Accepting request 1042948 from home:jsegitz:branches:security:SELinux

- Add fix_sendmail.patch * fix context of custom sendmail startup helper * fix context of /var/run/sendmail and add necessary rules to manage content in there OBS-URL: https://build.opensuse.org/request/show/1042948 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=163
2022-12-14 15:43:48 +00:00 · 2022-12-14 15:43:48 +00:00 · 48d925e070
commit 48d925e070
parent 9deff280f8
3 changed files with 41 additions and 0 deletions
--- a/fix_sendmail.patch
+++ b/fix_sendmail.patch
@ -0,0 +1,32 @@
+Index: fedora-policy-20221019/policy/modules/contrib/sendmail.fc
+===================================================================
+--- fedora-policy-20221019.orig/policy/modules/contrib/sendmail.fc
+++ fedora-policy-20221019/policy/modules/contrib/sendmail.fc
+@@ -1,8 +1,9 @@
+ 
+ /etc/rc\.d/init\.d/sendmail --  gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
+/etc/mail/system/sm-client.pre --  gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
+ 
+ /var/log/sendmail\.st.*		--	gen_context(system_u:object_r:sendmail_log_t,s0)
+ /var/log/mail(/.*)?			gen_context(system_u:object_r:sendmail_log_t,s0)
+ 
+-/var/run/sendmail\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/var/run/sendmail(/.*)?                 gen_context(system_u:object_r:sendmail_var_run_t,s0)
+ /var/run/sm-client\.pid		--	gen_context(system_u:object_r:sendmail_var_run_t,s0)
+Index: fedora-policy-20221019/policy/modules/contrib/sendmail.te
+===================================================================
+--- fedora-policy-20221019.orig/policy/modules/contrib/sendmail.te
+++ fedora-policy-20221019/policy/modules/contrib/sendmail.te
+@@ -60,8 +60,10 @@ manage_dirs_pattern(sendmail_t, sendmail
+ manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
+ files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
+ 
+-allow sendmail_t sendmail_var_run_t:file manage_file_perms;
+-files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
+manage_dirs_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
+manage_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
+manage_sock_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
+files_pid_filetrans(sendmail_t, sendmail_var_run_t,  { file dir })
+ 
+ kernel_read_network_state(sendmail_t)
+ kernel_read_kernel_sysctls(sendmail_t)
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Dec 14 09:16:26 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
+
+- Add fix_sendmail.patch 
+  * fix context of custom sendmail startup helper
+  * fix context of /var/run/sendmail and add necessary rules to manage
+    content in there
+
 -------------------------------------------------------------------
 Tue Dec 13 08:36:01 UTC 2022 - Johannes Segitz <jsegitz@suse.com>

--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -146,6 +146,7 @@ Patch061:       fix_userdomain.patch
 Patch062:       fix_cloudform.patch
 Patch063:       fix_alsa.patch
 Patch064:       dontaudit_interface_kmod_tmpfs.patch
+Patch065:       fix_sendmail.patch

 Patch100:       sedoctool.patch