diff --git a/_servicedata b/_servicedata index 19d9cd4..7f96451 100644 --- a/_servicedata +++ b/_servicedata @@ -1,8 +1,10 @@ https://gitlab.suse.de/selinux/selinux-policy.git - 98a8f37af8bfa88f85287f21a38c10abb925c7f3 + 7eb64de2191880e9d2207fa60c9605268d6fc8ce https://github.com/containers/container-selinux.git 07b3034f6d9625ab84508a2f46515d8ff79b4204 https://gitlab.suse.de/jsegitz/selinux-policy.git - 3e2ff590e3c22e0782b38b938a367440431bae13 \ No newline at end of file + 3e2ff590e3c22e0782b38b938a367440431bae13 + https://gitlab.suse.de/cahu/selinux-policy.git + dd1ff3c6a1e2c1f22ddd13039191ea458d7fcc8d \ No newline at end of file diff --git a/container.fc b/container.fc index 9127595..40b03d5 100644 --- a/container.fc +++ b/container.fc @@ -9,14 +9,19 @@ /usr/local/s?bin/kubelet.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) /usr/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) /usr/local/s?bin/hyperkube.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) -/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) +/usr/local/s?bin/kubenswrapper.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) +/usr/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) +/usr/local/s?bin/kubensenter.* -- gen_context(system_u:object_r:kubelet_exec_t,s0) +/usr/local/s?bin/docker.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) -/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/local/s?bin/containerd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/buildah -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) -/usr/local/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/local/s?bin/buildkitd.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) -/usr/s?bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) -/usr/s?bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/lxc-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/s?bin/lxd-.* -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/lxc -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/lxd -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/s?bin/fuidshift -- gen_context(system_u:object_r:container_runtime_exec_t,s0) @@ -117,7 +122,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u: /var/cache/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/kata-containers(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) -/var/run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0) +/run/kata-containers(/.*)? gen_context(system_u:object_r:container_kvm_var_run_t,s0) /var/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0) /opt/local-path-provisioner(/.*)? gen_context(system_u:object_r:container_file_t,s0) @@ -126,6 +131,7 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u: /var/lib/kubernetes/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/kubelet(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +/var/lib/kubelet/pod-resources/kubelet.sock gen_context(system_u:object_r:container_file_t,s0) /var/lib/docker-latest(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:container_log_t,s0) @@ -136,26 +142,25 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]*/.* gen_context(system_u: /var/lib/docker-latest/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0) /var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) -/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) +/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) /var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) -/var/run/containers(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -/var/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -/var/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -/var/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -/var/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) -/var/run/buildkit(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -/var/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0) -/var/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0) -/var/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) -/var/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0) +/run/containers(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/crio(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/docker(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/containerd(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) +/run/buildkit(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/docker\.pid -- gen_context(system_u:object_r:container_var_run_t,s0) +/run/docker\.sock -s gen_context(system_u:object_r:container_var_run_t,s0) +/run/docker-client(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +/run/docker/plugins(/.