added patched and custom selinux policies
This commit is contained in:
parent
7bbb5e50fa
commit
e8ea1e9c3d
GPG Key ID:
18524638BE25530A
|
|
@ -0,0 +1,7 @@
|
|||
AUX init_paths.patch 427 BLAKE2B adaa31a8df2ba0ad77b58a0b1bddfd9bcbd48e19c8790ac51f2e679463413c237e12977363ad6156fe329da0b976d277d352db19429870a6df9a50da223c9e9f SHA512 8275af9ef8a1ad2bd57bde249b6d7e72518897e4acc864170c69274f08e410c9b888820c9c936b2e8a7682663c5311e5d2a47da20acf9297da64eae4875d142c
|
||||
AUX init_read_syslog_config.patch 422 BLAKE2B 41814137d275eec4e6d801a318586c4040e22a512187a91dea9440026e2dc01dacc46404b7592ca71970c886b2a99f7d98989bfffc9e4e096042f13738a3003e SHA512 11cbed7bda6992a292e88628598026f8b1703b7ae258188d43e98ae140463bb5e28cfa64a9cc3864356f34b9089f79f51db4b60f2faeb05c03f8246e81d06737
|
||||
AUX mta_user_mail_newaliases.patch 406 BLAKE2B b8b23b24790267f301de0d6e17f9a25ac455dc3f6f7dee9f291c1e122d39fa125e86a4c5d1b3a8ac575576eebc3683b15fa1f7b8dee3016a8f046bb644ac7f42 SHA512 1515d0d79e7f33c80cebc5bd0babc2731595f31105de86df84d4940167693a274ae2271de3607369956750f22ab469fea8b247ba34cc8bb61f6a0a15d56a9328
|
||||
AUX portage_paths.patch 1745 BLAKE2B ec0d213d13ac0e1d1d9bd52d2811b37814c00c2f385af4a074267144976634d2bce66fd0b530e61924c7f3fc0abd3b0c5a9c6aab72c2834ff1cf935dff91edae SHA512 31933e1f8588d16b4f336b571ce388bc2a6204db7c99f242826c172fe9417f88cc7c40030a0712315539b1dcc2b4a56d54a194852d6123d9ef5f58750fc87ef2
|
||||
DIST patchbundle-selinux-base-policy-2.20190609-r1.tar.bz2 407664 BLAKE2B e6b6b56f990389365c062522582e2177bc3b70040c99948efad25737e69178f9f72149cc443cb9edacfdd1aa6bc29f637cc61939f66e5cc3841f83298b33c41e SHA512 16195b51bb414ac82821f93756b3b5d0ec206b7035a50379c1f796082d9c53b11369e15086e1e26521808944266364470c43dcfdd1818ba079fda1613b7ef9bd
|
||||
DIST refpolicy-2.20190609.tar.bz2 555882 BLAKE2B abc45d9c906e0c880b7c47b0fb8e33f4a277c73244e20e8a95c44452db817241110127a5f8a3347cfbf5e30bf91f9dd4e5dd826426eb88b383fdbff5963f5fcd SHA512 f05ca08d31e62b7bf7203d7b243cce9ba87dd68d13b30067b99a44d5007449078fa82d591faa88c2955d370a346e69faedc850c02bd77c5624a8c746a13467f3
|
||||
EBUILD selinux-base-policy-2.20190609-r1.ebuild 3990 BLAKE2B a884c64c29bfea455af98463d44303ec6a81e2e62f9b9452617e7f28b1cc6505ab38317a1145d848e5751c4ceb87ff111f89336d5605906c53ee8f01630dc0f8 SHA512 bb3ceb178f4d4e081aae7954ae752e40e29b5921ccc898b4ad760b34535a2cec012b3b7c469553504b01186b93053ee9819f66cd40bc718e5dff4c7ba44f622a
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
--- work/refpolicy/policy/modules/system/init.fc.orig 2020-05-17 10:44:45.078522121 +0200
|
||||
+++ work/refpolicy/policy/modules/system/init.fc 2020-05-17 10:45:24.000525118 +0200
|
||||
@@ -104,6 +104,7 @@
|
||||
# /var
|
||||
#
|
||||
/var/lib/ip6?tables(/.*)? gen_context(system_u:object_r:initrc_tmp_t,s0)
|
||||
+/var/lib/ipset(/.*)? gen_context(system_u:object_r:initrc_tmp_t,s0)
|
||||
|
||||
/run/openrc(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
|
||||
')
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
--- work/refpolicy/policy/modules/system/init.te.orig 2020-05-17 11:15:23.079663661 +0200
|
||||
+++ work/refpolicy/policy/modules/system/init.te 2020-05-17 11:16:09.014667199 +0200
|
||||
@@ -1527,3 +1527,8 @@
|
||||
userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
|
||||
userdom_dontaudit_write_user_tmp_files(systemprocess)
