rpm/selinux-policy
SHA256
1
0
Fork 0
forked from pool/selinux-policy
Code Pull Requests Activity
83d1f9398e
selinux-policy/varrun-convert.sh
Hu fade960df6 - Update to version 20240808: 
* Use new kanidm interfaces
  * Initial module for kanidm
  * Update bootupd policy
  * Allow rhsmcertd read/write access to /dev/papr-sysparm
  * Label /dev/papr-sysparm and /dev/papr-vpd
  * Allow abrt-dump-journal-core connect to winbindd
  * Allow systemd-hostnamed shut down nscd
  * Allow systemd-pstore send a message to syslogd over a unix domain
  * Allow postfix_domain map postfix_etc_t files
  * Allow microcode create /sys/devices/system/cpu/microcode/reload
  * Allow rhsmcertd read, write, and map ica tmpfs files
  * Support SGX devices
  * Allow initrc_t transition to passwd_t
  * Update fstab and cryptsetup generators policy
  * Allow xdm_t read and write the dma device
  * Update stalld policy for bpf usage
  * Allow systemd_gpt_generator to getattr on DOS directories
  * Make cgroup_memory_pressure_t a part of the file_type attribute
  * Allow ssh_t to change role to system_r
  * Update policy for coreos generators
  * Allow init_t nnp domain transition to firewalld_t
  * Label /run/modprobe.d with modules_conf_t
  * Allow virtnodedevd run udev with a domain transition
  * Allow virtnodedev_t create and use virtnodedev_lock_t
  * Allow virtstoraged manage files with virt_content_t type
  * Allow virtqemud unmount a filesystem with extended attributes
  * Allow svirt_t connect to unconfined_t over a unix domain socket
  * Update afterburn file transition policy
  * Allow systemd_generator read attributes of all filesystems
  * Allow fstab-generator read and write cryptsetup-generator unit file
  * Allow cryptsetup-generator read and write fstab-generator unit file
  * Allow systemd_generator map files in /etc
  * Allow systemd_generator read init's process state
  * Allow coreos-installer-generator read sssd public files
  * Allow coreos-installer-generator work with partitions
  * Label /etc/mdadm.conf.d with mdadm_conf_t
  * Confine coreos generators
  * Label /run/metadata with afterburn_runtime_t
  * Allow afterburn list ssh home directory
  * Label samba certificates with samba_cert_t
  * Label /run/coreos-installer-reboot with coreos_installer_var_run_t
  * Allow virtqemud read virt-dbus process state
  * Allow staff user dbus chat with virt-dbus
  * Allow staff use watch /run/systemd
  * Allow systemd_generator to write kmsg
  * Allow virtqemud connect to sanlock over a unix stream socket
  * Allow virtqemud relabel virt_var_run_t directories
  * Allow svirt_tcg_t read vm sysctls
  * Allow virtnodedevd connect to systemd-userdbd over a unix socket
  * Allow svirt read virtqemud fifo files
  * Allow svirt attach_queue to a virtqemud tun_socket
  * Allow virtqemud run ssh client with a transition
  * Allow virt_dbus_t connect to virtqemud_t over a unix stream socket
  * Update keyutils policy
  * Allow sshd_keygen_t connect to userdbd over a unix stream socket
  * Allow postfix-smtpd read mysql config files
  * Allow locate stream connect to systemd-userdbd
  * Allow the staff user use wireshark
  * Allow updatedb connect to userdbd over a unix stream socket
  * Allow gpg_t set attributes of public-keys.d
  * Allow gpg_t get attributes of login_userdomain stream
  * Allow systemd_getty_generator_t read /proc/1/environ
  * Allow systemd_getty_generator_t to read and write to tty_device_t
  * Drop publicfile module
  * Remove permissive domain for systemd_nsresourced_t
  * Change fs_dontaudit_write_cgroup_files() to apply to cgroup_t
  * Label /usr/bin/samba-gpupdate with samba_gpupdate_exec_t
  * Allow to create and delete socket files created by rhsm.service
  * Allow virtnetworkd exec shell when virt_hooks_unconfined is on
  * Allow unconfined_service_t transition to passwd_t
  * Support /var is empty
  * Allow abrt-dump-journal read all non_security socket files
  * Allow timemaster write to sysfs files
  * Dontaudit domain write cgroup files
  * Label /usr/lib/node_modules/npm/bin with bin_t
  * Allow ip the setexec permission
  * Allow systemd-networkd write files in /var/lib/systemd/network
  * Fix typo in systemd_nsresourced_prog_run_bpf()

OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=248
2024-08-08 12:42:54 +00:00

106 lines
3.6 KiB
Bash
Raw Blame History

#!/bin/bash
### varrun-convert.sh
### convert legacy filecontext entries containing /var/run to /run
### and load an extra selinux module with the new content
### the script takes a policy name as an argument
# Set DEBUG=yes before running the script to get more verbose output
# on the terminal and to the $LOG file
if [ "${DEBUG}" = "yes" ]; then
set -x
fi
# Auxiliary and log files will be created in OUTPUTDIR
OUTPUTDIR="/run/selinux-policy"
LOG="$OUTPUTDIR/log"
mkdir -p ${OUTPUTDIR}
if [ -z ${1} ]; then
[ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
exit
fi
SEMODULEOPT="-s ${1}"
[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
# Take current file_contexts and unify whitespace separators
FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
if [ ! -f ${FILE_CONTEXTS} ]; then
[ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
exit
fi
if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
[ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
exit 0
fi
EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
EXTRA_VARRUN_ENTRIES_WITHDUP_TMP="$OUTPUTDIR/extra_varrun_entries_dup.tmp"
EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
# Print only /var/run entries
grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
# Unify whitespace separators
sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
rm -f $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
touch $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
# Deduplicate already existing /var/run=/run entries
while read line
do
subline="${line#/var}"
if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
# check for overal duplicate entries
subline2=$(echo $line | sed -E -e 's/ \S+$//')
if ! grep -q "^${subline2}" ${EXTRA_VARRUN_ENTRIES_WITHDUP_TMP}; then
echo "$line"
echo "$line" >> $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
else
>&2 echo "DUP: $line"
fi
fi
done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
# Change /var/run to /run
sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
# Exception handling: packages with already duplicate entries
sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
# Change format to cil
sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
# Handle entries with <<none>> which do not match previous regexps
sed -i s'/ <<none>>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
# Wrap each line with an optional block
i=1
while read line
do
echo "(optional extra_var_run_${i}"
echo " $line"
echo ")"
((i++))
done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
# Load module
[ -s ${EXTRA_VARRUN_CIL} ] &&
/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
View Git Blame Copy Permalink