Merge remote-tracking branch 'tracking/main'
SorenEricMent committed Apr 30, 2024
2 parents 98dbb85 + f889384 commit 4a5bc9e
Showing 10 changed files with 96 additions and 7 deletions.
2 changes: 1 addition & 1 deletion build.conf
Expand Up @@ -73,7 +73,7 @@ MLS_SENS = 16
MLS_CATS = 1024

# Number of MCS Categories
# The categories will be c0 to c(MLS_CATS-1).
# The categories will be c0 to c(MCS_CATS-1).
MCS_CATS = 1024

# Set this to y to only display status messages
2 changes: 2 additions & 0 deletions policy/modules/admin/quota.te
Expand Up @@ -72,6 +72,8 @@ fs_getattr_xattr_fs(quota_t)
fs_remount_xattr_fs(quota_t)
fs_search_auto_mountpoints(quota_t)

miscfiles_read_localization(quota_t)

mls_file_read_all_levels(quota_t)

storage_raw_read_fixed_disk(quota_t)
1 change: 1 addition & 0 deletions policy/modules/admin/sosreport.fc
@@ -1,5 +1,6 @@
/usr/bin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)

/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
/usr/sbin/sos -- gen_context(system_u:object_r:sosreport_exec_t,s0)

/\.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0)
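Review bot: The new `/usr/sbin/sos` entry has no `/usr/bin` counterpart, while the `sosreport` binary two lines above is labeled under both `/usr/bin` and `/usr/sbin`; on a usr-merged system where the `sos` entrypoint lives in `/usr/bin`, the file would keep a generic label and the transition into `sosreport_t` would never fire. If that layout exists for the packages this policy targets, add `/usr/bin/sos -- gen_context(system_u:object_r:sosreport_exec_t,s0)` next to it. The rendering drops the +/- markers, so treating `/usr/sbin/sos` as the section's single addition is inferred from the 1-addition count.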
47 changes: 42 additions & 5 deletions policy/modules/admin/sosreport.te
Expand Up @@ -39,8 +39,10 @@ allow sosreport_t self:tcp_socket { accept listen };
allow sosreport_t self:unix_stream_socket { accept listen };

manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
manage_fifo_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
manage_sock_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })

Expand Down Expand Up @@ -91,20 +93,29 @@ files_read_kernel_modules(sosreport_t)
files_read_all_symlinks(sosreport_t)
files_manage_etc_runtime_files(sosreport_t)
files_etc_filetrans_etc_runtime(sosreport_t, file)
files_map_usr_files(sosreport_t)

fs_getattr_all_fs(sosreport_t)
fs_list_inotifyfs(sosreport_t)

selinux_compute_access_vector(sosreport_t)
selinux_compute_create_context(sosreport_t)
selinux_get_all_booleans(sosreport_t)
selinux_read_policy(sosreport_t)
selinux_validate_context(sosreport_t)

storage_dontaudit_read_fixed_disk(sosreport_t)
storage_dontaudit_read_removable_device(sosreport_t)

term_use_generic_ptys(sosreport_t)

auth_use_nsswitch(sosreport_t)

init_get_all_units_status(sosreport_t)
init_dbus_chat(sosreport_t)
init_domtrans_script(sosreport_t)

libs_domtrans_ldconfig(sosreport_t)
libs_run_ldconfig(sosreport_t, sosreport_roles)

logging_read_all_logs(sosreport_t)
logging_send_syslog_msg(sosreport_t)
Expand All @@ -113,6 +124,8 @@ miscfiles_read_localization(sosreport_t)

modutils_read_module_deps(sosreport_t)

userdom_use_inherited_user_terminals(sosreport_t)

optional_policy(`
abrt_manage_runtime_files(sosreport_t)
abrt_manage_cache(sosreport_t)
Expand All @@ -123,12 +136,21 @@ optional_policy(`
cups_stream_connect(sosreport_t)
')

optional_policy(`
devicekit_dbus_chat(sosreport_t)
devicekit_dbus_chat_disk(sosreport_t)
')

optional_policy(`
dmesg_domtrans(sosreport_t)
')

optional_policy(`
fstools_domtrans(sosreport_t)
firewalld_dbus_chat(sosreport_t)
')

optional_policy(`
fstools_run(sosreport_t, sosreport_roles)
')

optional_policy(`
Expand All @@ -140,11 +162,19 @@ optional_policy(`
')

optional_policy(`
lvm_domtrans(sosreport_t)
lvm_run(sosreport_t, sosreport_roles)
')

optional_policy(`
mount_domtrans(sosreport_t)
mount_run(sosreport_t, sosreport_roles)
')

optional_policy(`
networkmanager_dbus_chat(sosreport_t)
')

optional_policy(`
ntp_dbus_chat(sosreport_t)
')

optional_policy(`
Expand All @@ -158,7 +188,14 @@ optional_policy(`
')

optional_policy(`
setroubleshoot_signull(sosreport_t)
setroubleshoot_signull(sosreport_t)
')

optional_policy(`
systemd_dbus_chat_hostnamed(sosreport_t)
systemd_dbus_chat_logind(sosreport_t)
systemd_map_hwdb(sosreport_t)
systemd_read_journal_files(sosreport_t)
')

optional_policy(`
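Review bot: `dmesg_domtrans(sosreport_t)` in the `@@ -123,12 +136,21 @@` hunk grants only the type transition, while the neighbouring blocks in the same hunk and the following one pass `sosreport_roles` (`fstools_run`, `lvm_run`, `mount_run`, and `libs_run_ldconfig` earlier) so the target domain is also reachable from those roles; if `sosreport_t` is entered from a user role rather than from init, the `dmesg_t` transition (and likewise `init_domtrans_script` in the `@@ -91,20 +93,29 @@` hunk) will fail the role check even though the type rule exists. If the dmesg module offers a `_run` variant, `dmesg_run(sosreport_t, sosreport_roles)` would keep the hunk consistent; otherwise a one-line comment saying why the role is deliberately omitted would help. Which of these lines are new is inferred from the section's 42/5 counts and the `_domtrans` → `_run` pairs, since the markers are not shown.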
1 change: 1 addition & 0 deletions policy/modules/system/getty.te
Expand Up @@ -34,6 +34,7 @@ files_tmp_file(getty_tmp_t)
# Use capabilities.
allow getty_t self:capability { chown dac_override fowner fsetid setgid sys_admin sys_resource sys_tty_config };
dontaudit getty_t self:capability sys_tty_config;
allow getty_t self:capability2 checkpoint_restore;
allow getty_t self:process { getpgid getsession setpgid signal_perms };
allow getty_t self:fifo_file rw_fifo_file_perms;

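Review bot: `allow getty_t self:capability2 checkpoint_restore;` hands getty a capability designed for checkpoint/restore tooling, a broader grant than anything else in this block, and it sits directly under a `dontaudit` of `sys_tty_config` that takes the opposite approach. If the denial that motivated it comes from a probe (a library checking the capability) rather than an operation getty needs to succeed, `dontaudit getty_t self:capability2 checkpoint_restore;` is the safer form; either way a one-line comment naming the code path that triggers the check, e.g. `# agetty: <operation> is checked against CAP_CHECKPOINT_RESTORE on newer kernels`, would let the next reviewer judge it. That this line is the section's single addition is inferred from the 1-addition count, not from a marker.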
3 changes: 3 additions & 0 deletions policy/modules/system/selinuxutil.fc
Expand Up @@ -48,6 +48,9 @@
/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)

/usr/share/system-config-selinux/selinux_server\.py -- gen_context(system_u:object_r:selinux_dbus_exec_t,s0)

/usr/libexec/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)

#
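Review bot: `/usr/share/system-config-selinux/selinux_server\.py` is given the entrypoint type `selinux_dbus_exec_t`, so the transition into `selinux_dbus_t` only happens when the script itself is exec'd (via its shebang) by the system bus; if the D-Bus service activation instead runs it as an argument to the interpreter, the executed file is the interpreter binary and the service stays in the activator's domain with none of the new local policy applying. Worth confirming against the service definition's exec line and recording above the entry, e.g. `# must be executed directly, not via the interpreter, for the selinux_dbus_t transition to apply`.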
21 changes: 21 additions & 0 deletions policy/modules/system/selinuxutil.if
@@ -1,5 +1,26 @@
## <summary>Policy for SELinux policy and userland applications.</summary>

########################################
## <summary>
## Send and receive messages from
## selinux semanage dbus interface.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`seutil_semanage_dbus_chat',`
gen_require(`
type selinux_dbus_t;
class dbus send_msg;
')

allow $1 selinux_dbus_t:dbus send_msg;
allow selinux_dbus_t $1:dbus send_msg;
')

#######################################
## <summary>
## Execute checkpolicy in the checkpolicy domain.
23 changes: 23 additions & 0 deletions policy/modules/system/selinuxutil.te
Expand Up @@ -122,6 +122,10 @@ application_domain(run_init_t, run_init_exec_t)
domain_system_change_exemption(run_init_t)
role run_init_roles types run_init_t;

type selinux_dbus_t;
type selinux_dbus_exec_t;
dbus_system_domain(selinux_dbus_t, selinux_dbus_exec_t)

type semanage_t;
type semanage_exec_t;
application_domain(semanage_t, semanage_exec_t)
Expand Down Expand Up @@ -507,6 +511,25 @@ optional_policy(`
daemontools_domtrans_start(run_init_t)
')

########################################
#
# selinux DBUS local policy
#

allow selinux_dbus_t self:fifo_file rw_inherited_fifo_file_perms;
allow selinux_dbus_t self:unix_stream_socket create_socket_perms;

corecmd_exec_bin(selinux_dbus_t)

files_read_etc_symlinks(selinux_dbus_t)
files_list_usr(selinux_dbus_t)

policykit_dbus_chat(selinux_dbus_t)

miscfiles_read_localization(selinux_dbus_t)

seutil_domtrans_semanage(selinux_dbus_t)

########################################
#
# semodule local policy
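Review bot: The `selinux DBUS local policy` block in the second hunk gives `selinux_dbus_t` `seutil_domtrans_semanage`, which makes this bus service a path to policy modification for whichever domains are later granted `seutil_semanage_dbus_chat`, and the only gate visible here is `policykit_dbus_chat(selinux_dbus_t)`, presumably an authorization decision taken inside the service rather than by SELinux. That should be stated in the block header so the chat interface is not handed out casually, e.g. `# selinux_dbus_t can enter semanage_t; callers are authorised by polkit inside the service, not by policy, so grant seutil_semanage_dbus_chat sparingly`. No domain in this section receives the chat interface, so the caller side is outside this view.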
1 change: 1 addition & 0 deletions policy/modules/system/sysnetwork.fc
Expand Up @@ -20,6 +20,7 @@ ifdef(`distro_debian',`
/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/hostname -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/machine-info -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)

2 changes: 1 addition & 1 deletion policy/modules/system/systemd.if
Expand Up @@ -529,7 +529,7 @@ interface(`systemd_write_notify_socket',`

init_list_runtime($1)
init_unix_stream_socket_sendto($1)
allow $1 systemd_runtime_notify_t:sock_file write;
allow $1 systemd_runtime_notify_t:sock_file write_sock_file_perms;
')

######################################
