selinux-policy: Clean up testing rules and add systemd fix. (#9911)

Signed-off-by: Chris PeBenito <[email protected]>

Author: pebenito

SPECS/selinux-policy/0017-various-Add-additional-logging-access-for-domains-ru.patch

@@ -1,70 +1,28 @@
-From 87a23a94731c5bb6979d27ef81e470b84cfc4bfe Mon Sep 17 00:00:00 2001
+From f6c4470e528370d5b6e8cf25b86e753c98022592 Mon Sep 17 00:00:00 2001
 From: Chris PeBenito <[email protected]>
 Date: Mon, 25 Mar 2024 09:50:17 -0400
-Subject: [PATCH 17/24] various: Add additional logging access for domains run
+Subject: [PATCH 17/33] various: Add additional logging access for domains run
  from cloud_init.
 
 Signed-off-by: Chris PeBenito <[email protected]>
 ---
- policy/modules/admin/bootloader.te   |  6 ++++++
- policy/modules/admin/cloudinit.if    | 19 +++++++++++++++++++
+ policy/modules/admin/bootloader.te   |  2 ++
  policy/modules/admin/rpm.if          |  2 +-
  policy/modules/system/selinuxutil.te | 10 ++++++++++
  policy/modules/system/udev.te        |  5 +++++
- 5 files changed, 41 insertions(+), 1 deletion(-)
+ 4 files changed, 18 insertions(+), 1 deletion(-)
 
 diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index 84b243c0c..4e097a1b9 100644
+index 84b243c0c..af162dd9b 100644
 --- a/policy/modules/admin/bootloader.te
 +++ b/policy/modules/admin/bootloader.te
-@@ -227,6 +227,10 @@ ifdef(`init_systemd',`
- 	init_rw_inherited_stream_socket(bootloader_t)
- ')
- 
-+optional_policy(`
-+	cloudinit_write_inherited_tmp_files(bootloader_t)
-+')
-+
- optional_policy(`
- 	fstools_exec(bootloader_t)
- ')
-@@ -258,4 +262,6 @@ optional_policy(`
+@@ -258,4 +258,6 @@ optional_policy(`
 
  optional_policy(`
  	rpm_rw_pipes(bootloader_t)
 +	rpm_read_inherited_tmp_files(bootloader_t)
 +	rpm_append_inherited_tmp_files(bootloader_t)
  ')
-diff --git a/policy/modules/admin/cloudinit.if b/policy/modules/admin/cloudinit.if
-index 6d427e771..e69698fae 100644
---- a/policy/modules/admin/cloudinit.if
-+++ b/policy/modules/admin/cloudinit.if
-@@ -181,6 +181,25 @@ interface(`cloudinit_getattr_state_files',`
- 	allow $1 cloud_init_state_t:file getattr;
- ')
- 
-+########################################
-+## <summary>
-+##	Append inherited cloud-init temporary files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`cloudinit_append_inherited_tmp_files',`
-+	gen_require(`
-+		type cloud_init_t, cloud_init_tmp_t;
-+	')
-+
-+	allow $1 cloud_init_t:fd use;
-+	allow $1 cloud_init_tmp_t:file append_inherited_file_perms;
-+')
-+
- ########################################
- ## <summary>
- ##	Write inherited cloud-init temporary files.
 diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
 index b20c3cd3d..19943a0ae 100644
 --- a/policy/modules/admin/rpm.if
@@ -120,5 +78,5 @@ index bebefdda8..8af0d90e0 100644
 +	rpm_append_inherited_tmp_files(udevadm_t)
 +')
 -- 
-2.44.0
+2.45.2
 

SPECS/selinux-policy/0033-cloud-init-and-kmod-fixes.patch

@@ -0,0 +1,26 @@
+From e02c2eb0ad3e43df71c27a8f9c5ae7150add310a Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <[email protected]>
+Date: Mon, 1 Jul 2024 09:27:04 -0400
+Subject: [PATCH 33/33] kmod fix for /run/modprobe.d.
+
+Signed-off-by: Chris PeBenito <[email protected]>
+---
+ policy/modules/system/modutils.fc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
+index 323120062..de9f88fa8 100644
+--- a/policy/modules/system/modutils.fc
++++ b/policy/modules/system/modutils.fc
+@@ -8,6 +8,8 @@ ifdef(`distro_gentoo',`
+ /etc/modprobe\.devfs.*		--	gen_context(system_u:object_r:modules_conf_t,s0)
+ ')
+ 
++/run/modprobe\.d(/.*)?			gen_context(system_u:object_r:modules_conf_t,s0)
++
+ ifdef(`init_systemd',`
+ /run/tmpfiles\.d/kmod\.conf	--	gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
+ /run/tmpfiles\.d/static-nodes\.conf --  gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
+-- 
+2.45.2
+

SPECS/selinux-policy/0033-kmod-fix-for-run-modprobe.d.patch

@@ -0,0 +1,27 @@
+From aff599f9d5186afad60703f3f9bc5ad75df63899 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <[email protected]>
+Date: Thu, 18 Jul 2024 15:51:20 -0400
+Subject: [PATCH 34/34] systemd: Fix dac_override use in
+ systemd-machine-id-setup.
+
+Signed-off-by: Chris PeBenito <[email protected]>
+---
+ policy/modules/system/systemd.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index f64c29cc3..664f4f31a 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -1170,7 +1170,7 @@ optional_policy(`
+ # machine-id-setup local policy
+ #
+ 
+-allow systemd_machine_id_setup_t self:capability { setgid sys_admin sys_chroot };
++allow systemd_machine_id_setup_t self:capability { dac_override setgid sys_admin sys_chroot };
+ 
+ files_list_var(systemd_machine_id_setup_t)
+ files_mounton_root(systemd_machine_id_setup_t)
+-- 
+2.45.2
+

