From 3fb2472fe52ac0cab12afebc3d3fffd618fa6ebaf2c90cb3e4c9c0bc183e5986 Mon Sep 17 00:00:00 2001 From: Richard Brown Date: Fri, 30 Sep 2022 15:57:06 +0000 Subject: [PATCH] Accepting request 1007016 from security:SELinux - Update fix_networkmanager.patch to ensure NetworkManager chrony dispatcher is properly labled and update fix_chronyd.patch to ensure chrony helper script has proper label to be used by NetworkManager. Also allow NetworkManager_dispatcher_custom_t to query systemd status (bsc#1203824) - Update fix_xserver.patch to add greetd support (bsc#1198559) - Revamped rtorrent module OBS-URL: https://build.opensuse.org/request/show/1007016 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/selinux-policy?expand=0&rev=32 --- fix_chronyd.patch | 15 ++++--- fix_networkmanager.patch | 20 +++++++++ fix_xserver.patch | 39 ++++++++++++++--- rtorrent.fc | 2 +- rtorrent.if | 94 +++++++++++++++++----------------------- rtorrent.te | 85 ++++++++++++++++++------------------ selinux-policy.changes | 19 ++++++++ 7 files changed, 163 insertions(+), 111 deletions(-) diff --git a/fix_chronyd.patch b/fix_chronyd.patch index 4ec73ce..a4daca5 100644 --- a/fix_chronyd.patch +++ b/fix_chronyd.patch @@ -1,7 +1,7 @@ -Index: fedora-policy-20211111/policy/modules/contrib/chronyd.te +Index: fedora-policy-20220714/policy/modules/contrib/chronyd.te =================================================================== ---- fedora-policy-20211111.orig/policy/modules/contrib/chronyd.te -+++ fedora-policy-20211111/policy/modules/contrib/chronyd.te +--- fedora-policy-20220714.orig/policy/modules/contrib/chronyd.te ++++ fedora-policy-20220714/policy/modules/contrib/chronyd.te @@ -141,6 +141,14 @@ systemd_exec_systemctl(chronyd_t) userdom_dgram_send(chronyd_t) 
@@ -17,15 +17,16 @@ Index: fedora-policy-20211111/policy/modules/contrib/chronyd.te cron_dgram_send(chronyd_t) ') -Index: fedora-policy-20211111/policy/modules/contrib/chronyd.fc +Index: fedora-policy-20220714/policy/modules/contrib/chronyd.fc =================================================================== ---- fedora-policy-20211111.orig/policy/modules/contrib/chronyd.fc -+++ fedora-policy-20211111/policy/modules/contrib/chronyd.fc -@@ -6,6 +6,7 @@ +--- fedora-policy-20220714.orig/policy/modules/contrib/chronyd.fc ++++ fedora-policy-20220714/policy/modules/contrib/chronyd.fc +@@ -6,6 +6,8 @@ /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) /usr/libexec/chrony-helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) +/usr/lib/chrony/helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) ++/usr/libexec/chrony/helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) /usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0) diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch index 1db6e5c..3553e85 100644 --- a/fix_networkmanager.patch +++ b/fix_networkmanager.patch @@ -36,6 +36,14 @@ Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.te ') optional_policy(` +@@ -602,6 +615,7 @@ files_manage_etc_files(NetworkManager_di + + init_status(NetworkManager_dispatcher_cloud_t) + init_status(NetworkManager_dispatcher_ddclient_t) ++init_status(NetworkManager_dispatcher_custom_t) + init_append_stream_sockets(networkmanager_dispatcher_plugin) + init_ioctl_stream_sockets(networkmanager_dispatcher_plugin) + init_stream_connect(networkmanager_dispatcher_plugin) Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.if =================================================================== --- fedora-policy-20220714.orig/policy/modules/contrib/networkmanager.if 
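Review bot: Labeling `/usr/libexec/chrony/helper` as `chronyd_exec_t` only achieves the stated goal if the domain that runs it from the dispatcher (presumably `NetworkManager_dispatcher_chronyc_t`, given the 20-chrony labeling elsewhere in this commit) also has a `chronyd_domtrans`-style rule; without that, executing the helper is denied as execute_no_trans rather than confined, so please confirm the transition rule exists or add it to fix_networkmanager.patch. The file now carries three helper paths (`/usr/libexec/chrony-helper`, `/usr/lib/chrony/helper`, `/usr/libexec/chrony/helper`); if `/usr/lib/chrony/helper` was only for the pre-usrmerge layout, a short comment saying which package layout each entry serves would stop the next maintainer from pruning the wrong one.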
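Review bot: `init_status(NetworkManager_dispatcher_custom_t)` widens the catch-all domain that every unlabeled, locally added dispatcher script runs in, not just the chrony one, and nothing in the hunk or changelog says why the custom domain still needs it once this same commit labels 20-chrony as `NetworkManager_dispatcher_chronyc_script_t`. If the grant exists only because 20-chrony used to fall into the custom domain, it is probably redundant now and should be dropped or moved to the chronyc dispatcher domain; if it is intentional, a comment such as `# locally installed dispatcher scripts commonly run systemctl is-active` above the new line would record the reason. The enclosing section of networkmanager.te continues outside the hunk.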
@@ -65,3 +73,15 @@ Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.if ######################################## ## ## Execute NetworkManager server in the NetworkManager domain. +Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.fc +=================================================================== +--- fedora-policy-20220714.orig/policy/modules/contrib/networkmanager.fc ++++ fedora-policy-20220714/policy/modules/contrib/networkmanager.fc +@@ -24,6 +24,7 @@ + /usr/lib/NetworkManager/dispatcher\.d/04-iscsi -- gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0) + /usr/lib/NetworkManager/dispatcher\.d/10-sendmail -- gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0) + /usr/lib/NetworkManager/dispatcher\.d/11-dhclient -- gen_context(system_u:object_r:NetworkManager_dispatcher_dhclient_script_t,s0) ++/usr/lib/NetworkManager/dispatcher\.d/20-chrony -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0) + /usr/lib/NetworkManager/dispatcher\.d/20-chrony-dhcp -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0) + /usr/lib/NetworkManager/dispatcher\.d/20-chrony-onoffline -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0) + /usr/lib/NetworkManager/dispatcher\.d/30-winbind -- gen_context(system_u:object_r:NetworkManager_dispatcher_winbind_script_t,s0) diff --git a/fix_xserver.patch b/fix_xserver.patch index 686a68d..f969707 100644 --- a/fix_xserver.patch +++ b/fix_xserver.patch 
@@ -1,7 +1,7 @@ -Index: fedora-policy-20211111/policy/modules/services/xserver.fc +Index: fedora-policy-20220714/policy/modules/services/xserver.fc =================================================================== ---- fedora-policy-20211111.orig/policy/modules/services/xserver.fc -+++ fedora-policy-20211111/policy/modules/services/xserver.fc +--- fedora-policy-20220714.orig/policy/modules/services/xserver.fc ++++ fedora-policy-20220714/policy/modules/services/xserver.fc @@ -71,6 +71,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) @@ -18,7 +18,15 @@ Index: fedora-policy-20211111/policy/modules/services/xserver.fc /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) /usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0) -@@ -137,6 +139,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ +@@ -114,6 +116,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ + /usr/bin/Xwayland -- gen_context(system_u:object_r:xserver_exec_t,s0) + /usr/bin/x11vnc -- gen_context(system_u:object_r:xserver_exec_t,s0) + /usr/bin/nvidia.* -- gen_context(system_u:object_r:xserver_exec_t,s0) ++/usr/bin/greetd -- gen_context(system_u:object_r:xdm_exec_t,s0) + + /usr/libexec/Xorg\.bin -- gen_context(system_u:object_r:xserver_exec_t,s0) + /usr/libexec/Xorg\.wrap -- gen_context(system_u:object_r:xserver_exec_t,s0) +@@ -137,6 +140,7 @@ HOME_DIR/\.dmrc.* -- gen_context(system_ /usr/X11R6/lib/X11/xkb -d gen_context(system_u:object_r:xkb_var_lib_t,s0) /usr/X11R6/lib/X11/xkb/.* -- gen_context(system_u:object_r:xkb_var_lib_t,s0) 
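Review bot: The new `/usr/bin/greetd -- gen_context(system_u:object_r:xdm_exec_t,s0)` entry is inserted in the `xserver_exec_t` group (Xwayland, x11vnc, nvidia) even though it carries an `xdm_exec_t` label, so anyone scanning the file by type will miss it; the other display managers (`gpe-dm`, `razor-lightdm-.*`) are visible in this hunk's leading context a few lines up, and the entry belongs next to them. Treating a greeter as a display manager is the expected choice, but `xdm_t` is a broad domain, so a one-line comment at the entry noting that greetd is deliberately given the display-manager domain rather than a client domain would help future reviewers.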
@@ -26,10 +34,27 @@ Index: fedora-policy-20211111/policy/modules/services/xserver.fc ifndef(`distro_debian',` /usr/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) ') -Index: fedora-policy-20211111/policy/modules/services/xserver.te +@@ -155,6 +159,7 @@ ifndef(`distro_debian',` + /var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) + /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) + /var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) ++/var/lib/greetd(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) + + /var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) + /var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +@@ -184,6 +189,8 @@ ifndef(`distro_debian',` + /var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) + /var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) + /var/run/sddm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/greetd[^/]*\.sock -s gen_context(system_u:object_r:xdm_var_run_t,s0) ++/var/run/greetd\.run -- gen_context(system_u:object_r:xdm_var_run_t,s0) + + /var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0) + /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0) +Index: fedora-policy-20220714/policy/modules/services/xserver.te =================================================================== ---- fedora-policy-20211111.orig/policy/modules/services/xserver.te -+++ fedora-policy-20211111/policy/modules/services/xserver.te +--- fedora-policy-20220714.orig/policy/modules/services/xserver.te ++++ fedora-policy-20220714/policy/modules/services/xserver.te @@ -473,6 +473,10 @@ userdom_delete_user_home_content_files(x userdom_signull_unpriv_users(xdm_t) userdom_dontaudit_read_admin_home_lnk_files(xdm_t) diff --git a/rtorrent.fc b/rtorrent.fc index 24f879f..562f8ad 100644 --- a/rtorrent.fc +++ b/rtorrent.fc 
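Review bot: The `/var/run/greetd[^/]*\.sock -s` and `/var/run/greetd\.run --` entries only take effect on relabel; sockets and pid files greetd creates at runtime get their type from the creating domain's file transitions, so unless xserver.te already has a `files_pid_filetrans(xdm_t, xdm_var_run_t, ...)` covering these names (the xserver.te hunk that follows is largely outside this view) they will be created as `var_run_t` and the fc lines will mask the problem rather than fix it. Please confirm that transition exists or add a named filetrans for `greetd.run`. The `[^/]*` in the socket pattern presumably allows for a per-instance suffix; a short comment stating the actual socket name format would justify keeping it that wide.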
@@ -1 +1 @@ -/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0) +/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0) diff --git a/rtorrent.if b/rtorrent.if index 830e349..9ea4193 100644 --- a/rtorrent.if +++ b/rtorrent.if @@ -1,49 +1,14 @@ -## Policy for rtorrent. -############################################################ -## -## Role access for rtorrent -## -## -## -## Role allowed access -## -## -## -## -## User domain for the role -## -## -# -interface(`rtorrent_role',` - gen_require(` - attribute_role rtorrent_roles; - type rtorrent_t, rtorrent_exec_t; - ') - - roleattribute $1 rtorrent_roles; - - # transition from the userdomain to the derived domain - domtrans_pattern($2, rtorrent_exec_t, rtorrent_t) - - # allow ps to show rtorrent - ps_process_pattern($2, rtorrent_t) - allow $2 rtorrent_t:process { signull sigstop signal sigkill }; - - ifdef(`hide_broken_symptoms',` - #Leaked File Descriptors - dontaudit rtorrent_t $2:fifo_file rw_fifo_file_perms; - ') -') +## policy for rtorrent ######################################## ## -## Transition to a user torrent domain. +## Execute rtorrent_exec_t in the rtorrent domain. ## ## -## +## ## Domain allowed to transition. -## +## ## # interface(`rtorrent_domtrans',` @@ -51,12 +16,13 @@ interface(`rtorrent_domtrans',` type rtorrent_t, rtorrent_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, rtorrent_exec_t, rtorrent_t) ') ###################################### ## -## Execute torrent in the caller domain. +## Execute rtorrent in the caller domain. ## ## ## 
@@ -73,39 +39,57 @@ interface(`rtorrent_exec',` can_exec($1, rtorrent_exec_t) ') -###################################### +######################################## ## -## Make rtorrent an entrypoint for -## the specified domain. +## Execute rtorrent in the rtorrent domain, and +## allow the specified role the rtorrent domain. ## ## -## -## The domain for which cifs_t is an entrypoint. -## +## +## Domain allowed to transition +## +## +## +## +## The role to be allowed the rtorrent domain. +## ## # -interface(`rtorrent_entry_type',` - gen_require(` - type rtorrent_exec_t; - ') +interface(`rtorrent_run',` + gen_require(` + type rtorrent_t; + attribute_role rtorrent_roles; + ') - domain_entry_file($1, rtorrent_exec_t) + rtorrent_domtrans($1) + roleattribute $2 rtorrent_roles; ') ######################################## ## -## Send generic signals to user rtorrent processes. +## Role access for rtorrent ## +## +## +## Role allowed access +## +## ## ## -## Domain allowed access. +## User domain for the role ## ## # -interface(`rtorrent_signal',` +interface(`rtorrent_role',` gen_require(` type rtorrent_t; + attribute_role rtorrent_roles; ') - allow $1 rtorrent_t:process signal; + roleattribute $1 rtorrent_roles; + + rtorrent_domtrans($2) + + ps_process_pattern($2, rtorrent_t) + allow $2 rtorrent_t:process { signull signal sigkill }; ') diff --git a/rtorrent.te b/rtorrent.te index dcf4d43..996f7a7 100644 --- a/rtorrent.te +++ b/rtorrent.te @@ -1,4 +1,4 @@ -policy_module(rtorrent, 1.0.1) +policy_module(rtorrent, 1.0.0) ######################################## # @@ -18,81 +18,84 @@ gen_tunable(rtorrent_send_mails, false) ## gen_tunable(rtorrent_enable_rutorrent, false) -attribute rtorrentdomain; +## +##
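Review bot: `rtorrent_role` duplicates the body of `rtorrent_run` (domtrans plus `roleattribute`) instead of calling it; the conventional shape is `rtorrent_run($2, $1)` followed by the `ps_process_pattern` and signal rules, which keeps the two interfaces from drifting apart. The hunk also deletes `rtorrent_entry_type` and `rtorrent_signal`, and the rewritten `rtorrent_role` no longer grants `sigstop` or the `hide_broken_symptoms` fifo dontaudit, so any module that called the removed interfaces will fail to build; if that is intended, the changelog should say so. `rtorrent_run` requires `type rtorrent_t` without using it; only `attribute_role rtorrent_roles;` is needed in its `gen_require`.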
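Review bot: `policy_module(rtorrent, 1.0.0)` moves the module version backwards from 1.0.1 while the changelog describes a revamp that changes interfaces and tunables; semodule will load it either way, but the version is what maintainers use to match a loaded module to the shipped policy, so this should be a bump such as `policy_module(rtorrent, 1.1.0)`, not a regression.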

+## Allow rtorrent to execute helper scripts in home directories +##

+##
+gen_tunable(rtorrent_exec_scripts, false) attribute_role rtorrent_roles; roleattribute system_r rtorrent_roles; type rtorrent_t; type rtorrent_exec_t; -userdom_user_application_domain(rtorrent_t, rtorrent_exec_t) +application_domain(rtorrent_t, rtorrent_exec_t) role rtorrent_roles types rtorrent_t; ######################################## # # rtorrent local policy # +allow rtorrent_t self:process { fork signal_perms }; -corenet_tcp_bind_commplex_main_port(rtorrent_t) +allow rtorrent_t self:fifo_file manage_fifo_file_perms; +allow rtorrent_t self:unix_stream_socket create_stream_socket_perms; + +domain_use_interactive_fds(rtorrent_t) + +files_read_etc_files(rtorrent_t) + +miscfiles_read_localization(rtorrent_t) + +sysnet_dns_name_resolve(rtorrent_t) + +optional_policy(` + gen_require(` + type staff_t; + role staff_r; + ') + + rtorrent_run(staff_t, staff_r) +') type rtorrent_port_t; corenet_port(rtorrent_port_t) allow rtorrent_t rtorrent_port_t:tcp_socket name_bind; userdom_read_user_home_content_symlinks(rtorrent_t) +userdom_manage_user_home_content_files(rtorrent_t) +userdom_manage_user_home_content_dirs(rtorrent_t) -allow rtorrent_t self:process setpgid; -allow rtorrent_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; -allow rtorrent_t self:fifo_file rw_fifo_file_perms; -allow rtorrent_t self:tcp_socket create_stream_socket_perms; -allow rtorrent_t self:unix_stream_socket connectto; +allow rtorrent_t self:tcp_socket { accept listen }; -allow rtorrent_t self:netlink_route_socket { bind create nlmsg_read }; -allow rtorrent_t self:udp_socket { connect create getattr }; -nscd_shm_use(rtorrent_t) - -#corecmd_exec_shell(rtorrent_t) -corecmd_exec_bin(rtorrent_t) -# execute helper scripts -userdom_exec_user_bin_files(rtorrent_t) - -corenet_all_recvfrom_netlabel(rtorrent_t) -corenet_tcp_sendrecv_generic_if(rtorrent_t) -corenet_udp_sendrecv_generic_if(rtorrent_t) -corenet_tcp_sendrecv_generic_node(rtorrent_t) -corenet_udp_sendrecv_generic_node(rtorrent_t) 
-corenet_tcp_sendrecv_all_ports(rtorrent_t) -corenet_udp_sendrecv_all_ports(rtorrent_t) corenet_tcp_connect_all_ports(rtorrent_t) -corenet_sendrecv_all_client_packets(rtorrent_t) -corenet_udp_bind_all_unreserved_ports(rtorrent_t) -domain_use_interactive_fds(rtorrent_t) -auth_use_nsswitch(rtorrent_t) -miscfiles_map_generic_certs(rtorrent_t) fs_getattr_xattr_fs(rtorrent_t) userdom_use_inherited_user_terminals(rtorrent_t) -userdom_manage_user_home_content_files(rtorrent_t) -userdom_manage_user_home_content_dirs(rtorrent_t) +# this might be to much userdom_home_manager(rtorrent_t) userdom_filetrans_home_content(rtorrent_t) -userdom_stream_connect(rtorrent_t) optional_policy(` - tunable_policy(`rtorrent_send_mails',` - userdom_exec_user_bin_files(rtorrent_t) - userdom_exec_user_home_content_files(rtorrent_t) - files_manage_generic_tmp_files(rtorrent_t) - mta_send_mail(rtorrent_t) - ') + tunable_policy(`rtorrent_send_mails',` + userdom_exec_user_bin_files(rtorrent_t) + userdom_exec_user_home_content_files(rtorrent_t) + files_manage_generic_tmp_files(rtorrent_t) + mta_send_mail(rtorrent_t) + ') ') optional_policy(` - apache_manage_sys_content(rtorrent_t) - tunable_policy(`rtorrent_enable_rutorrent',` + apache_manage_sys_content(rtorrent_t) apache_exec_sys_content(rtorrent_t) ') ') +tunable_policy(`rtorrent_exec_scripts',` + # execute helper scripts + corecmd_exec_bin(rtorrent_t) + userdom_exec_user_bin_files(rtorrent_t) +') diff --git a/selinux-policy.changes b/selinux-policy.changes index e53d771..671e11c 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes 
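Review bot: With `userdom_manage_user_home_content_files(rtorrent_t)` now unconditional, the `rtorrent_send_mails` branch still grants `userdom_exec_user_home_content_files(rtorrent_t)`, so turning on the mail boolean lets the domain write an arbitrary file into the user's home and execute it, which undercuts the new `rtorrent_exec_scripts` tunable whose purpose is to make helper execution opt-in. Move the two `userdom_exec_*` calls out of the mail branch (`mta_send_mail` plus the `corecmd_exec_bin` already gated by `rtorrent_exec_scripts` should cover a sendmail wrapper) or gate them on `rtorrent_exec_scripts` as well, and extend that tunable's description to mention home-directory content if the exec stays. `userdom_home_manager(rtorrent_t)` is shipped with the author's own `# this might be to much` doubt; since the manage_user_home_content_{files,dirs} rules above presumably already cover the download directory, either drop it or replace the comment with the concrete access that still fails without it (and fix the typo to `too much`). The `optional_policy` block hardcoding `staff_t`/`staff_r` into this module is unusual—role assignment normally lives in the user role module via `rtorrent_role(staff_r, staff_t)`—and should at least be documented if kept.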
@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Thu Sep 29 12:54:15 UTC 2022 - Johannes Segitz
+
+- Update fix_networkmanager.patch to ensure NetworkManager chrony
+ dispatcher is properly labled and update fix_chronyd.patch to ensure
+ chrony helper script has proper label to be used by NetworkManager.
+ Also allow NetworkManager_dispatcher_custom_t to query systemd status
+ (bsc#1203824)
+
+-------------------------------------------------------------------
+Tue Sep 27 13:00:35 UTC 2022 - Filippo Bonazzi
+
+- Update fix_xserver.patch to add greetd support (bsc#1198559)
+
+-------------------------------------------------------------------
+Mon Sep 12 06:47:56 UTC 2022 - Johannes Segitz
+
+- Revamped rtorrent module
+
 -------------------------------------------------------------------
 Fri Aug 26 06:08:23 UTC 2022 - Thorsten Kukuk