From 87ac70638e3fbc8e63f2b43b607ebc6e618da2706d7e2e780ef786fc3ff858d7 Mon Sep 17 00:00:00 2001 From: Johannes Segitz Date: Tue, 24 Aug 2021 14:50:15 +0000 Subject: [PATCH 1/4] Accepting request 914043 from home:akedroutek:branches:security:SELinux - Added policy module for rebootmgr (jsc#SMO-28) OBS-URL: https://build.opensuse.org/request/show/914043 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=116 --- modules-minimum-base.conf | 1 - modules-targeted-base.conf | 7 +++++ rebootmgr.fc | 1 + rebootmgr.if | 61 ++++++++++++++++++++++++++++++++++++++ rebootmgr.te | 33 +++++++++++++++++++++ selinux-policy.changes | 5 ++++ selinux-policy.spec | 5 +++- 7 files changed, 111 insertions(+), 2 deletions(-) create mode 100644 rebootmgr.fc create mode 100644 rebootmgr.if create mode 100644 rebootmgr.te diff --git a/modules-minimum-base.conf b/modules-minimum-base.conf index d90e3cb..853e975 100644 --- a/modules-minimum-base.conf +++ b/modules-minimum-base.conf @@ -412,4 +412,3 @@ packagekit = module # Name service cache daemon # nscd = module - diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf index f5bcc4c..5e255b5 100644 --- a/modules-targeted-base.conf +++ b/modules-targeted-base.conf @@ -412,3 +412,10 @@ rtorrent = module # Policy for wicked # wicked = module + +# Layer: system +# Module: rebootmgr +# +# Policy for rebootmgr +# +rebootmgr = module diff --git a/rebootmgr.fc b/rebootmgr.fc new file mode 100644 index 0000000..156f78f --- /dev/null +++ b/rebootmgr.fc @@ -0,0 +1 @@ +/usr/sbin/rebootmgrd -- gen_context(system_u:object_r:rebootmgr_exec_t,s0) diff --git a/rebootmgr.if b/rebootmgr.if new file mode 100644 index 0000000..bb42f80 --- /dev/null +++ b/rebootmgr.if 
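Review bot: The `# Layer: system` tag on the new rebootmgr entry in modules-targeted-base.conf does not match where the module is installed: the selinux-policy.spec hunk in this same patch copies rebootmgr.te/.if/.fc into `policy/modules/contrib`, not into the system layer. Unless the layer tags in this conf are purely informational, `# Layer: contrib` would agree with the spec. The module is also enabled only in modules-targeted-base.conf, while the modules-minimum-base.conf hunk merely drops a trailing blank line; if leaving it out of the minimum policy is intentional, a short remark in the changes entry would make that explicit.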
@@ -0,0 +1,61 @@
+
+## policy for rebootmgr
+
+########################################
+##
+## Execute rebootmgr_exec_t in the rebootmgr domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`rebootmgr_domtrans',`
+ gen_require(`
+ type rebootmgr_t, rebootmgr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rebootmgr_exec_t, rebootmgr_t)
+')
+
+######################################
+##
+## Execute rebootmgr in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rebootmgr_exec',`
+ gen_require(`
+ type rebootmgr_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, rebootmgr_exec_t)
+')
+
+########################################
+##
+## Send and receive messages from
+## rebootmgr over dbus.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rebootmgr_dbus_chat',`
+ gen_require(`
+ type rebootmgr_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 rebootmgr_t:dbus send_msg;
+ allow rebootmgr_t $1:dbus send_msg;
+')
diff --git a/rebootmgr.te b/rebootmgr.te
new file mode 100644
index 0000000..46878c5
--- /dev/null
+++ b/rebootmgr.te
@@ -0,0 +1,33 @@
+policy_module(rebootmgr, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rebootmgr_t;
+type rebootmgr_exec_t;
+init_daemon_domain(rebootmgr_t, rebootmgr_exec_t)
+
+permissive rebootmgr_t;
+
+########################################
+#
+# rebootmgr local policy
+#
+allow rebootmgr_t self:process { fork };
+allow rebootmgr_t self:fifo_file rw_fifo_file_perms;
+allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(rebootmgr_t)
+
+files_read_etc_files(rebootmgr_t)
+
+logging_send_syslog_msg(rebootmgr_t)
+
+miscfiles_read_localization(rebootmgr_t)
+
+optional_policy(`
+ dbus_system_bus_client(rebootmgr_t)
+ dbus_connect_system_bus(rebootmgr_t)
+')
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 2c52444..81a5bfc 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Aug 23 15:43:28 UTC 2021 - Ales Kedroutek + +- Added policy module for rebootmgr (jsc#SMO-28) + ------------------------------------------------------------------- Tue Aug 17 16:03:08 UTC 2021 - Ludwig Nussel diff --git a/selinux-policy.spec b/selinux-policy.spec index dce81b7..22171f3 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -81,6 +81,9 @@ Source125: rtorrent.fc Source126: wicked.te Source127: wicked.if Source128: wicked.fc +Source129: rebootmgr.te +Source130: rebootmgr.if +Source131: rebootmgr.fc Patch001: fix_djbdns.patch Patch002: fix_dbus.patch @@ -422,7 +425,7 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} cp $i selinux_config done -for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do +for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do cp $i policy/modules/contrib done From ae9139e375462eb8b22f3a73a91809188267d203e920f1be5b52782ef28d4789 Mon Sep 17 00:00:00 2001 From: Johannes Segitz Date: Thu, 26 Aug 2021 08:36:34 +0000 Subject: [PATCH 2/4] Accepting request 914371 from home:jsegitz:branches:security:SELinux - Properly label cockpit files - Allow wicked to communicate with network manager on DBUS (bsc#1188331) OBS-URL: https://build.opensuse.org/request/show/914371 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=117 --- fix_cockpit.patch | 28 +++++++++++++++++++++++++--- selinux-policy.changes | 6 ++++++ wicked.te | 4 ++++ 3 files changed, 35 insertions(+), 3 deletions(-) diff --git a/fix_cockpit.patch b/fix_cockpit.patch index d4eae49..99c363e 100644 --- a/fix_cockpit.patch +++ b/fix_cockpit.patch 
@@ -9,10 +9,10 @@ cockpit.socket fails to start if kerberos_enabled=false policy/modules/contrib/cockpit.te | 2 ++ 1 file changed, 2 insertions(+) -Index: fedora-policy-20210628/policy/modules/contrib/cockpit.te +Index: fedora-policy-20210716/policy/modules/contrib/cockpit.te =================================================================== ---- fedora-policy-20210628.orig/policy/modules/contrib/cockpit.te -+++ fedora-policy-20210628/policy/modules/contrib/cockpit.te +--- fedora-policy-20210716.orig/policy/modules/contrib/cockpit.te ++++ fedora-policy-20210716/policy/modules/contrib/cockpit.te @@ -51,7 +51,9 @@ can_exec(cockpit_ws_t,cockpit_session_ex dev_read_urand(cockpit_ws_t) # for authkey dev_read_rand(cockpit_ws_t) # for libssh 
@@ -23,3 +23,25 @@ Index: fedora-policy-20210628/policy/modules/contrib/cockpit.te # cockpit-ws can connect to other hosts via ssh corenet_tcp_connect_ssh_port(cockpit_ws_t) +Index: fedora-policy-20210716/policy/modules/contrib/cockpit.fc +=================================================================== +--- fedora-policy-20210716.orig/policy/modules/contrib/cockpit.fc ++++ fedora-policy-20210716/policy/modules/contrib/cockpit.fc +@@ -3,12 +3,12 @@ + /usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) + /etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0) + +-/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) +-/usr/libexec/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) +-/usr/libexec/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) ++/usr/lib(exec)?/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) ++/usr/lib(exec)?/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) ++/usr/lib(exec)?/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) + +-/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) +-/usr/libexec/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) ++/usr/lib(exec)?/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) ++/usr/lib(exec)?/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0) + + /usr/share/cockpit/motd/update-motd -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0) + diff --git a/selinux-policy.changes b/selinux-policy.changes index 81a5bfc..6bd4e8d 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
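Review bot: The description header of fix_cockpit.patch is now stale: the context lines in the preceding hunk still read `policy/modules/contrib/cockpit.te | 2 ++` and `1 file changed, 2 insertions(+)`, while this hunk appends a second file, cockpit.fc, to the same patch. The header text, which starts outside these hunks, should list cockpit.fc and say why the file contexts are widened from `/usr/libexec/...` to `/usr/lib(exec)?/...`, so the next refresh of the patch does not drop the .fc part as unexplained. If only one of the two directories actually holds the cockpit binaries on this distribution, the narrower literal path would be the tighter label, though matching both is not harmful by itself.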
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Aug 26 07:37:05 UTC 2021 - Johannes Segitz + +- Properly label cockpit files +- Allow wicked to communicate with network manager on DBUS (bsc#1188331) + ------------------------------------------------------------------- Mon Aug 23 15:43:28 UTC 2021 - Ales Kedroutek diff --git a/wicked.te b/wicked.te index 8441a29..a5f49ed 100644 --- a/wicked.te +++ b/wicked.te @@ -494,6 +494,10 @@ optional_policy(` virt_dbus_chat(wicked_t) ') +optional_policy(` + networkmanager_dbus_chat(wicked_t) +') + #tunable_policy(`use_ecryptfs_home_dirs',` #fs_manage_ecryptfs_files(wicked_t) #') From ec4c74f73a3b17a0f61bdd28da914ffe343d3aef052dcb3d35788ff7afe36f85 Mon Sep 17 00:00:00 2001 From: Johannes Segitz Date: Tue, 31 Aug 2021 13:53:41 +0000 Subject: [PATCH 3/4] Accepting request 915205 from home:akedroutek:branches:security:SELinux - fix rebootmgr does not trigger the reboot properly (boo#1189878) * fix managing /etc/rebootmgr.conf * allow rebootmgr_t to cope with systemd and dbus messaging OBS-URL: https://build.opensuse.org/request/show/915205 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=118 --- rebootmgr.te | 10 +++++++--- selinux-policy.changes | 7 +++++++ 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/rebootmgr.te b/rebootmgr.te index 46878c5..4b4e6ab 100644 --- a/rebootmgr.te +++ b/rebootmgr.te @@ -9,8 +9,6 @@ type rebootmgr_t; type rebootmgr_exec_t; init_daemon_domain(rebootmgr_t, rebootmgr_exec_t) -permissive rebootmgr_t; - ######################################## # # rebootmgr local policy 
@@ -21,12 +19,18 @@ allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms; domain_use_interactive_fds(rebootmgr_t) -files_read_etc_files(rebootmgr_t) +files_manage_etc_files(rebootmgr_t) logging_send_syslog_msg(rebootmgr_t) miscfiles_read_localization(rebootmgr_t) +systemd_start_power_services(rebootmgr_t) + +systemd_dbus_chat_logind(rebootmgr_t) + +unconfined_dbus_chat(rebootmgr_t) + optional_policy(` dbus_system_bus_client(rebootmgr_t) dbus_connect_system_bus(rebootmgr_t) diff --git a/selinux-policy.changes b/selinux-policy.changes index 6bd4e8d..40d5a02 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Fri Aug 27 13:07:54 UTC 2021 - Ales Kedroutek + +- fix rebootmgr does not trigger the reboot properly (boo#1189878) + * fix managing /etc/rebootmgr.conf + * allow rebootmgr_t to cope with systemd and dbus messaging + ------------------------------------------------------------------- Thu Aug 26 07:37:05 UTC 2021 - Johannes Segitz From 23c83e5de52d31990737a5aed54ceac03262f358cd783062cc6b30ac45385145 Mon Sep 17 00:00:00 2001 From: Johannes Segitz Date: Thu, 2 Sep 2021 09:14:04 +0000 Subject: [PATCH 4/4] Accepting request 915716 from home:jsegitz:branches:security:SELinux - Modified fix_systemd.patch to allow systemd gpt generator access to udev files (bsc#1189280) OBS-URL: https://build.opensuse.org/request/show/915716 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=119 --- fix_systemd.patch | 19 ++++++++++++++----- selinux-policy.changes | 6 ++++++ 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/fix_systemd.patch b/fix_systemd.patch index 02f834e..bdab982 100644 --- a/fix_systemd.patch +++ b/fix_systemd.patch 
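Review bot: `files_manage_etc_files(rebootmgr_t)` grants create, write, rename and unlink on every `etc_t` file under /etc, while the commit message only needs the daemon to manage /etc/rebootmgr.conf; a misbehaving or compromised rebootmgrd could then rewrite unrelated system configuration. A private type on that one file keeps the write permission scoped to it (see the fence), with the matching label in rebootmgr.fc: `/etc/rebootmgr\.conf -- gen_context(system_u:object_r:rebootmgr_etc_t,s0)`. `unconfined_dbus_chat(rebootmgr_t)` is likewise broad and, unlike the dbus_* calls below it, is not inside `optional_policy(`; if the peer is a known confined domain, its specific `*_dbus_chat` interface (as already done for logind) is preferable, and otherwise the call should at least sit in an optional_policy block like the existing dbus_* ones. The declarations section this relies on is outside this hunk.
```selinux
# Declarations section (outside this hunk): private type for the daemon's own config
type rebootmgr_etc_t;
files_config_file(rebootmgr_etc_t)

# … unchanged: self process/fifo/unix_stream_socket rules, domain_use_interactive_fds …

# Only the daemon's own config file is writable; the rest of /etc stays read-only.
files_read_etc_files(rebootmgr_t)
manage_files_pattern(rebootmgr_t, rebootmgr_etc_t, rebootmgr_etc_t)
files_etc_filetrans(rebootmgr_t, rebootmgr_etc_t, file, "rebootmgr.conf")

# … unchanged: logging, localization, systemd_* calls, dbus optional_policy …
```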
@@ -1,8 +1,8 @@ -Index: fedora-policy-20210628/policy/modules/system/systemd.te +Index: fedora-policy-20210716/policy/modules/system/systemd.te =================================================================== ---- fedora-policy-20210628.orig/policy/modules/system/systemd.te -+++ fedora-policy-20210628/policy/modules/system/systemd.te -@@ -347,6 +347,10 @@ userdom_manage_user_tmp_chr_files(system +--- fedora-policy-20210716.orig/policy/modules/system/systemd.te ++++ fedora-policy-20210716/policy/modules/system/systemd.te +@@ -352,6 +352,10 @@ userdom_manage_user_tmp_chr_files(system xserver_dbus_chat(systemd_logind_t) optional_policy(` @@ -13,7 +13,7 @@ Index: fedora-policy-20210628/policy/modules/system/systemd.te apache_read_tmp_files(systemd_logind_t) ') -@@ -854,6 +858,10 @@ optional_policy(` +@@ -859,6 +863,10 @@ optional_policy(` udev_read_pid_files(systemd_hostnamed_t) ') @@ -24,3 +24,12 @@ Index: fedora-policy-20210628/policy/modules/system/systemd.te ####################################### # # rfkill policy +@@ -1097,6 +1105,8 @@ systemd_unit_file_filetrans(systemd_gpt_ + systemd_create_unit_file_dirs(systemd_gpt_generator_t) + systemd_create_unit_file_lnk(systemd_gpt_generator_t) + ++udev_read_pid_files(systemd_gpt_generator_t) ++ + ####################################### + # + # systemd_resolved domain diff --git a/selinux-policy.changes b/selinux-policy.changes index 40d5a02..7f72bd1 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Sep 2 08:45:24 UTC 2021 - Johannes Segitz + +- Modified fix_systemd.patch to allow systemd gpt generator access to + udev files (bsc#1189280) + ------------------------------------------------------------------- Fri Aug 27 13:07:54 UTC 2021 - Ales Kedroutek
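Review bot: The new `udev_read_pid_files(systemd_gpt_generator_t)` line is added bare, whereas the existing `udev_read_pid_files(systemd_hostnamed_t)` visible as context earlier in this same patch sits inside an `optional_policy(` block; the surrounding file evidently treats udev as optional, so the bare call makes systemd.te depend on the udev module unconditionally. For consistency with the file, wrap it: `optional_policy(`` / `udev_read_pid_files(systemd_gpt_generator_t)` / `')`. The systemd_gpt_generator_t section continues outside this hunk, so the placement relative to its other optional_policy blocks cannot be checked from here.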