5 files changed, 108 insertions, 141 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
deleted file mode 100644
index 073068e..0000000
--- a/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 8cbc09769a08cf3f5dcb611d471e5da298bde67c Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Wed, 1 Jul 2020 08:44:07 +0800
-Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create
- directory with label rpcbind_runtime_t
-Fixes:
-avc:  denied  { create } for  pid=136 comm="rpcbind" name="rpcbind"
-scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
-Upstream-Status: Inappropriate [embedded specific]
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- policy/modules/services/rpcbind.te | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
-index 137c21ece..2a712192b 100644
--- a/policy/modules/services/rpcbind.te
-+++ b/policy/modules/services/rpcbind.te
-@@ -25,7 +25,7 @@ files_type(rpcbind_var_lib_t)
- # Local policy
- #
- 
-allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
-+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config chown };
- # net_admin is for SO_SNDBUFFORCE
- dontaudit rpcbind_t self:capability net_admin;
- allow rpcbind_t self:fifo_file rw_fifo_file_perms;
-- 
-2.25.1
diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch
deleted file mode 100644
index 060b01b..0000000
--- a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From b5dae809f2b46b82b75abcb562974212b370aa39 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Fri, 8 Dec 2023 14:16:26 +0800
-Subject: [PATCH] policy/modules/system/authlogin: fix login errors after
- enabling systemd DynamicUser
-Allow domains using PAM to read /etc/shadow to fix login errors after
-enabling systemd DynamicUser.
-Fixes:
-avc:  denied  { read } for  pid=434 comm="login" name="shadow"
-dev="sda2" ino=26314
-scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
-avc:  denied  { open } for  pid=434 comm="login" path="/etc/shadow"
-dev="sda2" ino=26314
-scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
-avc:  denied  { getattr } for  pid=434 comm="login" path="/etc/shadow"
-dev="sda2" ino=26314
-scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
-avc:  denied  { read } for  pid=457 comm="sshd" name="shadow" dev="sda2"
-ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
-avc:  denied  { open } for  pid=457 comm="sshd" path="/etc/shadow"
-dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
-avc:  denied  { getattr } for  pid=457 comm="sshd" path="/etc/shadow"
-dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
-tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
-Upstream-Status: Inappropriate [embedded specific]
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- policy/modules/admin/su.if           | 4 ++--
- policy/modules/system/authlogin.te   | 2 +-
- policy/modules/system/selinuxutil.te | 2 ++
- 3 files changed, 5 insertions(+), 3 deletions(-)
-diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index dce1a0ea9..c55cdfc09 100644
--- a/policy/modules/admin/su.if
-+++ b/policy/modules/admin/su.if
-@@ -76,7 +76,7 @@ template(`su_restricted_domain_template', `
-        selinux_compute_access_vector($1_su_t)
- 
-        auth_domtrans_chk_passwd($1_su_t)
-       auth_dontaudit_read_shadow($1_su_t)
-+       auth_read_shadow($1_su_t)
-        auth_use_nsswitch($1_su_t)
-        auth_create_faillog_files($1_su_t)
-        auth_rw_faillog($1_su_t)
-@@ -183,7 +183,7 @@ template(`su_role_template',`
-        selinux_use_status_page($1_su_t)
- 
-        auth_domtrans_chk_passwd($1_su_t)
-       auth_dontaudit_read_shadow($1_su_t)
-+       auth_read_shadow($1_su_t)
-        auth_use_nsswitch($1_su_t)
-        auth_create_faillog_files($1_su_t)
-        auth_rw_faillog($1_su_t)
-diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 5d675bc15..2ca79e95d 100644
--- a/policy/modules/system/authlogin.te
-+++ b/policy/modules/system/authlogin.te
-@@ -10,7 +10,7 @@ policy_module(authlogin)
- ## Allow PAM usage.  If disabled, read access /etc/shadow is allowed for domains that normally use PAM.
