commit selinux-policy for openSUSE:Factory

Source-Sync Thu, 15 Dec 2022 10:24:53 -0800

Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package selinux-policy for openSUSE:Factory 
checked in at 2022-12-15 19:24:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old)
 and      /work/SRC/openSUSE:Factory/.selinux-policy.new.1835 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Package is "selinux-policy"

Thu Dec 15 19:24:39 2022 rev:40 rq:1043074 version:20221019

Changes:
--------
--- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes    
2022-12-14 14:10:45.895421235 +0100
+++ /work/SRC/openSUSE:Factory/.selinux-policy.new.1835/selinux-policy.changes  
2022-12-15 19:24:43.119890216 +0100
@@ -1,0 +2,14 @@
+Wed Dec 14 15:40:12 UTC 2022 - Hu <cathy...@suse.com>
+
+- Added policy for wicked scripts under /etc/sysconfig/network/scripts
+  (bnc#1205770)
+
+-------------------------------------------------------------------
+Wed Dec 14 09:16:26 UTC 2022 - Johannes Segitz <jseg...@suse.com>
+
+- Add fix_sendmail.patch 
+  * fix context of custom sendmail startup helper
+  * fix context of /var/run/sendmail and add necessary rules to manage
+    content in there
+
+-------------------------------------------------------------------

New:
----
  fix_sendmail.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ selinux-policy.spec ++++++
--- /var/tmp/diff_new_pack.kocWgU/_old  2022-12-15 19:24:44.551898363 +0100
+++ /var/tmp/diff_new_pack.kocWgU/_new  2022-12-15 19:24:44.555898386 +0100
@@ -146,6 +146,7 @@
 Patch062:       fix_cloudform.patch
 Patch063:       fix_alsa.patch
 Patch064:       dontaudit_interface_kmod_tmpfs.patch
+Patch065:       fix_sendmail.patch
 
 Patch100:       sedoctool.patch
 

++++++ fix_sendmail.patch ++++++
Index: fedora-policy-20221019/policy/modules/contrib/sendmail.fc
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/sendmail.fc
+++ fedora-policy-20221019/policy/modules/contrib/sendmail.fc
@@ -1,8 +1,9 @@
 
 /etc/rc\.d/init\.d/sendmail --  
gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
+/etc/mail/system/sm-client.pre --  
gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
 
 /var/log/sendmail\.st.*                --      
gen_context(system_u:object_r:sendmail_log_t,s0)
 /var/log/mail(/.*)?                    
gen_context(system_u:object_r:sendmail_log_t,s0)
 
-/var/run/sendmail\.pid         --      
gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/var/run/sendmail(/.*)?                 
gen_context(system_u:object_r:sendmail_var_run_t,s0)
 /var/run/sm-client\.pid                --      
gen_context(system_u:object_r:sendmail_var_run_t,s0)
Index: fedora-policy-20221019/policy/modules/contrib/sendmail.te
===================================================================
--- fedora-policy-20221019.orig/policy/modules/contrib/sendmail.te
+++ fedora-policy-20221019/policy/modules/contrib/sendmail.te
@@ -60,8 +60,10 @@ manage_dirs_pattern(sendmail_t, sendmail
 manage_files_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
 files_tmp_filetrans(sendmail_t, sendmail_tmp_t, { file dir })
 
-allow sendmail_t sendmail_var_run_t:file manage_file_perms;
-files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
+manage_dirs_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
+manage_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
+manage_sock_files_pattern(sendmail_t, sendmail_var_run_t, sendmail_var_run_t)
+files_pid_filetrans(sendmail_t, sendmail_var_run_t,  { file dir })
 
 kernel_read_network_state(sendmail_t)
 kernel_read_kernel_sysctls(sendmail_t)


++++++ wicked.fc ++++++
--- /var/tmp/diff_new_pack.kocWgU/_old  2022-12-15 19:24:45.203902073 +0100
+++ /var/tmp/diff_new_pack.kocWgU/_new  2022-12-15 19:24:45.207902095 +0100
@@ -45,4 +45,7 @@
 #/etc/dbus-1/system.d/org.opensuse.Network.Nanny.conf
 #/etc/dbus-1/system.d/org.opensuse.Network.conf
 
