Merge branch 'various/20240807' into next

0xC0ncord · Aug 9, 2024 · 3869f1f · 3869f1f
2 parents ed36477 + 567b29f
commit 3869f1f
Show file tree

Hide file tree

Showing 8 changed files with 63 additions and 2 deletions.
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
@@ -732,6 +732,24 @@ interface(`fs_create_bpf_dirs',`
 	create_dirs_pattern($1, bpf_t, bpf_t)
 ')
 
+########################################
+## <summary>
+##	Manage bpf directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_bpf_dirs',`
+	gen_require(`
+		type bpf_t;
+	')
+
+	manage_dirs_pattern($1, bpf_t, bpf_t)
+')
+
 ########################################
 ## <summary>
 ##	Manage bpf files.

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
@@ -2885,6 +2885,24 @@ interface(`kernel_rw_unlabeled_dirs',`
 	allow $1 unlabeled_t:dir rw_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Create unlabeled directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_create_unlabeled_dirs',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:dir create_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Delete unlabeled directories.

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
@@ -30,6 +30,13 @@ gen_tunable(container_manage_public_content, false)
 ## </desc>
 gen_tunable(container_read_public_content, false)
 
+## <desc>
+##	<p>
+##	Allow containers to read generic certs.
+##	</p>
+## </desc>
+gen_tunable(container_read_generic_certs, false)
+
 ## <desc>
 ##	<p>
 ##	Allow super privileged containers to create NFS servers.
@@ -405,6 +412,10 @@ tunable_policy(`container_read_public_content',`
 	miscfiles_watch_public_dirs(container_domain)
 ')
 
+tunable_policy(`container_read_generic_certs',`
+	miscfiles_read_generic_certs(container_domain)
+')
+
 tunable_policy(`container_use_dri',`
 	dev_rw_dri(container_domain)
 ')
@@ -1041,7 +1052,7 @@ fs_mounton_cgroup(spc_t)
 fs_manage_cgroup_dirs(spc_t)
 fs_manage_cgroup_files(spc_t)
 fs_mount_bpf(spc_t)
-fs_create_bpf_dirs(spc_t)
+fs_manage_bpf_dirs(spc_t)
 fs_manage_bpf_files(spc_t)
 fs_manage_bpf_symlinks(spc_t)
 fs_mounton_fusefs(spc_t)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
@@ -300,7 +300,7 @@ optional_policy(`
 # Common session bus local policy
 #
 
-dontaudit session_bus_type self:capability sys_resource;
+dontaudit session_bus_type self:capability { net_admin sys_resource };
 allow session_bus_type self:process { getattr sigkill signal };
 dontaudit session_bus_type self:process { ptrace setrlimit };
 allow session_bus_type self:file rw_inherited_file_perms;

diff --git a/policy/modules/services/haproxy.te b/policy/modules/services/haproxy.te
@@ -91,6 +91,8 @@ corecmd_search_bin(haproxy_t)
 
 dev_dontaudit_read_sysfs(haproxy_t)
 
+domain_use_interactive_fds(haproxy_t)
+
 kernel_read_kernel_sysctls(haproxy_t)
 kernel_read_state(haproxy_t)
 kernel_read_system_state(haproxy_t)
@@ -102,6 +104,8 @@ miscfiles_read_localization(haproxy_t)
 
 logging_send_syslog_msg(haproxy_t)
 
+userdom_use_user_terminals(haproxy_t)
+
 can_exec(haproxy_t, haproxy_exec_t)
 
 tunable_policy(`haproxy_bind_all_tcp_ports',`

diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
@@ -311,6 +311,9 @@ kernel_rw_vm_overcommit_sysctl(kubelet_t)
 # haven't been relabeled yet (fsGroup)
 kernel_list_unlabeled(kubelet_t)
 kernel_setattr_all_unlabeled(kubelet_t)
+# create subPath mountpoints in a volume that
+# hasn't been relabeled yet
+kernel_create_unlabeled_dirs(kubelet_t)
 
 storage_getattr_fixed_disk_dev(kubelet_t)
 storage_dontaudit_read_fixed_disk(kubelet_t)

diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
@@ -93,6 +93,12 @@ ifdef(`init_systemd',`
 	# podman auto-update will restart the unit for
 	# the container when it is updated
 	container_start_units(podman_t)
+
+	# podman auto-update can restart containers created
+	# via quadlet as well, which are runtime units
+	init_get_runtime_units_status(podman_t)
+	init_start_runtime_units(podman_t)
+	init_stop_runtime_units(podman_t)
 ')
 
 ########################################

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
@@ -84,6 +84,7 @@ domain_use_interactive_fds(iptables_t)
 
 files_read_etc_files(iptables_t)
 files_read_etc_runtime_files(iptables_t)
+files_read_usr_files(iptables_t)
 
 auth_use_nsswitch(iptables_t)