Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package himmelblau for openSUSE:Factory checked in at 2026-03-12 22:21:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/himmelblau (Old) and /work/SRC/openSUSE:Factory/.himmelblau.new.8177 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "himmelblau" Thu Mar 12 22:21:08 2026 rev:45 rq:1338390 version:2.3.8+git0.dec3693 Changes: -------- --- /work/SRC/openSUSE:Factory/himmelblau/himmelblau.changes 2026-03-07 20:14:51.848113324 +0100 +++ /work/SRC/openSUSE:Factory/.himmelblau.new.8177/himmelblau.changes 2026-03-12 22:24:58.012863954 +0100 @@ -1,0 +2,22 @@ +Wed Mar 11 16:20:00 UTC 2026 - David Mulder <[email protected]> + +- Fix SELinux module packaging to use standard policy macros (bsc#1258236): + * Build and install precompiled himmelblaud.pp at package build time + * Replace custom semodule scriptlets with %selinux_modules_install/uninstall + +------------------------------------------------------------------- +Wed Mar 11 15:31:54 UTC 2026 - David Mulder <[email protected]> + +- Update to version 2.3.8+git0.dec3693 (CVE-2026-31979): + * Version 2.3.8 + * Add PrivateTmp back to Tasks Daemon + * Drop dead code + * Drop krb5 ccache dir code + * Add a TODO comment + * Drop non working packaged krb5 snippet file + * Write kerberos config snippet + * Extend resolver interface to return kerberos config together with TGTs + * Backport SELinux fixes from main + * Use libkrimes to store TGTs + +------------------------------------------------------------------- Old: ---- himmelblau-2.3.7+git0.81088cd.tar.bz2 New: ---- himmelblau-2.3.8+git0.dec3693.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ himmelblau.spec ++++++ --- /var/tmp/diff_new_pack.r7Ggkz/_old 2026-03-12 22:25:06.689222669 +0100 +++ /var/tmp/diff_new_pack.r7Ggkz/_new 2026-03-12 22:25:06.693222835 +0100 @@ -30,7 +30,7 @@ %endif Name: himmelblau -Version: 2.3.7+git0.81088cd +Version: 2.3.8+git0.dec3693 Release: 0 Summary: Interoperability suite for Microsoft Azure Entra Id License: GPL-3.0-or-later @@ -166,6 +166,11 @@ export HIMMELBLAU_ALLOW_MISSING_SELINUX=1 %endif %{cargo_build} --workspace --exclude himmelblau-fuzz +%if 0%{?suse_version} >= 1600 +pushd src/selinux/src +make -f %{_selinux_sharedir}/devel/Makefile NAME=himmelblaud +popd +%endif %if !0%{?suse_version} make authselect %endif @@ -217,7 +222,6 @@ strip --strip-unneeded target/release/broker strip --strip-unneeded target/release/aad-tool install -m 0644 src/config/himmelblau.conf.example %{buildroot}/%{_sysconfdir}/himmelblau/himmelblau.conf -install -m 0644 src/config/krb5_himmelblau.conf %{buildroot}/%{_sysconfdir}/krb5.conf.d/ install -m 0644 src/config/gdm3_service_override.conf %{buildroot}/%{_unitdir}/display-manager.service.d/override.conf install -m 0755 target/release/aad-tool %{buildroot}/%{_bindir}/ install -m 0644 platform/opensuse/himmelblaud-tasks.service %{buildroot}/%{_unitdir}/ @@ -237,6 +241,7 @@ %if 0%{?suse_version} >= 1600 install -D -d -m 0755 %{buildroot}/%{_selinux_pkgdir}/himmelblaud install -D -d -m 0755 %{buildroot}/%{_selinux_docdir} +install -m 0644 src/selinux/src/himmelblaud.pp %{buildroot}/%{_selinux_pkgdir}/himmelblaud.pp install -m 0644 src/selinux/src/himmelblaud.te %{buildroot}/%{_selinux_pkgdir}/himmelblaud/himmelblaud.te install -m 0644 src/selinux/src/himmelblaud.fc %{buildroot}/%{_selinux_pkgdir}/himmelblaud/himmelblaud.fc %endif @@ -478,11 +483,9 @@ %postun %service_del_postun himmelblaud.service himmelblaud-tasks.service -if [ "$1" -eq 0 ]; then - if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then - semodule -r himmelblaud || : - fi -fi +%if 0%{?suse_version} >= 1600 +%selinux_modules_uninstall himmelblaud +%endif %pre %service_add_pre himmelblaud.service himmelblaud-tasks.service @@ -491,32 +494,12 @@ %service_del_preun himmelblaud.service himmelblaud-tasks.service %posttrans -SELINUX_SRC_DIR="/usr/share/selinux/packages/himmelblaud" -SELINUX_MAKEFILE="/usr/share/selinux/devel/Makefile" - -if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then - # Check if SELinux development tools are available - if [ ! -f "$SELINUX_MAKEFILE" ]; then - echo "Warning: SELinux development Makefile not found at $SELINUX_MAKEFILE" - echo "Please install selinux-policy-devel and re-run this script" - exit 0 - fi - - # Compile the policy module from source - if [ -d "$SELINUX_SRC_DIR" ]; then - echo "Compiling SELinux policy module..." - cd "$SELINUX_SRC_DIR" - if make -f "$SELINUX_MAKEFILE" himmelblaud.pp; then - echo "Installing SELinux policy module..." - if semodule -i himmelblaud.pp; then - # Clean up compiled files (keep source for potential recompilation) - rm -f himmelblaud.pp tmp/*.