diff --git a/file_contexts.subs_dist b/file_contexts.subs_dist index 10c5abe..767073d 100644 --- a/file_contexts.subs_dist +++ b/file_contexts.subs_dist @@ -12,3 +12,5 @@ /run/systemd/generator /usr/lib/systemd/system /var/lib/xguest/home /home /var/run/netconfig /etc +/var/adm/netconfig/md5/etc /etc +/var/adm/netconfig/md5/var /var diff --git a/fix_apache.patch b/fix_apache.patch new file mode 100644 index 0000000..e097a03 --- /dev/null +++ b/fix_apache.patch @@ -0,0 +1,30 @@ +Index: fedora-policy/policy/modules/contrib/apache.if +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/apache.if ++++ fedora-policy/policy/modules/contrib/apache.if +@@ -1967,3 +1967,25 @@ interface(`apache_ioctl_stream_sockets', + + allow $1 httpd_t:unix_stream_socket ioctl; + ') ++ ++####################################### ++## ++## Allow the specified domain to execute ++## httpd_sys_content_t and manage httpd_sys_rw_content_t ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_exec_sys_content',` ++ gen_require(` ++ type httpd_sys_content_t; ++ type httpd_sys_rw_content_t; ++ ') ++ ++ apache_manage_sys_content_rw($1) ++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file }) ++ can_exec($1, httpd_sys_content_t) ++') diff --git a/fix_authlogin.patch b/fix_authlogin.patch new file mode 100644 index 0000000..a91f07d --- /dev/null +++ b/fix_authlogin.patch @@ -0,0 +1,12 @@ +Index: fedora-policy/policy/modules/system/authlogin.fc +=================================================================== +--- fedora-policy.orig/policy/modules/system/authlogin.fc ++++ fedora-policy/policy/modules/system/authlogin.fc +@@ -47,6 +47,7 @@ ifdef(`distro_gentoo', ` + /usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) + + /usr/libexec/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) ++/usr/lib/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0) + + /var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0) + diff --git a/fix_chronyd.patch b/fix_chronyd.patch index 49d5345..5521738 100644 --- a/fix_chronyd.patch +++ b/fix_chronyd.patch @@ -1,15 +1,31 @@ Index: fedora-policy/policy/modules/contrib/chronyd.te =================================================================== ---- fedora-policy.orig/policy/modules/contrib/chronyd.te 2020-02-19 09:36:31.776283304 +0000 -+++ fedora-policy/policy/modules/contrib/chronyd.te 2020-02-25 10:33:09.169920838 +0000 -@@ -136,6 +136,10 @@ systemd_exec_systemctl(chronyd_t) +--- fedora-policy.orig/policy/modules/contrib/chronyd.te ++++ fedora-policy/policy/modules/contrib/chronyd.te +@@ -136,6 +136,14 @@ systemd_exec_systemctl(chronyd_t) userdom_dgram_send(chronyd_t) optional_policy(` + networkmanager_read_pid_files(chronyd_t) +') + ++optional_policy(` ++ wicked_read_pid_files(chronyd_t) ++') ++ +optional_policy(` cron_dgram_send(chronyd_t) ') +Index: fedora-policy/policy/modules/contrib/chronyd.fc +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/chronyd.fc ++++ fedora-policy/policy/modules/contrib/chronyd.fc +@@ -6,6 +6,7 @@ + + /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) + /usr/libexec/chrony-helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) ++/usr/lib/chrony/helper -- gen_context(system_u:object_r:chronyd_exec_t,s0) + + /usr/bin/chronyc -- gen_context(system_u:object_r:chronyc_exec_t,s0) + diff --git a/fix_nscd.patch b/fix_nscd.patch index 8830f9a..1bea723 100644 --- a/fix_nscd.patch +++ b/fix_nscd.patch @@ -1,7 +1,7 @@ Index: fedora-policy/policy/modules/contrib/nscd.fc =================================================================== ---- fedora-policy.orig/policy/modules/contrib/nscd.fc 2020-02-25 10:33:52.706658487 +0000 -+++ fedora-policy/policy/modules/contrib/nscd.fc 2020-02-25 10:33:56.314719506 +0000 +--- fedora-policy.orig/policy/modules/contrib/nscd.fc ++++ fedora-policy/policy/modules/contrib/nscd.fc @@ -8,8 +8,10 @@ /var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0) @@ -16,15 +16,19 @@ Index: fedora-policy/policy/modules/contrib/nscd.fc + Index: fedora-policy/policy/modules/contrib/nscd.te =================================================================== ---- fedora-policy.orig/policy/modules/contrib/nscd.te 2020-02-19 09:36:31.804283750 +0000 -+++ fedora-policy/policy/modules/contrib/nscd.te 2020-02-25 10:34:18.611090097 +0000 -@@ -127,6 +127,10 @@ userdom_dontaudit_use_unpriv_user_fds(ns +--- fedora-policy.orig/policy/modules/contrib/nscd.te ++++ fedora-policy/policy/modules/contrib/nscd.te +@@ -127,6 +127,14 @@ userdom_dontaudit_use_unpriv_user_fds(ns userdom_dontaudit_search_user_home_dirs(nscd_t) optional_policy(` + networkmanager_read_pid_files(nscd_t) +') + ++optional_policy(` ++ wicked_read_pid_files(nscd_t) ++') ++ +optional_policy(` accountsd_dontaudit_rw_fifo_file(nscd_t) ') diff --git a/fix_postfix.patch b/fix_postfix.patch index ef8f91c..392cf71 100644 --- a/fix_postfix.patch +++ b/fix_postfix.patch @@ -84,3 +84,18 @@ Index: fedora-policy/policy/modules/contrib/postfix.te optional_policy(` locallogin_dontaudit_use_fds(postfix_map_t) ') +@@ -687,6 +694,14 @@ corenet_tcp_connect_spamd_port(postfix_m + files_search_all_mountpoints(postfix_smtp_t) + + optional_policy(` ++ networkmanager_read_pid_files(postfix_smtp_t) ++') ++ ++optional_policy(` ++ wicked_read_pid_files(postfix_smtp_t) ++') ++ ++optional_policy(` + cyrus_stream_connect(postfix_smtp_t) + ') + diff --git a/fix_rpm.patch b/fix_rpm.patch new file mode 100644 index 0000000..6dc895d --- /dev/null +++ b/fix_rpm.patch @@ -0,0 +1,51 @@ +Index: fedora-policy/policy/modules/contrib/rpm.fc +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/rpm.fc ++++ fedora-policy/policy/modules/contrib/rpm.fc +@@ -17,6 +17,10 @@ + /usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0) + /usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0) + ++/usr/sbin/zypp-refresh -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/zypper -- gen_context(system_u:object_r:rpm_exec_t,s0) ++ ++ + /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) + /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) + /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0) +@@ -54,6 +58,8 @@ ifdef(`distro_redhat', ` + /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) + /var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) + ++/var/cache/zypp(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) ++ + /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) + /var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) + /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +Index: fedora-policy/policy/modules/contrib/rpm.if +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/rpm.if ++++ fedora-policy/policy/modules/contrib/rpm.if +@@ -431,8 +431,10 @@ interface(`rpm_named_filetrans',` + logging_log_named_filetrans($1, rpm_log_t, file, "yum.log") + logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log") + logging_log_named_filetrans($1, rpm_log_t, file, "up2date") ++ logging_log_named_filetrans($1, rpm_log_t, file, "zypper.log") + files_var_filetrans($1, rpm_var_cache_t, dir, "dnf") + files_var_filetrans($1, rpm_var_cache_t, dir, "yum") ++ files_var_filetrans($1, rpm_var_cache_t, dir, "zypp") + files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf") + files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum") + files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm") +Index: fedora-policy/policy/modules/kernel/files.fc +=================================================================== +--- fedora-policy.orig/policy/modules/kernel/files.fc ++++ fedora-policy/policy/modules/kernel/files.fc +@@ -67,6 +67,7 @@ ifdef(`distro_suse',` + /etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) + /etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) + /etc/yum\.repos\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0) ++/etc/zypp(/.*)? gen_context(system_u:object_r:system_conf_t,s0) + /etc/ostree/remotes.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0) + + /ostree/repo(/.*)? gen_context(system_u:object_r:system_conf_t,s0) diff --git a/fix_screen.patch b/fix_screen.patch new file mode 100644 index 0000000..efc3cdb --- /dev/null +++ b/fix_screen.patch @@ -0,0 +1,22 @@ +Index: fedora-policy/policy/modules/contrib/screen.if +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/screen.if ++++ fedora-policy/policy/modules/contrib/screen.if +@@ -45,6 +45,7 @@ template(`screen_role_template',` + + userdom_list_user_home_dirs($1_screen_t) + userdom_home_reader($1_screen_t) ++ userdom_read_user_home_content_symlinks($1_screen_t) + + domtrans_pattern($3, screen_exec_t, $1_screen_t) + allow $3 $1_screen_t:process { signal sigchld }; +Index: fedora-policy/policy/modules/contrib/screen.fc +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/screen.fc ++++ fedora-policy/policy/modules/contrib/screen.fc +@@ -8,4 +8,5 @@ HOME_DIR/\.tmux\.conf -- gen_context(sys + /usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0) + + /var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) ++/var/run/uscreens(/.*)?' gen_context(system_u:object_r:screen_var_run_t,s0) + /var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) diff --git a/fix_snapper.patch b/fix_snapper.patch index ba4b6f0..e52343a 100644 --- a/fix_snapper.patch +++ b/fix_snapper.patch @@ -1,8 +1,29 @@ Index: fedora-policy/policy/modules/contrib/snapper.te =================================================================== ---- fedora-policy.orig/policy/modules/contrib/snapper.te 2020-02-19 09:36:31.880284960 +0000 -+++ fedora-policy/policy/modules/contrib/snapper.te 2020-02-24 10:57:10.311792681 +0000 -@@ -73,6 +73,10 @@ storage_raw_read_fixed_disk(snapperd_t) +--- fedora-policy.orig/policy/modules/contrib/snapper.te ++++ fedora-policy/policy/modules/contrib/snapper.te +@@ -18,6 +18,9 @@ files_config_file(snapperd_conf_t) + type snapperd_data_t; + files_type(snapperd_data_t) + ++type snapperd_tmp_t; ++files_tmp_file(snapperd_tmp_t) ++ + ######################################## + # + # snapperd local policy +@@ -43,6 +46,10 @@ allow snapperd_t snapperd_data_t:dir { r + allow snapperd_t snapperd_data_t:file relabelfrom; + snapper_filetrans_named_content(snapperd_t) + ++allow snapperd_t snapperd_tmp_t:file manage_file_perms; ++allow snapperd_t snapperd_tmp_t:dir manage_dir_perms; ++files_tmp_filetrans(snapperd_t, snapperd_tmp_t, { file dir }) ++ + kernel_setsched(snapperd_t) + + domain_read_all_domains_state(snapperd_t) +@@ -73,6 +80,10 @@ storage_raw_read_fixed_disk(snapperd_t) auth_use_nsswitch(snapperd_t) optional_policy(` @@ -13,3 +34,31 @@ Index: fedora-policy/policy/modules/contrib/snapper.te cron_system_entry(snapperd_t, snapperd_exec_t) ') +Index: fedora-policy/policy/modules/contrib/snapper.fc +=================================================================== +--- fedora-policy.orig/policy/modules/contrib/snapper.fc ++++ fedora-policy/policy/modules/contrib/snapper.fc +@@ -7,9 +7,17 @@ + + /var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0) + +-/mnt/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) +-/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) +-/usr/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) +-/var/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) +-/etc/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) +-HOME_ROOT/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) ++/mnt/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) ++/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) ++/usr/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) ++/var/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) ++/etc/\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) ++HOME_ROOT/(.*/)?\.snapshots(/.*)? gen_context(system_u:object_r:snapperd_data_t,s0) ++ ++# ensure that the snapshots itself aren't relabled ++/mnt/(.*/)?\.snapshots/[^/]*/snapshot(/.*)? <> ++/\.snapshots/[^/]*/snapshot(/.*)? <> ++/usr/\.snapshots/[^/]*/snapshot(/.*)? <> ++/var/\.snapshots/[^/]*/snapshot(/.*)? <> ++/etc/\.snapshots/[^/]*/snapshot(/.*)? <> ++HOME_ROOT/(.*/)?\.snapshots/[^/]*/snapshot(/.