*)? gen_context(system_u:object_r:container_plugin_var_run_t,s0) /srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/srv/containers(/.*)? gen_context(system_u:object_r:container_file_t,s0) -/var/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0) +/run/lock/lxc(/.*)? gen_context(system_u:object_r:container_lock_t,s0) /var/log/lxc(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/lxd(/.*)? gen_context(system_u:object_r:container_log_t,s0) diff --git a/container.if b/container.if index 9609cd0..cf864df 100644 --- a/container.if +++ b/container.if @@ -573,7 +573,7 @@ interface(`container_filetrans_named_content',` filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers") filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers") filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm") - files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes") + files_etc_filetrans($1, kubernetes_file_t, dir, "kubernetes") ') ######################################## diff --git a/container.te b/container.te index 6f0c23b..32fbb61 100644 --- a/container.te +++ b/container.te @@ -1,4 +1,4 @@ -policy_module(container, 2.219.0) +policy_module(container, 2.230.0) gen_require(` class passwd rootok; @@ -38,6 +38,13 @@ gen_tunable(sshd_launch_containers, false) ## gen_tunable(container_use_devices, false) +## +##

+## Allow containers to use any dri device volume mounted into container +##

+## +gen_tunable(container_use_dri_devices, true) + ## ##

## Allow sandbox containers to manage cgroup (systemd) @@ -136,6 +143,7 @@ type container_devpts_t alias docker_devpts_t; term_pty(container_devpts_t) typealias container_ro_file_t alias { container_share_t docker_share_t }; +typeattribute container_ro_file_t container_file_type, user_home_type; files_mountpoint(container_ro_file_t) userdom_user_home_content(container_ro_file_t) @@ -568,7 +576,6 @@ tunable_policy(`virt_use_nfs',` fs_manage_nfs_symlinks(container_runtime_domain) fs_remount_nfs(container_runtime_domain) fs_mount_nfs(container_runtime_domain) - fs_unmount_nfs(container_runtime_domain) fs_exec_nfs_files(container_runtime_domain) kernel_rw_fs_sysctls(container_runtime_domain) allow container_runtime_domain nfs_t:file execmod; @@ -634,21 +641,16 @@ fs_manage_fusefs_dirs(container_runtime_domain) fs_manage_fusefs_files(container_runtime_domain) fs_manage_fusefs_symlinks(container_runtime_domain) fs_mount_fusefs(container_runtime_domain) -fs_unmount_fusefs(container_runtime_domain) fs_exec_fusefs_files(container_runtime_domain) storage_rw_fuse(container_runtime_domain) -optional_policy(` - files_search_all(container_domain) - container_read_share_files(container_domain) - container_exec_share_files(container_domain) - allow container_domain container_ro_file_t:file execmod; - container_lib_filetrans(container_domain,container_file_t, sock_file) - container_use_ptys(container_domain) - container_spc_stream_connect(container_domain) - fs_dontaudit_remount_tmpfs(container_domain) - dev_dontaudit_mounton_sysfs(container_domain) -') +files_search_all(container_domain) +container_read_share_files(container_domain) +container_exec_share_files(container_domain) +allow container_domain container_ro_file_t:file execmod; +container_lib_filetrans(container_domain,container_file_t, sock_file) +container_use_ptys(container_domain) +container_spc_stream_connect(container_domain) optional_policy(` apache_exec_modules(container_runtime_domain) @@ -746,7 +748,7 @@ tunable_policy(`container_connect_any',` # # spc local policy # -allow spc_t { container_file_t container_var_lib_t container_ro_file_t }:file entrypoint; +allow