diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf
index f5bcc4c..3c380c0 100644
--- a/modules-targeted-base.conf
+++ b/modules-targeted-base.conf
@@ -412,3 +412,10 @@ rtorrent = module
 # Policy for wicked
 #
 wicked = module
+
+# Layer: contrib
+# Module: tabrmd
+#
+# Policy for tabrmd
+#
+tabrmd = module
diff --git a/selinux-policy.changes b/selinux-policy.changes
index bdbda71..b4cf233 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Jul 6 13:55:19 UTC 2021 - Alberto Planas Dominguez
+
+- Add tabrmd SELinux modules from upstream (bsc#1187925)
+ https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux
+- Automatic spec-cleaner to fix ordering and misaligned spaces
+
 -------------------------------------------------------------------
 Tue May 18 11:10:59 UTC 2021 - Ludwig Nussel
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f3168b3..4687a5f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -81,6 +81,9 @@ Source125: rtorrent.fc
 Source126: wicked.te
 Source127: wicked.if
 Source128: wicked.fc
+Source129: tabrmd.te
+Source130: tabrmd.if
+Source131: tabrmd.fc
 Patch001: fix_djbdns.patch
 Patch002: fix_dbus.patch
@@ -156,8 +159,8 @@ Recommends: audit
 Recommends: selinux-tools
 # for audit2allow
 Recommends: python3-policycoreutils
-Recommends: policycoreutils-python-utils
 Recommends: container-selinux
+Recommends: policycoreutils-python-utils
 Recommends: selinux-autorelabel
 %define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
@@ -366,7 +369,7 @@ creating other policies.
 %package sandbox
 Summary: SELinux policy sandbox
 Group: System/Management
-Requires(pre): selinux-policy-targeted = %{version}-%{release}
+Requires(pre): selinux-policy-targeted = %{version}-%{release}
 %description sandbox
 SELinux sandbox policy used for the policycoreutils-sandbox package
@@ -421,7 +424,7 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15}
 cp $i selinux_config
 done
-for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do
+for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do
 cp $i policy/modules/contrib
 done
diff --git a/tabrmd.fc b/tabrmd.fc
new file mode 100644
index 0000000..9f9ec1e
--- /dev/null
+++ b/tabrmd.fc
@@ -0,0 +1,2 @@
+/usr/sbin/tpm2-abrmd -- gen_context(system_u:object_r:tabrmd_exec_t,s0)
+/usr/local/sbin/tpm2-abrmd -- gen_context(system_u:object_r:tabrmd_exec_t,s0)
diff --git a/tabrmd.if b/tabrmd.if
new file mode 100644
index 0000000..5846dc1
--- /dev/null
+++ b/tabrmd.if
@@ -0,0 +1 @@
+##
diff --git a/tabrmd.te b/tabrmd.te
new file mode 100644
index 0000000..b0f8af4
--- /dev/null
+++ b/tabrmd.te
@@ -0,0 +1,29 @@
+policy_module(tabrmd, 0.0.2)
+
+########################################
+#
+# Declarations
+#
+
+gen_tunable(`tabrmd_connect_all_unreserved', false)
+
+type tabrmd_t;
+type tabrmd_exec_t;
+init_daemon_domain(tabrmd_t, tabrmd_exec_t)
+
+allow tabrmd_t self:unix_dgram_socket { create_socket_perms };
+
+dev_rw_tpm(tabrmd_t)
+logging_send_syslog_msg(tabrmd_t)
+sysnet_dns_name_resolve(tabrmd_t)
+
+optional_policy(`
+ dbus_stub()
+ dbus_system_domain(tabrmd_t, tabrmd_exec_t)
+ allow system_dbusd_t tabrmd_t:unix_stream_socket rw_stream_socket_perms;
+ fwupd_dbus_chat(tabrmd_t)
+')
+
+tunable_policy(`tabrmd_connect_all_unreserved',`
+ corenet_tcp_connect_all_unreserved_ports(tabrmd_t)
+')
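Review bot: In tabrmd.te, `fwupd_dbus_chat(tabrmd_t)` shares one `optional_policy` block with `dbus_system_domain` and the `system_dbusd_t` socket rule, and an optional block is dropped as a whole when any type it requires is unavailable, so a policy built without the fwupd module would silently lose tabrmd's D-Bus rules as well. Nest the fwupd call in its own `optional_policy` inside the D-Bus block. Separately, `sysnet_dns_name_resolve(tabrmd_t)` is granted unconditionally although the only outbound connection visible in this file is gated by `tabrmd_connect_all_unreserved`; if name resolution is only needed for that TCP path (worth confirming against the daemon), move it into the `tunable_policy` block so the default TPM broker domain carries no network permissions. The tunable also has no `## <desc>` block in the visible lines, so its purpose is undocumented for administrators.

```selinux
optional_policy(`
	# … unchanged: dbus_stub, dbus_system_domain, system_dbusd_t socket rule …

	optional_policy(`
		fwupd_dbus_chat(tabrmd_t)
	')
')

tunable_policy(`tabrmd_connect_all_unreserved',`
	sysnet_dns_name_resolve(tabrmd_t)
	# … unchanged: corenet_tcp_connect_all_unreserved_ports …
')
```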