From: Clayton Casciato <majortomtosourcecontrol@gmail.com>
To: joe.macdonald@siemens.com, yi.zhao@windriver.com,
yocto-patches@lists.yoctoproject.org
Subject: [meta-selinux][styhead][PATCH] refpolicy: firewalld - fix firewalld_t firewalld_tmpfs_t exec
Date: Sat, 5 Apr 2025 08:10:18 -0600
Message-ID: <f8d4dc67-e084-45b4-95e7-4174916dfc07@gmail.com>
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
---
...ervices-firewalld-fix-firewalld_t-fi.patch | 49 +++++++++++++++++++
.../refpolicy/refpolicy_common.inc | 1 +
2 files changed, 50 insertions(+)
create mode 100644 recipes-security/refpolicy/refpolicy/0061-policy-modules-services-firewalld-fix-firewalld_t-fi.patch
diff --git a/recipes-security/refpolicy/refpolicy/0061-policy-modules-services-firewalld-fix-firewalld_t-fi.patch b/recipes-security/refpolicy/refpolicy/0061-policy-modules-services-firewalld-fix-firewalld_t-fi.patch
new file mode 100644
index 0000000..9d66889
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0061-policy-modules-services-firewalld-fix-firewalld_t-fi.patch
@@ -0,0 +1,49 @@
+From f1129180e809c74b41ea928167265730fd64ae4c Mon Sep 17 00:00:00 2001
+From: Clayton Casciato <ccasciato@21sw.us>
+Date: Mon, 10 Mar 2025 14:15:39 -0600
+Subject: [PATCH] firewalld: fix firewalld_t firewalld_tmpfs_t exec
+
+type=PROCTITLE proctitle=/usr/bin/python3 /usr/sbin/firewalld --nofork
+--nopid
+type=MMAP fd=9 flags=MAP_SHARED
+type=SYSCALL arch=armeb syscall=mmap2 per=PER_LINUX success=yes
+exit=(null)(Unknown error 1238224896) a0=0x0 a1=0x1000 a2=0x5 a3=0x1
+items=0 ppid=1 pid=270 auid=unset uid=root gid=root euid=root suid=root
+fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
+comm=firewalld exe=/usr/bin/python3.12
+subj=system_u:system_r:firewalld_t:s0 key=(null)
+type=AVC avc: denied { execute } for pid=270 comm=firewalld
+path=/memfd:libffi (deleted) dev="tmpfs" ino=44
+scontext=system_u:system_r:firewalld_t:s0
+tcontext=system_u:object_r:firewalld_tmpfs_t:s0 tclass=file
+
+Fedora:
+$ sesearch -A --source firewalld_t --target firewalld_tmpfs_t --perm execute
+allow firewalld_t firewalld_tmpfs_t:file { append create execute getattr
+ioctl link lock map open read rename setattr unlink watch watch_reads
+write };
+
+https://github.com/fedora-selinux/selinux-policy/blob/v41.33/policy/modules/contrib/firewalld.te#L66
+
+Signed-off-by: Clayton Casciato <ccasciato@21sw.us>
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/c5a76add70965ae8c988310f79c8cb750afc9bc4]
+
+Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
+---
+ policy/modules/services/firewalld.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
+index f592cf4f6..7573f3cc0 100644
+--- a/policy/modules/services/firewalld.te
++++ b/policy/modules/services/firewalld.te
+@@ -62,7 +62,7 @@ files_runtime_filetrans(firewalld_t, firewalld_runtime_t, { dir file })
+
+ manage_dirs_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+ manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+-mmap_read_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
++mmap_exec_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+ fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, { dir file })
+
+ kernel_read_network_state(firewalld_t)
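Review bot: the backported commit message is a raw audit dump with no sentence saying why the rule has to change; add one line of rationale above the log, e.g. that firewalld's Python process maps a libffi memfd on tmpfs with PROT_READ|PROT_EXEC (the SYSCALL record shows a2=0x5) and that file carries firewalld_tmpfs_t, so `mmap_read_files_pattern` is too narrow and `mmap_exec_files_pattern` is required. It is also worth stating explicitly that, together with the existing `manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)` two lines above, firewalld_t can now both write and execute-map firewalld_tmpfs_t files; the Fedora sesearch output quoted in the message shows the same combination, so the widening is intended, but a policy reader should find that justification in the log rather than have to infer it from the AVC.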
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index f037c0c..b433a1e 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -76,6 +76,7 @@ SRC_URI += " \
file://0058-policy-modules-services-chronyd-allow_dac_read_searc.patch \
file://0059-policy-modules-system-unconfined-fix-oddjob-security.patch \
file://0060-policy-modules-services-firewalld-fix-lib_t-python_c.patch \
+ file://0061-policy-modules-services-firewalld-fix-firewalld_t-fi.patch \
"
S = "${WORKDIR}/refpolicy"
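Review bot: the new SRC_URI entry continues the numbering (0061 after 0060) but gives no hint of when it can be retired; since the patch header records `Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/c5a76add70965ae8c988310f79c8cb750afc9bc4]`, consider noting in the recipe commit message, or in a comment beside the entry, that the patch becomes obsolete once refpolicy is upgraded to a release containing that commit, so the next uprev drops it rather than carrying a no-op patch.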