2 files changed, 63 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch b/recipes-security/refpolicy/refpolicy/0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch
new file mode 100644
index 0000000..bb25790
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch
@@ -0,0 +1,62 @@
+From a80bd03836c75b0a9b4d0d342a0000ef20c5cd2d Mon Sep 17 00:00:00 2001
+From: Clayton Casciato <ccasciato@21sw.us>
+Date: Wed, 9 Apr 2025 17:34:10 -0600
+Subject: [PATCH] oddjob: allow oddjob_mkhomedir_t privfd:fd use
+type=PROCTITLE proctitle=mkhomedir_helper user123 0077
+type=EXECVE argc=3 a0=mkhomedir_helper a1=user123 a2=0077
+type=SYSCALL arch=armeb syscall=execve per=PER_LINUX success=yes exit=0
+a0=0x5b79d8 a1=0x5a64d0 a2=0x5b0f10 a3=0x0 items=0 ppid=429 pid=1369
+auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
+sgid=root fsgid=root tty=ttyAMA0 ses=unset comm=mkhomedir_helpe
+exe=/usr/sbin/mkhomedir_helper
+subj=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
+key=(null)
+type=AVC avc:  denied  { use } for  pid=1369 comm=mkhomedir_helpe
+path=/dev/ttyAMA0 dev="devtmpfs" ino=2
+scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
+tcontext=system_u:system_r:getty_t:s0 tclass=fd
+--
+Ref:
+https://github.com/SELinuxProject/refpolicy/blob/RELEASE_2_20250213/policy/modules/system/getty.te#L12
+https://danwalsh.livejournal.com/77728.html
+https://github.com/SELinuxProject/selinux-notebook/blob/20240430/src/type_statements.md#typeattribute
+--
+Fedora:
+$ sesearch -A --source oddjob_mkhomedir_t --target getty_t --class fd
+allow application_domain_type privfd:fd use;
+allow domain domain:fd use; [ domain_fd_use ]:True
+$ getsebool domain_fd_use
+domain_fd_use --> on
+Signed-off-by: Clayton Casciato <ccasciato@21sw.us>
+Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/a3a6b17045412be07f63581f6e10310175e82ddf]
+Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
+---
+ policy/modules/services/oddjob.te | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
+index 6ea785851..299077739 100644
+--- a/policy/modules/services/oddjob.te
+++ b/policy/modules/services/oddjob.te
+@@ -79,6 +79,8 @@ kernel_read_system_state(oddjob_mkhomedir_t)
+ 
+ auth_use_nsswitch(oddjob_mkhomedir_t)
+ 
+domain_use_interactive_fds(oddjob_mkhomedir_t)
+
+ logging_send_syslog_msg(oddjob_mkhomedir_t)
+ 
+ miscfiles_read_localization(oddjob_mkhomedir_t)
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 7b6822d..2eadeb7 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -81,6 +81,7 @@ SRC_URI += " \
        file://0063-policy-modules-system-locallogin-dontaudit-sulogin_t.patch \
        file://0064-policy-modules-system-locallogin-allow-sulogin_t-unc.patch \
        file://0065-policy-modules-system-locallogin-allow-sulogin_t-use.patch \
+        file://0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch \
        "
 S = "${WORKDIR}/refpolicy"

diff --git a/recipes-security/refpolicy/refpolicy/0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch b/recipes-security/refpolicy/refpolicy/0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch new file mode 100644 index 0000000..bb25790 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch
@@ -0,0 +1,62 @@
		1	From a80bd03836c75b0a9b4d0d342a0000ef20c5cd2d Mon Sep 17 00:00:00 2001
		2	From: Clayton Casciato <ccasciato@21sw.us>
		3	Date: Wed, 9 Apr 2025 17:34:10 -0600
		4	Subject: [PATCH] oddjob: allow oddjob_mkhomedir_t privfd:fd use
		5
		6	type=PROCTITLE proctitle=mkhomedir_helper user123 0077
		7
		8	type=EXECVE argc=3 a0=mkhomedir_helper a1=user123 a2=0077
		9
		10	type=SYSCALL arch=armeb syscall=execve per=PER_LINUX success=yes exit=0
		11	a0=0x5b79d8 a1=0x5a64d0 a2=0x5b0f10 a3=0x0 items=0 ppid=429 pid=1369
		12	auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
		13	sgid=root fsgid=root tty=ttyAMA0 ses=unset comm=mkhomedir_helpe
		14	exe=/usr/sbin/mkhomedir_helper
		15	subj=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
		16	key=(null)
		17
		18	type=AVC avc: denied { use } for pid=1369 comm=mkhomedir_helpe
		19	path=/dev/ttyAMA0 dev="devtmpfs" ino=2
		20	scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
		21	tcontext=system_u:system_r:getty_t:s0 tclass=fd
		22
		23	--
		24
		25	Ref:
		26	https://github.com/SELinuxProject/refpolicy/blob/RELEASE_2_20250213/policy/modules/system/getty.te#L12
		27
		28	https://danwalsh.livejournal.com/77728.html
		29	https://github.com/SELinuxProject/selinux-notebook/blob/20240430/src/type_statements.md#typeattribute
		30
		31	--
		32
		33	Fedora:
		34	$ sesearch -A --source oddjob_mkhomedir_t --target getty_t --class fd
		35	allow application_domain_type privfd:fd use;
		36	allow domain domain:fd use; [ domain_fd_use ]:True
		37
		38	$ getsebool domain_fd_use
		39	domain_fd_use --> on
		40
		41	Signed-off-by: Clayton Casciato <ccasciato@21sw.us>
		42
		43	Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/a3a6b17045412be07f63581f6e10310175e82ddf]
		44
		45	Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
		46	---
		47	policy/modules/services/oddjob.te \| 2 ++
		48	1 file changed, 2 insertions(+)
		49
		50	diff --git a/policy/modules/services/oddjob.te b/policy/modules/services/oddjob.te
		51	index 6ea785851..299077739 100644
		52	--- a/policy/modules/services/oddjob.te
		53	+++ b/policy/modules/services/oddjob.te
		54	@@ -79,6 +79,8 @@ kernel_read_system_state(oddjob_mkhomedir_t)
		55
		56	auth_use_nsswitch(oddjob_mkhomedir_t)
		57
		58	+domain_use_interactive_fds(oddjob_mkhomedir_t)
		59	+
		60	logging_send_syslog_msg(oddjob_mkhomedir_t)
		61
		62	miscfiles_read_localization(oddjob_mkhomedir_t)


diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index 7b6822d..2eadeb7 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -81,6 +81,7 @@ SRC_URI += " \
81	file://0063-policy-modules-system-locallogin-dontaudit-sulogin_t.patch \	81	file://0063-policy-modules-system-locallogin-dontaudit-sulogin_t.patch \
82	file://0064-policy-modules-system-locallogin-allow-sulogin_t-unc.patch \	82	file://0064-policy-modules-system-locallogin-allow-sulogin_t-unc.patch \
83	file://0065-policy-modules-system-locallogin-allow-sulogin_t-use.patch \	83	file://0065-policy-modules-system-locallogin-allow-sulogin_t-use.patch \
		84	file://0066-policy-modules-services-oddjob-allow-oddjob_mkhomedi.patch \
84	"	85	"
85		86
86	S = "${WORKDIR}/refpolicy"	87	S = "${WORKDIR}/refpolicy"