From 48d925e070b0e2906334d013ad32b31e65f885e2ef18ed2446f582ef34dd3f85 Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Wed, 14 Dec 2022 15:43:48 +0000
Subject: [PATCH] Accepting request 1042948 from home:jsegitz:branches:security:SELinux

- Add fix_sendmail.patch
 * fix context of custom sendmail startup helper
 * fix context of /var/run/sendmail and add necessary rules to manage content in there

OBS-URL: https://build.opensuse.org/request/show/1042948
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=163
---
 fix_sendmail.patch | 32 ++++++++++++++++++++++++++++++++
 selinux-policy.changes | 8 ++++++++
 selinux-policy.spec | 1 +
 3 files changed, 41 insertions(+)
 create mode 100644 fix_sendmail.patch

diff --git a/fix_sendmail.patch b/fix_sendmail.patch
new file mode 100644
index 0000000..c3fbc09
--- /dev/null
+++ b/fix_sendmail.patch
@@ -0,0 +1,32 @@
+Index: fedora-policy-20221019/policy/modules/contrib/sendmail.fc
+===================================================================
+--- fedora-policy-20221019.orig/policy/modules/contrib/sendmail.fc
++++ fedora-policy-20221019/policy/modules/contrib/sendmail.fc
+@@ -1,8 +1,9 @@
+ 
+ /etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
++/etc/mail/system/sm-client.pre -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
+ 
+ /var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0)
+ /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
+ 
+-/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
++/var/run/sendmail(/.*)? gen_context(system_u:object_r:sendmail_var_run_t,s0)
+ /var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+Index: fedora-policy-20221019/policy/modules/contrib/sendmail.te
+===================================================================
+--- fedora-policy-20221019.orig/policy/modules/contrib/sendmail.te
++++ fedora-policy-20221019/policy/modules/contrib/sendmail.te
+@@ -60,8 +60,10 @@ manage_dirs_pattern(sendmail_t, sendmail
+ manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
+ files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
+ 
+-allow sendmail_t sendmail_var_run_t:file manage_file_perms;
+-files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
++manage_dirs_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
++manage_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
++manage_sock_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
++files_pid_filetrans(sendmail_t, sendmail_var_run_t, { file dir })
+ 
+ kernel_read_network_state(sendmail_t)
+ kernel_read_kernel_sysctls(sendmail_t)
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 2703849..0b441ea 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
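Review bot: In the sendmail.fc part of the new patch the `/var/run/sendmail\.pid --` entry is replaced rather than supplemented by `/var/run/sendmail(/.*)?`, and that pattern does not match `sendmail.pid` (after `sendmail` it only admits a `/` or the end of the path), so if the daemon still writes `/var/run/sendmail.pid` it gets `sendmail_var_run_t` only through the new `files_pid_filetrans(... { file dir })` transition and a `restorecon` would reset it to the default `var_run_t`. Keeping `/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)` next to the new directory pattern removes that dependence on the transition rule. The new `/etc/mail/system/sm-client.pre` entry also leaves its dot unescaped, unlike `sm-client\.pid` and `sendmail\.st` in the same file; `sm-client\.pre` follows the file's convention and avoids matching a one-character wildcard. In the sendmail.te part, the `dir` transition in `files_pid_filetrans` carries no name filter, so any directory sendmail_t creates under `/var/run` is labeled `sendmail_var_run_t`; if the Fedora interface accepts the optional filename argument, `files_pid_filetrans(sendmail_t, sendmail_var_run_t, dir, "sendmail")` would confine that to `/var/run/sendmail`.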
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Dec 14 09:16:26 UTC 2022 - Johannes Segitz
+
+- Add fix_sendmail.patch
+ * fix context of custom sendmail startup helper
+ * fix context of /var/run/sendmail and add necessary rules to manage
+ content in there
+
 -------------------------------------------------------------------
 Tue Dec 13 08:36:01 UTC 2022 - Johannes Segitz
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5da319d..f27b5e0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -146,6 +146,7 @@ Patch061: fix_userdomain.patch
 Patch062: fix_cloudform.patch
 Patch063: fix_alsa.patch
 Patch064: dontaudit_interface_kmod_tmpfs.patch
+Patch065: fix_sendmail.patch
 Patch100: sedoctool.patch