*)? <> diff --git a/fix_systemd.patch b/fix_systemd.patch index c05508e..c7737e8 100644 --- a/fix_systemd.patch +++ b/fix_systemd.patch @@ -12,3 +12,15 @@ Index: fedora-policy/policy/modules/system/systemd.te +optional_policy(` apache_read_tmp_files(systemd_logind_t) ') + +@@ -817,6 +821,10 @@ optional_policy(` + dbus_connect_system_bus(systemd_hostnamed_t) + ') + ++optional_policy(` ++ nscd_unconfined(systemd_hostnamed_t) ++') ++ + ####################################### + # + # rfkill policy diff --git a/fix_unconfineduser.patch b/fix_unconfineduser.patch index 60ea74b..c542f6a 100644 --- a/fix_unconfineduser.patch +++ b/fix_unconfineduser.patch @@ -25,10 +25,14 @@ Index: fedora-policy/policy/modules/roles/unconfineduser.te chrome_role_notrans(unconfined_r, unconfined_t) tunable_policy(`unconfined_chrome_sandbox_transition',` -@@ -244,6 +253,10 @@ optional_policy(` +@@ -244,6 +253,14 @@ optional_policy(` dbus_stub(unconfined_t) optional_policy(` ++ networkmanager_dbus_chat(unconfined_dbusd_t) ++ ') ++ ++ optional_policy(` + systemd_dbus_chat_logind(unconfined_dbusd_t) + ') + diff --git a/fix_unprivuser.patch b/fix_unprivuser.patch new file mode 100644 index 0000000..7cbb3b4 --- /dev/null +++ b/fix_unprivuser.patch @@ -0,0 +1,18 @@ +Index: fedora-policy/policy/modules/roles/unprivuser.te +=================================================================== +--- fedora-policy.orig/policy/modules/roles/unprivuser.te ++++ fedora-policy/policy/modules/roles/unprivuser.te +@@ -281,6 +281,13 @@ ifndef(`distro_redhat',` + ') + + optional_policy(` ++ rtorrent_role(user_r, user_t) ++ # needed for tunable rtorrent_send_mails ++ mta_role_access_system_mail(user_r) ++') ++ ++ ++optional_policy(` + vmtools_run_helper(user_t, user_r) + ') + diff --git a/modules-targeted-base.conf b/modules-targeted-base.conf index 80f7c5d..202da6f 100644 --- a/modules-targeted-base.conf +++ b/modules-targeted-base.conf @@ -405,3 +405,17 @@ kdbus = module # Temporary permissive module for packagekit # packagekit = module + +# Layer: contrib +# Module: rtorrent +# +# Policy for rtorrent +# +rtorrent = module + +# Layer: contrib +# Module: wicked +# +# Policy for wicked +# +wicked = module diff --git a/rtorrent.fc b/rtorrent.fc new file mode 100644 index 0000000..24f879f --- /dev/null +++ b/rtorrent.fc @@ -0,0 +1 @@ +/usr/bin/rtorrent -- gen_context(system_u:object_r:rtorrent_exec_t,s0) diff --git a/rtorrent.if b/rtorrent.if new file mode 100644 index 0000000..830e349 --- /dev/null +++ b/rtorrent.if @@ -0,0 +1,111 @@ +## Policy for rtorrent. + +############################################################ +## +## Role access for rtorrent +## +## +## +## Role allowed access +## +## +## +## +## User domain for the role +## +## +# +interface(`rtorrent_role',` + gen_require(` + attribute_role rtorrent_roles; + type rtorrent_t, rtorrent_exec_t; + ') + + roleattribute $1 rtorrent_roles; + + # transition from the userdomain to the derived domain + domtrans_pattern($2, rtorrent_exec_t, rtorrent_t) + + # allow ps to show rtorrent + ps_process_pattern($2, rtorrent_t) + allow $2 rtorrent_t:process { signull sigstop signal sigkill }; + + ifdef(`hide_broken_symptoms',` + #Leaked File Descriptors + dontaudit rtorrent_t $2:fifo_file rw_fifo_file_perms; + ') +') + +######################################## +## +## Transition to a user torrent domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`rtorrent_domtrans',` + gen_require(` + type rtorrent_t, rtorrent_exec_t; + ') + + domtrans_pattern($1, rtorrent_exec_t, rtorrent_t) +') + +###################################### +## +## Execute torrent in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`rtorrent_exec',` + gen_require(` + type rtorrent_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, rtorrent_exec_t) +') + +###################################### +## +## Make rtorrent an entrypoint for +## the specified domain. +## +## +## +## The domain for which cifs_t is an entrypoint. +## +## +# +interface(`rtorrent_entry_type',` + gen_require(` + type rtorrent_exec_t; + ') + + domain_entry_file($1, rtorrent_exec_t) +') + +######################################## +## +## Send generic signals to user rtorrent processes. +## +## +## +## Domain allowed access. +## +## +# +interface(`rtorrent_signal',` + gen_require(` + type rtorrent_t; + ') + + allow $1 rtorrent_t:process signal; +') diff --git a/rtorrent.te b/rtorrent.te new file mode 100644 index 0000000..dcf4d43 --- /dev/null +++ b/rtorrent.te @@ -0,0 +1,98 @@ +policy_module(rtorrent, 1.0.1) + +######################################## +# +# Declarations +# +## +##

+## Allow rtorrent to use send mails +##

+## +gen_tunable(rtorrent_send_mails, false) + +## +##

+## Enable necessary permissions for rutorrent +##

+## +gen_tunable(rtorrent_enable_rutorrent, false) + +attribute rtorrentdomain; + +attribute_role rtorrent_roles; +roleattribute system_r rtorrent_roles; + +type rtorrent_t; +type rtorrent_exec_t; +userdom_user_application_domain(rtorrent_t, rtorrent_exec_t) +role rtorrent_roles types rtorrent_t; + +######################################## +# +# rtorrent local policy +# + +corenet_tcp_bind_commplex_main_port(rtorrent_t) + +type rtorrent_port_t; +corenet_port(rtorrent_port_t) +allow rtorrent_t rtorrent_port_t:tcp_socket name_bind; + +userdom_read_user_home_content_symlinks(rtorrent_t) + +allow rtorrent_t self:process setpgid; +allow rtorrent_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; +allow rtorrent_t self:fifo_file rw_fifo_file_perms; +allow rtorrent_t self:tcp_socket create_stream_socket_perms; +allow rtorrent_t self:unix_stream_socket connectto; + +allow rtorrent_t self:netlink_route_socket { bind create nlmsg_read }; +allow rtorrent_t self:udp_socket { connect create getattr }; +nscd_shm_use(rtorrent_t) + +#corecmd_exec_shell(rtorrent_t) +corecmd_exec_bin(rtorrent_t) +# execute helper scripts +userdom_exec_user_bin_files(rtorrent_t) + +corenet_all_recvfrom_netlabel(rtorrent_t) +corenet_tcp_sendrecv_generic_if(rtorrent_t) +corenet_udp_sendrecv_generic_if(rtorrent_t) +corenet_tcp_sendrecv_generic_node(rtorrent_t) +corenet_udp_sendrecv_generic_node(rtorrent_t) +corenet_tcp_sendrecv_all_ports(rtorrent_t) +corenet_udp_sendrecv_all_ports(rtorrent_t) +corenet_tcp_connect_all_ports(rtorrent_t) +corenet_sendrecv_all_client_packets(rtorrent_t) +corenet_udp_bind_all_unreserved_ports(rtorrent_t) + +domain_use_interactive_fds(rtorrent_t) +auth_use_nsswitch(rtorrent_t) +miscfiles_map_generic_certs(rtorrent_t) +fs_getattr_xattr_fs(rtorrent_t) + +userdom_use_inherited_user_terminals(rtorrent_t) +userdom_manage_user_home_content_files(rtorrent_t) +userdom_manage_user_home_content_dirs(rtorrent_t) +userdom_home_manager(rtorrent_t) +userdom_filetrans_home_content(rtorrent_t) +userdom_stream_connect(rtorrent_t) + +optional_policy(` + tunable_policy(`rtorrent_send_mails',` + userdom_exec_user_bin_files(rtorrent_t) + userdom_exec_user_home_content_files(rtorrent_t) + files_manage_generic_tmp_files(rtorrent_t) + mta_send_mail(rtorrent_t) + ') +') + +optional_policy(` + apache_manage_sys_content(rtorrent_t) + + tunable_policy(`rtorrent_enable_rutorrent',` + apache_exec_sys_content(rtorrent_t) + ') +') + diff --git a/sedoctool.patch b/sedoctool.patch index c905731..82b2eee 100644 --- a/sedoctool.patch +++ b/sedoctool.patch @@ -1,7 +1,7 @@ Index: fedora-policy/support/sedoctool.py =================================================================== ---- fedora-policy.orig/support/sedoctool.py 2019-08-21 13:54:02.175947408 +0200 -+++ fedora-policy/support/sedoctool.py 2019-08-21 13:57:57.323782524 +0200 +--- fedora-policy.orig/support/sedoctool.py ++++ fedora-policy/support/sedoctool.py @@ -810,7 +810,7 @@ if booleans: namevalue_list = [] if os.path.exists(booleans): diff --git a/selinux-policy.changes b/selinux-policy.changes index adb9157..f3b81c2 100644 --- a/selinux-policy.changes +++ b/selinux-policy.changes @@ -1,3 +1,21 @@ +------------------------------------------------------------------- +Tue Jun 2 14:45:37 UTC 2020 - Johannes Segitz + +- Added module for wicked +- New patches: + * fix_authlogin.patch + * fix_screen.patch + * fix_unprivuser.patch + * fix_rpm.patch + * fix_apache.patch + +------------------------------------------------------------------- +Thu Mar 26 09:51:45 UTC 2020 - Johannes Segitz + +- Added module for rtorrent +- Enable snapper module in minimum policy to reduce issues on BTRFS + Updated fix_snapper.patch to prevent relabling of snapshot + ------------------------------------------------------------------- Mon Mar 9 09:01:22 UTC 2020 - Johannes Segitz diff --git a/selinux-policy.spec b/selinux-policy.spec index 49b2418..f4b739a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -106,6 +106,12 @@ Source94: file_contexts.subs_dist Source120: packagekit.te Source121: packagekit.if Source122: packagekit.fc +Source123: rtorrent.te +Source124: rtorrent.if +Source125: rtorrent.fc +Source126: wicked.te +Source127: wicked.if +Source128: wicked.fc Patch001: fix_djbdns.patch Patch002: fix_dbus.patch @@ -148,6 +154,11 @@ Patch040: fix_usermanage.patch Patch041: fix_smartmon.patch Patch042: fix_geoclue.patch Patch043: suse_specific.patch +Patch044: fix_authlogin.patch +Patch045: fix_screen.patch +Patch046: fix_unprivuser.patch +Patch047: fix_rpm.patch +Patch048: fix_apache.patch Patch100: sedoctool.patch @@ -398,6 +409,11 @@ systems and used as the basis for creating other policies. %patch041 -p1 %patch042 -p1 %patch043 -p1 +%patch044 -p1 +%patch045 -p1 +%patch046 -p1 +%patch047 -p1 +%patch048 -p1 %patch100 -p1 find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \; @@ -418,7 +434,7 @@ cp %{SOURCE60} %{buildroot}%{_usr}/lib/tmpfiles.d/ # Always create policy module package directories mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/ -for i in %{SOURCE120} %{SOURCE121} %{SOURCE122}; do +for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do cp $i policy/modules/contrib done @@ -584,7 +600,7 @@ if [ $1 -eq 1 ]; then for p in $contribpackages; do touch /var/lib/selinux/minimum/active/modules/disabled/$p done -for p in $basepackages dbus kerberos nscd rpm rtkit; do +for p in $basepackages snapper dbus kerberos nscd rpm rtkit; do rm -f /var/lib/selinux/minimum/active/modules/disabled/$p done /usr/sbin/semanage import -S minimum -f - << __eof @@ -598,7 +614,7 @@ instpackages=`cat /usr/share/selinux/minimum/instmodules.lst` for p in $contribpackages; do touch /var/lib/selinux/minimum/active/modules/disabled/$p done -for p in $instpackages dbus kerberos nscd rtkit; do +for p in $instpackages snapper dbus kerberos nscd rtkit; do rm -f /var/lib/selinux/minimum/active/modules/disabled/$p done /usr/sbin/semodule -B -s minimum diff --git a/wicked.fc b/wicked.fc new file mode 100644 index 0000000..1f98ad1 --- /dev/null +++ b/wicked.fc @@ -0,0 +1,46 @@ +# not used +#/etc/wicked/dispatcher\.d(/.*)? gen_context(system_u:object_r:wicked_initrc_exec_t,s0) +#/usr/lib/wicked/dispatcher\.d(/.*)? gen_context(system_u:object_r:wicked_initrc_exec_t,s0) + +/etc/wicked(/.*)? gen_context(system_u:object_r:wicked_etc_t,s0) +/etc/wicked/extensions/.* -- gen_context(system_u:object_r:wicked_exec_t,s0) + +#/etc/wicked/wicked\.conf gen_context(system_u:object_r:wicked_etc_rw_t,s0) +#/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:wicked_var_lib_t, s0) + +/usr/lib/systemd/system/wicked.* -- gen_context(system_u:object_r:wicked_unit_file_t,s0) + +/sbin/ifdown -- gen_context(system_u:object_r:wicked_exec_t,s0) +/sbin/ifprobe -- gen_context(system_u:object_r:wicked_exec_t,s0) +/sbin/ifstatus -- gen_context(system_u:object_r:wicked_exec_t,s0) +/sbin/ifup -- gen_context(system_u:object_r:wicked_exec_t,s0) +/usr/sbin/ifup -- gen_context(system_u:object_r:wicked_exec_t,s0) + +/usr/sbin/rcwicked.* -- gen_context(system_u:object_r:wicked_initrc_exec_t,s0) + +/usr/lib/wicked/bin(/.*)? gen_context(system_u:object_r:wicked_exec_t,s0) + +#/usr/lib64/libwicked-0.6.63.so + +/usr/sbin/wicked -- gen_context(system_u:object_r:wicked_exec_t,s0) +/usr/sbin/wickedd -- gen_context(system_u:object_r:wicked_exec_t,s0) +/usr/sbin/wickedd-nanny -- gen_context(system_u:object_r:wicked_exec_t,s0) +#/usr/share/wicked/schema/wireless.xml +/var/lib/wicked(/.*)? gen_context(system_u:object_r:wicked_var_lib_t,s0) +#/etc/sysconfig/network/ifcfg-lo + +#/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) +#/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:wicked_exec_t,s0) +#/var/lib/wicd(/.*)? gen_context(system_u:object_r:wicked_var_lib_t,s0) +#/var/log/wicd.* -- gen_context(system_u:object_r:wicked_log_t,s0) + +/var/run/wicked(/.*)? gen_context(system_u:object_r:wicked_var_run_t,s0) + +#/etc/dbus-1 +#/etc/dbus-1/system.d +#/etc/dbus-1/system.d/org.opensuse.Network.AUTO4.conf +#/etc/dbus-1/system.d/org.opensuse.Network.DHCP4.conf +#/etc/dbus-1/system.d/org.opensuse.Network.DHCP6.conf +#/etc/dbus-1/system.d/org.opensuse.Network.Nanny.conf +#/etc/dbus-1/system.d/org.opensuse.Network.conf + diff --git a/wicked.if b/wicked.if new file mode 100644 index 0000000..313ff5e --- /dev/null +++ b/wicked.if @@ -0,0 +1,654 @@ +## Manager for dynamically switching between networks. + +######################################## +## +## Read and write wicked UDP sockets. +## +## +## +## Domain allowed access. +## +## +# +# cjp: added for named. +interface(`wicked_rw_udp_sockets',` + gen_require(` + type wicked_t; + ') + + allow $1 wicked_t:udp_socket { read write }; +') + +######################################## +## +## Read and write wicked packet sockets. +## +## +## +## Domain allowed access. +## +## +# +# cjp: added for named. +interface(`wicked_rw_packet_sockets',` + gen_require(` + type wicked_t; + ') + + allow $1 wicked_t:packet_socket { read write }; +') + +####################################### +## +## Allow caller to relabel tun_socket +## +## +## +## Domain allowed access. +## +## +# +interface(`wicked_attach_tun_iface',` + gen_require(` + type wicked_t; + ') + + allow $1 wicked_t:tun_socket relabelfrom; + allow $1 self:tun_socket relabelto; +') + +######################################## +## +## Read and write wicked netlink +## routing sockets. +## +## +## +## Domain allowed access. +## +## +# +# cjp: added for named. +interface(`wicked_rw_routing_sockets',` + gen_require(` + type wicked_t; + ') + + allow $1 wicked_t:netlink_route_socket { read write }; +') + +######################################## +## +## Execute wicked with a domain transition. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`wicked_domtrans',` + gen_require(` + type wicked_t, wicked_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, wicked_exec_t, wicked_t) +') + +####################################### +## +## Execute wicked scripts with an automatic domain transition to initrc. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`wicked_initrc_domtrans',` + gen_require(` + type wicked_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, wicked_initrc_exec_t) +') + +####################################### +## +## Allow reading of wicked link files +## +## +## +## Domain allowed to read the links +## +## +# +interface(`wicked_initrc_read_lnk_files',` + gen_require(` + type wicked_initrc_exec_t; + ') + + read_lnk_files_pattern($1, wicked_initrc_exec_t, wicked_initrc_exec_t) +') + +######################################## +## +## Execute wicked server in the wicked domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`wicked_systemctl',` + gen_require(` + type wicked_unit_file_t; + type wicked_t; + ') + + systemd_exec_systemctl($1) + init_reload_services($1) + allow $1 wicked_unit_file_t:file read_file_perms; + allow $1 wicked_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, wicked_t) +') + +######################################## +## +## Send and receive messages from +## wicked over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`wicked_dbus_chat',` + gen_require(` + type wicked_t; + class dbus send_msg; + ') + + allow $1 wicked_t:dbus send_msg; + allow wicked_t $1:dbus send_msg; +') + +####################################### +## +## Read metworkmanager process state files. +## +## +## +## Domain allowed access. +## +## +# +interface(`wicked_read_state',` + gen_require(` + type wicked_t; + ') + + allow $1 wicked_t:dir search_dir_perms; + allow $1 wicked_t:file read_file_perms; + allow $1 wicked_t:lnk_file read_lnk_file_perms; +') + +######################################## +## +## Do not audit attempts to send and +## receive messages from wicked +## over dbus. +## +## +## +## Domain to not audit. +## +## +# +interface(`wicked_dontaudit_dbus_chat',` + gen_require(` + type wicked_t; + class dbus send_msg; + ') + + dontaudit $1 wicked_t:dbus send_msg; + dontaudit wicked_t $1:dbus send_msg; +') + +######################################## +## +## Send a generic signal to wicked +## +## +## +## Domain allowed access. +## +## +# +interface(`wicked_signal',` + gen_require(` + type wicked_t; + ') + + allow $1 wicked_t:process signal; +') + +######################################## +## +## Create, read, and write +## wicked library files. +## +## +## +## Domain allowed access. +## +## +# +interface(`wicked_manage_lib_files',` + gen_require(` + type wicked_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t) + allow $1 wicked_var_lib_t:file map; +') + +######################################## +## +## Read wicked lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`wicked_read_lib_files',` + gen_require(` + type wicked_var_lib_t; + ') + + files_search_var_lib($1) + list_dirs_pattern($1, wicked_var_lib_t, wicked_var_lib_t) + read_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t) + allow $1 wicked_var_lib_t:file map; +') + +####################################### +## +## Read wicked conf files. +## +## +## +## Domain allowed access. +## +## +# +interface(`wicked_read_conf',` + gen_require(` + type wicked_etc_t; + type wicked_etc_rw_t; + ') + + allow $1 wicked_etc_t:dir list_dir_perms; + read_files_pattern($1,wicked_etc_t,wicked_etc_t) + read_files_pattern($1,wicked_etc_rw_t,wicked_etc_rw_t) +') + +######################################## +## +## Read wicked PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`wicked_read_pid_files',` + gen_require(` + type wicked_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, wicked_var_run_t, wicked_var_run_t) +') + +######################################## +## +## Manage wicked PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`wicked_manage_pid_files',` + gen_require(` + type wicked_var_run_t; + ') + + files_search_pids($1) + manage_dirs_pattern($1, wicked_var_run_t, wicked_var_run_t) + manage_files_pattern($1, wicked_var_run_t, wicked_var_run_t) +') + +######################################## +## +## Manage wicked PID sock files. +## +## +## +## Domain allowed access. +## +## +# +interface(`wicked_manage_pid_sock_files',` + gen_require(` + type wicked_var_run_t; + ') + + files_search_pids($1) + manage_sock_files_pattern($1, wicked_var_run_t, wicked_var_run_t) +') + +######################################## +## +## Create objects in /etc with a private +## type using a type_transition. +## +## +## +## Domain allowed access. +## +## +## +## +## Private file type. +## +## +## +## +## Object classes to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`wicked_pid_filetrans',` + gen_require(` + type wicked_var_run_t; + ') + + filetrans_pattern($1, wicked_var_run_t, $2, $3, $4) +') + +#################################### +## +## Connect to wicked over +## a unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`wicked_stream_connect',` + gen_require(` + type wicked_t, wicked_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, wicked_var_run_t, wicked_var_run_t, wicked_t) +') + +######################################## +## +## Delete wicked PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`wicked_delete_pid_files',` + gen_require(` + type wicked_var_run_t; + ') + + files_search_pids($1) + delete_files_pattern($1, wicked_var_run_t, wicked_var_run_t) +') + +######################################## +## +## Execute wicked in the wicked domain, and +## allow the specified role the wicked domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`wicked_run',` + gen_require(` + type wicked_t, wicked_exec_t; + ') + + wicked_domtrans($1) + role $2 types wicked_t; +') + +######################################## +## +## Allow the specified domain to append +## to Network Manager log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`wicked_append_log',` + gen_require(` + type wicked_log_t; + ') + + logging_search_logs($1) + allow $1 wicked_log_t:dir list_dir_perms; + append_files_pattern($1, wicked_log_t, wicked_log_t) + allow $1 wicked_log_t:file map; + +') + +####################################### +## +## Allow the specified domain to manage +## to Network Manager lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`wicked_manage_lib',` + gen_require(` + type wicked_var_lib_t; + ') + + manage_files_pattern($1, wicked_var_lib_t, wicked_var_lib_t) + allow $1 wicked_var_lib_t:file map; + +') + +####################################### +## +## Send to wicked with a unix dgram socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`wicked_dgram_send',` + gen_require(` + type wicked_t, wicked_var_run_t; + ') + + files_search_pids($1) + dgram_send_pattern($1, wicked_var_run_t, wicked_var_run_t, wicked_t) +') + +######################################## +## +## Send sigchld to wicked. +## +## +## +## Domain allowed access. +## +## +# +# +interface(`wicked_sigchld',` + gen_require(` + type wicked_t; + ') + + allow $1 wicked_t:process sigchld; +') + +######################################## +## +## Send signull to wicked. +## +## +## +## Domain allowed access. +## +## +# +# +interface(`wicked_signull',` + gen_require(` + type wicked_t; + ') + + allow $1 wicked_t:process signull; +') + +######################################## +## +## Send sigkill to wicked. +## +## +## +## Domain allowed access. +## +## +# +# +interface(`wicked_sigkill',` + gen_require(` + type wicked_t; + ') + + allow $1 wicked_t:process sigkill; +') + +######################################## +## +## Transition to wicked named content +## +## +## +## Domain allowed access. +## +## +# +interface(`wicked_filetrans_named_content',` + gen_require(` + type wicked_var_run_t; + type wicked_var_lib_t; + ') + + + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth0.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth1.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth2.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth3.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth4.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth5.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth6.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth7.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth8.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth9.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth0.dhcp.ipv6") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth1.dhcp.ipv6") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth2.dhcp.ipv6") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth3.dhcp.ipv6") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth4.dhcp.ipv6") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth5.dhcp.ipv6") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth6.dhcp.ipv6") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth7.dhcp.ipv6") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth8.dhcp.ipv6") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.eth9.dhcp.ipv6") + + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em0.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em1.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em2.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em3.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em4.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em5.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em6.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em7.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em8.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em9.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em0.dhcp.ipv6") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em1.dhcp.ipv6") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em2.dhcp.ipv6") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em3.dhcp.ipv6") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em4.dhcp.ipv6") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em5.dhcp.ipv6") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em6.dhcp.ipv6") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em7.dhcp.ipv6") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em8.dhcp.ipv6") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.em9.dhcp.ipv6") + + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.lo.dhcp.ipv4") + files_pid_filetrans($1, wicked_var_run_t, file, "leaseinfo.lo.dhcp.ipv6") + + files_pid_filetrans($1, wicked_var_run_t, dir, "extension") + files_pid_filetrans($1, wicked_var_run_t, dir, "nanny") + + files_etc_filetrans($1, wicked_var_lib_t, file, "state-1.xml") + files_etc_filetrans($1, wicked_var_lib_t, file, "state-2.xml") + files_etc_filetrans($1, wicked_var_lib_t, file, "state-3.xml") + files_etc_filetrans($1, wicked_var_lib_t, file, "state-4.xml") + files_etc_filetrans($1, wicked_var_lib_t, file, "state-5.xml") + files_etc_filetrans($1, wicked_var_lib_t, file, "state-6.xml") + files_etc_filetrans($1, wicked_var_lib_t, file, "state-7.xml") + files_etc_filetrans($1, wicked_var_lib_t, file, "state-8.xml") + files_etc_filetrans($1, wicked_var_lib_t, file, "state-9.xml") +') diff --git a/wicked.te b/wicked.te new file mode 100644 index 0000000..3e9849b --- /dev/null +++ b/wicked.te @@ -0,0 +1,524 @@ +policy_module(wicked, 1.0.0) + +######################################## +# +# Declarations +# + +type wicked_t; +type wicked_exec_t; +init_daemon_domain(wicked_t, wicked_exec_t) + +type wicked_initrc_exec_t; +init_script_file(wicked_initrc_exec_t) + +type wicked_unit_file_t; +systemd_unit_file(wicked_unit_file_t) + +type wicked_etc_t; +files_config_file(wicked_etc_t) + +type wicked_etc_rw_t; +files_config_file(wicked_etc_rw_t) + +#type wicked_log_t; +#logging_log_file(wicked_log_t) + +type wicked_tmp_t; +files_tmp_file(wicked_tmp_t) + +type wicked_var_lib_t; +files_type(wicked_var_lib_t) + +type wicked_var_run_t; +files_pid_file(wicked_var_run_t) + +#type wpa_cli_t; +#type wpa_cli_exec_t; +#init_system_domain(wpa_cli_t, wpa_cli_exec_t) + +######################################## +# +# Local