From 329ecf3889d1585ba6a5ff357f107ba03bdab07d Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Wed, 4 Oct 2023 11:26:53 +0200
Subject: [PATCH 1/2] Deprecate common_anon_inode_perms usage

---
 policy/support/obj_perm_sets.spt | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 13f78c1d9d..88f17c876b 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -284,10 +284,14 @@ define(`watch_reads_chr_file_perms',`{ getattr watch_reads }')
 #
 define(`userfaultfd_anon_inode_perms',`
 # deprecated 2022.02.07
- refpolicywarn(`userfaultfd_anon_inode_perms() is deprecated, please use common_inode_perms() instead.')
+ refpolicywarn(`userfaultfd_anon_inode_perms() is deprecated, enumerate the needed permissions instead.')
 { create getattr ioctl read write }
 ')
-define(`common_anon_inode_perms',`{ create getattr ioctl map read write }')
+define(`common_anon_inode_perms',`
+ # deprecated 2023.10.04
+ refpolicywarn(`common_anon_inode_perms() is deprecated, enumerate the needed permissions instead.')
+ { create getattr ioctl map read write }
+')
 
 ########################################
 #

From bd9f35fc87aa3c483562a955097bb3e027a1e1db Mon Sep 17 00:00:00 2001
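Review bot: The deprecation comment added on common_anon_inode_perms records only the date, and the warning text tells callers to "enumerate the needed permissions" without saying why the set is being retired, so a reader of obj_perm_sets.spt cannot tell what is wrong with a set that still exists and still expands to `{ create getattr ioctl map read write }`. A one-line rationale on the define would help, e.g. `# deprecated 2023.10.04 - too broad for most anon_inode types (grants map and ioctl unconditionally); allow only the permissions the AVC shows` — the motivation is inferred from the set contents, so adjust it to the real reason. It is also worth noting in the comment that, until callers migrate, each use still expands to the full set and only emits a build-time warning; the userfaultfd_anon_inode_perms message updated in the same hunk has the same gap.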
From: Zdenek Pytela
Date: Wed, 4 Oct 2023 11:45:54 +0200
Subject: [PATCH 2/2] Allow named and ndc use the io_uring api

The commit addresses the following AVC denial example:
type=PROCTITLE msg=audit(10/04/2023 04:16:04.679:782) : proctitle=/usr/sbin/named -u named -c /etc/named.conf
type=SYSCALL msg=audit(10/04/2023 04:16:04.679:782) : arch=x86_64 syscall=io_uring_setup success=no exit=EACCES(Permission denied) a0=0x40 a1=0x7ffd3bdefe90 a2=0x0 a3=0x55a930c09bc0 items=0 ppid=1 4266 pid=14268 auid=unset uid=named gid=named euid=named suid=named fsuid=named egid=named sgid=named fsgid=named tty=(none) ses=unset comm=named exe=/usr/sbin/named subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(10/04/2023 04:16:04.679:782) : avc: denied { create } for pid=14268 comm=named anonclass=[io_uring] scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=0
---
 policy/modules/contrib/bind.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
index fa107dc6a4..dcccb24ad2 100644
--- a/policy/modules/contrib/bind.te
+++ b/policy/modules/contrib/bind.te
@@ -116,6 +116,7 @@ read_files_pattern(named_t, named_zone_t, named_zone_t)
 read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
 allow named_t named_zone_t:file map;
 
+kernel_io_uring_use(named_t)
 kernel_read_kernel_sysctls(named_t)
 kernel_read_system_state(named_t)
 kernel_read_network_state(named_t)
@@ -280,6 +281,7 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
 allow ndc_t named_zone_t:dir search_dir_perms;
 
+kernel_io_uring_use(ndc_t)
 kernel_read_system_state(ndc_t)
 kernel_read_kernel_sysctls(ndc_t)
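Review bot: The AVC quoted in the description shows a single `{ create }` denial on io_uring_t for named_t, while the added `kernel_io_uring_use(named_t)` grants whatever that interface expands to (its body is not in the hunk), and the following ndc_t hunk adds the same call with no denial shown for ndc_t at all. It would help to confirm that the interface's permission set matches what named actually exercises and to state in the commit message where the ndc_t requirement comes from, since the description only evidences named. io_uring support in named is presumably optional (it appears to arrive via the syscall path rather than a configured feature), so gating the call behind a tunable that lets administrators keep io_uring denied when it is not needed may be worth considering — verify against how other modules in this policy handle io_uring. The second hunk's final lines fall outside this excerpt.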