* 2>/dev/null || : - rmdir tmp 2>/dev/null || : +%if 0%{?suse_version} >= 1600 +%selinux_modules_install %{_selinux_pkgdir}/himmelblaud.pp - # Relabel installed binaries +if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled && command -v restorecon >/dev/null 2>&1; then restorecon -Fv /usr/sbin/himmelblaud /usr/sbin/himmelblaud_tasks 2>/dev/null || : - # Relabel existing dirs (may not exist on fresh install) [ -d /etc/himmelblau ] && restorecon -RFv /etc/himmelblau || : [ -d /run/himmelblaud ] && restorecon -RFv /run/himmelblaud || : [ -d /var/run/himmelblaud ] && restorecon -RFv /var/run/himmelblaud || : @@ -525,18 +508,8 @@ [ -d /var/cache/nss-himmelblau ] && restorecon -RFv /var/cache/nss-himmelblau || : [ -d /var/lib/private/himmelblaud ] && restorecon -RFv /var/lib/private/himmelblaud || : [ -d /var/lib/himmelblaud ] && restorecon -RFv /var/lib/himmelblaud || : - - echo "SELinux policy module installed successfully" - else - echo "Warning: Failed to install SELinux policy module" - fi - else - echo "Warning: Failed to compile SELinux policy module" - fi - else - echo "Warning: SELinux source directory not found at $SELINUX_SRC_DIR" - fi fi +%endif %post -n himmelblau-sshd-config # Comment out the `KbdInteractiveAuthentication no` line if present @@ -578,7 +551,6 @@ %dir %{_unitdir}/display-manager.service.d %dir %{_datadir}/doc/himmelblau %config(noreplace) %{_sysconfdir}/himmelblau/himmelblau.conf -%config %{_sysconfdir}/krb5.conf.d/krb5_himmelblau.conf %{_unitdir}/display-manager.service.d/override.conf %{_bindir}/aad-tool %{_unitdir}/himmelblaud-tasks.service @@ -600,6 +572,7 @@ %dir %{_selinux_docdir} %dir %{_selinux_pkgdir} %dir %{_selinux_pkgdir}/himmelblaud +%{_selinux_pkgdir}/himmelblaud.pp %{_selinux_pkgdir}/himmelblaud/himmelblaud.te %{_selinux_pkgdir}/himmelblaud/himmelblaud.fc %endif ++++++ _service ++++++ --- /var/tmp/diff_new_pack.r7Ggkz/_old 2026-03-12 22:25:06.737224654 +0100 +++ /var/tmp/diff_new_pack.r7Ggkz/_new 2026-03-12 22:25:06.741224819 +0100 @@ -2,7 +2,7 @@ <service name="tar_scm" mode="manual"> <param name="url">https://github.com/himmelblau-idm/himmelblau.git</param> <param name="scm">git</param> - <param name="revision">2.3.7</param> + <param name="revision">2.3.8</param> <param name="versionformat">@PARENT_TAG@+git@TAG_OFFSET@.%h</param> <param name="versionrewrite-pattern">himmelblau-(.*)</param> <param name="versionrewrite-replacement">\1</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.r7Ggkz/_old 2026-03-12 22:25:06.773226142 +0100 +++ /var/tmp/diff_new_pack.r7Ggkz/_new 2026-03-12 22:25:06.777226308 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/himmelblau-idm/himmelblau.git</param> - <param name="changesrevision">81088cdec49a6ecedde520419466999280ae8f26</param></service></servicedata> + <param name="changesrevision">dec3693cbb151b4686b0d926b95379c71f391b1a</param></service></servicedata> (No newline at EOF) ++++++ himmelblau-2.3.7+git0.81088cd.tar.bz2 -> himmelblau-2.3.8+git0.dec3693.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/himmelblau-2.3.7+git0.81088cd/Cargo.lock new/himmelblau-2.3.8+git0.dec3693/Cargo.lock --- old/himmelblau-2.3.7+git0.81088cd/Cargo.lock 2026-03-04 23:22:49.000000000 +0100 +++ new/himmelblau-2.3.8+git0.dec3693/Cargo.lock 2026-03-11 00:55:58.000000000 +0100 @@ -4,7 +4,7 @@ [[package]] name = "aad-tool" -version = "2.3.7" +version = "2.3.8" dependencies = [ "anyhow", "broker-client", @@ -686,7 +686,7 @@ [[package]] name = "broker" -version = "2.3.7" +version = "2.3.8" dependencies = [ "dbus", "himmelblau_unix_common", @@ -697,7 +697,7 @@ [[package]] name = "broker-client" -version = "2.3.7" +version = "2.3.8" dependencies = [ "serde_json", "zbus", @@ -1968,7 +1968,7 @@ [[package]] name = "himmelblau-fuzz" -version = "2.3.7" +version = "2.3.8" dependencies = [ "arbitrary", "himmelblau_unix_common", @@ -1980,7 +1980,7 @@ [[package]] name = "himmelblau_policies" -version = "2.3.7" +version = "2.3.8" dependencies = [ "anyhow", "async-trait", @@ -2002,7 +2002,7 @@ [[package]] name = "himmelblau_unix_common" -version = "2.3.7" +version = "2.3.8" dependencies = [ "anyhow", "async-trait", @@ -2022,6 +2022,7 @@ "kanidm_utils_users", "libc", "libhimmelblau", + "libkrimes", "lru", "os-release", "pem", @@ -2043,7 +2044,7 @@ [[package]] name = "himmelblaud" -version = "2.3.7" +version = "2.3.8" dependencies = [ "async-trait", "base64 0.22.1", @@ -2060,6 +2061,7 @@ "kanidm_utils_users", "libc", "libhimmelblau", + "libkrimes", "notify-debouncer-full", "sd-notify", "serde", @@ -2430,7 +2432,7 @@ [[package]] name = "idmap" -version = "2.3.7" +version = "2.3.8" dependencies = [ "bindgen 0.72.1", "cc", @@ -3176,7 +3178,7 @@ [[package]] name = "nss_himmelblau" -version = "2.3.7" +version = "2.3.8" dependencies = [ "himmelblau_unix_common", "lazy_static", @@ -3282,7 +3284,7 @@ [[package]] name = "o365" -version = "2.3.7" +version = "2.3.8" dependencies = [ "anyhow", "reqwest 0.12.24", @@ -3501,7 +3503,7 @@ [[package]] name = "pam_himmelblau" -version = "2.3.7" +version = "2.3.8" dependencies = [ "himmelblau_unix_common", "libc", @@ -3984,7 +3986,7 @@ [[package]] name = "qr-greeter" -version = "2.3.7" +version = "2.3.8" [[package]] name = "quinn" @@ -4586,7 +4588,7 @@ [[package]] name = "selinux" -version = "2.3.7" +version = "2.3.8" [[package]] name = "semver" @@ -4872,7 +4874,7 @@ [[package]] name = "sshd-config" -version = "2.3.7" +version = "2.3.8" [[package]] name = "sshkey-attest" @@ -4883,7 +4885,7 @@ [[package]] name = "sso" -version = "2.3.7" +version = "2.3.8" dependencies = [ "broker-client", "clap", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/himmelblau-2.3.7+git0.81088cd/Cargo.toml new/himmelblau-2.3.8+git0.dec3693/Cargo.toml --- old/himmelblau-2.3.7+git0.81088cd/Cargo.toml 2026-03-04 23:22:49.000000000 +0100 +++ new/himmelblau-2.3.8+git0.dec3693/Cargo.toml 2026-03-11 00:55:58.000000000 +0100 @@ -33,7 +33,7 @@ picky-krb = { path = "src/picky-krb" } [workspace.package] -version = "2.3.7" +version = "2.3.8" authors = [ "David Mulder <[email protected]>" ] @@ -72,6 +72,7 @@ rustls = ">=0.23.19" # CVE-2024-11738 console-subscriber = "0.5.0" broker-client = { path = "src/broker-client" } +libkrimes = { version = "0.1.0", features = ["keyring"] } # Kanidm deps argon2 = { version = "0.5.2", features = ["alloc"] } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/himmelblau-2.3.7+git0.81088cd/scripts/gen_servicefiles.py new/himmelblau-2.3.8+git0.dec3693/scripts/gen_servicefiles.py --- old/himmelblau-2.3.7+git0.81088cd/scripts/gen_servicefiles.py 2026-03-04 23:22:49.000000000 +0100 +++ new/himmelblau-2.3.8+git0.dec3693/scripts/gen_servicefiles.py 2026-03-11 00:55:58.000000000 +0100 @@ -283,11 +283,12 @@ RestartSec=1s CacheDirectory=nss-himmelblau -CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH +CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_SETUID CAP_SETGID +AmbientCapabilities=CAP_SETUID CAP_SETGID # SystemCallFilter=@aio @basic-io @chown @file-system @io-event @network-io @sync { 'ProtectSystem=strict' if supported('ProtectSystemStrict') else '' } {rw_line} -{os.linesep.join([h for h in tasks_hardening if not h.startswith('ProtectSystem=') and not h.startswith('PrivateTmp=')])} +{os.linesep.join([h for h in tasks_hardening if not h.startswith('ProtectSystem=')])} {tasks_private_devices} [Install] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/himmelblau-2.3.7+git0.81088cd/src/common/Cargo.toml new/himmelblau-2.3.8+git0.dec3693/src/common/Cargo.toml --- old/himmelblau-2.3.7+git0.81088cd/src/common/Cargo.toml 2026-03-04 23:22:49.000000000 +0100 +++ new/himmelblau-2.3.8+git0.dec3693/src/common/Cargo.toml 2026-03-11 00:55:58.000000000 +0100 @@ -30,6 +30,7 @@ os-release = { workspace = true } zeroize = { workspace = true } idmap = { workspace = true } +libkrimes = { workspace = true } # Kanidm deps rusqlite = { workspace = true } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/himmelblau-2.3.7+git0.81088cd/src/common/src/constants.rs new/himmelblau-2.3.8+git0.dec3693/src/common/src/constants.rs --- old/himmelblau-2.3.7+git0.81088cd/src/common/src/constants.rs 2026-03-04 23:22:49.000000000 +0100 +++ new/himmelblau-2.3.8+git0.dec3693/src/common/src/constants.rs 2026-03-11 00:55:58.000000000 +0100 @@ -53,7 +53,7 @@ pub const CN_NAME_MAPPING: bool = true; pub const DEFAULT_HELLO_PIN_MIN_LEN: usize = 6; pub const DEFAULT_HELLO_PIN_RETRY_COUNT: u32 = 3; -pub const DEFAULT_CCACHE_DIR: &str = "/tmp/krb5cc_"; +pub const DEFAULT_KERBEROS_CONF_DIR: &str = "/etc/krb5.conf.d/"; pub const EDGE_BROWSER_CLIENT_ID: &str = "d7b530a4-7680-4c23-a8bf-c52c121d2e87"; pub const DEFAULT_TPM_TCTI_NAME: &str = "device:/dev/tpmrm0"; pub const CONFIDENTIAL_CLIENT_CERT_KEY_TAG: &str = "confidential_client_certificate_key"; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/himmelblau-2.3.7+git0.81088cd/src/common/src/idprovider/himmelblau.rs new/himmelblau-2.3.8+git0.dec3693/src/common/src/idprovider/himmelblau.rs --- old/himmelblau-2.3.7+git0.81088cd/src/common/src/idprovider/himmelblau.rs 2026-03-04 23:22:49.000000000 +0100 +++ new/himmelblau-2.3.8+git0.dec3693/src/common/src/idprovider/himmelblau.rs 2026-03-11 00:55:58.000000000 +0100 @@ -48,6 +48,7 @@ structures::LoadableMsOapxbcRsaKey, structures::SealedData, PinValue, }; use libc::getpwnam; +use libkrimes::proto::KerberosCredentials; use regex::Regex; use reqwest; use reqwest::Url; @@ -406,18 +407,24 @@ .await } - async fn unix_user_ccaches( + async fn unix_user_tgts<D: KeyStoreTxn + Send>( &self, id: &Id, old_token: Option<&UserToken>, + keystore: &mut D, tpm: &mut tpm::provider::BoxedDynTpm, machine_key: &tpm::structures::StorageKey, - ) -> (Vec<u8>, Vec<u8>) { + ) -> ( + Option<Box<KerberosCredentials>>, + Option<Box<KerberosCredentials>>, + Option<String>, + Option<String>, + ) { let account_id = match old_token { Some(token) => token.spn.clone(), None => id.to_string().clone(), }; - let empty = (vec![], vec![]); + let empty = (None, None, None, None); let Ok(domain) = idp_get_domain_for_account(&account_id) else { return empty; }; @@ -428,7 +435,7 @@ }; provider - .unix_user_ccaches(id, old_token, tpm, machine_key) + .unix_user_tgts(id, old_token, keystore, tpm, machine_key) .await } @@ -848,23 +855,29 @@ } #[instrument(skip_all)] - async fn unix_user_ccaches( + async fn unix_user_tgts<D: KeyStoreTxn + Send>( &self, id: &Id, old_token: Option<&UserToken>, + _keystore: &mut D, tpm: &mut tpm::provider::BoxedDynTpm, machine_key: &tpm::structures::StorageKey, - ) -> (Vec<u8>, Vec<u8>) { + ) -> ( + Option<Box<KerberosCredentials>>, + Option<Box<KerberosCredentials>>, + Option<String>, + Option<String>, + ) { if (self.delayed_init().await).is_err() { // We can't fetch krb5 tgts when initialization hasn't // completed. This only happens when we're offline during first // startup. This should never happen! - return (vec![], vec![]); + return (None, None, None, None); } if !self.check_online(tpm, SystemTime::now()).await { // We can't fetch krb5 tgts when offline - return (vec![], vec![]); + return (None, None, None, None); } let account_id = match old_token { @@ -874,23 +887,40 @@ let prt = match self.refresh_cache.refresh_token(&account_id).await { Ok(prt) => prt, Err(e) => { - error!("Failed fetching PRT for Kerberos CCache: {:?}", e); - return (vec![], vec![]); + error!