Accepting request 904732 from security:SELinux

OBS-URL: https://build.opensuse.org/request/show/904732 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=14
2021-07-11 23:24:43 +00:00 · 2021-07-11 23:24:43 +00:00 · 3baf5bcdf6
commit 3baf5bcdf6
parent aea4a827c0
6 changed files with 52 additions and 3 deletions
--- a/modules-targeted-base.conf
+++ b/modules-targeted-base.conf
@ -412,3 +412,10 @@ rtorrent = module
 # Policy for wicked
 #
 wicked = module
+
+# Layer: contrib
+# Module: tabrmd
+#
+# Policy for tabrmd
+#
+tabrmd = module
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Jul  6 13:55:19 UTC 2021 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Add tabrmd SELinux modules from upstream (bsc#1187925)
+  https://github.com/tpm2-software/tpm2-abrmd/tree/master/selinux
+- Automatic spec-cleaner to fix ordering and misaligned spaces
+
 -------------------------------------------------------------------
 Tue May 18 11:10:59 UTC 2021 - Ludwig Nussel <lnussel@suse.de>

--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -81,6 +81,9 @@ Source125:      rtorrent.fc
 Source126:      wicked.te
 Source127:      wicked.if
 Source128:      wicked.fc
+Source129:      tabrmd.te
+Source130:      tabrmd.if
+Source131:      tabrmd.fc

 Patch001:       fix_djbdns.patch
 Patch002:       fix_dbus.patch
@ -156,8 +159,8 @@ Recommends:     audit
 Recommends:     selinux-tools
 # for audit2allow
 Recommends:     python3-policycoreutils
-Recommends:     policycoreutils-python-utils
 Recommends:     container-selinux
+Recommends:     policycoreutils-python-utils
 Recommends:     selinux-autorelabel

 %define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
@ -366,7 +369,7 @@ creating other policies.
 %package sandbox
 Summary:        SELinux policy sandbox
 Group:          System/Management
-Requires(pre): selinux-policy-targeted = %{version}-%{release}
+Requires(pre):  selinux-policy-targeted = %{version}-%{release}

 %description sandbox
 SELinux sandbox policy used for the policycoreutils-sandbox package
@ -421,7 +424,7 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15}
 cp $i selinux_config
 done

-for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do
+for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do
 cp $i policy/modules/contrib
 done

--- a/tabrmd.fc
+++ b/tabrmd.fc
@ -0,0 +1,2 @@
+/usr/sbin/tpm2-abrmd	--	gen_context(system_u:object_r:tabrmd_exec_t,s0)
+/usr/local/sbin/tpm2-abrmd	--	gen_context(system_u:object_r:tabrmd_exec_t,s0)
--- a/tabrmd.if
+++ b/tabrmd.if
@ -0,0 +1 @@
+## <summary></summary>
--- a/tabrmd.te
+++ b/tabrmd.te
@ -0,0 +1,29 @@
+policy_module(tabrmd, 0.0.2)
+
+########################################
+#
+# Declarations
+#
+
+gen_tunable(`tabrmd_connect_all_unreserved', false)
+
+type tabrmd_t;
+type tabrmd_exec_t;
+init_daemon_domain(tabrmd_t, tabrmd_exec_t)
+
+allow tabrmd_t self:unix_dgram_socket { create_socket_perms };
+
+dev_rw_tpm(tabrmd_t)
+logging_send_syslog_msg(tabrmd_t)
+sysnet_dns_name_resolve(tabrmd_t)
+
+optional_policy(`
+    dbus_stub()
+    dbus_system_domain(tabrmd_t, tabrmd_exec_t)
+    allow system_dbusd_t tabrmd_t:unix_stream_socket rw_stream_socket_perms;
+    fwupd_dbus_chat(tabrmd_t)
+')
+
+tunable_policy(`tabrmd_connect_all_unreserved',`
+    corenet_tcp_connect_all_unreserved_ports(tabrmd_t)
+')