- ## </p>
- ## </desc>
-gen_tunable(authlogin_pam, true)
-+gen_tunable(authlogin_pam, false)
- 
- ## <desc>
- ## <p>
-diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ebc1abc10..c6b2ec47a 100644
--- a/policy/modules/system/selinuxutil.te
-+++ b/policy/modules/system/selinuxutil.te
-@@ -251,6 +251,7 @@ allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_re
- read_files_pattern(newrole_t, default_context_t, default_context_t)
- read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
- 
-+kernel_getattr_proc(newrole_t)
- kernel_read_system_state(newrole_t)
- kernel_read_kernel_sysctls(newrole_t)
- kernel_dontaudit_getattr_proc(newrole_t)
-@@ -295,6 +296,7 @@ auth_run_chk_passwd(newrole_t, newrole_roles)
- auth_run_upd_passwd(newrole_t, newrole_roles)
- auth_rw_faillog(newrole_t)
- auth_search_faillog(newrole_t)
-+auth_read_shadow(newrole_t)
- 
- # Write to utmp.
- init_rw_utmp(newrole_t)
-- 
-2.25.1
diff --git a/recipes-security/refpolicy/refpolicy/0057-Allow-services-to-read-tmpfs-under-run-credentials.patch b/recipes-security/refpolicy/refpolicy/0057-Allow-services-to-read-tmpfs-under-run-credentials.patch
new file mode 100644
index 0000000..629de01
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0057-Allow-services-to-read-tmpfs-under-run-credentials.patch
@@ -0,0 +1,106 @@
+From be681d155c6c62a2ec4939dedc921921fe73e277 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 30 Aug 2024 12:39:48 +0800
+Subject: [PATCH] Allow services to read tmpfs under /run/credentials/
+$ mount | grep credentials
+tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-udev-load-credentials.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-tmpfiles-setup-dev-early.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-sysctl.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-tmpfiles-setup-dev.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-vconsole-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-tmpfiles-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-resolved.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/systemd-networkd.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+tmpfs on /run/credentials/getty@tty1.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
+Fixes:
+avc:  denied  { search } for  pid=106 comm="systemd-journal" name="/"
+dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t:s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
+avc:  denied  { read } for  pid=114 comm="udevadm" name="/" dev="tmpfs"
+ino=1 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
+avc:  denied  { open } for  pid=114 comm="udevadm"
+path="/run/credentials/systemd-udev-load-credentials.service"
+dev="tmpfs" ino=1 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
+avc:  denied  { read } for  pid=353 comm="agetty" name="/" dev="tmpfs"
+ino=1 scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
+avc:  denied  { open } for  pid=353 comm="agetty"
+path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1
+scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
+avc:  denied  { getattr } for  pid=353 comm="agetty"
+path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1
+scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
+Upstream-Status: Pending
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/getty.te   | 1 +
+ policy/modules/system/logging.te | 1 +
+ policy/modules/system/systemd.te | 1 +
+ policy/modules/system/udev.te    | 1 +
+ 4 files changed, 4 insertions(+)
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index a900226bf..75b94785b 100644
+--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
+@@ -75,6 +75,7 @@ fs_getattr_cgroup(getty_t)
+ fs_search_cgroup_dirs(getty_t)
+ # for error condition handling
+ fs_getattr_xattr_fs(getty_t)
+fs_list_tmpfs(getty_t)
+ 
+ mcs_process_set_categories(getty_t)
+ 
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index fc73825fa..d5878876b 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -495,6 +495,7 @@ files_read_kernel_symbol_table(syslogd_t)
+ files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
+ 
+ fs_getattr_all_fs(syslogd_t)
+fs_list_tmpfs(syslogd_t)
+ fs_search_auto_mountpoints(syslogd_t)
+ 
+ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 22a319c36..0440b4795 100644
+--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
+@@ -1303,6 +1303,7 @@ files_watch_root_dirs(systemd_networkd_t)
+ files_list_runtime(systemd_networkd_t)
+ 
+ fs_getattr_all_fs(systemd_networkd_t)
+fs_list_tmpfs(systemd_networkd_t)
+ fs_search_cgroup_dirs(systemd_networkd_t)
