rpm/selinux-policy
SHA256
1
0
Fork 0
forked from pool/selinux-policy
Code Pull Requests Activity

Accepting request 915717 from security:SELinux

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/915717
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=17
This commit is contained in:
Dominique Leuenberger 2021-09-02 21:20:08 +00:00 committed by Git OBS Bridge
commit 377bd6dbf3
10 changed files with 177 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
fix_cockpit.patch
View File

@ -9,10 +9,10 @@ cockpit.socket fails to start if kerberos_enabled=false
policy/modules/contrib/cockpit.te | 2 ++ policy/modules/contrib/cockpit.te | 2 ++
1 file changed, 2 insertions(+) 1 file changed, 2 insertions(+)
Index: fedora-policy-20210628/policy/modules/contrib/cockpit.te Index: fedora-policy-20210716/policy/modules/contrib/cockpit.te
=================================================================== ===================================================================
--- fedora-policy-20210628.orig/policy/modules/contrib/cockpit.te --- fedora-policy-20210716.orig/policy/modules/contrib/cockpit.te
+++ fedora-policy-20210628/policy/modules/contrib/cockpit.te +++ fedora-policy-20210716/policy/modules/contrib/cockpit.te
@@ -51,7 +51,9 @@ can_exec(cockpit_ws_t,cockpit_session_ex @@ -51,7 +51,9 @@ can_exec(cockpit_ws_t,cockpit_session_ex
dev_read_urand(cockpit_ws_t) # for authkey dev_read_urand(cockpit_ws_t) # for authkey
dev_read_rand(cockpit_ws_t) # for libssh dev_read_rand(cockpit_ws_t) # for libssh
@ -23,3 +23,25 @@ Index: fedora-policy-20210628/policy/modules/contrib/cockpit.te
# cockpit-ws can connect to other hosts via ssh # cockpit-ws can connect to other hosts via ssh
corenet_tcp_connect_ssh_port(cockpit_ws_t) corenet_tcp_connect_ssh_port(cockpit_ws_t)
Index: fedora-policy-20210716/policy/modules/contrib/cockpit.fc
===================================================================
--- fedora-policy-20210716.orig/policy/modules/contrib/cockpit.fc
+++ fedora-policy-20210716/policy/modules/contrib/cockpit.fc
@@ -3,12 +3,12 @@
/usr/lib/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
/etc/systemd/system/cockpit.* -- gen_context(system_u:object_r:cockpit_unit_file_t,s0)
-/usr/libexec/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
-/usr/libexec/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
-/usr/libexec/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+/usr/lib(exec)?/cockpit-ws -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+/usr/lib(exec)?/cockpit-tls -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
+/usr/lib(exec)?/cockpit-wsinstance-factory -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)
-/usr/libexec/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
-/usr/libexec/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+/usr/lib(exec)?/cockpit-session -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
+/usr/lib(exec)?/cockpit-ssh -- gen_context(system_u:object_r:cockpit_session_exec_t,s0)
/usr/share/cockpit/motd/update-motd -- gen_context(system_u:object_r:cockpit_ws_exec_t,s0)

19
fix_systemd.patch
View File

@ -1,8 +1,8 @@
Index: fedora-policy-20210628/policy/modules/system/systemd.te Index: fedora-policy-20210716/policy/modules/system/systemd.te
=================================================================== ===================================================================
--- fedora-policy-20210628.orig/policy/modules/system/systemd.te --- fedora-policy-20210716.orig/policy/modules/system/systemd.te
+++ fedora-policy-20210628/policy/modules/system/systemd.te +++ fedora-policy-20210716/policy/modules/system/systemd.te
@@ -347,6 +347,10 @@ userdom_manage_user_tmp_chr_files(system @@ -352,6 +352,10 @@ userdom_manage_user_tmp_chr_files(system
xserver_dbus_chat(systemd_logind_t) xserver_dbus_chat(systemd_logind_t)
optional_policy(` optional_policy(`
@ -13,7 +13,7 @@ Index: fedora-policy-20210628/policy/modules/system/systemd.te
apache_read_tmp_files(systemd_logind_t) apache_read_tmp_files(systemd_logind_t)
') ')
@@ -854,6 +858,10 @@ optional_policy(` @@ -859,6 +863,10 @@ optional_policy(`
udev_read_pid_files(systemd_hostnamed_t) udev_read_pid_files(systemd_hostnamed_t)
') ')
@ -24,3 +24,12 @@ Index: fedora-policy-20210628/policy/modules/system/systemd.te
####################################### #######################################
# #
# rfkill policy # rfkill policy
@@ -1097,6 +1105,8 @@ systemd_unit_file_filetrans(systemd_gpt_
systemd_create_unit_file_dirs(systemd_gpt_generator_t)
systemd_create_unit_file_lnk(systemd_gpt_generator_t)
+udev_read_pid_files(systemd_gpt_generator_t)
+
#######################################
#
# systemd_resolved domain

