!233 [sync] PR-232: 【轻量级 PR】：enforcing selinux

From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee

add-rule-for-hostnamed-to-rpmscript-dbus-chat.patch

@@ -0,0 +1,23 @@
+From ad87c8bd66e7625f87d15735ae4ada8466ff7e7e Mon Sep 17 00:00:00 2001
+From: lixiao <lixiaoemail2017@163.com>
+Date: Thu, 29 Dec 2022 16:37:42 +0800
+Subject: [PATCH] add rule for hostnamed to rpmscript dbus chat
+
+---
+ policy/modules/contrib/rpm.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
+index 91337e4..10ab605 100644
+--- a/policy/modules/contrib/rpm.te
++++ b/policy/modules/contrib/rpm.te
+@@ -465,6 +465,7 @@ optional_policy(`
+         systemd_dbus_chat_logind(rpm_script_t)
+         systemd_dbus_chat_timedated(rpm_script_t)
+         systemd_dbus_chat_localed(rpm_script_t)
++        systemd_dbus_chat_hostnamed(rpm_script_t)
+     ')
+ ')
+ 
+-- 
+2.27.0

allow-httpd-to-put-files-in-httpd-config-dir.patch

@@ -0,0 +1,29 @@
+From cf6c809927dfc258f44e55116556625b4ecc7b5d Mon Sep 17 00:00:00 2001
+From: luhuaxin <luhuaxin1@huawei.com>
+Date: Fri, 24 Jun 2022 15:03:25 +0800
+Subject: [PATCH] allow httpd to put files in httpd config dir
+
+Signed-off-by: luhuaxin <luhuaxin1@huawei.com>
+---
+ policy/modules/contrib/apache.te | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
+index 0e4d4bf..b264818 100644
+--- a/policy/modules/contrib/apache.te
++++ b/policy/modules/contrib/apache.te
+@@ -516,9 +516,8 @@ files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
+ allow httpd_t httpd_cache_t:file map;
+ 
+ # Allow the httpd_t to read the web servers config files
+-allow httpd_t httpd_config_t:dir list_dir_perms;
+-read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+-read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
++# and put files in /etc/httpd
++apache_manage_config(httpd_t)
+ allow httpd_t httpd_config_t:file map;
+ 
+ can_exec(httpd_t, httpd_exec_t)
+-- 
+1.8.3.1
+

backport-Add-file-context-for-.config-Yubico.patch

@@ -0,0 +1,53 @@
+From 1363710b88904f29915e39335fef0dfb673a0f70 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 24 Aug 2020 14:29:15 +0200
+Subject: [PATCH] Add file context for ~/.config/Yubico
+
+Add file context specification for ~/.config/Yubico in addition to
+existing ~/.yubico. Update the auth_filetrans_home_content() and
+auth_filetrans_admin_home_content() interfaces accordingly.
+
+Resolves: rhbz#1860888
+Signed-off-by: lujie42 <572084868@qq.com>
+---
+ policy/modules/system/authlogin.fc | 2 ++
+ policy/modules/system/authlogin.if | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index 009c156..58551ec 100644
+--- a/policy/modules/system/authlogin.fc
++++ b/policy/modules/system/authlogin.fc
+@@ -1,7 +1,9 @@
+ HOME_DIR/\.yubico(/.*)?				    gen_context(system_u:object_r:auth_home_t,s0)
++HOME_DIR/\.config/Yubico(/.*)?			    gen_context(system_u:object_r:auth_home_t,s0)
+ HOME_DIR/\.google_authenticator			gen_context(system_u:object_r:auth_home_t,s0)
+ HOME_DIR/\.google_authenticator~		gen_context(system_u:object_r:auth_home_t,s0)
+ /root/\.yubico(/.*)?                    gen_context(system_u:object_r:auth_home_t,s0)
++/root/\.config/Yubico(/.*)?		gen_context(system_u:object_r:auth_home_t,s0)
+ /root/\.google_authenticator			gen_context(system_u:object_r:auth_home_t,s0)
+ /root/\.google_authenticator~			gen_context(system_u:object_r:auth_home_t,s0)
+ 
+diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
+index 099166d..90ae5fe 100644
+--- a/policy/modules/system/authlogin.if
++++ b/policy/modules/system/authlogin.if
+@@ -2313,6 +2313,7 @@ interface(`auth_filetrans_admin_home_content',`
+ 	userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+ 	userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+ 	userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
++	userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
+ ')
+ 
+ 
+@@ -2377,6 +2378,7 @@ interface(`auth_filetrans_home_content',`
+ 	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+ 	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+ 	userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
++	userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
+ ')
+ 
+ ########################################
+-- 
+1.8.3.1
+