+ fs_read_nsfs_files(systemd_networkd_t)
+ fs_watch_memory_pressure(systemd_networkd_t)
+diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
+index b2e43aa7d..f543a48d2 100644
+--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
+@@ -142,6 +142,7 @@ files_dontaudit_getattr_tmp_dirs(udev_t)
+ 
+ fs_getattr_all_fs(udev_t)
+ fs_list_inotifyfs(udev_t)
+fs_list_tmpfs(udev_t)
+ fs_read_cgroup_files(udev_t)
+ fs_rw_anon_inodefs_files(udev_t)
+ fs_search_tracefs(udev_t)
+-- 
+2.25.1
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 7b45882..8c9d046 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -48,13 +48,11 @@ SRC_URI += " \
        file://0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
        file://0031-policy-modules-system-logging-fix-auditd-startup-fai.patch \
        file://0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
-        file://0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
        file://0034-policy-modules-system-systemd-enable-support-for-sys.patch \
        file://0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch \
        file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \
        file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \
        file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \
-        file://0039-policy-modules-system-authlogin-fix-login-errors-aft.patch \
        file://0040-policy-modules-system-logging-grant-getpcap-capabili.patch \
        file://0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
        file://0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
@@ -72,6 +70,7 @@ SRC_URI += " \
        file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
        file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
        file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \
+        file://0057-Allow-services-to-read-tmpfs-under-run-credentials.patch \
        "
 S = "${WORKDIR}/refpolicy"
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc
index 80d92ac..4043005 100644
--- a/recipes-security/refpolicy/refpolicy_git.inc
+++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -2,7 +2,7 @@ PV = "2.20240226+git"
 SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy"
-SRCREV_refpolicy ?= "71f4bd1992e05bcd79dc5234f8a30deeb141aa3d"
+SRCREV_refpolicy ?= "351a5a7f4dc959769aaa8fe47c6e77f94fe5b657"
 UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"

diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch deleted file mode 100644 index 073068e..0000000 --- a/recipes-security/refpolicy/refpolicy/0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch +++ /dev/null
@@ -1,34 +0,0 @@
1	From 8cbc09769a08cf3f5dcb611d471e5da298bde67c Mon Sep 17 00:00:00 2001
2	From: Yi Zhao <yi.zhao@windriver.com>
3	Date: Wed, 1 Jul 2020 08:44:07 +0800
4	Subject: [PATCH] policy/modules/services/rpcbind: allow rpcbind_t to create
5	directory with label rpcbind_runtime_t
6
7	Fixes:
8	avc: denied { create } for pid=136 comm="rpcbind" name="rpcbind"
9	scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023
10	tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
11
12	Upstream-Status: Inappropriate [embedded specific]
13
14	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
15	---
16	policy/modules/services/rpcbind.te \| 2 +-
17	1 file changed, 1 insertion(+), 1 deletion(-)
18
19	diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
20	index 137c21ece..2a712192b 100644
21	--- a/policy/modules/services/rpcbind.te
22	+++ b/policy/modules/services/rpcbind.te
23	@@ -25,7 +25,7 @@ files_type(rpcbind_var_lib_t)
24	# Local policy
25	#
26
27	-allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
28	+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config chown };
29	# net_admin is for SO_SNDBUFFORCE
30	dontaudit rpcbind_t self:capability net_admin;
31	allow rpcbind_t self:fifo_file rw_fifo_file_perms;
32	--
33	2.25.1
34


diff --git a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch b/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch deleted file mode 100644 index 060b01b..0000000 --- a/recipes-security/refpolicy/refpolicy/0039-policy-modules-system-authlogin-fix-login-errors-aft.patch +++ /dev/null
@@ -1,104 +0,0 @@
1	From b5dae809f2b46b82b75abcb562974212b370aa39 Mon Sep 17 00:00:00 2001
2	From: Yi Zhao <yi.zhao@windriver.com>
3	Date: Fri, 8 Dec 2023 14:16:26 +0800
4	Subject: [PATCH] policy/modules/system/authlogin: fix login errors after
5	enabling systemd DynamicUser
6
7	Allow domains using PAM to read /etc/shadow to fix login errors after
8	enabling systemd DynamicUser.