spc_t { container_file_t container_var_lib_t container_ro_file_t container_runtime_tmpfs_t}:file entrypoint; role system_r types spc_t; domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t) @@ -755,6 +757,7 @@ domtrans_pattern(container_runtime_domain, fusefs_t, spc_t) fs_tmpfs_filetrans(spc_t, container_file_t, { dir file lnk_file }) allow container_runtime_domain spc_t:process2 { nnp_transition nosuid_transition }; +allow spc_t container_file_type:file execmod; admin_pattern(spc_t, kubernetes_file_t) @@ -776,6 +779,10 @@ optional_policy(` systemd_dbus_chat_logind(spc_t) ') +domain_transition_all(spc_t) + +anaconda_domtrans_install(spc_t) + optional_policy(` dbus_chat_system_bus(spc_t) dbus_chat_session_bus(spc_t) @@ -878,7 +885,7 @@ container_manage_files_template(container, container) typeattribute container_file_t container_file_type, user_home_type; typeattribute container_t container_domain, container_net_domain, container_user_domain; allow container_user_domain self:process getattr; -allow container_domain { container_var_lib_t container_ro_file_t container_file_t }:file entrypoint; +allow container_domain { container_var_lib_t container_ro_file_t container_file_t container_runtime_tmpfs_t}:file entrypoint; allow container_runtime_domain container_domain:fifo_file rw_fifo_file_perms; allow container_domain container_runtime_domain:fifo_file { rw_fifo_file_perms map }; allow container_domain container_runtime_t:unix_dgram_socket sendto; @@ -897,6 +904,7 @@ dontaudit container_domain self:dir { write add_name }; allow container_domain self:file rw_file_perms; allow container_domain self:lnk_file read_file_perms; allow container_domain self:fifo_file create_fifo_file_perms; +allow container_domain self:fifo_file watch; allow container_domain self:filesystem associate; allow container_domain self:key manage_key_perms; allow container_domain self:netlink_route_socket r_netlink_socket_perms; @@ -916,28 +924,33 @@ allow container_domain self:unix_dgram_socket create_socket_perms; allow container_domain self:unix_stream_socket create_stream_socket_perms; dontaudit container_domain self:capability2 block_suspend ; allow container_domain self:unix_stream_socket { sendto create_stream_socket_perms }; -fs_rw_onload_sockets(container_domain) -fs_fusefs_entrypoint(container_domain) fs_fusefs_entrypoint(spc_t) container_read_share_files(container_domain) container_exec_share_files(container_domain) container_use_ptys(container_domain) container_spc_stream_connect(container_domain) -fs_dontaudit_remount_tmpfs(container_domain) + dev_dontaudit_mounton_sysfs(container_domain) dev_dontaudit_mounton_sysfs(container_domain) -fs_mount_tmpfs(container_domain) +dev_dontaudit_mounton_sysfs(container_domain) +dev_getattr_mtrr_dev(container_domain) +dev_list_sysfs(container_domain) +dev_mounton_sysfs(container_t) +dev_read_mtrr(container_domain) +dev_read_rand(container_domain) +dev_read_sysfs(container_domain) +dev_read_urand(container_domain) +dev_rw_inherited_dri(container_domain) +dev_rw_kvm(container_domain) +dev_rwx_zero(container_domain) +dev_write_rand(container_domain) +dev_write_urand(container_domain) +allow container_domain sysfs_t:dir watch; dontaudit container_domain container_runtime_tmpfs_t:dir read; allow container_domain container_runtime_tmpfs_t:dir mounton; - -dev_getattr_mtrr_dev(container_domain) -dev_list_sysfs(container_domain) -allow container_domain sysfs_t:dir watch; - -dev_rw_kvm(container_domain) -dev_rwx_zero(container_domain) +can_exec(container_domain, container_runtime_tmpfs_t) allow container_domain self:key manage_key_perms; dontaudit container_domain container_domain:key search; @@ -953,7 +966,7 @@ allow container_domain self:unix_dgram_socket { sendto create_socket_perms }; allow container_domain self:passwd rootok; allow container_domain self:filesystem associate; allow container_domain self:netlink_kobject_uevent_socket create_socket_perms; -allow container_domain container_runtime_domain:socket_class_set { accept ioctl read getattr lock write append getopt setopt }; +allow container_domain container_runtime_domain:socket_class_set { accept append