From aa665df74fda7375c3256a8b1ab31b75fec07f03 Mon Sep 17 00:00:00 2001 
From: zcfsite Date: Tue, 26 Aug 2025 09:44:50 +0800 Subject: [PATCH] backport upstream bugfixs --- ...t-Add-additions-to-dnsmasq-interface.patch | 78 +++++++++++++++++++ ...-write-only-access-to-NetworkManager.patch | 49 ++++++++++++ ...th_t-connect-to-postgresql-using-UNI.patch | 37 +++++++++ ...t-write-access-to-NetworkManager_etc.patch | 32 ++++++++ ...ate-and-use-netlink-netfilter-socket.patch | 32 ++++++++ ...t-read-all-non-security-socket-files.patch | 73 +++++++++++++++++ ...ed_t-to-use-sys_ptrace-of-cap_userns.patch | 30 +++++++ ...t-create-and-use-netlink-kobject-uev.patch | 31 ++++++++ ...Allow-qatlib-read-write-vfio-devices.patch | 27 +++++++ ...t-Allow-some-domains-use-sd_notify_1.patch | 32 ++++++++ ...eep-send-a-message-to-syslog-over-a-.patch | 29 +++++++ ...he-sysadm-user-use-the-secretmem-API.patch | 31 ++++++++ ...bel-etc-redis.conf-with-redis_conf_t.patch | 20 +++++ backport-Update-kernel_secretmem_use.patch | 54 +++++++++++++ selinux-policy.spec | 19 ++++- 15 files changed, 573 insertions(+), 1 deletion(-) create mode 100644 backport-Add-additions-to-dnsmasq-interface.patch create mode 100644 backport-Add-interface-for-write-only-access-to-NetworkManager.patch create mode 100644 backport-Allow-dovecot_auth_t-connect-to-postgresql-using-UNI.patch create mode 100644 backport-Allow-hypervkvp_t-write-access-to-NetworkManager_etc.patch create mode 100644 backport-Allow-init-create-and-use-netlink-netfilter-socket.patch create mode 100644 backport-Allow-init-read-all-non-security-socket-files.patch create mode 100644 backport-Allow-keepalived_t-to-use-sys_ptrace-of-cap_userns.patch create mode 100644 backport-Allow-nvme_stas_t-create-and-use-netlink-kobject-uev.patch create mode 100644 backport-Allow-qatlib-read-write-vfio-devices.patch create mode 100644 backport-Allow-some-domains-use-sd_notify_1.patch create mode 100644 backport-Allow-systemd-sleep-send-a-message-to-syslog-over-a-.patch create mode 100644 
backport-Allow-the-sysadm-user-use-the-secretmem-API.patch create mode 100644 backport-Label-etc-redis.conf-with-redis_conf_t.patch create mode 100644 backport-Update-kernel_secretmem_use.patch diff --git a/backport-Add-additions-to-dnsmasq-interface.patch b/backport-Add-additions-to-dnsmasq-interface.patch new file mode 100644 index 0000000..61c6764 --- /dev/null +++ b/backport-Add-additions-to-dnsmasq-interface.patch 
@@ -0,0 +1,78 @@ +From 591191b91f59e6f0cdd0283b4b11b3038fb8ca7e Mon Sep 17 00:00:00 2001 +From: georou +Date: Fri, 8 Sep 2023 13:21:25 +1000 +Subject: [PATCH] Add additions to dnsmasq interface + +Allow reading the dnsmasq.d directory that stores additional config files. +Add a new manage_config interface for dnsmasq config files and directory +Misc comment clean up of dnsmasq.if + +Signed-off-by: georou +--- + policy/modules/contrib/dnsmasq.if | 32 ++++++++++++++++++++++++++++--- + 1 file changed, 29 insertions(+), 3 deletions(-) + +diff --git a/policy/modules/contrib/dnsmasq.if b/policy/modules/contrib/dnsmasq.if +index a79982cd6e..8dc7e65e54 100644 +--- a/policy/modules/contrib/dnsmasq.if ++++ b/policy/modules/contrib/dnsmasq.if +@@ -177,7 +177,8 @@ interface(`dnsmasq_kill',` + + ######################################## + ## +-## Read dnsmasq config files. ++## Allow the specified domain to read ++## dnsmasq configuration files. + ## + ## + ## +@@ -190,13 +191,37 @@ interface(`dnsmasq_read_config',` + type dnsmasq_etc_t; + ') + ++ files_search_etc($1) ++ allow $1 dnsmasq_etc_t:dir list_dir_perms; + read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to manage ++## dnsmasq configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dnsmasq_manage_config',` ++ gen_require(` ++ type dnsmasq_etc_t; ++ ') ++ + files_search_etc($1) ++ allow $1 dnsmasq_etc_t:dir manage_dir_perms; ++ allow $1 dnsmasq_etc_t:file manage_file_perms; ++ allow $1 dnsmasq_etc_t:lnk_file read_lnk_file_perms; + ') + + ######################################## + ## +-## Write dnsmasq config files. ++## Allow the specified domain to write ++## dnsmasq configuration files. 
+ ## + ## + ## +@@ -209,8 +234,9 @@ interface(`dnsmasq_write_config',` + type dnsmasq_etc_t; + ') + +- write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) + files_search_etc($1) ++ allow $1 dnsmasq_etc_t:dir list_dir_perms; ++ write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t) + ') + + ######################################## diff --git a/backport-Add-interface-for-write-only-access-to-NetworkManager.patch b/backport-Add-interface-for-write-only-access-to-NetworkManager.patch new file mode 100644 index 0000000..1415e31 --- /dev/null +++ b/backport-Add-interface-for-write-only-access-to-NetworkManager.patch 
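Review bot: `dnsmasq_read_config` (second hunk of the embedded dnsmasq.if diff) gains `list_dir_perms` but still has no lnk_file rule, while the new `dnsmasq_manage_config` directly below it grants `lnk_file read_lnk_file_perms`, so a reading domain cannot follow a symlinked config that a managing domain is allowed to create; add `read_lnk_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)` after the `read_files_pattern` line, and likewise in `dnsmasq_write_config`. `dnsmasq_manage_config` has no caller anywhere in this series, so it is dead policy until some .te file uses it; if it is only carried to keep the file in sync with upstream, say so in the spec changelog. Its summary should also spell out that `manage_file_perms` covers rename and unlink, since "manage" reads as create/write to many reviewers.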
@@ -0,0 +1,49 @@ +From e1b6447c4b3490149e1f7b57841102eac89fa986 Mon Sep 17 00:00:00 2001 +From: Juraj Marcin +Date: Tue, 19 Dec 2023 14:30:36 +0100 +Subject: [PATCH] Add interface for write-only access to NetworkManager rw conf + +Some applications (for example hypervkvp) need to load a new +NetworkManager configuration file. This is only possible from paths +where NetworkManager expects the configurations to reside. + +This patch adds a new interface which allows write only access to +NetworkManager_etc_rw_t to selected type. + +Resolves: RHEL-14505 +--- + policy/modules/contrib/networkmanager.if | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/policy/modules/contrib/networkmanager.if b/policy/modules/contrib/networkmanager.if +index 45fb5520ce..6c668c2880 100644 +--- a/policy/modules/contrib/networkmanager.if ++++ b/policy/modules/contrib/networkmanager.if +@@ -279,6 +279,27 @@ interface(`networkmanager_read_lib_files',` + allow $1 NetworkManager_var_lib_t:file map; + ') + ++####################################### ++## ++## Write NetworkManager rw conf files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_write_rw_conf',` ++ gen_require(` ++ type NetworkManager_etc_t; ++ type NetworkManager_etc_rw_t; ++ ') ++ ++ allow $1 NetworkManager_etc_t:dir list_dir_perms; ++ create_files_pattern($1, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) ++ write_files_pattern($1, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) ++') ++ + ####################################### + ## + ## Read NetworkManager conf files. diff --git a/backport-Allow-dovecot_auth_t-connect-to-postgresql-using-UNI.patch b/backport-Allow-dovecot_auth_t-connect-to-postgresql-using-UNI.patch new file mode 100644 index 0000000..1233906 --- /dev/null +++ b/backport-Allow-dovecot_auth_t-connect-to-postgresql-using-UNI.patch 
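Review bot: `networkmanager_write_rw_conf` grants `list_dir_perms` on NetworkManager_etc_t and create/write on NetworkManager_etc_rw_t but never calls `files_search_etc($1)`, unlike the dnsmasq interfaces added in this same series, so a caller that does not already hold etc_t search on its own cannot reach /etc/NetworkManager through this interface alone. Add `files_search_etc($1)` before the `allow $1 NetworkManager_etc_t:dir list_dir_perms;` line so the interface is self-contained; the AVCs quoted in the hypervkvp patch show denials only on the NetworkManager types, which suggests hypervkvp_t happens to have etc_t search already, but the next caller may not. The summary `Write NetworkManager rw conf files.` also understates the grant: `create_files_pattern` adds add_name/write on the directory, so say "create and write" to match the stated purpose of dropping new connection files.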
@@ -0,0 +1,37 @@ +From db3a9e8c950194c27867791e88f605cc7448b104 Mon Sep 17 00:00:00 2001 +From: Juraj Marcin +Date: Wed, 13 Dec 2023 18:39:35 +0100 +Subject: [PATCH] Allow dovecot_auth_t connect to postgresql using UNIX socket + +Addreses following AVCs: + +type=AVC msg=audit(1700326791.924:28417): avc: denied { write } for pid=379029 comm="auth" name=".s.PGSQL.5432" dev="tmpfs" ino=21504 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=sock_file permissive=0 +type=SYSCALL msg=audit(1700326791.924:28417): arch=c000003e syscall=42 success=no exit=-13 a0=14 a1=5635d4b2bc20 a2=6e a3=7f06cf6a4c48 items=0 ppid=378824 pid=379029 auid=4294967295 uid=97 gid=97 euid=97 suid=97 fsuid=97 egid=97 sgid=97 fsgid=97 tty=(none) ses=4294967295 comm="auth" exe="/usr/libexec/dovecot/auth" subj=system_u:system_r:dovecot_auth_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID="unset" UID="dovecot" GID="dovecot" EUID="dovecot" SUID="dovecot" FSUID="dovecot" EGID="dovecot" SGID="dovecot" FSGID="dovecot" +type=PROCTITLE msg=audit(1700326791.924:28417): proctitle="dovecot/auth" +type=AVC msg=audit(1700326791.960:28418): avc: denied { write } for pid=379030 comm="auth" name=".s.PGSQL.5432" dev="tmpfs" ino=21504 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=sock_file permissive=0 +type=SYSCALL msg=audit(1700326791.960:28418): arch=c000003e syscall=42 success=no exit=-13 a0=d a1=56244e950630 a2=6e a3=7fe995ddbc48 items=0 ppid=378824 pid=379030 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auth" exe="/usr/libexec/dovecot/auth" subj=system_u:system_r:dovecot_auth_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root" +type=PROCTITLE msg=audit(1700326791.960:28418): proctitle=646F7665636F742F61757468002D77 +type=AVC 
msg=audit(1700326791.967:28419): avc: denied { write } for pid=379029 comm="auth" name=".s.PGSQL.5432" dev="tmpfs" ino=21504 scontext=system_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=sock_file permissive=0 +type=SYSCALL msg=audit(1700326791.967:28419): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=5635d4b38ae0 a2=6e a3=7f06cf6a4c48 items=0 ppid=378824 pid=379029 auid=4294967295 uid=97 gid=97 euid=97 suid=97 fsuid=97 egid=97 sgid=97 fsgid=97 tty=(none) ses=4294967295 comm="auth" exe="/usr/libexec/dovecot/auth" subj=system_u:system_r:dovecot_auth_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID="unset" UID="dovecot" GID="dovecot" EUID="dovecot" SUID="dovecot" FSUID="dovecot" EGID="dovecot" SGID="dovecot" FSGID="dovecot" +type=PROCTITLE msg=audit(1700326791.967:28419): proctitle="dovecot/auth" + +Resolves: RHEL-16850 +--- + policy/modules/contrib/dovecot.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te +index c7f2888352..e76e446c20 100644 +--- a/policy/modules/contrib/dovecot.te ++++ b/policy/modules/contrib/dovecot.te +@@ -328,6 +328,10 @@ optional_policy(` + systemd_private_tmp(dovecot_auth_tmp_t) + ') + ++optional_policy(` ++ postgresql_stream_connect(dovecot_auth_t) ++') ++ + ######################################## + # + # dovecot deliver local policy diff --git a/backport-Allow-hypervkvp_t-write-access-to-NetworkManager_etc.patch b/backport-Allow-hypervkvp_t-write-access-to-NetworkManager_etc.patch new file mode 100644 index 0000000..a692581 --- /dev/null +++ b/backport-Allow-hypervkvp_t-write-access-to-NetworkManager_etc.patch 
@@ -0,0 +1,32 @@ +From 48593ca48ec2df52a28d65cc3d87d95f393578fc Mon Sep 17 00:00:00 2001 +From: Juraj Marcin +Date: Tue, 19 Dec 2023 14:34:20 +0100 +Subject: [PATCH] Allow hypervkvp_t write access to NetworkManager_etc_rw_t + +Addresses following AVCs: + +type=AVC msg=audit(11/06/23 01:25:41.614:77) : avc: denied { search } for pid=1724 comm=cp name=system-connections dev="sda4" ino=17122767 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:NetworkManager_etc_rw_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(11/06/23 01:25:41.614:77) : avc: denied { search } for pid=1724 comm=cp name=NetworkManager dev="sda4" ino=17122764 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(11/06/23 01:25:41.615:78) : avc: denied { write open } for pid=1724 comm=cp path=/etc/NetworkManager/system-connections/eth0.nmconnection dev="sda4" ino=17123100 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:NetworkManager_etc_rw_t:s0 tclass=file permissive=1 +type=AVC msg=audit(11/06/23 01:25:41.615:78) : avc: denied { create } for pid=1724 comm=cp name=eth0.nmconnection scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:NetworkManager_etc_rw_t:s0 tclass=file permissive=1 +type=AVC msg=audit(11/06/23 01:25:41.615:78) : avc: denied { add_name } for pid=1724 comm=cp name=eth0.nmconnection scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:NetworkManager_etc_rw_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(11/06/23 01:25:41.615:78) : avc: denied { write } for pid=1724 comm=cp name=system-connections dev="sda4" ino=17122767 scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:NetworkManager_etc_rw_t:s0 tclass=dir permissive=1 +type=AVC msg=audit(11/06/23 01:25:41.615:79) : avc: denied { ioctl } for pid=1724 comm=cp path=/etc/NetworkManager/system-connections/eth0.nmconnection dev="sda4" ino=17123100 ioctlcmd=0x9409 
scontext=system_u:system_r:hypervkvp_t:s0 tcontext=system_u:object_r:NetworkManager_etc_rw_t:s0 tclass=file permissive=1 + +Resolves: RHEL-14505 +--- + policy/modules/contrib/hypervkvp.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/hypervkvp.te b/policy/modules/contrib/hypervkvp.te +index 50a15b9fcb..213e650f21 100644 +--- a/policy/modules/contrib/hypervkvp.te ++++ b/policy/modules/contrib/hypervkvp.te +@@ -140,6 +140,7 @@ optional_policy(` + optional_policy(` + networkmanager_read_pid_files(hypervkvp_t) + networkmanager_dbus_chat(hypervkvp_t) ++ networkmanager_write_rw_conf(hypervkvp_t) + ') + + optional_policy(` diff --git a/backport-Allow-init-create-and-use-netlink-netfilter-socket.patch b/backport-Allow-init-create-and-use-netlink-netfilter-socket.patch new file mode 100644 index 0000000..596d006 --- /dev/null +++ b/backport-Allow-init-create-and-use-netlink-netfilter-socket.patch 
@@ -0,0 +1,32 @@ +From 03323582c0f9c0e843247d96969ef4d2e01453b0 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 18 Dec 2023 17:59:00 +0100 +Subject: [PATCH] Allow init create and use netlink netfilter socket + +systemd v255 [1] includes the "core: firewall integration of cgroups +with NFTSet=" [2] commit which makes systemd directly use the netlink +netfilter socket to work with firewall rules. + +[1] https://github.com/systemd/systemd/releases +[2] https://github.com/systemd/systemd/commit/dc7d69b3c1eb + +The commit addresses the following AVC denial: +type=AVC msg=audit(12/08/2023 06:07:03.373:259) : avc: denied { create } for pid=1 comm=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=1 + +Resolves: rhbz#2250935 +--- + policy/modules/system/init.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 3e7862ca81..6931f72dfa 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -175,6 +175,7 @@ ifdef(`enable_mls',` + allow init_t self:capability ~{ audit_control audit_write sys_module }; + allow init_t self:capability2 ~{ mac_admin mac_override }; + allow init_t self:cap_userns all_cap_userns_perms; ++allow init_t self:netlink_netfilter_socket create_socket_perms; + allow init_t self:tcp_socket { listen accept }; + allow init_t self:packet_socket create_socket_perms; + allow init_t self:vsock_socket create_socket_perms; diff --git a/backport-Allow-init-read-all-non-security-socket-files.patch b/backport-Allow-init-read-all-non-security-socket-files.patch new file mode 100644 index 0000000..3833e30 --- /dev/null +++ b/backport-Allow-init-read-all-non-security-socket-files.patch 
@@ -0,0 +1,73 @@ +From 52cbc15d014b7cbc457bf3c926a738b1e1d83053 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 27 Jan 2023 17:04:26 +0100 +Subject: [PATCH] Allow init read all non-security socket files + +Systemd uses the LoadCredential option to pass a credential to the unit. +Credentials here are small objects that may be passed to unit processes, +typically cryptographic keys or certificates, user account information +or identity information from host to services. +The credential files/IPC sockets must be accessible to the service manager, +but don't have to be directly accessible to the unit's processes: the +credential data is read and copied into separate, read-only copies for +the unit that are accessible to appropriately privileged processes. + +Consequently, when LoadCredential is set to point to a socket file, +systemd needs the read permission for the sock_file security class: + +LoadCredential=id:/run/wg-credentials.socket + +Systemd in its read_full_file_full() function checks exit code of +xfopenat() and in case of -ENXIO connects to the AF_UNIX socket. + +The files_read_non_security_sock_files() interface was added. 
+ +Addresses the following AVC denial: +type=AVC msg=audit(1672210323.355:1362): avc: denied { read } for pid=4490 comm="(sd-mkdcreds)" name="wg-credentials.socket" dev="tmpfs" ino=1033 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0 +--- + policy/modules/kernel/files.if | 19 +++++++++++++++++++ + policy/modules/system/init.te | 1 + + 2 files changed, 20 insertions(+) + +diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if +index 088102504a..d41ac6a30a 100644 +--- a/policy/modules/kernel/files.if ++++ b/policy/modules/kernel/files.if +@@ -1149,6 +1149,25 @@ interface(`files_read_non_security_files',` + read_lnk_files_pattern($1, non_security_file_type, non_security_file_type) + ') + ++######################################## ++## ++## Read all non-security socket files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_read_non_security_sock_files',` ++ gen_require(` ++ attribute non_security_file_type; ++ ') ++ ++ read_sock_files_pattern($1, non_security_file_type, non_security_file_type) ++') ++ + ######################################## + ## + ## Map all non-security files. +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index 6e6b171488..3e7862ca81 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -329,6 +329,7 @@ files_mounton_etc(init_t) + files_create_default_dir(init_t) + files_remount_rootfs(init_t) + files_create_var_dirs(init_t) ++files_read_non_security_sock_files(init_t) + files_watch_non_security_dirs(init_t) + files_watch_non_security_files(init_t) + files_watch_non_security_lnk_files(init_t) diff --git a/backport-Allow-keepalived_t-to-use-sys_ptrace-of-cap_userns.patch b/backport-Allow-keepalived_t-to-use-sys_ptrace-of-cap_userns.patch new file mode 100644 index 0000000..36d8fdc --- /dev/null +++ b/backport-Allow-keepalived_t-to-use-sys_ptrace-of-cap_userns.patch 
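Review bot: `files_read_non_security_sock_files` grants sock_file read for every type carrying the non_security_file_type attribute, far wider than the single var_run_t socket in the quoted AVC, and the caller is init_t (PID 1). The breadth mirrors the sibling `files_read_non_security_files` visible in the context lines, so it is upstream's design rather than a backport error, but the summary `Read all non-security socket files.` gives no hint why a service manager needs it; extend it with a line such as `## Used by the service manager to read a LoadCredential= source that is an AF_UNIX socket.` so a later reviewer neither widens nor trims it blindly. The init.te hunk in the same patch is a one-line call and needs nothing further.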
@@ -0,0 +1,30 @@ +From dd4669154ab176600d933f508b429cf116b23497 Mon Sep 17 00:00:00 2001 +From: Juraj Marcin +Date: Wed, 13 Dec 2023 18:09:58 +0100 +Subject: [PATCH] Allow keepalived_t to use sys_ptrace of cap_userns + +Addresses the following AVC: + +type=PROCTITLE msg=audit(12/08/2023 12:28:47.900:784) : proctitle=netstat -apn +type=PATH msg=audit(12/08/2023 12:28:47.900:784) : item=0 name=/proc/834/fd/0 inode=183233 dev=00:14 mode=link,500 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:devicekit_power_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=CWD msg=audit(12/08/2023 12:28:47.900:784) : cwd=/ +type=SYSCALL msg=audit(12/08/2023 12:28:47.900:784) : arch=x86_64 syscall=readlink success=yes exit=9 a0=0x7ffd2369a070 a1=0x7ffd23699e50 a2=0x1d a3=0xe items=1 ppid=66687 pid=66689 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=netstat exe=/usr/bin/netstat subj=system_u:system_r:keepalived_t:s0 key=(null) +type=AVC msg=audit(12/08/2023 12:28:47.900:784) : avc: denied { sys_ptrace } for pid=66689 comm=netstat capability=sys_ptrace scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:system_r:keepalived_t:s0 tclass=cap_userns permissive=1 + +Resolves: RHEL-17156 +--- + policy/modules/contrib/keepalived.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/keepalived.te b/policy/modules/contrib/keepalived.te +index 750315cc25..143c3741d1 100644 +--- a/policy/modules/contrib/keepalived.te ++++ b/policy/modules/contrib/keepalived.te +@@ -39,6 +39,7 @@ files_tmpfs_file(keepalived_tmpfs_t) + + allow keepalived_t self:capability { net_admin net_raw kill dac_read_search setuid setgid sys_admin sys_nice sys_ptrace }; + allow keepalived_t self:capability2 bpf; ++allow keepalived_t self:cap_userns { sys_ptrace }; + allow keepalived_t self:process { signal_perms getpgid setpgid setsched setrlimit }; + allow keepalived_t 
self:icmp_socket create_socket_perms; + allow keepalived_t self:netlink_socket create_socket_perms; diff --git a/backport-Allow-nvme_stas_t-create-and-use-netlink-kobject-uev.patch b/backport-Allow-nvme_stas_t-create-and-use-netlink-kobject-uev.patch new file mode 100644 index 0000000..e798ec6 --- /dev/null +++ b/backport-Allow-nvme_stas_t-create-and-use-netlink-kobject-uev.patch 
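Review bot: `allow keepalived_t self:cap_userns { sys_ptrace };` braces a single permission while the adjacent `capability2 bpf` rule in the context lines does not; write `allow keepalived_t self:cap_userns sys_ptrace;` to match the file's style. The quoted AVC shows the denial came from `netstat -apn` under keepalived_t reading a /proc/<pid>/fd link of a devicekit_power_t process, i.e. the user-namespace counterpart of the sys_ptrace already present in the capability set one line above; a short comment above the rule, e.g. `# user-namespace sys_ptrace: netstat -apn reads other processes' /proc fd links`, would keep the two from being mistaken for a duplicate and removed.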
@@ -0,0 +1,31 @@ +From 6bb335549d5b46078a8e62ad1b3d89b37af185fe Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 14 Dec 2023 09:16:29 +0100 +Subject: [PATCH] Allow nvme_stas_t create and use netlink kobject uevent + socket + +Some permissions were allowed, but not all for stafd be able to use +the netlink class socket from the kobject uevent family. + +The commit addresses the following AVC denial: +type=PROCTITLE msg=audit(12/14/2023 03:16:43.776:934) : proctitle=/usr/bin/python3 /usr/sbin/stafd --syslog +type=SYSCALL msg=audit(12/14/2023 03:16:43.776:934) : arch=x86_64 syscall=getsockopt success=no exit=EACCES(Permission denied) a0=0x3 a1=SOL_SOCKET a2=SO_RCVBUF a3=0x7ffcc7b7384c items=0 ppid=1 pid=14412 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=stafd exe=/usr/bin/python3.12 subj=system_u:system_r:nvme_stas_t:s0 key=(null) +type=AVC msg=audit(12/14/2023 03:16:43.776:934) : avc: denied { getopt } for pid=14412 comm=stafd scontext=system_u:system_r:nvme_stas_t:s0 tcontext=system_u:system_r:nvme_stas_t:s0 tclass=netlink_kobject_uevent_socket permissive=0 +--- + policy/modules/contrib/nvme_stas.te | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/contrib/nvme_stas.te b/policy/modules/contrib/nvme_stas.te +index 44147fd1d4..9db9c8aabf 100644 +--- a/policy/modules/contrib/nvme_stas.te ++++ b/policy/modules/contrib/nvme_stas.te +@@ -33,7 +33,8 @@ allow nvme_stas_t self:capability { net_admin sys_admin }; + allow nvme_stas_t self:capability2 bpf; + allow nvme_stas_t self:dbus send_msg; + allow nvme_stas_t self:fifo_file rw_fifo_file_perms; +-allow nvme_stas_t self:netlink_kobject_uevent_socket { bind create getattr setopt }; ++allow nvme_stas_t self:netlink_kobject_uevent_socket create_socket_perms; ++ + allow nvme_stas_t self:process setsched; + allow nvme_stas_t self:tcp_socket create_stream_socket_perms; + allow nvme_stas_t self:unix_stream_socket 
create_stream_socket_perms; diff --git a/backport-Allow-qatlib-read-write-vfio-devices.patch b/backport-Allow-qatlib-read-write-vfio-devices.patch new file mode 100644 index 0000000..227caef --- /dev/null +++ b/backport-Allow-qatlib-read-write-vfio-devices.patch @@ -0,0 +1,27 @@ +From 5187234e444d5ae9d957678bf257ea21529b2818 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 21 Dec 2023 09:44:16 +0100 +Subject: [PATCH] Allow qatlib read/write vfio devices + +The commit addresses the following AVC denial: +type=PROCTITLE msg=audit(12.12.2023 09:16:26.851:299) : proctitle=/usr/sbin/qatmgr --policy=0 +type=SYSCALL msg=audit(12.12.2023 09:16:26.851:299) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x5 a1=0x3b69 a2=0x3 a3=0x70000000004 items=0 ppid=1 pid=63688 auid=unset uid=root gid=qat euid=root suid=root fsuid=root egid=qat sgid=qat fsgid=qat tty=(none) ses=unset comm=qatmgr exe=/usr/sbin/qatmgr subj=system_u:system_r:qatlib_t:s0 key=(null) +type=AVC msg=audit(12.12.2023 09:16:26.851:299) : avc: denied { ioctl } for pid=63688 comm=qatmgr path=/dev/vfio/465 dev="devtmpfs" ino=2030 ioctlcmd=0x3b69 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=1 + +Resolves: RHEL-19051 +--- + policy/modules/contrib/qatlib.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/qatlib.te b/policy/modules/contrib/qatlib.te +index 0e0cf2242d..23d8039ac7 100644 +--- a/policy/modules/contrib/qatlib.te ++++ b/policy/modules/contrib/qatlib.te +@@ -43,6 +43,7 @@ corecmd_exec_bin(qatlib_t) + + dev_create_sysfs_files(qatlib_t) + dev_rw_sysfs(qatlib_t) ++dev_rw_vfio_dev(qatlib_t) + dev_setattr_generic_dirs(qatlib_t) + + domain_use_interactive_fds(qatlib_t) diff --git a/backport-Allow-some-domains-use-sd_notify_1.patch b/backport-Allow-some-domains-use-sd_notify_1.patch new file mode 100644 index 0000000..dce0a40 --- /dev/null +++ b/backport-Allow-some-domains-use-sd_notify_1.patch 
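Review bot: The nvme_stas.te hunk inserts an empty line (the bare `++` right after the rewritten `netlink_kobject_uevent_socket` rule) into the middle of the contiguous block of `allow nvme_stas_t self:...` rules, which the surrounding context keeps unbroken; drop that blank line. Widening `{ bind create getattr setopt }` to `create_socket_perms` is what the quoted getopt denial needs and matches how the tcp_socket and unix_stream_socket rules below are written, so the rule change itself is fine. The qatlib hunk that ends on this same line is a single `dev_rw_vfio_dev(qatlib_t)` call and needs nothing.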
@@ -0,0 +1,32 @@ +From ea76c5e8b5864a983737d2431d675b32db388823 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Thu, 14 Jul 2022 10:30:12 +0200 +Subject: [PATCH] Allow some domains use sd_notify() + +sd_notify() and a few similar systemd library functions may be called by +a service to notify the service manager about state changes. It can be +used to send arbitrary information. Most importantly, it can be used for +start-up completion notification. + +With this commit, all types in the daemon and login_userdomain +attributes and unconfined_service_t can connect to init (PID 1) and +init can write back to the fifo_file created by the domain. + +Resolves: rhbz#1903305 +--- + policy/modules/system/userdomain.te | 2 ++ + 1 files changed, 2 insertions(+) + +diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te +index 3ac8c12c11..098024756a 100644 +--- a/policy/modules/system/userdomain.te ++++ b/policy/modules/system/userdomain.te +@@ -400,6 +400,8 @@ files_watch_generic_tmp_dirs(login_userdomain) + fs_create_cgroup_files(login_userdomain) + fs_watch_cgroup_files(login_userdomain) + ++init_use_notify(login_userdomain) ++ + libs_watch_lib_dirs(login_userdomain) + + miscfiles_watch_fonts_dirs(login_userdomain) diff --git a/backport-Allow-systemd-sleep-send-a-message-to-syslog-over-a-.patch b/backport-Allow-systemd-sleep-send-a-message-to-syslog-over-a-.patch new file mode 100644 index 0000000..acaa9d6 --- /dev/null +++ b/backport-Allow-systemd-sleep-send-a-message-to-syslog-over-a-.patch 
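Review bot: The patch description says all types in the daemon and login_userdomain attributes and unconfined_service_t may now call sd_notify(), but the only hunk adds `init_use_notify(login_userdomain)` to userdomain.te. The diffstat `1 files changed, 2 insertions(+)` is not git's wording (git prints `1 file changed`), which suggests the upstream commit was trimmed by hand for this backport. If the daemon and unconfined_service_t parts were dropped on purpose because this package already carries them, record that in the description; otherwise the backport is incomplete and daemon domains may still lack the permission the commit claims to grant.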
@@ -0,0 +1,29 @@ +From 8c600db3483b0deaaba2ccc18cba74f2dfa5d680 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Fri, 15 Dec 2023 19:43:42 +0100 +Subject: [PATCH] Allow systemd-sleep send a message to syslog over a unix + dgram socket + +The commit addresses the following AVC denial: +type=AVC msg=audit(1702592947.333:248): avc: denied { sendto } for pid=7245 comm="systemd-sleep" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=0 + +Resolves: rhbz#2254628 +--- + policy/modules/system/systemd.te | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te +index b3512c726d..ab4cb05169 100644 +--- a/policy/modules/system/systemd.te ++++ b/policy/modules/system/systemd.te +@@ -1607,6 +1607,10 @@ init_search_var_lib_dirs(systemd_sleep_t) + storage_getattr_fixed_disk_dev(systemd_sleep_t) + storage_getattr_removable_dev(systemd_sleep_t) + ++optional_policy(` ++ logging_dgram_send(systemd_sleep_t) ++') ++ + optional_policy(` + sysstat_domtrans(systemd_sleep_t) + ') diff --git a/backport-Allow-the-sysadm-user-use-the-secretmem-API.patch b/backport-Allow-the-sysadm-user-use-the-secretmem-API.patch new file mode 100644 index 0000000..6e020a8 --- /dev/null +++ b/backport-Allow-the-sysadm-user-use-the-secretmem-API.patch 
@@ -0,0 +1,31 @@ +From c355b9d105730de54e9097e5afdc580d0d501e16 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 2 Sep 2024 16:24:45 +0200 +Subject: [PATCH] Allow the sysadm user use the secretmem API + +This is a follow-up commit to 41c4218e835a0 ("Add support for secretmem +anon inode") which allowed the necessary permission to unconfined +domain types. This commit allows it also for the sysadm_t domain. + +Note: Pages allocated with this method can never be swapped out of the +physical memory and the system hibernation is blocked as long as any +file descriptor created with this method exists, so this permission +should be allowed to a very limited set of domains only. + +Resolves: rhbz#2270895 +--- + policy/modules/roles/sysadm.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te +index 3b5373168c..a5489a8a67 100644 +--- a/policy/modules/roles/sysadm.te ++++ b/policy/modules/roles/sysadm.te +@@ -28,6 +28,7 @@ kernel_manage_perf_event(sysadm_t) + kernel_prog_run_bpf(sysadm_t) + kernel_read_fs_sysctls(sysadm_t) + kernel_read_all_proc(sysadm_t) ++kernel_secretmem_use(sysadm_t) + kernel_unconfined(sysadm_t) + + auth_manage_shadow(sysadm_t) diff --git a/backport-Label-etc-redis.conf-with-redis_conf_t.patch b/backport-Label-etc-redis.conf-with-redis_conf_t.patch new file mode 100644 index 0000000..e4657d7 --- /dev/null +++ b/backport-Label-etc-redis.conf-with-redis_conf_t.patch 
@@ -0,0 +1,20 @@ +From 736057fd513a64a21c3b75108da8d640c901eae8 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 18 Dec 2023 17:54:34 +0100 +Subject: [PATCH] Label /etc/redis.conf with redis_conf_t + +--- + policy/modules/contrib/redis.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/contrib/redis.fc b/policy/modules/contrib/redis.fc +index 53e58bacb9..124846f428 100644 +--- a/policy/modules/contrib/redis.fc ++++ b/policy/modules/contrib/redis.fc +@@ -1,5 +1,6 @@ + /etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0) + ++/etc/redis\.conf -- gen_context(system_u:object_r:redis_conf_t,s0) + /etc/redis(/.*)? gen_context(system_u:object_r:redis_conf_t,s0) + /etc/redis-sentinel.* -- gen_context(system_u:object_r:redis_conf_t,s0) + diff --git a/backport-Update-kernel_secretmem_use.patch b/backport-Update-kernel_secretmem_use.patch new file mode 100644 index 0000000..15146d8 --- /dev/null +++ b/backport-Update-kernel_secretmem_use.patch 
@@ -0,0 +1,54 @@ +From 97b9903d8ddefcc0621f7d686e52b8052a58b4b8 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Tue, 15 Jul 2025 16:52:18 +0200 +Subject: [PATCH] Update kernel_secretmem_use() + +After the kernel commit cbe4134ea4bc ("fs: export +anon_inode_make_secure_inode() and fix secretmem LSM bypass"), +additional permissions are needed for secretmem anon_inode usage, +e.g. by the unconfined_t domain. The existing kernel_secretmem_use() +interface content was updated so that it now matches other anon_inode +types related interfaces. Also along with that, the +kernel_secretmem_use_inherited() interface was added. +--- + policy/modules/kernel/kernel.if | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if +index 3d5319fe46..3203c35bee 100644 +--- a/policy/modules/kernel/kernel.if ++++ b/policy/modules/kernel/kernel.if +@@ -4655,6 +4655,24 @@ interface(`kernel_secretmem_domtrans',` + type_transition $1 self:anon_inode secretmem_t "[secretmem]"; + ') + ++######################################## ++## ++## Allow the specified domain to use the secretmem API ++## via an inherited file descriptor. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_secretmem_use_inherited',` ++ gen_require(` ++ type secretmem_t; ++ ') ++ allow $1 secretmem_t:anon_inode { getattr read write map }; ++') ++ + ######################################## + ## + ## Allow the domain to use the secretmem API. +@@ -4669,5 +4687,7 @@ interface(`kernel_secretmem_use',` + gen_require(` + type secretmem_t; + ') ++ ++ kernel_secretmem_use_inherited($1) + allow $1 secretmem_t:anon_inode create; + ') + diff --git a/selinux-policy.spec b/selinux-policy.spec index 4bbbf74..8e3fb66 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
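Review bot: The summary of `kernel_secretmem_use` still reads `Allow the domain to use the secretmem API.` although the second hunk makes it call `kernel_secretmem_use_inherited($1)` and then add `create`; update it to say it grants creation on top of the inherited-descriptor permissions, and note on `kernel_secretmem_use_inherited` that it is the interface for domains that only receive a secretmem fd from another domain. Layout is also inconsistent: `kernel_secretmem_use_inherited` has no blank line between `gen_require` and its `allow`, whereas `kernel_secretmem_use` (and the dnsmasq interfaces elsewhere in this series) leave one. The header of `kernel_secretmem_use` lies above the second hunk's start, so only its tail is visible here.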
@@ -12,7 +12,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 40.7 -Release: 4 +Release: 5 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ @@ -64,6 +64,20 @@ Patch8: allow-rpcbind-to-bind-all-port.patch Patch9: add-avc-for-systemd-journald.patch Patch10: add-avc-for-systemd.patch Patch11: backport-Add-support-for-secretmem-anon-inode.patch +Patch12: backport-Allow-some-domains-use-sd_notify_1.patch +Patch13: backport-Allow-dovecot_auth_t-connect-to-postgresql-using-UNI.patch +Patch14: backport-Allow-keepalived_t-to-use-sys_ptrace-of-cap_userns.patch +Patch15: backport-Allow-init-create-and-use-netlink-netfilter-socket.patch +Patch16: backport-Allow-qatlib-read-write-vfio-devices.patch +Patch17: backport-Label-etc-redis.conf-with-redis_conf_t.patch +Patch18: backport-Allow-init-read-all-non-security-socket-files.patch +Patch19: backport-Add-additions-to-dnsmasq-interface.patch +Patch20: backport-Allow-nvme_stas_t-create-and-use-netlink-kobject-uev.patch +Patch21: backport-Allow-systemd-sleep-send-a-message-to-syslog-over-a-.patch +Patch22: backport-Allow-hypervkvp_t-write-access-to-NetworkManager_etc.patch +Patch23: backport-Add-interface-for-write-only-access-to-NetworkManager.patch +Patch24: backport-Allow-the-sysadm-user-use-the-secretmem-API.patch +Patch25: backport-Update-kernel_secretmem_use.patch Patch9000: add-qemu_exec_t-for-stratovirt.patch Patch9001: fix-context-of-usr-bin-rpmdb.patch @@ -743,6 +757,9 @@ exit 0 %endif %changelog +* Tue Aug 26 2025 zcfsite - 40.7-5 +- backport upstream patches to add some interface for NM + * Wed Nov 27 2024 Linux_zhang - 40.7-4 - Recovering the SELinux Label -- Gitee
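Review bot: Patch15 (`backport-Allow-init-create-and-use-netlink-netfilter-socket.patch`) is listed before Patch18 (`backport-Allow-init-read-all-non-security-socket-files.patch`), but the embedded index lines show the reverse upstream order: the sock-files patch takes init.te from 6e6b171488 to 3e7862ca81 and the netfilter patch expects 3e7862ca81 as its pre-image. The two hunks touch different regions of init.te, so they will likely still apply with an offset, but that makes the build fragile under strict application; renumber so the init.te patches follow the upstream chain. The changelog line `backport upstream patches to add some interface for NM` describes only two of the fourteen new patches; list the affected areas (init, dovecot, keepalived, nvme_stas, qatlib, redis, dnsmasq, systemd-sleep, sysadm, secretmem) or at least say "backport upstream bugfixes". Whether %prep applies these via %autosetup or explicit %patch lines is outside this hunk.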