9
10	Fixes:
11	avc: denied { read } for pid=434 comm="login" name="shadow"
12	dev="sda2" ino=26314
13	scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
14	tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
15
16	avc: denied { open } for pid=434 comm="login" path="/etc/shadow"
17	dev="sda2" ino=26314
18	scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
19	tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
20
21	avc: denied { getattr } for pid=434 comm="login" path="/etc/shadow"
22	dev="sda2" ino=26314
23	scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
24	tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
25
26	avc: denied { read } for pid=457 comm="sshd" name="shadow" dev="sda2"
27	ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
28	tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
29
30	avc: denied { open } for pid=457 comm="sshd" path="/etc/shadow"
31	dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
32	tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
33
34	avc: denied { getattr } for pid=457 comm="sshd" path="/etc/shadow"
35	dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
36	tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
37
38	Upstream-Status: Inappropriate [embedded specific]
39
40	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
41	---
42	policy/modules/admin/su.if \| 4 ++--
43	policy/modules/system/authlogin.te \| 2 +-
44	policy/modules/system/selinuxutil.te \| 2 ++
45	3 files changed, 5 insertions(+), 3 deletions(-)
46
47	diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
48	index dce1a0ea9..c55cdfc09 100644
49	--- a/policy/modules/admin/su.if
50	+++ b/policy/modules/admin/su.if
51	@@ -76,7 +76,7 @@ template(`su_restricted_domain_template', `
52	selinux_compute_access_vector($1_su_t)
53
54	auth_domtrans_chk_passwd($1_su_t)
55	- auth_dontaudit_read_shadow($1_su_t)
56	+ auth_read_shadow($1_su_t)
57	auth_use_nsswitch($1_su_t)
58	auth_create_faillog_files($1_su_t)
59	auth_rw_faillog($1_su_t)
60	@@ -183,7 +183,7 @@ template(`su_role_template',`
61	selinux_use_status_page($1_su_t)
62
63	auth_domtrans_chk_passwd($1_su_t)
64	- auth_dontaudit_read_shadow($1_su_t)
65	+ auth_read_shadow($1_su_t)
66	auth_use_nsswitch($1_su_t)
67	auth_create_faillog_files($1_su_t)
68	auth_rw_faillog($1_su_t)
69	diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
70	index 5d675bc15..2ca79e95d 100644
71	--- a/policy/modules/system/authlogin.te
72	+++ b/policy/modules/system/authlogin.te
73	@@ -10,7 +10,7 @@ policy_module(authlogin)
74	## Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM.
75	## </p>
76	## </desc>
77	-gen_tunable(authlogin_pam, true)
78	+gen_tunable(authlogin_pam, false)
79
80	## <desc>
81	## <p>
82	diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
83	index ebc1abc10..c6b2ec47a 100644
84	--- a/policy/modules/system/selinuxutil.te
85	+++ b/policy/modules/system/selinuxutil.te
86	@@ -251,6 +251,7 @@ allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_re
87	read_files_pattern(newrole_t, default_context_t, default_context_t)
88	read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
89
90	+kernel_getattr_proc(newrole_t)
91	kernel_read_system_state(newrole_t)
92	kernel_read_kernel_sysctls(newrole_t)
93	kernel_dontaudit_getattr_proc(newrole_t)
94	@@ -295,6 +296,7 @@ auth_run_chk_passwd(newrole_t, newrole_roles)
95	auth_run_upd_passwd(newrole_t, newrole_roles)
96	auth_rw_faillog(newrole_t)
97	auth_search_faillog(newrole_t)
98	+auth_read_shadow(newrole_t)
99
100	# Write to utmp.