( + "Failed fetching refresh cache entry for Kerberos CCache: {:?}", + e + ); + return (None, None, None, None); } }; let cloud_ccache = self .client .read() .await - .fetch_cloud_ccache(&prt, tpm, machine_key) - .unwrap_or(vec![]); + .fetch_cloud_tgt(&prt, tpm, machine_key) + .ok(); let ad_ccache = self .client .read() .await - .fetch_ad_ccache(&prt, tpm, machine_key) - .unwrap_or(vec![]); - (cloud_ccache, ad_ccache) + .fetch_ad_tgt(&prt, tpm, machine_key) + .ok(); + let top_level_names = self + .client + .read() + .await + .unseal_prt_kerberos_top_level_names(&prt, tpm, machine_key) + .ok(); + let tenant_id = match old_token { + Some(t) => t.tenant_id.map(|u| u.to_string()), + None => match self.config.read().await.get_tenant_id(&self.domain) { + Some(t) => Some(t), + None => self.graph.tenant_id().await.ok(), + }, + }; + + (cloud_ccache, ad_ccache, top_level_names, tenant_id) } #[instrument(skip_all)] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/himmelblau-2.3.7+git0.81088cd/src/common/src/idprovider/interface.rs new/himmelblau-2.3.8+git0.dec3693/src/common/src/idprovider/interface.rs --- old/himmelblau-2.3.7+git0.81088cd/src/common/src/idprovider/interface.rs 2026-03-04 23:22:49.000000000 +0100 +++ new/himmelblau-2.3.8+git0.dec3693/src/common/src/idprovider/interface.rs 2026-03-11 00:55:58.000000000 +0100 @@ -12,6 +12,7 @@ use crate::unix_proto::{PamAuthRequest, PamAuthResponse}; use async_trait::async_trait; use himmelblau::{MFAAuthContinue, UserToken as UnixUserToken}; +use libkrimes::proto::KerberosCredentials; use serde::{Deserialize, Serialize}; use std::fmt; use std::time::SystemTime; @@ -220,13 +221,19 @@ _machine_key: &tpm::structures::StorageKey, ) -> Result<UnixUserToken, IdpError>; - async fn unix_user_ccaches( + async fn unix_user_tgts<D: KeyStoreTxn + Send>( &self, _id: &Id, _old_token: Option<&UserToken>, + _keystore: &mut D, _tpm: &mut tpm::provider::BoxedDynTpm, _machine_key: &tpm::structures::StorageKey, - ) -> (Vec<u8>, Vec<u8>); + ) -> ( + Option<Box<KerberosCredentials>>, + Option<Box<KerberosCredentials>>, + Option<String>, + Option<String>, + ); async fn unix_user_prt_cookie( &self, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/himmelblau-2.3.7+git0.81088cd/src/common/src/resolver.rs new/himmelblau-2.3.8+git0.dec3693/src/common/src/resolver.rs --- old/himmelblau-2.3.7+git0.81088cd/src/common/src/resolver.rs 2026-03-04 23:22:49.000000000 +0100 +++ new/himmelblau-2.3.8+git0.dec3693/src/common/src/resolver.rs 2026-03-11 00:55:58.000000000 +0100 @@ -11,6 +11,7 @@ // use async_trait::async_trait; use hashbrown::HashSet; use libc::uid_t; +use libkrimes::proto::KerberosCredentials; use std::collections::BTreeSet; use std::fmt::Display; use std::fs; @@ -622,10 +623,17 @@ } } - pub async fn get_user_ccaches( + pub async fn get_user_tgts( &self, account_id: Id, - ) -> Option<(uid_t, uid_t, Vec<u8>, Vec<u8>)> { + ) -> Option<( + uid_t, + uid_t, + Option<Box<KerberosCredentials>>, + Option<Box<KerberosCredentials>>, + Option<String>, + Option<String>, + )> { // Validate the user isn't in the nxset (aka, it's a local user or group). let (name, idnumber) = match account_id.clone() { Id::Name(name) => (Some(name), None), @@ -644,24 +652,32 @@ }; let mut hsm_lock = self.hsm.lock().await; + let mut dbtxn = self.db.write().await; - let (cloud_ccache, ad_ccache) = self + let (cloud_ccache, ad_ccache, top_level_names, tenant_id) = self .client - .unix_user_ccaches( + .unix_user_tgts( &account_id, Some(&token), + &mut dbtxn, hsm_lock.deref_mut(), &self.machine_key, ) .await; drop(hsm_lock); + if dbtxn.commit().is_err() { + error!("Failed to commit user token DB transaction"); + return None; + } Some(( token.gidnumber, token.real_gidnumber.unwrap_or(token.gidnumber), cloud_ccache, ad_ccache, + top_level_names, + tenant_id, )) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/himmelblau-2.3.7+git0.81088cd/src/common/src/unix_proto.rs new/himmelblau-2.3.8+git0.dec3693/src/common/src/unix_proto.rs --- old/himmelblau-2.3.7+git0.81088cd/src/common/src/unix_proto.rs 2026-03-04 23:22:49.000000000 +0100 +++ new/himmelblau-2.3.8+git0.dec3693/src/common/src/unix_proto.rs 2026-03-11 00:55:58.000000000 +0100 @@ -9,6 +9,7 @@ */ use libc::uid_t; +use libkrimes::proto::KerberosCredentials; use serde::{Deserialize, Serialize}; #[derive(Serialize, Deserialize, Debug)] @@ -160,7 +161,13 @@ HomeDirectory(HomeDirectoryInfo), LocalGroups(String, bool), LogonScript(String, String), - KerberosCCache(uid_t, uid_t, Vec<u8>, Vec<u8>), + KerberosConfig(Option<String>, Option<String>), + KerberosTGTs( + uid_t, + uid_t, + Option<Box<KerberosCredentials>>, + Option<Box<KerberosCredentials>>, + ), LoadProfilePhoto(String, String), ApplyPolicy(Option<String>, String, String, String, String), } @@ -172,8 +179,9 @@ TaskRequest::HomeDirectory(_) => "HomeDirectory(...)".to_string(), TaskRequest::LocalGroups(_, _) => "LocalGroups(...)".to_string(), TaskRequest::LogonScript(_, _) => "LogonScript(...)".to_string(), - TaskRequest::KerberosCCache(uid, gid, _, _) => { - format!("KerberosCCache({}, {}, ...)", uid, gid) + TaskRequest::KerberosConfig(..) => "KerberosConfig(...)".to_string(), + TaskRequest::KerberosTGTs(uid, gid, _, _) => { + format!