* Mon Jan 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-167

- Add fwupd policy for daemon to allow session software to update device firmware
- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)
- Allow systemd services to use PrivateNetwork feature
- Add a type and genfscon for nsfs.
- Fix SELinux context for rsyslog unit file. BZ(1284173)
This commit is contained in:
Lukas Vrabec 2016-01-18 17:03:17 +01:00
parent 3852fc17ea
commit 6d3ee17c0b
4 changed files with 717 additions and 665 deletions

Binary file not shown.

File diff suppressed because it is too large Load Diff

View File

@ -29627,6 +29627,340 @@ index 36838c2..8bfc879 100644
- fs_read_nfs_files(sftpd_t)
- fs_read_nfs_symlinks(ftpd_t)
-')
diff --git a/fwupd.fc b/fwupd.fc
new file mode 100644
index 0000000..1f13f70
--- /dev/null
+++ b/fwupd.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/fwupd-offline-update.* -- gen_context(system_u:object_r:fwupd_unit_file_t,s0)
+/usr/lib/systemd/system/fwupd.* -- gen_context(system_u:object_r:fwupd_unit_file_t,s0)
+
+/usr/libexec/fwupd/fwupd -- gen_context(system_u:object_r:fwupd_exec_t,s0)
+
+/var/cache/app-info(/.*)? gen_context(system_u:object_r:fwupd_cache_t,s0)
+
+/var/lib/fwupd(/.*)? gen_context(system_u:object_r:fwupd_var_lib_t,s0)
diff --git a/fwupd.if b/fwupd.if
new file mode 100644
index 0000000..c4d2c2d
--- /dev/null
+++ b/fwupd.if
@@ -0,0 +1,260 @@
+
+## <summary>fwupd is a daemon to allow session software to update device firmware</summary>
+
+########################################
+## <summary>
+## Execute fwupd_exec_t in the fwupd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fwupd_domtrans',`
+ gen_require(`
+ type fwupd_t, fwupd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fwupd_exec_t, fwupd_t)
+')
+
+######################################
+## <summary>
+## Execute fwupd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_exec',`
+ gen_require(`
+ type fwupd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, fwupd_exec_t)
+')
+
+########################################
+## <summary>
+## Search fwupd cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_search_cache',`
+ gen_require(`
+ type fwupd_cache_t;
+ ')
+
+ allow $1 fwupd_cache_t:dir search_dir_perms;
+ files_search_var($1)
+')
+
+########################################
+## <summary>
+## Read fwupd cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_read_cache_files',`
+ gen_require(`
+ type fwupd_cache_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, fwupd_cache_t, fwupd_cache_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## fwupd cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_manage_cache_files',`
+ gen_require(`
+ type fwupd_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_files_pattern($1, fwupd_cache_t, fwupd_cache_t)
+')
+
+########################################
+## <summary>
+## Manage fwupd cache dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_manage_cache_dirs',`
+ gen_require(`
+ type fwupd_cache_t;
+ ')
+
+ files_search_var($1)
+ manage_dirs_pattern($1, fwupd_cache_t, fwupd_cache_t)
+')
+
+
+########################################
+## <summary>
+## Search fwupd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_search_lib',`
+ gen_require(`
+ type fwupd_var_lib_t;
+ ')
+
+ allow $1 fwupd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read fwupd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_read_lib_files',`
+ gen_require(`
+ type fwupd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage fwupd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_manage_lib_files',`
+ gen_require(`
+ type fwupd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage fwupd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_manage_lib_dirs',`
+ gen_require(`
+ type fwupd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t)
+')
+
+########################################
+## <summary>
