!234 backport some upstream patches

From: @beta_dz 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
openeuler-ci-bot 2025-05-16 15:30:04 +00:00 committed by Gitee
commit 7bfda238fe
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 84 additions and 1 deletions


@ -0,0 +1,48 @@
From 2313c55d3f4f84df05368efc1ef5496dab8ff156 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 9 Apr 2021 20:35:09 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/2313c55d3f4f84df05368efc1ef5496dab8ff156
Conflict: NA
Subject: [PATCH] Label /etc/redis as redis_conf_t
With a new redis version, the configuration file in the /etc/redis
directory are used instead if individual configuration files in /etc.
This change needs to be backed with proper labeling of /etc/redis.
Example of a denial which is being addresses by this commit:
----
type=PROCTITLE msg=audit(04/09/2021 11:12:52.959:517) :
proctitle=/usr/bin/redis-sentinel *:26379 [sentinel]
type=PATH msg=audit(04/09/2021 11:12:52.959:517) : item=0 name=/etc/redis/sentinel.conf
inode=16824738 dev=fd:02 mode=file,640 ouid=redis ogid=root rdev=00:00
obj=system_u:object_r:etc_t:s0 nametype=NORMAL
cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/09/2021 11:12:52.959:517) : cwd=/tmp
type=SYSCALL msg=audit(04/09/2021 11:12:52.959:517) : arch=x86_64 syscall=access
success=no exit=EACCES(Permission denied) a0=0x7f054ee0e2a1 a1=W_OK a2=0x0 a3=0x8
items=1 ppid=1 pid=3747 auid=unset uid=redis gid=redis euid=redis suid=redis fsuid=redis
egid=redis sgid=redis fsgid=redis tty=(none) ses=unset comm=redis-sentinel
exe=/usr/bin/redis-server subj=system_u:system_r:redis_t:s0 key=(null)
type=AVC msg=audit(04/09/2021 11:12:52.959:517) : avc: denied { write }
for pid=3747 comm=redis-sentinel name=sentinel.conf dev="vda2" ino=16824738
scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:etc_t:s0
tclass=file permissive=0
----
---
policy/modules/contrib/redis.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/redis.fc b/policy/modules/contrib/redis.fc
index 83edd1be2..53e58bacb 100644
--- a/policy/modules/contrib/redis.fc
+++ b/policy/modules/contrib/redis.fc
@@ -1,5 +1,6 @@
/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
+/etc/redis(/.*)? gen_context(system_u:object_r:redis_conf_t,s0)
/etc/redis-sentinel.* -- gen_context(system_u:object_r:redis_conf_t,s0)
/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
--
2.27.0
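Review bot: the relabel by itself only changes the target type in the quoted AVC (tcontext etc_t becomes redis_conf_t); the denial is a { write } by redis_t on sentinel.conf, so this backport resolves it only if redis.te in this 3.14.2 tree already grants redis_t write/manage access on redis_conf_t, which the hunk does not touch. The existing `/etc/redis-sentinel.* -- gen_context(system_u:object_r:redis_conf_t,s0)` entry shows the type exists, not that write access is allowed, so please confirm that rule before merging. The new pattern `/etc/redis(/.*)?` is anchored, so it does not overlap the `/etc/redis-sentinel.*` entry below it; please also confirm the package's post-install relabel picks up the new entry on upgrade, otherwise existing installs need a manual `restorecon -R /etc/redis`.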


@ -0,0 +1,28 @@
From 55b2dfdddf231f35adda18174b6f9cd9488eff1b Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour <demiobenour@gmail.com>
Date: Fri, 28 Aug 2020 09:49:11 -0400
Reference: https://github.com/fedora-selinux/selinux-policy/commit/55b2dfdddf231f35adda18174b6f9cd9488eff1b
Conflict: NA
Subject: [PATCH] Relabel /usr/sbin/charon-systemd as ipsec_exec_t
This causes StrongSwan to be run with the `ipsec_exec_t` context, which allows it to bind to its sockets.
---
policy/modules/system/ipsec.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index e1a4f6822..c33edcced 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -50,7 +50,7 @@
/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/strongimcv/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/sbin/charon-systemd -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/sbin/charon-systemd -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
--
2.27.0
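Review bot: switching /usr/sbin/charon-systemd from ipsec_mgmt_exec_t to ipsec_exec_t changes which domain the daemon transitions into (ipsec_t rather than ipsec_mgmt_t), so the question is whether this tree's ipsec_t rules cover everything charon-systemd does beyond binding its sockets (reading its configuration and secrets, logging, and anything else the daemon touches at startup). The upstream commit was written against Fedora's strongswan packaging; please confirm the openEuler strongswan unit actually executes /usr/sbin/charon-systemd and test a start in enforcing mode with audit logging before merging. Unlike the redis patch, the description quotes no denial for the "bind to its sockets" claim; adding the AVC to the backport header would make the change verifiable.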


@ -12,7 +12,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.14.2
Release: 81
Release: 82
License: GPLv2+
URL: https://github.com/fedora-selinux/selinux-policy/
@ -112,6 +112,8 @@ Patch6037: backport-iptables.fc-Add-missing-legacy-entries.patch
Patch6038: backport-iptables.fc-Add-missing-legacy-restore-and-legacy-sa.patch
Patch6039: backport-Add-file-context-for-.config-Yubico.patch
Patch6040: backport-Change-transitions-for-.config-Yubico.patch
Patch6041: backport-Label-etc-redis-as-redis_conf_t.patch
Patch6042: backport-Relabel-usr-sbin-charon-systemd-as-ipsec_exec_t.patch
Patch9000: allow-httpd-to-put-files-in-httpd-config-dir.patch
Patch9001: add-rule-for-hostnamed-to-rpmscript-dbus-chat.patch
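Review bot: this hunk only declares Patch6041 and Patch6042; if %prep in this spec applies patches with explicit %patchNNNN lines rather than %autosetup, the matching apply lines are missing and the two backports will be listed but never applied. Please confirm which mechanism the spec uses, and that the two file names match the added patch files exactly.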
@ -784,6 +786,11 @@ exit 0
%endif
%changelog
* Sat Nov 25 2023 beta <beta@yfqm.date> - 3.14.2-82
- backport some upstream patches
backport-Label-etc-redis-as-redis_conf_t.patch
backport-Relabel-usr-sbin-charon-systemd-as-ipsec_exec_t.patch
* Tue Nov 7 2023 jinlun<jinlun@huawei.com> - 3.14.2-81
- enforcing selinux
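Review bot: the changelog entry is dated Sat Nov 25 2023 while this commit is dated 2025-05-16 (header above); if the change was rebased for this submission, refresh the entry date so the changelog reflects when the change was actually made. Minor: the two patch file names under the bullet are unindented continuation lines; indent them or prefix each with `- ` to match the surrounding changelog style.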