getattr getopt ioctl lock map read recv_msg recvfrom send_msg sendto setopt shutdown write }; kernel_getattr_proc(container_domain) kernel_list_all_proc(container_domain) @@ -970,16 +983,42 @@ kernel_dontaudit_write_usermodehelper_state(container_domain) kernel_read_irq_sysctls(container_domain) kernel_get_sysvipc_info(container_domain) -fs_getattr_all_fs(container_domain) -fs_rw_inherited_tmpfs_files(container_domain) -fs_read_tmpfs_symlinks(container_domain) -fs_search_tmpfs(container_domain) -fs_list_hugetlbfs(container_domain) -fs_manage_hugetlbfs_files(container_domain) -fs_exec_hugetlbfs_files(container_domain) fs_dontaudit_getattr_all_dirs(container_domain) fs_dontaudit_getattr_all_files(container_domain) +fs_dontaudit_remount_tmpfs(container_domain) +fs_dontaudit_remount_tmpfs(container_domain) +fs_exec_fusefs_files(container_domain) +fs_exec_hugetlbfs_files(container_domain) +fs_fusefs_entrypoint(container_domain) +fs_getattr_all_fs(container_domain) +fs_list_cgroup_dirs(container_domain) +fs_list_hugetlbfs(container_domain) +fs_manage_bpf_files(container_domain) +fs_manage_fusefs_dirs(container_domain) +fs_manage_fusefs_files(container_domain) +fs_manage_fusefs_named_pipes(container_domain) +fs_manage_fusefs_named_sockets(container_domain) +fs_manage_fusefs_symlinks(container_domain) +fs_manage_hugetlbfs_files(container_domain) +fs_mount_fusefs(container_domain) +fs_unmount_fusefs(container_domain) +fs_mount_tmpfs(container_domain) +fs_unmount_tmpfs(container_domain) +fs_mount_xattr_fs(container_domain) +fs_unmount_xattr_fs(container_domain) +fs_mounton_cgroup(container_domain) +fs_mounton_fusefs(container_domain) +fs_read_cgroup_files(container_domain) fs_read_nsfs_files(container_domain) +fs_read_tmpfs_symlinks(container_domain) +fs_remount_xattr_fs(container_domain) +fs_rw_inherited_tmpfs_files(container_domain) +fs_rw_onload_sockets(container_domain) +fs_search_tmpfs(container_domain) +fs_unmount_cgroup(container_domain) +fs_unmount_fusefs(container_domain) +fs_unmount_nsfs(container_domain) +fs_unmount_xattr_fs(container_domain) term_use_all_inherited_terms(container_domain) @@ -1003,18 +1042,6 @@ gen_require(` type cgroup_t; ') -dev_read_sysfs(container_domain) -dev_read_mtrr(container_domain) -dev_mounton_sysfs(container_t) - -fs_mounton_cgroup(container_t) -fs_unmount_cgroup(container_t) - -dev_read_rand(container_domain) -dev_write_rand(container_domain) -dev_read_urand(container_domain) -dev_write_urand(container_domain) - files_read_kernel_modules(container_domain) allow container_file_t cgroup_t:filesystem associate; @@ -1069,9 +1096,6 @@ gen_require(` ') dontaudit container_domain usermodehelper_t:file write; -fs_read_cgroup_files(container_domain) -fs_list_cgroup_dirs(container_domain) - sysnet_read_config(container_domain) allow container_domain self:cap_userns { chown dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap }; @@ -1099,20 +1123,6 @@ tunable_policy(`container_manage_cgroup',` fs_manage_cgroup_files(container_domain) ') -fs_manage_fusefs_named_sockets(container_domain) -fs_manage_fusefs_named_pipes(container_domain) -fs_manage_fusefs_dirs(container_domain) -fs_manage_fusefs_files(container_domain) -fs_manage_fusefs_symlinks(container_domain) -fs_manage_fusefs_named_sockets(container_domain) -fs_manage_fusefs_named_pipes(container_domain) -fs_exec_fusefs_files(container_domain) -fs_mount_xattr_fs(container_domain) -fs_unmount_xattr_fs(container_domain) -fs_remount_xattr_fs(container_domain) -fs_mount_fusefs(container_domain) -fs_unmount_fusefs(container_domain) -fs_mounton_fusefs(container_domain) storage_rw_fuse(container_domain) allow container_domain fusefs_t:file { mounton execmod }; allow container_domain fusefs_t:filesystem remount; @@ -1187,6 +1197,7 @@ dev_mount_sysfs_fs(container_userns_t) dev_mounton_sysfs(container_userns_t) fs_mount_tmpfs(container_userns_t) +fs_unmount_tmpfs(container_userns_t) fs_relabelfrom_tmpfs(container_userns_t) fs_remount_cgroup(container_userns_t) @@ -1383,6 +1394,10 @@ tunable_policy(`container_use_devices',` allow container_domain device_node:blk_file {rw_blk_file_perms