|
||||
')
|
||||
+
|
||||
+# allow openrc to read syslog config
|
||||
+optional_policy(`
|
||||
+ logging_read_syslog_config(initrc_t)
|
||||
+')
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
--- work/refpolicy/policy/modules/services/mta.te.orig 2020-05-17 11:00:52.011596582 +0200
|
||||
+++ work/refpolicy/policy/modules/services/mta.te 2020-05-17 11:02:31.536604246 +0200
|
||||
@@ -425,3 +425,7 @@
|
||||
at_rw_inherited_job_log_files(system_mail_t)
|
||||
')
|
||||
')
|
||||
+
|
||||
+mta_manage_aliases(user_mail_t)
|
||||
+manage_dirs_pattern(user_mail_t, etc_mail_t, etc_mail_t)
|
||||
+manage_files_pattern(user_mail_t, etc_mail_t, etc_mail_t)
|
||||
|
|
@ -0,0 +1,27 @@
|
|||
--- a/refpolicy/policy/modules/admin/portage.fc.orig 2020-05-17 10:29:05.060449732 +0200
|
||||
+++ b/refpolicy/policy/modules/admin/portage.fc 2020-05-17 10:34:15.237473618 +0200
|
||||
@@ -19,6 +19,15 @@
|
||||
/usr/lib/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
|
||||
/usr/lib/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
|
||||
|
||||
+/var/db/repos(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
|
||||
+/var/cache/binpkg(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
|
||||
+/var/cache/distfiles(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
|
||||
+/var/cache/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
|
||||
+/var/cache/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
|
||||
+/var/cache/distfiles/git[0-9]-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
|
||||
+/var/cache/distfiles/go-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
|
||||
+/var/cache/distfiles/hg-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
|
||||
+/var/cache/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
|
||||
|
||||
/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
|
||||
/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
|
||||
@@ -48,3 +57,8 @@
|
||||
/usr/lib/python-exec/python[0-9]\.[0-9]*/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
|
||||
/var/log/sandbox(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
|
||||
')
|
||||
+
|
||||
+# not strictly portage, maybe should have it's own policy?
|
||||
+/usr/bin/eix gen_context(system_u:object_r:portage_exec_t,s0)
|
||||
+/usr/bin/eix-sync gen_context(system_u:object_r:portage_exec_t,s0)
|
||||
+/usr/bin/eix-update gen_context(system_u:object_r:portage_exec_t,s0)
|
||||
|
|
@ -0,0 +1,134 @@
|
|||
# Copyright 1999-2020 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI="6"
|
||||
|
||||
if [[ ${PV} == 9999* ]]; then
|
||||
EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
|
||||
EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
|
||||
EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy"
|
||||
|
||||
inherit git-r3
|
||||
else
|
||||
SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
|
||||
https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
|
||||
KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
|
||||
fi
|
||||
|
||||
HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
|
||||
DESCRIPTION="SELinux policy for core modules"
|
||||
|
||||
IUSE="systemd +unconfined"
|
||||
|
||||
PDEPEND="unconfined? ( sec-policy/selinux-unconfined )"
|
||||
DEPEND="=sec-policy/selinux-base-${PVR}[systemd?]"
