Misc updates

.github/workflows/lint-policy.yml

@@ -71,3 +71,17 @@ jobs:
 
     - name: Run file context checker
       run: python${{ inputs.python-version }} -t -t -E -W error testing/check_fc_files.py
+
+  codespell:
+    runs-on: ubuntu-22.04
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Install dependencies
+      run: |
+        sudo apt-get update -q
+        sudo apt-get install -qy codespell
+
+    - name: Run codespell
+      run: codespell --skip Changelog,Changelog.contrib,Changelog.old --ignore-words-list busses,chage,doesnt,lik,msdos,nd,racoon,shouldnt,startd,te,thats,xwindows --context 1 .

policy/mls

@@ -2,7 +2,7 @@ ifdef(`enable_mls',`
 #
 # Define sensitivities
 #
-# Domination of sensitivities is in increasin
+# Domination of sensitivities is in increasing
 # numerical order, with s0 being the lowest
 
 gen_sens(mls_num_sens)

policy/modules/admin/bootloader.te

@@ -43,7 +43,7 @@ dev_node(bootloader_tmp_t)
 
 allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
 dontaudit bootloader_t self:capability { net_admin sys_resource };
-allow bootloader_t self:process { execmem signal_perms };
+allow bootloader_t self:process { execmem getsched signal_perms };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
 
 allow bootloader_t bootloader_etc_t:file read_file_perms;

policy/modules/apps/uml.te

@@ -32,7 +32,7 @@ type uml_switch_t;
 type uml_switch_exec_t;
 init_daemon_domain(uml_switch_t, uml_switch_exec_t)
 
-type uml_switch_runtime_t alias uml_swich_var_run_t;
+type uml_switch_runtime_t alias uml_switch_var_run_t;
 files_runtime_file(uml_switch_runtime_t)
 
 ########################################

policy/modules/kernel/corenetwork.if.in

@@ -1612,7 +1612,7 @@ interface(`corenet_tcp_bind_all_ports',`
 
 ########################################
 ## <summary>
-##	Do not audit attepts to bind TCP sockets to any ports.
+##	Do not audit attempts to bind TCP sockets to any ports.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1667,7 +1667,7 @@ interface(`corenet_sctp_connect_generic_port',`
 
 ########################################
 ## <summary>
-##	Do not audit attepts to bind UDP sockets to any ports.
+##	Do not audit attempts to bind UDP sockets to any ports.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1881,7 +1881,7 @@ interface(`corenet_tcp_connect_reserved_port',`
 
 ########################################
 ## <summary>
-##	Do not audit attepts to bind SCTP sockets to any ports.
+##	Do not audit attempts to bind SCTP sockets to any ports.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2474,7 +2474,7 @@ interface(`corenet_tcp_recvfrom_netlabel',`
 
 ########################################
 ## <summary>
-##	Receive TCP packets from an unlabled connection.
+##	Receive TCP packets from an unlabeled connection.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -3325,7 +3325,7 @@ interface(`corenet_relabelto_all_server_packets',`
 
 ########################################
 ## <summary>
-##	Receive SCTP packets from an unlabled connection.
+##	Receive SCTP packets from an unlabeled connection.
 ## </summary>
 ## <param name="domain">
 ##	<summary>

policy/modules/kernel/corenetwork.te.m4

@@ -125,7 +125,7 @@ ifelse(`$5',`',`',`declare_ibpkeycons($1,shiftn(4,$*))')dnl
 ')
 
 #
-# ib_pkey(nam, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]])
+# ib_pkey(name, subnet_prefix, pkey_num, mls_sensitivity [,subnet_prefix, pkey_num, mls_sensitivity[,...]])
 #
 define(`ib_pkey',`
 type $1_ibpkey_t, ibpkey_type;

policy/modules/kernel/devices.if

@@ -5628,6 +5628,25 @@ interface(`dev_rw_vsock',`
 	rw_chr_files_pattern($1, device_t, vsock_device_t)
 ')
 
+########################################
+## <summary>
+##	Automatic type transition to the type
+##	for the vsock device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_filetrans_vsock_dev',`
+	gen_require(`
+		type device_t, vsock_device_t;
+	')
+
+	filetrans_pattern($1, device_t, vsock_device_t, chr_file, "vsock")
+')
+
 ########################################
 ## <summary>
 ##	Read from watchdog devices.

policy/modules/kernel/devices.te

@@ -86,7 +86,7 @@ genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_onli
 type crash_device_t;
 dev_node(crash_device_t)
 
