fedora-selinux · zpytela · Oct 2, 2024 · Jul 30, 2024 · Sep 2, 2024 · Sep 2, 2024
diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
@@ -11,6 +11,7 @@
 /usr/bin/lft		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/mtr		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/nmap		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/bin/n?oping 	--	gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/bin/ping.* 	--	gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/bin/tracepath.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)

diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
@@ -591,6 +591,10 @@ logging_watch_journal_dir(abrt_dump_oops_t)
 
 init_read_var_lib_files(abrt_dump_oops_t)
 
+optional_policy(`
+	samba_stream_connect_winbind(abrt_dump_oops_t)
+')
+
 optional_policy(`
     sssd_read_public_files(abrt_dump_oops_t)
     sssd_stream_connect(abrt_dump_oops_t)

diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
@@ -256,6 +256,7 @@ allow chronyc_t self:unix_dgram_socket create_socket_perms;
 allow chronyc_t self:netlink_route_socket create_netlink_socket_perms;
 
 allow chronyc_t chronyd_t:unix_dgram_socket sendto;
+allow chronyc_t chronyd_restricted_t:unix_dgram_socket sendto;
 
 allow chronyc_t chronyd_keys_t:file manage_file_perms;
 

diff --git a/policy/modules/contrib/cups.te b/policy/modules/contrib/cups.te
@@ -141,6 +141,7 @@ optional_policy(`
 allow cupsd_t self:capability { ipc_lock sys_admin dac_read_search dac_override kill fsetid fowner chown  sys_resource sys_tty_config };
 dontaudit cupsd_t self:capability { sys_tty_config net_admin };
 allow cupsd_t self:capability2 { block_suspend bpf wake_alarm };
+allow cupsd_t self:cap_userns sys_ptrace;
 allow cupsd_t self:process { getpgid setpgid setsched };
 allow cupsd_t self:unix_stream_socket { accept connectto listen };
 allow cupsd_t self:netlink_selinux_socket create_socket_perms;

diff --git a/policy/modules/contrib/nut.te b/policy/modules/contrib/nut.te
@@ -105,11 +105,8 @@ init_rw_utmp(nut_upsmon_t)
 init_telinit(nut_upsmon_t)
 fs_getattr_xattr_fs(nut_upsmon_t)
 
-
 mta_send_mail(nut_upsmon_t)
 
-systemd_start_power_services(nut_upsmon_t)
-
 optional_policy(`
 	shutdown_domtrans(nut_upsmon_t)
 ')
@@ -119,6 +116,11 @@ optional_policy(`
 	systemd_dbus_chat_logind(nut_upsmon_t)
 ')
 
+optional_policy(`
+	systemd_read_logind_sessions_files(nut_upsmon_t)
+	systemd_start_power_services(nut_upsmon_t)
+')
+
 ########################################
 #
 # Local policy for upsdrvctl

diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
@@ -372,6 +372,7 @@ allow smbd_t winbind_t:process { signal signull };
 
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
+kernel_io_uring_use(smbd_t)
 kernel_read_network_state(smbd_t)
 kernel_read_net_sysctls(smbd_t)
 kernel_read_fs_sysctls(smbd_t)

diff --git a/policy/modules/contrib/thumb.te b/policy/modules/contrib/thumb.te
@@ -77,6 +77,7 @@ corecmd_exec_shell(thumb_t)
 corenet_tcp_connect_xserver_port(thumb_t)
 corenet_dontaudit_tcp_connect_all_ports(thumb_t)
 
+dev_map_dri(thumb_t)
 dev_read_sysfs(thumb_t)
 dev_read_urand(thumb_t)
 dev_dontaudit_rw_dri(thumb_t)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
@@ -2263,22 +2263,35 @@ manage_files_pattern(virtstoraged_t, virt_var_lib_t, virt_var_lib_t)
 
 manage_lnk_files_pattern(virtstoraged_t, virt_etc_rw_t, virt_etc_rw_t)
 
