Merge pull request #917 from flatcar/tormath1/selinux-policy-update

selinux: update
flatcar · Sep 20, 2023 · 2337580 · 2337580
2 parents bc8261f + c3ba668
commit 2337580
Show file tree

Hide file tree

Showing 93 changed files with 607 additions and 1,535 deletions.
diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
@@ -295,6 +295,7 @@ eclass/python-single-r1.eclass
 eclass/python-utils-r1.eclass
 eclass/readme.gentoo-r1.eclass
 eclass/savedconfig.eclass
+eclass/selinux-policy-2.eclass
 eclass/strip-linguas.eclass
 eclass/systemd.eclass
 eclass/tmpfiles.eclass
@@ -363,8 +364,17 @@ profiles
 #
 # scripts
 
+sec-policy/selinux-base
+sec-policy/selinux-base-policy
+sec-policy/selinux-container
+sec-policy/selinux-dbus
+sec-policy/selinux-sssd
+sec-policy/selinux-unconfined
+
+
 sys-apps/acl
 sys-apps/attr
+sys-apps/checkpolicy
 sys-apps/config-site
 sys-apps/coreutils
 sys-apps/debianutils
@@ -400,6 +410,7 @@ sys-apps/portage
 sys-apps/pv
 sys-apps/sandbox
 sys-apps/sed
+sys-apps/semodule-utils
 sys-apps/smartmontools
 sys-apps/texinfo
 sys-apps/usbutils
@@ -454,6 +465,8 @@ sys-libs/libcap
 sys-libs/libcap-ng
 sys-libs/libnvme
 sys-libs/libseccomp
+sys-libs/libselinux
+sys-libs/libsepol
 sys-libs/ncurses
 sys-libs/readline
 sys-libs/talloc

diff --git a/changelog/updates/2023-06-21-selinux.md b/changelog/updates/2023-06-21-selinux.md
@@ -0,0 +1,11 @@
+- libselinux ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5))
+- libsepol ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5))
+- semodule-utils ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5))
+- policycoreutils ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5))
+- libsemanage ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5))
+- checkpolicy ([3.5](https://github.com/SELinuxProject/selinux/releases/tag/3.5))
+- selinux-base ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101))
+- selinux-base-policy ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101))
+- selinux-container ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101))
+- selinux-sssd ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101))
+- selinux-unconfined ([2.20221101](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20221101))
diff --git a/...reos-base/coreos/coreos-0.0.1-r308.ebuild → ...reos-base/coreos/coreos-0.0.1-r309.ebuild b/...reos-base/coreos/coreos-0.0.1-r308.ebuild → ...reos-base/coreos/coreos-0.0.1-r309.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
@@ -144,9 +144,10 @@ RDEPEND="${RDEPEND}
 	net-misc/wget
 	net-misc/whois
 	net-vpn/wireguard-tools
-	sec-policy/selinux-virt
 	sec-policy/selinux-base
 	sec-policy/selinux-base-policy
+	sec-policy/selinux-container
+	sec-policy/selinux-dbus
 	sec-policy/selinux-unconfined
 	sys-apps/acl
 	sys-apps/attr

diff --git a/...rlay/sec-policy/selinux-base/files/config → ...reos-base/misc-files/files/selinux-config b/...rlay/sec-policy/selinux-base/files/config → ...reos-base/misc-files/files/selinux-config
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0.ebuild
@@ -64,6 +64,9 @@ src_install() {
         ['/usr/share/skel/.bash_logout']='/usr/share/flatcar/etc/skel/.bash_logout'
         ['/usr/share/skel/.bash_profile']='/usr/share/flatcar/etc/skel/.bash_profile'
         ['/usr/share/skel/.bashrc']='/usr/share/flatcar/etc/skel/.bashrc'
+        ['/usr/lib/selinux/config']='/usr/share/flatcar/etc/selinux/config'
+        ['/usr/lib/selinux/mcs']='/usr/share/flatcar/etc/selinux/mcs'
+        ['/usr/lib/selinux/semanage.conf']='/usr/share/flatcar/etc/selinux/semanage.conf'
     )
 
     local link target
@@ -76,6 +79,9 @@ src_install() {
         fi
     done
 
+    insinto '/etc/selinux/'
+    newins "${FILESDIR}/selinux-config" config
+
     insinto '/etc/bash/bashrc.d'
     doins "${FILESDIR}/99-flatcar-bcc"
 