101	init_rw_utmp(newrole_t)
102	--
103	2.25.1
104


diff --git a/recipes-security/refpolicy/refpolicy/0057-Allow-services-to-read-tmpfs-under-run-credentials.patch b/recipes-security/refpolicy/refpolicy/0057-Allow-services-to-read-tmpfs-under-run-credentials.patch new file mode 100644 index 0000000..629de01 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0057-Allow-services-to-read-tmpfs-under-run-credentials.patch
@@ -0,0 +1,106 @@
		1	From be681d155c6c62a2ec4939dedc921921fe73e277 Mon Sep 17 00:00:00 2001
		2	From: Yi Zhao <yi.zhao@windriver.com>
		3	Date: Fri, 30 Aug 2024 12:39:48 +0800
		4	Subject: [PATCH] Allow services to read tmpfs under /run/credentials/
		5
		6	$ mount \| grep credentials
		7	tmpfs on /run/credentials/systemd-journald.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
		8	tmpfs on /run/credentials/systemd-udev-load-credentials.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
		9	tmpfs on /run/credentials/systemd-tmpfiles-setup-dev-early.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
		10	tmpfs on /run/credentials/systemd-sysctl.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
		11	tmpfs on /run/credentials/systemd-tmpfiles-setup-dev.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
		12	tmpfs on /run/credentials/systemd-vconsole-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
		13	tmpfs on /run/credentials/systemd-tmpfiles-setup.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
		14	tmpfs on /run/credentials/systemd-resolved.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
		15	tmpfs on /run/credentials/systemd-networkd.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
		16	tmpfs on /run/credentials/getty@tty1.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,seclabel,size=1024k,nr_inodes=1024,mode=700,noswap)
		17
		18	Fixes:
		19	avc: denied { search } for pid=106 comm="systemd-journal" name="/"
		20	dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t:s15:c0.c1023
		21	tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
		22
		23	avc: denied { read } for pid=114 comm="udevadm" name="/" dev="tmpfs"
		24	ino=1 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
		25	tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
		26
		27	avc: denied { open } for pid=114 comm="udevadm"
		28	path="/run/credentials/systemd-udev-load-credentials.service"
		29	dev="tmpfs" ino=1 scontext=system_u:system_r:udev_t:s0-s15:c0.c1023
		30	tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
		31
		32	avc: denied { read } for pid=353 comm="agetty" name="/" dev="tmpfs"
		33	ino=1 scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
		34	tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
		35
		36	avc: denied { open } for pid=353 comm="agetty"
		37	path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1
		38	scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
		39	tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
		40
		41	avc: denied { getattr } for pid=353 comm="agetty"
		42	path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1
		43	scontext=system_u:system_r:getty_t:s0-s15:c0.c1023
		44	tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
		45
		46	Upstream-Status: Pending
		47
		48	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		49	---
		50	policy/modules/system/getty.te \| 1 +
		51	policy/modules/system/logging.te \| 1 +
		52	policy/modules/system/systemd.te \| 1 +
		53	policy/modules/system/udev.te \| 1 +
		54	4 files changed, 4 insertions(+)
		55
		56	diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
		57	index a900226bf..75b94785b 100644
		58	--- a/policy/modules/system/getty.te
		59	+++ b/policy/modules/system/getty.te
		60	@@ -75,6 +75,7 @@ fs_getattr_cgroup(getty_t)
		61	fs_search_cgroup_dirs(getty_t)
		62	# for error condition handling
		63	fs_getattr_xattr_fs(getty_t)
		64	+fs_list_tmpfs(getty_t)
		65
		66	mcs_process_set_categories(getty_t)
		67
		68	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
		69	index fc73825fa..d5878876b 100644
		70	--- a/policy/modules/system/logging.te
		71	+++ b/policy/modules/system/logging.te
		72	@@ -495,6 +495,7 @@ files_read_kernel_symbol_table(syslogd_t)
		73	files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
		74
