diff --git a/fix_sendmail.patch b/fix_sendmail.patch
new file mode 100644
index 0000000..c3fbc09
--- /dev/null
+++ b/fix_sendmail.patch
@@ -0,0 +1,32 @@
+Index: fedora-policy-20221019/policy/modules/contrib/sendmail.fc
+===================================================================
+--- fedora-policy-20221019.orig/policy/modules/contrib/sendmail.fc
++++ fedora-policy-20221019/policy/modules/contrib/sendmail.fc
+@@ -1,8 +1,9 @@
+ 
+ /etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
++/etc/mail/system/sm-client.pre -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
+ 
+ /var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0)
+ /var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
+ 
+-/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
++/var/run/sendmail(/.*)? gen_context(system_u:object_r:sendmail_var_run_t,s0)
+ /var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+Index: fedora-policy-20221019/policy/modules/contrib/sendmail.te
+===================================================================
+--- fedora-policy-20221019.orig/policy/modules/contrib/sendmail.te
++++ fedora-policy-20221019/policy/modules/contrib/sendmail.te
+@@ -60,8 +60,10 @@ manage_dirs_pattern(sendmail_t, sendmail
+ manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
+ files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
+ 
+-allow sendmail_t sendmail_var_run_t:file manage_file_perms;
+-files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
++manage_dirs_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
++manage_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
++manage_sock_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
++files_pid_filetrans(sendmail_t, sendmail_var_run_t, { file dir })
+ 
+ kernel_read_network_state(sendmail_t)
+ kernel_read_kernel_sysctls(sendmail_t)
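Review bot: The new `/etc/mail/system/sm-client.pre` entry in the sendmail.fc hunk leaves its dot unescaped, unlike every neighbouring entry (`sendmail\.st`, `sm-client\.pid`); file-context paths are regexes, so it should read `/etc/mail/system/sm-client\.pre -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)`. The same hunk replaces `/var/run/sendmail\.pid` with `/var/run/sendmail(/.*)?`, and that pattern does not match `sendmail.pid` itself, so if the daemon still writes that file a relabel will reset it to the generic /var/run label; keep the `\.pid` line next to the new directory pattern unless the pid file has moved into the directory. In the sendmail.te hunk `manage_sock_files_pattern` is added but `files_pid_filetrans` names only `{ file dir }`, so a socket created directly in /var/run would not get `sendmail_var_run_t` — presumably fine if sockets are only created inside the labelled directory, but worth confirming.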
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 2703849..fe1e438 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Wed Dec 14 15:40:12 UTC 2022 - Hu
+
+- Added policy for wicked scripts under /etc/sysconfig/network/scripts
+ (bnc#1205770)
+
+-------------------------------------------------------------------
+Wed Dec 14 09:16:26 UTC 2022 - Johannes Segitz
+
+- Add fix_sendmail.patch
+ * fix context of custom sendmail startup helper
+ * fix context of /var/run/sendmail and add necessary rules to manage
+ content in there
+
 -------------------------------------------------------------------
 Tue Dec 13 08:36:01 UTC 2022 - Johannes Segitz
 
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5da319d..f27b5e0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -146,6 +146,7 @@ Patch061: fix_userdomain.patch
 Patch062: fix_cloudform.patch
 Patch063: fix_alsa.patch
 Patch064: dontaudit_interface_kmod_tmpfs.patch
+Patch065: fix_sendmail.patch
 
 Patch100: sedoctool.patch
 
diff --git a/wicked.fc b/wicked.fc
index 95a44f8..8b84838 100644
--- a/wicked.fc
+++ b/wicked.fc
@@ -45,3 +45,6 @@
 #/etc/dbus-1/system.d/org.opensuse.Network.Nanny.conf
 #/etc/dbus-1/system.d/org.opensuse.Network.conf
 
+/etc/sysconfig/network/scripts(/.*)? gen_context(system_u:object_r:wicked_script_t,s0)
+/etc/sysconfig/network/scripts/samba-winbindd -- gen_context(system_u:object_r:wicked_winbind_script_t,s0)
+/etc/sysconfig/network/scripts/dhcpd-restart-hook -- gen_context(system_u:object_r:wicked_dhcp_script_t,s0)
diff --git a/wicked.if b/wicked.if
index 313ff5e..0246cda 100644
--- a/wicked.if
+++ b/wicked.if
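Review bot: The catch-all `/etc/sysconfig/network/scripts(/.*)?` entry in the wicked.fc hunk makes every file an administrator drops into that directory an entrypoint for the generic wicked_custom_t domain (through the domtrans declared in wicked.te), while only the two named scripts get their dedicated domains; nothing in the file records that intent. A comment above the entry would save the next maintainer a trip to wicked.te, e.g. `# generic entrypoint: any other script under scripts/ runs as wicked_custom_t; add a dedicated entry below for scripts that need their own domain`. The named entries must stay exact paths with `--` so the more specific match keeps precedence over the regex, which the hunk currently does correctly.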
@@ -652,3 +652,27 @@ interface(`wicked_filetrans_named_content',`
 files_etc_filetrans($1, wicked_var_lib_t, file, "state-8.xml")
 files_etc_filetrans($1, wicked_var_lib_t, file, "state-9.xml")
 ')
+
+########################################
+##
+## Create a set of derived types for various wicked scripts
+##
+##
+##
+## The name to be used for deriving type names.
+##
+##
+#
+template(`wicked_script_template',`
+ gen_require(`
+ attribute wicked_plugin, wicked_script;
+ type wicked_t;
+ ')
+
+ type wicked_$1_t, wicked_plugin;
+ type wicked_$1_script_t, wicked_script;
+ application_domain(wicked_$1_t, wicked_$1_script_t)
+ role system_r types wicked_$1_t;
+
+ domtrans_pattern(wicked_t, wicked_$1_script_t, wicked_$1_t)
+')
diff --git a/wicked.te b/wicked.te
index a5f49ed..8747b97 100644
--- a/wicked.te
+++ b/wicked.te
@@ -33,6 +33,20 @@ files_type(wicked_var_lib_t)
 
 type wicked_var_run_t;
 files_pid_file(wicked_var_run_t)
+
+# Wicked scripts
+
+attribute wicked_plugin;
+attribute wicked_script;
+type wicked_script_t, wicked_script;
+type wicked_custom_t, wicked_plugin;
+role system_r types wicked_custom_t;
+application_domain(wicked_custom_t, wicked_script_t)
+domtrans_pattern(wicked_t, wicked_script_t, wicked_custom_t)
+
+wicked_script_template(winbind);
+wicked_script_template(dhcp);
+
 #type wpa_cli_t;
 #type wpa_cli_exec_t;
 #init_system_domain(wpa_cli_t, wpa_cli_exec_t)
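Review bot: The doc block on the new `wicked_script_template` names the parameter but never says what the template declares, and as shown here every `##` line around the summary and param text is bare, which looks like the `<summary>`/`<param>` tags were lost in rendering rather than in the source — worth checking, since the policy doc tooling depends on them. The summary should state the concrete outputs, e.g. `Declares the domain wicked_$1_t (attribute wicked_plugin), its entrypoint type wicked_$1_script_t (attribute wicked_script) and the transition from wicked_t`. The body mirrors the generic wicked_custom_t declarations in wicked.te line for line, so a change to one must be repeated in the other; a one-line comment cross-referencing the two would make that visible.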
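Review bot: The two calls `wicked_script_template(winbind);` and `wicked_script_template(dhcp);` end with a semicolon, whereas every other macro call in the file (`files_pid_file(...)`, `application_domain(...)`, `domtrans_pattern(...)`) does not; the template already expands to complete statements, so the `;` is at best inconsistent and should be dropped unless the build has been verified with it. The generic block (`wicked_script_t`, `wicked_custom_t`, the role line and the domtrans) is the fallback for scripts without a dedicated entry in wicked.fc, and a short comment saying so above `type wicked_custom_t, wicked_plugin;` would explain why it coexists with the templated types.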
@@ -240,6 +254,20 @@ wicked_systemctl(wicked_t)
 
 sysnet_manage_config_dirs(wicked_t)
+
+# Wicked scripts
+
+list_dirs_pattern(wicked_t, wicked_script_t, wicked_script)
+read_files_pattern(wicked_t, wicked_script_t, wicked_script)
+read_lnk_files_pattern(wicked_t, wicked_script_t, wicked_script)
+list_dirs_pattern(wicked_plugin, wicked_script_t, wicked_script_t)
+read_lnk_files_pattern(wicked_plugin, wicked_script_t, wicked_script)
+
+auth_read_passwd(wicked_plugin)
+
+corecmd_exec_bin(wicked_plugin)
+corecmd_exec_shell(wicked_winbind_t)
+
 #tunable_policy(`use_nfs_home_dirs',`
 # fs_read_nfs_files(wicked_t)
 #')
 
@@ -498,6 +526,26 @@ optional_policy(`
 networkmanager_dbus_chat(wicked_t)
 ')
+
+optional_policy(`
+ logging_send_syslog_msg(wicked_winbind_t)
+')
+
+optional_policy(`
+ sysnet_exec_ifconfig(wicked_plugin)
+ sysnet_read_config(wicked_plugin)
+')
+
+optional_policy(`
+ systemd_exec_systemctl(wicked_winbind_t)
+ systemd_exec_systemctl(wicked_dhcp_t)
+')
+
+optional_policy(`
+ samba_domtrans_smbcontrol(wicked_winbind_t)
+ samba_read_config(wicked_winbind_t)
+ samba_service_status(wicked_winbind_t)
+')
+
 #tunable_policy(`use_ecryptfs_home_dirs',`
 #fs_manage_ecryptfs_files(wicked_t)
 #')
 
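Review bot: `corecmd_exec_shell` is granted only to wicked_winbind_t, while wicked_dhcp_t and wicked_custom_t get just `corecmd_exec_bin`; if `dhcpd-restart-hook` or a custom script under scripts/ is a shell script, running its interpreter needs the shell executable type, which `corecmd_exec_bin` does not cover, and the transition would be denied at exec time. If those scripts are shell scripts, grant it on the attribute instead: `corecmd_exec_shell(wicked_plugin)`. Note also that wicked_plugin receives `list_dirs_pattern` and `read_lnk_files_pattern` on the script directory but no `read_files_pattern`, so a plugin cannot read or source a sibling script — fine if intentional, but a comment stating that would help.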
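Review bot: `systemd_exec_systemctl` on wicked_winbind_t and wicked_dhcp_t only allows executing the systemctl binary; if the hooks actually restart units, systemctl talks to PID 1 over D-Bus and the domains would additionally need the init interaction interface (e.g. `init_dbus_chat`) or the service-specific `*_systemctl` interface, the way `wicked_systemctl(wicked_t)` is used for wicked itself in the earlier hunk. Those denials only surface at runtime, so please confirm with a real restart in enforcing mode. The hunk also applies `sysnet_exec_ifconfig`/`sysnet_read_config` to the wicked_plugin attribute while the systemd and samba rules are per-type; if every plugin needs systemctl, `systemd_exec_systemctl(wicked_plugin)` would be the consistent form.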