|
||||
RDEPEND="$DEPEND"
|
||||
|
||||
MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg"
|
||||
LICENSE="GPL-2"
|
||||
SLOT="0"
|
||||
S="${WORKDIR}/"
|
||||
|
||||
PATCHES=(
|
||||
${FILESDIR}/portage_paths.patch
|
||||
${FILESDIR}/init_read_syslog_config.patch
|
||||
${FILESDIR}/init_paths.patch
|
||||
${FILESDIR}/mta_user_mail_newaliases.patch
|
||||
)
|
||||
|
||||
# Code entirely copied from selinux-eclass (cannot inherit due to dependency on
|
||||
# itself), when reworked reinclude it. Only postinstall (where -b base.pp is
|
||||
# added) needs to remain then.
|
||||
|
||||
pkg_pretend() {
|
||||
for i in ${POLICY_TYPES}; do
|
||||
if [[ "${i}" == "targeted" ]] && ! use unconfined; then
|
||||
die "If you use POLICY_TYPES=targeted, then USE=unconfined is mandatory."
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
src_prepare() {
|
||||
local modfiles
|
||||
|
||||
if [[ ${PV} != 9999* ]]; then
|
||||
einfo "Applying SELinux policy updates ... "
|
||||
eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
|
||||
fi
|
||||
|
||||
default
|
||||
eapply_user
|
||||
|
||||
# Collect only those files needed for this particular module
|
||||
for i in ${MODS}; do
|
||||
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
|
||||
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
|
||||
done
|
||||
|
||||
for i in ${POLICY_TYPES}; do
|
||||
mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
|
||||
cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
|
||||
|| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
|
||||
|
||||
cp ${modfiles} "${S}"/${i} \
|
||||
|| die "Failed to copy the module files to ${S}/${i}"
|
||||
done
|
||||
}
|
||||
|
||||
src_compile() {
|
||||
for i in ${POLICY_TYPES}; do
|
||||
emake NAME=$i SHAREDIR="${ROOT%/}"/usr/share/selinux -C "${S}"/${i}
|
||||
done
|
||||
}
|
||||
|
||||
src_install() {
|
||||
local BASEDIR="/usr/share/selinux"
|
||||
|
||||
for i in ${POLICY_TYPES}; do
|
||||
for j in ${MODS}; do
|
||||
einfo "Installing ${i} ${j} policy package"
|
||||
insinto ${BASEDIR}/${i}
|
||||
doins "${S}"/${i}/${j}.pp
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
pkg_postinst() {
|
||||
# Set root path and don't load policy into the kernel when cross compiling
|
||||
local root_opts=""
|
||||
if [[ "${ROOT%/}" != "" ]]; then
|
||||
root_opts="-p ${ROOT%/} -n"
|
||||
fi
|
||||
|
||||
# Override the command from the eclass, we need to load in base as well here
|
||||
local COMMAND="-i base.pp"
|
||||
if has_version "<sys-apps/policycoreutils-2.5"; then
|
||||
COMMAND="-b base.pp"
|
||||
fi
|
||||
|
||||
for i in ${MODS}; do
|
||||
COMMAND="${COMMAND} -i ${i}.pp"
|
||||
done
|
||||
|
||||
for i in ${POLICY_TYPES}; do
|
||||
einfo "Inserting the following modules, with base, into the $i module store: ${MODS}"
|
||||
|
||||
cd "${ROOT%/}/usr/share/selinux/${i}"
|
||||
|
||||