map}; ') +tunable_policy(`container_use_dri_devices',` + dev_rw_dri(container_domain) +') + tunable_policy(`virt_sandbox_use_sys_admin',` allow container_init_t self:capability sys_admin; allow container_init_t self:cap_userns sys_admin; @@ -1399,19 +1414,24 @@ fs_mounton_cgroup(container_engine_t) fs_unmount_cgroup(container_engine_t) fs_manage_cgroup_dirs(container_engine_t) fs_manage_cgroup_files(container_engine_t) -fs_mount_tmpfs(container_engine_t) fs_write_cgroup_files(container_engine_t) - -allow container_engine_t proc_t:file mounton; -allow container_engine_t sysctl_t:file mounton; -allow container_engine_t sysfs_t:filesystem remount; - +fs_remount_cgroup(container_engine_t) +fs_mount_all_fs(container_engine_t) +fs_remount_all_fs(container_engine_t) +fs_unmount_all_fs(container_engine_t) +kernel_mounton_all_sysctls(container_engine_t) kernel_mount_proc(container_engine_t) -kernel_mounton_core_if(container_engine_t) kernel_mounton_proc(container_engine_t) +kernel_mounton_core_if(container_engine_t) kernel_mounton_systemd_ProtectKernelTunables(container_engine_t) - term_mount_pty_fs(container_engine_t) +term_use_generic_ptys(container_engine_t) + +allow container_engine_t container_file_t:chr_file mounton; +allow container_engine_t filesystem_type:{dir file} mounton; +allow container_engine_t proc_kcore_t:file mounton; +allow container_engine_t proc_t:filesystem remount; +allow container_engine_t sysctl_t:{dir file} mounton; type kubelet_t, container_runtime_domain; domain_type(kubelet_t) @@ -1516,6 +1536,9 @@ role container_user_r types container_user_domain; role container_user_r types container_net_domain; role container_user_r types container_file_type; container_runtime_run(container_user_t, container_user_r) +unconfined_role_change_to(container_user_r) + +container_use_ptys(container_user_t) fs_manage_cgroup_dirs(container_user_t) fs_manage_cgroup_files(container_user_t) @@ -1524,6 +1547,12 @@ selinux_compute_access_vector(container_user_t) systemd_dbus_chat_hostnamed(container_user_t) systemd_start_systemd_services(container_user_t) +allow container_runtime_t container_user_t:process transition; +allow container_runtime_t container_user_t:process2 nnp_transition; +allow container_user_t container_runtime_t:fifo_file rw_fifo_file_perms; + +allow container_user_t container_file_t:chr_file manage_chr_file_perms; +allow container_user_t container_file_t:file entrypoint; allow container_domain container_file_t:file entrypoint; allow container_domain container_ro_file_t:file { entrypoint execmod execute execute_no_trans getattr ioctl lock map open read }; @@ -1533,3 +1562,8 @@ allow container_domain fusefs_t:file { append create entrypoint execmod execute corecmd_entrypoint_all_executables(container_kvm_t) allow svirt_sandbox_domain exec_type:file { entrypoint execute execute_no_trans getattr ioctl lock map open read }; allow svirt_sandbox_domain mountpoint:file entrypoint; + +tunable_policy(`deny_ptrace',`',` + allow container_domain self:process ptrace; + allow spc_t self:process ptrace; +') diff --git a/file_contexts.subs_dist b/file_contexts.subs_dist index beaff36..7d7fca7 100644 --- a/file_contexts.subs_dist +++ b/file_contexts.subs_dist @@ -1,5 +1,5 @@ -/run /var/run -/run/lock /var/lock +/var/run /run +/var/lock /run/lock /var/run/lock /var/lock /lib /usr/lib /lib64 /usr/lib @@ -10,6 +10,8 @@ /etc/systemd/system /usr/lib/systemd/system /run/systemd/system /usr/lib/systemd/system /run/systemd/generator /usr/lib/systemd/system +/run/systemd/generator.early /usr/lib/systemd/system +/run/systemd/generator.late /usr/lib/systemd/system /var/lib/xguest/home /home /var/run/netconfig /etc /var/adm/netconfig/md5/etc /etc diff --git a/selinux-policy-20240321.tar.xz b/selinux-policy-20240321.tar.xz deleted file mode 100644 index e61a0a9..0000000 --- a/selinux-policy-20240321.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ed0bad67b8e0c601abcebefc191e3c0b97b05d6090d63e83e61f9fcda36f4903 -size 767332 diff --git a/selinux-policy-20240411.tar.xz b/selinux-policy-20240411.tar.xz new file mode 100644 index 0000000..7127a19 --- /dev/null +++ b/selinux-policy-20240411.