backport-Change-transitions-for-.config-Yubico.patch

@@ -0,0 +1,95 @@
+From 099ea7b7bd113cac657f98d406c77839cce98859 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 25 Aug 2020 16:33:38 +0200
+Subject: [PATCH] Change transitions for ~/.config/Yubico
+
+Created the auth_filetrans_auth_home_content() interface which is used
+to allow the filename transition in gnome config directory for the
+login_pgm and userdomain attributes.
+
+This commit reverts the transitions introduced in
+commit 1363710b88904f29915e39335fef0dfb673a0f70.
+
+Signed-off-by: lujie42 <572084868@qq.com>
+---
+ policy/modules/system/authlogin.if  | 23 +++++++++++++++++++++--
+ policy/modules/system/authlogin.te  |  1 +
+ policy/modules/system/userdomain.te |  2 ++
+ 3 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
+index 90ae5fe..ab68d31 100644
+--- a/policy/modules/system/authlogin.if
++++ b/policy/modules/system/authlogin.if
+@@ -2313,7 +2313,6 @@ interface(`auth_filetrans_admin_home_content',`
+ 	userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+ 	userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+ 	userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
+-	userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
+ ')
+ 
+ 
+@@ -2378,7 +2377,27 @@ interface(`auth_filetrans_home_content',`
+ 	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
+ 	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+ 	userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
+-	userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".config/Yubico")
++')
++
++########################################
++## <summary>
++##	Create auth directory in the config home directory
++##	with a correct label.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`auth_filetrans_auth_home_content',`
++	gen_require(`
++		type auth_home_t;
++	')
++
++	optional_policy(`
++		gnome_config_filetrans($1, auth_home_t, dir, "Yubico")
++	')
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index f3870d3..068caed 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -603,6 +603,7 @@ manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t)
+ manage_files_pattern(login_pgm, auth_home_t, auth_home_t)
+ auth_filetrans_admin_home_content(login_pgm)
+ auth_filetrans_home_content(login_pgm)
++auth_filetrans_auth_home_content(login_pgm)
+ 
+ # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
+ kernel_search_network_sysctl(login_pgm)
+diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
+index 756ac4a..196bcc0 100644
+--- a/policy/modules/system/userdomain.te
++++ b/policy/modules/system/userdomain.te
+@@ -147,6 +147,7 @@ dontaudit unpriv_userdomain self:dir setattr;
+ allow unpriv_userdomain self:file manage_file_perms;
+ allow unpriv_userdomain self:key manage_key_perms;
+ 
++auth_filetrans_auth_home_content(userdomain)
+ 
+ files_dontaudit_manage_boot_files(unpriv_userdomain)
+ 
+@@ -289,6 +290,7 @@ userdom_user_home_dir_filetrans(userdom_filetrans_type, user_tmp_t, dir, "tmp")
+ 
+ optional_policy(`
+ 	gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates")
++	gnome_config_filetrans(userdom_filetrans_type, auth_home_t, dir, "Yubico")
+ 	#gnome_admin_home_gconf_filetrans(userdom_filetrans_type, home_bin_t, dir, "bin")
+ ')
+ 
+-- 
+1.8.3.1
+

selinux-policy.spec

@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 3.14.2
-Release: 75
+Release: 81
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/
 
@@ -110,12 +110,20 @@ Patch6035: backport-Create-chronyd_pid_filetrans-interface.patch
 Patch6036: backport-iptables.fc-Remove-duplicate-file-context-entries.patch
 Patch6037: backport-iptables.fc-Add-missing-legacy-entries.patch
 Patch6038: backport-iptables.fc-Add-missing-legacy-restore-and-legacy-sa.patch
+Patch6039: backport-Add-file-context-for-.config-Yubico.patch
+Patch6040: backport-Change-transitions-for-.config-Yubico.patch
+
+Patch9000: allow-httpd-to-put-files-in-httpd-config-dir.patch
+Patch9001: add-rule-for-hostnamed-to-rpmscript-dbus-chat.patch
 