policy +# + +# wicked will ptrace itself if gdb is installed +# and it receives a unexpected signal (rh bug #204161) +allow wicked_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_read_search dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot }; +dontaudit wicked_t self:capability sys_tty_config; + +allow wicked_t self:bpf { map_create map_read map_write prog_load prog_run }; + +ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code + dontaudit wicked_t self:capability sys_module; +') +# alternatively allow with +# kernel_load_module( wicked_t ) + +allow wicked_t self:process { getcap setcap setpgid getsched setsched signal_perms }; + +allow wicked_t self:process setfscreate; +selinux_validate_context(wicked_t) + +tunable_policy(`deny_ptrace',`',` + allow wicked_t self:capability sys_ptrace; + allow wicked_t self:process ptrace; +') + +allow wicked_t self:fifo_file rw_fifo_file_perms; +allow wicked_t self:unix_dgram_socket { sendto create_socket_perms }; +allow wicked_t self:unix_stream_socket{ create_stream_socket_perms connectto }; +allow wicked_t self:netlink_generic_socket create_socket_perms; +allow wicked_t self:netlink_route_socket create_netlink_socket_perms; +allow wicked_t self:netlink_xfrm_socket create_netlink_socket_perms; +allow wicked_t self:netlink_socket create_socket_perms; +allow wicked_t self:netlink_kobject_uevent_socket create_socket_perms; +allow wicked_t self:tcp_socket create_stream_socket_perms; +allow wicked_t self:tun_socket { create_socket_perms relabelfrom relabelto }; +allow wicked_t self:udp_socket create_socket_perms; +allow wicked_t self:packet_socket create_socket_perms; +allow wicked_t self:rawip_socket create_socket_perms; +allow wicked_t self:socket create_socket_perms; + +tunable_policy(`deny_bluetooth',`',` + allow wicked_t self:bluetooth_socket create_stream_socket_perms; +') + +#allow wicked_t wpa_cli_t:unix_dgram_socket sendto; + +can_exec(wicked_t, wicked_exec_t) +#wicd +# can_exec(wicked_t, wpa_cli_exec_t) + +list_dirs_pattern(wicked_t, wicked_initrc_exec_t, wicked_initrc_exec_t) +read_files_pattern(wicked_t, wicked_initrc_exec_t, wicked_initrc_exec_t) +read_lnk_files_pattern(wicked_t, wicked_initrc_exec_t, wicked_initrc_exec_t) + +list_dirs_pattern(wicked_t, wicked_etc_t, wicked_etc_t) +read_files_pattern(wicked_t, wicked_etc_t, wicked_etc_t) +read_lnk_files_pattern(wicked_t, wicked_etc_t, wicked_etc_t) + +read_lnk_files_pattern(wicked_t, wicked_etc_rw_t, wicked_etc_rw_t) +manage_dirs_pattern(wicked_t, wicked_etc_rw_t, wicked_etc_rw_t) +manage_files_pattern(wicked_t, wicked_etc_rw_t, wicked_etc_rw_t) +filetrans_pattern(wicked_t, wicked_etc_t, wicked_etc_rw_t, { dir file }) + +#allow wicked_t wicked_log_t:dir setattr_dir_perms; +#append_files_pattern(wicked_t, wicked_log_t, wicked_log_t) +#create_files_pattern(wicked_t, wicked_log_t, wicked_log_t) +#setattr_files_pattern(wicked_t, wicked_log_t, wicked_log_t) +#logging_log_filetrans(wicked_t, wicked_log_t, file) + +can_exec(wicked_t, wicked_tmp_t) +manage_files_pattern(wicked_t, wicked_tmp_t, wicked_tmp_t) +manage_sock_files_pattern(wicked_t, wicked_tmp_t, wicked_tmp_t) +files_tmp_filetrans(wicked_t, wicked_tmp_t, { sock_file file }) + +manage_dirs_pattern(wicked_t, wicked_var_lib_t, wicked_var_lib_t) +manage_files_pattern(wicked_t, wicked_var_lib_t, wicked_var_lib_t) +manage_lnk_files_pattern(wicked_t, wicked_var_lib_t, wicked_var_lib_t) +files_var_lib_filetrans(wicked_t, wicked_var_lib_t, { dir file lnk_file }) + +manage_dirs_pattern(wicked_t, wicked_var_run_t, wicked_var_run_t) +manage_files_pattern(wicked_t, wicked_var_run_t, wicked_var_run_t) +manage_sock_files_pattern(wicked_t, wicked_var_run_t, wicked_var_run_t) +files_pid_filetrans(wicked_t, wicked_var_run_t, { dir file sock_file }) + +kernel_read_system_state(wicked_t) +kernel_read_network_state(wicked_t) +kernel_read_kernel_sysctls(wicked_t) +kernel_request_load_module(wicked_t) +kernel_read_debugfs(wicked_t) +kernel_rw_net_sysctls(wicked_t) +kernel_dontaudit_setsched(wicked_t) +kernel_signull(wicked_t) + +corenet_ib_manage_subnet_unlabeled_endports(wicked_t) +corenet_ib_access_unlabeled_pkeys(wicked_t) +corenet_all_recvfrom_netlabel(wicked_t) +corenet_tcp_sendrecv_generic_if(wicked_t) +corenet_udp_sendrecv_generic_if(wicked_t) +corenet_raw_sendrecv_generic_if(wicked_t) +corenet_tcp_sendrecv_generic_node(wicked_t) +corenet_udp_sendrecv_generic_node(wicked_t) +corenet_raw_sendrecv_generic_node(wicked_t) +corenet_tcp_sendrecv_all_ports(wicked_t) +corenet_udp_sendrecv_all_ports(wicked_t) +corenet_udp_bind_generic_node(wicked_t) +corenet_udp_bind_isakmp_port(wicked_t) +corenet_udp_bind_dhcpc_port(wicked_t) +corenet_tcp_connect_all_ports(wicked_t) +corenet_sendrecv_isakmp_server_packets(wicked_t) +corenet_sendrecv_dhcpc_server_packets(wicked_t) +corenet_sendrecv_all_client_packets(wicked_t) +corenet_rw_tun_tap_dev(wicked_t) +corenet_getattr_ppp_dev(wicked_t) + +dev_access_check_sysfs(wicked_t) +dev_rw_sysfs(wicked_t) +dev_write_sysfs_dirs(wicked_t) +dev_read_rand(wicked_t) +dev_read_urand(wicked_t) +dev_dontaudit_getattr_generic_blk_files(wicked_t) +dev_getattr_all_chr_files(wicked_t) +dev_rw_wireless(wicked_t) + +fs_getattr_all_fs(wicked_t) +fs_search_auto_mountpoints(wicked_t) +fs_list_inotifyfs(wicked_t) +fs_read_nsfs_files(wicked_t) + +mls_file_read_all_levels(wicked_t) + +selinux_dontaudit_search_fs(wicked_t) + +corecmd_exec_shell(wicked_t) +corecmd_exec_bin(wicked_t) + +domain_use_interactive_fds(wicked_t) +domain_read_all_domains_state(wicked_t) + +files_read_etc_runtime_files(wicked_t) +files_read_system_conf_files(wicked_t) +files_read_usr_src_files(wicked_t) +files_read_isid_type_files(wicked_t) + +storage_getattr_fixed_disk_dev(wicked_t) + +term_open_unallocated_ttys(wicked_t) + +init_read_utmp(wicked_t) +init_dontaudit_write_utmp(wicked_t) +init_domtrans_script(wicked_t) +init_signull_script(wicked_t) +init_signal_script(wicked_t) +init_sigkill_script(wicked_t) + +auth_use_nsswitch(wicked_t) + +libs_exec_ldconfig(wicked_t) + +logging_send_syslog_msg(wicked_t) +logging_send_audit_msgs(wicked_t) + +miscfiles_read_generic_certs(wicked_t) + +seutil_read_config(wicked_t) +seutil_run_setfiles(wicked_t, system_r) + +sysnet_domtrans_ifconfig(wicked_t) +sysnet_domtrans_dhcpc(wicked_t) +sysnet_signal_dhcpc(wicked_t) +sysnet_signull_dhcpc(wicked_t) +sysnet_read_dhcpc_pid(wicked_t) +sysnet_read_dhcp_config(wicked_t) +sysnet_delete_dhcpc_pid(wicked_t) +sysnet_kill_dhcpc(wicked_t) +sysnet_read_dhcpc_state(wicked_t) +sysnet_delete_dhcpc_state(wicked_t) +sysnet_search_dhcp_state(wicked_t) +# in /etc created by wicked will be labelled net_conf_t. +sysnet_manage_config(wicked_t) +sysnet_filetrans_named_content(wicked_t) +sysnet_filetrans_net_conf(wicked_t) + +systemd_machined_read_pid_files(wicked_t) + +term_use_unallocated_ttys(wicked_t) + +userdom_stream_connect(wicked_t) +userdom_dontaudit_use_unpriv_user_fds(wicked_t) +userdom_dontaudit_use_user_ttys(wicked_t) +# Read gnome-keyring +userdom_read_home_certs(wicked_t) +userdom_read_user_home_content_files(wicked_t) +userdom_dgram_send(wicked_t) + +hostname_exec(wicked_t) +wicked_systemctl(wicked_t) + +sysnet_manage_config_dirs(wicked_t) + +#tunable_policy(`use_nfs_home_dirs',` +# fs_read_nfs_files(wicked_t) +#') +# +#tunable_policy(`use_samba_home_dirs',` +# fs_read_cifs_files(wicked_t) +#') + +optional_policy(` + avahi_domtrans(wicked_t) + avahi_kill(wicked_t) + avahi_signal(wicked_t) + avahi_signull(wicked_t) + avahi_dbus_chat(wicked_t) +') + +optional_policy(` + packagekit_dbus_chat(wicked_t) +') + +optional_policy(` + firewalld_dbus_chat(wicked_t) +') + +optional_policy(` + wicked_dbus_chat(wicked_t) +') + +optional_policy(` + bind_domtrans(wicked_t) + bind_manage_cache(wicked_t) + bind_kill(wicked_t) + bind_signal(wicked_t) + bind_signull(wicked_t) +') + +optional_policy(` + bluetooth_dontaudit_read_helper_state(wicked_t) +') + +optional_policy(` + consoletype_exec(wicked_t) +') + +optional_policy(` + cron_read_system_job_lib_files(wicked_t) +') + +optional_policy(` + chronyd_domtrans_chronyc(wicked_t) + chronyd_domtrans(wicked_t) +') + +optional_policy(` + dbus_system_domain(wicked_t, wicked_exec_t) + + init_dbus_chat(wicked_t) + + optional_policy(` + consolekit_dbus_chat(wicked_t) + consolekit_read_pid_files(wicked_t) + ') +') + +optional_policy(` + dnsmasq_read_pid_files(wicked_t) + dnsmasq_dbus_chat(wicked_t) + dnsmasq_delete_pid_files(wicked_t) + dnsmasq_domtrans(wicked_t) + dnsmasq_initrc_domtrans(wicked_t) + dnsmasq_kill(wicked_t) + dnsmasq_signal(wicked_t) + dnsmasq_signull(wicked_t) + dnsmasq_systemctl(wicked_t) +') + +optional_policy(` + dnssec_trigger_domtrans(wicked_t) + dnssec_trigger_signull(wicked_t) + dnssec_trigger_sigkill(wicked_t) +') + +optional_policy(` + fcoe_dgram_send_fcoemon(wicked_t) +') + +optional_policy(` + hal_write_log(wicked_t) +') + +optional_policy(` + howl_signal(wicked_t) +') + +optional_policy(` + gnome_dontaudit_search_config(wicked_t) +') + +optional_policy(` + iscsid_domtrans(wicked_t) +') + +optional_policy(` + iodined_domtrans(wicked_t) +') + +optional_policy(` + ipsec_domtrans_mgmt(wicked_t) + ipsec_kill_mgmt(wicked_t) + ipsec_signal_mgmt(wicked_t) + ipsec_signull_mgmt(wicked_t) + ipsec_domtrans(wicked_t) + ipsec_kill(wicked_t) + ipsec_signal(wicked_t) + ipsec_signull(wicked_t) +') + +optional_policy(` + iptables_domtrans(wicked_t) +') + +optional_policy(` + l2tpd_domtrans(wicked_t) + l2tpd_sigkill(wicked_t) + l2tpd_signal(wicked_t) + l2tpd_signull(wicked_t) +') + +optional_policy(` + lldpad_dgram_send(wicked_t) +') + +optional_policy(` + kdump_dontaudit_inherited_kdumpctl_tmp_pipes(wicked_t) +') + +optional_policy(` + netutils_exec_ping(wicked_t) + netutils_exec(wicked_t) +') + +optional_policy(` + nscd_domtrans(wicked_t) + nscd_signal(wicked_t) + nscd_signull(wicked_t) + nscd_kill(wicked_t) + nscd_initrc_domtrans(wicked_t) + nscd_systemctl(wicked_t) +') + +optional_policy(` + # Dispatcher starting and stoping ntp + ntp_initrc_domtrans(wicked_t) + ntp_systemctl(wicked_t) +') + +optional_policy(` + modutils_domtrans_kmod(wicked_t) +') + +optional_policy(` + openvpn_read_config(wicked_t) + openvpn_domtrans(wicked_t) + openvpn_kill(wicked_t) + openvpn_signal(wicked_t) + openvpn_signull(wicked_t) + openvpn_stream_connect(wicked_t) + openvpn_noatsecure(wicked_t) +') + +optional_policy(` + policykit_dbus_chat(wicked_t) + policykit_domtrans_auth(wicked_t) + policykit_read_lib(wicked_t) + policykit_read_reload(wicked_t) + userdom_read_all_users_state(wicked_t) +') + +optional_policy(` + polipo_systemctl(wicked_t) +') + +optional_policy(` + ppp_initrc_domtrans(wicked_t) + ppp_domtrans(wicked_t) + ppp_manage_pid_files(wicked_t) + ppp_kill(wicked_t) + ppp_signal(wicked_t) + ppp_signull(wicked_t) + ppp_read_config(wicked_t) + ppp_systemctl(wicked_t) +') + +optional_policy(` + rpm_exec(wicked_t) + rpm_read_db(wicked_t) + rpm_dontaudit_manage_db(wicked_t) +') + +optional_policy(` + samba_service_status(wicked_t) +') + +optional_policy(` + seutil_sigchld_newrole(wicked_t) +') + +optional_policy(` + sysnet_manage_dhcpc_state(wicked_t) +') + +optional_policy(` + systemd_write_inhibit_pipes(wicked_t) + systemd_read_logind_sessions_files(wicked_t) + systemd_dbus_chat_logind(wicked_t) + systemd_dbus_chat_hostnamed(wicked_t) + systemd_hostnamed_manage_config(wicked_t) +') + +optional_policy(` + ssh_basic_client_template(wicked, wicked_t, system_r) + term_use_generic_ptys(wicked_ssh_t) + modutils_domtrans_kmod(wicked_ssh_t) + dbus_connect_system_bus(wicked_ssh_t) + dbus_system_bus_client(wicked_ssh_t) + + wicked_dbus_chat(wicked_ssh_t) +') + +optional_policy(` + udev_exec(wicked_t) + udev_read_db(wicked_t) + udev_read_pid_files(wicked_t) +') + +optional_policy(` + vpn_domtrans(wicked_t) + vpn_kill(wicked_t) + vpn_signal(wicked_t) + vpn_signull(wicked_t) + vpn_relabelfrom_tun_socket(wicked_t) +') + +optional_policy(` + openfortivpn_domtrans(wicked_t) + openfortivpn_sigkill(wicked_t) + openfortivpn_signal(wicked_t) + openfortivpn_signull(wicked_t) +') + +optional_policy(` + openvswitch_stream_connect(wicked_t) +') + +optional_policy(` + virt_dbus_chat(wicked_t) +') + +#tunable_policy(`use_ecryptfs_home_dirs',` +#fs_manage_ecryptfs_files(wicked_t) +#') + +######################################## +# +# wpa_cli local policy +# + +#allow wpa_cli_t self:capability { dac_read_search }; +#allow wpa_cli_t self:unix_dgram_socket create_socket_perms; +# +#allow wpa_cli_t wicked_t:unix_dgram_socket sendto; +# +#manage_sock_files_pattern(wpa_cli_t, wicked_tmp_t, wicked_tmp_t) +#files_tmp_filetrans(wpa_cli_t, wicked_tmp_t, sock_file) +# +#list_dirs_pattern(wpa_cli_t, wicked_var_run_t, wicked_var_run_t) +#rw_sock_files_pattern(wpa_cli_t, wicked_var_run_t, wicked_var_run_t) +# +#init_dontaudit_use_fds(wpa_cli_t) +#init_use_script_ptys(wpa_cli_t) +# +#term_dontaudit_use_console(wpa_cli_t)