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3570c8520464f6d7719a016ea1d7b65c1a276102d75fbdaf7be4e7decaa1307d +size 768484 diff --git a/selinux-policy.changes b/selinux-policy.changes index a48fb5d..d478761 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,107 @@ +------------------------------------------------------------------- +Mon Jun 3 13:42:13 UTC 2024 - Johannes Segitz + +- Remove "Reference" from the package description. It's not the + reference policy, but the Fedora branch of the policy + +------------------------------------------------------------------- +Tue May 28 11:12:57 UTC 2024 - Cathy Hu + +- Use python311 tools in 15.4 and 15.5 when building selinux-policy to deprecate + python36 tooling + +------------------------------------------------------------------- +Wed May 8 11:06:43 UTC 2024 - Johannes Segitz + +- Fixed varrun-convert.sh script to not break because of duplicate + entries + +------------------------------------------------------------------- +Mon May 6 07:44:20 UTC 2024 - Johannes Segitz + +- Move to %posttrans to ensure selinux-policy got updated before + the commands run (bsc#1221720) + +------------------------------------------------------------------- +Mon Apr 15 13:23:40 UTC 2024 - Cathy Hu + +- Add file contexts "forwarding" to file_contexts.sub_dist + to fix systemd-gpt-auto-generator and systemd-fstab-generator + (bsc#1222736): + * /run/systemd/generator.early /usr/lib/systemd/system + * /run/systemd/generator.late /usr/lib/systemd/system + +------------------------------------------------------------------- +Thu Apr 11 15:13:31 UTC 2024 - cathy.hu@suse.com + +- Update to version 20240411: + * Remove duplicate in sysnetwork.fc + * Rename /var/run/wicked* to /run/wicked* + * Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc + * policy: support pidfs + * Confine selinux-autorelabel-generator.sh + * Allow logwatch_mail_t read/write to init over a unix stream socket + * Allow logwatch read logind sessions files + * files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it + * files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it + * Allow NetworkManager the sys_ptrace capability in user namespace + * dontaudit execmem for modemmanager + * Allow dhcpcd use unix_stream_socket + * Allow dhcpc read /run/netns files + * Update mmap_rw_file_perms to include the lock permission + * Allow plymouthd log during shutdown + * Add logging_watch_all_log_dirs() and logging_watch_all_log_files() + * Allow journalctl_t read filesystem sysctls + * Allow cgred_t to get attributes of cgroup filesystems + * Allow wdmd read hardware state information + * Allow wdmd list the contents of the sysfs directories + * Allow linuxptp configure phc2sys and chronyd over a unix domain socket + * Allow sulogin relabel tty1 + * Dontaudit sulogin the checkpoint_restore capability + * Modify sudo_role_template() to allow getpgid + * Allow userdomain get attributes of files on an nsfs filesystem + * Allow opafm create NFS files and directories + * Allow virtqemud create and unlink files in /etc/libvirt/ + * Allow virtqemud domain transition on swtpm execution + * Add the swtpm.if interface file for interactions with other domains + * Allow samba to have dac_override capability + * systemd: allow sys_admin capability for systemd_notify_t + * systemd: allow systemd_notify_t to send data to kernel_t datagram sockets + * Allow thumb_t to watch and watch_reads mount_var_run_t + * Allow krb5kdc_t map krb5kdc_principal_t files + * Allow unprivileged confined user dbus chat with setroubleshoot + * Allow login_userdomain map files in /var + * Allow wireguard work with firewall-cmd + * Differentiate between staff and sysadm when executing crontab with sudo + * Add crontab_admin_domtrans interface + * Allow abrt_t nnp domain transition to abrt_handle_event_t + * Allow xdm_t to watch and watch_reads mount_var_run_t + * Dontaudit subscription manager setfscreate and read file contexts + * Don't audit crontab_domain write attempts to user home + * Transition from sudodomains to crontab_t when executing crontab_exec_t + * Add crontab_domtrans interface + * Fix label of