diff --git a/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sec-policy/selinux-base b/sdk_container/src/third_party/coreos-overlay/coreos/config/env/sec-policy/selinux-base
@@ -0,0 +1,2 @@
+PKG_INSTALL_MASK+=" /etc/selinux/config"
+INSTALL_MASK+=" /etc/selinux/config"
diff --git a/...licy/selinux-base-policy/files/init.patch → ...sec-policy/selinux-base-policy/init.patch b/...licy/selinux-base-policy/files/init.patch → ...sec-policy/selinux-base-policy/init.patch
@@ -1,7 +1,7 @@
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
 index dbd39cf8f..563559ca7 100644
---- refpolicy/policy/modules/system/init.te
-+++ refpolicy/policy/modules/system/init.te
+--- a/refpolicy/policy/modules/system/init.te
++++ b/refpolicy/policy/modules/system/init.te
 @@ -1503,3 +1503,6 @@ optional_policy(`
  	userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
  	userdom_dontaudit_write_user_tmp_files(systemprocess)

diff --git a/...elinux-base-policy/files/locallogin.patch → ...licy/selinux-base-policy/locallogin.patch b/...elinux-base-policy/files/locallogin.patch → ...licy/selinux-base-policy/locallogin.patch
@@ -1,9 +1,9 @@
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
 index 109980e79..d5c4a5d95 100644
---- refpolicy/policy/modules/system/locallogin.te
-+++ refpolicy/policy/modules/system/locallogin.te
+--- a/refpolicy/policy/modules/system/locallogin.te
++++ b/refpolicy/policy/modules/system/locallogin.te
 @@ -34,7 +34,7 @@ role system_r types sulogin_t;
- 
+
  allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
  dontaudit local_login_t self:capability net_admin;
 -allow local_login_t self:process { getcap setcap setexec setrlimit setsched };

diff --git a/...y/selinux-base-policy/files/logging.patch → ...-policy/selinux-base-policy/logging.patch b/...y/selinux-base-policy/files/logging.patch → ...-policy/selinux-base-policy/logging.patch
@@ -1,18 +1,18 @@
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 7d713540d..d6cbc654d 100644
---- refpolicy/policy/modules/system/logging.te
-+++ refpolicy/policy/modules/system/logging.te
-@@ -516,11 +516,13 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
- userdom_dontaudit_search_user_home_dirs(syslogd_t)
+index abd61e6bd..fb5d69366 100644
+--- a/refpolicy/policy/modules/system/logging.te
++++ b/refpolicy/policy/modules/system/logging.te
+@@ -525,11 +525,13 @@ userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
  ifdef(`init_systemd',`
-+	require { type kernel_t; }
  	# for systemd-journal
++	require { type kernel_t; }
+ 	allow syslogd_t self:capability audit_control;
  	allow syslogd_t self:netlink_audit_socket connected_socket_perms;
  	allow syslogd_t self:capability2 audit_read;
  	allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
  	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
-+	allow syslogd_t kernel_t:netlink_audit_socket getattr; 
++	allow syslogd_t kernel_t:netlink_audit_socket getattr;
 