1
modules-minimum-base.conf
View File

@ -412,4 +412,3 @@ packagekit = module
# Name service cache daemon # Name service cache daemon
# #
nscd = module nscd = module

7
modules-targeted-base.conf
View File

@ -412,3 +412,10 @@ rtorrent = module
# Policy for wicked # Policy for wicked
# #
wicked = module wicked = module
# Layer: system
# Module: rebootmgr
#
# Policy for rebootmgr
#
rebootmgr = module

1
rebootmgr.fc Normal file
View File

@ -0,0 +1 @@
/usr/sbin/rebootmgrd -- gen_context(system_u:object_r:rebootmgr_exec_t,s0)

61
rebootmgr.if Normal file
View File

@ -0,0 +1,61 @@
## <summary>policy for rebootmgr</summary>
########################################
## <summary>
## Execute rebootmgr_exec_t in the rebootmgr domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rebootmgr_domtrans',`
gen_require(`
type rebootmgr_t, rebootmgr_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rebootmgr_exec_t, rebootmgr_t)
')
######################################
## <summary>
## Execute rebootmgr in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rebootmgr_exec',`
gen_require(`
type rebootmgr_exec_t;
')
corecmd_search_bin($1)
can_exec($1, rebootmgr_exec_t)
')
########################################
## <summary>
## Send and receive messages from
## rebootmgr over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rebootmgr_dbus_chat',`
gen_require(`
type rebootmgr_t;
class dbus send_msg;
')
allow $1 rebootmgr_t:dbus send_msg;
allow rebootmgr_t $1:dbus send_msg;
')

37
rebootmgr.te Normal file
View File

@ -0,0 +1,37 @@
policy_module(rebootmgr, 1.0.0)
########################################
#
# Declarations
#
type rebootmgr_t;
type rebootmgr_exec_t;
init_daemon_domain(rebootmgr_t, rebootmgr_exec_t)
########################################
#
# rebootmgr local policy
#
allow rebootmgr_t self:process { fork };
allow rebootmgr_t self:fifo_file rw_fifo_file_perms;
allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms;
domain_use_interactive_fds(rebootmgr_t)
files_manage_etc_files(rebootmgr_t)
logging_send_syslog_msg(rebootmgr_t)
miscfiles_read_localization(rebootmgr_t)
systemd_start_power_services(rebootmgr_t)
systemd_dbus_chat_logind(rebootmgr_t)
unconfined_dbus_chat(rebootmgr_t)
optional_policy(`
dbus_system_bus_client(rebootmgr_t)
dbus_connect_system_bus(rebootmgr_t)
')

24
selinux-policy.changes
View File

@ -1,3 +1,27 @@
-------------------------------------------------------------------
Thu Sep 2 08:45:24 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Modified fix_systemd.patch to allow systemd gpt generator access to
udev files (bsc#1189280)
-------------------------------------------------------------------
Fri Aug 27 13:07:54 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>
- fix rebootmgr does not trigger the reboot properly (boo#1189878)
* fix managing /etc/rebootmgr.conf
* allow rebootmgr_t to cope with systemd and dbus messaging
-------------------------------------------------------------------
Thu Aug 26 07:37:05 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Properly label cockpit files
- Allow wicked to communicate with network manager on DBUS (bsc#1188331)
-------------------------------------------------------------------
Mon Aug 23 15:43:28 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>
- Added policy module for rebootmgr (jsc#SMO-28)
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Aug 17 16:03:08 UTC 2021 - Ludwig Nussel <lnussel@suse.de> Tue Aug 17 16:03:08 UTC 2021 - Ludwig Nussel <lnussel@suse.de>

5
selinux-policy.spec
View File

@ -81,6 +81,9 @@ Source125: rtorrent.fc
Source126: wicked.te Source126: wicked.te
Source127: wicked.if Source127: wicked.if
Source128: wicked.fc Source128: wicked.fc
Source129: rebootmgr.te
Source130: rebootmgr.if
Source131: rebootmgr.fc
Patch001: fix_djbdns.patch Patch001: fix_djbdns.patch
Patch002: fix_dbus.patch Patch002: fix_dbus.patch
@ -422,7 +425,7 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15}
cp $i selinux_config cp $i selinux_config
done done
for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do
cp $i policy/modules/contrib cp $i policy/modules/contrib
done done

4
wicked.te
View File

@ -494,6 +494,10 @@ optional_policy(`
virt_dbus_chat(wicked_t) virt_dbus_chat(wicked_t)
') ')
optional_policy(`
networkmanager_dbus_chat(wicked_t)
')
#tunable_policy(`use_ecryptfs_home_dirs',` #tunable_policy(`use_ecryptfs_home_dirs',`
#fs_manage_ecryptfs_files(wicked_t) #fs_manage_ecryptfs_files(wicked_t)
#') #')