semodule ${root_opts} -s ${i} ${COMMAND}
|
||||
done
|
||||
|
||||
# Don't relabel when cross compiling
|
||||
if [[ "${ROOT%/}" == "" ]]; then
|
||||
# Relabel depending packages
|
||||
local PKGSET="";
|
||||
if [[ -x /usr/bin/qdepends ]] ; then
|
||||
PKGSET=$(/usr/bin/qdepends -Cq -r -Q ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
|
||||
elif [[ -x /usr/bin/equery ]] ; then
|
||||
PKGSET=$(/usr/bin/equery -Cq depends ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
|
||||
fi
|
||||
if [[ -n "${PKGSET}" ]] ; then
|
||||
rlpkg ${PKGSET};
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
AUX feffe.fc 0 BLAKE2B 786a02f742015903c6c6fd852552d272912f4740e15847618a86e217f71f5419d25e1031afee585313896444934eb04b903a685b1448b755d56f701afe9be2ce SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
|
||||
AUX feffe.te 2775 BLAKE2B e99e4704905752c6d7a7a19ec86e5fa98fdeefb5ed4eabc5cacb028243d6abea7e5593a49a1f93edc0c45898b71de83c11fccdccf3d0346f98a3836a8c4120e2 SHA512 f5f2a643122e204fb0c44ea0fc4f91e518958b02c123fce4702dba267039c6d6392ef734ed255e847b068953b2a4e8f4d31763bf2ecd6bcc6fd68a5a3050da55
|
||||
DIST patchbundle-selinux-base-policy-2.20190609-r1.tar.bz2 407664 BLAKE2B e6b6b56f990389365c062522582e2177bc3b70040c99948efad25737e69178f9f72149cc443cb9edacfdd1aa6bc29f637cc61939f66e5cc3841f83298b33c41e SHA512 16195b51bb414ac82821f93756b3b5d0ec206b7035a50379c1f796082d9c53b11369e15086e1e26521808944266364470c43dcfdd1818ba079fda1613b7ef9bd
|
||||
DIST refpolicy-2.20190609.tar.bz2 555882 BLAKE2B abc45d9c906e0c880b7c47b0fb8e33f4a277c73244e20e8a95c44452db817241110127a5f8a3347cfbf5e30bf91f9dd4e5dd826426eb88b383fdbff5963f5fcd SHA512 f05ca08d31e62b7bf7203d7b243cce9ba87dd68d13b30067b99a44d5007449078fa82d591faa88c2955d370a346e69faedc850c02bd77c5624a8c746a13467f3
|
||||
EBUILD selinux-feffe-policies-2.20190609-r1.ebuild 398 BLAKE2B 7bafc0298e6b5ac626897db6af7582f9d2ca91415601491c3c2df2310de1002321240268e381891dbc96b51f199c67968c049b8da4f8b4b64c5d2a693ed167b8 SHA512 653db292b47d94e6f39e8da102073100fbc41b28828b6550aca22ba9245329409e3a78b5c450e2fcfc9121a117c7c8021b99ff8c3d1dcb33d34173c06acfc687
|
||||
|
|
@ -0,0 +1,77 @@
|
|||
policy_module(feffe, 1.0)
|
||||
|
||||
gen_tunable(feffe_cron_sync_to_home, false)
|
||||
tunable_policy(`feffe_cron_sync_to_home',`
|
||||
gen_require(`
|
||||
type system_cronjob_t;
|
||||
')
|
||||
|
||||
xdg_read_config_files(system_cronjob_t)
|
||||
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
|
||||
corenet_tcp_sendrecv_generic_node(system_cronjob_t)
|
||||
corenet_tcp_connect_http_port(system_cronjob_t)
|
||||
corenet_sendrecv_http_client_packets(system_cronjob_t)
|
||||
miscfiles_read_generic_certs(system_cronjob_t)
|
||||
userdom_manage_user_home_content_dirs(system_cronjob_t)
|
||||
userdom_manage_user_home_content_files(system_cronjob_t)
|
||||
allow system_cronjob_t user_home_t:dir { relabelfrom relabelto };
|
