Accepting request 915717 from security:SELinux
OBS-URL: https://build.opensuse.org/request/show/915717 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=17
commit
377bd6dbf3
@ -9,10 +9,10 @@ cockpit.socket fails to start if kerberos_enabled=false
|
||||
policy/modules/contrib/cockpit.te | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
Index: fedora-policy-20210628/policy/modules/contrib/cockpit.te
|
||||
Index: fedora-policy-20210716/policy/modules/contrib/cockpit.te
|
||||
===================================================================
|
||||
--- fedora-policy-20210628.orig/policy/modules/contrib/cockpit.te
|
||||
+++ fedora-policy-20210628/policy/modules/contrib/cockpit.te
|
||||
--- fedora-policy-20210716.orig/policy/modules/contrib/cockpit.te
|
||||
+++ fedora-policy-20210716/policy/modules/contrib/cockpit.te
|
||||
@@ -51,7 +51,9 @@ can_exec(cockpit_ws_t,cockpit_session_ex
|
||||
dev_read_urand(cockpit_ws_t) # for authkey
|
||||
dev_read_rand(cockpit_ws_t) # for libssh
|
||||
@ -23,3 +23,25 @@ Index: fedora-policy-20210628/policy/modules/contrib/cockpit.te
|
||||
|
||||
# cockpit-ws can connect to other hosts via ssh
|
||||
corenet_tcp_connect_ssh_port(cockpit_ws_t)
|
||||
Index: fedora-policy-20210716/policy/modules/contrib/cockpit.fc
|
||||
===================================================================
|
||||
--- fedora-policy-20210716.orig/policy/modules/contrib/cockpit.fc
|
||||
+++ fedora-policy-20210716/policy/modules/contrib/cockpit.fc
|
||||
@@ -3,12 +3,12 @@
|
||||
/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
|
||||
/etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
|
||||
|
||||
-/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
|
||||
-/usr/libexec/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
|
||||
-/usr/libexec/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
|
||||
+/usr/lib(exec)?/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
|
||||
+/usr/lib(exec)?/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
|
||||
+/usr/lib(exec)?/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
|
||||
|
||||
-/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
|
||||
-/usr/libexec/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
|
||||
+/usr/lib(exec)?/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
|
||||
+/usr/lib(exec)?/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
|
||||
|
||||
/usr/share/cockpit/motd/update-motd -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
|
||||
|
||||
|
@ -1,8 +1,8 @@
|
||||
Index: fedora-policy-20210628/policy/modules/system/systemd.te
|
||||
Index: fedora-policy-20210716/policy/modules/system/systemd.te
|
||||
===================================================================
|
||||
--- fedora-policy-20210628.orig/policy/modules/system/systemd.te
|
||||
+++ fedora-policy-20210628/policy/modules/system/systemd.te
|
||||
@@ -347,6 +347,10 @@ userdom_manage_user_tmp_chr_files(system
|
||||
--- fedora-policy-20210716.orig/policy/modules/system/systemd.te
|
||||
+++ fedora-policy-20210716/policy/modules/system/systemd.te
|
||||
@@ -352,6 +352,10 @@ userdom_manage_user_tmp_chr_files(system
|
||||
xserver_dbus_chat(systemd_logind_t)
|
||||
|
||||
optional_policy(`
|
||||
@ -13,7 +13,7 @@ Index: fedora-policy-20210628/policy/modules/system/systemd.te
|
||||
apache_read_tmp_files(systemd_logind_t)
|
||||
')
|
||||
|
||||
@@ -854,6 +858,10 @@ optional_policy(`
|
||||
@@ -859,6 +863,10 @@ optional_policy(`
|
||||
udev_read_pid_files(systemd_hostnamed_t)
|
||||
')
|
||||
|
||||
@ -24,3 +24,12 @@ Index: fedora-policy-20210628/policy/modules/system/systemd.te
|
||||
#######################################
|
||||
#
|
||||
# rfkill policy
|
||||
@@ -1097,6 +1105,8 @@ systemd_unit_file_filetrans(systemd_gpt_
|
||||
systemd_create_unit_file_dirs(systemd_gpt_generator_t)
|
||||
systemd_create_unit_file_lnk(systemd_gpt_generator_t)
|
||||
|
||||
+udev_read_pid_files(systemd_gpt_generator_t)
|
||||
+
|
||||
#######################################
|
||||
#
|
||||
# systemd_resolved domain
|
||||
|
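Review bot: `udev_read_pid_files(systemd_gpt_generator_t)` is added as a bare rule, whereas the only other udev rule visible in this patch, `udev_read_pid_files(systemd_hostnamed_t)`, sits inside an `optional_policy(` … `')` block; wrap the new line the same way, `optional_policy(\` udev_read_pid_files(systemd_gpt_generator_t) ')`, unless udev is a guaranteed base module in this build, so the patch stays consistent and cannot break the build on a module set without udev. The rule only grants read access to udev's runtime files, which is a reasonable grant for a boot-time generator, but if the denial behind bsc#1189280 was on udev's device database rather than on /run/udev itself, confirm against the AVC that this interface (and not a db-specific one) is what the generator actually needs. Since this hunk lives in a downstream patch against the Fedora policy, consider sending the rule upstream so the carried patch shrinks.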
@ -412,4 +412,3 @@ packagekit = module
|
||||
# Name service cache daemon
|
||||
#
|
||||
nscd = module
|
||||
|
||||
|
@ -412,3 +412,10 @@ rtorrent = module
|
||||
# Policy for wicked
|
||||
#
|
||||
wicked = module
|
||||
|
||||
# Layer: system
|
||||
# Module: rebootmgr
|
||||
#
|
||||
# Policy for rebootmgr
|
||||
#
|
||||
rebootmgr = module
|
||||
|
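Review bot: The new block declares rebootmgr under `# Layer: system`, but the spec change in this same commit copies rebootmgr.te/.if/.fc into `policy/modules/contrib` alongside wicked and the other SUSE-local modules; the comment should say `# Layer: contrib` so that anyone reading modules.conf looks in the right directory. Purely cosmetic for the build, since `rebootmgr = module` is what the build reads, but misleading layer comments are the kind of thing that later gets copied into the next module.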
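--- /dev/null
+++ b/rebootmgr.fc
@@ -0,0 +1 @@
+/usr/sbin/rebootmgrd -- gen_context(system_u:object_r:rebootmgr_exec_t,s0)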
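--- /dev/null
+++ b/rebootmgr.if
@@ -0,0 +1,61 @@
+
+## <summary>policy for rebootmgr</summary>
+
+########################################
+## <summary>
+## Execute rebootmgr_exec_t in the rebootmgr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rebootmgr_domtrans',`
+gen_require(`
+type rebootmgr_t, rebootmgr_exec_t;
+')
+
+corecmd_search_bin($1)
+domtrans_pattern($1, rebootmgr_exec_t, rebootmgr_t)
+')
+
+######################################
+## <summary>
+## Execute rebootmgr in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rebootmgr_exec',`
+gen_require(`
+type rebootmgr_exec_t;
+')
+
+corecmd_search_bin($1)
+can_exec($1, rebootmgr_exec_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## rebootmgr over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rebootmgr_dbus_chat',`
+gen_require(`
+type rebootmgr_t;
+class dbus send_msg;
+')
+
+allow $1 rebootmgr_t:dbus send_msg;
+allow rebootmgr_t $1:dbus send_msg;
+')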
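--- /dev/null
+++ b/rebootmgr.te
@@ -0,0 +1,37 @@
+policy_module(rebootmgr, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rebootmgr_t;
+type rebootmgr_exec_t;
+init_daemon_domain(rebootmgr_t, rebootmgr_exec_t)
+
+########################################
+#
+# rebootmgr local policy
+#
+allow rebootmgr_t self:process { fork };
+allow rebootmgr_t self:fifo_file rw_fifo_file_perms;
+allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(rebootmgr_t)
+
+files_manage_etc_files(rebootmgr_t)
+
+logging_send_syslog_msg(rebootmgr_t)
+
+miscfiles_read_localization(rebootmgr_t)
+
+systemd_start_power_services(rebootmgr_t)
+
+systemd_dbus_chat_logind(rebootmgr_t)
+
+unconfined_dbus_chat(rebootmgr_t)
+
+optional_policy(`
+dbus_system_bus_client(rebootmgr_t)
+dbus_connect_system_bus(rebootmgr_t)
+')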
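Review bot: `files_manage_etc_files(rebootmgr_t)` lets rebootmgr_t create, write, rename and unlink every etc_t file on the system, while the changelog entry in this commit only asks for managing /etc/rebootmgr.conf; a daemon that accepts requests over the system bus should not be able to rewrite arbitrary /etc configuration if it is compromised. Confine the write to the daemon's own file by giving it a private type: declare `rebootmgr_conf_t`, label `/etc/rebootmgr\.conf` with it in rebootmgr.fc, and replace the manage-etc rule with the lines below. If rebootmgrd rewrites the file by creating a temporary in /etc and renaming over it (not visible from this hunk), the named filetrans gives the new file the right label; if it only writes the existing file in place, `files_rw_etc_files` would at least drop create/unlink as a narrower stop-gap. Separately, `systemd_dbus_chat_logind` and `unconfined_dbus_chat` are only useful once the domain is a system-bus client, so they belong inside the `optional_policy(` block at the end next to `dbus_system_bus_client`.
```selinux
# … unchanged: declarations …
type rebootmgr_conf_t;
files_config_file(rebootmgr_conf_t)

# … unchanged: local policy up to domain_use_interactive_fds …
# manage only the daemon's own config, not every etc_t file
manage_files_pattern(rebootmgr_t, rebootmgr_conf_t, rebootmgr_conf_t)
files_search_etc(rebootmgr_t)
files_etc_filetrans(rebootmgr_t, rebootmgr_conf_t, file, "rebootmgr.conf")
# … unchanged: syslog, localization, power and dbus rules …
```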
@ -1,3 +1,27 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 2 08:45:24 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
- Modified fix_systemd.patch to allow systemd gpt generator access to
|
||||
udev files (bsc#1189280)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Aug 27 13:07:54 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>
|
||||
|
||||
- fix rebootmgr does not trigger the reboot properly (boo#1189878)
|
||||
* fix managing /etc/rebootmgr.conf
|
||||
* allow rebootmgr_t to cope with systemd and dbus messaging
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 26 07:37:05 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
||||
|
||||
- Properly label cockpit files
|
||||
- Allow wicked to communicate with network manager on DBUS (bsc#1188331)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 23 15:43:28 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>
|
||||
|
||||
- Added policy module for rebootmgr (jsc#SMO-28)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Aug 17 16:03:08 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
|
||||
|
||||
|
@ -81,6 +81,9 @@ Source125: rtorrent.fc
|
||||
Source126: wicked.te
|
||||
Source127: wicked.if
|
||||
Source128: wicked.fc
|
||||
Source129: rebootmgr.te
|
||||
Source130: rebootmgr.if
|
||||
Source131: rebootmgr.fc
|
||||
|
||||
Patch001: fix_djbdns.patch
|
||||
Patch002: fix_dbus.patch
|
||||
@ -422,7 +425,7 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15}
|
||||
cp $i selinux_config
|
||||
done
|
||||
|
||||
for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do
|
||||
for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do
|
||||
cp $i policy/modules/contrib
|
||||
done
|
||||
|
||||
|