selinux-policy/fix_entropyd.patch

Index: fedora-policy-20230206/policy/modules/contrib/entropyd.te
===================================================================
--- fedora-policy-20230206.orig/policy/modules/contrib/entropyd.te
+++ fedora-policy-20230206/policy/modules/contrib/entropyd.te
@@ -24,6 +24,9 @@ init_script_file(entropyd_initrc_exec_t)
 type entropyd_var_run_t;
 files_pid_file(entropyd_var_run_t)
 
+type entropyd_tmpfs_t;
+files_tmpfs_file(entropyd_tmpfs_t)
+
 ########################################
 #
 # Local policy
@@ -36,6 +39,10 @@ allow entropyd_t self:process signal_per
 manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)
 files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)
 
+manage_dirs_pattern(entropyd_t, entropyd_tmpfs_t, entropyd_tmpfs_t)
+manage_files_pattern(entropyd_t, entropyd_tmpfs_t, entropyd_tmpfs_t)
+fs_tmpfs_filetrans(entropyd_t, entropyd_tmpfs_t, { file })
+
 kernel_read_system_state(entropyd_t)
 kernel_rw_kernel_sysctl(entropyd_t)
 
@@ -47,6 +54,8 @@ dev_write_rand(entropyd_t)
 
 fs_getattr_all_fs(entropyd_t)
 fs_search_auto_mountpoints(entropyd_t)
+# not great, but necessary for now since I can't get sem.haveged_sem to have a proper label
+fs_rw_tmpfs_files(entropyd_t)
 
 domain_use_interactive_fds(entropyd_t)
 
Index: fedora-policy-20230206/policy/modules/contrib/entropyd.if
===================================================================
--- fedora-policy-20230206.orig/policy/modules/contrib/entropyd.if
+++ fedora-policy-20230206/policy/modules/contrib/entropyd.if
@@ -33,3 +33,22 @@ interface(`entropyd_admin',`
 	files_search_pids($1)
 	admin_pattern($1, entropyd_var_run_t)
 ')
+
+########################################
+## <summary>
+##	Transition kernel created semaphore to correct type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`entropyd_semaphore_filetrans',`
+	gen_require(`
+		type entropyd_tmpfs_t;
+	')
+
+	fs_tmpfs_filetrans($1, entropyd_tmpfs_t, file, "sem.haveged_sem")
+')
Index: fedora-policy-20230206/policy/modules/kernel/kernel.te
===================================================================
--- fedora-policy-20230206.orig/policy/modules/kernel/kernel.te
+++ fedora-policy-20230206/policy/modules/kernel/kernel.te
@@ -401,6 +401,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+    entropyd_semaphore_filetrans(kernel_t)
+')
+
+optional_policy(`
     abrt_filetrans_named_content(kernel_t)
     abrt_dump_oops_domtrans(kernel_t)
 ')
Accepting request 1063441 from home:jsegitz:branches:security:SELinux - Update to version 20230206. Refreshed: * fix_entropyd.patch * fix_networkmanager.patch * fix_systemd_watch.patch * fix_unconfineduser.patch - Updated fix_kernel.patch to allow kernel_t access to xdm state. This is necessary as plymouth doesn't run in it's own domain in early boot OBS-URL: https://build.opensuse.org/request/show/1063441 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=172 2023-02-06 15:32:26 +00:00			`Index: fedora-policy-20230206/policy/modules/contrib/entropyd.te`
Accepting request 1061575 from home:jsegitz:branches:security:SELinux - Update to version 20230125. Refreshed: * distro_suse_to_distro_redhat.patch * fix_dnsmasq.patch * fix_init.patch * fix_ipsec.patch * fix_kernel_sysctl.patch * fix_logging.patch * fix_rpm.patch * fix_selinuxutil.patch * fix_systemd_watch.patch * fix_userdomain.patch - More flexible lib(exec) matching in fix_fwupd.patch - Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch - Dropped fix_container.patch, is now upstream - Added fix_entropyd.patch * Added new interface entropyd_semaphore_filetrans to properly transfer semaphore created during early boot. That doesn't work yet, so work around with next item * Allow reading tempfs files - Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace to allow kmod_tmpfs_t files to be executed. Necessary for firewalld - Added fix_rtkit.patch to fix labeling of binary - Modified fix_ntp.patch: * Proper labeling for start-ntpd * Fixed label rules for chroot path * Temporarily allow dac_override for ntpd_t (bsc#1207577) * Add interface ntp_manage_pid_files to allow management of pid files - Updated fix_networkmanager.patch to allow managing ntp pid files OBS-URL: https://build.opensuse.org/request/show/1061575 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=171 2023-01-27 14:51:33 +00:00			`===================================================================`
Accepting request 1063441 from home:jsegitz:branches:security:SELinux - Update to version 20230206. Refreshed: * fix_entropyd.patch * fix_networkmanager.patch * fix_systemd_watch.patch * fix_unconfineduser.patch - Updated fix_kernel.patch to allow kernel_t access to xdm state. This is necessary as plymouth doesn't run in it's own domain in early boot OBS-URL: https://build.opensuse.org/request/show/1063441 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=172 2023-02-06 15:32:26 +00:00			`--- fedora-policy-20230206.orig/policy/modules/contrib/entropyd.te`
			`+++ fedora-policy-20230206/policy/modules/contrib/entropyd.te`
Accepting request 1061575 from home:jsegitz:branches:security:SELinux - Update to version 20230125. Refreshed: * distro_suse_to_distro_redhat.patch * fix_dnsmasq.patch * fix_init.patch * fix_ipsec.patch * fix_kernel_sysctl.patch * fix_logging.patch * fix_rpm.patch * fix_selinuxutil.patch * fix_systemd_watch.patch * fix_userdomain.patch - More flexible lib(exec) matching in fix_fwupd.patch - Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch - Dropped fix_container.patch, is now upstream - Added fix_entropyd.patch * Added new interface entropyd_semaphore_filetrans to properly transfer semaphore created during early boot. That doesn't work yet, so work around with next item * Allow reading tempfs files - Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace to allow kmod_tmpfs_t files to be executed. Necessary for firewalld - Added fix_rtkit.patch to fix labeling of binary - Modified fix_ntp.patch: * Proper labeling for start-ntpd * Fixed label rules for chroot path * Temporarily allow dac_override for ntpd_t (bsc#1207577) * Add interface ntp_manage_pid_files to allow management of pid files - Updated fix_networkmanager.patch to allow managing ntp pid files OBS-URL: https://build.opensuse.org/request/show/1061575 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=171 2023-01-27 14:51:33 +00:00			`@@ -24,6 +24,9 @@ init_script_file(entropyd_initrc_exec_t)`
			`type entropyd_var_run_t;`
			`files_pid_file(entropyd_var_run_t)`

