From d25433c6c5fc2230a413b372fd7236a7c539ae8cb0eb7095b6031c83eff8e8be Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Thu, 29 Sep 2022 14:06:49 +0000
Subject: [PATCH] Accepting request 1006965 from home:jsegitz:branches:security:SELinux

- Update fix_networkmanager.patch to ensure NetworkManager chrony dispatcher is properly labled and update fix_chronyd.patch to ensure chrony helper script has proper label to be used by NetworkManager (bsc#1203824)
>>>>>>> ./selinux-policy.changes.new
- Revamped rtorrent module

OBS-URL: https://build.opensuse.org/request/show/1006965
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=147
---
 fix_chronyd.patch | 15 ++++---
 fix_networkmanager.patch | 12 +++++
 rtorrent.fc | 2 +-
 rtorrent.if | 94 +++++++++++++++++-----------------------
 rtorrent.te | 85 ++++++++++++++++++------------------
 selinux-policy.changes | 14 ++++++
 6 files changed, 118 insertions(+), 104 deletions(-)

diff --git a/fix_chronyd.patch b/fix_chronyd.patch
index 4ec73ce..a4daca5 100644
--- a/fix_chronyd.patch
+++ b/fix_chronyd.patch
@@ -1,7 +1,7 @@
-Index: fedora-policy-20211111/policy/modules/contrib/chronyd.te
+Index: fedora-policy-20220714/policy/modules/contrib/chronyd.te
 ===================================================================
---- fedora-policy-20211111.orig/policy/modules/contrib/chronyd.te
-+++ fedora-policy-20211111/policy/modules/contrib/chronyd.te
+--- fedora-policy-20220714.orig/policy/modules/contrib/chronyd.te
++++ fedora-policy-20220714/policy/modules/contrib/chronyd.te
 @@ -141,6 +141,14 @@ systemd_exec_systemctl(chronyd_t)
  userdom_dgram_send(chronyd_t)
@@ -17,15 +17,16 @@ Index: fedora-policy-20211111/policy/modules/contrib/chronyd.te
 cron_dgram_send(chronyd_t)
 ')
-Index: fedora-policy-20211111/policy/modules/contrib/chronyd.fc
+Index: fedora-policy-20220714/policy/modules/contrib/chronyd.fc
 ===================================================================
---- fedora-policy-20211111.orig/policy/modules/contrib/chronyd.fc
-+++ fedora-policy-20211111/policy/modules/contrib/chronyd.fc
-@@ -6,6 +6,7 @@
+--- fedora-policy-20220714.orig/policy/modules/contrib/chronyd.fc
++++ fedora-policy-20220714/policy/modules/contrib/chronyd.fc
+@@ -6,6 +6,8 @@
 /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
 /usr/libexec/chrony-helper -- gen_context(system_u:object_r:chronyd_exec_t,s0)
 +/usr/lib/chrony/helper -- gen_context(system_u:object_r:chronyd_exec_t,s0)
++/usr/libexec/chrony/helper -- gen_context(system_u:object_r:chronyd_exec_t,s0)
 /usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0)
diff --git a/fix_networkmanager.patch b/fix_networkmanager.patch
index 1db6e5c..d53de95 100644
--- a/fix_networkmanager.patch
+++ b/fix_networkmanager.patch
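Review bot: The added `++/usr/libexec/chrony/helper -- gen_context(system_u:object_r:chronyd_exec_t,s0)` entry labels the helper script with the daemon's own entrypoint type, so every domain that has a transition on chronyd_exec_t (the NetworkManager dispatcher, per the changelog) will run that script in the full chronyd_t domain rather than in a narrower helper domain. This mirrors the existing `/usr/libexec/chrony-helper` line and so looks deliberate, but the patch header should say which callers depend on it, and the script must not be writable by any less-privileged domain or it becomes a path into chronyd_t — confirm ownership/mode in the chrony package. The chronyd.te part of this patch (the rules at `@@ -141,6 +141,14 @@`) is outside this hunk and was not reviewed.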
@@ -65,3 +65,15 @@ Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.if
 ########################################
 ##
 ## Execute NetworkManager server in the NetworkManager domain.
+Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.fc
+===================================================================
+--- fedora-policy-20220714.orig/policy/modules/contrib/networkmanager.fc
++++ fedora-policy-20220714/policy/modules/contrib/networkmanager.fc
+@@ -24,6 +24,7 @@
+ /usr/lib/NetworkManager/dispatcher\.d/04-iscsi -- gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0)
+ /usr/lib/NetworkManager/dispatcher\.d/10-sendmail -- gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0)
+ /usr/lib/NetworkManager/dispatcher\.d/11-dhclient -- gen_context(system_u:object_r:NetworkManager_dispatcher_dhclient_script_t,s0)
++/usr/lib/NetworkManager/dispatcher\.d/20-chrony -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
+ /usr/lib/NetworkManager/dispatcher\.d/20-chrony-dhcp -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
+ /usr/lib/NetworkManager/dispatcher\.d/20-chrony-onoffline -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
+ /usr/lib/NetworkManager/dispatcher\.d/30-winbind -- gen_context(system_u:object_r:NetworkManager_dispatcher_winbind_script_t,s0)
diff --git a/rtorrent.fc b/rtorrent.fc
index 24f879f..562f8ad 100644
--- a/rtorrent.fc
+++ b/rtorrent.fc
@@ -1 +1 @@
-/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0)
+/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0)
diff --git a/rtorrent.if b/rtorrent.if
index 830e349..9ea4193 100644
--- a/rtorrent.if
+++ b/rtorrent.if
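Review bot: The new `20-chrony` entry only changes behaviour once that path is actually relabeled; nothing in this hunk or in the changelog shows a restorecon/fixfiles step, so on an upgraded system the dispatcher script keeps whatever context it has today (and therefore its current domain) until a relabel runs — confirm the spec's %post covers it, since that is precisely the bsc#1203824 symptom. The file-context matcher applies the pattern to the whole path, so `20-chrony` will not also capture the `20-chrony-dhcp` and `20-chrony-onoffline` entries beneath it.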
@@ -1,49 +1,14 @@
-## Policy for rtorrent.
-############################################################
-##
-## Role access for rtorrent
-##
-##
-##
-## Role allowed access
-##
-##
-##
-## User domain for the role
-##
-##
-#
-interface(`rtorrent_role',`
- gen_require(`
- attribute_role rtorrent_roles;
- type rtorrent_t, rtorrent_exec_t;
- ')
-
- roleattribute $1 rtorrent_roles;
-
- # transition from the userdomain to the derived domain
- domtrans_pattern($2, rtorrent_exec_t, rtorrent_t)
-
- # allow ps to show rtorrent
- ps_process_pattern($2, rtorrent_t)
- allow $2 rtorrent_t:process { signull sigstop signal sigkill };
-
- ifdef(`hide_broken_symptoms',`
- #Leaked File Descriptors
- dontaudit rtorrent_t $2:fifo_file rw_fifo_file_perms;
- ')
-')
+## policy for rtorrent
 ########################################
 ##
-## Transition to a user torrent domain.
+## Execute rtorrent_exec_t in the rtorrent domain.
 ##
 ##
-##
+##
 ## Domain allowed to transition.
-##
+##
 ##
 #
 interface(`rtorrent_domtrans',`
@@ -51,12 +16,13 @@ interface(`rtorrent_domtrans',`
 type rtorrent_t, rtorrent_exec_t;
 ')
+ corecmd_search_bin($1)
 domtrans_pattern($1, rtorrent_exec_t, rtorrent_t)
 ')
 ######################################
 ##
-## Execute torrent in the caller domain.
+## Execute rtorrent in the caller domain.
 ##
 ##
 ##
@@ -73,39 +39,57 @@ interface(`rtorrent_exec',`
 can_exec($1, rtorrent_exec_t)
 ')
-######################################
+########################################
 ##
-## Make rtorrent an entrypoint for
-## the specified domain.
+## Execute rtorrent in the rtorrent domain, and
+## allow the specified role the rtorrent domain.
 ##
 ##
-##
-## The domain for which cifs_t is an entrypoint.
-##
+##
+## Domain allowed to transition
+##
+##
+##
+## The role to be allowed the rtorrent domain.
+##
 ##
 #
-interface(`rtorrent_entry_type',`
- gen_require(`
- type rtorrent_exec_t;
- ')
+interface(`rtorrent_run',`
+ gen_require(`
+ type rtorrent_t;
+ attribute_role rtorrent_roles;
+ ')
- domain_entry_file($1, rtorrent_exec_t)
+ rtorrent_domtrans($1)
+ roleattribute $2 rtorrent_roles;
 ')
 ########################################
 ##
-## Send generic signals to user rtorrent processes.
+## Role access for rtorrent
 ##
+##
+##
+## Role allowed access
+##
+##
 ##
 ##
-## Domain allowed access.
+## User domain for the role
 ##
 ##
 #
-interface(`rtorrent_signal',`
+interface(`rtorrent_role',`
 gen_require(`
 type rtorrent_t;
+ attribute_role rtorrent_roles;
 ')
- allow $1 rtorrent_t:process signal;
+ roleattribute $1 rtorrent_roles;
+
+ rtorrent_domtrans($2)
+
+ ps_process_pattern($2, rtorrent_t)
+ allow $2 rtorrent_t:process { signull signal sigkill };
 ')
diff --git a/rtorrent.te b/rtorrent.te
index dcf4d43..996f7a7 100644
--- a/rtorrent.te
+++ b/rtorrent.te
@@ -1,4 +1,4 @@
-policy_module(rtorrent, 1.0.1)
+policy_module(rtorrent, 1.0.0)
 ########################################
 #
@@ -18,81 +18,84 @@ gen_tunable(rtorrent_send_mails, false)
 ##
 gen_tunable(rtorrent_enable_rutorrent, false)
-attribute rtorrentdomain;
+##
+##
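Review bot: `rtorrent_entry_type` and `rtorrent_signal` are deleted outright, so any other module in the tree that calls them will fail at policy build time; either grep the policy sources for callers before landing this, or keep the two names as thin deprecated wrappers for one release. The new `rtorrent_role` also open-codes exactly what the new `rtorrent_run` provides (`roleattribute $1 rtorrent_roles;` plus `rtorrent_domtrans($2)`); calling `rtorrent_run($2, $1)` there keeps a single definition of the role/transition pairing. The `<param>` documentation blocks appear to have lost their XML tags in this rendering, so the doc side of these interfaces could not be checked.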
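Review bot: `policy_module(rtorrent, 1.0.0)` lowers the module version from 1.0.1 while the rest of this commit rewrites the module; a substantive rewrite should move the version forward (e.g. `policy_module(rtorrent, 1.1.0)`) so that, where the tooling still reports module versions, a rebuilt package is distinguishable from the old one. The remainder of the file header is outside this hunk.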

+## Allow rtorrent to execute helper scripts in home directories
+##

+##
+gen_tunable(rtorrent_exec_scripts, false)
 attribute_role rtorrent_roles;
 roleattribute system_r rtorrent_roles;
 type rtorrent_t;
 type rtorrent_exec_t;
-userdom_user_application_domain(rtorrent_t, rtorrent_exec_t)
+application_domain(rtorrent_t, rtorrent_exec_t)
 role rtorrent_roles types rtorrent_t;
 ########################################
 #
 # rtorrent local policy
 #
+allow rtorrent_t self:process { fork signal_perms };
-corenet_tcp_bind_commplex_main_port(rtorrent_t)
+allow rtorrent_t self:fifo_file manage_fifo_file_perms;
+allow rtorrent_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(rtorrent_t)
+
+files_read_etc_files(rtorrent_t)
+
+miscfiles_read_localization(rtorrent_t)
+
+sysnet_dns_name_resolve(rtorrent_t)
+
+optional_policy(`
+ gen_require(`
+ type staff_t;
+ role staff_r;
+ ')
+
+ rtorrent_run(staff_t, staff_r)
+')
 type rtorrent_port_t;
 corenet_port(rtorrent_port_t)
 allow rtorrent_t rtorrent_port_t:tcp_socket name_bind;
 userdom_read_user_home_content_symlinks(rtorrent_t)
+userdom_manage_user_home_content_files(rtorrent_t)
+userdom_manage_user_home_content_dirs(rtorrent_t)
-allow rtorrent_t self:process setpgid;
-allow rtorrent_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
-allow rtorrent_t self:fifo_file rw_fifo_file_perms;
-allow rtorrent_t self:tcp_socket create_stream_socket_perms;
-allow rtorrent_t self:unix_stream_socket connectto;
+allow rtorrent_t self:tcp_socket { accept listen };
-allow rtorrent_t self:netlink_route_socket { bind create nlmsg_read };
-allow rtorrent_t self:udp_socket { connect create getattr };
-nscd_shm_use(rtorrent_t)
-
-#corecmd_exec_shell(rtorrent_t)
-corecmd_exec_bin(rtorrent_t)
-# execute helper scripts
-userdom_exec_user_bin_files(rtorrent_t)
-
-corenet_all_recvfrom_netlabel(rtorrent_t)
-corenet_tcp_sendrecv_generic_if(rtorrent_t)
-corenet_udp_sendrecv_generic_if(rtorrent_t)
-corenet_tcp_sendrecv_generic_node(rtorrent_t)
-corenet_udp_sendrecv_generic_node(rtorrent_t)
-corenet_tcp_sendrecv_all_ports(rtorrent_t)
-corenet_udp_sendrecv_all_ports(rtorrent_t)
 corenet_tcp_connect_all_ports(rtorrent_t)
-corenet_sendrecv_all_client_packets(rtorrent_t)
-corenet_udp_bind_all_unreserved_ports(rtorrent_t)
-domain_use_interactive_fds(rtorrent_t)
-auth_use_nsswitch(rtorrent_t)
-miscfiles_map_generic_certs(rtorrent_t)
 fs_getattr_xattr_fs(rtorrent_t)
 userdom_use_inherited_user_terminals(rtorrent_t)
-userdom_manage_user_home_content_files(rtorrent_t)
-userdom_manage_user_home_content_dirs(rtorrent_t)
+# this might be to much
 userdom_home_manager(rtorrent_t)
 userdom_filetrans_home_content(rtorrent_t)
-userdom_stream_connect(rtorrent_t)
 optional_policy(`
- tunable_policy(`rtorrent_send_mails',`
- userdom_exec_user_bin_files(rtorrent_t)
- userdom_exec_user_home_content_files(rtorrent_t)
- files_manage_generic_tmp_files(rtorrent_t)
- mta_send_mail(rtorrent_t)
- ')
+ tunable_policy(`rtorrent_send_mails',`
+ userdom_exec_user_bin_files(rtorrent_t)
+ userdom_exec_user_home_content_files(rtorrent_t)
+ files_manage_generic_tmp_files(rtorrent_t)
+ mta_send_mail(rtorrent_t)
+ ')
 ')
 optional_policy(`
- apache_manage_sys_content(rtorrent_t)
- tunable_policy(`rtorrent_enable_rutorrent',`
+ apache_manage_sys_content(rtorrent_t)
 apache_exec_sys_content(rtorrent_t)
 ')
 ')
+tunable_policy(`rtorrent_exec_scripts',`
+ # execute helper scripts
+ corecmd_exec_bin(rtorrent_t)
+ userdom_exec_user_bin_files(rtorrent_t)
+')
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 2dc52d7..4c2c0ba 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
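Review bot: As the hunk reads, the ``tunable_policy(`rtorrent_enable_rutorrent',` `` opener is removed from the apache `optional_policy` block while its closing `')` and `apache_exec_sys_content(rtorrent_t)` stay, which leaves the block with an unmatched `')` and grants apache_exec_sys_content regardless of the still-declared `rtorrent_enable_rutorrent` boolean; if a line was lost in rendering disregard, otherwise the ``tunable_policy(`rtorrent_enable_rutorrent',` `` line needs to go back directly above `apache_exec_sys_content(rtorrent_t)`. Separately, `userdom_home_manager(rtorrent_t)` — which the new `# this might be to much` comment already doubts — hands a client that connects to arbitrary peers (`corenet_tcp_connect_all_ports`) manage rights over every user-home content type in refpolicy-derived trees, presumably including ssh and gpg material; rtorrent_t already receives `userdom_manage_user_home_content_files/dirs` and `userdom_filetrans_home_content`, so dropping home_manager, or confining downloads to a dedicated home-content type, is the tighter choice. Gating the former unconditional `corecmd_exec_bin`/`userdom_exec_user_bin_files` grants behind the new `rtorrent_exec_scripts` tunable is the right shape.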
@@ -1,8 +1,22 @@
+-------------------------------------------------------------------
+Thu Sep 29 12:54:15 UTC 2022 - Johannes Segitz
+
+- Update fix_networkmanager.patch to ensure NetworkManager chrony
+ dispatcher is properly labled and update fix_chronyd.patch to ensure
+ chrony helper script has proper label to be used by NetworkManager
+ (bsc#1203824)
+
 -------------------------------------------------------------------
 Tue Sep 27 13:00:35 UTC 2022 - Filippo Bonazzi
 - Update fix_xserver.patch to add greetd support (bsc#1198559)
+-------------------------------------------------------------------
+>>>>>>> ./selinux-policy.changes.new
+Mon Sep 12 06:47:56 UTC 2022 - Johannes Segitz
+
+- Revamped rtorrent module
+
 -------------------------------------------------------------------
 Fri Aug 26 06:08:23 UTC 2022 - Thorsten Kukuk
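Review bot: `+>>>>>>> ./selinux-policy.changes.new` is a leftover merge-conflict marker being committed into the changelog, sitting between the separator and the date line of the Sep 12 entry; it has also leaked into this commit's message, so the line should be deleted and the request resubmitted before it lands. While here, `labled` in the Sep 29 entry should read `labeled`.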