+## Execute fwupd server in the fwupd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fwupd_systemctl',`
+ gen_require(`
+ type fwupd_t;
+ type fwupd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_passwd_run($1)
+ allow $1 fwupd_unit_file_t:file read_file_perms;
+ allow $1 fwupd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, fwupd_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an fwupd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fwupd_admin',`
+ gen_require(`
+ type fwupd_t;
+ type fwupd_cache_t;
+ type fwupd_var_lib_t;
+ type fwupd_unit_file_t;
+ ')
+
+ allow $1 fwupd_t:process { signal_perms };
+ ps_process_pattern($1, fwupd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 fwupd_t:process ptrace;
+ ')
+
+ files_search_var($1)
+ admin_pattern($1, fwupd_cache_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, fwupd_var_lib_t)
+
+ fwupd_systemctl($1)
+ admin_pattern($1, fwupd_unit_file_t)
+ allow $1 fwupd_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/fwupd.te b/fwupd.te
new file mode 100644
index 0000000..8937282
--- /dev/null
+++ b/fwupd.te
@@ -0,0 +1,48 @@
+policy_module(fwupd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type fwupd_t;
+type fwupd_exec_t;
+init_daemon_domain(fwupd_t, fwupd_exec_t)
+
+type fwupd_cache_t;
+files_type(fwupd_cache_t)
+
+type fwupd_var_lib_t;
+files_type(fwupd_var_lib_t)
+
+type fwupd_unit_file_t;
+systemd_unit_file(fwupd_unit_file_t)
+
+########################################
+#
+# fwupd local policy
+#
+allow fwupd_t self:fifo_file rw_fifo_file_perms;
+allow fwupd_t self:unix_stream_socket create_stream_socket_perms;
+allow fwupd_t self:netlink_kobject_uevent_socket create_socket_perms;;
+
+manage_dirs_pattern(fwupd_t, fwupd_cache_t, fwupd_cache_t)
+manage_files_pattern(fwupd_t, fwupd_cache_t, fwupd_cache_t)
+manage_lnk_files_pattern(fwupd_t, fwupd_cache_t, fwupd_cache_t)
+files_var_filetrans(fwupd_t, fwupd_cache_t, { dir })
+
+manage_dirs_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
+manage_files_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
+manage_lnk_files_pattern(fwupd_t, fwupd_var_lib_t, fwupd_var_lib_t)
+files_var_lib_filetrans(fwupd_t, fwupd_var_lib_t, { dir })
+
+auth_read_passwd(fwupd_t)
+
+dev_rw_sysfs(fwupd_t)
+dev_rw_generic_usb_dev(fwupd_t)
+
+udev_read_pid_files(fwupd_t)
+
+optional_policy(`
+ dbus_system_domain(fwupd_t,fwupd_exec_t)
+')
diff --git a/games.if b/games.if
index e2a3e0d..50ebd40 100644
--- a/games.if
@ -37269,16 +37603,17 @@ index 0000000..61f2003
+userdom_use_user_terminals(iotop_t)
diff --git a/ipa.fc b/ipa.fc
new file mode 100644
index 0000000..3a71430
index 0000000..ce135f3
--- /dev/null
+++ b/ipa.fc
@@ -0,0 +1,13 @@
@@ -0,0 +1,14 @@
+/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0)
+
+/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+
+/usr/libexec/ipa/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+/usr/libexec/ipa/oddjob/com\.redhat\.idm\.trust-fetch-domains -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+/usr/libexec/ipa/oddjob/org\.freeipa\.server\.conncheck -- gen_context(system_u:object_r:ipa_helper_exec_t,s0)
+
+/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0)
+

View File

@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
Release: 166%{?dist}
Release: 167%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -664,6 +664,13 @@ exit 0
%endif
%changelog
* Mon Jan 18 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-167
- Add fwupd policy for daemon to allow session software to update device firmware
- Label /usr/libexec/ipa/oddjob/org.freeipa.server.conncheck as ipa_helper_exec_t. BZ(1289930)
- Allow systemd services to use PrivateNetwork feature
- Add a type and genfscon for nsfs.
- Fix SELinux context for rsyslog unit file. BZ(1284173)
* Wed Jan 13 2016 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-166
- Allow logrotate to systemctl rsyslog service. BZ(1284173)
- Allow condor_master_t domain capability chown. BZ(1297048)