From e8ea1e9c3dec13bd79ffc388fdfa1b3512a803a1 Mon Sep 17 00:00:00 2001 
From: Fredrik Eriksson
Date: Sun, 17 May 2020 15:27:13 +0200
Subject: [PATCH] added patched and custom selinux policies
---
 sec-policy/selinux-base-policy/Manifest | 7 +
 .../files/init_paths.patch | 10 ++
 .../files/init_read_syslog_config.patch | 11 ++
 .../files/mta_user_mail_newaliases.patch | 10 ++
 .../files/portage_paths.patch | 27 ++++
 .../selinux-base-policy-2.20190609-r1.ebuild | 134 ++++++++++++++++++
 sec-policy/selinux-feffe-policies/Manifest | 5 +
 .../selinux-feffe-policies/files/feffe.fc | 0
 .../selinux-feffe-policies/files/feffe.te | 77 ++++++++++
 ...elinux-feffe-policies-2.20190609-r1.ebuild | 23 +++
 sec-policy/selinux-puppet/Manifest | 5 +
 .../selinux-puppet/files/gentoonize.patch | 96 +++++++++++++
 .../selinux-puppet-2.20190609-r1.ebuild | 19 +++
 sec-policy/selinux-stunnel/Manifest | 4 +
 .../selinux-stunnel/files/gentoonize.patch | 16 +++
 .../selinux-stunnel-2.20190609-r1.ebuild | 19 +++
 16 files changed, 463 insertions(+)
 create mode 100644 sec-policy/selinux-base-policy/Manifest
 create mode 100644 sec-policy/selinux-base-policy/files/init_paths.patch
 create mode 100644 sec-policy/selinux-base-policy/files/init_read_syslog_config.patch
 create mode 100644 sec-policy/selinux-base-policy/files/mta_user_mail_newaliases.patch
 create mode 100644 sec-policy/selinux-base-policy/files/portage_paths.patch
 create mode 100644 sec-policy/selinux-base-policy/selinux-base-policy-2.20190609-r1.ebuild
 create mode 100644 sec-policy/selinux-feffe-policies/Manifest
 create mode 100644 sec-policy/selinux-feffe-policies/files/feffe.fc
 create mode 100644 sec-policy/selinux-feffe-policies/files/feffe.te
 create mode 100644 sec-policy/selinux-feffe-policies/selinux-feffe-policies-2.20190609-r1.ebuild
 create mode 100644 sec-policy/selinux-puppet/Manifest
 create mode 100644 sec-policy/selinux-puppet/files/gentoonize.patch
 create mode 100644 sec-policy/selinux-puppet/selinux-puppet-2.20190609-r1.ebuild
 create mode 100644 sec-policy/selinux-stunnel/Manifest
 create mode 100644 sec-policy/selinux-stunnel/files/gentoonize.patch
 create mode 100644 sec-policy/selinux-stunnel/selinux-stunnel-2.20190609-r1.ebuild
diff --git a/sec-policy/selinux-base-policy/Manifest b/sec-policy/selinux-base-policy/Manifest
new file mode 100644
index 0000000..a4131b7
--- /dev/null
+++ b/sec-policy/selinux-base-policy/Manifest
@@ -0,0 +1,7 @@
+AUX init_paths.patch 427 BLAKE2B adaa31a8df2ba0ad77b58a0b1bddfd9bcbd48e19c8790ac51f2e679463413c237e12977363ad6156fe329da0b976d277d352db19429870a6df9a50da223c9e9f SHA512 8275af9ef8a1ad2bd57bde249b6d7e72518897e4acc864170c69274f08e410c9b888820c9c936b2e8a7682663c5311e5d2a47da20acf9297da64eae4875d142c
+AUX init_read_syslog_config.patch 422 BLAKE2B 41814137d275eec4e6d801a318586c4040e22a512187a91dea9440026e2dc01dacc46404b7592ca71970c886b2a99f7d98989bfffc9e4e096042f13738a3003e SHA512 11cbed7bda6992a292e88628598026f8b1703b7ae258188d43e98ae140463bb5e28cfa64a9cc3864356f34b9089f79f51db4b60f2faeb05c03f8246e81d06737
+AUX mta_user_mail_newaliases.patch 406 BLAKE2B b8b23b24790267f301de0d6e17f9a25ac455dc3f6f7dee9f291c1e122d39fa125e86a4c5d1b3a8ac575576eebc3683b15fa1f7b8dee3016a8f046bb644ac7f42 SHA512 1515d0d79e7f33c80cebc5bd0babc2731595f31105de86df84d4940167693a274ae2271de3607369956750f22ab469fea8b247ba34cc8bb61f6a0a15d56a9328
+AUX portage_paths.patch 1745 BLAKE2B ec0d213d13ac0e1d1d9bd52d2811b37814c00c2f385af4a074267144976634d2bce66fd0b530e61924c7f3fc0abd3b0c5a9c6aab72c2834ff1cf935dff91edae SHA512 31933e1f8588d16b4f336b571ce388bc2a6204db7c99f242826c172fe9417f88cc7c40030a0712315539b1dcc2b4a56d54a194852d6123d9ef5f58750fc87ef2
+DIST patchbundle-selinux-base-policy-2.20190609-r1.tar.bz2 407664 BLAKE2B e6b6b56f990389365c062522582e2177bc3b70040c99948efad25737e69178f9f72149cc443cb9edacfdd1aa6bc29f637cc61939f66e5cc3841f83298b33c41e SHA512 16195b51bb414ac82821f93756b3b5d0ec206b7035a50379c1f796082d9c53b11369e15086e1e26521808944266364470c43dcfdd1818ba079fda1613b7ef9bd
+DIST refpolicy-2.20190609.tar.bz2 555882 BLAKE2B abc45d9c906e0c880b7c47b0fb8e33f4a277c73244e20e8a95c44452db817241110127a5f8a3347cfbf5e30bf91f9dd4e5dd826426eb88b383fdbff5963f5fcd SHA512 f05ca08d31e62b7bf7203d7b243cce9ba87dd68d13b30067b99a44d5007449078fa82d591faa88c2955d370a346e69faedc850c02bd77c5624a8c746a13467f3
+EBUILD selinux-base-policy-2.20190609-r1.ebuild 3990 BLAKE2B a884c64c29bfea455af98463d44303ec6a81e2e62f9b9452617e7f28b1cc6505ab38317a1145d848e5751c4ceb87ff111f89336d5605906c53ee8f01630dc0f8 SHA512 bb3ceb178f4d4e081aae7954ae752e40e29b5921ccc898b4ad760b34535a2cec012b3b7c469553504b01186b93053ee9819f66cd40bc718e5dff4c7ba44f622a
diff --git a/sec-policy/selinux-base-policy/files/init_paths.patch b/sec-policy/selinux-base-policy/files/init_paths.patch
new file mode 100644
index 0000000..b5b2871
--- /dev/null
+++ b/sec-policy/selinux-base-policy/files/init_paths.patch
@@ -0,0 +1,10 @@
+--- work/refpolicy/policy/modules/system/init.fc.orig 2020-05-17 10:44:45.078522121 +0200
++++ work/refpolicy/policy/modules/system/init.fc 2020-05-17 10:45:24.000525118 +0200
+@@ -104,6 +104,7 @@
+ # /var
+ #
+ /var/lib/ip6?tables(/.*)? gen_context(system_u:object_r:initrc_tmp_t,s0)
++/var/lib/ipset(/.*)? gen_context(system_u:object_r:initrc_tmp_t,s0)
+ 
+ /run/openrc(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
+ ')
diff --git a/sec-policy/selinux-base-policy/files/init_read_syslog_config.patch b/sec-policy/selinux-base-policy/files/init_read_syslog_config.patch
new file mode 100644
index 0000000..e382cdb
--- /dev/null
+++ b/sec-policy/selinux-base-policy/files/init_read_syslog_config.patch
@@ -0,0 +1,11 @@
+--- work/refpolicy/policy/modules/system/init.te.orig 2020-05-17 11:15:23.079663661 +0200
++++ work/refpolicy/policy/modules/system/init.te 2020-05-17 11:16:09.014667199 +0200
+@@ -1527,3 +1527,8 @@
+ userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
+ userdom_dontaudit_write_user_tmp_files(systemprocess)
+ ')
++
++# allow openrc to read syslog config
++optional_policy(`
++ logging_read_syslog_config(initrc_t)
++')
diff --git a/sec-policy/selinux-base-policy/files/mta_user_mail_newaliases.patch b/sec-policy/selinux-base-policy/files/mta_user_mail_newaliases.patch
new file mode 100644
index 0000000..306b990
--- /dev/null
+++ b/sec-policy/selinux-base-policy/files/mta_user_mail_newaliases.patch
@@ -0,0 +1,10 @@
+--- work/refpolicy/policy/modules/services/mta.te.orig 2020-05-17 11:00:52.011596582 +0200
++++ work/refpolicy/policy/modules/services/mta.te 2020-05-17 11:02:31.536604246 +0200
+@@ -425,3 +425,7 @@
+ at_rw_inherited_job_log_files(system_mail_t)
+ ')
+ ')
++
++mta_manage_aliases(user_mail_t)
++manage_dirs_pattern(user_mail_t, etc_mail_t, etc_mail_t)
++manage_files_pattern(user_mail_t, etc_mail_t, etc_mail_t)
diff --git a/sec-policy/selinux-base-policy/files/portage_paths.patch b/sec-policy/selinux-base-policy/files/portage_paths.patch
new file mode 100644
index 0000000..3a2b657
--- /dev/null
+++ b/sec-policy/selinux-base-policy/files/portage_paths.patch
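Review bot: The last two added lines, `manage_dirs_pattern(user_mail_t, etc_mail_t, etc_mail_t)` and `manage_files_pattern(user_mail_t, etc_mail_t, etc_mail_t)`, give `user_mail_t` — in refpolicy the domain that mail sent from ordinary user sessions runs in — create, write and delete rights over every directory and file of type `etc_mail_t` (the /etc/mail tree), and the patch gives no reason for it. If the goal is what the file name suggests, letting `newaliases` rebuild the aliases database, then `mta_manage_aliases(user_mail_t)` on the line above should already cover the aliases files, and the two broader patterns look unnecessary. Either drop them, or record the concrete denial they fix in a comment above them naming the file under /etc/mail that needs writing, and consider wrapping them in a `tunable_policy` so the extra rights are not on by default for every user's mail client.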
@@ -0,0 +1,27 @@
+--- a/refpolicy/policy/modules/admin/portage.fc.orig 2020-05-17 10:29:05.060449732 +0200
++++ b/refpolicy/policy/modules/admin/portage.fc 2020-05-17 10:34:15.237473618 +0200
+@@ -19,6 +19,15 @@
+ /usr/lib/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
+ /usr/lib/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+ 
++/var/db/repos(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
++/var/cache/binpkg(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
++/var/cache/distfiles(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
++/var/cache/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
++/var/cache/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
++/var/cache/distfiles/git[0-9]-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
++/var/cache/distfiles/go-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
++/var/cache/distfiles/hg-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
++/var/cache/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+ 
+ /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
+ /usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+@@ -48,3 +57,8 @@
+ /usr/lib/python-exec/python[0-9]\.[0-9]*/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
+ /var/log/sandbox(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
+ ')
++
++# not strictly portage, maybe should have it's own policy?
++/usr/bin/eix gen_context(system_u:object_r:portage_exec_t,s0)
++/usr/bin/eix-sync gen_context(system_u:object_r:portage_exec_t,s0)
++/usr/bin/eix-update gen_context(system_u:object_r:portage_exec_t,s0)
diff --git a/sec-policy/selinux-base-policy/selinux-base-policy-2.20190609-r1.ebuild b/sec-policy/selinux-base-policy/selinux-base-policy-2.20190609-r1.ebuild
new file mode 100644
index 0000000..7dd7db8
--- /dev/null
+++ b/sec-policy/selinux-base-policy/selinux-base-policy-2.20190609-r1.ebuild
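Review bot: The three `/usr/bin/eix*` entries at the end of the hunk label the plain `eix` query binary as `portage_exec_t`, so running it presumably enters the portage domain with the same rights as emerge, while only `eix-sync` and `eix-update`, which drive emerge and rewrite the eix cache, appear to need anything beyond read access; the comment above them already doubts this. Labelling only `eix-sync` and `eix-update`, or giving eix its own small module as that comment suggests, keeps a read-only cache lookup out of the package-manager domain. These lines are also appended after the closing `')`, so unlike the entries above them they sit outside whatever conditional block that `')` closes (its opening line is not in the hunk), which is worth confirming is intended, and the comment's `it's own policy` should read `its own policy`.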
@@ -0,0 +1,134 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+if [[ ${PV} == 9999* ]]; then
+ EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
+ EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
+ EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy"
+
+ inherit git-r3
+else
+ SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
+ https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
+ KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+fi
+
+HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
+DESCRIPTION="SELinux policy for core modules"
+
+IUSE="systemd +unconfined"
+
+PDEPEND="unconfined? ( sec-policy/selinux-unconfined )"
+DEPEND="=sec-policy/selinux-base-${PVR}[systemd?]"
+RDEPEND="$DEPEND"
+
+MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg"
+LICENSE="GPL-2"
+SLOT="0"
+S="${WORKDIR}/"
+
+PATCHES=(
+ ${FILESDIR}/portage_paths.patch
+ ${FILESDIR}/init_read_syslog_config.patch
+ ${FILESDIR}/init_paths.patch
+ ${FILESDIR}/mta_user_mail_newaliases.patch
+)
+
+# Code entirely copied from selinux-eclass (cannot inherit due to dependency on
+# itself), when reworked reinclude it. Only postinstall (where -b base.pp is
+# added) needs to remain then.
+
+pkg_pretend() {
+ for i in ${POLICY_TYPES}; do
+ if [[ "${i}" == "targeted" ]] && ! use unconfined; then
+ die "If you use POLICY_TYPES=targeted, then USE=unconfined is mandatory."
+ fi
+ done
+}
+
+src_prepare() {
+ local modfiles
+
+ if [[ ${PV} != 9999* ]]; then
+ einfo "Applying SELinux policy updates ... "
+ eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
+ fi
+
+ default
+ eapply_user
+
+ # Collect only those files needed for this particular module
+ for i in ${MODS}; do
+ modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
+ modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
+ done
+
+ for i in ${POLICY_TYPES}; do
+ mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
+ cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
+ || die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
+
+ cp ${modfiles} "${S}"/${i} \
+ || die "Failed to copy the module files to ${S}/${i}"
+ done
+}
+
+src_compile() {
+ for i in ${POLICY_TYPES}; do
+ emake NAME=$i SHAREDIR="${ROOT%/}"/usr/share/selinux -C "${S}"/${i}
+ done
+}
+
+src_install() {
+ local BASEDIR="/usr/share/selinux"
+
+ for i in ${POLICY_TYPES}; do
+ for j in ${MODS}; do
+ einfo "Installing ${i} ${j} policy package"
+ insinto ${BASEDIR}/${i}
+ doins "${S}"/${i}/${j}.pp
+ done
+ done
+}
+
+pkg_postinst() {
+ # Set root path and don't load policy into the kernel when cross compiling
+ local root_opts=""
+ if [[ "${ROOT%/}" != "" ]]; then
+ root_opts="-p ${ROOT%/} -n"
+ fi
+
+ # Override the command from the eclass, we need to load in base as well here
+ local COMMAND="-i base.pp"
+ if has_version "