Accepting request 914043 from home:akedroutek:branches:security:SELinux

- Added policy module for rebootmgr (jsc#SMO-28)

OBS-URL: https://build.opensuse.org/request/show/914043
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=116

modules-minimum-base.conf

@@ -412,4 +412,3 @@ packagekit = module
 # Name service cache daemon
 # 
 nscd = module
-

modules-targeted-base.conf

@@ -412,3 +412,10 @@ rtorrent = module
 # Policy for wicked
 #
 wicked = module
+
+# Layer: system
+# Module: rebootmgr
+#
+# Policy for rebootmgr
+#
+rebootmgr = module

rebootmgr.fc

@@ -0,0 +1 @@
+/usr/sbin/rebootmgrd		--	gen_context(system_u:object_r:rebootmgr_exec_t,s0)

rebootmgr.if

@@ -0,0 +1,61 @@
+
+## <summary>policy for rebootmgr</summary>
+
+########################################
+## <summary>
+##	Execute rebootmgr_exec_t in the rebootmgr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rebootmgr_domtrans',`
+	gen_require(`
+		type rebootmgr_t, rebootmgr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, rebootmgr_exec_t, rebootmgr_t)
+')
+
+######################################
+## <summary>
+##	Execute rebootmgr in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rebootmgr_exec',`
+	gen_require(`
+		type rebootmgr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, rebootmgr_exec_t)
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	rebootmgr over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rebootmgr_dbus_chat',`
+	gen_require(`
+		type rebootmgr_t;
+		class dbus send_msg;
+	')
+
+	allow $1 rebootmgr_t:dbus send_msg;
+	allow rebootmgr_t $1:dbus send_msg;
+')

rebootmgr.te

@@ -0,0 +1,33 @@
+policy_module(rebootmgr, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rebootmgr_t;
+type rebootmgr_exec_t;
+init_daemon_domain(rebootmgr_t, rebootmgr_exec_t)
+
+permissive rebootmgr_t;
+
+########################################
+#
+# rebootmgr local policy
+#
+allow rebootmgr_t self:process { fork };
+allow rebootmgr_t self:fifo_file rw_fifo_file_perms;
+allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(rebootmgr_t)
+
+files_read_etc_files(rebootmgr_t)
+
+logging_send_syslog_msg(rebootmgr_t)
+
+miscfiles_read_localization(rebootmgr_t)
+
+optional_policy(`
+	dbus_system_bus_client(rebootmgr_t)
+	dbus_connect_system_bus(rebootmgr_t)
+')

selinux-policy.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Aug 23 15:43:28 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>
+
+- Added policy module for rebootmgr (jsc#SMO-28) 
+
 -------------------------------------------------------------------
 Tue Aug 17 16:03:08 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
 

selinux-policy.spec

@@ -81,6 +81,9 @@ Source125:      rtorrent.fc
 Source126:      wicked.te
 Source127:      wicked.if
 Source128:      wicked.fc
+Source129:      rebootmgr.te
+Source130:      rebootmgr.if
+Source131:      rebootmgr.fc
 
 Patch001:       fix_djbdns.patch
 Patch002:       fix_dbus.patch
@@ -422,7 +425,7 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15}
  cp $i selinux_config
 done
 
-for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do
+for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do
  cp $i policy/modules/contrib
 done