Accepting request 914043 from home:akedroutek:branches:security:SELinux

- Added policy module for rebootmgr (jsc#SMO-28) OBS-URL: https://build.opensuse.org/request/show/914043 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=116
2021-08-24 14:50:15 +00:00 · 2021-08-24 14:50:15 +00:00 · 87ac70638e
commit 87ac70638e
parent e9e2930221
7 changed files with 111 additions and 2 deletions
--- a/modules-minimum-base.conf
+++ b/modules-minimum-base.conf
@ -412,4 +412,3 @@ packagekit = module
 # Name service cache daemon
 # 
 nscd = module
-
--- a/modules-targeted-base.conf
+++ b/modules-targeted-base.conf
@ -412,3 +412,10 @@ rtorrent = module
 # Policy for wicked
 #
 wicked = module
+
+# Layer: system
+# Module: rebootmgr
+#
+# Policy for rebootmgr
+#
+rebootmgr = module
--- a/rebootmgr.fc
+++ b/rebootmgr.fc
@ -0,0 +1 @@
+/usr/sbin/rebootmgrd		--	gen_context(system_u:object_r:rebootmgr_exec_t,s0)
--- a/rebootmgr.if
+++ b/rebootmgr.if
@ -0,0 +1,61 @@
+
+## <summary>policy for rebootmgr</summary>
+
+########################################
+## <summary>
+##	Execute rebootmgr_exec_t in the rebootmgr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`rebootmgr_domtrans',`
+	gen_require(`
+		type rebootmgr_t, rebootmgr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, rebootmgr_exec_t, rebootmgr_t)
+')
+
+######################################
+## <summary>
+##	Execute rebootmgr in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rebootmgr_exec',`
+	gen_require(`
+		type rebootmgr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, rebootmgr_exec_t)
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	rebootmgr over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rebootmgr_dbus_chat',`
+	gen_require(`
+		type rebootmgr_t;
+		class dbus send_msg;
+	')
+
+	allow $1 rebootmgr_t:dbus send_msg;
+	allow rebootmgr_t $1:dbus send_msg;
+')
--- a/rebootmgr.te
+++ b/rebootmgr.te
@ -0,0 +1,33 @@
+policy_module(rebootmgr, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type rebootmgr_t;
+type rebootmgr_exec_t;
+init_daemon_domain(rebootmgr_t, rebootmgr_exec_t)
+
+permissive rebootmgr_t;
+
+########################################
+#
+# rebootmgr local policy
+#
+allow rebootmgr_t self:process { fork };
+allow rebootmgr_t self:fifo_file rw_fifo_file_perms;
+allow rebootmgr_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(rebootmgr_t)
+
+files_read_etc_files(rebootmgr_t)
+
+logging_send_syslog_msg(rebootmgr_t)
+
+miscfiles_read_localization(rebootmgr_t)
+
+optional_policy(`
+	dbus_system_bus_client(rebootmgr_t)
+	dbus_connect_system_bus(rebootmgr_t)
+')
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Aug 23 15:43:28 UTC 2021 - Ales Kedroutek <ales.kedroutek@suse.com>
+
+- Added policy module for rebootmgr (jsc#SMO-28) 
+
 -------------------------------------------------------------------
 Tue Aug 17 16:03:08 UTC 2021 - Ludwig Nussel <lnussel@suse.de>

--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -81,6 +81,9 @@ Source125:      rtorrent.fc
 Source126:      wicked.te
 Source127:      wicked.if
 Source128:      wicked.fc
+Source129:      rebootmgr.te
+Source130:      rebootmgr.if
+Source131:      rebootmgr.fc

 Patch001:       fix_djbdns.patch
 Patch002:       fix_dbus.patch
@ -422,7 +425,7 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15}
 cp $i selinux_config
 done

-for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do
+for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128} %{SOURCE129} %{SOURCE130} %{SOURCE131}; do
 cp $i policy/modules/contrib
 done
				`@ -0,0 +1 @@`
				`/usr/sbin/rebootmgrd -- gen_context(system_u:object_r:rebootmgr_exec_t,s0)`