			`+type entropyd_tmpfs_t;`
			`+files_tmpfs_file(entropyd_tmpfs_t)`
			`+`
			`########################################`
			`#`
			`# Local policy`
			`@@ -36,6 +39,10 @@ allow entropyd_t self:process signal_per`
			`manage_files_pattern(entropyd_t, entropyd_var_run_t, entropyd_var_run_t)`
			`files_pid_filetrans(entropyd_t, entropyd_var_run_t, file)`

			`+manage_dirs_pattern(entropyd_t, entropyd_tmpfs_t, entropyd_tmpfs_t)`
			`+manage_files_pattern(entropyd_t, entropyd_tmpfs_t, entropyd_tmpfs_t)`
			`+fs_tmpfs_filetrans(entropyd_t, entropyd_tmpfs_t, { file })`
			`+`
			`kernel_read_system_state(entropyd_t)`
			`kernel_rw_kernel_sysctl(entropyd_t)`

			`@@ -47,6 +54,8 @@ dev_write_rand(entropyd_t)`

			`fs_getattr_all_fs(entropyd_t)`
			`fs_search_auto_mountpoints(entropyd_t)`
			`+# not great, but necessary for now since I can't get sem.haveged_sem to have a proper label`
			`+fs_rw_tmpfs_files(entropyd_t)`

			`domain_use_interactive_fds(entropyd_t)`

Accepting request 1063441 from home:jsegitz:branches:security:SELinux - Update to version 20230206. Refreshed: * fix_entropyd.patch * fix_networkmanager.patch * fix_systemd_watch.patch * fix_unconfineduser.patch - Updated fix_kernel.patch to allow kernel_t access to xdm state. This is necessary as plymouth doesn't run in it's own domain in early boot OBS-URL: https://build.opensuse.org/request/show/1063441 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=172 2023-02-06 15:32:26 +00:00			`Index: fedora-policy-20230206/policy/modules/contrib/entropyd.if`
Accepting request 1061575 from home:jsegitz:branches:security:SELinux - Update to version 20230125. Refreshed: * distro_suse_to_distro_redhat.patch * fix_dnsmasq.patch * fix_init.patch * fix_ipsec.patch * fix_kernel_sysctl.patch * fix_logging.patch * fix_rpm.patch * fix_selinuxutil.patch * fix_systemd_watch.patch * fix_userdomain.patch - More flexible lib(exec) matching in fix_fwupd.patch - Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch - Dropped fix_container.patch, is now upstream - Added fix_entropyd.patch * Added new interface entropyd_semaphore_filetrans to properly transfer semaphore created during early boot. That doesn't work yet, so work around with next item * Allow reading tempfs files - Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace to allow kmod_tmpfs_t files to be executed. Necessary for firewalld - Added fix_rtkit.patch to fix labeling of binary - Modified fix_ntp.patch: * Proper labeling for start-ntpd * Fixed label rules for chroot path * Temporarily allow dac_override for ntpd_t (bsc#1207577) * Add interface ntp_manage_pid_files to allow management of pid files - Updated fix_networkmanager.patch to allow managing ntp pid files OBS-URL: https://build.opensuse.org/request/show/1061575 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=171 2023-01-27 14:51:33 +00:00			`===================================================================`
Accepting request 1063441 from home:jsegitz:branches:security:SELinux - Update to version 20230206. Refreshed: * fix_entropyd.patch * fix_networkmanager.patch * fix_systemd_watch.patch * fix_unconfineduser.patch - Updated fix_kernel.patch to allow kernel_t access to xdm state. This is necessary as plymouth doesn't run in it's own domain in early boot OBS-URL: https://build.opensuse.org/request/show/1063441 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=172 2023-02-06 15:32:26 +00:00			`--- fedora-policy-20230206.orig/policy/modules/contrib/entropyd.if`
			`+++ fedora-policy-20230206/policy/modules/contrib/entropyd.if`
Accepting request 1061575 from home:jsegitz:branches:security:SELinux - Update to version 20230125. Refreshed: * distro_suse_to_distro_redhat.patch * fix_dnsmasq.patch * fix_init.patch * fix_ipsec.patch * fix_kernel_sysctl.patch * fix_logging.patch * fix_rpm.patch * fix_selinuxutil.patch * fix_systemd_watch.patch * fix_userdomain.patch - More flexible lib(exec) matching in fix_fwupd.patch - Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch - Dropped fix_container.patch, is now upstream - Added fix_entropyd.patch * Added new interface entropyd_semaphore_filetrans to properly transfer semaphore created during early boot. That doesn't work yet, so work around with next item * Allow reading tempfs files - Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace to allow kmod_tmpfs_t files to be executed. Necessary for firewalld - Added fix_rtkit.patch to fix labeling of binary - Modified fix_ntp.patch: * Proper labeling for start-ntpd * Fixed label rules for chroot path * Temporarily allow dac_override for ntpd_t (bsc#1207577) * Add interface ntp_manage_pid_files to allow management of pid files - Updated fix_networkmanager.patch to allow managing ntp pid files OBS-URL: https://build.opensuse.org/request/show/1061575 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=171 2023-01-27 14:51:33 +00:00			@@ -33,3 +33,22 @@ interface(`entropyd_admin',`
			`files_search_pids($1)`
			`admin_pattern($1, entropyd_var_run_t)`
			`')`
			`+`
			`+########################################`
			`+## <summary>`
			`+## Transition kernel created semaphore to correct type`
			`+## </summary>`
			`+## <param name="domain">`
			`+## <summary>`
			`+## Domain allowed access.`
			`+## </summary>`
			`+## </param>`
			`+## <rolecap/>`
			`+#`
			+interface(`entropyd_semaphore_filetrans',`
			+ gen_require(`
			`+ type entropyd_tmpfs_t;`
			`+ ')`
			`+`
			`+ fs_tmpfs_filetrans($1, entropyd_tmpfs_t, file, "sem.haveged_sem")`
			`+')`
Accepting request 1063441 from home:jsegitz:branches:security:SELinux - Update to version 20230206. Refreshed: * fix_entropyd.patch * fix_networkmanager.patch * fix_systemd_watch.patch * fix_unconfineduser.patch - Updated fix_kernel.patch to allow kernel_t access to xdm state. This is necessary as plymouth doesn't run in it's own domain in early boot OBS-URL: https://build.opensuse.org/request/show/1063441 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=172 2023-02-06 15:32:26 +00:00			`Index: fedora-policy-20230206/policy/modules/kernel/kernel.te`
Accepting request 1061575 from home:jsegitz:branches:security:SELinux - Update to version 20230125. Refreshed: * distro_suse_to_distro_redhat.patch * fix_dnsmasq.patch * fix_init.patch * fix_ipsec.patch * fix_kernel_sysctl.patch * fix_logging.patch * fix_rpm.patch * fix_selinuxutil.patch * fix_systemd_watch.patch * fix_userdomain.patch - More flexible lib(exec) matching in fix_fwupd.patch - Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch - Dropped fix_container.patch, is now upstream - Added fix_entropyd.patch * Added new interface entropyd_semaphore_filetrans to properly transfer semaphore created during early boot. That doesn't work yet, so work around with next item * Allow reading tempfs files - Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace to allow kmod_tmpfs_t files to be executed. Necessary for firewalld - Added fix_rtkit.patch to fix labeling of binary - Modified fix_ntp.patch: * Proper labeling for start-ntpd * Fixed label rules for chroot path * Temporarily allow dac_override for ntpd_t (bsc#1207577) * Add interface ntp_manage_pid_files to allow management of pid files - Updated fix_networkmanager.patch to allow managing ntp pid files OBS-URL: https://build.opensuse.org/request/show/1061575 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=171 2023-01-27 14:51:33 +00:00			`===================================================================`
Accepting request 1063441 from home:jsegitz:branches:security:SELinux - Update to version 20230206. Refreshed: * fix_entropyd.patch * fix_networkmanager.patch * fix_systemd_watch.patch * fix_unconfineduser.patch - Updated fix_kernel.patch to allow kernel_t access to xdm state. This is necessary as plymouth doesn't run in it's own domain in early boot OBS-URL: https://build.opensuse.org/request/show/1063441 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=172 2023-02-06 15:32:26 +00:00			`--- fedora-policy-20230206.orig/policy/modules/kernel/kernel.te`
			`+++ fedora-policy-20230206/policy/modules/kernel/kernel.te`
			@@ -401,6 +401,10 @@ optional_policy(`
Accepting request 1061575 from home:jsegitz:branches:security:SELinux - Update to version 20230125. Refreshed: * distro_suse_to_distro_redhat.patch * fix_dnsmasq.patch * fix_init.patch * fix_ipsec.patch * fix_kernel_sysctl.patch * fix_logging.patch * fix_rpm.patch * fix_selinuxutil.patch * fix_systemd_watch.patch * fix_userdomain.patch - More flexible lib(exec) matching in fix_fwupd.patch - Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch - Dropped fix_container.patch, is now upstream - Added fix_entropyd.patch * Added new interface entropyd_semaphore_filetrans to properly transfer semaphore created during early boot. That doesn't work yet, so work around with next item * Allow reading tempfs files - Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace to allow kmod_tmpfs_t files to be executed. Necessary for firewalld - Added fix_rtkit.patch to fix labeling of binary - Modified fix_ntp.patch: * Proper labeling for start-ntpd * Fixed label rules for chroot path * Temporarily allow dac_override for ntpd_t (bsc#1207577) * Add interface ntp_manage_pid_files to allow management of pid files - Updated fix_networkmanager.patch to allow managing ntp pid files OBS-URL: https://build.opensuse.org/request/show/1061575 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=171 2023-01-27 14:51:33 +00:00			`')`

			optional_policy(`
			`+ entropyd_semaphore_filetrans(kernel_t)`
			`+')`
			`+`
			+optional_policy(`
			`abrt_filetrans_named_content(kernel_t)`
			`abrt_dump_oops_domtrans(kernel_t)`
			`')`