
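As an added example, not the package's varrun-convert.sh and not code from the selinux-policy project, here is the same file_contexts-to-CIL conversion written in Python so that the parsing is explicit instead of a chain of sed expressions. It goes beyond the script in one respect: it handles MLS levels that carry categories or a range (`s15:c0.c1023`, `s0-s15:c0.c1023`), which the sed version copies verbatim. The entries, type names and paths in SAMPLE are constructed for the example; the dedup keys on (path, type flag) rather than on the whole line, since that is the pair a conflicting filecon would share.

```python
"""Rewrite /var/run file_contexts entries as CIL filecon rules under /run.

Added example, not the package's own varrun-convert.sh. Edge cases made
explicit: the optional type flag, <<none>> entries, entries whose /run
twin already exists, and MLS levels with categories (unsupported by the
sed-based script). All sample entries below are constructed.
"""
import re

# file_contexts type flag -> CIL filecon file type (None: no flag given)
FLAG_TO_CIL = {None: "any", "--": "file", "-b": "block", "-c": "char",
               "-d": "dir", "-l": "symlink", "-p": "pipe", "-s": "socket"}

# path, optional flag, context; whitespace between fields may be tabs or spaces
FC_LINE = re.compile(r"^(?P<path>\S+)\s+(?:(?P<flag>-[-bcdlps])\s+)?(?P<ctx>\S+)$")


def level_to_cil(level):
    """'s0' -> '(s0)'; 's15:c0.c1023' -> '(s15 (range c0 c1023))';
    's0:c1,c3' -> '(s0 (c1 c3))'. Mixed lists and ranges are rejected."""
    sens, _, cats = level.partition(":")
    if not cats:
        return "(%s)" % sens
    items = cats.split(",")
    if len(items) == 1 and "." in items[0]:
        low, _, high = items[0].partition(".")
        return "(%s (range %s %s))" % (sens, low, high)
    if any("." in c for c in items):
        raise ValueError("mixed category sets not supported: %r" % level)
    return "(%s (%s))" % (sens, " ".join(items))


def context_to_cil(ctx):
    """'system_u:object_r:foo_t:s0-s15:c0.c1023'
    -> '(system_u object_r foo_t ((s0) (s15 (range c0 c1023))))'."""
    if ctx == "<<none>>":
        return "()"
    # maxsplit=3 keeps the MLS field intact even when it contains ':'
    user, role, type_, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    return "(%s %s %s (%s %s))" % (user, role, type_,
                                   level_to_cil(low), level_to_cil(high or low))


def parse_fc_line(line):
    """Return (path, flag, ctx) for a file_contexts line, None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = FC_LINE.match(line)
    if not m:
        raise ValueError("unparseable file_contexts line: %r" % line)
    return m.group("path"), m.group("flag"), m.group("ctx")


def convert(fc_lines, old="/var/run", new="/run"):
    """Return CIL text with one optional block per converted entry, skipping
    entries whose `new` twin (same path regex and flag) is already present."""
    parsed = [p for p in map(parse_fc_line, fc_lines) if p]
    present = {(path, flag) for path, flag, _ in parsed}
    blocks = []
    for path, flag, ctx in parsed:
        if path != old and not path.startswith(old + "/"):
            continue
        new_path = new + path[len(old):]
        if (new_path, flag) in present:
            continue  # the policy already labels the /run path; keep its rule
        rule = '(filecon "%s" %s %s)' % (new_path, FLAG_TO_CIL[flag], context_to_cil(ctx))
        blocks.append("(optional extra_var_run_%d\n  %s\n)" % (len(blocks) + 1, rule))
    return "\n".join(blocks) + ("\n" if blocks else "")


# Constructed sample (hypothetical types): a directory tree without a flag, a
# pid file already mirrored under /run, a <<none>> socket and an MLS entry.
SAMPLE = [
    "/var/run/foo(/.*)?\tsystem_u:object_r:foo_var_run_t:s0",
    "/var/run/foo\\.pid\t--\tsystem_u:object_r:foo_var_run_t:s0",
    "/run/foo\\.pid\t--\tsystem_u:object_r:foo_var_run_t:s0",
    "/var/run/foo\\.sock\t-s\t<<none>>",
    "/var/run/utmp\t--\tsystem_u:object_r:initrc_var_run_t:s15:c0.c1023",
]

if __name__ == "__main__":
    print(convert(SAMPLE), end="")
```

Run stand-alone it prints three optional blocks; the pid entry is skipped because its /run twin is already present. The output is the same shape the script feeds to `semodule -i`, so it can be diffed against `/run/selinux-policy/extra_varrun.cil` on a converted host.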