From 9deff280f872fb31a335bd56e32840c2502b9b149a368096bd1e46bc667edbf7 Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Tue, 13 Dec 2022 09:20:16 +0000
Subject: [PATCH] Accepting request 1042579 from home:jsegitz:branches:security:SELinux

- Updated fix_networkmanager.patch to fixe labeling of nm-dispatcher and nm-priv-helper until the packaging is adjusted (bsc#1206355)
- Update fix_chronyd.patch to allow sendto towards NetworkManager_dispatcher_custom_t. Added new interface networkmanager_dispatcher_custom_dgram_send for this (bsc#1206357)
- Update fix_dbus.patch to allow dbus to watch lib directories (bsc#1205895)
- Updated fix_networkmanager.patch to allow NetworkManager to watch net_conf_t (bsc#1206109)

OBS-URL: https://build.opensuse.org/request/show/1042579
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=161
---
 fix_chronyd.patch | 30 +++++++++++++++++++++++++++++-
 fix_dbus.patch | 15 ++++++++++++---
 fix_networkmanager.patch | 30 ++++++++++++++++++++++++------
 selinux-policy.changes | 16 ++++++++++++++++
 4 files changed, 81 insertions(+), 10 deletions(-)

diff --git a/fix_chronyd.patch b/fix_chronyd.patch
index beabc0d..1ea9a55 100644
--- a/fix_chronyd.patch
+++ b/fix_chronyd.patch
@@ -2,11 +2,12 @@ Index: fedora-policy-20221019/policy/modules/contrib/chronyd.te
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.te
 +++ fedora-policy-20221019/policy/modules/contrib/chronyd.te
-@@ -144,6 +144,14 @@ systemd_exec_systemctl(chronyd_t)
+@@ -144,6 +144,15 @@ systemd_exec_systemctl(chronyd_t)
 userdom_dgram_send(chronyd_t)
 
 optional_policy(`
+ networkmanager_read_pid_files(chronyd_t)
++ networkmanager_dispatcher_custom_dgram_send(chronyd_t)
+')
+
+optional_policy(`
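Review bot: The new `networkmanager_dispatcher_custom_dgram_send(chronyd_t)` line carries no reference to the bug it resolves, while the dbus.te and networkmanager.fc hunks in this same commit annotate their additions with `# bsc#...` comments; add `# bsc#1206357` above it so the grant can be traced when the interface is revisited. The same applies to `sysnet_watch_config(NetworkManager_t)` in the first networkmanager.te hunk, which the commit message ties to bsc#1206109 but the hunk does not. The `optional_policy(` block opened on the hunk's last line continues outside the hunk.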
@@ -30,3 +31,30 @@ Index: fedora-policy-20221019/policy/modules/contrib/chronyd.fc
 /usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0)
+Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if
+===================================================================
+--- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.if
++++ fedora-policy-20221019/policy/modules/contrib/networkmanager.if
+@@ -684,3 +684,22 @@ template(`networkmanager_dispatcher_plug
+ 
+ domtrans_pattern(NetworkManager_dispatcher_t, NetworkManager_dispatcher_$1_script_t, NetworkManager_dispatcher_$1_t)
+ ')
++
++########################################
++##
++## Send a message to NetworkManager_dispatcher_custom
++## over a unix domain datagram socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`networkmanager_dispatcher_custom_dgram_send',`
++ gen_require(`
++ type NetworkManager_dispatcher_custom_t;
++ ')
++
++ allow $1 NetworkManager_dispatcher_custom_t:unix_dgram_socket sendto;
++')
diff --git a/fix_dbus.patch b/fix_dbus.patch
index 64ab643..00440bd 100644
--- a/fix_dbus.patch
+++ b/fix_dbus.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20211111/policy/modules/contrib/dbus.te
+Index: fedora-policy-20221019/policy/modules/contrib/dbus.te
 ===================================================================
---- fedora-policy-20211111.orig/policy/modules/contrib/dbus.te
-+++ fedora-policy-20211111/policy/modules/contrib/dbus.te
+--- fedora-policy-20221019.orig/policy/modules/contrib/dbus.te
++++ fedora-policy-20221019/policy/modules/contrib/dbus.te
 @@ -81,6 +81,7 @@ manage_dirs_pattern(system_dbusd_t, syst
 manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
 manage_sock_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
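Review bot: The new `networkmanager_dispatcher_custom_dgram_send` interface is added to networkmanager.if through fix_chronyd.patch, so two patch files (this one and fix_networkmanager.patch) now carry changes to the networkmanager module; keeping the interface in fix_networkmanager.patch would avoid the two patches conflicting the next time either of them touches that module. The `##` documentation lines of the interface show no `<summary>`/`<param name="domain">` tags in this rendering; if they were genuinely dropped rather than stripped by the page, the interface is undocumented for the policy's XML documentation build, so confirm the tags are present in the actual patch. The rule itself, `allow $1 NetworkManager_dispatcher_custom_t:unix_dgram_socket sendto;`, is the minimal sendto-only grant, which is the right scope for a reply over a datagram socket.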
@@ -10,3 +10,12 @@ Index: fedora-policy-20211111/policy/modules/contrib/dbus.te
 manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
 manage_dirs_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
 
+@@ -109,6 +110,8 @@ files_read_var_lib_symlinks(system_dbusd
+ files_rw_inherited_non_security_files(system_dbusd_t)
+ files_watch_usr_dirs(system_dbusd_t)
+ files_watch_var_lib_dirs(system_dbusd_t)
++# bsc#1205895
++files_watch_lib_dirs(system_dbusd_t)
+ 
+ fs_getattr_all_fs(system_dbusd_t)
+ fs_search_auto_mountpoints(system_dbusd_t)
diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch
index 91a7087..85dc9f3 100644
--- a/fix_networkmanager.patch
+++ b/fix_networkmanager.patch
@@ -2,7 +2,15 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.te
 +++ fedora-policy-20221019/policy/modules/contrib/networkmanager.te
-@@ -275,6 +275,9 @@ userdom_read_home_certs(NetworkManager_t
+@@ -259,6 +259,7 @@ sysnet_search_dhcp_state(NetworkManager_
+ sysnet_manage_config(NetworkManager_t)
+ sysnet_filetrans_named_content(NetworkManager_t)
+ sysnet_filetrans_net_conf(NetworkManager_t)
++sysnet_watch_config(NetworkManager_t)
+ 
+ systemd_login_watch_pid_dirs(NetworkManager_t)
+ systemd_login_watch_session_dirs(NetworkManager_t)
+@@ -275,6 +276,9 @@ userdom_read_home_certs(NetworkManager_t
 userdom_read_user_home_content_files(NetworkManager_t)
 userdom_dgram_send(NetworkManager_t)
 
@@ -12,7 +20,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
 tunable_policy(`use_nfs_home_dirs',`
 fs_read_nfs_files(NetworkManager_t)
 ')
-@@ -284,6 +287,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -284,6 +288,10 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
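Review bot: The comment `# bsc#1205895` above `files_watch_lib_dirs(system_dbusd_t)` records only the bug number, so a maintainer cannot tell from the policy which lib_t directory dbus-daemon watches or whether the grant is still needed; extend it to name the trigger, e.g. `# bsc#1205895: dbus-daemon sets an inotify watch on a lib_t directory (record the path from the denial)`. A watch permission on all lib directories widens system_dbusd_t slightly, and documenting the concrete path is what keeps that grant reviewable later.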
@@ -23,7 +31,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
 avahi_domtrans(NetworkManager_t)
 avahi_kill(NetworkManager_t)
 avahi_signal(NetworkManager_t)
-@@ -292,6 +299,14 @@ optional_policy(`
+@@ -292,6 +300,14 @@ optional_policy(`
 ')
 
 optional_policy(`
@@ -38,7 +46,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
 bind_domtrans(NetworkManager_t)
 bind_manage_cache(NetworkManager_t)
 bind_kill(NetworkManager_t)
-@@ -419,6 +434,8 @@ optional_policy(`
+@@ -419,6 +435,8 @@ optional_policy(`
 nscd_kill(NetworkManager_t)
 nscd_initrc_domtrans(NetworkManager_t)
 nscd_systemctl(NetworkManager_t)
@@ -47,7 +55,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
 ')
 
 optional_policy(`
-@@ -606,6 +623,7 @@ files_manage_etc_files(NetworkManager_di
+@@ -606,6 +624,7 @@ files_manage_etc_files(NetworkManager_di
 init_status(NetworkManager_dispatcher_cloud_t)
 init_status(NetworkManager_dispatcher_ddclient_t)
 
@@ -55,7 +63,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
 init_append_stream_sockets(networkmanager_dispatcher_plugin)
 init_ioctl_stream_sockets(networkmanager_dispatcher_plugin)
 init_stream_connect(networkmanager_dispatcher_plugin)
-@@ -621,6 +639,10 @@ optional_policy(`
+@@ -621,6 +640,10 @@ optional_policy(`
 ')
 
 optional_policy(`
@@ -107,3 +115,13 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.fc
 /usr/lib/NetworkManager/dispatcher\.d/20-chrony-dhcp -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
 /usr/lib/NetworkManager/dispatcher\.d/20-chrony-onoffline -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
 /usr/lib/NetworkManager/dispatcher\.d/30-winbind -- gen_context(system_u:object_r:NetworkManager_dispatcher_winbind_script_t,s0)
+@@ -37,6 +38,9 @@
+ 
+ /usr/libexec/nm-dispatcher -- gen_context(system_u:object_r:NetworkManager_dispatcher_exec_t,s0)
+ /usr/libexec/nm-priv-helper -- gen_context(system_u:object_r:NetworkManager_priv_helper_exec_t,s0)
++# bsc#1206355
++/usr/lib/nm-dispatcher -- gen_context(system_u:object_r:NetworkManager_dispatcher_exec_t,s0)
++/usr/lib/nm-priv-helper -- gen_context(system_u:object_r:NetworkManager_priv_helper_exec_t,s0)
+ 
+ /usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+ /usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
diff --git a/selinux-policy.changes b/selinux-policy.changes
index d6c8d64..2703849 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
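Review bot: The two new `/usr/lib/nm-dispatcher` and `/usr/lib/nm-priv-helper` entries are described in the commit message as a stopgap until the packaging is adjusted, but the `# bsc#1206355` comment in the hunk does not say so, so nothing marks them for removal once the binaries are installed under /usr/libexec again; rewrite it as `# bsc#1206355: temporary until packaging installs these under /usr/libexec again, drop afterwards`. The labels mirror the existing libexec entries, so the same exec types apply at either path and the entries are harmless while they stay.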
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Tue Dec 13 08:36:01 UTC 2022 - Johannes Segitz
+
+- Updated fix_networkmanager.patch to fixe labeling of nm-dispatcher and
+ nm-priv-helper until the packaging is adjusted (bsc#1206355)
+- Update fix_chronyd.patch to allow sendto towards
+ NetworkManager_dispatcher_custom_t. Added new interface
+ networkmanager_dispatcher_custom_dgram_send for this (bsc#1206357)
+- Update fix_dbus.patch to allow dbus to watch lib directories (bsc#1205895)
+
+-------------------------------------------------------------------
+Tue Dec 6 15:02:42 UTC 2022 - Johannes Segitz
+
+- Updated fix_networkmanager.patch to allow NetworkManager to watch
+ net_conf_t (bsc#1206109)
+
+-------------------------------------------------------------------
 Wed Nov 30 19:28:58 UTC 2022 - Filippo Bonazzi