F39 backports #1924


Merged
merged 8 commits into from
Nov 14, 2023
Conversation

zpytela
Contributor

@zpytela zpytela commented Nov 2, 2023

No description provided.

jhamlin96 and others added 8 commits November 2, 2023 16:46

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(10/30/2023 04:46:52.693:699) : proctitle=/usr/sbin/ntpd -g -N -u ntp:ntp
type=SOCKADDR msg=audit(10/30/2023 04:46:52.693:699) : saddr={ saddr_fam=inet6 laddr=2001:67c:2550:d::7 lport=4460 }
type=SYSCALL msg=audit(10/30/2023 04:46:52.693:699) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x4 a1=0x7fdc94003570 a2=0x1c a3=0x4000 items=0 ppid=1 pid=4646 auid=unset uid=ntp gid=ntp euid=ntp suid=ntp fsuid=ntp egid=ntp sgid=ntp fsgid=ntp tty=(none) ses=unset comm=ntpd exe=/usr/sbin/ntpd subj=system_u:system_r:ntpd_t:s0 key=(null)
type=AVC msg=audit(10/30/2023 04:46:52.693:699) : avc:  denied  { name_connect } for  pid=4646 comm=ntpd dest=4460 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntske_port_t:s0 tclass=tcp_socket permissive=0

The NTP daemon can be configured as an NTS-enabled client or server.
For a client, appending "server add.rr.eee.ss nts [other options]" to ntp.conf to connect to an NTS-enabled server will trigger the above AVC denial.
For a server, appending the "nts enable", "nts key /path/to/key.pem" and "nts cert /path/to/cert.pem" lines to ntp.conf to enable NTS server functionality triggers a similar AVC denial when attempting to bind to TCP port 4460.

Resolves: #2246805, RHEL-15085

This commit expands commit 7367896 to include the winbind_rpcd_t process, allowing it to access all samba shares when the boolean samba_export_all_rw or samba_export_all_ro is enabled.

Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>

FDO calls /usr/bin/pwmake (part of libpwquality), which links to libcrack, which needs to read its dictionaries. Currently, disk reencryption fails with the following journal entries:
Oct 19 16:21:58 hostname fdo-client-linuxapp[1232]:  2023-10-19T16:21:58.175Z INFO  fdo_client_linuxapp::serviceinfo > Initiating disk re-encryption, disk-label: /dev/vda3, pin: tpm2, config: {}, reencrypt: true
Oct 19 16:21:58 hostname audit[1488]: AVC avc:  denied  { search } for  pid=1488 comm="pwmake" name="cracklib" dev="dm-1" ino=164196 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Oct 19 16:21:58 hostname audit[1488]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd0d8e1000 a2=0 a3=0 items=0 ppid=1477 pid=1488 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pwmake" exe="/usr/bin/pwmake" subj=system_u:>
Oct 19 16:21:58 hostname fdo-client-linuxapp[1232]:  2023-10-19T16:21:58.256Z ERROR fdo_client_linuxapp              > ServiceInfo failed, error: Error processing returned serviceinfo

Resolves: rhbz#2245935

The commit addresses the following AVC denial:
type=AVC msg=audit(1680632459.060:1061): avc:  denied  { getattr } for  pid=1635 comm="nfsd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0

Resolves: rhbz#2184456

In particular, assign dovecot_auth_tmp_t to the systemd_private_tmp_type attribute.

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(22.09.2023 08:55:07.987:16989) : proctitle=/usr/lib/systemd/systemd --switched-root --system --deserialize=35
type=PATH msg=audit(22.09.2023 08:55:07.987:16989) : item=1 name=krb5_97.rcache2 inode=1180153 dev=fd:02 mode=file,600 ouid=dovecot ogid=dovecot rdev=00:00 obj=system_u:object_r:dovecot_auth_tmp_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(22.09.2023 08:55:07.987:16989) : item=0 name=/ inode=1179778 dev=fd:02 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(22.09.2023 08:55:07.987:16989) : arch=x86_64 syscall=unlinkat success=no exit=EACCES(Prístup odmietnutý) a0=0x74 a1=0x7fe830008c83 a2=0x0 a3=0x4 items=2 ppid=0 pid=1 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(22.09.2023 08:55:07.987:16989) : avc:  denied  { unlink } for  pid=1 comm=systemd name=krb5_97.rcache2 dev="dm-2" ino=1180153 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:dovecot_auth_tmp_t:s0 tclass=file permissive=0

Resolves: rhbz#2216408

In particular, assign kdumpctl_tmp_t to the systemd_private_tmp_type attribute.

The commit addresses the following AVC denial:
AVC avc:  denied  { remove_name } for  pid=2386 comm="(sd-rmrf)" name="tmp" dev="vda5" ino=201741 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=dir permissive=0

Resolves: rhbz#2246046

The xserver_clients_write_xshm boolean allows writing to xserver_tmpfs_t files; this commit also adds the map permission.

The commit addresses the following AVC denial:
type=AVC msg=audit(1699352146.594:3256): avc:  denied  { map } for  pid=481494 comm="Xephyr" path=2F6D656D66643A786F7267202864656C6574656429 dev="tmpfs" ino=92915 scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c10,c580 tcontext=unconfined_u:object_r:xserver_tmpfs_t:s0 tclass=file permissive=1

Resolves: rhbz#2248488
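The commit messages above quote AVC records in two layouts (ausearch -i output with "type=AVC msg=audit(...)" and raw journal lines with "audit[pid]: AVC avc:"). The following script is an added example, not code from this pull request or from the selinux-policy project. It parses both layouts, decodes the hex-encoded path from the Xephyr record (the kernel hex-encodes object names containing spaces), groups denials by source type, target type and object class the way audit2allow does, and flags records logged with permissive=1, which were not actually blocked. The sample input embeds three of the AVC lines quoted above; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: three of the AVC records quoted in the commit messages above,
# in the two layouts they appear in (ausearch -i output and a journal line).
SAMPLE_AVCS = """\
type=AVC msg=audit(10/30/2023 04:46:52.693:699) : avc:  denied  { name_connect } for  pid=4646 comm=ntpd dest=4460 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntske_port_t:s0 tclass=tcp_socket permissive=0
Oct 19 16:21:58 hostname audit[1488]: AVC avc:  denied  { search } for  pid=1488 comm="pwmake" name="cracklib" dev="dm-1" ino=164196 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1699352146.594:3256): avc:  denied  { map } for  pid=481494 comm="Xephyr" path=2F6D656D66643A786F7267202864656C6574656429 dev="tmpfs" ino=92915 scontext=unconfined_u:unconfined_r:sandbox_xserver_t:s0:c10,c580 tcontext=unconfined_u:object_r:xserver_tmpfs_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")


def type_of(context):
    """user:role:type[:range] -> type (the MCS range after the type is ignored)."""
    return context.split(":")[2]


def decode_name(value):
    """The kernel hex-encodes names that contain spaces or unprintable bytes;
    decode those and leave ordinary names untouched.  Heuristic: a real name
    made only of uppercase hex digits would be misread."""
    if value is not None and HEX_RE.match(value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_avc(line):
    """Return a dict describing one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "source": type_of(fields["scontext"]),
        "target": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "object": decode_name(fields.get("path") or fields.get("name")),
        # permissive=1: the access was logged but not blocked
        "permissive": fields.get("permissive") == "1",
    }


def summarize(text):
    """Group denials by (source type, target type, class) and union the permissions."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "permissive": False})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["permissive"] = g["permissive"] or rec["permissive"]
        if rec["comm"]:
            g["comms"].add(rec["comm"])
    return dict(groups)


def as_allow_rule(key, group):
    """Raw TE rule in policy syntax, as audit2allow would print it.  A policy
    maintainer normally expresses the same access through the matching
    interface rather than committing the raw rule."""
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(group['perms']))} }};"


if __name__ == "__main__":
    for key, group in summarize(SAMPLE_AVCS).items():
        flag = "  # permissive=1: not enforced when logged" if group["permissive"] else ""
        print(f"{as_allow_rule(key, group)}{flag}    ({', '.join(sorted(group['comms']))})")
```

Run it as a script to print one candidate rule per (source, target, class) triple; feed it `ausearch -m AVC` or `journalctl` output on stdin after replacing SAMPLE_AVCS with `sys.stdin.read()`. The grouping is what makes the output reviewable: it is the union of permissions a domain needs on a type, not one rule per log line, and the permissive flag tells you which entries came from a domain that was already permissive at the time (the Xephyr record in this PR), so they cannot be read as evidence that something was blocked.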
@zpytela zpytela merged commit 88bb752 into fedora-selinux:f39 Nov 14, 2023
@zpytela zpytela deleted the f39-backports branch November 14, 2023 20:10
@martinpitt
Contributor

This was merged totally red..

make: *** No rule to make target 'coreos_installer.if', needed by 'tmp/all_interfaces.conf'. Stop.

@zpytela
Contributor Author

zpytela commented Nov 20, 2023

This was merged totally red..

make: *** No rule to make target 'coreos_installer.if', needed by 'tmp/all_interfaces.conf'. Stop.

Correct. There seems to be a mixup of rawhide and f39 sources, coreos_installer is available in F40+.
