Accepting request 1042580 from security:SELinux

OBS-URL: https://build.opensuse.org/request/show/1042580 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=39
2022-12-14 13:10:41 +00:00 · 2022-12-14 13:10:41 +00:00 · 0fe33074d8
commit 0fe33074d8
parent d47fb333dd 9deff280f8
4 changed files with 81 additions and 10 deletions
--- a/fix_chronyd.patch
+++ b/fix_chronyd.patch
@ -2,11 +2,12 @@ Index: fedora-policy-20221019/policy/modules/contrib/chronyd.te
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/contrib/chronyd.te
 +++ fedora-policy-20221019/policy/modules/contrib/chronyd.te
-@@ -144,6 +144,14 @@ systemd_exec_systemctl(chronyd_t)
+@@ -144,6 +144,15 @@ systemd_exec_systemctl(chronyd_t)
 userdom_dgram_send(chronyd_t)
 optional_policy(`
 +	networkmanager_read_pid_files(chronyd_t)
 +	networkmanager_dispatcher_custom_dgram_send(chronyd_t)
 +')
 +
 +optional_policy(`
@ -30,3 +31,30 @@ Index: fedora-policy-20221019/policy/modules/contrib/chronyd.fc
 /usr/bin/chronyc	--	gen_context(system_u:object_r:chronyc_exec_t,s0)
 Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.if
 +++ fedora-policy-20221019/policy/modules/contrib/networkmanager.if
@@ -684,3 +684,22 @@ template(`networkmanager_dispatcher_plug
 	domtrans_pattern(NetworkManager_dispatcher_t, NetworkManager_dispatcher_$1_script_t, NetworkManager_dispatcher_$1_t)
 ')
 +
 +########################################
 +## <summary>
 +##      Send a message to NetworkManager_dispatcher_custom
 +##      over a unix domain datagram socket.
 +## </summary>
 +## <param name="domain">
 +##      <summary>
 +##      Domain allowed access.
 +##      </summary>
 +## </param>
 +#
 +interface(`networkmanager_dispatcher_custom_dgram_send',`
 +        gen_require(`
 +                type NetworkManager_dispatcher_custom_t;
 +        ')
 +
 +        allow $1 NetworkManager_dispatcher_custom_t:unix_dgram_socket sendto;
 +')
--- a/fix_dbus.patch
+++ b/fix_dbus.patch
@ -1,7 +1,7 @@
-Index: fedora-policy-20211111/policy/modules/contrib/dbus.te
+Index: fedora-policy-20221019/policy/modules/contrib/dbus.te
 ===================================================================
--- fedora-policy-20211111.orig/policy/modules/contrib/dbus.te
+--- fedora-policy-20221019.orig/policy/modules/contrib/dbus.te
-+++ fedora-policy-20211111/policy/modules/contrib/dbus.te
+++ fedora-policy-20221019/policy/modules/contrib/dbus.te
@@ -81,6 +81,7 @@ manage_dirs_pattern(system_dbusd_t, syst
 manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
 manage_sock_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
@ -10,3 +10,12 @@ Index: fedora-policy-20211111/policy/modules/contrib/dbus.te
 manage_files_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
 manage_dirs_pattern(system_dbusd_t, system_dbusd_tmpfs_t, system_dbusd_tmpfs_t)
@@ -109,6 +110,8 @@ files_read_var_lib_symlinks(system_dbusd
 files_rw_inherited_non_security_files(system_dbusd_t)
 files_watch_usr_dirs(system_dbusd_t)
 files_watch_var_lib_dirs(system_dbusd_t)
 +# bsc#1205895
 +files_watch_lib_dirs(system_dbusd_t)
 fs_getattr_all_fs(system_dbusd_t)
 fs_search_auto_mountpoints(system_dbusd_t)
--- a/fix_networkmanager.patch
+++ b/fix_networkmanager.patch
@ -2,7 +2,15 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
 ===================================================================
 --- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.te
 +++ fedora-policy-20221019/policy/modules/contrib/networkmanager.te
-@@ -275,6 +275,9 @@ userdom_read_home_certs(NetworkManager_t
+@@ -259,6 +259,7 @@ sysnet_search_dhcp_state(NetworkManager_
 sysnet_manage_config(NetworkManager_t)
 sysnet_filetrans_named_content(NetworkManager_t)
 sysnet_filetrans_net_conf(NetworkManager_t)
 +sysnet_watch_config(NetworkManager_t)
 systemd_login_watch_pid_dirs(NetworkManager_t)