-# for the IBM zSeries z90crypt hardware ssl accelorator
+# for the IBM zSeries z90crypt hardware ssl accelerator
 type crypt_device_t;
 dev_node(crypt_device_t)
 

policy/modules/kernel/domain.if

@@ -417,7 +417,7 @@ interface(`domain_dontaudit_use_interactive_fds',`
 ########################################
 ## <summary>
 ##	Send a SIGCHLD signal to domains whose file
-##	discriptors are widely inheritable.
+##	descriptors are widely inheritable.
 ## </summary>
 ## <param name="domain">
 ##	<summary>

policy/modules/kernel/files.if

@@ -3838,7 +3838,7 @@ interface(`files_dontaudit_read_etc_runtime_files',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to execuite files
+##	Do not audit attempts to execute files
 ##	in /etc that are dynamically
 ##	created on boot, such as mtab.
 ## </summary>
@@ -3848,14 +3848,31 @@ interface(`files_dontaudit_read_etc_runtime_files',`
 ##	</summary>
 ## </param>
 #
-interface(`files_dontaudit_execuite_etc_runtime_files',`
+interface(`files_dontaudit_exec_etc_runtime_files',`
 	gen_require(`
 		type etc_runtime_t;
 	')
 
 	dontaudit $1 etc_runtime_t:file execute;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to execute files
+##	in /etc that are dynamically
+##	created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_execuite_etc_runtime_files',`
+	refpolicywarn(`$0($*) has been deprecated, please use files_dontaudit_exec_etc_runtime_files() instead.')
+	files_dontaudit_exec_etc_runtime_files($1)
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read files

policy/modules/kernel/kernel.te

@@ -388,6 +388,7 @@ ifdef(`init_systemd',`
 	optional_policy(`
 		dev_manage_input_dev(kernel_t)
 		dev_filetrans_input_dev(kernel_t)
+		dev_filetrans_vsock_dev(kernel_t)
 	')
 
 	optional_policy(`

policy/modules/kernel/selinux.te

@@ -15,7 +15,7 @@ gen_bool(secure_mode_policyload,false)
 
 ## <desc>
 ## <p>
-## Boolean to determine whether the system permits setting Booelan values.
+## Boolean to determine whether the system permits setting Boolean values.
 ## </p>
 ## </desc>
 gen_bool(secure_mode_setbool,false)

policy/modules/services/cockpit.if

@@ -54,7 +54,7 @@ template(`cockpit_role_template',`
 	dev_dontaudit_execute_dev_nodes($2)
 
 	files_dontaudit_execute_default_files($2)
-	files_dontaudit_execuite_etc_runtime_files($2)
+	files_dontaudit_exec_etc_runtime_files($2)
 	files_dontaudit_exec_runtime($2)
 	files_watch_etc_files($2)
 	files_watch_root_dirs($2)

policy/modules/services/container.te

@@ -1009,7 +1009,7 @@ allow spc_t self:process { getcap setexec setrlimit };
 # Normally triggered when rook-ceph executes lvm tools which creates noise.
 # This can be allowed if actually needed.
 dontaudit spc_t self:process setfscreate;
-allow spc_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setuid setpcap sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource };
+allow spc_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource };
 allow spc_t self:capability2 { bpf perfmon };
 allow spc_t self:bpf { map_create map_read map_write prog_load prog_run };
 allow spc_t self:key manage_key_perms;

policy/modules/services/corosync.te

@@ -37,7 +37,7 @@ logging_log_file(corosync_var_log_t)
 #
 
 allow corosync_t self:capability { dac_override fowner ipc_lock setgid setuid sys_admin sys_nice sys_resource };
-# for hearbeat
+# for heartbeat
 allow corosync_t self:capability { chown net_raw };
 allow corosync_t self:process { setpgid setrlimit setsched signal signull };
 allow corosync_t self:fifo_file rw_fifo_file_perms;

policy/modules/services/gssproxy.if

@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Execute gssproxy in the gssproxy domin.
+##	Execute gssproxy in the gssproxy domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>

policy/modules/services/haproxy.te

@@ -62,7 +62,7 @@ files_tmpfs_file(haproxy_tmpfs_t)
 #
 
 allow haproxy_t self:process { getsched setrlimit signal };
-allow haproxy_t self:capability { kill setuid setgid };
+allow haproxy_t self:capability { kill setgid setuid };
 dontaudit haproxy_t self:capability net_admin;
 allow haproxy_t self:fifo_file rw_fifo_file_perms;
 allow haproxy_t self:tcp_socket create_stream_socket_perms;