SPECS/selinux-policy/0034-systemd-Fix-dac_override-use-in-systemd-machine-id-s.patch

@@ -0,0 +1,109 @@
+From 97b37cca000c83e0cbc36479fff5cf8491a67d43 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <[email protected]>
+Date: Fri, 19 Jul 2024 10:39:54 -0400
+Subject: [PATCH 35/35] rpm: Run systemd-sysctl from %post.
+
+Run commands such as:
+
+/usr/lib/systemd/systemd-sysctl /etc/sysctl.d/10-default-yama-scope.conf
+
+Signed-off-by: Chris PeBenito <[email protected]>
+---
+ policy/modules/admin/rpm.te      |  4 +++
+ policy/modules/system/systemd.if | 44 ++++++++++++++++++++++++++++++++
+ policy/modules/system/systemd.te |  2 ++
+ 3 files changed, 50 insertions(+)
+
+diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
+index 41253a4e2..809e8c573 100644
+--- a/policy/modules/admin/rpm.te
++++ b/policy/modules/admin/rpm.te
+@@ -416,6 +416,10 @@ optional_policy(`
+ 	ntp_domtrans(rpm_script_t)
+ ')
+ 
++optional_policy(`
++	systemd_run_sysctl(rpm_script_t, rpm_roles)
++')
++
+ optional_policy(`
+ 	tzdata_run(rpm_t, rpm_roles)
+ 	tzdata_run(rpm_script_t, rpm_roles)
+diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
+index b7a392a13..2cb5ae2ed 100644
+--- a/policy/modules/system/systemd.if
++++ b/policy/modules/system/systemd.if
+@@ -2629,6 +2629,50 @@ interface(`systemd_read_resolved_runtime',`
+ 	read_files_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
+ ')
+ 
++########################################
++## <summary>
++##  Execute systemd-sysctl in the systemd sysctl domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_domtrans_sysctl', `
++	gen_require(`
++		type systemd_sysctl_t, systemd_sysctl_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, systemd_sysctl_exec_t, systemd_sysctl_t)
++')
++
++########################################
++## <summary>
++##  Run systemd-sysctl with a domain transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`systemd_run_sysctl', `
++	gen_require(`
++		attribute_role systemd_sysctl_roles;
++	')
++
++	systemd_domtrans_sysctl($1)
++	roleattribute $2 systemd_sysctl_roles;
++')
++
+ ########################################
+ ## <summary>
+ ##	Execute the systemctl program.
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index 664f4f31a..3ad5bb651 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -58,6 +58,7 @@ attribute systemd_user_session_type;
+ attribute systemd_user_activated_sock_file_type;
+ attribute systemd_user_unix_stream_activated_socket_type;
+ 
++attribute_role systemd_sysctl_roles;
+ attribute_role systemd_sysusers_roles;
+ 
+ type systemd_activate_t;
+@@ -288,6 +289,7 @@ init_unit_file(systemd_socket_proxyd_unit_file_t)
+ type systemd_sysctl_t;
+ type systemd_sysctl_exec_t;
+ init_daemon_domain(systemd_sysctl_t, systemd_sysctl_exec_t)
++role systemd_sysctl_roles types systemd_sysctl_t;
+ 
+ type systemd_sysusers_t;
+ type systemd_sysusers_exec_t;
+-- 
+2.45.2
+

SPECS/selinux-policy/0035-rpm-Run-systemd-sysctl-from-post.patch

@@ -9,7 +9,7 @@
 Summary:        SELinux policy
 Name:           selinux-policy
 Version:        %{refpolicy_major}.%{refpolicy_minor}
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -51,7 +51,9 @@ Patch29:        0029-filesystem-systemd-memory.pressure-fixes.patch
 Patch30:        0030-init-Add-homectl-dbus-access.patch
 Patch31:        0031-Temporary-workaround-for-memory.pressure-labeling-is.patch
 Patch32:        0032-rpm-Fixes-from-various-post-scripts.patch
-Patch33:        0033-cloud-init-and-kmod-fixes.patch
+Patch33:        0033-kmod-fix-for-run-modprobe.d.patch
+Patch34:        0034-systemd-Fix-dac_override-use-in-systemd-machine-id-s.patch
+Patch35:        0035-rpm-Run-systemd-sysctl-from-post.patch
 BuildRequires:  bzip2
 BuildRequires:  checkpolicy >= %{CHECKPOLICYVER}
 BuildRequires:  m4
@@ -335,6 +337,11 @@ exit 0
 selinuxenabled && semodule -nB
 exit 0
 %changelog
+* Thu Jul 18 2024 Chris PeBenito <[email protected]> - 2.20240226-6
+- Drop rules that are specific to AzureLinux testing systems.
+- Add fix for systemd-machine-id-setup CAP_DAC_OVERRIDE use.
+- Run systemd-sysctl from RPM scripts.
+
 * Tue Jul 16 2024 Chris PeBenito <[email protected]> - 2.20240226-5
 - Change unconfined to a separate module so it can be disabled.