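Index: refpolicy/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy.orig/policy/modules/system/sysnetwork.fc 2018-11-27 16:09:33.159358187 +0100
+++ refpolicy/policy/modules/system/sysnetwork.fc 2018-11-27 16:09:36.851417892 +0100
@@ -6,6 +6,15 @@ ifdef(`distro_debian',`
 /dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
+# SUSE
+# sysconfig network files are stored in /dev/.sysconfig
+/dev/.sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+# label netconfig files in /var/adm and /var/lib and /var/run
+/var/adm/netconfig(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/var/lib/ntp/var(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/netconfig(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+
+
 #
 # /etc
 #
@@ -33,6 +42,10 @@ ifdef(`distro_redhat',`
 /etc/sysconfig/network-scripts(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
+/etc/sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/etc/sysconfig/network/scripts/.* gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/scripts/.* gen_context(system_u:object_r:bin_t,s0)
+
 #
 # /usr
 #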
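Review bot: The two `bin_t` rules in the second hunk (`/etc/sysconfig/network/scripts/.*` and `/etc/sysconfig/scripts/.*`) cover only directory contents, so the `scripts` directory under `/etc/sysconfig/network` itself still matches `/etc/sysconfig/network(/.*)?` and is labeled `net_conf_t`. Domains allowed to manage `net_conf_t` directories could then add or rename entries beside the executables; writing the rule as `/etc/sysconfig/network/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)` would label the directory `bin_t` as well. In the first hunk, `/var/lib/ntp/var(/.*)?` places that whole tree under `net_conf_t` although the comment only mentions netconfig files, and the `.` in `/dev/.sysconfig` is an unescaped regex metacharacter (`/dev/\.sysconfig/network(/.*)?`). Unlike the Debian and Red Hat blocks named in the hunk headers, the new entries are not wrapped in a distro guard despite the `# SUSE` comment.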
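Index: refpolicy/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy.orig/policy/modules/system/sysnetwork.te 2018-11-27 16:09:33.163358252 +0100
+++ refpolicy/policy/modules/system/sysnetwork.te 2018-11-27 16:10:36.920389270 +0100
@@ -47,7 +47,8 @@ ifdef(`distro_debian',`
 #
 # DHCP client local policy
 #
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config };
+# need sys_admin to set hostname/domainname
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config sys_admin };
 dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
@@ -79,6 +80,12 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_r
 sysnet_manage_config(dhcpc_t)
 files_etc_filetrans(dhcpc_t, net_conf_t, file)
 
+# allow relabel of /dev/.sysconfig
+dev_associate(net_conf_t)
+
+# allow mv /etc/resolv.conf.netconfig
+allow dhcpc_t etc_runtime_t:file unlink;
+
 # create temp files
 manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
 manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)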
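Review bot: Adding `sys_admin` to the `dhcpc_t` capability set in the first hunk grants far more than the hostname/domainname change the comment cites, and `dhcpc_t` presumably processes data received from the network. If the capability is only needed on SUSE, keep the original allow line and add `allow dhcpc_t self:capability sys_admin;` inside a SUSE-only conditional; if the name is set by executing a separate hostname program, a transition into that program's domain would keep the capability out of `dhcpc_t` altogether. In the second hunk, `allow dhcpc_t etc_runtime_t:file unlink;` names a type owned by another module directly and permits removing any file of that type in a directory `dhcpc_t` can write, not just `/etc/resolv.conf.netconfig`. A comment stating that scope, or a dedicated type for the netconfig file, would make the intent reviewable.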
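Index: refpolicy/policy/modules/kernel/devices.fc
===================================================================
--- refpolicy.orig/policy/modules/kernel/devices.fc 2018-11-27 16:09:33.163358252 +0100
+++ refpolicy/policy/modules/kernel/devices.fc 2018-11-27 16:09:36.851417892 +0100
@@ -2,6 +2,7 @@
 /dev -d gen_context(system_u:object_r:device_t,s0)
 /dev/.* gen_context(system_u:object_r:device_t,s0)
 
+/dev/.sysconfig(/.*)? -d gen_context(system_u:object_r:net_conf_t,s0)
 /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)
 /dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0)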
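Review bot: The `.` in `/dev/.sysconfig(/.*)?` is an unescaped regular-expression metacharacter, so the pattern also matches a directory with any other character in that position; `/dev/\.sysconfig(/.*)? -d gen_context(system_u:object_r:net_conf_t,s0)` pins the intended path. Because of `-d` the rule labels directories only, so regular files outside `/dev/.sysconfig/network` presumably fall back to the generic `/dev/.*` rule and `device_t`; a comment saying whether that is intended would help. The entry also makes the devices file-context file refer to `net_conf_t`, a type the sysnetwork module appears to own, and it partly overlaps the `/dev/.sysconfig/network(/.*)?` rule added to sysnetwork.fc in the same patch.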