From 7fc76cf77b007a3f79b7369ce578d11270aef9c2 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Mon, 4 Mar 2024 15:18:22 +0800
Subject: refpolicy: upgrade 20231002+git -> 20240226+git
ChangeLog: https://github.com/SELinuxProject/refpolicy/blob/main/Changelog
Notable Changes: Many systemd updates up to v255 RPM and dnf fixes Tighten private key handling for Apache Many container and kubernetes improvements Add support for Cilium Update object class definitions up to io_uring:cmd Add additional rules to cloud-init based on sysadm_t
* Update to latest git rev.
* Refresh patches.
* Add a patch to fix reboot timeout error.
Signed-off-by: Yi Zhao
Signed-off-by: Joe MacDonald
---
...les-system-mount-make-mount_t-domain-MLS-.patch | 35 ++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 recipes-security/refpolicy/refpolicy/0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
(limited to 'recipes-security/refpolicy/refpolicy/0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch')
diff --git a/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch b/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
new file mode 100644
index 0000000..5ced4ae
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch
@@ -0,0 +1,35 @@
+From 53a770736133d84be9cab23732811f96304bf737 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan
+Date: Sat, 15 Feb 2014 04:22:47 -0500
+Subject: [PATCH] policy/modules/system/mount: make mount_t domain MLS trusted
+ for writing to processes up to its clearance
+
+Fixes:
+avc: denied { setsched } for pid=148 comm="mount"
+scontext=system_u:system_r:mount_t:s0-s15:c0.c1023
+tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
+permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signen-off-by: Wenzong Fan
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/mount.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 8cd51d563..3fc37619e 100644
+--- a/policy/modules/system/mount.te
++++ b/policy/modules/system/mount.te
+@@ -117,6 +117,7 @@ fs_dontaudit_write_all_image_files(mount_t)
+
+ mls_file_read_all_levels(mount_t)
+ mls_file_write_all_levels(mount_t)
++mls_process_write_to_clearance(mount_t)
+
+ selinux_get_enforce_mode(mount_t)
+
+--
+2.25.1
+
-- cgit v1.2.3-54-g00ecf
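Review bot: The added `mls_process_write_to_clearance(mount_t)` in the mount.te hunk is justified only by one `setsched` denial against kernel_t at s15, logged with `permissive=1`, yet by its name and the patch subject it makes mount_t MLS-trusted for every write to a process up to its clearance. The quoted scontext gives mount_t the range s0-s15:c0.c1023, so on this configuration the exemption appears to span all the levels shown; it is worth confirming in enforcing mode that this is the only access needed and that nothing narrower serves. I would record the reason next to the rule, e.g. `# mount needs setsched on kernel_t at s15 (MLS write-up); see AVC in patch header`, so a later policy refresh does not carry it forward blindly. Separately, the trailer `Signen-off-by: Wenzong Fan` is misspelled and tooling that parses sign-offs will not recognise it; it should read `Signed-off-by:`.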