pseudoterminals created from sudodomain + * Allow utempter_t use ptmx + * Dontaudit rpmdb attempts to connect to sssd over a unix stream socket + * Allow admin user read/write on fixed_disk_device_t + * Only allow confined user domains to login locally without unconfined_login + * Add userdom_spec_domtrans_confined_admin_users interface + * Only allow admindomain to execute shell via ssh with ssh_sysadm_login + * Add userdom_spec_domtrans_admin_users interface + * Move ssh dyntrans to unconfined inside unconfined_login tunable policy + * Update ssh_role_template() for user ssh-agent type + * Allow init to inherit system DBus file descriptors + * Allow init to inherit fds from syslogd + * Allow any domain to inherit fds from rpm-ostree + * Update afterburn policy + * Allow init_t nnp domain transition to abrtd_t + * Rename all /var/lock file context entries to /run/lock + * Rename all /var/run file context entries to /run +- Add script varrun-convert.sh for locally existing modules + to be able to cope with the /var/run -> /run change +- Update embedded container-selinux to commit + a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e + ------------------------------------------------------------------- Thu Mar 21 10:44:09 UTC 2024 - jsegitz@suse.com diff --git a/selinux-policy.spec b/selinux-policy.spec index 594e181..41e7962 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -33,7 +33,7 @@ Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20240321 +Version: 20240411 Release: 0 Source0: %{name}-%{version}.tar.xz Source1: container.fc @@ -61,6 +61,9 @@ Source30: setrans-targeted.conf Source31: setrans-mls.conf Source32: setrans-minimum.conf +# Script to convert /var/run file context entries to /run +Source37: varrun-convert.sh + Source40: securetty_types-targeted Source41: securetty_types-mls Source42: securetty_types-minimum @@ -80,20 +83,26 @@ Source95: macros.selinux-policy URL: https://github.com/fedora-selinux/selinux-policy.git BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch +%if 0%{?suse_version} < 1600 +%define python_for_executables python311 +BuildRequires: %{python_for_executables} +BuildRequires: %{python_for_executables}-policycoreutils +%else +BuildRequires: %primary_python +BuildRequires: %{python_module policycoreutils} +%endif BuildRequires: checkpolicy BuildRequires: gawk BuildRequires: libxml2-tools BuildRequires: m4 BuildRequires: policycoreutils BuildRequires: policycoreutils-devel -BuildRequires: python3 -BuildRequires: python3-policycoreutils # we need selinuxenabled Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): pam-config -Requires(post): pam-config -Requires(post): selinux-tools -Requires(post): /usr/bin/sha512sum +Requires(posttrans): pam-config +Requires(posttrans): selinux-tools +Requires(posttrans): /usr/bin/sha512sum Recommends: audit Recommends: selinux-tools # for audit2allow @@ -212,6 +221,7 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ +%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \ %nil @@ -248,6 +258,7 @@ fi; %define postInstall() \ . %{_sysconfdir}/selinux/config; \ +%{_libexecdir}/selinux/varrun-convert.sh %2; \ if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \ rm %{_sysconfdir}/selinux/%2/.rebuild; \ /usr/sbin/semodule -B -n -s %2; \ @@ -292,9 +303,8 @@ for i in $contrib_modules $base_modules; do \ done; %description -SELinux Reference Policy. A complete SELinux policy that can be used -as the system policy for a variety of systems and used as the basis for -creating other policies. +A complete SELinux policy that can be used as the system policy for a variety +of systems and used as the basis for creating other policies. %files %defattr(-,root,root,-) @@ -305,6 +315,7 @@ creating other policies. %ghost %config(noreplace) %{_sysconfdir}/selinux/config %{_tmpfilesdir}/selinux-policy.conf %{_rpmconfigdir}/macros.d/macros.selinux-policy +%{_libexecdir}/selinux/varrun-convert.sh %package sandbox Summary: SELinux policy sandbox @@ -372,6 +383,9 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} cp $i selinux_config done +mkdir -p %{buildroot}%{_libexecdir}/selinux +install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux + make clean %if %{BUILD_TARGETED} %makeCmds targeted mcs allow @@ -527,12 +541,12 @@ Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} %description targeted -SELinux Reference policy targeted base module. +SELinux policy targeted base module. %pre targeted %preInstall targeted -%post targeted +%posttrans targeted %postInstall $1 targeted exit 0 @@ -562,7 +576,7 @@ Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} %description minimum -SELinux Reference policy minimum base module. +SELinux policy minimum base module. %pre minimum %preInstall minimum @@ -623,12 +637,12 @@ Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} %description mls -SELinux Reference policy mls base module. +SELinux policy mls base module. %pre mls %preInstall mls -%post mls +%posttrans mls %postInstall $1 mls %postun mls diff --git a/varrun-convert.sh b/varrun-convert.sh new file mode 100644 index 0000000..270ce1e --- /dev/null +++ b/varrun-convert.sh @@ -0,0 +1,105 @@ +#!/bin/bash +### varrun-convert.sh +### convert legacy filecontext entries containing /var/run to /run +### and load an extra selinux module with the new content +### the script takes a policy name as an argument + +# Set DEBUG=yes before running the script to get more verbose output +# on the terminal and to the $LOG file +if [ "${DEBUG}" = "yes" ]; then + set -x +fi + +# Auxiliary and log files will be created in OUTPUTDIR +OUTPUTDIR="/run/selinux-policy" +LOG="$OUTPUTDIR/log" +mkdir -p ${OUTPUTDIR} + +if [ -z ${1} ]; then + [ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG + exit +fi + +SEMODULEOPT="-s ${1}" +[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}" + +# Take current file_contexts and unify whitespace separators +FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts" +FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified" +if [ ! -f ${FILE_CONTEXTS} ]; then + [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG + exit +fi + +if ! grep -q ^/var/run ${FILE_CONTEXTS}; then + [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG + exit 0 +fi + +EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt" +EXTRA_VARRUN_ENTRIES_WITHDUP_TMP="$OUTPUTDIR/extra_varrun_entries_dup.tmp" +EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt" +EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil" + +# Print only /var/run entries +grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP} + +# Unify whitespace separators +sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP} +sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED} + +rm -f $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP +touch $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP +# Deduplicate already existing /var/run=/run entries +while read line +do + subline="${line#/var}" + if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then + # check for overal duplicate entries + subline2=$(echo $line | sed -E -e 's/ \S+$//') + if ! grep -q "^${subline2}" ${EXTRA_VARRUN_ENTRIES_WITHDUP_TMP}; then + echo "$line" + echo "$line" >> $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP + else + >&2 echo "DUP: $line" + fi + fi +done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES} + +# Change /var/run to /run +sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES} + +# Exception handling: packages with already duplicate entries +sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES} +sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES} +sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES} + +# Change format to cil +sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES} +sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES} + +# Handle entries with <> which do not match previous regexps +sed -i s'/ <>$/ ())/' ${EXTRA_VARRUN_ENTRIES} + +# Wrap each line with an optional block +i=1 +while read line +do + echo "(optional extra_var_run_${i}" + echo " $line" + echo ")" + ((i++)) +done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL} + +# Load module +[ -s ${EXTRA_VARRUN_CIL} ] && +/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL} +