||||
allow system_cronjob_t user_home_t:file { relabelfrom relabelto };
|
||||
')
|
||||
|
||||
|
||||
gen_tunable(feffe_use_xdm, false)
|
||||
tunable_policy(`feffe_use_xdm',`
|
||||
gen_require(`
|
||||
type system_dbusd_t;
|
||||
type user_dbusd_t;
|
||||
type file_context_t;
|
||||
type kmsg_device_t;
|
||||
type init_var_run_t;
|
||||
')
|
||||
dev_rw_dri(user_t)
|
||||
read_files_pattern(system_dbusd_t, file_context_t, file_context_t)
|
||||
allow system_dbusd_t kmsg_device_t:chr_file {open write};
|
||||
allow user_dbusd_t self:process getcap;
|
||||
allow system_dbusd_t file_context_t:file map;
|
||||
allow system_dbusd_t self:process setfscreate;
|
||||
manage_dirs_pattern(system_dbusd_t, init_var_run_t, init_var_run_t)
|
||||
read_files_pattern(system_dbusd_t, init_var_run_t, init_var_run_t)
|
||||
fs_manage_cgroup_dirs(system_dbusd_t)
|
||||
fs_manage_cgroup_files(system_dbusd_t)
|
||||
allow system_dbusd_t self:netlink_kobject_uevent_socket {create setopt bind getattr read};
|
||||
')
|
||||
|
||||
|
||||
gen_tunable(feffe_xscreensaver_read_home, false)
|
||||
tunable_policy(`feffe_xscreensaver_read_home',`
|
||||
gen_require(`
|
||||
type user_t;
|
||||
type xscreensaver_helper_t;
|
||||
type xscreensaver_t;
|
||||
type xdm_t;
|
||||
type lib_t;
|
||||
type tmpfs_t;
|
||||
type bin_t;
|
||||
type xscreensaver_helper_exec_t;
|
||||
type fs_t;
|
||||
')
|
||||
dev_rw_dri(xscreensaver_helper_t)
|
||||
dev_rw_dri(xscreensaver_t)
|
||||
allow xscreensaver_helper_t xdm_t:fd use;
|
||||
search_dirs_pattern(xscreensaver_helper_t, home_root_t, user_home_dir_t)
|
||||
list_dirs_pattern(xscreensaver_helper_t, user_home_dir_t, user_home_t)
|
||||
read_files_pattern(xscreensaver_helper_t, user_home_t, user_home_t)
|
||||
exec_files_pattern(xscreensaver_t, lib_t, lib_t)
|
||||
dev_read_sysfs(xscreensaver_t)
|
||||
xserver_rw_mesa_shader_cache(xscreensaver_t)
|
||||
xserver_rw_mesa_shader_cache(xscreensaver_helper_t)
|
||||
manage_files_pattern(xscreensaver_t, tmpfs_t, tmpfs_t)
|
||||
allow xscreensaver_t tmpfs_t:file map;
|
||||
search_dirs_pattern(xscreensaver_helper_t, bin_t, bin_t)
|
||||
exec_files_pattern(xscreensaver_helper_t, xscreensaver_helper_exec_t, xscreensaver_helper_exec_t)
|
||||
exec_files_pattern(xscreensaver_helper_t, bin_t, bin_t)
|
||||
|
||||
allow xscreensaver_t fs_t:filesystem getattr;
|
||||
xdg_manage_cache(xscreensaver_helper_t)
|
||||
')
|
||||
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
# Copyright 2020 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=6
|
||||
|
||||
DESCRIPTION="SELinux policies required by feffe for various reasons"
|
||||
HOMEPAGE="https://fulh.ax/feffe"
|
||||
|
||||
LICENSE="BSD"
|
||||
SLOT="0"
|
||||
KEYWORDS="~amd64 ~x86"
|
||||
IUSE=""
|
||||
|
||||
DEPEND=""
|
||||
RDEPEND="${DEPEND}"
|
||||
BDEPEND=""
|
||||
|
||||
MODS="feffe"
|
||||
BASEPOL="${PVR}"
|
||||