("KerberosTGTs({}, {}, ...)", uid, gid) } TaskRequest::LoadProfilePhoto(_, _) => "LoadProfilePhoto(...)".to_string(), TaskRequest::ApplyPolicy(intune_device_id, _, _, _, _) => { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/himmelblau-2.3.7+git0.81088cd/src/config/krb5_himmelblau.conf new/himmelblau-2.3.8+git0.dec3693/src/config/krb5_himmelblau.conf --- old/himmelblau-2.3.7+git0.81088cd/src/config/krb5_himmelblau.conf 2026-03-04 23:22:49.000000000 +0100 +++ new/himmelblau-2.3.8+git0.dec3693/src/config/krb5_himmelblau.conf 1970-01-01 01:00:00.000000000 +0100 @@ -1,10 +0,0 @@ -[libdefaults] - default_ccache_name = DIR:/tmp/krb5cc_%{uid} -[domain_realm] - .windows.net = KERBEROS.MICROSOFTONLINE.COM - .azure.net = KERBEROS.MICROSOFTONLINE.COM -[realm] - KERBEROS.MICROSOFTONLINE.COM = { - kdc = https://login.microsoftonline.com/common/kerberos - kpasswd_server = https://login.microsoftonline.com/common/kerberos - } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/himmelblau-2.3.7+git0.81088cd/src/daemon/Cargo.toml new/himmelblau-2.3.8+git0.dec3693/src/daemon/Cargo.toml --- old/himmelblau-2.3.7+git0.81088cd/src/daemon/Cargo.toml 2026-03-04 23:22:49.000000000 +0100 +++ new/himmelblau-2.3.8+git0.dec3693/src/daemon/Cargo.toml 2026-03-11 00:55:58.000000000 +0100 @@ -50,6 +50,7 @@ sd-notify = "0.4.5" libhimmelblau.workspace = true console-subscriber = { workspace = true, optional = true } +libkrimes = { workspace = true } [package.metadata.deb] name = "himmelblau" @@ -58,7 +59,6 @@ recommends = ["nss-himmelblau", "pam-himmelblau", "krb5-user", "cron", "tpm2-tools"] assets = [ ["../../platform/debian/himmelblau.conf.example", "etc/himmelblau/himmelblau.conf", "644"], - ["../../src/config/krb5_himmelblau.conf", "etc/krb5.conf.d/", "644"], ["../../src/config/gdm3_service_override.conf", "usr/lib/systemd/system/gdm3.service.d/himmelblau-override.conf", "644"], ["target/release/aad-tool", "usr/bin/", "755"], ["../../platform/debian/himmelblaud-tasks.service", "usr/lib/systemd/system/", "644"], @@ -83,7 +83,6 @@ maintainer = "David Mulder <[email protected]>" assets = [ { source = "../../src/config/himmelblau.conf.example", dest = "/etc/himmelblau/himmelblau.conf", mode = "644", config = "noreplace" }, - { source = "../../src/config/krb5_himmelblau.conf", dest = "/etc/krb5.conf.d/", mode = "644" }, { source = "../../src/config/gdm3_service_override.conf", dest = "/usr/lib/systemd/system/display-manager.service.d/override.conf", mode = "644" }, { source = "target/release/aad-tool", dest = "/usr/bin/", mode = "755" }, { source = "../../platform/opensuse/himmelblaud-tasks.service", dest = "/usr/lib/systemd/system/", mode = "644" }, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/himmelblau-2.3.7+git0.81088cd/src/daemon/src/daemon.rs new/himmelblau-2.3.8+git0.dec3693/src/daemon/src/daemon.rs --- old/himmelblau-2.3.7+git0.81088cd/src/daemon/src/daemon.rs 2026-03-04 23:22:49.000000000 +0100 +++ new/himmelblau-2.3.8+git0.dec3693/src/daemon/src/daemon.rs 2026-03-11 00:55:58.000000000 +0100 @@ -416,23 +416,61 @@ } // Initialize the user Kerberos ccache - if let Some((uid, gid, cloud_ccache, ad_ccache)) = + if let Some((uid, gid, tgt_cloud, tgt_ad, top_level_names, tenant_id)) = cachelayer - .get_user_ccaches(Id::Name( + .get_user_tgts(Id::Name( account_id.to_string(), )) .await { let (tx, rx) = oneshot::channel(); + match task_channel_tx + .send_timeout( + ( + TaskRequest::KerberosConfig(top_level_names, tenant_id), + tx, + ), + Duration::from_millis(100), + ) + .await + { + Ok(()) => { + // Now wait for the other end OR timeout. + match time::timeout_at( + time::Instant::now() + + Duration::from_secs(60), + rx, + ) + .await + { + Ok(Ok(status)) => { + if status != 0 { + error!("Kerberos config failed for {}: Status code: {}", account_id, status); + } + } + Ok(Err(e)) => { + error!("Kerberos config failed for {}: {:?}", account_id, e); + } + Err(e) => { + error!("Kerberos config failed for {}: {:?}", account_id, e); + } + } + } + Err(e) => { + error!("Kerberos config failed for {}: {:?}", account_id, e); + } + } + + let (tx, rx) = oneshot::channel(); match task_channel_tx .send_timeout( ( - TaskRequest::KerberosCCache( + TaskRequest::KerberosTGTs( uid, gid, - cloud_ccache, - ad_ccache, + tgt_cloud, + tgt_ad, ), tx, ), diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/himmelblau-2.3.7+git0.81088cd/src/daemon/src/tasks_daemon.rs new/himmelblau-2.3.8+git0.dec3693/src/daemon/src/tasks_daemon.rs --- old/himmelblau-2.3.7+git0.81088cd/src/daemon/src/tasks_daemon.rs 2026-03-04 23:22:49.000000000 +0100 +++ new/himmelblau-2.3.8+git0.dec3693/src/daemon/src/tasks_daemon.rs 2026-03-11 00:55:58.000000000 +0100 @@ -22,8 +22,8 @@ use std::ffi::CString; use std::os::unix::ffi::OsStrExt; -use std::os::unix::fs::{symlink, DirBuilderExt, OpenOptionsExt}; -use std::path::Path; +use std::os::unix::fs::{symlink, OpenOptionsExt}; +use std::path::{Path, PathBuf}; use std::process::ExitCode; use std::str; use std::time::Duration; @@ -34,17 +34,18 @@ use himmelblau::graph::Graph; use himmelblau_policies::policies::apply_intune_policy; use himmelblau_unix_common::config::{split_username, HimmelblauConfig}; -use himmelblau_unix_common::constants::{DEFAULT_CCACHE_DIR, DEFAULT_CONFIG_PATH}; +use himmelblau_unix_common::constants::{DEFAULT_CONFIG_PATH, DEFAULT_KERBEROS_CONF_DIR}; use himmelblau_unix_common::unix_proto::{HomeDirectoryInfo, TaskRequest, TaskResponse}; use kanidm_utils_users::{get_effective_gid, get_effective_uid}; +use