* [meta-selinux][styhead][PATCH] refpolicy: firewalld - fix firewalld_t firewalld_tmpfs_t exec
@ 2025-04-05 14:10 Clayton Casciato
From: Clayton Casciato @ 2025-04-05 14:10 UTC
To: joe.macdonald, yi.zhao, yocto-patches
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
---
...ervices-firewalld-fix-firewalld_t-fi.patch | 49 +++++++++++++++++++
.../refpolicy/refpolicy_common.inc | 1 +
2 files changed, 50 insertions(+)
create mode 100644 recipes-security/refpolicy/refpolicy/0061-policy-modules-services-firewalld-fix-firewalld_t-fi.patch
diff --git a/recipes-security/refpolicy/refpolicy/0061-policy-modules-services-firewalld-fix-firewalld_t-fi.patch b/recipes-security/refpolicy/refpolicy/0061-policy-modules-services-firewalld-fix-firewalld_t-fi.patch
new file mode 100644
index 0000000..9d66889
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0061-policy-modules-services-firewalld-fix-firewalld_t-fi.patch
@@ -0,0 +1,49 @@
+From f1129180e809c74b41ea928167265730fd64ae4c Mon Sep 17 00:00:00 2001
+From: Clayton Casciato <ccasciato@21sw.us>
+Date: Mon, 10 Mar 2025 14:15:39 -0600
+Subject: [PATCH] firewalld: fix firewalld_t firewalld_tmpfs_t exec
+
+type=PROCTITLE proctitle=/usr/bin/python3 /usr/sbin/firewalld --nofork
+--nopid
+type=MMAP fd=9 flags=MAP_SHARED
+type=SYSCALL arch=armeb syscall=mmap2 per=PER_LINUX success=yes
+exit=(null)(Unknown error 1238224896) a0=0x0 a1=0x1000 a2=0x5 a3=0x1
+items=0 ppid=1 pid=270 auid=unset uid=root gid=root euid=root suid=root
+fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset
+comm=firewalld exe=/usr/bin/python3.12
+subj=system_u:system_r:firewalld_t:s0 key=(null)
+type=AVC avc: denied { execute } for pid=270 comm=firewalld
+path=/memfd:libffi (deleted) dev="tmpfs" ino=44
+scontext=system_u:system_r:firewalld_t:s0
+tcontext=system_u:object_r:firewalld_tmpfs_t:s0 tclass=file
+
+Fedora:
+$ sesearch -A --source firewalld_t --target firewalld_tmpfs_t --perm execute
+allow firewalld_t firewalld_tmpfs_t:file { append create execute getattr
+ioctl link lock map open read rename setattr unlink watch watch_reads
+write };
+
+https://github.com/fedora-selinux/selinux-policy/blob/v41.33/policy/modules/contrib/firewalld.te#L66
+
+Signed-off-by: Clayton Casciato <ccasciato@21sw.us>
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/c5a76add70965ae8c988310f79c8cb750afc9bc4]
+
+Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
+---
+ policy/modules/services/firewalld.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
+index f592cf4f6..7573f3cc0 100644
+--- a/policy/modules/services/firewalld.te
++++ b/policy/modules/services/firewalld.te
+@@ -62,7 +62,7 @@ files_runtime_filetrans(firewalld_t, firewalld_runtime_t, { dir file })
+
+ manage_dirs_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+ manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+-mmap_read_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
++mmap_exec_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+ fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, { dir file })
+
+ kernel_read_network_state(firewalld_t)
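Review bot: the commit message records the AVC and the matching Fedora rule but does not say why firewalld_t functionally needs execute on a tmpfs-backed file; the denied object `path=/memfd:libffi (deleted)` is the memfd that libffi creates for its closure trampolines, which must be mapped PROT_EXEC, and a sentence saying so would make the widening from `mmap_read_files_pattern` to `mmap_exec_files_pattern` self-explanatory to the next reader. It is also worth stating that, together with the `manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)` rule two lines above, the new line lets firewalld_t both write and execute any firewalld_tmpfs_t file, not only the libffi memfd; the quoted sesearch output shows Fedora grants the same scope, so it is acceptable, but the write-plus-execute consequence should be spelled out rather than left implicit.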
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index f037c0c..b433a1e 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -76,6 +76,7 @@ SRC_URI += " \
file://0058-policy-modules-services-chronyd-allow_dac_read_searc.patch \
file://0059-policy-modules-system-unconfined-fix-oddjob-security.patch \
file://0060-policy-modules-services-firewalld-fix-lib_t-python_c.patch \
+ file://0061-policy-modules-services-firewalld-fix-firewalld_t-fi.patch \
"
S = "${WORKDIR}/refpolicy"
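Review bot: since the new file is marked `Upstream-Status: Backport` against refpolicy commit c5a76add70965ae8c988310f79c8cb750afc9bc4, a short note next to this SRC_URI entry (or in the commit message) naming the refpolicy version that already contains that commit would make it clear the patch is to be dropped, not carried forward, on the next refpolicy upgrade. The numbering and trailing-backslash layout follow the 0058-0060 entries above, so nothing else to flag in this hunk.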