+/etc/sysconfig/network/scripts(/.*)?   
gen_context(system_u:object_r:wicked_script_t,s0)
+/etc/sysconfig/network/scripts/samba-winbindd  --      
gen_context(system_u:object_r:wicked_winbind_script_t,s0)
+/etc/sysconfig/network/scripts/dhcpd-restart-hook      --      
gen_context(system_u:object_r:wicked_dhcp_script_t,s0)
 

++++++ wicked.if ++++++
--- /var/tmp/diff_new_pack.kocWgU/_old  2022-12-15 19:24:45.223902186 +0100
+++ /var/tmp/diff_new_pack.kocWgU/_new  2022-12-15 19:24:45.223902186 +0100
@@ -653,3 +653,27 @@
        files_etc_filetrans($1, wicked_var_lib_t, file, "state-9.xml")
 ')
 
+########################################
+## <summary>
+##     Create a set of derived types for various wicked scripts
+## </summary>
+## <param name="prefix">
+##     <summary>
+##     The name to be used for deriving type names.
+##     </summary>
+## </param>
+#
+template(`wicked_script_template',`
+       gen_require(`
+               attribute wicked_plugin, wicked_script;
+               type wicked_t;
+       ')
+
+       type wicked_$1_t, wicked_plugin;
+       type wicked_$1_script_t, wicked_script;
+       application_domain(wicked_$1_t, wicked_$1_script_t)
+       role system_r types wicked_$1_t;
+
+       domtrans_pattern(wicked_t, wicked_$1_script_t, wicked_$1_t)
+')
+

++++++ wicked.te ++++++
--- /var/tmp/diff_new_pack.kocWgU/_old  2022-12-15 19:24:45.251902345 +0100
+++ /var/tmp/diff_new_pack.kocWgU/_new  2022-12-15 19:24:45.255902368 +0100
@@ -33,6 +33,20 @@
 type wicked_var_run_t;
 files_pid_file(wicked_var_run_t)
 
+
+# Wicked scripts
+
+attribute wicked_plugin;
+attribute wicked_script;
+type wicked_script_t, wicked_script;
+type wicked_custom_t, wicked_plugin;
+role system_r types wicked_custom_t;
+application_domain(wicked_custom_t, wicked_script_t)
+domtrans_pattern(wicked_t, wicked_script_t, wicked_custom_t)
+
+wicked_script_template(winbind);
+wicked_script_template(dhcp);
+
 #type wpa_cli_t;
 #type wpa_cli_exec_t;
 #init_system_domain(wpa_cli_t, wpa_cli_exec_t)
@@ -240,6 +254,20 @@
 
 sysnet_manage_config_dirs(wicked_t)
 
+
+# Wicked scripts
+
+list_dirs_pattern(wicked_t, wicked_script_t, wicked_script)
+read_files_pattern(wicked_t, wicked_script_t, wicked_script)
+read_lnk_files_pattern(wicked_t, wicked_script_t, wicked_script)
+list_dirs_pattern(wicked_plugin, wicked_script_t, wicked_script_t)
+read_lnk_files_pattern(wicked_plugin, wicked_script_t, wicked_script)
+
+auth_read_passwd(wicked_plugin)
+
+corecmd_exec_bin(wicked_plugin)
+corecmd_exec_shell(wicked_winbind_t)
+
 #tunable_policy(`use_nfs_home_dirs',`
 #    fs_read_nfs_files(wicked_t)
 #')
@@ -498,6 +526,26 @@
        networkmanager_dbus_chat(wicked_t)
 ')
 
+optional_policy(`
+       logging_send_syslog_msg(wicked_winbind_t)
+')
+
+optional_policy(`
+       sysnet_exec_ifconfig(wicked_plugin)
+       sysnet_read_config(wicked_plugin)
+')
+
+optional_policy(`
+       systemd_exec_systemctl(wicked_winbind_t)
+       systemd_exec_systemctl(wicked_dhcp_t)
+')
+
+optional_policy(`
+       samba_domtrans_smbcontrol(wicked_winbind_t)
+       samba_read_config(wicked_winbind_t)
+       samba_service_status(wicked_winbind_t)
+')
+
 #tunable_policy(`use_ecryptfs_home_dirs',`
 #fs_manage_ecryptfs_files(wicked_t)
 #')

commit selinux-policy for openSUSE:Factory

Reply via email to