libc::uid_t; use libc::{lchown, umask}; -use libc::{mode_t, uid_t}; +use libkrimes::proto::KerberosCredentials; use sd_notify::NotifyState; use sketching::tracing_forest::traits::*; use sketching::tracing_forest::util::*; use sketching::tracing_forest::{self}; use std::fs::OpenOptions; -use std::fs::{DirBuilder, File}; +use std::fs::{File}; use std::io::Write; use std::process::Command; use tokio::net::UnixStream; @@ -345,51 +346,109 @@ } } -fn write_bytes_to_file(bytes: &[u8], filename: &Path, uid: uid_t, gid: uid_t, mode: mode_t) -> i32 { - let mut file = match OpenOptions::new() - .create(true) - .truncate(true) - .write(true) - .mode(mode) - .open(filename) - { - Ok(file) => file, - Err(_) => return 1, +fn store_tgt(tgt: &KerberosCredentials, uid: uid_t, gid: uid_t) -> Result<(), String> { + // Usually default_ccache_name in /etc/krb5.conf contains a %{uid} substitution, + // which will be '0' (root) for the tasks daemon because it runs as root. Force + // the ccache name. + // TODO: Add a new himmelblau.conf option to define the ccache name + let ccname = Some(format!("KEYRING:persistent:{}", uid)); + + debug!(?ccname, "Storing kerberos ticket in credential cache"); + + let guard = uzers::switch::switch_user_group(uid, gid) + .map_err(|e| format!("Failed to switch user/group: {}", e))?; + + let mut ccache = match libkrimes::ccache::resolve(ccname.as_deref()) { + Ok(ccache) => ccache, + Err(e) => { + drop(guard); + let msg = format!("Failed to resolve credential cache {:?}: {:?}", ccname, e); + return Err(msg); + } }; - if chown(filename, uid, gid).is_err() { - return 3; + match ccache.init(tgt.name(), None) { + Ok(_) => (), + Err(e) => { + drop(guard); + let msg = format!("Failed to init credential cache {:?}: {:?}", ccname, e); + return Err(msg); + } } - if file.write_all(bytes).is_err() { - return 2; + match ccache.store(tgt) { + Ok(_) => (), + Err(e) => { + drop(guard); + let msg = format!("Failed to store TGT in credential cache: {:?}", e); + return Err(msg); + } } - 0 + drop(guard); + + Ok(()) } -fn create_ccache_dir(ccache_dir: &Path, uid: uid_t, gid: uid_t) -> io::Result<()> { - DirBuilder::new() - .recursive(true) - .mode(0o700) - .create(ccache_dir) - .map_err(|e| { - error!( - "Failed to create the krb5 ccache directory '{}': {:?}", - ccache_dir.display(), - e - ); - e - })?; +fn write_kerberos_config_snippet( + top_level_names: Option<String>, + tenant_id: &str, +) -> Result<(), String> { + if tenant_id.is_empty() { + return Err("Failed to write Kerberos config snippet, empty tenant_id".to_string()); + } - std::os::unix::fs::chown(ccache_dir, Some(uid), Some(gid)).map_err(|e| { - error!( - "Failed to set the krb5 ccache directory '{}' owner and group: {:?}", - ccache_dir.display(), - e - ); - e - }) + // The tenant_id will be used in a file path. Validate it is really an UUID. + uuid::Uuid::try_parse(tenant_id).map_err(|x| format!("Failed to validate tenant ID: {x}"))?; + + let krb_conf_dir = PathBuf::from(DEFAULT_KERBEROS_CONF_DIR); + + trace!(?krb_conf_dir, "Check kerberos config dir exists"); + match std::fs::exists(&krb_conf_dir) { + Ok(true) => match &krb_conf_dir.is_dir() { + false => Err(format!("Path {krb_conf_dir:?} is not a directory")), + true => Ok(()), + }, + Ok(false) => Err(format!("Path {krb_conf_dir:?} does not exist")), + Err(e) => Err(format!("Failed to check if {krb_conf_dir:?} exists: {e}")), + }?; + + let krb_snippet = krb_conf_dir.join(format!("himmelblau_{tenant_id}.conf")); + let mut file = match OpenOptions::new() + .create(true) + .truncate(true) + .write(true) + .mode(0o644) + .open(&krb_snippet) + { + Ok(file) => file, + Err(e) => return Err(format!("Failed to open {krb_snippet:?}: {e}")), + }; + + let libdefs = "[libdefaults]\n\tdns_canonicalize_hostname = false\n"; + file.write_all(libdefs.as_bytes()) + .map_err(|e| format!("Failed to write to {krb_snippet:?}: {e}"))?; + + let realms = format!( + "[realms]\n\tKERBEROS.MICROSOFTONLINE.COM = {{\n\t\tkdc = https://login.microsoftonline.com/{tenant_id}/kerberos\n\t}}\n"; + ); + file.write_all(realms.as_bytes()) + .map_err(|e| format!("Failed to write to {krb_snippet:?}: {e}"))?; + + let domain_realms: Vec<String> = match top_level_names { + Some(s) => s + .split(",") + .map(|e| e.trim()) + .filter(|e| !e.contains(":")) + .map(|x| format!("\t{x} = KERBEROS.MICROSOFTONLINE.COM")) + .collect(), + None => vec![], + }; + let domain_realms = format!("[domain_realm]\n{}\n", domain_realms.join("\n")); + file.write_all(domain_realms.as_bytes()) + .map_err(|e| format!("Failed to write to {krb_snippet:?}: {e}"))?; + + Ok(()) } async fn handle_tasks(stream: UnixStream, cfg: &HimmelblauConfig) { @@ -460,47 +519,43 @@ return; } } - Some(Ok(TaskRequest::KerberosCCache(uid, gid, cloud_ccache, ad_ccache))) => { - debug!("Received task -> KerberosCCache({}, ...)", uid); - let ccache_dir_str = format!