  	# remove /run/log/journal when switching to permanent storage
  	allow syslogd_t var_log_t:dir rmdir;
diff --git a/...licy/selinux-base-policy/files/ping.patch → ...sec-policy/selinux-base-policy/ping.patch b/...licy/selinux-base-policy/files/ping.patch → ...sec-policy/selinux-base-policy/ping.patch
@@ -1,19 +1,19 @@
 diff -u -r refpolicy/policy/modules/admin/netutils.te refpolicy/policy/modules/admin/netutils.te
---- refpolicy/policy/modules/admin/netutils.te	2022-01-12 14:28:26.850809330 -0000
-+++ refpolicy/policy/modules/admin/netutils.te	2022-01-12 14:29:50.323880882 -0000
+--- a/refpolicy/policy/modules/admin/netutils.te	2022-01-12 14:28:26.850809330 -0000
++++ b/refpolicy/policy/modules/admin/netutils.te	2022-01-12 14:29:50.323880882 -0000
 @@ -117,6 +117,7 @@
  corenet_raw_sendrecv_generic_node(ping_t)
  corenet_tcp_sendrecv_generic_node(ping_t)
  corenet_raw_bind_generic_node(ping_t)
 +corenet_icmp_bind_generic_node(ping_t)
- 
+
  dev_read_urand(ping_t)
- 
+
 @@ -189,6 +190,7 @@
  corenet_tcp_connect_all_ports(traceroute_t)
  corenet_sendrecv_all_client_packets(traceroute_t)
  corenet_sendrecv_traceroute_server_packets(traceroute_t)
 +corenet_icmp_bind_generic_node(traceroute_t)
- 
+
  dev_read_rand(traceroute_t)
  dev_read_urand(traceroute_t)
diff --git a/...ches/sec-policy/selinux-base/0001-policy-modules-kernel-all-more-actions-for-kernel.patch b/...ches/sec-policy/selinux-base/0001-policy-modules-kernel-all-more-actions-for-kernel.patch
@@ -0,0 +1,16 @@
+diff --git refpolicy/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
+index 56dbd5af5..b5cf0e3c0 100644
+--- a/refpolicy/policy/modules/kernel/kernel.te
++++ b/refpolicy/policy/modules/kernel/kernel.te
+@@ -363,6 +363,11 @@ files_list_home(kernel_t)
+ files_read_usr_files(kernel_t)
+
+ mcs_process_set_categories(kernel_t)
++mcs_killall(kernel_t)
++mcs_file_read_all(kernel_t)
++mcs_file_write_all(kernel_t)
++mcs_ptrace_all(kernel_t)
++allow kernel_t self:user_namespace create;
+
+ mls_process_read_all_levels(kernel_t)
+ mls_process_write_all_levels(kernel_t)
diff --git a/...hird_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/files-relabel.patch b/...hird_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-base/files-relabel.patch
@@ -0,0 +1,44 @@
+diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
+index 495cbe2f4..a5605f866 100644
+--- a/refpolicy/policy/modules/kernel/files.if
++++ b/refpolicy/policy/modules/kernel/files.if
+@@ -7892,3 +7892,39 @@ interface(`files_unconfined',`
+
+ 	typeattribute $1 files_unconfined_type;
+ ')
++
++########################################
++## <summary>
++##	Relabel all files on the filesystem, except
++##	policy_config_t and exceptions.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="exception_types" optional="true">
++##	<summary>
++##	The types to be excluded.  Each type or attribute
++##	must be negated by the caller.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_relabel_all_non_policy_files',`
++	gen_require(`
++		attribute file_type;
++		type policy_config_t;
++	')
++
++	allow $1 { file_type -policy_config_t $2 }:dir list_dir_perms;
++	relabel_dirs_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++	relabel_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++	relabel_lnk_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++	relabel_fifo_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++	relabel_sock_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++	# this is only relabelfrom since there should be no
++	# device nodes with file types.
++	relabelfrom_blk_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++	relabelfrom_chr_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
++')
diff --git a/...policy/selinux-base/files/icmp-bind.patch → ...s/sec-policy/selinux-base/icmp-bind.patch b/...policy/selinux-base/files/icmp-bind.patch → ...s/sec-policy/selinux-base/icmp-bind.patch
@@ -1,8 +1,8 @@
 diff -u -r refpolicy/policy/modules/kernel/corenetwork.if.in refpolicy2/policy/modules/kernel/corenetwork.if.in
---- refpolicy/policy/modules/kernel/corenetwork.if.in	2022-01-12 16:59:47.572670384 -0000
-+++ refpolicy2/policy/modules/kernel/corenetwork.if.in	2022-01-12 17:01:54.974858982 -0000
+--- a/refpolicy/policy/modules/kernel/corenetwork.if.in	2022-01-12 16:59:47.572670384 -0000
++++ b/refpolicy2/policy/modules/kernel/corenetwork.if.in	2022-01-12 17:01:54.974858982 -0000
 @@ -879,6 +879,24 @@
- 
+
  ########################################
  ## <summary>
 +##	Bind ICMP sockets to generic nodes.
@@ -27,14 +27,14 @@ diff -u -r refpolicy/policy/modules/kernel/corenetwork.if.in refpolicy2/policy/m
  ## </summary>
  ## <desc>
 diff -u -r refpolicy/policy/modules/kernel/corenetwork.te.in refpolicy2/policy/modules/kernel/corenetwork.te.in
---- refpolicy/policy/modules/kernel/corenetwork.te.in	2022-01-12 16:59:47.573670362 -0000
-+++ refpolicy2/policy/modules/kernel/corenetwork.te.in	2022-01-12 17:03:12.754142616 -0000
+--- a/refpolicy/policy/modules/kernel/corenetwork.te.in	2022-01-12 16:59:47.573670362 -0000
