
Accepting request 915717 from security:SELinux

OBS-URL: https://build.opensuse.org/request/show/915717
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=17
This commit is contained in:
Dominique Leuenberger 2021-09-02 21:20:08 +00:00 committed by Git OBS Bridge
commit 377bd6dbf3
10 changed files with 177 additions and 10 deletions


@ -9,10 +9,10 @@ cockpit.socket fails to start if kerberos_enabled=false
policy/modules/contrib/cockpit.te | 2 ++
1 file changed, 2 insertions(+)
Index: fedora-policy-20210628/policy/modules/contrib/cockpit.te
Index: fedora-policy-20210716/policy/modules/contrib/cockpit.te
===================================================================
--- fedora-policy-20210628.orig/policy/modules/contrib/cockpit.te
+++ fedora-policy-20210628/policy/modules/contrib/cockpit.te
--- fedora-policy-20210716.orig/policy/modules/contrib/cockpit.te
+++ fedora-policy-20210716/policy/modules/contrib/cockpit.te
@@ -51,7 +51,9 @@ can_exec(cockpit_ws_t,cockpit_session_ex
dev_read_urand(cockpit_ws_t) # for authkey
dev_read_rand(cockpit_ws_t) # for libssh
@ -23,3 +23,25 @@ Index: fedora-policy-20210628/policy/modules/contrib/cockpit.te
# cockpit-ws can connect to other hosts via ssh
corenet_tcp_connect_ssh_port(cockpit_ws_t)
Index: fedora-policy-20210716/policy/modules/contrib/cockpit.fc
===================================================================
--- fedora-policy-20210716.orig/policy/modules/contrib/cockpit.fc
+++ fedora-policy-20210716/policy/modules/contrib/cockpit.fc
@@ -3,12 +3,12 @@
/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
/etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
-/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
-/usr/libexec/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
-/usr/libexec/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+/usr/lib(exec)?/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+/usr/lib(exec)?/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+/usr/lib(exec)?/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
-/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
-/usr/libexec/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+/usr/lib(exec)?/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+/usr/lib(exec)?/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
/usr/share/cockpit/motd/update-motd -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)


@ -1,8 +1,8 @@
Index: fedora-policy-20210628/policy/modules/system/systemd.te
Index: fedora-policy-20210716/policy/modules/system/systemd.te
===================================================================
--- fedora-policy-20210628.orig/policy/modules/system/systemd.te
+++ fedora-policy-20210628/policy/modules/system/systemd.te
@@ -347,6 +347,10 @@ userdom_manage_user_tmp_chr_files(system
--- fedora-policy-20210716.orig/policy/modules/system/systemd.te
+++ fedora-policy-20210716/policy/modules/system/systemd.te
@@ -352,6 +352,10 @@ userdom_manage_user_tmp_chr_files(system
xserver_dbus_chat(systemd_logind_t)
optional_policy(`
@ -13,7 +13,7 @@ Index: fedora-policy-20210628/policy/modules/system/systemd.te
apache_read_tmp_files(systemd_logind_t)
')
@@ -854,6 +858,10 @@ optional_policy(`
@@ -859,6 +863,10 @@ optional_policy(`
udev_read_pid_files(systemd_hostnamed_t)
')
@ -24,3 +24,12 @@ Index: fedora-policy-20210628/policy/modules/system/systemd.te
#######################################
#
# rfkill policy
@@ -1097,6 +1105,8 @@ systemd_unit_file_filetrans(systemd_gpt_
systemd_create_unit_file_dirs(systemd_gpt_generator_t)
systemd_create_unit_file_lnk(systemd_gpt_generator_t)
+udev_read_pid_files(systemd_gpt_generator_t)
+
#######################################
#
# systemd_resolved domain
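Review bot: The new `udev_read_pid_files(systemd_gpt_generator_t)` line at the end of the gpt-generator hunk carries no comment, so the reason for granting the generator read access to udev's runtime data (presumably /run/udev) will be lost the next time fix_systemd.patch is rebased; the only trace is the changelog entry. I would put `# gpt generator reads udev runtime data (bsc#1189280)` directly above it. The systemd_gpt_generator_t rule block starts before this hunk, so the new rule's placement relative to the other generator rules cannot be checked from here.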


@ -412,4 +412,3 @@ packagekit = module
# Name service cache daemon
#
nscd = module


@ -412,3 +412,10 @@ rtorrent = module
# Policy for wicked
#
wicked = module
# Layer: system
# Module: rebootmgr
#
# Policy for rebootmgr
#
rebootmgr = module

1
rebootmgr.fc Normal file

@ -0,0 +1 @@
/usr/sbin/rebootmgrd -- gen_context(system_u:object_r:rebootmgr_exec_t,s0)

61
rebootmgr.if Normal file

@ -0,0 +1,61 @@
## <summary>policy for rebootmgr</summary>
########################################
## <summary>
## Execute rebootmgr_exec_t in the rebootmgr domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rebootmgr_domtrans',`
gen_require(`
type rebootmgr_t, rebootmgr_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rebootmgr_exec_t, rebootmgr_t)
')
######################################
## <summary>
## Execute rebootmgr in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rebootmgr_exec',`
gen_require(`
type rebootmgr_exec_t;
')
corecmd_search_bin($1)
can_exec($1, rebootmgr_exec_t)
')
########################################
## <summary>
## Send and receive messages from
## rebootmgr over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rebootmgr_dbus_chat',`
gen_require(`
type rebootmgr_t;
class dbus send_msg;
')
allow $1 rebootmgr_t:dbus send_msg;
allow rebootmgr_t $1:dbus send_msg;
')

37
rebootmgr.te Normal file

@ -0,0 +1,37 @@
policy_module(rebootmgr, 1.0.0)
########################################
#
# Declarations
#
type rebootmgr_t;
type rebootmgr_exec_t;
init_daemon_domain(rebootmgr_t, rebootmgr_exec_t)
########################################
#
# rebootmgr local policy
#
allow rebootmgr_t self:process { fork };
allow rebootmgr_t self:fifo_file rw_fifo_file_perms;
allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(rebootmgr_t)
files_manage_etc_files(rebootmgr_t)
logging_send_syslog_msg(rebootmgr_t)
miscfiles_read_localization(rebootmgr_t)
systemd_start_power_services(rebootmgr_t)
systemd_dbus_chat_logind(rebootmgr_t)
unconfined_dbus_chat(rebootmgr_t)
optional_policy(`
dbus_system_bus_client(rebootmgr_t)
dbus_connect_system_bus(rebootmgr_t)
')
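Review bot: `files_manage_etc_files(rebootmgr_t)` grants the daemon create, write and unlink on every etc_t file, which is far broader than the single config file the changelog says it has to manage (/etc/rebootmgr.conf); a dedicated type keeps that write within least privilege. Give the file its own type, label it in rebootmgr.fc with `/etc/rebootmgr\.conf -- gen_context(system_u:object_r:rebootmgr_etc_t,s0)`, and narrow the .te rules as below; the `files_rw_etc_dirs` line is only needed if rebootmgrd rewrites the file by create-and-rename, which I have not verified against the daemon. Separately, `unconfined_dbus_chat(rebootmgr_t)` sits outside `optional_policy` while the dbus interfaces right below it are wrapped; unconfined is an optional module in the same way, so wrap it too. As a style point, `allow rebootmgr_t self:process { fork };` can drop the braces around a single permission.
```selinux
type rebootmgr_t;
type rebootmgr_exec_t;
init_daemon_domain(rebootmgr_t, rebootmgr_exec_t)

# /etc/rebootmgr.conf gets its own type so the daemon does not need
# write access to every etc_t file under /etc
type rebootmgr_etc_t;
files_config_file(rebootmgr_etc_t)

# … unchanged: self, interactive fds, syslog, localization, systemd rules …

# rewrite only its own config file; dir rw and the filetrans cover a
# create-and-rename update, presumably what rebootmgrd does — confirm
manage_files_pattern(rebootmgr_t, rebootmgr_etc_t, rebootmgr_etc_t)
files_rw_etc_dirs(rebootmgr_t)
files_etc_filetrans(rebootmgr_t, rebootmgr_etc_t, file, "rebootmgr.conf")

optional_policy(`
	unconfined_dbus_chat(rebootmgr_t)
')

# … unchanged: dbus optional_policy block …
```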


@ -1,3 +1,27 @@
-------------------------------------------------------------------
Thu Sep 2 08:45:24 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Modified fix_systemd.patch to allow systemd gpt generator access to
udev files (bsc#1189280)
-------------------------------------------------------------------
Fri Aug 27 13:07:54 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>
- fix rebootmgr does not trigger the reboot properly (boo#1189878)
* fix managing /etc/rebootmgr.conf
* allow rebootmgr_t to cope with systemd and dbus messaging
-------------------------------------------------------------------
Thu Aug 26 07:37:05 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Properly label cockpit files
- Allow wicked to communicate with network manager on DBUS (bsc#1188331)
-------------------------------------------------------------------
Mon Aug 23 15:43:28 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>
- Added policy module for rebootmgr (jsc#SMO-28)
-------------------------------------------------------------------
Tue Aug 17 16:03:08 UTC 2021 - Ludwig Nussel <lnussel@suse.de>


@ -81,6 +81,9 @@ Source125: rtorrent.fc
Source126: wicked.te
Source127: wicked.if
Source128: wicked.fc
Source129: rebootmgr.te
Source130: rebootmgr.if
Source131: rebootmgr.fc
Patch001: fix_djbdns.patch
Patch002: fix_dbus.patch
@ -422,7 +425,7 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15}
cp $i selinux_config
done
for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do
for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do
cp $i policy/modules/contrib
done


@ -494,6 +494,10 @@ optional_policy(`
virt_dbus_chat(wicked_t)
')
optional_policy(`
networkmanager_dbus_chat(wicked_t)
')
#tunable_policy(`use_ecryptfs_home_dirs',`
#fs_manage_ecryptfs_files(wicked_t)
#')
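Review bot: The new `networkmanager_dbus_chat(wicked_t)` block has no comment, so the reason wicked needs to exchange bus messages with NetworkManager is only recoverable from the changelog (bsc#1188331). I would put `# wicked talks to NetworkManager over the system bus (bsc#1188331)` above the new optional_policy block. Note that a dbus_chat interface grants send_msg in both directions, as rebootmgr_dbus_chat in this same commit shows, so NetworkManager_t also gains the right to message wicked_t; that is presumably intended but worth stating in the comment.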