("{}{}", DEFAULT_CCACHE_DIR, uid); - let ccache_dir = Path::new(&ccache_dir_str); - - let response = match create_ccache_dir(ccache_dir, uid, gid) { - Ok(()) => { - let primary_name = ccache_dir.join("primary"); - write_bytes_to_file(b"tkt\n", &primary_name, uid, gid, 0o600); - - let cloud_ret = if !cloud_ccache.is_empty() { - // The cloud_tkt is the primary only if the on-prem isn't - // present. - let name = if !ad_ccache.is_empty() { - "cloud_tkt" - } else { - "tkt" - }; - let cloud_ccache_name = ccache_dir.join(name); - write_bytes_to_file(&cloud_ccache, &cloud_ccache_name, uid, gid, 0o600) - * 10 - } else { - 0 - }; - - let ad_ret = if !ad_ccache.is_empty() { - // If the on-prem ad_tkt exists, it overrides the primary - let name = "tkt"; - let ad_ccache_name = ccache_dir.join(name); - write_bytes_to_file(&ad_ccache, &ad_ccache_name, uid, gid, 0o600) * 100 - } else { - 0 - }; - TaskResponse::Success(cloud_ret + ad_ret) - } - Err(_) => TaskResponse::Error( - "Failed to create credential cache directory".to_string(), + Some(Ok(TaskRequest::KerberosConfig(top_level_names, tenant_id))) => { + debug!("Received task -> KerberosConfig(...)"); + + let response = match tenant_id { + Some(t) => match write_kerberos_config_snippet(top_level_names, &t) { + Ok(_) => TaskResponse::Success(0), + Err(msg) => TaskResponse::Error(msg), + }, + None => TaskResponse::Error( + "Failed to write Kerberos config snippet, no tenant_id".to_string(), ), }; - // Indicate the status response + if let Err(e) = reqs.send(response).await { + error!("Error -> {:?}", e); + return; + } + } + Some(Ok(TaskRequest::KerberosTGTs(uid, gid, tgt_cloud, tgt_ad))) => { + debug!("Received task -> KerberosTGTs({}, {}, ...)", uid, gid); + + let cloud_ret = if let Some(tgt_cloud) = tgt_cloud { + store_tgt(tgt_cloud.as_ref(), uid, gid) + } else { + Ok(()) + }; + + let ad_ret = if let Some(tgt_ad) = tgt_ad { + store_tgt(tgt_ad.as_ref(), uid, gid) + } else { + Ok(()) + }; + + let response = match cloud_ret.and(ad_ret) { + Ok(_) => TaskResponse::Success(0), + Err(msg) => TaskResponse::Error(msg), + }; if let Err(e) = reqs.send(response).await { error!("Error -> {:?}", e); return; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/himmelblau-2.3.7+git0.81088cd/src/selinux/src/himmelblaud.te new/himmelblau-2.3.8+git0.dec3693/src/selinux/src/himmelblaud.te --- old/himmelblau-2.3.7+git0.81088cd/src/selinux/src/himmelblaud.te 2026-03-04 23:22:49.000000000 +0100 +++ new/himmelblau-2.3.8+git0.dec3693/src/selinux/src/himmelblaud.te 2026-03-11 00:55:58.000000000 +0100 @@ -187,7 +187,7 @@ allow himmelblaud_t proc_t:filesystem getattr; allow himmelblaud_t proc_t:lnk_file read; allow himmelblaud_t himmelblaud_t:dir search; - allow himmelblaud_t himmelblaud_t:file { getattr open read }; + allow himmelblaud_t himmelblaud_t:file { getattr ioctl open read }; allow himmelblaud_t self:process { fork getsched }; allow himmelblaud_t self:fifo_file { getattr read ioctl }; allow himmelblaud_t sysctl_t:dir search; @@ -199,6 +199,7 @@ allow himmelblaud_t sysfs_t:file { getattr open read }; allow himmelblaud_t security_t:filesystem getattr; allow himmelblaud_t var_lib_t:dir { getattr search }; + allow himmelblaud_t var_lib_t:lnk_file { getattr read }; allow himmelblaud_t null_device_t:chr_file { getattr open read write ioctl }; allow himmelblaud_t urandom_device_t:chr_file { getattr open read }; allow himmelblaud_t init_t:fd use; @@ -267,7 +268,7 @@ type tmpfs_t; class file { getattr open read }; } - allow himmelblaud_t tmpfs_t:file { getattr open read }; + allow himmelblaud_t tmpfs_t:file { getattr open read write map }; } optional { @@ -289,7 +290,7 @@ # himmelblaud_tasks_t (tasks daemon) permissions allow himmelblaud_tasks_t himmelblau_etc_t:dir { getattr open read search }; allow himmelblaud_tasks_t himmelblau_etc_t:file { getattr open read }; -allow himmelblaud_tasks_t himmelblau_nss_cache_t:dir { add_name remove_name search write }; +allow himmelblaud_tasks_t himmelblau_nss_cache_t:dir { add_name getattr open read remove_name search write }; allow himmelblaud_tasks_t himmelblau_nss_cache_t:file { create getattr lock open read setattr unlink write }; allow himmelblaud_tasks_t himmelblau_var_cache_t:dir { add_name create getattr open read remove_name rmdir search setattr write }; allow himmelblaud_tasks_t himmelblau_var_cache_t:file { create getattr lock open read setattr unlink write }; @@ -323,11 +324,16 @@ type xdm_var_run_t; type sysfs_t; type var_lib_t; + type selinux_config_t; + type security_t; + type urandom_device_t; class dir { add_name create getattr open read remove_name search setattr write }; class file { create getattr open read setattr unlink write execute execute_no_trans map }; class lnk_file read; class chr_file { getattr open read write ioctl }; + class filesystem getattr; class unix_stream_socket { connectto read write }; + class netlink_audit_socket { create nlmsg_relay read write }; class netlink_route_socket { bind create getattr nlmsg_read read write }; class udp_socket { connect create getattr read setopt write }; class fifo_file { getattr read ioctl }; @@ -338,6 +344,7 @@ class fd use; } allow himmelblaud_tasks_t proc_t:dir search; + allow himmelblaud_tasks_t proc_t:filesystem getattr; allow himmelblaud_tasks_t proc_t:lnk_file read; allow himmelblaud_tasks_t himmelblaud_tasks_t:dir search; allow himmelblaud_tasks_t himmelblaud_tasks_t:file { getattr open read write }; @@ -364,6 +371,9 @@ allow himmelblaud_tasks_t sysctl_t:dir search; allow himmelblaud_tasks_t sysctl_kernel_t:dir search; allow himmelblaud_tasks_t sysctl_kernel_t:file { getattr open read }; + allow himmelblaud_tasks_t selinux_config_t:dir search; + allow himmelblaud_tasks_t selinux_config_t:file { getattr open read }; + allow himmelblaud_tasks_t security_t:filesystem getattr; allow