Release 8.0.0

aosedge · Sep 10, 2024 · 7b7c615 · 7b7c615
2 parents 9956821 + a26487d
commit 7b7c615
Show file tree

Hide file tree

Showing 6 changed files with 91 additions and 18 deletions.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -3,21 +3,27 @@ name: Build tests
 on: [push, pull_request]
 
 env:
-  # Minimum userspace version to build refpolicy.
-  SELINUX_USERSPACE_VERSION: checkpolicy-3.1
+  # Minimum versions to build refpolicy.
+  PYTHON_VERSION: "3.10"
+  SELINUX_USERSPACE_VERSION: checkpolicy-3.2
+  USERSPACE_SRC: "selinux-src"
+  # branch for sechecker
+  SECHECKER_VERSION: "4.4"
+  SETOOLS_SRC: "setools-src"
 
 jobs:
   lint:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     # This version should be the minimum required to run the fc checker
+    # or the standard Python version on Ubuntu.
     - name: Set up Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
-        python-version: 3.7
+        python-version: "${{env.PYTHON_VERSION}}"
 
     - name: Install dependencies
       run: |
@@ -56,7 +62,7 @@ jobs:
         selint --source --recursive --summary --fail --disable C-005 --disable C-008 --disable W-005 policy
 
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
 
     strategy:
       fail-fast: false
@@ -119,13 +125,29 @@ jobs:
           - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y}
 
     steps:
-    - uses: actions/checkout@v3
+    - name: Checkout Reference Policy
+      uses: actions/checkout@v4
+
+    - name: Checkout SELinux userspace tools and libs
+      uses: actions/checkout@v4
+      with:
+        repository: SELinuxProject/selinux
+        ref: "${{env.SELINUX_USERSPACE_VERSION}}"
+        path: "${{env.USERSPACE_SRC}}"
+
+    - name: Checkout setools
+      uses: actions/checkout@v4
+      with:
+        repository: SELinuxProject/setools
+        ref: "${{env.SECHECKER_VERSION}}"
+        path: "${{env.SETOOLS_SRC}}"
 
     # This should be the minimum required Python version to build refpolicy.
+    # or the standard Python version on Ubuntu.
     - name: Set up Python
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
-        python-version: 3.5
+        python-version: "${{env.PYTHON_VERSION}}"
 
     - name: Install dependencies
       run: |
@@ -144,7 +166,6 @@ jobs:
       run: |
         echo "DESTDIR=/tmp/refpolicy" >> $GITHUB_ENV
         echo "PYTHON=python" >> $GITHUB_ENV
-        echo "TEST_TOOLCHAIN_SRC=/tmp/selinux-src" >> $GITHUB_ENV
         echo "TEST_TOOLCHAIN=/tmp/selinux" >> $GITHUB_ENV
         echo "TYPE=${{matrix.build-opts.type}}" >> $GITHUB_ENV
         echo "DISTRO=${{matrix.build-opts.distro}}" >> $GITHUB_ENV
@@ -153,21 +174,25 @@ jobs:
         echo "APPS_OFF=${{matrix.build-opts.apps-off}}" >> $GITHUB_ENV
         echo "DIRECT_INITRC=${{matrix.build-opts.direct_initrc}}" >> $GITHUB_ENV
         echo "WERROR=y" >> $GITHUB_ENV
+        echo "CFLAGS=\"-O2\"" >> $GITHUB_ENV
 
     - name: Build toolchain
       run: |
-        # Download current SELinux userspace tools and libraries
-        git clone https://github.com/SELinuxProject/selinux.git ${TEST_TOOLCHAIN_SRC} -b ${SELINUX_USERSPACE_VERSION}
         # Drop secilc to break xmlto dependence (secilc isn't used here anyway)
-        sed -i -e 's/secilc//' ${TEST_TOOLCHAIN_SRC}/Makefile
+        sed -i -e 's/secilc//' ${USERSPACE_SRC}/Makefile
         # Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
-        sed -i -e 's/sepolicy//' ${TEST_TOOLCHAIN_SRC}/policycoreutils/Makefile
+        sed -i -e 's/sepolicy//' ${USERSPACE_SRC}/policycoreutils/Makefile
         # Drop restorecond to break glib dependence
-        sed -i -e 's/ restorecond//' ${TEST_TOOLCHAIN_SRC}/policycoreutils/Makefile
+        sed -i -e 's/ restorecond//' ${USERSPACE_SRC}/policycoreutils/Makefile
         # Drop sandbox to break libcap-ng dependence
-        sed -i -e 's/ sandbox//' ${TEST_TOOLCHAIN_SRC}/policycoreutils/Makefile
+        sed -i -e 's/ sandbox//' ${USERSPACE_SRC}/policycoreutils/Makefile
         # Compile and install SELinux toolchain
-        make OPT_SUBDIRS=semodule-utils DESTDIR=${TEST_TOOLCHAIN} -C ${TEST_TOOLCHAIN_SRC} install
+        make OPT_SUBDIRS=semodule-utils DESTDIR=${TEST_TOOLCHAIN} -C ${USERSPACE_SRC} install
+
+    - name: Build setools
+      run: |
+        cd ${SETOOLS_SRC}
+        pip install .
 
     - name: Build refpolicy
       run: |

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
@@ -713,6 +713,24 @@ interface(`fs_manage_bpf_files',`
 	manage_files_pattern($1, bpf_t, bpf_t)
 ')
 
+########################################
+## <summary>
+##	Manage bpf directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_bpf_dirs',`
+	gen_require(`
+		type bpf_t;
+	')
+
+	manage_dirs_pattern($1, bpf_t, bpf_t)
+')
+
 ########################################
 ## <summary>
 ##	Mount cgroup filesystems.

diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
@@ -148,6 +148,24 @@ interface(`term_mount_devpts',`
 	allow $1 devpts_t:filesystem mount;
 ')
 
+########################################
+## <summary>
+##	remount a devpts_t filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process to remount it
+##	</summary>
+## </param>
+#
+interface(`term_remount_devpts',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	allow $1 devpts_t:filesystem remount;
+')
+
 ########################################
 ## <summary>
 ##	Create directory /dev/pts.

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
@@ -751,6 +751,8 @@ kernel_read_vm_overcommit_sysctl(container_engine_t)
 
 kernel_search_vm_sysctl(container_engine_t)
 
+term_remount_devpts(container_engine_t)
+
 ifdef(`init_systemd',`
 	# needed by runc, which is also invoked by other engines
 	init_run_bpf(container_engine_domain)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
@@ -220,6 +220,15 @@ userdom_use_inherited_user_terminals(lvm_t)
 
 manage_aos_sem(lvm_t)
 
+files_allow_manage_var_files(lvm_t)
+files_manage_var_dirs(lvm_t)
+fs_search_cgroup_dirs(lvm_t)
+
+miscfiles_manage_generic_cert_dirs(lvm_t)
+fs_manage_bpf_dirs(lvm_t)
+init_search_keys(lvm_t)
+miscfiles_manage_generic_cert_files(lvm_t)
+
 ifdef(`init_systemd',`
 	init_rw_stream_sockets(lvm_t)
 

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
@@ -332,6 +332,7 @@ kernel_search_network_sysctl(ifconfig_t)
 kernel_rw_net_sysctls(ifconfig_t)
 
 corenet_rw_tun_tap_dev(ifconfig_t)
+corecmd_exec_bin(ifconfig_t)
 
 dev_read_sysfs(ifconfig_t)
 dev_dontaudit_rw_cardmgr(ifconfig_t)