Accepting request 1043074 from security:SELinux

OBS-URL: https://build.opensuse.org/request/show/1043074
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=40

fix_sendmail.patch

@@ -0,0 +1,32 @@
+Index: fedora-policy-20221019/policy/modules/contrib/sendmail.fc
+===================================================================
+--- fedora-policy-20221019.orig/policy/modules/contrib/sendmail.fc
++++ fedora-policy-20221019/policy/modules/contrib/sendmail.fc
+@@ -1,8 +1,9 @@
+ 
+ /etc/rc\.d/init\.d/sendmail --  gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
++/etc/mail/system/sm-client.pre --  gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
+ 
+ /var/log/sendmail\.st.*		--	gen_context(system_u:object_r:sendmail_log_t,s0)
+ /var/log/mail(/.*)?			gen_context(system_u:object_r:sendmail_log_t,s0)
+ 
+-/var/run/sendmail\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
++/var/run/sendmail(/.*)?                 gen_context(system_u:object_r:sendmail_var_run_t,s0)
+ /var/run/sm-client\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
+Index: fedora-policy-20221019/policy/modules/contrib/sendmail.te
+===================================================================
+--- fedora-policy-20221019.orig/policy/modules/contrib/sendmail.te
++++ fedora-policy-20221019/policy/modules/contrib/sendmail.te
+@@ -60,8 +60,10 @@ manage_dirs_pattern(sendmail_t, sendmail
+ manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
+ files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
+ 
+-allow sendmail_t sendmail_var_run_t:file manage_file_perms;
+-files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
++manage_dirs_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
++manage_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
++manage_sock_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
++files_pid_filetrans(sendmail_t, sendmail_var_run_t,  { file dir })
+ 
+ kernel_read_network_state(sendmail_t)
+ kernel_read_kernel_sysctls(sendmail_t)

selinux-policy.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Wed Dec 14 15:40:12 UTC 2022 - Hu <cathy.hu@suse.com>
+
+- Added policy for wicked scripts under /etc/sysconfig/network/scripts
+  (bnc#1205770)
+
+-------------------------------------------------------------------
+Wed Dec 14 09:16:26 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
+
+- Add fix_sendmail.patch 
+  * fix context of custom sendmail startup helper
+  * fix context of /var/run/sendmail and add necessary rules to manage
+    content in there
+
 -------------------------------------------------------------------
 Tue Dec 13 08:36:01 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
 

selinux-policy.spec

@@ -146,6 +146,7 @@ Patch061:       fix_userdomain.patch
 Patch062:       fix_cloudform.patch
 Patch063:       fix_alsa.patch
 Patch064:       dontaudit_interface_kmod_tmpfs.patch
+Patch065:       fix_sendmail.patch
 
 Patch100:       sedoctool.patch
 

wicked.fc

@@ -45,3 +45,6 @@
 #/etc/dbus-1/system.d/org.opensuse.Network.Nanny.conf
 #/etc/dbus-1/system.d/org.opensuse.Network.conf
 
+/etc/sysconfig/network/scripts(/.*)?	gen_context(system_u:object_r:wicked_script_t,s0)
+/etc/sysconfig/network/scripts/samba-winbindd	--	gen_context(system_u:object_r:wicked_winbind_script_t,s0)
+/etc/sysconfig/network/scripts/dhcpd-restart-hook	--	gen_context(system_u:object_r:wicked_dhcp_script_t,s0)

wicked.if

@@ -652,3 +652,27 @@ interface(`wicked_filetrans_named_content',`
 	files_etc_filetrans($1, wicked_var_lib_t, file, "state-8.xml")
 	files_etc_filetrans($1, wicked_var_lib_t, file, "state-9.xml")
 ')
+
+########################################
+## <summary>
+##	Create a set of derived types for various wicked scripts
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The name to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`wicked_script_template',`
+	gen_require(`
+		attribute wicked_plugin, wicked_script;
+		type wicked_t;
+	')
+
+	type wicked_$1_t, wicked_plugin;
+	type wicked_$1_script_t, wicked_script;
+	application_domain(wicked_$1_t, wicked_$1_script_t)
+	role system_r types wicked_$1_t;
+
+	domtrans_pattern(wicked_t, wicked_$1_script_t, wicked_$1_t)
+')

wicked.te

@@ -33,6 +33,20 @@ files_type(wicked_var_lib_t)
 type wicked_var_run_t;
 files_pid_file(wicked_var_run_t)
 
+
+# Wicked scripts
+
+attribute wicked_plugin;
+attribute wicked_script;
+type wicked_script_t, wicked_script;
+type wicked_custom_t, wicked_plugin;
+role system_r types wicked_custom_t;
+application_domain(wicked_custom_t, wicked_script_t)
+domtrans_pattern(wicked_t, wicked_script_t, wicked_custom_t)
+
+wicked_script_template(winbind);
+wicked_script_template(dhcp);
+
 #type wpa_cli_t;
 #type wpa_cli_exec_t;
 #init_system_domain(wpa_cli_t, wpa_cli_exec_t)
@@ -240,6 +254,20 @@ wicked_systemctl(wicked_t)
 
 sysnet_manage_config_dirs(wicked_t)
 
+
+# Wicked scripts
+
+list_dirs_pattern(wicked_t, wicked_script_t, wicked_script)
+read_files_pattern(wicked_t, wicked_script_t, wicked_script)
+read_lnk_files_pattern(wicked_t, wicked_script_t, wicked_script)
+list_dirs_pattern(wicked_plugin, wicked_script_t, wicked_script_t)
+read_lnk_files_pattern(wicked_plugin, wicked_script_t, wicked_script)
+
+auth_read_passwd(wicked_plugin)
+
+corecmd_exec_bin(wicked_plugin)
+corecmd_exec_shell(wicked_winbind_t)
+
 #tunable_policy(`use_nfs_home_dirs',`
 #    fs_read_nfs_files(wicked_t)
 #')
@@ -498,6 +526,26 @@ optional_policy(`
 	networkmanager_dbus_chat(wicked_t)
 ')
 
+optional_policy(`
+	logging_send_syslog_msg(wicked_winbind_t)
+')
+
+optional_policy(`
+	sysnet_exec_ifconfig(wicked_plugin)
+	sysnet_read_config(wicked_plugin)
+')
+
+optional_policy(`
+	systemd_exec_systemctl(wicked_winbind_t)
+	systemd_exec_systemctl(wicked_dhcp_t)
+')
+
+optional_policy(`
+	samba_domtrans_smbcontrol(wicked_winbind_t)
+	samba_read_config(wicked_winbind_t)
+	samba_service_status(wicked_winbind_t)
+')
+
 #tunable_policy(`use_ecryptfs_home_dirs',`
 #fs_manage_ecryptfs_files(wicked_t)
 #')