POLICY_FILES="feffe.te feffe.fc"
|
||||
|
||||
inherit selinux-policy-2
|
||||
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
AUX gentoonize.patch 3362 BLAKE2B b65ba85436b73a5f98e1d2a54462cea1d22c3ea2ded4628cf22763cc62b19f1e29b5e5e919b101efb7d3aaa67c2932ea78077007a8c3619eb4fcd515153b537e SHA512 9e1485d39f090d6387b905e2577dadf6de2720b576d413c719f9579547fcfba7a3e7ea1cd782b3df09debc673612913daa8975d6e256e17f38487073d854d918
|
||||
AUX gentoonize.patch.orig 3450 BLAKE2B 0ccfd97b9653da38af0da7c482962f36ad0d9a4bf4213c7adf4e0c942366e946e154cd049fff7d55ff73d1a32a37a3d1f6eadac9b3cbe88772d0f143d3763335 SHA512 a5fbdb7797cfc03b407741b82640f5cd08c4b50e85830f0d8c30aa9249f61af6f8cbb9dcaf61cb65f78b5198b118bdfd78026982e595598b303c67bf46562412
|
||||
DIST patchbundle-selinux-base-policy-2.20190609-r1.tar.bz2 407664 BLAKE2B e6b6b56f990389365c062522582e2177bc3b70040c99948efad25737e69178f9f72149cc443cb9edacfdd1aa6bc29f637cc61939f66e5cc3841f83298b33c41e SHA512 16195b51bb414ac82821f93756b3b5d0ec206b7035a50379c1f796082d9c53b11369e15086e1e26521808944266364470c43dcfdd1818ba079fda1613b7ef9bd
|
||||
DIST refpolicy-2.20190609.tar.bz2 555882 BLAKE2B abc45d9c906e0c880b7c47b0fb8e33f4a277c73244e20e8a95c44452db817241110127a5f8a3347cfbf5e30bf91f9dd4e5dd826426eb88b383fdbff5963f5fcd SHA512 f05ca08d31e62b7bf7203d7b243cce9ba87dd68d13b30067b99a44d5007449078fa82d591faa88c2955d370a346e69faedc850c02bd77c5624a8c746a13467f3
|
||||
EBUILD selinux-puppet-2.20190609-r1.ebuild 329 BLAKE2B f6eda1b32e30ef32db8b6b0f49a4d159d956035f269255fbcaf18e56cad743e339ddc54b019aaf43106074f919a7a36bfb7cdf197a75f9e0e060d80f53e4e403 SHA512 248a7d43033b24e41d000305e1452991682223d9010b8de190a429d20eacbe5240de4e73b68b3f58021da7f28bb4e964eddcbdab4ca3040fce9d408f7b1ae73e
|
||||
|
|
@ -0,0 +1,96 @@
|
|||
--- modules/admin/puppet.te.orig 2020-05-17 13:12:40.896205630 +0200
|
||||
+++ modules/admin/puppet.te 2020-05-17 13:27:57.725276233 +0200
|
||||
@@ -407,4 +407,69 @@
|
||||
portage_read_ebuild(puppet_t)
|
||||
portage_run(puppet_t, system_r)
|
||||
')
|
||||
+
|
||||
+')
|
||||
+## Feffestuff
|
||||
+#
|
||||
+gen_require(`
|
||||
+ type tmpfiles_t;
|
||||
+ type shadow_t;
|
||||
+ type sysadm_t;
|
||||
+ type auditd_initrc_exec_t;
|
||||
+ type syslogd_initrc_exec_t;
|
||||
+
|
||||
+ role sysadm_r;
|
||||
+')
|
||||
+# allow checkpath to create puppet log directory
|
||||
+allow tmpfiles_t self:capability { dac_override dac_read_search };
|
||||
+manage_dirs_pattern(tmpfiles_t, var_log_t, puppet_log_t)
|
||||
+
|
||||
+# and set its gid
|
||||
+allow puppet_t self:process setpgid;
|
||||
+
|
||||
+# allow puppet to inspect filesystems and block devices
|
||||
+fs_getattr_all_xattr_fs(puppet_t)
|
||||
+storage_getattr_fixed_disk_dev(puppet_t)
|
||||
+storage_getattr_removable_dev(puppet_t)
|
||||
+
|
||||
+# puppet needs to map etc_t files to start
|
||||
+mmap_rw_files_pattern(puppet_t, etc_t, etc_t)
|