 systemd_login_watch_session_dirs(NetworkManager_t)
@@ -275,6 +276,9 @@ userdom_read_home_certs(NetworkManager_t
 userdom_read_user_home_content_files(NetworkManager_t)
 userdom_dgram_send(NetworkManager_t)
@ -12,7 +20,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
 tunable_policy(`use_nfs_home_dirs',`
     fs_read_nfs_files(NetworkManager_t)
 ')
-@@ -284,6 +287,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -284,6 +288,10 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 optional_policy(`
@ -23,7 +31,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
 	avahi_domtrans(NetworkManager_t)
 	avahi_kill(NetworkManager_t)
 	avahi_signal(NetworkManager_t)
-@@ -292,6 +299,14 @@ optional_policy(`
+@@ -292,6 +300,14 @@ optional_policy(`
 ')
 optional_policy(`
@ -38,7 +46,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
 	bind_domtrans(NetworkManager_t)
 	bind_manage_cache(NetworkManager_t)
 	bind_kill(NetworkManager_t)
-@@ -419,6 +434,8 @@ optional_policy(`
+@@ -419,6 +435,8 @@ optional_policy(`
 	nscd_kill(NetworkManager_t)
 	nscd_initrc_domtrans(NetworkManager_t)
 	nscd_systemctl(NetworkManager_t)
@ -47,7 +55,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
 ')
 optional_policy(`
-@@ -606,6 +623,7 @@ files_manage_etc_files(NetworkManager_di
+@@ -606,6 +624,7 @@ files_manage_etc_files(NetworkManager_di
 init_status(NetworkManager_dispatcher_cloud_t)
 init_status(NetworkManager_dispatcher_ddclient_t)
@ -55,7 +63,7 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
 init_append_stream_sockets(networkmanager_dispatcher_plugin)
 init_ioctl_stream_sockets(networkmanager_dispatcher_plugin)
 init_stream_connect(networkmanager_dispatcher_plugin)
-@@ -621,6 +639,10 @@ optional_policy(`
+@@ -621,6 +640,10 @@ optional_policy(`
 ')
 optional_policy(`
@ -107,3 +115,13 @@ Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.fc
 /usr/lib/NetworkManager/dispatcher\.d/20-chrony-dhcp	--	gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
 /usr/lib/NetworkManager/dispatcher\.d/20-chrony-onoffline	--	gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
 /usr/lib/NetworkManager/dispatcher\.d/30-winbind	--	gen_context(system_u:object_r:NetworkManager_dispatcher_winbind_script_t,s0)
@@ -37,6 +38,9 @@
 /usr/libexec/nm-dispatcher --	gen_context(system_u:object_r:NetworkManager_dispatcher_exec_t,s0)
 /usr/libexec/nm-priv-helper  -- gen_context(system_u:object_r:NetworkManager_priv_helper_exec_t,s0)
 +# bsc#1206355
 +/usr/lib/nm-dispatcher --	gen_context(system_u:object_r:NetworkManager_dispatcher_exec_t,s0)
 +/usr/lib/nm-priv-helper  -- gen_context(system_u:object_r:NetworkManager_priv_helper_exec_t,s0)
 /usr/bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 /usr/bin/wpa_cli	--	gen_context(system_u:object_r:wpa_cli_exec_t,s0)
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,3 +1,19 @@
 -------------------------------------------------------------------
 Tue Dec 13 08:36:01 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Updated fix_networkmanager.patch to fixe labeling of nm-dispatcher and
  nm-priv-helper until the packaging is adjusted (bsc#1206355)
 - Update fix_chronyd.patch to allow  sendto towards
  NetworkManager_dispatcher_custom_t. Added new interface
  networkmanager_dispatcher_custom_dgram_send for this (bsc#1206357)
 - Update fix_dbus.patch to allow dbus to watch lib directories (bsc#1205895)
 -------------------------------------------------------------------
 Tue Dec  6 15:02:42 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 - Updated fix_networkmanager.patch to allow NetworkManager to watch
  net_conf_t (bsc#1206109)
 -------------------------------------------------------------------
 Wed Nov 30 19:28:58 UTC 2022 - Filippo Bonazzi <filippo.bonazzi@suse.com>