
Accepting request 904546 from home:aplanas:branches:security:SELinux

- Add tabrmd SELinux modules from upstream (bsc#1187925)
  https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux
- Automatic spec-cleaner to fix ordering and misaligned spaces

OBS-URL: https://build.opensuse.org/request/show/904546
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=112
Johannes Segitz 2021-07-08 09:30:22 +00:00 committed by Git OBS Bridge
parent 4cc65efd18
commit 0b03ae6097
6 changed files with 52 additions and 3 deletions


@ -412,3 +412,10 @@ rtorrent = module
# Policy for wicked # Policy for wicked
# #
wicked = module wicked = module
# Layer: contrib
# Module: tabrmd
#
# Policy for tabrmd
#
tabrmd = module


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Jul 6 13:55:19 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
- Add tabrmd SELinux modules from upstream (bsc#1187925)
https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux
- Automatic spec-cleaner to fix ordering and misaligned spaces
------------------------------------------------------------------- -------------------------------------------------------------------
Tue May 18 11:10:59 UTC 2021 - Ludwig Nussel <lnussel@suse.de> Tue May 18 11:10:59 UTC 2021 - Ludwig Nussel <lnussel@suse.de>


@ -81,6 +81,9 @@ Source125: rtorrent.fc
Source126: wicked.te Source126: wicked.te
Source127: wicked.if Source127: wicked.if
Source128: wicked.fc Source128: wicked.fc
Source129: tabrmd.te
Source130: tabrmd.if
Source131: tabrmd.fc
Patch001: fix_djbdns.patch Patch001: fix_djbdns.patch
Patch002: fix_dbus.patch Patch002: fix_dbus.patch
@ -156,8 +159,8 @@ Recommends: audit
Recommends: selinux-tools Recommends: selinux-tools
# for audit2allow # for audit2allow
Recommends: python3-policycoreutils Recommends: python3-policycoreutils
Recommends: policycoreutils-python-utils
Recommends: container-selinux Recommends: container-selinux
Recommends: policycoreutils-python-utils
Recommends: selinux-autorelabel Recommends: selinux-autorelabel
%define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 %define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
@ -366,7 +369,7 @@ creating other policies.
%package sandbox %package sandbox
Summary: SELinux policy sandbox Summary: SELinux policy sandbox
Group: System/Management Group: System/Management
Requires(pre): selinux-policy-targeted = %{version}-%{release} Requires(pre): selinux-policy-targeted = %{version}-%{release}
%description sandbox %description sandbox
SELinux sandbox policy used for the policycoreutils-sandbox package SELinux sandbox policy used for the policycoreutils-sandbox package
@ -421,7 +424,7 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15}
cp $i selinux_config cp $i selinux_config
done done
for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do
cp $i policy/modules/contrib cp $i policy/modules/contrib
done done

2
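--- a/tabrmd.fc
+++ b/tabrmd.fc
@@ -0,0 +1,2 @@
+/usr/sbin/tpm2-abrmd -- gen_context(system_u:object_r:tabrmd_exec_t,s0)
+/usr/local/sbin/tpm2-abrmd -- gen_context(system_u:object_r:tabrmd_exec_t,s0)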
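Review bot: The second entry labels `/usr/local/sbin/tpm2-abrmd` as `tabrmd_exec_t`, a path that a distribution package presumably does not install. Since tabrmd.te makes `tabrmd_exec_t` the entrypoint of a daemon domain with `dev_rw_tpm`, any file relabelled at that location becomes a way into a domain that can talk to the TPM. If the entry is kept only for parity with upstream, a one-line comment above it saying so would help; otherwise the context list could be limited to `/usr/sbin/tpm2-abrmd`.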

1
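--- a/tabrmd.if
+++ b/tabrmd.if
@@ -0,0 +1 @@
+## <summary></summary>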
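Review bot: The module summary is left empty, so generated policy documentation will show nothing for tabrmd; something like `## <summary>TPM2 access broker and resource manager daemon (tpm2-abrmd)</summary>` would fill it. The file also exports no interfaces, so other domains that need to reach the daemon over D-Bus would have to reference `tabrmd_t` directly. That may be intentional for a first import from upstream, but it is worth stating in the changelog if so.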

29
tabrmd.te Normal file

@ -0,0 +1,29 @@
policy_module(tabrmd, 0.0.2)
########################################
#
# Declarations
#
gen_tunable(`tabrmd_connect_all_unreserved', false)
type tabrmd_t;
type tabrmd_exec_t;
init_daemon_domain(tabrmd_t, tabrmd_exec_t)
allow tabrmd_t self:unix_dgram_socket { create_socket_perms };
dev_rw_tpm(tabrmd_t)
logging_send_syslog_msg(tabrmd_t)
sysnet_dns_name_resolve(tabrmd_t)
optional_policy(`
dbus_stub()
dbus_system_domain(tabrmd_t, tabrmd_exec_t)
allow system_dbusd_t tabrmd_t:unix_stream_socket rw_stream_socket_perms;
fwupd_dbus_chat(tabrmd_t)
')
tunable_policy(`tabrmd_connect_all_unreserved',`
corenet_tcp_connect_all_unreserved_ports(tabrmd_t)
')
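Review bot: `fwupd_dbus_chat(tabrmd_t)` sits in the same optional_policy block as `dbus_stub()` and `dbus_system_domain(tabrmd_t, tabrmd_exec_t)`, so a policy built without the fwupd module would disable the whole block and with it the daemon's own D-Bus rules; wrapping the fwupd call in its own nested optional_policy keeps the two independent. Separately, `sysnet_dns_name_resolve(tabrmd_t)` is granted unconditionally although the only visible network permission, `corenet_tcp_connect_all_unreserved_ports(tabrmd_t)`, is behind the default-off `tabrmd_connect_all_unreserved` tunable. For a domain that holds `dev_rw_tpm`, it is worth confirming that the daemon needs name resolution in its default configuration. The `gen_tunable` line also has no `## <desc>` comment describing what enabling it permits.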