From 7238b3d6e7fe937ab99a1cf6fdb37889d53c256d Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 17 2020 18:33:42 +0000
Subject: import osbuild-18-3.el8
---
diff --git a/SOURCES/selinux-allow-nnp-and-nosuid-transitions.patch b/SOURCES/selinux-allow-nnp-and-nosuid-transitions.patch
new file mode 100644
index 0000000..cda2234
--- /dev/null
+++ b/SOURCES/selinux-allow-nnp-and-nosuid-transitions.patch
@@ -0,0 +1,82 @@
+From 3c556c3386ffc2e4f722d90a723d9e97e9b72a66 Mon Sep 17 00:00:00 2001
+From: Christian Kellner
+Date: Sun, 9 Aug 2020 13:09:06 +0200
+Subject: [PATCH] selinux: allow nnp and nosuid transitions
+
+Allow osbuild_t to no_new_privs (nnp) and nosuid domain transition
+into setfiles_mac_t and install_t. nnp is a inheritable per-thread
+flag (PR_SET_NO_NEW_PRIVS, see prctl(2)), whereby a promise is made
+by execve(2) to not grant any new privileges that could not have
+been done without the execv call. This is on contrast to what can
+be done via SELinux rules, i.e. in our case `setfiles_mac_t` and
+`install_t` can set arbitrary SELinux labels, but `osbuild_t`
+itself can not; but `osbuild_t` enables the transitioning of
+`setfiles_mac_t` for the `setfiles` binary via execve(2) from a
+process with `osbuild_t`. Related, the nosuid mount flag, prevents
+the suid, sgid bits to be interpreted and thus are in the same
+spirit as nnp, i.e. no new privs during execve(2).
+
+Thus SELinux domain transitions stand in contrast with nnp and
+nosuid transitions, and have therefore been de-coupled. See also
+the corresponding kernel patch at [1] for more information.
+
+bubblewrap (bwrap) in contrast to `systemd-nspawn` always sets the
+nnp flag, as well as the nosuid option for all bind-mounts. Since
+we no use bwrap to contain processes we need to allow the nnp and
+nosuid transitions from `osbuild_t` to `setfiles_mac_t` and
+`install_t`.
+
+[1] https://patchwork.kernel.org/patch/9841441/
+---
+ selinux/osbuild.if | 19 +++++++++++++++++++
+ selinux/osbuild.te | 2 ++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/selinux/osbuild.if b/selinux/osbuild.if
+index 815c691..48d099f 100644
+--- a/selinux/osbuild.if
++++ b/selinux/osbuild.if
+@@ -93,3 +93,22 @@ interface(`osbuild_role',`
+ ps_process_pattern($2, osbuild_t)
+ allow $2 osbuild_t:process { signull signal sigkill };
+ ')
++
++########################################
++##
++## osbuild nnp / nosuid transitions to domain
++##
++##
++##
++## Domain to be allowed to transition into.
++##
++##
++#
++interface(`osbuild_nnp_nosuid_trans',`
++ gen_require(`
++ type osbuild_t;
++ class process2 { nnp_transition nosuid_transition };
++ ')
++
++ allow osbuild_t $1:process2 {nnp_transition nosuid_transition};
++')
+diff --git a/selinux/osbuild.te b/selinux/osbuild.te
+index 1a5f98d..e4a0c7d 100644
+--- a/selinux/osbuild.te
++++ b/selinux/osbuild.te
+@@ -31,6 +31,7 @@ unconfined_domain(osbuild_t)
+ # execute setfiles in the setfiles_mac domain
+ # when in the osbuild_t domain
+ seutil_domtrans_setfiles_mac(osbuild_t)
++osbuild_nnp_nosuid_trans(setfiles_mac_t)
+
+ # Allow sysadm and unconfined to run osbuild
+ optional_policy(`
+@@ -63,4 +64,5 @@ optional_policy(`
+ # allow transitioning to install_t (for ostree)
+ optional_policy(`
+ anaconda_domtrans_install(osbuild_t)
++ osbuild_nnp_nosuid_trans(install_t)
+ ')
+--
+2.26.2
+
diff --git a/SPECS/osbuild.spec b/SPECS/osbuild.spec
index 52fe41e..aef3b68 100644
--- a/SPECS/osbuild.spec
+++ b/SPECS/osbuild.spec
@@ -9,13 +9,14 @@ Version: 18
 %global pkgdir %{_prefix}/lib/%{pypi_name}
 Name: %{pypi_name}
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: ASL 2.0
 URL: %{forgeurl}
 Source0: %{forgesource}
 Patch0: no-floats-in-sources.patch
+Patch1: selinux-allow-nnp-and-nosuid-transitions.patch
 BuildArch: noarch
 Summary: A build system for OS images
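Review bot: The rule `allow osbuild_t $1:process2 {nnp_transition nosuid_transition};` in the new `osbuild_nnp_nosuid_trans` interface is unconstrained in `$1`, so every future caller of the interface extends the no-new-privs/nosuid bypass to another domain, while the embedded commit message justifies it only for `setfiles_mac_t` and `install_t`, both described there as able to set arbitrary labels. I would state that scope in the interface's header comment so later callers get the same scrutiny, e.g. `##	Intended only for domains osbuild_t already domain-transitions into (setfiles_mac_t, install_t); each new caller widens the nnp/nosuid bypass.`. The `gen_require` also pins the `process2` class with these two permissions, so the module will presumably fail to load against a base policy that predates the kernel change cited at [1]; that is likely fine for the target release but is worth a sentence in the patch description. The `.if` and `.te` hunks quoted here are nested inside the new patch file, so the enclosing interface and the `optional_policy` block for `install_t` are only visible as the added lines show them.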
@@ -81,6 +82,7 @@ containers it uses to build OS artifacts.
 %prep
 %forgesetup
 %patch0 -p1
+%patch1 -p1
 %build
 %py3_build
@@ -174,6 +176,10 @@ fi
 %changelog
+* Thu Aug 13 2020 Christian Kellner - 18-3
+- Add patch to allow nnp and nosuid domain transitions
+ https://github.com/osbuild/osbuild/pull/495
+
 * Fri Jun 26 2020 Christian Kellner - 18-2
 - Add patch to not pass floats to curl in the files source
 https://github.com/osbuild/osbuild/pull/459