From a703c3f69a8542263ea1d5db84de7358169b1d6b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Wed, 2 Oct 2024 15:27:37 +0200
Subject: [PATCH 1/8] Confine iio-sensor-proxy

Resolves: RHEL-17346
---
 policy/modules.conf | 7 ++++++
 policy/modules/contrib/iiosensorproxy.fc | 1 +
 policy/modules/contrib/iiosensorproxy.if | 2 ++
 policy/modules/contrib/iiosensorproxy.te | 31 ++++++++++++++++++++++++
 4 files changed, 41 insertions(+)
 create mode 100644 policy/modules/contrib/iiosensorproxy.fc
 create mode 100644 policy/modules/contrib/iiosensorproxy.if
 create mode 100644 policy/modules/contrib/iiosensorproxy.te

diff --git a/policy/modules.conf b/policy/modules.conf
index 2ca1fa51ac..05c57e6201 100644
--- a/policy/modules.conf
+++ b/policy/modules.conf
@@ -3120,3 +3120,10 @@ coreos_installer = module
 # bootupd - bootloader update daemon
 #
 bootupd = module
+
+# Layer: contrib
+# Module: iiosensorproxy
+#
+# Policy for iio-sensor-proxy - IIO sensors to D-Bus proxy
+#
+iiosensorproxy = module
diff --git a/policy/modules/contrib/iiosensorproxy.fc b/policy/modules/contrib/iiosensorproxy.fc
new file mode 100644
index 0000000000..c72c79a370
--- /dev/null
+++ b/policy/modules/contrib/iiosensorproxy.fc
@@ -0,0 +1 @@
+/usr/libexec/iio-sensor-proxy -- gen_context(system_u:object_r:iiosensorproxy_exec_t,s0)
diff --git a/policy/modules/contrib/iiosensorproxy.if b/policy/modules/contrib/iiosensorproxy.if
new file mode 100644
index 0000000000..ecece40e03
--- /dev/null
+++ b/policy/modules/contrib/iiosensorproxy.if
@@ -0,0 +1,2 @@
+## IIO sensors to D-Bus proxy
+
diff --git a/policy/modules/contrib/iiosensorproxy.te b/policy/modules/contrib/iiosensorproxy.te
new file mode 100644
index 0000000000..9bd2f5536c
--- /dev/null
+++ b/policy/modules/contrib/iiosensorproxy.te
@@ -0,0 +1,31 @@
+policy_module(iiosensorproxy, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type iiosensorproxy_t;
+type iiosensorproxy_exec_t;
+init_daemon_domain(iiosensorproxy_t, iiosensorproxy_exec_t)
+
+allow iiosensorproxy_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+dev_read_sysfs(iiosensorproxy_t)
+
+optional_policy(`
+ dbus_connect_system_bus(iiosensorproxy_t)
+ dbus_system_bus_client(iiosensorproxy_t)
+
+ optional_policy(`
+ policykit_dbus_chat(iiosensorproxy_t)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_chat(unconfined_t)
+ ')
+')
+
+optional_policy(`
+ udev_read_pid_files(iiosensorproxy_t)
+')
From 3f5fef1206c0ed030fb8b28fa698d6840504dace Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Fri, 4 Oct 2024 18:27:47 +0200
Subject: [PATCH 2/8] Label /dev/hfi1_[0-9]+ devices

Support for Cornelis Omni-Path Express Gen1 driver.

Resolves: RHEL-54996
---
 policy/modules/kernel/devices.fc | 1 +
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/kernel/devices.te | 6 ++++++
 3 files changed, 25 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 10172a0172..8851152e72 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -46,6 +46,7 @@
 /dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0)
 /dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/hfi1_[0-9]+ -c gen_context(system_u:object_r:hfi1_device_t,s0)
 /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 320b10ba64..1c73e2a9e8 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
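Review bot: `unconfined_dbus_chat(unconfined_t)` in the nested optional_policy block passes unconfined_t as the domain argument, so the resulting rule only lets unconfined_t send D-Bus messages to itself and grants the new iiosensorproxy_t domain nothing; presumably `unconfined_dbus_chat(iiosensorproxy_t)` was intended, which is what every other call in this file does with iiosensorproxy_t. Since iiosensorproxy.if exposes no interface, no confined caller (a desktop session, for instance) can be given `dbus send_msg` to the proxy either, which will surface as denials once a confined user domain talks to it; a small `iiosensorproxy_dbus_chat` interface would close that gap. `dev_read_sysfs(iiosensorproxy_t)` covers reading IIO attributes only; if the daemon also writes sysfs attributes to enable sensors, that is worth confirming in enforcing mode before the module ships.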
@@ -6681,6 +6681,24 @@ interface(`dev_rw_papr_sysparm',`
  rw_chr_files_pattern($1, device_t, papr_sysparm_device_t)
 ')
 
+########################################
+##
+## Allow read the hfi1_[0-9]+ devices
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_read_hfi1',`
+ gen_require(`
+ type device_t, hfi1_device_t;
+ ')
+
+ read_chr_files_pattern($1, device_t, hfi1_device_t)
+')
+
 ########################################
 ##
 ## Create all named devices with the correct label
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 390999270c..3fc17a0b3b 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -158,6 +158,12 @@ dev_node(gpfs_device_t)
 type gpio_device_t;
 dev_node(gpio_device_t)
 
+#
+# Type for /dev/hfi1_[0-9]+
+#
+type hfi1_device_t;
+dev_node(hfi1_device_t)
+
 #
 # Type for /dev/ipmi/0
 #
From ef9a9c12500ee7730c201a4968d9e996ce3c3b79 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Thu, 10 Oct 2024 16:14:41 +0200
Subject: [PATCH 3/8] Allow ptp4l the sys_admin capability

ptp4l uses the generic netlink socket to get information about virtual PTP clocks for checking whether a PHC not matching the physical NIC PHC is a virtual clock. Binding a generic netlink socket requires the sys_admin capability.

Resolves: RHEL-55133
---
 policy/modules/contrib/linuxptp.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/linuxptp.te b/policy/modules/contrib/linuxptp.te
index eddc98a8f6..6525fb75b1 100644
--- a/policy/modules/contrib/linuxptp.te
+++ b/policy/modules/contrib/linuxptp.te
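Review bot: The summary `## Allow read the hfi1_[0-9]+ devices` is ungrammatical and departs from the imperative form of the neighbouring interfaces ("Create all named devices with the correct label"); `## Read the hfi1 devices.` would match them. Only a read interface is introduced and nothing in this series calls it; if the Omni-Path userspace consumer needs ioctl or mmap on /dev/hfi1_N, as device nodes of this kind often do, a companion `dev_rw_hfi1` built on `rw_chr_files_pattern` will be required, so the expected access pattern should be confirmed against real denials before the consuming module is written. The devices.te hunk declaring hfi1_device_t with dev_node is consistent with the surrounding entries and raises nothing.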
@@ -159,7 +159,7 @@ allow ptp4l_t self:packet_socket create_socket_perms;
 allow ptp4l_t self:unix_stream_socket create_stream_socket_perms;
 allow ptp4l_t self:shm create_shm_perms;
 allow ptp4l_t self:udp_socket create_socket_perms;
-allow ptp4l_t self:capability { net_admin net_raw sys_time };
+allow ptp4l_t self:capability { net_admin net_raw sys_admin sys_time };
 allow ptp4l_t self:capability2 { bpf wake_alarm };
 allow ptp4l_t self:netlink_route_socket rw_netlink_socket_perms;
 
From e57e3870b42c278d72b958565f92f3686d751f51 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Fri, 26 Jul 2024 14:23:53 +0200
Subject: [PATCH 4/8] Update stalld policy for bpf usage

The new stalld version makes use of bpf programs to monitor run queues instead of parsing /sys/kernel/debug/sched/debug. For changing thread scheduling policies, CAP_SYS_RESOURCE is required.

Resolves: RHEL-57075
---
 policy/modules/contrib/stalld.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/stalld.te b/policy/modules/contrib/stalld.te
index a849bef298..7c2a0d6175 100644
--- a/policy/modules/contrib/stalld.te
+++ b/policy/modules/contrib/stalld.te
@@ -19,8 +19,9 @@ files_pid_file(stalld_var_run_t)
 #
 # stalld local policy
 #
-allow stalld_t self:capability sys_nice;
-allow stalld_t self:process { fork setsched };
+allow stalld_t self:bpf { map_create map_read map_write prog_load prog_run };
+allow stalld_t self:capability { sys_nice sys_resource };
+allow stalld_t self:process { fork setsched setrlimit };
 allow stalld_t self:fifo_file rw_fifo_file_perms;
 allow stalld_t self:unix_stream_socket create_stream_socket_perms;
 
From 9a0e39f853152c34e3a97e676cb457b02f63cfe2 Mon Sep 17 00:00:00 2001
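Review bot: The widened rule `allow ptp4l_t self:capability { net_admin net_raw sys_admin sys_time };` grants CAP_SYS_ADMIN, the broadest capability available, with no in-policy explanation; the rationale from the commit message belongs next to the rule, e.g. `# sys_admin: bind a generic netlink socket to look up virtual PTP clocks`. It is also worth re-checking the AVC that motivated this, because netlink binds are usually gated on net_admin, which ptp4l_t already holds, so sys_admin may be needed for a different operation than the description states. No `self:netlink_generic_socket` rule for ptp4l_t is visible in the hunk; if none exists elsewhere in linuxptp.te, the socket itself will still be denied regardless of the capability.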
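Review bot: The new `allow stalld_t self:bpf { map_create map_read map_write prog_load prog_run };` gives no hint of why a scheduling daemon now loads and runs BPF programs; the reasoning from the commit message should be kept in the policy as a comment above the rule, e.g. `# stalld monitors run queues with BPF programs instead of parsing /sys/kernel/debug/sched/debug`. The follow-up patch in this series supplies the capability2 { bpf perfmon } and /sys/fs/bpf access that this hunk lacks, so those are not raised here.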
From: Zdenek Pytela
Date: Fri, 9 Aug 2024 09:25:56 +0200
Subject: [PATCH 5/8] Additional updates stalld policy for bpf usage

It turned up the previous commit b677f7300fbc ("Update stalld policy for bpf usage") was incomplete and there are additional permissions and capabilities needed.

Resolves: RHEL-57075
---
 policy/modules/contrib/stalld.te | 4 ++++
 policy/modules/kernel/filesystem.if | 20 ++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/policy/modules/contrib/stalld.te b/policy/modules/contrib/stalld.te
index 7c2a0d6175..a1836d04cd 100644
--- a/policy/modules/contrib/stalld.te
+++ b/policy/modules/contrib/stalld.te
@@ -21,8 +21,10 @@ files_pid_file(stalld_var_run_t)
 #
 allow stalld_t self:bpf { map_create map_read map_write prog_load prog_run };
 allow stalld_t self:capability { sys_nice sys_resource };
+allow stalld_t self:capability2 { bpf perfmon };
 allow stalld_t self:process { fork setsched setrlimit };
 allow stalld_t self:fifo_file rw_fifo_file_perms;
+allow stalld_t self:process setrlimit;
 allow stalld_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_dirs_pattern(stalld_t, stalld_var_run_t, stalld_var_run_t)
@@ -44,6 +46,8 @@ domain_use_interactive_fds(stalld_t)
 
 files_read_etc_files(stalld_t)
 
+fs_list_bpf_dirs(stalld_t)
+
 selinux_read_security_files(stalld_t)
 
 logging_send_syslog_msg(stalld_t)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 9d7adfb510..374dfbe47a 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
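Review bot: The added `allow stalld_t self:process setrlimit;` is redundant: the context line `allow stalld_t self:process { fork setsched setrlimit };` two lines above it already carries setrlimit, so the new line should be dropped. A short comment on the new `allow stalld_t self:capability2 { bpf perfmon };`, e.g. `# bpf/perfmon: load the BPF programs that monitor run queues`, would record why these capabilities are granted. The second hunk's `fs_list_bpf_dirs(stalld_t)` raises nothing.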
@@ -599,6 +599,26 @@ interface(`fs_register_binary_executable_type',`
  rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t)
 ')
 
+########################################
+##
+## List bpf directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_list_bpf_dirs',`
+ gen_require(`
+ type bpf_t;
+ ')
+
+ list_dirs_pattern($1, bpf_t, bpf_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+')
+
 ########################################
 ##
 ## Manage bpf directories.
From e6c33f243f7b68259ff07d4bbbbe7cf01379827f Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Mon, 5 Aug 2024 17:41:34 +0200
Subject: [PATCH 6/8] Allow boothd connect to systemd-userdbd over a unix socket

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(2.7.2024 15:31:59.064:1036) : proctitle=boothd daemon -c /etc/booth/booth.conf
type=AVC msg=audit(07/02/24 15:31:59.064:1036) : avc: denied { read } for pid=13949 comm=boothd name=userdb dev="tmpfs" ino=47 scontext=system_u:system_r:boothd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(07/02/24 15:31:59.064:1036) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fe048ca39cf a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=13894 pid=13949 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=boothd exe=/usr/sbin/boothd subj=system_u:system_r:boothd_t:s0 key=(null)

Resolves: RHEL-57104
---
 policy/modules/contrib/boothd.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/boothd.te b/policy/modules/contrib/boothd.te
index 6f22df4cbf..143ab84774 100644
--- a/policy/modules/contrib/boothd.te
+++ b/policy/modules/contrib/boothd.te
@@ -76,6 +76,10 @@ optional_policy(`
  rhcs_stream_connect_cluster(boothd_t)
 ')
 
+optional_policy(`
+ systemd_userdbd_stream_connect(boothd_t)
+')
+
 optional_policy(`
  sysnet_read_config(boothd_t)
 ')
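Review bot: The AVC quoted in the description is a `read` on the `userdb` directory (tclass=dir, tcontext systemd_userdbd_runtime_t), not a connect on the socket, so `systemd_userdbd_stream_connect(boothd_t)` resolves it only if that interface also grants list access to systemd_userdbd_runtime_t directories alongside its stream_connect_pattern; worth confirming in systemd.if, otherwise the directory read will still be denied. Wrapping the call in optional_policy matches the neighbouring blocks. The case where the socket is still labelled kernel_t is handled by the next patch in the series.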
From 9250990ca159562ab3b1e8b09e2c822c3a8fdd5b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Tue, 10 Sep 2024 11:54:14 +0200
Subject: [PATCH 7/8] Allow boothd connect to kernel over a unix socket

It actually allows boothd connect to systemd-userdbd over a unix socket when the socket is still labeled as kernel_t.

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(09/09/2024 15:21:42.512:2513) : proctitle=/usr/sbin/boothd daemon -S -c /etc/booth/booth.conf
type=PATH msg=audit(09/09/2024 15:21:42.512:2513) : item=0 name=/run/systemd/userdb/io.systemd.DynamicUser inode=43 dev=00:1b mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_userdbd_runtime_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SOCKADDR msg=audit(09/09/2024 15:21:42.512:2513) : saddr={ saddr_fam=local path=/run/systemd/userdb/io.systemd.DynamicUser }
type=SYSCALL msg=audit(09/09/2024 15:21:42.512:2513) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x4 a1=0x7fff90ca7ec0 a2=0x2d a3=0x55fe78f35430 items=1 ppid=1 pid=61596 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=boothd exe=/usr/sbin/boothd subj=system_u:system_r:boothd_t:s0 key=(null)
type=AVC msg=audit(09/09/2024 15:21:42.512:2513) : avc: denied { connectto } for pid=61596 comm=boothd path=/systemd/userdb/io.systemd.DynamicUser scontext=system_u:system_r:boothd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0

Resolves: RHEL-57104
---
 policy/modules/contrib/boothd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/boothd.te b/policy/modules/contrib/boothd.te
index 143ab84774..f32aa1e262 100644
--- a/policy/modules/contrib/boothd.te
+++ b/policy/modules/contrib/boothd.te
@@ -43,6 +43,7 @@ files_pid_filetrans(boothd_t, boothd_var_run_t, { dir file} )
 manage_dirs_pattern(boothd_t, boothd_var_lib_t, boothd_var_lib_t)
 
 kernel_dgram_send(boothd_t)
+kernel_stream_connect(boothd_t)
 
 corecmd_exec_bin(boothd_t)
 corecmd_exec_shell(boothd_t)
From 1adc754e53f3e0bf60830b93db2f153e76a8e6b3 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Tue, 23 Jul 2024 13:26:44 +0200
Subject: [PATCH 8/8] Label /run/modprobe.d with modules_conf_t

Resolves: RHEL-61453
---
 policy/modules/system/modutils.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
index 69b9bd160b..501722d681 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@@ -34,5 +34,6 @@ ifdef(`distro_gentoo',`
 
 /usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
 
+/var/run/modprobe\.d(/.*)? gen_context(system_u:object_r:modules_conf_t,s0)
 /var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:kmod_var_run_t,s0)
 /var/run/tmpfiles.d/static-nodes.conf -- gen_context(system_u:object_r:kmod_var_run_t,s0)
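Review bot: `kernel_stream_connect(boothd_t)` is a wider grant than the problem needs: it allows connectto on kernel_t unix stream sockets in general, while the description shows the goal is a single systemd-userdbd socket that still carries kernel_t when boothd connects, i.e. a labelling gap rather than a permission boothd requires by design. That reasoning should be recorded next to the rule, e.g. `# systemd-userdbd socket may still be labeled kernel_t (RHEL-57104)`, so the rule can be revisited once the socket is labelled correctly. Without the comment, the next reader will take kernel_t socket access as an intended part of boothd's footprint.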
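Review bot: The new `/var/run/modprobe\.d(/.*)?` entry only takes effect when the path is labelled, e.g. by restorecon; a modprobe.d directory created at runtime under /run inherits var_run_t from its parent unless the creating domain has a transition such as `files_pid_filetrans(DOMAIN, modules_conf_t, dir, "modprobe.d")` (DOMAIN standing for whichever domain creates it), so that component should be identified and a transition added if needed. Labelling a tmpfs path as modules_conf_t also means any domain already allowed to write modules_conf_t can place module options where kmod reads them from /run, the same trust currently extended to /etc/modprobe.d; that is presumably intended but worth stating in the commit message.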