++++ b/refpolicy2/policy/modules/kernel/corenetwork.te.in	2022-01-12 17:03:12.754142616 -0000
 @@ -373,7 +373,7 @@
- 
+
  # Bind to any network address.
  allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
 -allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
 +allow corenet_unconfined_type node_type:{ icmp_socket tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
- 
+
  # Infiniband
  corenet_ib_access_all_pkeys(corenet_unconfined_type)
diff --git a/...ird_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-container/container.patch b/...ird_party/coreos-overlay/coreos/user-patches/sec-policy/selinux-container/container.patch
@@ -0,0 +1,77 @@
+diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc
+index 056aa6023..e4bcada03 100644
+--- a/refpolicy/policy/modules/services/container.fc
++++ b/refpolicy/policy/modules/services/container.fc
+@@ -113,3 +113,5 @@ HOME_DIR/\.docker(/.*)?		gen_context(system_u:object_r:container_conf_home_t,s0)
+ /var/log/kube-controller-manager(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
+ /var/log/kube-proxy(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
+ /var/log/kube-scheduler(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
++
++/usr/share/containerd(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
+diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
+index 5de421fc3..4a6c2760e 100644
+--- a/refpolicy/policy/modules/services/container.te
++++ b/refpolicy/policy/modules/services/container.te
+@@ -1007,3 +1007,62 @@ optional_policy(`
+        unconfined_domain_noaudit(spc_user_t)
+        domain_ptrace_all_domains(spc_user_t)
+ ')
++
++allow container_domain self:socket_class_set { accept ioctl read getattr lock write append getopt setopt };
++allow container_domain init_t:unix_stream_socket { accept ioctl read getattr lock write append getopt shutdown };
++
++# required for sharing /run for the etcd-wrapper
++files_mounton_runtime_dirs(container_engine_domain)
++
++# this is a hack while the system is not labelled. we need to authorize transition from kernel_t
++require {
++	type kernel_t;
++	type tmpfs_t;
++	type var_lib_t;
++	type unconfined_t;
++}
++allow kernel_t container_t:process transition;
++allow initrc_t container_t:process transition;
++allow kernel_t container_t:process2 nnp_transition;
++allow kernel_t unconfined_t:process transition;
++fs_manage_tmpfs_chr_files(container_t)
++fs_manage_tmpfs_dirs(container_t)
++fs_manage_tmpfs_files(container_t)
++fs_manage_tmpfs_sockets(container_t)
++fs_manage_tmpfs_symlinks(container_t)
++fs_remount_tmpfs(container_t)
++kernel_read_messages(container_t)
++kernel_sigchld(container_t)
++kernel_use_fds(container_t)
++allow container_t self:process getcap;
++files_read_var_lib_files(container_t)
++files_read_var_lib_symlinks(container_t)
++term_use_generic_ptys(container_t)
++term_setattr_generic_ptys(container_t)
++allow container_t tmpfs_t:chr_file { read write open };
++allow container_t container_file_t:chr_file { manage_file_perms };
++allow container_t self:capability sys_chroot;
++allow container_t self:process getpgid;
++allow container_t container_file_t:file { entrypoint mounton };
++allow container_t var_lib_t:file { entrypoint execute execute_no_trans };
++allow container_t kernel_t:fifo_file { getattr ioctl read write open append };
++allow container_t initrc_t:fifo_file { getattr ioctl read write open append };
++filetrans_pattern(kernel_t, etc_t, container_file_t, dir, "cni");
++
++# this is required by flanneld
++allow container_t kernel_t:system { module_request };
++
++# required by flanneld to write into /run/flannel/subnet.env
++filetrans_pattern(kernel_t, var_run_t, container_file_t, dir, "flannel");
++
++# required for cilium
++allow kernel_t spc_t:process transition;
++# required for cilium, can be upstreamed
++# Jun 20 08:01:43 localhost audit[3480]: AVC avc:  denied  { open } for  pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1
++# Jun 20 08:01:43 localhost audit[3480]: AVC avc:  denied  { kernel } for  pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1
++# Jun 20 08:01:43 localhost audit[3480]: AVC avc:  denied  { cpu } for  pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1
++# Jun 20 08:01:43 localhost audit[3480]: AVC avc:  denied  { read } for  pid=3480 comm="cilium-agent" scontext=system_u:system_r:spc_t:s0 tcontext=system_u:system_r:spc_t:s0 tclass=perf_event permissive=1
++allow spc_t self:perf_event { open cpu kernel read };
++# required for using cilium cgroup v1
++allow kernel_t self:perf_event { open cpu kernel read };
++allow unconfined_t container_file_t:file { entrypoint };
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/Manifest b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/Manifest
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/sshd.patch b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/sshd.patch
diff --git a/...ainer/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/unlabeled.patch b/...ainer/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/files/unlabeled.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest