c4556003bf
- Update to version 20230125. Refreshed:
* distro_suse_to_distro_redhat.patch
* fix_dnsmasq.patch
* fix_init.patch
* fix_ipsec.patch
* fix_kernel_sysctl.patch
* fix_logging.patch
* fix_rpm.patch
* fix_selinuxutil.patch
* fix_systemd_watch.patch
* fix_userdomain.patch
- More flexible lib(exec) matching in fix_fwupd.patch
- Removed sys_admin for systemd_gpt_generator_t in fix_systemd.patch
- Dropped fix_container.patch, is now upstream
- Added fix_entropyd.patch
* Added new interface entropyd_semaphore_filetrans to properly transfer
semaphore created during early boot. That doesn't work yet, so work
around with next item
* Allow reading tempfs files
- Added fix_kernel.patch. Added modutils_execute_kmod_tmpfs_files interace
to allow kmod_tmpfs_t files to be executed. Necessary for firewalld
- Added fix_rtkit.patch to fix labeling of binary
- Modified fix_ntp.patch:
* Proper labeling for start-ntpd
* Fixed label rules for chroot path
* Temporarily allow dac_override for ntpd_t (bsc#1207577)
* Add interface ntp_manage_pid_files to allow management of pid
files
- Updated fix_networkmanager.patch to allow managing ntp pid files
OBS-URL: https://build.opensuse.org/request/show/1061575
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=171
132 lines
5.1 KiB
Diff
132 lines
5.1 KiB
Diff
Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.te
|
|
===================================================================
|
|
--- fedora-policy-20230125.orig/policy/modules/contrib/networkmanager.te
|
|
+++ fedora-policy-20230125/policy/modules/contrib/networkmanager.te
|
|
@@ -260,6 +260,7 @@ sysnet_search_dhcp_state(NetworkManager_
|
|
sysnet_manage_config(NetworkManager_t)
|
|
sysnet_filetrans_named_content(NetworkManager_t)
|
|
sysnet_filetrans_net_conf(NetworkManager_t)
|
|
+sysnet_watch_config(NetworkManager_t)
|
|
|
|
systemd_login_watch_pid_dirs(NetworkManager_t)
|
|
systemd_login_watch_session_dirs(NetworkManager_t)
|
|
@@ -276,6 +277,9 @@ userdom_read_home_certs(NetworkManager_t
|
|
userdom_read_user_home_content_files(NetworkManager_t)
|
|
userdom_dgram_send(NetworkManager_t)
|
|
|
|
+hostname_exec(NetworkManager_t)
|
|
+networkmanager_systemctl(NetworkManager_t)
|
|
+
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
fs_read_nfs_files(NetworkManager_t)
|
|
')
|
|
@@ -285,6 +289,14 @@ tunable_policy(`use_samba_home_dirs',`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ ntp_manage_pid_files(NetworkManager_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ nis_systemctl_ypbind(NetworkManager_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
avahi_domtrans(NetworkManager_t)
|
|
avahi_kill(NetworkManager_t)
|
|
avahi_signal(NetworkManager_t)
|
|
@@ -293,6 +305,14 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ packagekit_dbus_chat(NetworkManager_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ networkmanager_dbus_chat(NetworkManager_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
bind_domtrans(NetworkManager_t)
|
|
bind_manage_cache(NetworkManager_t)
|
|
bind_kill(NetworkManager_t)
|
|
@@ -420,6 +440,8 @@ optional_policy(`
|
|
nscd_kill(NetworkManager_t)
|
|
nscd_initrc_domtrans(NetworkManager_t)
|
|
nscd_systemctl(NetworkManager_t)
|
|
+ nscd_socket_use(NetworkManager_dispatcher_tlp_t)
|
|
+ nscd_socket_use(NetworkManager_dispatcher_custom_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -607,6 +629,7 @@ files_manage_etc_files(NetworkManager_di
|
|
|
|
init_status(NetworkManager_dispatcher_cloud_t)
|
|
init_status(NetworkManager_dispatcher_ddclient_t)
|
|
+init_status(NetworkManager_dispatcher_custom_t)
|
|
init_append_stream_sockets(networkmanager_dispatcher_plugin)
|
|
init_ioctl_stream_sockets(networkmanager_dispatcher_plugin)
|
|
init_stream_connect(networkmanager_dispatcher_plugin)
|
|
@@ -622,6 +645,10 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ nscd_shm_use(NetworkManager_dispatcher_chronyc_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
cloudform_init_domtrans(NetworkManager_dispatcher_cloud_t)
|
|
')
|
|
|
|
Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.if
|
|
===================================================================
|
|
--- fedora-policy-20230125.orig/policy/modules/contrib/networkmanager.if
|
|
+++ fedora-policy-20230125/policy/modules/contrib/networkmanager.if
|
|
@@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran
|
|
init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
|
|
')
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow reading of NetworkManager link files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to read the links
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`networkmanager_initrc_read_lnk_files',`
|
|
+ gen_require(`
|
|
+ type NetworkManager_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ read_lnk_files_pattern($1, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## Execute NetworkManager server in the NetworkManager domain.
|
|
Index: fedora-policy-20230125/policy/modules/contrib/networkmanager.fc
|
|
===================================================================
|
|
--- fedora-policy-20230125.orig/policy/modules/contrib/networkmanager.fc
|
|
+++ fedora-policy-20230125/policy/modules/contrib/networkmanager.fc
|
|
@@ -24,6 +24,7 @@
|
|
/usr/lib/NetworkManager/dispatcher\.d/04-iscsi -- gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0)
|
|
/usr/lib/NetworkManager/dispatcher\.d/10-sendmail -- gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0)
|
|
/usr/lib/NetworkManager/dispatcher\.d/11-dhclient -- gen_context(system_u:object_r:NetworkManager_dispatcher_dhclient_script_t,s0)
|
|
+/usr/lib/NetworkManager/dispatcher\.d/20-chrony -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
|
|
/usr/lib/NetworkManager/dispatcher\.d/20-chrony-dhcp -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
|
|
/usr/lib/NetworkManager/dispatcher\.d/20-chrony-onoffline -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
|
|
/usr/lib/NetworkManager/dispatcher\.d/30-winbind -- gen_context(system_u:object_r:NetworkManager_dispatcher_winbind_script_t,s0)
|
|
@@ -37,6 +38,9 @@
|
|
|
|
/usr/libexec/nm-dispatcher -- gen_context(system_u:object_r:NetworkManager_dispatcher_exec_t,s0)
|
|
/usr/libexec/nm-priv-helper -- gen_context(system_u:object_r:NetworkManager_priv_helper_exec_t,s0)
|
|
+# bsc#1206355
|
|
+/usr/lib/nm-dispatcher -- gen_context(system_u:object_r:NetworkManager_dispatcher_exec_t,s0)
|
|
+/usr/lib/nm-priv-helper -- gen_context(system_u:object_r:NetworkManager_priv_helper_exec_t,s0)
|
|
|
|
/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
|
/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
|