||||
+
|
||||
+# required to check if password should change
|
||||
+auth_can_read_shadow_passwords(puppet_t)
|
||||
+read_files_pattern(puppet_t, etc_t, shadow_t)
|
||||
+
|
||||
+# allow puppet to execute some services
|
||||
+optional_policy(`
|
||||
+ iptables_domtrans(puppet_t)
|
||||
+')
|
||||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type sshd_exec_t;
|
||||
+ type sshd_t;
|
||||
+ ')
|
||||
+ domain_auto_transition_pattern(puppet_t, sshd_exec_t, sshd_t)
|
||||
+ can_exec(puppet_t, sshd_exec_t)
|
||||
+ allow sshd_t puppet_t:fd use;
|
||||
+')
|
||||
+
|
||||
+# allow sysadm to execute puppet without switching context (sysadm is not allowed to switch to system)
|
||||
+can_exec(sysadm_t, puppet_exec_t)
|
||||
+
|
||||
+# allow sysadm to read shadow, required to prevent unneccesary password changes
|
||||
+# when running puppet manually...
|
||||
+auth_can_read_shadow_passwords(sysadm_t)
|
||||
+read_files_pattern(sysadm_t, etc_t, shadow_t)
|
||||
+
|
||||
+init_startstop_service(sysadm_t, sysadm_r, auditd_t, auditd_initrc_exec_t, auditd_unit_t)
|
||||
+init_startstop_service(sysadm_t, sysadm_r, syslogd_t, syslogd_initrc_exec_t, syslogd_unit_t)
|
||||
+
|
||||
+optional_policy(`
|
||||
+ gen_require(`
|
||||
+ type sshd_exec_t;
|
||||
+ type sshd_t;
|
||||
+ ')
|
||||
+ domain_auto_transition_pattern(sysadm_t, sshd_exec_t, sshd_t)
|
||||
+ can_exec(sysadm_t, sshd_exec_t)
|
||||
+ allow sshd_t sysadm_t:fd use;
|
||||
')
|
||||
--- modules/admin/puppet.fc.orig 2020-05-17 13:09:11.849189531 +0200
|
||||
+++ modules/admin/puppet.fc 2020-05-17 13:12:10.462203286 +0200
|
||||
@@ -1,7 +1,7 @@
|
||||
/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
|
||||
|
||||
-/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
|
||||
-/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
|
||||
+/etc/(rc\.d/)?init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
|
||||
+/etc/(rc\.d/)?init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
|
||||
|
||||
/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
|
||||
/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
|
||||
@@ -13,6 +13,10 @@
|
||||
|
||||
/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
|
||||
|
||||
-/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
|
||||
+/var/log/puppet(labs)?(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
|
||||
|
||||
/run/puppet(/.*)? gen_context(system_u:object_r:puppet_runtime_t,s0)
|
||||
+
|
||||
+/opt/puppetlabs/puppet/bin/wrapper.sh gen_context(system_u:object_r:puppet_exec_t,s0)
|
||||
+
|
||||
+/opt/puppetlabs/puppet/lib/virt-what/virt-what-cpuid-helper gen_context(system_u:object_r:bin_t,s0)
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
# Copyright 1999-2020 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI="6"
|
||||
|
||||
IUSE=""
|
||||
MODS="puppet"
|
||||
|
||||
inherit selinux-policy-2
|
