diff --git a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0001-systemd-Fixes-for-systemd-resolved.patch b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0001-systemd-Fixes-for-systemd-resolved.patch index c994bfd..c52cec4 100644 --- a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0001-systemd-Fixes-for-systemd-resolved.patch +++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0001-systemd-Fixes-for-systemd-resolved.patch @@ -1,4 +1,4 @@ -From 45fbe472c6d0b8ecf320b4f04ebf6c09ec85ba33 Mon Sep 17 00:00:00 2001 +From 057c4204fc49abd0d908c71aed8d33ea71d55862 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Fri, 3 Mar 2023 15:04:28 -0600 Subject: [PATCH] systemd: Fixes for systemd-resolved @@ -8,10 +8,10 @@ Subject: [PATCH] systemd: Fixes for systemd-resolved 1 file changed, 3 insertions(+) diff --git a/refpolicy/policy/modules/system/systemd.te b/refpolicy/policy/modules/system/systemd.te -index ef25974..78f2b07 100644 +index 7cd50f1..a296a7d 100644 --- a/refpolicy/policy/modules/system/systemd.te +++ b/refpolicy/policy/modules/system/systemd.te -@@ -228,6 +228,7 @@ init_system_domain(systemd_resolved_t, systemd_resolved_exec_t) +@@ -236,6 +236,7 @@ init_system_domain(systemd_resolved_t, systemd_resolved_exec_t) type systemd_resolved_runtime_t alias systemd_resolved_var_run_t; files_runtime_file(systemd_resolved_runtime_t) @@ -19,7 +19,7 @@ index ef25974..78f2b07 100644 type systemd_stdio_bridge_t; type systemd_stdio_bridge_exec_t; -@@ -1441,6 +1442,7 @@ corenet_tcp_bind_llmnr_port(systemd_resolved_t) +@@ -1500,6 +1501,7 @@ corenet_tcp_bind_llmnr_port(systemd_resolved_t) corenet_udp_bind_generic_node(systemd_resolved_t) corenet_udp_bind_dns_port(systemd_resolved_t) corenet_udp_bind_llmnr_port(systemd_resolved_t) 
@@ -27,7 +27,7 @@ index ef25974..78f2b07 100644 selinux_use_status_page(systemd_resolved_t) -@@ -1452,6 +1454,7 @@ files_list_runtime(systemd_resolved_t) +@@ -1511,6 +1513,7 @@ files_list_runtime(systemd_resolved_t) fs_getattr_all_fs(systemd_resolved_t) fs_search_cgroup_dirs(systemd_resolved_t) diff --git a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0002-mount-Allow-mounting-on-etc_t.patch b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0002-mount-Allow-mounting-on-etc_t.patch index dc38752..333a9db 100644 --- a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0002-mount-Allow-mounting-on-etc_t.patch +++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0002-mount-Allow-mounting-on-etc_t.patch @@ -1,4 +1,4 @@ -From c1510fe7d63665ea133da3b044c2c63a9b104a02 Mon Sep 17 00:00:00 2001 +From 2f9d6906d2b7bdb58bb83f13e476c7c6c1f8f6dd Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Sat, 4 Mar 2023 09:57:44 -0600 Subject: [PATCH] mount: Allow mounting on etc_t @@ -8,10 +8,10 @@ Subject: [PATCH] mount: Allow mounting on etc_t 1 file changed, 1 insertion(+) diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te -index d028723..f73cd29 100644 +index a90273b..05da48a 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te -@@ -89,6 +89,7 @@ files_manage_etc_runtime_files(mount_t) +@@ -92,6 +92,7 @@ files_manage_etc_runtime_files(mount_t) files_etc_filetrans_etc_runtime(mount_t, file) files_mounton_all_mountpoints(mount_t) files_unmount_rootfs(mount_t) diff --git a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0003-kernel-Mark-unlabeled_t-as-mount-point-type.patch b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0003-kernel-Mark-unlabeled_t-as-mount-point-type.patch index 7906797..7f93636 100644 
--- a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0003-kernel-Mark-unlabeled_t-as-mount-point-type.patch +++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0003-kernel-Mark-unlabeled_t-as-mount-point-type.patch @@ -1,4 +1,4 @@ -From 81e1ed4da36c7638f63e78969f70d77f87fb3600 Mon Sep 17 00:00:00 2001 +From 555b08294fccf2c9462ef2e2f61ad1ae730becad Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Sat, 4 Mar 2023 10:16:13 -0600 Subject: [PATCH] kernel: Mark unlabeled_t as mount point type @@ -8,7 +8,7 @@ Subject: [PATCH] kernel: Mark unlabeled_t as mount point type 1 file changed, 1 insertion(+) diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te -index 5124ae0..b0d7e8f 100644 +index ae6222c..c24258f 100644 --- a/refpolicy/policy/modules/kernel/kernel.te +++ b/refpolicy/policy/modules/kernel/kernel.te @@ -267,6 +267,7 @@ allow kernel_t sysctl_kernel_ns_last_pid_t:file read_file_perms; diff --git a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0004-Allow-systemd-journald-list-cgroup-directories.patch b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0004-Allow-systemd-journald-list-cgroup-directories.patch index 74dc110..9f62121 100644 --- a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0004-Allow-systemd-journald-list-cgroup-directories.patch +++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0004-Allow-systemd-journald-list-cgroup-directories.patch @@ -1,4 +1,4 @@ -From 552ee711eaba5d9efff087feff23b2e6f6249743 Mon Sep 17 00:00:00 2001 +From 5f86b48aabef6e2c1a7aa2fdb99a49b27d0629fe Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Mon, 6 Mar 2023 12:10:19 -0600 Subject: [PATCH] Allow systemd-journald list cgroup directories @@ -8,7 +8,7 @@ Subject: [PATCH] Allow systemd-journald list cgroup directories 1 file changed, 1 insertion(+) 
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te -index abd61e6..08f77b5 100644 +index 69b7aa4..196f3e0 100644 --- a/refpolicy/policy/modules/system/logging.te +++ b/refpolicy/policy/modules/system/logging.te @@ -500,6 +500,7 @@ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) diff --git a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0005-Allow-systemd-to-create-directories.patch b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0005-Allow-systemd-to-create-directories.patch index 5059391..a0d4d60 100644 --- a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0005-Allow-systemd-to-create-directories.patch +++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0005-Allow-systemd-to-create-directories.patch @@ -1,4 +1,4 @@ -From bb58cbda2f45ee5d25b44dd256bd3de52bfcc3d8 Mon Sep 17 00:00:00 2001 +From e33a70e7f5efc37b0b12fda775dd6d805ee5c0e1 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Fri, 10 Mar 2023 12:39:41 -0600 Subject: [PATCH] Allow systemd to create directories @@ -11,10 +11,10 @@ settings. 2 files changed, 32 insertions(+) diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if -index f7217b2..9966a21 100644 +index a895f37..9ec28ce 100644 --- a/refpolicy/policy/modules/kernel/files.if +++ b/refpolicy/policy/modules/kernel/files.if -@@ -608,6 +608,24 @@ interface(`files_manage_non_security_dirs',` +@@ -564,6 +564,24 @@ interface(`files_manage_non_security_dirs',` allow $1 non_security_file_type:dir manage_dir_perms; ') @@ -40,7 +40,7 @@ index f7217b2..9966a21 100644 ## ## Create non-security directories. diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te -index 97a75cf..7b44a43 100644 +index 7249dd1..1ed2e45 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te 
@@ -37,6 +37,13 @@ gen_tunable(init_daemons_use_tty, false) @@ -57,7 +57,7 @@ index 97a75cf..7b44a43 100644 attribute init_mountpoint_type; attribute init_path_unit_loc_type; attribute init_script_domain_type; -@@ -606,6 +613,13 @@ ifdef(`init_systemd',` +@@ -620,6 +627,13 @@ ifdef(`init_systemd',` unconfined_create_keys(init_t) unconfined_write_keys(init_t) ') diff --git a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0006-Allow-init-to-setattr-on-char-devices.patch b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0006-Allow-init-to-setattr-on-char-devices.patch index 12c8e84..c749cb9 100644 --- a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0006-Allow-init-to-setattr-on-char-devices.patch +++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0006-Allow-init-to-setattr-on-char-devices.patch @@ -1,4 +1,4 @@ -From eb787b0e9ad66e719d7eb2d4bc942118a457d0d1 Mon Sep 17 00:00:00 2001 +From bedc00b3dd5afaa8880f263bfa7c761b1445d204 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Tue, 14 Mar 2023 13:40:23 -0500 Subject: [PATCH] Allow init to setattr on char devices @@ -9,10 +9,10 @@ This is required for local logins to work. 1 file changed, 1 insertion(+) diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te -index 7b44a43..bfa5d4d 100644 +index 1ed2e45..6ef0e31 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te -@@ -385,6 +385,7 @@ ifdef(`init_systemd',` +@@ -390,6 +390,7 @@ ifdef(`init_systemd',` dev_create_urand_dev(init_t) # systemd writes to /dev/watchdog on shutdown dev_write_watchdog(init_t) diff --git a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0007-podman-Allow-crun-to-chown-stdio-sockets.patch b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0007-podman-Allow-crun-to-chown-stdio-sockets.patch new file mode 100644 index 0000000..0486f42 --- /dev/null 
+++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0007-podman-Allow-crun-to-chown-stdio-sockets.patch
@@ -0,0 +1,33 @@
+From f497660743a219a6e54c2982529e5a57742e196a Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch"
+Date: Thu, 23 Mar 2023 09:44:02 -0500
+Subject: [PATCH] podman: Allow crun to chown stdio sockets
+
+Podman (actually `crun`) fails to launch containers as systemd units
+with this error:
+
+ fchown std stream 1: Permission denied
+
+The error is caused by this AVC denial:
+
+ AVC avc: denied { setattr } for pid=262 comm="crun" name="UNIX-STREAM" dev="sockfs" ino=9811 scontext=system_u:system_r:podman_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
+---
+ refpolicy/policy/modules/services/podman.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/refpolicy/policy/modules/services/podman.te b/refpolicy/policy/modules/services/podman.te
+index 3d16e64..d06e9f9 100644
+--- a/refpolicy/policy/modules/services/podman.te
++++ b/refpolicy/policy/modules/services/podman.te
+@@ -71,6 +71,8 @@ ifdef(`init_systemd',`
+ init_start_transient_units(podman_t)
+ init_stop_transient_units(podman_t)
+ 
++ init_rw_stream_sockets(podman_t)
++
+ # podman can read logs from containers which are
+ # sent to the system journal
+ logging_search_logs(podman_t)
+--
+2.39.0
+
diff --git a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0008-systemd-Allow-quadlet-to-read-container-configs.patch b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-base/0008-systemd-Allow-quadlet-to-read-container-configs.patch
new file mode 100644
index 0000000..20de437
--- /dev/null
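Review bot: The AVC quoted in the commit message denies only `setattr` on init_t's unix_stream_socket, but the rule added to podman.te, `init_rw_stream_sockets(podman_t)`, grants the full read/write socket permission set on those sockets (in refpolicy that interface expands to `rw_socket_perms`, which also carries bind, connect, setopt and shutdown — verify against init.if in this tree). That is wider than the fchown() of inherited stdio that the message describes, so it should either use (or add) an interface limited to setattr, or at minimum record the reason next to the rule so the grant is not widened further later, e.g. `# crun fchown()s the stdio sockets it inherits from systemd (setattr on init_t:unix_stream_socket)`. The ifdef(`init_systemd') block the rule sits in begins before the inner hunk.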
@@ -0,0 +1,41 @@
+From 98c85f0633912a35b5d27417fa60ad213e843f97 Mon Sep 17 00:00:00 2001
+From: "Dustin C. Hatch"
+Date: Thu, 23 Mar 2023 10:45:11 -0500
+Subject: [PATCH] systemd: Allow quadlet to read container configs
+
+---
+ refpolicy/policy/modules/system/systemd.fc | 1 +
+ refpolicy/policy/modules/system/systemd.te | 5 +++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/refpolicy/policy/modules/system/systemd.fc b/refpolicy/policy/modules/system/systemd.fc
+index f4b5fa0..9538432 100644
+--- a/refpolicy/policy/modules/system/systemd.fc
++++ b/refpolicy/policy/modules/system/systemd.fc
+@@ -23,6 +23,7 @@
+ /usr/lib/systemd/system-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
+ /usr/lib/systemd/user-environment-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
+ /usr/lib/systemd/user-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
++/usr/libexec/podman/quadlet -- gen_context(system_u:object_r:systemd_generator_exec_t,s0)
+ 
+ /usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
+ /usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
+diff --git a/refpolicy/policy/modules/system/systemd.te b/refpolicy/policy/modules/system/systemd.te
+index a296a7d..85157f8 100644
+--- a/refpolicy/policy/modules/system/systemd.te
++++ b/refpolicy/policy/modules/system/systemd.te
+@@ -572,6 +572,11 @@ optional_policy(`
+ zfs_read_config(systemd_generator_t)
+ ')
+ 
++optional_policy(`
++ # needed by podman-system-generator
++ container_read_config(systemd_generator_t)
++')
++
+ #######################################
+ #
+ # systemd-homed policy
+--
+2.39.0
+
diff --git a/yellow/portage/target/etc/portage/patches/sec-policy/selinux-podman b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-podman
new file mode 120000
index 0000000..999e000
--- /dev/null
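Review bot: The comment on the new systemd.te rule, `# needed by podman-system-generator`, does not explain why the generator runs as systemd_generator_t at all — that comes from the systemd.fc hunk labeling `/usr/libexec/podman/quadlet` rather than the entry under `/usr/lib/systemd/system-generators/`, whose existing pattern matches regular files only (`--`) and so would not cover a symlink to quadlet, which is presumably how podman-system-generator is installed here — confirm against the podman package. Also note that `container_read_config(systemd_generator_t)` grants read access to everything labeled container_config_t, not only the quadlet unit directory, so the commit message or a comment should state that this is the intended scope. I would make the comment carry both facts, e.g. `# podman-system-generator is a symlink to /usr/libexec/podman/quadlet (labeled systemd_generator_exec_t in systemd.fc); it reads .container/.kube units under the container config tree`. The optional_policy block preceding the insertion begins before the inner hunk.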
+++ b/yellow/portage/target/etc/portage/patches/sec-policy/selinux-podman
@@ -0,0 +1 @@
+selinux-base
\ No newline at end of file
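Review bot: Symlinking the whole selinux-base patch directory makes Portage apply all eight patches when building selinux-podman, although only 0007 touches podman.te; 0001–0006 and 0008 modify base modules (systemd, mount, kernel, logging, files, init). If the podman ebuild's unpacked tree differs from selinux-base's, or a base patch is already present there, user-patch application will fail on a patch this package does not need, and every future base patch is silently pulled into this package as well. Prefer a real directory holding a single symlink, `../selinux-base/0007-podman-Allow-crun-to-chown-stdio-sockets.patch`, and add any later podman-specific patches there. Whether the two ebuilds unpack the same refpolicy tree is not visible from this diff.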