rpm/selinux-policy
SHA256
1
0
Fork 0
forked from pool/selinux-policy
Code Pull Requests Activity
5b345f822c
selinux-policy/dontaudit_interface_kmod_tmpfs.patch

42 lines
1.6 KiB
Diff
Raw Normal View History

Accepting request 1035580 from home:jsegitz:branches:security:SELinux - Update to version 20221019. Refreshed: * distro_suse_to_distro_redhat.patch * fix_apache.patch * fix_chronyd.patch * fix_cron.patch * fix_init.patch * fix_kernel_sysctl.patch * fix_networkmanager.patch * fix_rpm.patch * fix_sysnetwork.patch * fix_systemd.patch * fix_systemd_watch.patch * fix_unconfined.patch * fix_unconfineduser.patch * fix_unprivuser.patch * fix_xserver.patch - Dropped fix_cockpit.patch as this is now packaged with cockpit itself - Remove the ipa module, freeip ships their own module - Added fix_alsa.patch to allow reading of config files in home directories - Extended fix_networkmanager.patch and fix_postfix.patch to account for SUSE systems - Added dontaudit_interface_kmod_tmpfs.patch to prevent AVCs when startproc queries the running processes - Updated fix_snapper.patch to allow snapper to talk to rpm via dbus OBS-URL: https://build.opensuse.org/request/show/1035580 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=155
2022-11-14 09:27:42 +01:00
Index: fedora-policy-20221019/policy/modules/services/xserver.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/services/xserver.te
+++ fedora-policy-20221019/policy/modules/services/xserver.te
@@ -764,6 +764,10 @@ userdom_mounton_tmp_sockets(xdm_t)
userdom_nnp_transition_login_userdomain(xdm_t)
userdom_watch_user_home_dirs(xdm_t)
+# SUSE uses startproc to start the display manager. While checking for running processes
+# it goes over all running instances, triggering AVCs
+modutils_dontaudit_kmod_tmpfs_getattr(xdm_t)
+
#userdom_home_manager(xdm_t)
tunable_policy(`xdm_write_home',`
userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file })
Index: fedora-policy-20221019/policy/modules/system/modutils.if
===================================================================
--- fedora-policy-20221019.orig/policy/modules/system/modutils.if
+++ fedora-policy-20221019/policy/modules/system/modutils.if
@@ -507,3 +507,21 @@ interface(`modules_filetrans_named_conte
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols")
#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
')
+
+#######################################
+## <summary>
+## Don't audit accesses to tmp file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`modutils_dontaudit_kmod_tmpfs_getattr',`
+ gen_require(`
+ type kmod_tmpfs_t;
+ ')
+
+ dontaudit $1 kmod_tmpfs_t:file { getattr };
+')
Copy Permalink