 BuildArch: noarch
 BuildRequires:  python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc
 Requires(pre):  policycoreutils >= %{POLICYCOREUTILSVER}
 Requires(post): /bin/awk /usr/bin/sha512sum
 Requires: rpm-plugin-selinux
+Requires: selinux-policy-any = %{version}-%{release}
+Provides: selinux-policy-base = %{version}-%{release}
+Suggests: selinux-policy-targeted
 
 %description 
 SELinux Base package for SELinux Reference Policy - modular.
@@ -420,7 +428,7 @@ echo "
 #     enforcing - SELinux security policy is enforced.
 #     permissive - SELinux prints warnings instead of enforcing.
 #     disabled - No SELinux policy is loaded.
-SELINUX=disabled
+SELINUX=enforcing
 # SELINUXTYPE= can take one of these three values:
 #     targeted - Targeted processes are protected,
 #     minimum - Modification of targeted policy. Only selected processes are protected. 
@@ -488,6 +496,7 @@ exit 0
 
 %package devel
 Summary: SELinux policy devel
+Requires(pre): selinux-policy = %{version}-%{release}
 Requires: selinux-policy = %{version}-%{release} m4 checkpolicy >= %{CHECKPOLICYVER} /usr/bin/make
 Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}
 
@@ -527,7 +536,7 @@ Summary:   SELinux targeted base policy
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} coreutils selinux-policy = %{version}-%{release}
 Requires:  selinux-policy = %{version}-%{release}
 
-Provides:  selinux-policy-base = %{version}-%{release}
+Provides: selinux-policy-any = %{version}-%{release}
 Obsoletes: selinux-policy-targeted-sources < 2
 Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
 Obsoletes: cachefilesd-selinux <= 0.10-1
@@ -612,7 +621,7 @@ Requires(pre):  coreutils selinux-policy = %{version}-%{release}
 Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
 Requires: selinux-policy = %{version}-%{release}
 
-Provides:  selinux-policy-base = %{version}-%{release}
+Provides: selinux-policy-any = %{version}-%{release}
 Conflicts: seedit
 Conflicts: container-selinux <= 1.9.0-9
 
@@ -711,9 +720,9 @@ exit 0
 %package mls 
 Summary: SELinux mls base policy
 Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd selinux-policy = %{version}-%{release}
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} coreutils
+Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} coreutils selinux-policy = %{version}-%{release}
 
-Provides:  selinux-policy-base = %{version}-%{release}
+Provides: selinux-policy-any = %{version}-%{release}
 Obsoletes: selinux-policy-mls-sources < 2
 Conflicts: seedit
 Conflicts: container-selinux <= 1.9.0-9
@@ -775,6 +784,24 @@ exit 0
 %endif
 
 %changelog
+* Tue Nov 7 2023 jinlun<jinlun@huawei.com> - 3.14.2-81
+- enforcing selinux
+
+* Thu Dec 29 2022 lixiao<lixiaoemail2017@163.com> - 3.14.2-80
+- add rule for hostnamed to rpmscript dbus chat
+
+* Sat Dec 24 2022 lixiao<lixiaoemail2017@163.com> - 3.14.2-79
+- add the dependency between packages
+
+* Fri Dec 23 2022 lixiao<lixiaoemail2017@163.com> - 3.14.2-78
+- add weak dep of selinux-policy-targeted
+
+* Sat Jun 25 2022 luhuaxin <luhuaxin1@huawei.com> - 3.14.2-77
+- allow httpd create files in /etc/httpd
+
+* Sat Dec 25 2021 gaoyusong <gaoyusong1@huawei.com> - 3.14.2-76
+- Fix CVE-2020-24612
+
 * Thu Jun 17 2021 luhuaxin <1539327763@qq.com> - 3.14.2-75
 - iptables.fc: Add missing legacy-restore and legacy-save entries