+kernel_get_sysvipc_info(virtstoraged_t)
 kernel_io_uring_use(virtstoraged_t)
 
 corecmd_exec_bin(virtstoraged_t)
 
 fs_getattr_all_fs(virtstoraged_t)
+fs_getattr_configfs_dirs(virtstoraged_t)
+
+storage_raw_read_fixed_disk(virtstoraged_t)
+storage_raw_write_fixed_disk(virtstoraged_t)
 
 userdom_read_user_home_content_files(virtstoraged_t)
 
 optional_policy(`
 	dnsmasq_filetrans_named_content_fromdir(virtstoraged_t, virtstoraged_var_run_t)
 ')
 
+optional_policy(`
+	fstools_domtrans(virtstoraged_t)
+')
+
 optional_policy(`
 	lvm_domtrans(virtstoraged_t)
 ')
 
+optional_policy(`
+	udev_domtrans(virtstoraged_t)
+')
+
 #######################################
 #
 # virtvboxd local policy

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
@@ -127,6 +127,9 @@
 /dev/(misc/)?rtc[0-9]*	-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/sequencer		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sequencer2		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/sgx_enclave	-c	gen_context(system_u:object_r:sgx_enclave_device_t,s0)
+/dev/sgx_provision	-c	gen_context(system_u:object_r:sgx_provision_device_t,s0)
+/dev/sgx_vepc		-c	gen_context(system_u:object_r:sgx_vepc_device_t,s0)
 /dev/smpte.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/smu		-c	gen_context(system_u:object_r:power_device_t,s0)
 /dev/srnd[0-7]		-c	gen_context(system_u:object_r:sound_device_t,s0)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
@@ -327,6 +327,16 @@ dev_node(random_device_t)
 type scanner_device_t;
 dev_node(scanner_device_t)
 
+#
+# Types for Software Guard eXtensions (SGX) Virtualization
+#
+type sgx_enclave_device_t;
+dev_node(sgx_enclave_device_t)
+type sgx_provision_device_t;
+dev_node(sgx_provision_device_t)
+type sgx_vepc_device_t;
+dev_node(sgx_vepc_device_t)
+
 #
 # Type for smartcards
 #

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
@@ -1974,6 +1974,24 @@ interface(`fs_dontaudit_write_configfs_dirs',`
 	dontaudit $1 configfs_t:dir write;
 ')
 
+#######################################
+## <summary>
+##	Getattr dirs on a configfs filesystem.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_configfs_dirs',`
+	gen_require(`
+		type configfs_t;
+	')
+
+	allow $1 configfs_t:dir getattr;
+')
+
 #######################################
 ## <summary>
 ##	Read dirs

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
@@ -15,6 +15,7 @@ allow sysadm_t self:netlink_generic_socket create_socket_perms;
 allow sysadm_t self:tipc_socket create_socket_perms;
 allow sysadm_t self:sctp_socket create_socket_perms;
 allow sysadm_t self:rawip_socket create_socket_perms;
+allow sysadm_t self:key_socket create_socket_perms;
 
 allow sysadm_t self:system all_system_perms;
 

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
@@ -482,6 +482,24 @@ interface(`ssh_signull',`
 	allow $1 sshd_t:process signull;
 ')
 
+########################################
+## <summary>
+##	Use fds from sshd processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_fd_use',`
+	gen_require(`
+		type sshd_t;
+	')
+
+	allow $1 sshd_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Read a ssh server unnamed pipe.

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
@@ -855,6 +855,9 @@ optional_policy(`
 
 optional_policy(`
 	ssh_getattr_server_keys(init_t)
+	# needed after systemd commit 76f2191d8eb5 ("logind:
+	# introduce CreateSessionWithPIDFD()")
+	ssh_fd_use(init_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
@@ -465,6 +465,12 @@ optional_policy(`
 	sosreport_dbus_chat(systemd_logind_t)
 ')
 
+optional_policy(`
+	# needed after systemd commit 76f2191d8eb5 ("logind:
+	# introduce CreateSessionWithPIDFD()")
+	ssh_fd_use(systemd_logind_t)
+')
+
 optional_policy(`
 	# It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
 	xserver_search_xdm_tmp_dirs(systemd_logind_t)