Accepting request 1042962 from home:cahu:branches:security:SELinux

- Added policy for wicked scripts under /etc/sysconfig/network/scripts (bnc#1205770) OBS-URL: https://build.opensuse.org/request/show/1042962 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=164
2022-12-15 09:32:29 +00:00 · 2022-12-15 09:32:29 +00:00 · 60d1d0d29a
commit 60d1d0d29a
parent 48d925e070
4 changed files with 81 additions and 0 deletions
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Dec 14 15:40:12 UTC 2022 - Hu <cathy.hu@suse.com>
+
+- Added policy for wicked scripts under /etc/sysconfig/network/scripts
+  (bnc#1205770)
+
 -------------------------------------------------------------------
 Wed Dec 14 09:16:26 UTC 2022 - Johannes Segitz <jsegitz@suse.com>

--- a/wicked.fc
+++ b/wicked.fc
@ -45,3 +45,6 @@
 #/etc/dbus-1/system.d/org.opensuse.Network.Nanny.conf
 #/etc/dbus-1/system.d/org.opensuse.Network.conf

+/etc/sysconfig/network/scripts(/.*)?	gen_context(system_u:object_r:wicked_script_t,s0)
+/etc/sysconfig/network/scripts/samba-winbindd	--	gen_context(system_u:object_r:wicked_winbind_script_t,s0)
+/etc/sysconfig/network/scripts/dhcpd-restart-hook	--	gen_context(system_u:object_r:wicked_dhcp_script_t,s0)
--- a/wicked.if
+++ b/wicked.if
@ -652,3 +652,27 @@ interface(`wicked_filetrans_named_content',`
 	files_etc_filetrans($1, wicked_var_lib_t, file, "state-8.xml")
 	files_etc_filetrans($1, wicked_var_lib_t, file, "state-9.xml")
 ')
+
+########################################
+## <summary>
+##	Create a set of derived types for various wicked scripts
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The name to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`wicked_script_template',`
+	gen_require(`
+		attribute wicked_plugin, wicked_script;
+		type wicked_t;
+	')
+
+	type wicked_$1_t, wicked_plugin;
+	type wicked_$1_script_t, wicked_script;
+	application_domain(wicked_$1_t, wicked_$1_script_t)
+	role system_r types wicked_$1_t;
+
+	domtrans_pattern(wicked_t, wicked_$1_script_t, wicked_$1_t)
+')
--- a/wicked.te
+++ b/wicked.te
@ -33,6 +33,20 @@ files_type(wicked_var_lib_t)
 type wicked_var_run_t;
 files_pid_file(wicked_var_run_t)

+
+# Wicked scripts
+
+attribute wicked_plugin;
+attribute wicked_script;
+type wicked_script_t, wicked_script;
+type wicked_custom_t, wicked_plugin;
+role system_r types wicked_custom_t;
+application_domain(wicked_custom_t, wicked_script_t)
+domtrans_pattern(wicked_t, wicked_script_t, wicked_custom_t)
+
+wicked_script_template(winbind);
+wicked_script_template(dhcp);
+
 #type wpa_cli_t;
 #type wpa_cli_exec_t;
 #init_system_domain(wpa_cli_t, wpa_cli_exec_t)
@ -240,6 +254,20 @@ wicked_systemctl(wicked_t)

 sysnet_manage_config_dirs(wicked_t)

+
+# Wicked scripts
+
+list_dirs_pattern(wicked_t, wicked_script_t, wicked_script)
+read_files_pattern(wicked_t, wicked_script_t, wicked_script)
+read_lnk_files_pattern(wicked_t, wicked_script_t, wicked_script)
+list_dirs_pattern(wicked_plugin, wicked_script_t, wicked_script_t)
+read_lnk_files_pattern(wicked_plugin, wicked_script_t, wicked_script)
+
+auth_read_passwd(wicked_plugin)
+
+corecmd_exec_bin(wicked_plugin)
+corecmd_exec_shell(wicked_winbind_t)
+
 #tunable_policy(`use_nfs_home_dirs',`
 #    fs_read_nfs_files(wicked_t)
 #')
@ -498,6 +526,26 @@ optional_policy(`
 	networkmanager_dbus_chat(wicked_t)
 ')

+optional_policy(`
+	logging_send_syslog_msg(wicked_winbind_t)
+')
+
+optional_policy(`
+	sysnet_exec_ifconfig(wicked_plugin)
+	sysnet_read_config(wicked_plugin)
+')
+
+optional_policy(`
+	systemd_exec_systemctl(wicked_winbind_t)
+	systemd_exec_systemctl(wicked_dhcp_t)
+')
+
+optional_policy(`
+	samba_domtrans_smbcontrol(wicked_winbind_t)
+	samba_read_config(wicked_winbind_t)
+	samba_service_status(wicked_winbind_t)
+')
+
 #tunable_policy(`use_ecryptfs_home_dirs',`
 #fs_manage_ecryptfs_files(wicked_t)
 #')