Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2022-09-30 17:57:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "selinux-policy"

Fri Sep 30 17:57:06 2022 rev:32 rq:1007016 version:20220714

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2022-09-03 23:18:42.583757638 +0200
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.2275/selinux-policy.changes  
2022-09-30 17:57:12.433173292 +0200
@@ -1,0 +2,19 @@
+Thu Sep 29 12:54:15 UTC 2022 - Johannes Segitz <jseg...@suse.com>
+
+- Update fix_networkmanager.patch to ensure NetworkManager chrony
+  dispatcher is properly labled and update fix_chronyd.patch to ensure
+  chrony helper script has proper label to be used by NetworkManager.
+  Also allow NetworkManager_dispatcher_custom_t to query systemd status
+  (bsc#1203824)
+
+-------------------------------------------------------------------
+Tue Sep 27 13:00:35 UTC 2022 - Filippo Bonazzi <filippo.bona...@suse.com>
+
+- Update fix_xserver.patch to add greetd support (bsc#1198559)
+
+-------------------------------------------------------------------
+Mon Sep 12 06:47:56 UTC 2022 - Johannes Segitz <jseg...@suse.com>
+
+- Revamped rtorrent module
+
+-------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ fix_chronyd.patch ++++++
--- /var/tmp/diff_new_pack.gm2vHj/_old  2022-09-30 17:57:13.589175764 +0200
+++ /var/tmp/diff_new_pack.gm2vHj/_new  2022-09-30 17:57:13.589175764 +0200
@@ -1,7 +1,7 @@
-Index: fedora-policy-20211111/policy/modules/contrib/chronyd.te
+Index: fedora-policy-20220714/policy/modules/contrib/chronyd.te
 ===================================================================
---- fedora-policy-20211111.orig/policy/modules/contrib/chronyd.te
-+++ fedora-policy-20211111/policy/modules/contrib/chronyd.te
+--- fedora-policy-20220714.orig/policy/modules/contrib/chronyd.te
++++ fedora-policy-20220714/policy/modules/contrib/chronyd.te
 @@ -141,6 +141,14 @@ systemd_exec_systemctl(chronyd_t)
  userdom_dgram_send(chronyd_t)
  
@@ -17,15 +17,16 @@
      cron_dgram_send(chronyd_t)
  ')
  
-Index: fedora-policy-20211111/policy/modules/contrib/chronyd.fc
+Index: fedora-policy-20220714/policy/modules/contrib/chronyd.fc
 ===================================================================
---- fedora-policy-20211111.orig/policy/modules/contrib/chronyd.fc
-+++ fedora-policy-20211111/policy/modules/contrib/chronyd.fc
-@@ -6,6 +6,7 @@
+--- fedora-policy-20220714.orig/policy/modules/contrib/chronyd.fc
++++ fedora-policy-20220714/policy/modules/contrib/chronyd.fc
+@@ -6,6 +6,8 @@
  
  /usr/sbin/chronyd     --      gen_context(system_u:object_r:chronyd_exec_t,s0)
  /usr/libexec/chrony-helper    --      
gen_context(system_u:object_r:chronyd_exec_t,s0)
 +/usr/lib/chrony/helper        --      
gen_context(system_u:object_r:chronyd_exec_t,s0)
++/usr/libexec/chrony/helper    --      
gen_context(system_u:object_r:chronyd_exec_t,s0)
  
  /usr/bin/chronyc      --      gen_context(system_u:object_r:chronyc_exec_t,s0)
  

++++++ fix_networkmanager.patch ++++++
--- /var/tmp/diff_new_pack.gm2vHj/_old  2022-09-30 17:57:13.657175909 +0200
+++ /var/tmp/diff_new_pack.gm2vHj/_new  2022-09-30 17:57:13.661175918 +0200
@@ -36,6 +36,14 @@
  ')
  
  optional_policy(`
+@@ -602,6 +615,7 @@ files_manage_etc_files(NetworkManager_di
+ 
+ init_status(NetworkManager_dispatcher_cloud_t)
+ init_status(NetworkManager_dispatcher_ddclient_t)
++init_status(NetworkManager_dispatcher_custom_t)
+ init_append_stream_sockets(networkmanager_dispatcher_plugin)
+ init_ioctl_stream_sockets(networkmanager_dispatcher_plugin)
+ init_stream_connect(networkmanager_dispatcher_plugin)
 Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.if
 ===================================================================
 --- fedora-policy-20220714.orig/policy/modules/contrib/networkmanager.if
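Review bot: `init_status(NetworkManager_dispatcher_custom_t)` grants systemd unit-status queries to the custom dispatcher domain, which, judging by its name, covers locally added dispatcher scripts rather than the chrony one the changelog describes. Once the `20-chrony` file context added in the next hunk labels that script NetworkManager_dispatcher_chronyc_script_t it presumably no longer runs as custom_t, so the narrower rule for the stated goal would be `init_status(NetworkManager_dispatcher_chronyc_script_t)`. If the grant to custom_t is wanted in its own right, a one-line comment above it saying so would stop the next reader from treating it as a leftover workaround for the mislabelled script. The enclosing networkmanager.te block starts and ends outside this hunk.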
@@ -65,4 +73,16 @@
  ########################################
  ## <summary>
  ##    Execute NetworkManager server in the NetworkManager domain.
+Index: fedora-policy-20220714/policy/modules/contrib/networkmanager.fc
+===================================================================
+--- fedora-policy-20220714.orig/policy/modules/contrib/networkmanager.fc
++++ fedora-policy-20220714/policy/modules/contrib/networkmanager.fc
+@@ -24,6 +24,7 @@
+ /usr/lib/NetworkManager/dispatcher\.d/04-iscsi        --      
gen_context(system_u:object_r:NetworkManager_dispatcher_iscsid_script_t,s0)
+ /usr/lib/NetworkManager/dispatcher\.d/10-sendmail     --      
gen_context(system_u:object_r:NetworkManager_dispatcher_sendmail_script_t,s0)
+ /usr/lib/NetworkManager/dispatcher\.d/11-dhclient     --      
gen_context(system_u:object_r:NetworkManager_dispatcher_dhclient_script_t,s0)
++/usr/lib/NetworkManager/dispatcher\.d/20-chrony       --      
gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
+ /usr/lib/NetworkManager/dispatcher\.d/20-chrony-dhcp  --      
gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
+ /usr/lib/NetworkManager/dispatcher\.d/20-chrony-onoffline     --      
gen_context(system_u:object_r:NetworkManager_dispatcher_chronyc_script_t,s0)
+ /usr/lib/NetworkManager/dispatcher\.d/30-winbind      --      
gen_context(system_u:object_r:NetworkManager_dispatcher_winbind_script_t,s0)
 

++++++ fix_xserver.patch ++++++
--- /var/tmp/diff_new_pack.gm2vHj/_old  2022-09-30 17:57:13.721176046 +0200
+++ /var/tmp/diff_new_pack.gm2vHj/_new  2022-09-30 17:57:13.725176054 +0200
@@ -1,7 +1,7 @@
-Index: fedora-policy-20211111/policy/modules/services/xserver.fc
+Index: fedora-policy-20220714/policy/modules/services/xserver.fc
 ===================================================================
---- fedora-policy-20211111.orig/policy/modules/services/xserver.fc
-+++ fedora-policy-20211111/policy/modules/services/xserver.fc
+--- fedora-policy-20220714.orig/policy/modules/services/xserver.fc
++++ fedora-policy-20220714/policy/modules/services/xserver.fc
 @@ -71,6 +71,7 @@ HOME_DIR/\.dmrc.*    --      gen_context(system_
  /etc/X11/[wxg]dm/Xsession --  
gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/wdm(/.*)?            gen_context(system_u:object_r:xdm_rw_etc_t,s0)
@@ -18,7 +18,15 @@
  /usr/bin/gpe-dm               --      
gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/iceauth      --      gen_context(system_u:object_r:iceauth_exec_t,s0)
  /usr/bin/razor-lightdm-.*    --  gen_context(system_u:object_r:xdm_exec_t,s0)
-@@ -137,6 +139,7 @@ HOME_DIR/\.dmrc.*  --      gen_context(system_
+@@ -114,6 +116,7 @@ HOME_DIR/\.dmrc.*  --      gen_context(system_
+ /usr/bin/Xwayland     --      gen_context(system_u:object_r:xserver_exec_t,s0)
+ /usr/bin/x11vnc               --      
gen_context(system_u:object_r:xserver_exec_t,s0)
+ /usr/bin/nvidia.*     --      gen_context(system_u:object_r:xserver_exec_t,s0)
++/usr/bin/greetd               --      
gen_context(system_u:object_r:xdm_exec_t,s0)
+ 
+ /usr/libexec/Xorg\.bin  --  gen_context(system_u:object_r:xserver_exec_t,s0)  
 
+ /usr/libexec/Xorg\.wrap  --  gen_context(system_u:object_r:xserver_exec_t,s0)
+@@ -137,6 +140,7 @@ HOME_DIR/\.dmrc.*  --      gen_context(system_
  /usr/X11R6/lib/X11/xkb        -d      
gen_context(system_u:object_r:xkb_var_lib_t,s0)
  /usr/X11R6/lib/X11/xkb/.* --  gen_context(system_u:object_r:xkb_var_lib_t,s0)
  
@@ -26,10 +34,27 @@
  ifndef(`distro_debian',`
  /usr/var/[xgkw]dm(/.*)?               
gen_context(system_u:object_r:xserver_log_t,s0)
  ')
-Index: fedora-policy-20211111/policy/modules/services/xserver.te
+@@ -155,6 +159,7 @@ ifndef(`distro_debian',`
+ /var/lib/[mxkwg]dm(/.*)?      gen_context(system_u:object_r:xdm_var_lib_t,s0)
+ /var/lib/xkb(/.*)?            gen_context(system_u:object_r:xkb_var_lib_t,s0)
+ /var/lib/xorg(/.*)?           
gen_context(system_u:object_r:xserver_var_lib_t,s0)
++/var/lib/greetd(/.*)?         gen_context(system_u:object_r:xdm_var_lib_t,s0)
+ 
+ /var/cache/lightdm(/.*)?      gen_context(system_u:object_r:xdm_var_lib_t,s0)
+ /var/cache/[mg]dm(/.*)?               
gen_context(system_u:object_r:xdm_var_lib_t,s0)
+@@ -184,6 +189,8 @@ ifndef(`distro_debian',`
+ /var/run/xauth(/.*)?          gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xdmctl(/.*)?         gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/sddm(/.*)?           gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/greetd[^/]*\.sock    -s      
gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/greetd\.run          --      
gen_context(system_u:object_r:xdm_var_run_t,s0)
+ 
+ /var/run/video.rom    --      
gen_context(system_u:object_r:xserver_var_run_t,s0)
+ /var/run/xorg(/.*)?           
gen_context(system_u:object_r:xserver_var_run_t,s0)
+Index: fedora-policy-20220714/policy/modules/services/xserver.te
 ===================================================================
---- fedora-policy-20211111.orig/policy/modules/services/xserver.te
-+++ fedora-policy-20211111/policy/modules/services/xserver.te
+--- fedora-policy-20220714.orig/policy/modules/services/xserver.te
++++ fedora-policy-20220714/policy/modules/services/xserver.te
 @@ -473,6 +473,10 @@ userdom_delete_user_home_content_files(x
  userdom_signull_unpriv_users(xdm_t)
  userdom_dontaudit_read_admin_home_lnk_files(xdm_t)
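Review bot: `/usr/bin/greetd` in the previous hunk is labelled xdm_exec_t, so greetd will run in whatever domain xserver.te transitions xdm_exec_t into (presumably xdm_t; that rule sits in the xserver.te hunk at the end of this file, which is cut off in this view), i.e. the full display-manager privilege set rather than a dedicated domain. That matches how this file already treats sddm and lightdm (their /var/run and /var/cache entries use xdm_var_run_t and xdm_var_lib_t, exactly as the new /var/lib/greetd and /var/run/greetd entries do), so it is consistent; it is still worth confirming that the greeter processes greetd spawns under a separate user get a transition out of xdm_t rather than inheriting it, since nothing in these hunks shows that. The socket pattern `/var/run/greetd[^/]*\.sock -s` and the `--` entry for `/var/run/greetd\.run` look correct as written.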


++++++ rtorrent.fc ++++++
--- /var/tmp/diff_new_pack.gm2vHj/_old  2022-09-30 17:57:13.913176456 +0200
+++ /var/tmp/diff_new_pack.gm2vHj/_new  2022-09-30 17:57:13.917176465 +0200
@@ -1,2 +1,2 @@
-/usr/bin/rtorrent      --      
gen_context(system_u:object_r:rtorrent_exec_t,s0)
+/usr/bin/rtorrent              --      
gen_context(system_u:object_r:rtorrent_exec_t,s0)
 

++++++ rtorrent.if ++++++
--- /var/tmp/diff_new_pack.gm2vHj/_old  2022-09-30 17:57:13.937176508 +0200
+++ /var/tmp/diff_new_pack.gm2vHj/_new  2022-09-30 17:57:13.945176525 +0200
@@ -1,49 +1,14 @@
-## <summary>Policy for rtorrent.</summary>
 
-############################################################
-## <summary>
-##     Role access for rtorrent
-## </summary>
-## <param name="role">
-##     <summary>
-##     Role allowed access
-##     </summary>
-## </param>
-## <param name="domain">
-##     <summary>
-##     User domain for the role
-##     </summary>
-## </param>
-#
-interface(`rtorrent_role',`
-       gen_require(`
-           attribute_role rtorrent_roles;
-           type rtorrent_t, rtorrent_exec_t;
-       ')
-
-       roleattribute $1 rtorrent_roles;
-
-       # transition from the userdomain to the derived domain
-       domtrans_pattern($2, rtorrent_exec_t, rtorrent_t)
-
-       # allow ps to show rtorrent
-       ps_process_pattern($2, rtorrent_t)
-       allow $2 rtorrent_t:process { signull sigstop signal sigkill };
-
-       ifdef(`hide_broken_symptoms',`
-               #Leaked File Descriptors
-               dontaudit rtorrent_t $2:fifo_file rw_fifo_file_perms;
-       ')
-')
+## <summary>policy for rtorrent</summary>
 
 ########################################
 ## <summary>
-##     Transition to a user torrent domain.
+##     Execute rtorrent_exec_t in the rtorrent domain.
 ## </summary>
 ## <param name="domain">
-##     <summary>
+## <summary>
 ##     Domain allowed to transition.
-##     </summary>
+## </summary>
 ## </param>
 #
 interface(`rtorrent_domtrans',`
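Review bot: The rewritten rtorrent_domtrans header dedents the `<summary>` tags inside `<param name="domain">` to `## <summary>` / `## </summary>`, while the other interfaces in this file (the rtorrent_exec parameter in the next hunk and the new rtorrent_run and rtorrent_role blocks in the last one) keep the indented `##     <summary>` form, so the XML doc comments end up in two styles; keeping the two removed lines as they were would avoid that. The new file summary `## <summary>policy for rtorrent</summary>` also drops the capitalisation and trailing period of the line it replaces for no visible reason. The removal of rtorrent_role here is paired with its re-addition in the last hunk of this file.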
@@ -51,12 +16,13 @@
                type rtorrent_t, rtorrent_exec_t;
        ')
 
+       corecmd_search_bin($1)
        domtrans_pattern($1, rtorrent_exec_t, rtorrent_t)
 ')
 
 ######################################
 ## <summary>
-##     Execute torrent in the caller domain.
+##     Execute rtorrent in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -73,40 +39,58 @@
        can_exec($1, rtorrent_exec_t)
 ')
 
-######################################
+########################################
 ## <summary>
-##  Make rtorrent an entrypoint for
-##  the specified domain.
+##     Execute rtorrent in the rtorrent domain, and
+##     allow the specified role the rtorrent domain.
 ## </summary>
 ## <param name="domain">
-##  <summary>
-##  The domain for which cifs_t is an entrypoint.
-##  </summary>
+##     <summary>
+##     Domain allowed to transition
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     The role to be allowed the rtorrent domain.
+##     </summary>
 ## </param>
 #
-interface(`rtorrent_entry_type',`
-    gen_require(`
-        type rtorrent_exec_t;
-    ')
+interface(`rtorrent_run',`
+       gen_require(`
+               type rtorrent_t;
+               attribute_role rtorrent_roles;
+       ')
 
-    domain_entry_file($1, rtorrent_exec_t)
+       rtorrent_domtrans($1)
+       roleattribute $2 rtorrent_roles;
 ')
 
 ########################################
 ## <summary>
-##     Send generic signals to user rtorrent processes.
+##     Role access for rtorrent
 ## </summary>
+## <param name="role">
+##     <summary>
+##     Role allowed access
+##     </summary>
+## </param>
 ## <param name="domain">
 ##     <summary>
-##     Domain allowed access.
+##     User domain for the role
 ##     </summary>
 ## </param>
 #
-interface(`rtorrent_signal',`
+interface(`rtorrent_role',`
        gen_require(`
                type rtorrent_t;
+               attribute_role rtorrent_roles;
        ')
 
-       allow $1 rtorrent_t:process signal;
+       roleattribute $1 rtorrent_roles;
+
+       rtorrent_domtrans($2)
+
+       ps_process_pattern($2, rtorrent_t)
+       allow $2 rtorrent_t:process { signull signal sigkill };
 ')
 
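Review bot: rtorrent_run lists `type rtorrent_t;` in its gen_require block but never references it — the body only calls rtorrent_domtrans($1) and sets the role attribute — so the require can be trimmed to `attribute_role rtorrent_roles;`. The new rtorrent_role also drops `sigstop` from the process permissions the old interface granted (`{ signull sigstop signal sigkill }` becomes `{ signull signal sigkill }`) and the `hide_broken_symptoms` dontaudit for inherited fifo descriptors; if both are intentional the changelog entry could say so, otherwise shells using this role lose job control over rtorrent and start logging fifo denials. rtorrent_entry_type and rtorrent_signal are deleted outright rather than kept as deprecated wrappers, so any other module that calls them will fail to build against this version.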

++++++ rtorrent.te ++++++
--- /var/tmp/diff_new_pack.gm2vHj/_old  2022-09-30 17:57:13.965176567 +0200
+++ /var/tmp/diff_new_pack.gm2vHj/_new  2022-09-30 17:57:13.969176576 +0200
@@ -1,4 +1,4 @@
-policy_module(rtorrent, 1.0.1)
+policy_module(rtorrent, 1.0.0)
 
 ########################################
 #
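Review bot: `policy_module(rtorrent, 1.0.0)` lowers the module version from 1.0.1 while the rest of the module is substantially rewritten. As far as I know current semodule does not enforce ordering on module versions, so the build will not fail, but a version that goes backwards makes the revamped module indistinguishable from, or apparently older than, the one it replaces by its header alone; given the interface changes in rtorrent.if, `policy_module(rtorrent, 1.1.0)` or a 2.0.0 bump would be the expected value.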
@@ -18,82 +18,85 @@
 ## </desc>
 gen_tunable(rtorrent_enable_rutorrent, false)
 
-attribute rtorrentdomain;
+## <desc>
+## <p>
+## Allow rtorrent to execute helper scripts in home directories
+## </p>
+## </desc>
+gen_tunable(rtorrent_exec_scripts, false)
 
 attribute_role rtorrent_roles;
 roleattribute system_r rtorrent_roles;
 
 type rtorrent_t;
 type rtorrent_exec_t;
-userdom_user_application_domain(rtorrent_t, rtorrent_exec_t)
+application_domain(rtorrent_t, rtorrent_exec_t)
 role rtorrent_roles types rtorrent_t;
 
 ########################################
 #
 # rtorrent local policy
 #
+allow rtorrent_t self:process { fork signal_perms };
+
+allow rtorrent_t self:fifo_file manage_fifo_file_perms;
+allow rtorrent_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(rtorrent_t)
+
+files_read_etc_files(rtorrent_t)
+
+miscfiles_read_localization(rtorrent_t)
 
-corenet_tcp_bind_commplex_main_port(rtorrent_t)
+sysnet_dns_name_resolve(rtorrent_t)
+
+optional_policy(`
+       gen_require(`
+               type staff_t;
+               role staff_r;
+       ')
+
+       rtorrent_run(staff_t, staff_r)
+')
 
 type rtorrent_port_t;
 corenet_port(rtorrent_port_t)
 allow rtorrent_t rtorrent_port_t:tcp_socket name_bind;
 
 userdom_read_user_home_content_symlinks(rtorrent_t)
+userdom_manage_user_home_content_files(rtorrent_t)
+userdom_manage_user_home_content_dirs(rtorrent_t)
+
+allow rtorrent_t self:tcp_socket { accept listen };
 
-allow rtorrent_t self:process setpgid;
-allow rtorrent_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
-allow rtorrent_t self:fifo_file rw_fifo_file_perms;
-allow rtorrent_t self:tcp_socket create_stream_socket_perms;
-allow rtorrent_t self:unix_stream_socket connectto;
-
-allow rtorrent_t self:netlink_route_socket { bind create nlmsg_read };
-allow rtorrent_t self:udp_socket { connect create getattr };
-nscd_shm_use(rtorrent_t)
-
-#corecmd_exec_shell(rtorrent_t)
-corecmd_exec_bin(rtorrent_t)
-# execute helper scripts
-userdom_exec_user_bin_files(rtorrent_t)
-
-corenet_all_recvfrom_netlabel(rtorrent_t)
-corenet_tcp_sendrecv_generic_if(rtorrent_t)
-corenet_udp_sendrecv_generic_if(rtorrent_t)
-corenet_tcp_sendrecv_generic_node(rtorrent_t)
-corenet_udp_sendrecv_generic_node(rtorrent_t)
-corenet_tcp_sendrecv_all_ports(rtorrent_t)
-corenet_udp_sendrecv_all_ports(rtorrent_t)
 corenet_tcp_connect_all_ports(rtorrent_t)
-corenet_sendrecv_all_client_packets(rtorrent_t)
-corenet_udp_bind_all_unreserved_ports(rtorrent_t)
 
-domain_use_interactive_fds(rtorrent_t)
-auth_use_nsswitch(rtorrent_t)
-miscfiles_map_generic_certs(rtorrent_t)
 fs_getattr_xattr_fs(rtorrent_t)
 
 userdom_use_inherited_user_terminals(rtorrent_t)
-userdom_manage_user_home_content_files(rtorrent_t)
-userdom_manage_user_home_content_dirs(rtorrent_t)
+# this might be to much
 userdom_home_manager(rtorrent_t)
 userdom_filetrans_home_content(rtorrent_t)
-userdom_stream_connect(rtorrent_t)
 
 optional_policy(`
-       tunable_policy(`rtorrent_send_mails',`
-               userdom_exec_user_bin_files(rtorrent_t)
-               userdom_exec_user_home_content_files(rtorrent_t)
-               files_manage_generic_tmp_files(rtorrent_t)
-               mta_send_mail(rtorrent_t)
-       ')
+        tunable_policy(`rtorrent_send_mails',`
+                userdom_exec_user_bin_files(rtorrent_t)
+                userdom_exec_user_home_content_files(rtorrent_t)
+                files_manage_generic_tmp_files(rtorrent_t)
+                mta_send_mail(rtorrent_t)
+        ')
 ')
 
 optional_policy(`
-    apache_manage_sys_content(rtorrent_t)
-
     tunable_policy(`rtorrent_enable_rutorrent',`
+       apache_manage_sys_content(rtorrent_t)
         apache_exec_sys_content(rtorrent_t)
     ')
 ')
 
+tunable_policy(`rtorrent_exec_scripts',`
+    # execute helper scripts
+    corecmd_exec_bin(rtorrent_t)
+    userdom_exec_user_bin_files(rtorrent_t)
+')
 
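Review bot: The new `rtorrent_exec_scripts` tunable gates corecmd_exec_bin and userdom_exec_user_bin_files, but the `rtorrent_send_mails` branch a few lines above still grants userdom_exec_user_bin_files and userdom_exec_user_home_content_files whenever that tunable is on, so switching rtorrent_exec_scripts off does not stop rtorrent from executing files under home directories on a host with mail sending enabled. Either nest those two calls under rtorrent_exec_scripts as well, or state the overlap in the tunable description, e.g. `## Allow rtorrent to execute helper scripts in home directories (rtorrent_send_mails also grants this)`. The comment `# this might be to much` above userdom_home_manager reads as an unresolved TODO and has a typo (`too much`); either resolve it before merging or reword it to say what the broader home-directory access is needed for. The `optional_policy` block that calls `rtorrent_run(staff_t, staff_r)` from inside rtorrent.te inverts the usual layering, where the role module (staff.te) opts into application domains, and it also means only staff_r gets the transition.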
