more selinux fixes

This commit is contained in:
Fredrik Eriksson 2020-05-17 20:31:52 +02:00
parent 42907ca795
commit d2c500c94a
Signed by: feffe
GPG Key ID: 18524638BE25530A
16 changed files with 291017 additions and 38 deletions


@ -1,3 +1,2 @@
AUX icinga2.initd-3 2390 BLAKE2B 1ead1dd958d978324dfa043abcc58be7ed389207e2bf4dc4786bd2705f94c70a03b84f34a55435f6d9dfcc0483e35da60c1f536dec1060bdc232108c622e0615 SHA512 a43911717fe891e70690647daa57426f70d10f9cb02c721962be4c13cfe8a95bc3ff84b9ba2a293adafc8ddacf8ea6771bd66e7ff6dabe3e732176bf6e6e474a
DIST icinga2-2.11.3.tar.gz 7475785 BLAKE2B baabe8c90170a7b2ddb3ae7e95ef3cd042e64f68dbfdb50f5a981bc63ae5aa1e8ec4082729456d1b3fc02c0c74a98e15383cc56e56c53a2ab6181db94125365c SHA512 616e938fabaa6565fb9ac4824649c09801dd53b3517c0a9b5b62307293bc838377c18818cc13dd40e240902f02455c421d433b6ee54671403598c5b7aeb78ea1
EBUILD icinga2-2.11.3.ebuild 4615 BLAKE2B 15e2025925303b103de145a66ba3a04881cf6957e0f0ff6fcf5082ec5b47180cb06dcbc2f14dcf2bd9f0d1735c532a0980bb1d03f6ede46af07fdf7c3d064dff SHA512 2b365a8c1e5a14c528ea572e19a498f56389c32141a7e64d7e2af07095880986bc889fbc6a4b32ed1c71180b08579720c5bcfd6ec7ffd99abfa17fe8e59cb1a6


@ -1,7 +1,11 @@
AUX cron_allow_watch_crontabs.patch 305 BLAKE2B bcc4c3663c7100c8c40531e5a5832efeaad3cfe8ba343dd29976f84e62676bf21a5e5aaf38edfb5e2e3fa960fcaa3f6b15bdf5ce8532ccc6c4c2d201b664e680 SHA512 8ddacea7990bdbfec2cbb4d542f739704fe6e8379877c3c6578f09f5a93aac1f57cfedc4e7d0ccf13eb9d4c9269fe5817b4b9ad74c8907831de353c06558e0fc
AUX git_portage_repo_fix.patch 366 BLAKE2B d78d6fe0913a51071ba4a594cbfdc2c665e98c14789e2bcd45a691c5d4a62ccfd6f4f802dd32e6792a346cc3f44fbd164b5a72eaf04efc75ea57b4d4f9c45d5a SHA512 ce4b013d7038a40f9dc25803fe7af94cfbab9cc071f8334c241f1704b1d410c3843c42c3c57fb0f2ef1e8274237fcaf355a168593b7fe6e9e14ba24c19d2e777
AUX init_paths.patch 427 BLAKE2B adaa31a8df2ba0ad77b58a0b1bddfd9bcbd48e19c8790ac51f2e679463413c237e12977363ad6156fe329da0b976d277d352db19429870a6df9a50da223c9e9f SHA512 8275af9ef8a1ad2bd57bde249b6d7e72518897e4acc864170c69274f08e410c9b888820c9c936b2e8a7682663c5311e5d2a47da20acf9297da64eae4875d142c
AUX init_read_syslog_config.patch 422 BLAKE2B 41814137d275eec4e6d801a318586c4040e22a512187a91dea9440026e2dc01dacc46404b7592ca71970c886b2a99f7d98989bfffc9e4e096042f13738a3003e SHA512 11cbed7bda6992a292e88628598026f8b1703b7ae258188d43e98ae140463bb5e28cfa64a9cc3864356f34b9089f79f51db4b60f2faeb05c03f8246e81d06737
AUX logging_init_read_config.patch 400 BLAKE2B 91899869ab8ba4923e4e26ec16317d4e23734043df0d27f7693e6445669fc21e3948cd3082a3193e01ef368a967ec2d43fd5d1e0ed3172637bce1a5dc3c1c495 SHA512 06b38922971178e45492bb1a29d0d18990b8e00cc492571d78b0aaca1514f5dc0540d692fe2159afe51c09717ec02f7ea2cf795f0cfe62f566a107092bd602a0
AUX mta_user_mail_newaliases.patch 406 BLAKE2B b8b23b24790267f301de0d6e17f9a25ac455dc3f6f7dee9f291c1e122d39fa125e86a4c5d1b3a8ac575576eebc3683b15fa1f7b8dee3016a8f046bb644ac7f42 SHA512 1515d0d79e7f33c80cebc5bd0babc2731595f31105de86df84d4940167693a274ae2271de3607369956750f22ab469fea8b247ba34cc8bb61f6a0a15d56a9328
AUX portage_paths.patch 1745 BLAKE2B ec0d213d13ac0e1d1d9bd52d2811b37814c00c2f385af4a074267144976634d2bce66fd0b530e61924c7f3fc0abd3b0c5a9c6aab72c2834ff1cf935dff91edae SHA512 31933e1f8588d16b4f336b571ce388bc2a6204db7c99f242826c172fe9417f88cc7c40030a0712315539b1dcc2b4a56d54a194852d6123d9ef5f58750fc87ef2
AUX sysadm_allow_watch.patch 317 BLAKE2B 5b54c9bcc242d6a8bc5ffb77d7774f325bb54dec9e370d25ce01b8597f91dee19b16aff9dd50bb12aa1420cb09ff463b3dc2ea6322c5fcc16f8f55274a438699 SHA512 730c9ad70817216f122ed4a7fad8931b6aec42e6dcc72f7e97ab1986b4d3900daeb1403380028db009c640fa4f1d1fff97e9c03913f24ba0023638b0782eb059
DIST patchbundle-selinux-base-policy-2.20190609-r1.tar.bz2 407664 BLAKE2B e6b6b56f990389365c062522582e2177bc3b70040c99948efad25737e69178f9f72149cc443cb9edacfdd1aa6bc29f637cc61939f66e5cc3841f83298b33c41e SHA512 16195b51bb414ac82821f93756b3b5d0ec206b7035a50379c1f796082d9c53b11369e15086e1e26521808944266364470c43dcfdd1818ba079fda1613b7ef9bd
DIST refpolicy-2.20190609.tar.bz2 555882 BLAKE2B abc45d9c906e0c880b7c47b0fb8e33f4a277c73244e20e8a95c44452db817241110127a5f8a3347cfbf5e30bf91f9dd4e5dd826426eb88b383fdbff5963f5fcd SHA512 f05ca08d31e62b7bf7203d7b243cce9ba87dd68d13b30067b99a44d5007449078fa82d591faa88c2955d370a346e69faedc850c02bd77c5624a8c746a13467f3
EBUILD selinux-base-policy-2.20190609-r1.ebuild 3990 BLAKE2B a884c64c29bfea455af98463d44303ec6a81e2e62f9b9452617e7f28b1cc6505ab38317a1145d848e5751c4ceb87ff111f89336d5605906c53ee8f01630dc0f8 SHA512 bb3ceb178f4d4e081aae7954ae752e40e29b5921ccc898b4ad760b34535a2cec012b3b7c469553504b01186b93053ee9819f66cd40bc718e5dff4c7ba44f622a
EBUILD selinux-base-policy-2.20190609-r1.ebuild 4113 BLAKE2B 6b340a9535c63ce7a9206a6929828ec5bda4e9bea2cfe9369d37332f4ccb48bea5cce7efd0bb20353d1e8572f0727944b207a494d00226660d240fcd602a7f66 SHA512 a2c75d9b362bb7f4f65aeb0cc3894f5df546c7cecc11bd7afa43e54873618eab799a678696fd672432944457f7269cde31975c0b2b9c8f980a4694c0a4709c84


@ -0,0 +1,8 @@
--- work/refpolicy/policy/modules/services/cron.te.orig 2020-05-17 19:58:38.079815252 +0200
+++ work/refpolicy/policy/modules/services/cron.te 2020-05-17 20:12:21.892774990 +0200
@@ -779,3 +779,5 @@
optional_policy(`
unconfined_domain(unconfined_cronjob_t)
')
+
+allow crond_t cron_spool_t:dir watch;
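Review bot: `allow crond_t cron_spool_t:dir watch;` is added without a comment, whereas the portage patch in this same commit explains its rule; a line such as `# crond watches the spool directory for crontab changes` above it would record why the access is needed. Because the rule is appended after the closing `')` of the optional_policy block it is unconditional, which looks intended given the narrow subject and target.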


@ -0,0 +1,9 @@
--- work/refpolicy/policy/modules/admin/portage.te.orig 2020-05-17 16:34:20.542137399 +0200
+++ work/refpolicy/policy/modules/admin/portage.te 2020-05-17 16:35:31.601142871 +0200
@@ -538,3 +538,6 @@
files_manage_etc_runtime_files(portage_eselect_domain)
')
+
+# required when using git to manage portage repositories
+allow portage_t portage_ebuild_t:file map;


@ -0,0 +1,10 @@
--- work/refpolicy/policy/modules/system/logging.te.orig 2020-05-17 16:50:17.101211062 +0200
+++ work/refpolicy/policy/modules/system/logging.te 2020-05-17 16:51:46.283217930 +0200
@@ -631,4 +631,7 @@
manage_files_pattern(syslogd_t, syslogmanaged, syslogmanaged)
files_rw_var_lib_dirs(syslogd_t)
+
+ # openrc init script needs to read rsyslog config
+ logging_read_syslog_config(initrc_t)
')
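Review bot: The two added lines land inside a block that closes with the `')` on the last hunk line and opens outside the hunk, so `logging_read_syslog_config(initrc_t)` is only in effect under whatever that block is conditioned on; if it is an `optional_policy` for another module, the init script's access to the syslog configuration silently depends on that module being present. An unconditional rule at top level of logging.te, or better one placed in init.te where initrc_t is declared, would make the intent explicit. The added lines also appear to be indented with a single space rather than a tab, which is worth checking against the surrounding file. The enclosing block starts outside the hunk.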


@ -0,0 +1,9 @@
--- work/refpolicy/policy/modules/roles/sysadm.te.orig 2020-05-17 20:18:02.631758336 +0200
+++ work/refpolicy/policy/modules/roles/sysadm.te 2020-05-17 20:18:42.373756394 +0200
@@ -1457,3 +1457,6 @@
vde_role(sysadm_r, sysadm_t)
')
')
+
+allow sysadm_t file_type:file watch;
+allow sysadm_t file_type:dir watch;
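Review bot: `allow sysadm_t file_type:file watch;` and the matching `:dir watch` rule grant change-notification watches on every type carrying the `file_type` attribute, which includes security-sensitive types such as shadow_t, so an admin session can observe modification events on files it is not otherwise allowed to read. The feffe module's xscreensaver block in this commit appears to scope similar rules with `non_security_file_type`; `allow sysadm_t non_security_file_type:file watch;` and `allow sysadm_t non_security_file_type:dir watch;` would be the consistent, narrower choice. If the goal is only to quiet denials, as the `dontaudit user_t file_type:... watch` lines do for user_t, `dontaudit` is the weaker option here too.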


@ -34,6 +34,9 @@ PATCHES=(
${FILESDIR}/init_read_syslog_config.patch
${FILESDIR}/init_paths.patch
${FILESDIR}/mta_user_mail_newaliases.patch
${FILESDIR}/git_portage_repo_fix.patch
${FILESDIR}/sysadm_allow_watch.patch
${FILESDIR}/cron_allow_watch_crontabs.patch
)
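Review bot: The ebuild gains three patches (`git_portage_repo_fix.patch`, `sysadm_allow_watch.patch`, `cron_allow_watch_crontabs.patch`) but, as the Manifest hunk earlier on this page shows, keeps the name `selinux-base-policy-2.20190609-r1.ebuild`; without a revision bump to `-r2`, systems that already have -r1 installed will not rebuild the policy and keep running the old rules. The same applies to `selinux-icinga2-2.11.3.ebuild`, whose content changes without a revision suffix. The `PATCHES=(` opening line is the hunk header, so the array starts just outside the visible lines.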
# Code entirely copied from selinux-eclass (cannot inherit due to dependency on


@ -0,0 +1 @@
## <summary></summary>
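Review bot: The new file consists of a single empty `## <summary></summary>` line, so the module ships with no description and no interfaces; either fill in the summary, e.g. `## <summary>Local policy additions for the feffe module</summary>`, or, if the interface file is intentionally a placeholder, say so in a comment. The file name is not visible on this page, so I am assuming this is the feffe module's .if file.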



@ -1,5 +1,23 @@
policy_module(feffe, 1.0)
gen_require(`
attribute file_type;
type devicekit_disk_t;
type etc_t;
type mozilla_t;
type xdg_cache_t;
type fs_t;
')
dontaudit user_t file_type:file watch;
dontaudit user_t file_type:dir watch;
dontaudit devicekit_disk_t etc_t:dir watch;
dontaudit mozilla_t xdg_cache_t:file { read write };
dontaudit mozilla_t fs_t:filesystem quotaget;
gen_tunable(feffe_cron_sync_to_home, false)
tunable_policy(`feffe_cron_sync_to_home',`
gen_require(`
@ -45,6 +63,9 @@ tunable_policy(`feffe_use_xdm',`
gen_tunable(feffe_xscreensaver_read_home, false)
tunable_policy(`feffe_xscreensaver_read_home',`
gen_require(`
attribute user_home_content_type;
attribute non_security_file_type;
type user_t;
type xscreensaver_helper_t;
type xscreensaver_t;
@ -54,11 +75,6 @@ tunable_policy(`feffe_xscreensaver_read_home',`
type bin_t;
type xscreensaver_helper_exec_t;
type fs_t;
type usr_t;
type var_t;
type xdg_data_t;
type xauth_home_t;
type xserver_t;
')
dev_rw_dri(xscreensaver_helper_t)
@ -76,22 +92,16 @@ tunable_policy(`feffe_xscreensaver_read_home',`
search_dirs_pattern(xscreensaver_helper_t, bin_t, bin_t)
exec_files_pattern(xscreensaver_helper_t, xscreensaver_helper_exec_t, xscreensaver_helper_exec_t)
exec_files_pattern(xscreensaver_helper_t, bin_t, bin_t)
allow xscreensaver_helper_t self:unix_stream_socket { create getattr connect write read shutdown };
read_files_pattern(xscreensaver_helper_t, user_home_content_type, user_home_content_type)
allow xscreensaver_t fs_t:filesystem getattr;
xdg_manage_cache(xscreensaver_helper_t)
allow xscreensaver_helper_t self:unix_stream_socket create_stream_socket_perms;
allow xscreensaver_helper_t xserver_t:fd use;
allow xscreensaver_t self:process execmem;
read_files_pattern(xscreensaver_helper_t, xauth_home_t, xauth_home_t)
dontaudit xscreensaver_helper_t usr_t:file map;
dontaudit xscreensaver_helper_t usr_t:dir search;
dontaudit xscreensaver_helper_t var_t:dir search;
dontaudit xscreensaver_helper_t xdg_data_t:dir search;
dontaudit xscreensaver_helper_t self:process setsched;
dontaudit xscreensaver_t xdg_config_t:dir search;
dontaudit xscreensaver_t xdg_data_t:dir search;
dontaudit xscreensaver_helper_t non_security_file_type:file map;
dontaudit xscreensaver_helper_t non_security_file_type:dir search;
dontaudit xscreensaver_helper_t xserver_t:fd use;
dontaudit xscreensaver_t self:process execmem;
dontaudit xscreensaver_t user_home_content_type:dir search;
')
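Review bot: `dontaudit mozilla_t xdg_cache_t:file { read write };` in the first hunk of this file silences read/write denials rather than deciding whether the browser should have that access; the access stays denied, so a functional break is hidden from the audit log and only reappears once dontaudit rules are disabled. If the access is wanted, grant it through the xdg interfaces (the file already calls `xdg_manage_cache`); if it is deliberately denied, add a comment above the rule saying so. The header still reads `policy_module(feffe, 1.0)` although the module body grows considerably here; bumping to `policy_module(feffe, 1.1)` lets installed module versions be told apart.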




@ -0,0 +1 @@
ifdef(`__if_error',`m4exit(1)')


@ -1,3 +1,3 @@
AUX gentoonize.patch 3569 BLAKE2B 74c61ba9ae303e2cc7eb6496ea16d6ba534879618b34021cee0d489b459ea92eb0bdc0df7a91e56660c26525ece2d401b600be62a05be82ded98557fc82e27ed SHA512 bcaedd688e81c0bcc92c3cc207680b59e3cead3bc5e6e5503fb3feacb073484215d1584574aa407e4889c4fded3d6010b7d49fa0a10ea6b96bd32cebe63c7b84
AUX gentoonize.patch 4876 BLAKE2B a096dbc55548da123ca15a0d4c49f243932b4ef123e9ce01618122e1eb8979b7d4050379487adfbef16ff02f14331213d7cc2b664fb6d9def1b6c7a585788d18 SHA512 1c276c82530adc64d12777632bbdbbb0213d59641635705559d837cb9926b7d8d41cadf553e673c686e622c193dcb67b1cb35d6324342261df0858ff47293a44
DIST icinga2-2.11.3.tar.gz 7475785 BLAKE2B baabe8c90170a7b2ddb3ae7e95ef3cd042e64f68dbfdb50f5a981bc63ae5aa1e8ec4082729456d1b3fc02c0c74a98e15383cc56e56c53a2ab6181db94125365c SHA512 616e938fabaa6565fb9ac4824649c09801dd53b3517c0a9b5b62307293bc838377c18818cc13dd40e240902f02455c421d433b6ee54671403598c5b7aeb78ea1
EBUILD selinux-icinga2-2.11.3.ebuild 1071 BLAKE2B e65ac5f13b2dc0bd4c78ca1234dc1e4f4fc62265f1e0fa6fb4cd5fadff5429255b29000277b49fc4d3e94db8b48f09d4c866854e6157f6fff8f5c32270ee58c6 SHA512 12e7311ba0a229e6f7872770693be2dd37e6ce2887f3f7a627cb3602b542faf14f51fe75f8faa2d5d990e1ebd175fa8682bb38499a774f6d6bd8183142a03f13
EBUILD selinux-icinga2-2.11.3.ebuild 1077 BLAKE2B 54fffd47616853ad07a35d996dbd2efe68d248fbfb05dd37de09c40fa18fb581ece81101595a03ec9f13a9c372a9dea2e1e9ae91f744a046bca5282d3c298d96 SHA512 8d170b5a8a414ff1bfa4aaaa862f872d739dba40154c715137c028c5699b5bae058e7ede17907fa5ed5f33d021bb3a99663f431ff07e0f15197c4be06f6f188d


@ -1,6 +1,14 @@
--- icinga2-2.11.3/tools/selinux/icinga2.te.orig 2020-05-17 12:42:51.052067797 +0200
+++ icinga2-2.11.3/tools/selinux/icinga2.te 2020-05-17 12:51:19.989106989 +0200
@@ -58,7 +58,6 @@
--- icinga2-2.11.3/tools/selinux/icinga2.te.orig 2020-05-17 18:29:52.446884000 +0200
+++ icinga2-2.11.3/tools/selinux/icinga2.te 2020-05-17 18:39:00.603857209 +0200
@@ -41,7 +41,6 @@
type nagios_system_plugin_t; type nagios_system_plugin_exec_t;
type nagios_unconfined_plugin_t; type nagios_unconfined_plugin_exec_t;
type nagios_eventhandler_plugin_t; type nagios_eventhandler_plugin_exec_t;
- type nagios_openshift_plugin_t; type nagios_openshift_plugin_exec_t;
type httpd_t; type system_mail_t;
type devlog_t;
role staff_r;
@@ -58,7 +57,6 @@
init_script_file(icinga2_initrc_exec_t)
type icinga2_unit_file_t;
@ -8,7 +16,15 @@
type icinga2_etc_t;
files_config_file(icinga2_etc_t)
@@ -176,7 +175,6 @@
@@ -155,7 +153,6 @@
icinga2_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
icinga2_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
icinga2_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
-icinga2_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
# should be moved nagios.te
nagios_plugin_template(notification)
@@ -176,7 +173,6 @@
')
icinga2_dontaudit_leaks_fifo(system_mail_t)
# hipsaint notification
@ -16,7 +32,7 @@
sysnet_read_config(nagios_notification_plugin_t)
allow nagios_notification_plugin_t self:udp_socket create_stream_socket_perms;
allow nagios_notification_plugin_t self:tcp_socket create_stream_socket_perms;
@@ -216,20 +214,9 @@
@@ -216,19 +212,8 @@
selinux_compute_access_vector(icinga2_t)
dbus_send_system_bus(icinga2_t)
@ -24,22 +40,32 @@
- systemd_dbus_chat_logind(icinga2_t)
- # Without this it works but is very slow
- systemd_write_inherited_logind_sessions_pipes(icinga2_t)
-')
-
')
-optional_policy(`
- tunable_policy(`icinga2_run_sudo',`
- sudo_exec(icinga2_t)
- ')
')
-')
-
-
########################################
#
# Icinga Webinterfaces
@@ -273,3 +260,26 @@
@@ -254,6 +239,8 @@
# Icinga2 Admin Role
#
+role icinga2adm_r;
+
userdom_unpriv_user_template(icinga2adm)
icinga2_admin(icinga2adm_t, icinga2adm_r)
@@ -271,5 +258,27 @@
icinga2adm_execstrans(nagios_system_plugin_exec_t, nagios_system_plugin_t)
icinga2adm_execstrans(nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t)
icinga2adm_execstrans(nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_t)
icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
-icinga2adm_execstrans(nagios_openshift_plugin_exec_t, nagios_openshift_plugin_t)
icinga2adm_execstrans(nagios_notification_plugin_exec_t, nagios_notification_plugin_t)
+
+# Feffestuff
@ -64,8 +90,8 @@
+ postfix_exec_master(nagios_mail_plugin_t)
+ postfix_domtrans_postqueue(nagios_mail_plugin_t)
+')
--- icinga2-2.11.3/tools/selinux/icinga2.if.orig 2020-05-17 12:42:59.181068423 +0200
+++ icinga2-2.11.3/tools/selinux/icinga2.if 2020-05-17 12:44:26.659075160 +0200
--- icinga2-2.11.3/tools/selinux/icinga2.if.orig 2020-05-17 18:44:49.111840177 +0200
+++ icinga2-2.11.3/tools/selinux/icinga2.if 2020-05-17 18:45:18.317838749 +0200
@@ -40,30 +40,6 @@
########################################
@ -97,6 +123,15 @@
## Allow the specified domain to read
## icinga2 configuration files.
## </summary>
@@ -289,7 +265,7 @@
allow $1 icinga2_t:process { signal_perms };
ps_process_pattern($1, icinga2_t)
- tunable_policy(`deny_ptrace',`',`
+ tunable_policy(`allow_ptrace',`
allow $1 icinga2_t:process ptrace;
')
@@ -312,14 +288,8 @@
admin_pattern($1, icinga2_spool_t)
admin_pattern($1, icinga2_cache_t)
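Review bot: The comment `# Feffestuff` introducing the new block at the end of the icinga2.te part of this patch names the author rather than the rules; from the visible lines the block gives nagios_mail_plugin_t access to postfix (`postfix_exec_master`, `postfix_domtrans_postqueue`), so a comment such as `# let the mail notification plugin hand messages to postfix` would tell the next reader what it is for. The block's opening line and most of its body fall outside the visible hunk. The ptrace change from `tunable_policy(`deny_ptrace',`',`` to `tunable_policy(`allow_ptrace',`` makes ptrace opt-in, which matches refpolicy's tunable name and is the safer default.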


@ -32,7 +32,7 @@ src_compile() {
src_install() {
for i in ${POLICY_TYPES}; do
mkdir -p "${D}/usr/share/selinux/${i}"
mv "${S}/selinux/icinga2-${i}.pp" "${D}/usr/share/selinux/${i}/icinga2.pp"
mv "${S}/tools/selinux/icinga2-${i}.pp" "${D}/usr/share/selinux/${i}/icinga2.pp"
done
}
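Review bot: `mv "${S}/tools/selinux/icinga2-${i}.pp" "${D}/usr/share/selinux/${i}/icinga2.pp"` and the `mkdir -p` before it are plain shell commands, so a failure (for instance the .pp not having been built for one of `${POLICY_TYPES}`) is ignored and the package installs without the module. Append `|| die` to both, or use the install helpers, which die on their own: `insinto "/usr/share/selinux/${i}"` followed by `newins "${S}/tools/selinux/icinga2-${i}.pp" icinga2.pp`. src_install is fully visible in the hunk; src_compile ends outside it.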