C9s build 20241213 #2485

Merged
merged 8 commits into from
Dec 13, 2024
Merged
1 change: 1 addition & 0 deletions policy/modules/admin/netutils.te
Expand Up @@ -75,6 +75,7 @@ corenet_tcp_sendrecv_all_ports(netutils_t)
corenet_udp_sendrecv_all_ports(netutils_t)
corenet_tcp_connect_all_ports(netutils_t)
corenet_sendrecv_all_client_packets(netutils_t)
corenet_rawip_bind_unreserved_port(netutils_t)
corenet_udp_bind_generic_node(netutils_t)

dev_read_sysfs(netutils_t)
2 changes: 1 addition & 1 deletion policy/modules/contrib/cups.if
Expand Up @@ -124,7 +124,7 @@ interface(`cups_read_pid_files',`
')

files_search_pids($1)
allow $1 cupsd_var_run_t:file read_file_perms;
read_files_pattern($1, cupsd_var_run_t, cupsd_var_run_t)
')

########################################
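Review bot: The `read_files_pattern($1, cupsd_var_run_t, cupsd_var_run_t)` line also grants search on cupsd_var_run_t directories, which the `allow $1 cupsd_var_run_t:file read_file_perms;` rule it replaces did not, so every caller of cups_read_pid_files gains that access, not only the one that hit a denial. That is the usual refpolicy shape for a read interface and is presumably what was intended; just note that the change is a widening rather than a pure rewrite. The interface body starts above the hunk, so its summary text could not be checked here.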
1 change: 1 addition & 0 deletions policy/modules/contrib/irqbalance.te
Expand Up @@ -23,6 +23,7 @@ files_pid_file(irqbalance_var_run_t)

allow irqbalance_t self:capability { setpcap net_admin };
dontaudit irqbalance_t self:capability sys_tty_config;
allow irqbalance_t self:cap_userns setpcap;
allow irqbalance_t self:process { getcap getsched setcap signal_perms };
allow irqbalance_t self:udp_socket create_socket_perms;

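Review bot: The new `allow irqbalance_t self:cap_userns setpcap;` implies irqbalance now runs at least part of its startup inside a user namespace, where the kernel checks capabilities against cap_userns instead of capability; the rule directly above pairs setpcap with net_admin, so whether net_admin is also needed on cap_userns depends on which operations happen from inside that namespace and is worth confirming against the AVC that motivated this. None of the neighbouring rules carry a reason, so a one-line why-comment such as `# capability drop happens inside a user namespace` would record why cap_userns appears here at all.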
1 change: 1 addition & 0 deletions policy/modules/contrib/rpc.te
Expand Up @@ -161,6 +161,7 @@ kernel_write_proc_files(rpcd_t)
kernel_read_network_state(rpcd_t)
# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
kernel_read_net_sysctls(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
kernel_signal(rpcd_t)
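Review bot: The new `kernel_read_net_sysctls(rpcd_t)` sits directly under the `# for rpc.rquotad` comment that was written for `kernel_read_sysctl(rpcd_t)`, so a reader will attribute the /proc/sys/net access to rquotad. If that is not the case, place the line above the comment or give it its own, e.g. `# <which rpc daemon reads net sysctls — TODO fill from the AVC>`. It is presumably not redundant with the call above it, since kernel_read_sysctl covers the sysctl_t objects rather than the net sysctl type, but that is inferred rather than visible here.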
1 change: 1 addition & 0 deletions policy/modules/contrib/virt.te
Expand Up @@ -371,6 +371,7 @@ files_mountpoint(container_ro_file_t)
# svirt local policy
#

allow svirt_t self:capability sys_rawio;
allow svirt_t self:process ptrace;

allow svirt_t self:netlink_rdma_socket create_socket_perms;
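Review bot: `allow svirt_t self:capability sys_rawio;` grants the confined guest domain a broad capability (it gates iopl/ioperm, unfiltered SG_IO passthrough and similar raw device access) unconditionally and without a comment, under a heading that only says `# svirt local policy`. The use case should be recorded on the line, e.g. `# sys_rawio: <device-passthrough workload that triggered it — fill from the AVC>`, and if it is only needed for a specific passthrough configuration it is a candidate for a tunable rather than a default grant to every guest. Since svirt_t is the domain that runs guest-controlled workloads, this is the rule in the PR most worth a second look.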
18 changes: 18 additions & 0 deletions policy/modules/kernel/corenetwork.if.in
Expand Up @@ -1696,6 +1696,24 @@ interface(`corenet_udp_send_all_ports',`
allow $1 port_type:udp_socket send_msg;
')

########################################
## <summary>
## Bind rawip sockets to unreserved ports.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corenet_rawip_bind_unreserved_port',`
gen_require(`
type unreserved_port_t;
')

allow $1 unreserved_port_t:rawip_socket name_bind;
')

########################################
## <summary>
## Bind SCTP sockets to generic ports.
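Review bot: The summary of the new `corenet_rawip_bind_unreserved_port` says "bind rawip sockets to unreserved ports", but a raw IP socket has no port of its own; what name_bind checks for rawip_socket is, as far as the bind path goes, the port field the caller placed in the bound sockaddr, which the raw socket otherwise does not use. A sentence in the `<summary>` making that explicit, e.g. `## The "port" is the port field of the bound address, which raw sockets do not otherwise use.`, would save the next reader from looking for a listening port. The interface body itself follows the shape of the other corenet bind interfaces.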
3 changes: 1 addition & 2 deletions policy/modules/kernel/files.fc
Expand Up @@ -202,8 +202,6 @@ ifdef(`distro_redhat',`
/run/.*\.*pid <<none>>
/run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)

/run/sysctl\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0)

/sandbox(/.*)? gen_context(system_u:object_r:tmp_t,s0)
#
# /selinux
Expand Down Expand Up @@ -320,6 +318,7 @@ ifndef(`distro_redhat',`
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>>
/var/run/lock/.* <<none>>
/var/run/sysctl\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0)

/run/cockpit/motd -- gen_context(system_u:object_r:etc_t,s0)

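Review bot: The second hunk's `@@` context label is `ifndef(`distro_redhat',`, and the spec the first hunk removes sits under `ifdef(`distro_redhat',`; if those labels reflect the enclosing m4 blocks rather than merely the nearest earlier unindented line, `/var/run/sysctl\.d(/.*)?` would be excluded on Red Hat builds and /run/sysctl.d would lose its system_conf_t label there. Since `/run/cockpit/motd` shares the second hunk, the blocks have probably closed before these lines, but please confirm. Whether the new `/var/run/...` spelling is the one actually matched also depends on the direction of the /run and /var/run entry in file_contexts.subs_dist; both spellings now coexist in the same hunk, so a comment stating which one is canonical for this file would help.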
2 changes: 2 additions & 0 deletions policy/modules/system/logging.te
Expand Up @@ -161,6 +161,8 @@ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;

allow auditctl_t self:process getcap;

allow auditctl_t auditd_t:process signal;

read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms;
allow auditctl_t auditd_etc_t:file map;
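Review bot: `allow auditctl_t auditd_t:process signal;` lets auditctl deliver every signal outside the sigkill/sigstop/sigchld/signull classes to auditd, and nothing in the surrounding block says why. A why-comment naming the feature that needs it, e.g. `# auditctl --signal (reload/stop/rotate) sends signals to auditd`, adjusted to whatever the denial showed, keeps this from reading as an accidental widening. If only a reload is needed the permission is still `signal`, since SELinux does not distinguish individual signals beyond those four special cases.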
3 changes: 2 additions & 1 deletion policy/modules/system/systemd.te
Expand Up @@ -1132,7 +1132,8 @@ systemd_read_efivarfs(systemd_sysctl_t)
# sys_ptrace - to read /proc/<pid>/exe of the dumped process
# setgid setuid - to set own credentials to match the dumped process credentials
# setpcap - to drop capabilities
allow systemd_coredump_t self:capability { dac_read_search net_admin setgid setpcap setuid sys_admin sys_chroot sys_ptrace sys_resource };
allow systemd_coredump_t self:capability { dac_read_search net_admin setgid setpcap setuid sys_admin sys_chroot sys_ptrace };
dontaudit systemd_coredump_t self:capability sys_resource;
allow systemd_coredump_t self:cap_userns { dac_read_search dac_override sys_admin sys_ptrace };

# To set its capability set
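Review bot: The new `dontaudit systemd_coredump_t self:capability sys_resource;` carries no rationale, while the comment lines just above the hunk explain the allowed capabilities one per line (sys_ptrace, setgid setuid, setpcap; the block may continue outside the hunk). Add a matching line such as `# sys_resource - requested by <call, e.g. a setrlimit/prlimit that succeeds without it>, not needed` so the reason survives. A dontaudit also hides the denial permanently, so if handling of large dumps later fails silently, `semodule -DB` is the first thing to check; the comment should make that hazard visible.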