File _service:tar_scm_kernel_repo:backport-Fix-users-for-SELinux-userspace-3.4.patch of Package selinux-policy
From e1e216b25df1bdb4eb7dbb8f73f32927ad6f3d1f Mon Sep 17 00:00:00 2001 From: Petr Lautrbach <plautrba@redhat.com> Date: Thu, 14 Apr 2022 12:07:40 +0200 Subject: [PATCH] Fix users for SELinux userspace 3.4 Latest yet to be released userspace version 3.4 added new validation and discovered several issues in current implementation. This patch tries to address them: - move guest and xguest module from contrib to roles - refpolicy did this change long time ago - roles guest_r and xguest_r need to be defined in kernel.te - gen_user() is supposed to be in policy/users, not in modules - drop role multiple definitions from userdom_base_user_template as it's and is supposed to be defined in kernel.te --- policy/modules/kernel/kernel.te | 3 +++ policy/modules/{contrib => roles}/guest.fc | 0 policy/modules/{contrib => roles}/guest.if | 0 policy/modules/{contrib => roles}/guest.te | 4 ++-- policy/modules/roles/unconfineduser.te | 3 +-- policy/modules/{contrib => roles}/xguest.fc | 0 policy/modules/{contrib => roles}/xguest.if | 0 policy/modules/{contrib => roles}/xguest.te | 4 ++-- policy/modules/system/userdomain.if | 3 +-- 9 files changed, 9 insertions(+), 8 deletions(-) rename policy/modules/{contrib => roles}/guest.fc (100%) rename policy/modules/{contrib => roles}/guest.if (100%) rename policy/modules/{contrib => roles}/guest.te (82%) rename policy/modules/{contrib => roles}/xguest.fc (100%) rename policy/modules/{contrib => roles}/xguest.if (100%) rename policy/modules/{contrib => roles}/xguest.te (98%) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index acbb2f74e6..73696bcb0a 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -39,6 +39,9 @@ role user_r; # here until order dependence is fixed: role unconfined_r; +role guest_r; +role xguest_r; + ifdef(`enable_mls',` role secadm_r; role auditadm_r; 
diff --git a/policy/modules/contrib/guest.fc b/policy/modules/roles/guest.fc similarity index 100% rename from policy/modules/contrib/guest.fc rename to policy/modules/roles/guest.fc diff --git a/policy/modules/contrib/guest.if b/policy/modules/roles/guest.if similarity index 100% rename from policy/modules/contrib/guest.if rename to policy/modules/roles/guest.if diff --git a/policy/modules/contrib/guest.te b/policy/modules/roles/guest.te similarity index 82% rename from policy/modules/contrib/guest.te rename to policy/modules/roles/guest.te index 0605776333..2e9505d1cc 100644 --- a/policy/modules/contrib/guest.te +++ b/policy/modules/roles/guest.te @@ -5,7 +5,7 @@ policy_module(guest, 1.3.0) # Declarations # -role guest_r; +# role guest_r; userdom_restricted_user_template(guest) @@ -20,4 +20,4 @@ optional_policy(` apache_role(guest_r, guest_t) ') -gen_user(guest_u, user, guest_r, s0, s0) +# gen_user(guest_u, user, guest_r, s0, s0) diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te index 55bca1e31e..5596e6f0ee 100644 --- a/policy/modules/roles/unconfineduser.te +++ b/policy/modules/roles/unconfineduser.te @@ -399,5 +399,4 @@ optional_policy(` xserver_xsession_entry_type(unconfined_t) ') -gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) - +# gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) diff --git a/policy/modules/contrib/xguest.fc b/policy/modules/roles/xguest.fc similarity index 100% rename from policy/modules/contrib/xguest.fc rename to policy/modules/roles/xguest.fc diff --git a/policy/modules/contrib/xguest.if b/policy/modules/roles/xguest.if similarity index 100% rename from policy/modules/contrib/xguest.if rename to policy/modules/roles/xguest.if 
diff --git a/policy/modules/contrib/xguest.te b/policy/modules/roles/xguest.te similarity index 98% rename from policy/modules/contrib/xguest.te rename to policy/modules/roles/xguest.te index 8d3ef540a7..e19bf40fc5 100644 --- a/policy/modules/contrib/xguest.te +++ b/policy/modules/roles/xguest.te @@ -26,7 +26,7 @@ gen_tunable(xguest_connect_network, true) ## </desc> gen_tunable(xguest_use_bluetooth, true) -role xguest_r; +# role xguest_r; userdom_restricted_xwindows_user_template(xguest) sysnet_dns_name_resolve(xguest_t) @@ -203,4 +203,4 @@ optional_policy(` role xguest_r types mozilla_t; ') -gen_user(xguest_u, user, xguest_r, s0, s0) +# gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index b16984dd82..d5be647e85 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -27,6 +27,7 @@ template(`userdom_base_user_template',` attribute userdomain; type user_devpts_t, user_tty_device_t; class context contains; + role $1_r; ') attribute $1_file_type; @@ -34,12 +35,10 @@ template(`userdom_base_user_template',` type $1_t, userdomain, $1_usertype; domain_type($1_t) - role $1_r; corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) domain_user_exemption_target($1_t) ubac_constrained($1_t) - role $1_r; role $1_r types $1_t; allow system_r $1_r;
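Review bot: In policy/modules/kernel/kernel.te the added `role guest_r;` and `role xguest_r;` lines have no comment explaining why roles that belong to the guest and xguest modules are declared in the base kernel module. Add a one-line comment that ties them to the SELinux userspace 3.4 validation named in the commit message, so a later cleanup does not remove them as stray declarations.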
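Review bot: The gen_user() calls in guest.te, xguest.te and unconfineduser.te are commented out, but the diffstat lists no file under policy/users, so nothing in this patch shows where guest_u, xguest_u and unconfined_u are defined afterwards. Confirm that policy/users already carries all three definitions, including the `s0 - mls_systemhigh, mcs_allcats` range for unconfined_u; otherwise these SELinux users are no longer defined by the policy. It would also be cleaner to delete the lines than to leave `# role guest_r;`, `# role xguest_r;` and the `# gen_user(...)` lines behind as commented-out code.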
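Review bot: In policy/modules/system/userdomain.if the `role $1_r;` line moves into the block that sits beside `attribute userdomain;` and `class context contains;` and closes with `')`, which reads as a requirement rather than a declaration, so every prefix passed to userdom_base_user_template now needs its role declared somewhere else. This patch adds only guest_r and xguest_r to kernel.te; check that the role of each remaining caller of the template is declared there as well, and state the new precondition in the template's interface documentation.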