rpm/selinux-policy
SHA256
1
0
Fork 0
forked from pool/selinux-policy
Code Pull Requests Activity
69818d8fec
selinux-policy/fix_networkmanager.patch
Johannes Segitz 9deff280f8 Accepting request 1042579 from home:jsegitz:branches:security:SELinux 
- Updated fix_networkmanager.patch to fixe labeling of nm-dispatcher and
  nm-priv-helper until the packaging is adjusted (bsc#1206355)
- Update fix_chronyd.patch to allow  sendto towards
  NetworkManager_dispatcher_custom_t. Added new interface
  networkmanager_dispatcher_custom_dgram_send for this (bsc#1206357)
- Update fix_dbus.patch to allow dbus to watch lib directories (bsc#1205895)

- Updated fix_networkmanager.patch to allow NetworkManager to watch
  net_conf_t (bsc#1206109)

OBS-URL: https://build.opensuse.org/request/show/1042579
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=161
2022-12-13 09:20:16 +00:00

128 lines
5.1 KiB
Diff
Raw Blame History

Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.te
+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.te
@@ -259,6 +259,7 @@ sysnet_search_dhcp_state(NetworkManager_
sysnet_manage_config(NetworkManager_t)
sysnet_filetrans_named_content(NetworkManager_t)
sysnet_filetrans_net_conf(NetworkManager_t)
+sysnet_watch_config(NetworkManager_t)
systemd_login_watch_pid_dirs(NetworkManager_t)
systemd_login_watch_session_dirs(NetworkManager_t)
@@ -275,6 +276,9 @@ userdom_read_home_certs(NetworkManager_t
userdom_read_user_home_content_files(NetworkManager_t)
userdom_dgram_send(NetworkManager_t)
+hostname_exec(NetworkManager_t)
+networkmanager_systemctl(NetworkManager_t)
+
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(NetworkManager_t)
')
@@ -284,6 +288,10 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
+ nis_systemctl_ypbind(NetworkManager_t)
+')
+
+optional_policy(`
avahi_domtrans(NetworkManager_t)
avahi_kill(NetworkManager_t)
avahi_signal(NetworkManager_t)
@@ -292,6 +300,14 @@ optional_policy(`
')
optional_policy(`
+ packagekit_dbus_chat(NetworkManager_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(NetworkManager_t)
+')
+
+optional_policy(`
bind_domtrans(NetworkManager_t)
bind_manage_cache(NetworkManager_t)
bind_kill(NetworkManager_t)
@@ -419,6 +435,8 @@ optional_policy(`
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
nscd_systemctl(NetworkManager_t)
+ nscd_socket_use(NetworkManager_dispatcher_tlp_t)
+ nscd_socket_use(NetworkManager_dispatcher_custom_t)
')
optional_policy(`
@@ -606,6 +624,7 @@ files_manage_etc_files(NetworkManager_di
init_status(NetworkManager_dispatcher_cloud_t)
init_status(NetworkManager_dispatcher_ddclient_t)
+init_status(NetworkManager_dispatcher_custom_t)
init_append_stream_sockets(networkmanager_dispatcher_plugin)
init_ioctl_stream_sockets(networkmanager_dispatcher_plugin)
init_stream_connect(networkmanager_dispatcher_plugin)
@@ -621,6 +640,10 @@ optional_policy(`
')
optional_policy(`
+ nscd_shm_use(NetworkManager_dispatcher_chronyc_t)
+')
+
+optional_policy(`
cloudform_init_domtrans(NetworkManager_dispatcher_cloud_t)
')
Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.if
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.if
+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.if
@@ -132,6 +132,24 @@ interface(`networkmanager_initrc_domtran
init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
')
+#######################################
+## <summary>
+## Allow reading of NetworkManager link files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to read the links
+## </summary>
+## </param>
+#
+interface(`networkmanager_initrc_read_lnk_files',`
+ gen_require(`
+ type NetworkManager_initrc_exec_t;
+ ')
+
+ read_lnk_files_pattern($1, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t)
+')
+
########################################
## <summary>
## Execute NetworkManager server in the NetworkManager domain.
Index: fedora-policy-20221019/policy/modules/contrib/networkmanager.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/networkmanager.fc
+++ fedora-policy-20221019/policy/modules/contrib/networkmanager.fc
@@ -24,6 +24,7 @@
/usr/lib/NetworkManager/dispatcher\.d/04-iscsi -- gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0)
/usr/lib/NetworkManager/dispatcher\.d/10-sendmail -- gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0)
/usr/lib/NetworkManager/dispatcher\.d/11-dhclient -- gen_context(system_u:object_r:NetworkManager_dispatcher_dhclient_script_t,s0)
+/usr/lib/NetworkManager/dispatcher\.d/20-chrony -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
/usr/lib/NetworkManager/dispatcher\.d/20-chrony-dhcp -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
/usr/lib/NetworkManager/dispatcher\.d/20-chrony-onoffline -- gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
/usr/lib/NetworkManager/dispatcher\.d/30-winbind -- gen_context(system_u:object_r:NetworkManager_dispatcher_winbind_script_t,s0)
@@ -37,6 +38,9 @@
/usr/libexec/nm-dispatcher -- gen_context(system_u:object_r:NetworkManager_dispatcher_exec_t,s0)
/usr/libexec/nm-priv-helper -- gen_context(system_u:object_r:NetworkManager_priv_helper_exec_t,s0)
+# bsc#1206355
+/usr/lib/nm-dispatcher -- gen_context(system_u:object_r:NetworkManager_dispatcher_exec_t,s0)
+/usr/lib/nm-priv-helper -- gen_context(system_u:object_r:NetworkManager_priv_helper_exec_t,s0)
/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
View Git Blame Copy Permalink