		75	fs_getattr_all_fs(syslogd_t)
		76	+fs_list_tmpfs(syslogd_t)
		77	fs_search_auto_mountpoints(syslogd_t)
		78
		79	mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
		80	diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
		81	index 22a319c36..0440b4795 100644
		82	--- a/policy/modules/system/systemd.te
		83	+++ b/policy/modules/system/systemd.te
		84	@@ -1303,6 +1303,7 @@ files_watch_root_dirs(systemd_networkd_t)
		85	files_list_runtime(systemd_networkd_t)
		86
		87	fs_getattr_all_fs(systemd_networkd_t)
		88	+fs_list_tmpfs(systemd_networkd_t)
		89	fs_search_cgroup_dirs(systemd_networkd_t)
		90	fs_read_nsfs_files(systemd_networkd_t)
		91	fs_watch_memory_pressure(systemd_networkd_t)
		92	diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
		93	index b2e43aa7d..f543a48d2 100644
		94	--- a/policy/modules/system/udev.te
		95	+++ b/policy/modules/system/udev.te
		96	@@ -142,6 +142,7 @@ files_dontaudit_getattr_tmp_dirs(udev_t)
		97
		98	fs_getattr_all_fs(udev_t)
		99	fs_list_inotifyfs(udev_t)
		100	+fs_list_tmpfs(udev_t)
		101	fs_read_cgroup_files(udev_t)
		102	fs_rw_anon_inodefs_files(udev_t)
		103	fs_search_tracefs(udev_t)
		104	--
		105	2.25.1
		106


diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index 7b45882..8c9d046 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -48,13 +48,11 @@ SRC_URI += " \
48	file://0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch \	48	file://0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
49	file://0031-policy-modules-system-logging-fix-auditd-startup-fai.patch \	49	file://0031-policy-modules-system-logging-fix-auditd-startup-fai.patch \
50	file://0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \	50	file://0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
51	file://0033-policy-modules-services-rpcbind-allow-rpcbind_t-to-c.patch \
52	file://0034-policy-modules-system-systemd-enable-support-for-sys.patch \	51	file://0034-policy-modules-system-systemd-enable-support-for-sys.patch \
53	file://0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch \	52	file://0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch \
54	file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \	53	file://0036-policy-modules-system-systemd-allow-systemd_logind_t.patch \
55	file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \	54	file://0037-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \
56	file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \	55	file://0038-policy-modules-system-systemd-systemd-user-fixes.patch \
57	file://0039-policy-modules-system-authlogin-fix-login-errors-aft.patch \
58	file://0040-policy-modules-system-logging-grant-getpcap-capabili.patch \	56	file://0040-policy-modules-system-logging-grant-getpcap-capabili.patch \
59	file://0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \	57	file://0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
60	file://0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \	58	file://0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
@@ -72,6 +70,7 @@ SRC_URI += " \
72	file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \	70	file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
73	file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \	71	file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
74	file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \	72	file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \
		73	file://0057-Allow-services-to-read-tmpfs-under-run-credentials.patch \
75	"	74	"
76		75
77	S = "${WORKDIR}/refpolicy"	76	S = "${WORKDIR}/refpolicy"


diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc index 80d92ac..4043005 100644 --- a/recipes-security/refpolicy/refpolicy_git.inc +++ b/recipes-security/refpolicy/refpolicy_git.inc
@@ -2,7 +2,7 @@ PV = "2.20240226+git"
2		2
3	SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy"	3	SRC_URI = "git://github.com/SELinuxProject/refpolicy.git;protocol=https;branch=main;name=refpolicy;destsuffix=refpolicy"
4		4
5	SRCREV_refpolicy ?= "71f4bd1992e05bcd79dc5234f8a30deeb141aa3d"	5	SRCREV_refpolicy ?= "351a5a7f4dc959769aaa8fe47c6e77f94fe5b657"
6		6
7	UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"	7	UPSTREAM_CHECK_GITTAGREGEX = "RELEASE_(?P<pver>\d+_\d+)"
8		8