||||
|
||||
DESCRIPTION="SELinux policy for puppet"
|
||||
|
||||
if [[ ${PV} != 9999* ]] ; then
|
||||
KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
|
||||
fi
|
||||
|
||||
POLICY_PATCH=(
|
||||
${FILESDIR}/gentoonize.patch
|
||||
)
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
AUX gentoonize.patch 680 BLAKE2B d050110d3ad641c8ece916141b65d16d7fdbc9d6b784f46fd43a5f32d8fd03cf517019f459bb3b76e1ac6e8476c284a4b4db94dfa974a65fbf63c17d82872ff3 SHA512 d0c709c13eae5c7d4eda9ef7607943dfd4bdfdc6e0df5154749845c2a7eb83f49df7b1bcda90109f8062bebf8ceb232afef8fce924fa5700105549d3758f4d2c
|
||||
DIST patchbundle-selinux-base-policy-2.20190609-r1.tar.bz2 407664 BLAKE2B e6b6b56f990389365c062522582e2177bc3b70040c99948efad25737e69178f9f72149cc443cb9edacfdd1aa6bc29f637cc61939f66e5cc3841f83298b33c41e SHA512 16195b51bb414ac82821f93756b3b5d0ec206b7035a50379c1f796082d9c53b11369e15086e1e26521808944266364470c43dcfdd1818ba079fda1613b7ef9bd
|
||||
DIST refpolicy-2.20190609.tar.bz2 555882 BLAKE2B abc45d9c906e0c880b7c47b0fb8e33f4a277c73244e20e8a95c44452db817241110127a5f8a3347cfbf5e30bf91f9dd4e5dd826426eb88b383fdbff5963f5fcd SHA512 f05ca08d31e62b7bf7203d7b243cce9ba87dd68d13b30067b99a44d5007449078fa82d591faa88c2955d370a346e69faedc850c02bd77c5624a8c746a13467f3
|
||||
EBUILD selinux-stunnel-2.20190609-r1.ebuild 331 BLAKE2B 0c168ea0e2563b72d5ec093022949ecce9afca9ab0bd16c62162950fa25eadfc48194ff51a27a2d9bd000a30833da0c80e156422c44018d8ef33b9165623ab9a SHA512 744685c5934045cb0eb08c2786dd1e2d1373d747f86bcbd0a9748bc03d37df0e2ad7298b4de5b23053497131e26a9968dd8544f8504964a34e039f6ace2b917c
|
||||
|
|
@ -0,0 +1,16 @@
|
|||
--- modules/services/stunnel.te.orig 2020-05-17 13:43:58.025350184 +0200
|
||||
+++ modules/services/stunnel.te 2020-05-17 13:44:55.968354646 +0200
|
||||
@@ -26,6 +26,7 @@
|
||||
allow stunnel_t self:capability { setgid setuid sys_chroot };
|
||||
dontaudit stunnel_t self:capability sys_tty_config;
|
||||
allow stunnel_t self:process signal_perms;
|
||||
+allow stunnel_t self:process setsched;
|
||||
allow stunnel_t self:fifo_file rw_fifo_file_perms;
|
||||
allow stunnel_t self:tcp_socket { accept listen };
|
||||
allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
||||
@@ -106,3 +107,5 @@
|
||||
type stunnel_port_t;
|
||||
')
|
||||
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
|
||||
+
|
||||
+read_files_pattern(stunnel_t, usr_t, usr_t)
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
# Copyright 1999-2020 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI="6"
|
||||
|
||||
IUSE=""
|
||||
MODS="stunnel"
|
||||
|
||||
inherit selinux-policy-2
|
||||
|
||||
DESCRIPTION="SELinux policy for stunnel"
|
||||
|
||||
if [[ ${PV} != 9999* ]] ; then
|
||||
KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
|
||||
fi
|
||||
|
||||
POLICY_PATCH=(
|
||||
${FILESDIR}/gentoonize.patch
|
||||
)
|
||||
Loading…
Reference in New Issue