From 60d1d0d29a3977b247050a322962b21eae38f7c502774a0b249817dfefa2ebfa Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Thu, 15 Dec 2022 09:32:29 +0000
Subject: [PATCH] Accepting request 1042962 from home:cahu:branches:security:SELinux

- Added policy for wicked scripts under /etc/sysconfig/network/scripts (bnc#1205770)

OBS-URL: https://build.opensuse.org/request/show/1042962
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=164
---
 selinux-policy.changes | 6 ++++++
 wicked.fc | 3 +++
 wicked.if | 24 +++++++++++++++++++++
 wicked.te | 48 ++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 81 insertions(+)

diff --git a/selinux-policy.changes b/selinux-policy.changes
index 0b441ea..fe1e438 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Dec 14 15:40:12 UTC 2022 - Hu
+
+- Added policy for wicked scripts under /etc/sysconfig/network/scripts
+ (bnc#1205770)
+
 -------------------------------------------------------------------
 Wed Dec 14 09:16:26 UTC 2022 - Johannes Segitz
 
diff --git a/wicked.fc b/wicked.fc
index 95a44f8..8b84838 100644
--- a/wicked.fc
+++ b/wicked.fc
@@ -45,3 +45,6 @@
 #/etc/dbus-1/system.d/org.opensuse.Network.Nanny.conf
 #/etc/dbus-1/system.d/org.opensuse.Network.conf
+/etc/sysconfig/network/scripts(/.*)? gen_context(system_u:object_r:wicked_script_t,s0)
+/etc/sysconfig/network/scripts/samba-winbindd -- gen_context(system_u:object_r:wicked_winbind_script_t,s0)
+/etc/sysconfig/network/scripts/dhcpd-restart-hook -- gen_context(system_u:object_r:wicked_dhcp_script_t,s0)
diff --git a/wicked.if b/wicked.if
index 313ff5e..0246cda 100644
--- a/wicked.if
+++ b/wicked.if
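Review bot: The three new file contexts in wicked.fc are undocumented, and the catch-all `/etc/sysconfig/network/scripts(/.*)?` in particular deserves a comment, because wicked_script_t is the entrypoint label of the generic wicked_custom_t domain (wicked.te adds `domtrans_pattern(wicked_t, wicked_script_t, wicked_custom_t)`): anything placed in that tree that is not matched by a more specific entry becomes an executable that wicked_t transitions into. I would add `# Hook scripts executed by wicked: the generic rule is the entrypoint of wicked_custom_t; each per-script type below needs a matching wicked_script_template() call in wicked.te` above the first new line. The two `--` entries are correctly listed after the generic pattern, as the more specific path takes precedence for those files.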
@@ -652,3 +652,27 @@ interface(`wicked_filetrans_named_content',`
 files_etc_filetrans($1, wicked_var_lib_t, file, "state-8.xml")
 files_etc_filetrans($1, wicked_var_lib_t, file, "state-9.xml")
 ')
+
+########################################
+##
+## Create a set of derived types for various wicked scripts
+##
+##
+##
+## The name to be used for deriving type names.
+##
+##
+#
+template(`wicked_script_template',`
+ gen_require(`
+ attribute wicked_plugin, wicked_script;
+ type wicked_t;
+ ')
+
+ type wicked_$1_t, wicked_plugin;
+ type wicked_$1_script_t, wicked_script;
+ application_domain(wicked_$1_t, wicked_$1_script_t)
+ role system_r types wicked_$1_t;
+
+ domtrans_pattern(wicked_t, wicked_$1_script_t, wicked_$1_t)
+')
diff --git a/wicked.te b/wicked.te
index a5f49ed..8747b97 100644
--- a/wicked.te
+++ b/wicked.te
@@ -33,6 +33,20 @@ files_type(wicked_var_lib_t)
 type wicked_var_run_t;
 files_pid_file(wicked_var_run_t)
 
+
+# Wicked scripts
+
+attribute wicked_plugin;
+attribute wicked_script;
+type wicked_script_t, wicked_script;
+type wicked_custom_t, wicked_plugin;
+role system_r types wicked_custom_t;
+application_domain(wicked_custom_t, wicked_script_t)
+domtrans_pattern(wicked_t, wicked_script_t, wicked_custom_t)
+
+wicked_script_template(winbind);
+wicked_script_template(dhcp);
+
 #type wpa_cli_t;
 #type wpa_cli_exec_t;
 #init_system_domain(wpa_cli_t, wpa_cli_exec_t)
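Review bot: The documentation of `wicked_script_template` should spell out its preconditions and what it leaves to the caller: it depends on the `wicked_plugin` and `wicked_script` attributes and on `wicked_t` being declared in wicked.te (the `gen_require` shows this), it only creates the transition from wicked_t, and it labels no file, so every call has to be paired with a `wicked_$1_script_t` entry in wicked.fc or the derived domain is never entered. I would extend the summary with `Creates wicked_$1_t (domain, wicked_plugin) and wicked_$1_script_t (entrypoint, wicked_script) and the wicked_t transition; the caller must add a matching wicked.fc entry for the script`. Since the `$1` prefix is spliced straight into type names, the parameter description could also say it must be a plain identifier fragment such as `winbind`.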
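Review bot: `wicked_script_template(winbind);` and `wicked_script_template(dhcp);` end in a `;`, unlike every other macro call in this hunk (`application_domain(...)`, `domtrans_pattern(...)`); m4 passes the stray semicolon into the expanded policy, which the build evidently tolerates, but for consistency they should read `wicked_script_template(winbind)` and `wicked_script_template(dhcp)`. The `# Wicked scripts` comment would carry more weight if it named the role of each new attribute, e.g. `# wicked_plugin: domains of hook scripts started by wicked; wicked_script: their entrypoint file types. wicked_custom_t is the catch-all domain for scripts without a dedicated type`, since that split is what the rules later in wicked.te rely on.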
@@ -240,6 +254,20 @@ wicked_systemctl(wicked_t)
 sysnet_manage_config_dirs(wicked_t)
 
+
+# Wicked scripts
+
+list_dirs_pattern(wicked_t, wicked_script_t, wicked_script)
+read_files_pattern(wicked_t, wicked_script_t, wicked_script)
+read_lnk_files_pattern(wicked_t, wicked_script_t, wicked_script)
+list_dirs_pattern(wicked_plugin, wicked_script_t, wicked_script_t)
+read_lnk_files_pattern(wicked_plugin, wicked_script_t, wicked_script)
+
+auth_read_passwd(wicked_plugin)
+
+corecmd_exec_bin(wicked_plugin)
+corecmd_exec_shell(wicked_winbind_t)
+
 #tunable_policy(`use_nfs_home_dirs',`
 # fs_read_nfs_files(wicked_t)
 #')
@@ -498,6 +526,26 @@ optional_policy(`
 networkmanager_dbus_chat(wicked_t)
 ')
 
+optional_policy(`
+ logging_send_syslog_msg(wicked_winbind_t)
+')
+
+optional_policy(`
+ sysnet_exec_ifconfig(wicked_plugin)
+ sysnet_read_config(wicked_plugin)
+')
+
+optional_policy(`
+ systemd_exec_systemctl(wicked_winbind_t)
+ systemd_exec_systemctl(wicked_dhcp_t)
+')
+
+optional_policy(`
+ samba_domtrans_smbcontrol(wicked_winbind_t)
+ samba_read_config(wicked_winbind_t)
+ samba_service_status(wicked_winbind_t)
+')
+
 #tunable_policy(`use_ecryptfs_home_dirs',`
 #fs_manage_ecryptfs_files(wicked_t)
 #')
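Review bot: `corecmd_exec_shell(wicked_winbind_t)` grants the shell interpreter to the winbind domain only, while `corecmd_exec_bin(wicked_plugin)` goes to the whole attribute; the shell is labelled shell_exec_t rather than bin_t, so if dhcpd-restart-hook or any script that lands in wicked_custom_t is a shell script, executing its interpreter after the transition will presumably be denied. Either widen it to `corecmd_exec_shell(wicked_plugin)` or add a comment stating why only the winbind hook needs a shell. Separately, `list_dirs_pattern(wicked_plugin, wicked_script_t, wicked_script_t)` passes the type as the third argument whereas the neighbouring rules use the `wicked_script` attribute; if plugins are meant to list only the top-level directory that is fine but should be commented, otherwise the last argument should be `wicked_script` like the others.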
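Review bot: `systemd_exec_systemctl()` only lets wicked_winbind_t and wicked_dhcp_t execute the systemctl binary; if those hooks restart or reload a unit, systemctl also has to talk to systemd over D-Bus, which nothing in this hunk grants to either domain, so confirm against the hooks and add the init/systemd D-Bus interface this policy uses elsewhere if the denial shows up. Each new `optional_policy` block would read better with a one-line comment naming the hook it serves, e.g. `# samba-winbindd hook: notifies winbind via smbcontrol and queries the unit state`. Syslog access is granted to wicked_winbind_t only; if the dhcp hook logs as well, `logging_send_syslog_msg(wicked_dhcp_t)` is missing too.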