rpm/selinux-policy
SHA256
1
0
Fork 0
forked from pool/selinux-policy
Code Pull Requests Activity
a50eda674e
selinux-policy/varrun-convert.sh
Johannes Segitz 2eaa3b6b79 Accepting request 1166915 from home:cahu:security:SELinux:policytest 
- Update to version 20240411:
  * Remove duplicate in sysnetwork.fc
  * Rename /var/run/wicked* to /run/wicked*
  * Remove /var/run/rsyslog/additional-log-sockets.conf from logging.fc
  * policy: support pidfs
  * Confine selinux-autorelabel-generator.sh
  * Allow logwatch_mail_t read/write to init over a unix stream socket
  * Allow logwatch read logind sessions files
  * files_dontaudit_getattr_tmpfs_files allowed the access and didn't dontaudit it
  * files_dontaudit_mounton_modules_object allowed the access and didn't dontaudit it
  * Allow NetworkManager the sys_ptrace capability in user namespace
  * dontaudit execmem for modemmanager
  * Allow dhcpcd use unix_stream_socket
  * Allow dhcpc read /run/netns files
  * Update mmap_rw_file_perms to include the lock permission
  * Allow plymouthd log during shutdown
  * Add logging_watch_all_log_dirs() and logging_watch_all_log_files()
  * Allow journalctl_t read filesystem sysctls
  * Allow cgred_t to get attributes of cgroup filesystems
  * Allow wdmd read hardware state information
  * Allow wdmd list the contents of the sysfs directories
  * Allow linuxptp configure phc2sys and chronyd over a unix domain socket
  * Allow sulogin relabel tty1
  * Dontaudit sulogin the checkpoint_restore capability
  * Modify sudo_role_template() to allow getpgid
  * Allow userdomain get attributes of files on an nsfs filesystem
  * Allow opafm create NFS files and directories
  * Allow virtqemud create and unlink files in /etc/libvirt/
  * Allow virtqemud domain transition on swtpm execution
  * Add the swtpm.if interface file for interactions with other domains
  * Allow samba to have dac_override capability
  * systemd: allow sys_admin capability for systemd_notify_t
  * systemd: allow systemd_notify_t to send data to kernel_t datagram sockets
  * Allow thumb_t to watch and watch_reads mount_var_run_t
  * Allow krb5kdc_t map krb5kdc_principal_t files
  * Allow unprivileged confined user dbus chat with setroubleshoot
  * Allow login_userdomain map files in /var
  * Allow wireguard work with firewall-cmd
  * Differentiate between staff and sysadm when executing crontab with sudo
  * Add crontab_admin_domtrans interface
  * Allow abrt_t nnp domain transition to abrt_handle_event_t
  * Allow xdm_t to watch and watch_reads mount_var_run_t
  * Dontaudit subscription manager setfscreate and read file contexts
  * Don't audit crontab_domain write attempts to user home
  * Transition from sudodomains to crontab_t when executing crontab_exec_t
  * Add crontab_domtrans interface
  * Fix label of pseudoterminals created from sudodomain
  * Allow utempter_t use ptmx
  * Dontaudit rpmdb attempts to connect to sssd over a unix stream socket
  * Allow admin user read/write on fixed_disk_device_t
  * Only allow confined user domains to login locally without unconfined_login
  * Add userdom_spec_domtrans_confined_admin_users interface
  * Only allow admindomain to execute shell via ssh with ssh_sysadm_login
  * Add userdom_spec_domtrans_admin_users interface
  * Move ssh dyntrans to unconfined inside unconfined_login tunable policy
  * Update ssh_role_template() for user ssh-agent type
  * Allow init to inherit system DBus file descriptors
  * Allow init to inherit fds from syslogd
  * Allow any domain to inherit fds from rpm-ostree
  * Update afterburn policy
  * Allow init_t nnp domain transition to abrtd_t
  * Rename all /var/lock file context entries to /run/lock
  * Rename all /var/run file context entries to /run
- Add script varrun-convert.sh for locally existing modules
  to be able to cope with the /var/run -> /run change
- Update embedded container-selinux to commit
  a8e389dbcd3f9b6ed0a7e495c6f559c0383dc49e

OBS-URL: https://build.opensuse.org/request/show/1166915
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=217
2024-04-12 07:02:14 +00:00

96 lines
3.2 KiB
Bash
Raw Blame History

#!/bin/bash
### varrun-convert.sh
### convert legacy filecontext entries containing /var/run to /run
### and load an extra selinux module with the new content
### the script takes a policy name as an argument
# Set DEBUG=yes before running the script to get more verbose output
# on the terminal and to the $LOG file
if [ "${DEBUG}" = "yes" ]; then
set -x
fi
# Auxiliary and log files will be created in OUTPUTDIR
OUTPUTDIR="/run/selinux-policy"
LOG="$OUTPUTDIR/log"
mkdir -p ${OUTPUTDIR}
if [ -z ${1} ]; then
[ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
exit
fi
SEMODULEOPT="-s ${1}"
[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
# Take current file_contexts and unify whitespace separators
FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
if [ ! -f ${FILE_CONTEXTS} ]; then
[ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
exit
fi
if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
[ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
exit 0
fi
EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
# Print only /var/run entries
grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
# Unify whitespace separators
sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
# Deduplicate already existing /var/run=/run entries
while read line
do
subline="${line#/var}"
if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
echo "$line"
fi
done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
# Change /var/run to /run
sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
# Exception handling: packages with already duplicate entries
sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
# Change format to cil
sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
# Handle entries with <<none>> which do not match previous regexps
sed -i s'/ <<none>>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
# Wrap each line with an optional block
i=1
while read line
do
echo "(optional extra_var_run_${i}"
echo " $line"
echo ")"
((i++))
done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
# Load module
[ -s ${EXTRA_VARRUN_CIL} ] &&
/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
View Git Blame Copy Permalink