himmelblaud_tasks_t net_conf_t:lnk_file read; allow himmelblaud_tasks_t net_conf_t:file { getattr open read }; allow himmelblaud_tasks_t systemd_resolved_var_run_t:dir search; @@ -387,7 +397,11 @@ allow himmelblaud_tasks_t sysfs_t:lnk_file read; allow himmelblaud_tasks_t sysfs_t:file { getattr open read }; allow himmelblaud_tasks_t var_lib_t:dir search; + allow himmelblaud_tasks_t urandom_device_t:chr_file { getattr open read }; + allow himmelblaud_tasks_t self:netlink_audit_socket { create nlmsg_relay read write }; allow himmelblaud_tasks_t self:capability chown; + allow himmelblaud_tasks_t self:key { read view search write create link setattr }; + allow himmelblaud_tasks_t self:capability { setuid setgid }; } optional { @@ -642,9 +656,12 @@ allow init_t himmelblaud_tasks_t:dir search; allow init_t himmelblaud_t:process { signull signal sigkill }; allow init_t himmelblaud_tasks_t:process { signull signal sigkill }; -allow init_t himmelblaud_t:file read; -allow init_t himmelblaud_tasks_t:file read; +allow init_t himmelblaud_t:process { noatsecure rlimitinh siginh }; +allow init_t himmelblaud_tasks_t:process { noatsecure rlimitinh siginh }; +allow init_t himmelblaud_t:file { getattr open read ioctl }; +allow init_t himmelblaud_tasks_t:file { getattr open read ioctl }; allow init_t himmelblaud_t:unix_stream_socket connectto; +allow init_t himmelblaud_t:fd use; # Optional: init_t access to cron spool (may not exist on all systems) optional { @@ -827,6 +844,7 @@ allow cupsd_t himmelblau_var_cache_t:lnk_file read; allow cupsd_t himmelblau_var_run_t:dir search; allow cupsd_t himmelblau_var_run_t:sock_file write; + allow cupsd_t himmelblaud_t:unix_stream_socket connectto; } #============= NetworkManager_t ============== @@ -861,8 +879,9 @@ allow policykit_t himmelblau_var_run_t:dir search; allow policykit_t himmelblau_var_run_t:sock_file write; allow policykit_t himmelblaud_t:dir search; - allow policykit_t himmelblaud_t:file read; + allow policykit_t himmelblaud_t:file { getattr open read ioctl }; allow policykit_t himmelblaud_t:unix_stream_socket connectto; + allow policykit_t himmelblaud_tasks_t:file ioctl; } #============= policykit_auth_t ============== @@ -926,6 +945,7 @@ allow sshd_session_t himmelblau_nss_cache_t:file { create getattr lock open read setattr unlink write }; allow sshd_session_t himmelblau_var_run_t:dir search; allow sshd_session_t himmelblau_var_run_t:sock_file write; + allow sshd_session_t himmelblaud_t:unix_stream_socket connectto; } #============= systemd_logind_t ============== @@ -1020,11 +1040,16 @@ allow unconfined_t himmelblaud_t:unix_stream_socket connectto; allow unconfined_t himmelblaud_t:dir { getattr search }; allow unconfined_t himmelblaud_tasks_t:dir { getattr search }; - allow unconfined_t himmelblaud_t:file { getattr open read }; - allow unconfined_t himmelblaud_tasks_t:file { getattr open read }; + allow unconfined_t himmelblaud_t:file { getattr ioctl open read }; + allow unconfined_t himmelblaud_t:lnk_file read; + allow unconfined_t himmelblaud_t:process getattr; + allow unconfined_t himmelblaud_tasks_t:file { getattr ioctl open read }; + allow unconfined_t himmelblaud_tasks_t:lnk_file read; + allow unconfined_t himmelblaud_tasks_t:process getattr; allow unconfined_t himmelblau_etc_t:dir { add_name create getattr open read remove_name search write setattr relabelto relabelfrom }; allow unconfined_t himmelblau_etc_t:file { append create getattr open read rename setattr unlink write relabelto relabelfrom }; + allow unconfined_t himmelblaud_tasks_t:key { link read search view }; } #============= syslogd_t ============== @@ -1043,6 +1068,23 @@ allow syslogd_t himmelblaud_tasks_t:lnk_file read; } +#============= auditd_t ============== +# auditd inspects daemon metadata and writes to our runtime socket when plugin hooks run +optional { + require { + type auditd_t; + } + allow auditd_t himmelblau_etc_t:dir search; + allow auditd_t himmelblau_etc_t:file { getattr open read }; + allow auditd_t himmelblau_var_cache_t:dir search; + allow auditd_t himmelblau_var_cache_t:lnk_file read; + allow auditd_t himmelblau_nss_cache_t:dir { getattr search setattr }; + allow auditd_t himmelblau_nss_cache_t:file getattr; + allow auditd_t himmelblau_var_run_t:dir search; + allow auditd_t himmelblau_var_run_t:sock_file write; + allow auditd_t himmelblaud_t:unix_stream_socket connectto; +} + #============= systemd_userdbd_t ============== # systemd_userdbd_t is for systemd-userdbd, may not exist on all distros optional { @@ -1059,6 +1101,7 @@ allow systemd_userdbd_t himmelblau_var_cache_t:lnk_file read; allow systemd_userdbd_t himmelblau_etc_t:file { getattr open read }; allow systemd_userdbd_t himmelblaud_t:unix_stream_socket connectto; + allow himmelblaud_tasks_t systemd_userdbd_t:unix_stream_socket connectto; } #============= systemd_machined_t ============== @@ -1137,6 +1180,13 @@ allow unconfined_dbusd_t himmelblaud_t:unix_stream_socket connectto; } +optional { + require { + type plymouthd_t; + } + allow plymouthd_t self:capability dac_override; +} + ############################ # Temporarily run Himmelblau domains permissive (still logs AVCs) permissive himmelblaud_t; ++++++ vendor.tar.zst ++++++ /work/SRC/openSUSE:Factory/himmelblau/vendor.tar.zst /work/SRC/openSUSE:Factory/.himmelblau.new.8177/vendor.tar.zst differ: char 7, line 1