policy/modules/services/iiosensorproxy.if

@@ -2,7 +2,7 @@
 ##
 ## <desc>
 ## Industrial I/O subsystem is intended to provide support for devices
-## that in some sense are analog to digital or digital to analog convertors
+## that in some sense are analog to digital or digital to analog converters
 ## .
 ## Devices that fall into this category are:
 ##  * ADCs

policy/modules/services/iiosensorproxy.te

@@ -5,7 +5,7 @@ policy_module(iiosensorproxy)
 # iio-sensor-proxy (Debian package iio-sensor-proxy)
 # IIO sensors to D-Bus proxy
 # Industrial I/O subsystem is intended to provide support for devices
-# that in some sense are analog to digital or digital to analog convertors
+# that in some sense are analog to digital or digital to analog converters
 # .
 # Devices that fall into this category are:
 #  * ADCs

policy/modules/services/lircd.if

@@ -1,4 +1,4 @@
-## <summary>Linux infared remote control daemon.</summary>
+## <summary>Linux infrared remote control daemon.</summary>
 
 ########################################
 ## <summary>

policy/modules/services/ppp.if

@@ -90,7 +90,7 @@ interface(`ppp_home_filetrans_ppp_home',`
 
 ########################################
 ## <summary>
-##	Inherit and use ppp file discriptors.
+##	Inherit and use ppp file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -109,7 +109,7 @@ interface(`ppp_use_fds',`
 ########################################
 ## <summary>
 ##	Do not audit attempts to inherit
-##	and use ppp file discriptors.
+##	and use ppp file descriptors.
 ## </summary>
 ## <param name="domain">
 ##	<summary>

policy/modules/services/ssh.fc

@@ -10,6 +10,7 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 
 /usr/lib/misc/sshd-session	--	gen_context(system_u:object_r:sshd_exec_t,s0)
 /usr/lib/openssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/lib/openssh/sshd-session	--	gen_context(system_u:object_r:sshd_exec_t,s0)
 /usr/lib/ssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
 /usr/lib/systemd/system/ssh.*		--	gen_context(system_u:object_r:sshd_unit_t,s0)

policy/modules/services/tgtd.if

@@ -21,7 +21,7 @@ interface(`tgtd_rw_semaphores',`
 ######################################
 ## <summary>
 ##	Create, read, write, and delete
-##	tgtd sempaphores.
+##	tgtd semaphores.
 ## </summary>
 ## <param name="domain">
 ##	<summary>

policy/modules/services/virt.if

@@ -1083,7 +1083,7 @@ interface(`virt_lxc_sigchld',`
 
 ########################################
 ## <summary>
-##	Read and write virtd lxc unamed pipes.
+##	Read and write virtd lxc unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1195,7 +1195,7 @@ interface(`virt_virsh_sigchld',`
 
 ########################################
 ## <summary>
-##	Read and write virsh unamed pipes.
+##	Read and write virsh unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>

policy/modules/system/iscsi.if

@@ -22,7 +22,7 @@ interface(`iscsid_domtrans',`
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
-##	iscsid sempaphores.
+##	iscsid semaphores.
 ## </summary>
 ## <param name="domain">
 ##	<summary>

policy/modules/system/locallogin.te

@@ -34,7 +34,7 @@ role system_r types sulogin_t;
 
 allow local_login_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
 dontaudit local_login_t self:capability net_admin;
-allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
+allow local_login_t self:process { getcap setcap setexec setrlimit setsched signal };
 allow local_login_t self:fd use;
 allow local_login_t self:fifo_file rw_fifo_file_perms;
 allow local_login_t self:sock_file read_sock_file_perms;

policy/modules/system/systemd.te

@@ -585,8 +585,10 @@ kernel_use_fds(systemd_generator_t)
 kernel_read_system_state(systemd_generator_t)
 kernel_read_kernel_sysctls(systemd_generator_t)
 kernel_dontaudit_getattr_proc(systemd_generator_t)
-# Where an unlabeled mountpoint is encounted:
+# Where an unlabeled mountpoint is encountered:
 kernel_dontaudit_search_unlabeled(systemd_generator_t)
+# vmware_vsock
+kernel_request_load_module(systemd_generator_t)
 
 modutils_domtrans(systemd_generator_t)
 

policy/modules/system/unconfined.if

@@ -50,6 +50,9 @@ interface(`unconfined_domain_noaudit',`
 	# Write access is for setting attributes under /proc/self/attr.
 	allow $1 self:file rw_file_perms;
 
+	# io_uring
+	allow $1 self:anon_inode { create map read write };
+
 	# Userland object managers
 	allow $1 self:nscd { admin getgrp gethost getpwd getserv getstat shmemgrp shmemhost shmempwd shmemserv };
 	allow $1 self:dbus { acquire_svc send_msg };