From 4d169e751301a74788bb313294b244247f1d29d0 Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Fri, 21 Jul 2023 16:33:17 +0200 Subject: [PATCH] more selinux changes --- smartmon.te | 5 +- smartmon.te.f33 | 140 --------------------------------------------- smartmontools.spec | 6 +- 3 files changed, 8 insertions(+), 143 deletions(-) delete mode 100644 smartmon.te.f33 diff --git a/smartmon.te b/smartmon.te index 598a12d..c5045d8 100644 --- a/smartmon.te +++ b/smartmon.te @@ -15,7 +15,7 @@ gen_tunable(smartmon_3ware, false) require { class capability dac_override; - type tty_device_t, user_devpts_t; + type tty_device_t, user_devpts_t, system_mail_t; } type fsdaemon_t; @@ -182,6 +182,9 @@ tunable_policy(`smartmon_3ware',` # mta_send_mail(fsdaemon_t) # mta_manage_home_rw(fsdaemon_t) # ') +# still creator of the pipe (stdout, stderr) for smartd_warning and mail +allow system_mail_t fsdaemon_t:fifo_file { getattr read write append ioctl lock }; + optional_policy(` udev_read_db(fsdaemon_t) diff --git a/smartmon.te.f33 b/smartmon.te.f33 deleted file mode 100644 index a41734e..0000000 --- a/smartmon.te.f33 +++ /dev/null @@ -1,140 +0,0 @@ -policy_module(smartmon, 1.12.0) - -######################################## -# -# Declarations -# - -## -##

-## Determine whether smartmon can support -## devices on 3ware controllers. -##

-## -gen_tunable(smartmon_3ware, false) - -type fsdaemon_t; -type fsdaemon_exec_t; -init_daemon_domain(fsdaemon_t, fsdaemon_exec_t) - -type fsdaemon_initrc_exec_t; -init_script_file(fsdaemon_initrc_exec_t) - -type fsdaemon_var_run_t; -files_pid_file(fsdaemon_var_run_t) - -type fsdaemon_var_lib_t; -files_type(fsdaemon_var_lib_t) - -type fsdaemon_tmp_t; -files_tmp_file(fsdaemon_tmp_t) - -ifdef(`enable_mls',` - init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh) -') - -######################################## -# -# Local policy -# - -allow fsdaemon_t self:capability { dac_read_search dac_override kill setpcap setgid sys_rawio sys_admin }; -dontaudit fsdaemon_t self:capability sys_tty_config; -allow fsdaemon_t self:process { getcap setcap signal_perms }; -allow fsdaemon_t self:fifo_file rw_fifo_file_perms; -allow fsdaemon_t self:unix_stream_socket { accept listen }; - -manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) -manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) -files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir }) - -manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t) -files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file) - -manage_dirs_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t) -manage_files_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t) -files_var_lib_filetrans(fsdaemon_t, fsdaemon_var_lib_t, { dir file }) - -kernel_read_kernel_sysctls(fsdaemon_t) -kernel_read_network_state(fsdaemon_t) -kernel_read_software_raid_state(fsdaemon_t) -kernel_read_system_state(fsdaemon_t) - -auth_use_nsswitch(fsdaemon_t) - -corecmd_exec_all_executables(fsdaemon_t) - -corenet_all_recvfrom_netlabel(fsdaemon_t) -corenet_udp_sendrecv_generic_if(fsdaemon_t) -corenet_udp_sendrecv_generic_node(fsdaemon_t) -corenet_udp_sendrecv_all_ports(fsdaemon_t) - -dev_read_sysfs(fsdaemon_t) -dev_read_urand(fsdaemon_t) -dev_read_nvme(fsdaemon_t) - -domain_use_interactive_fds(fsdaemon_t) - -files_exec_etc_files(fsdaemon_t) -files_read_etc_runtime_files(fsdaemon_t) - -fs_getattr_all_fs(fsdaemon_t) -fs_search_auto_mountpoints(fsdaemon_t) -fs_read_removable_files(fsdaemon_t) - -mls_file_read_all_levels(fsdaemon_t) - -storage_create_fixed_disk_dev(fsdaemon_t) -storage_dev_filetrans_named_fixed_disk(fsdaemon_t) -storage_raw_read_fixed_disk(fsdaemon_t) -storage_raw_write_fixed_disk(fsdaemon_t) -storage_raw_read_removable_device(fsdaemon_t) -storage_read_scsi_generic(fsdaemon_t) -storage_write_scsi_generic(fsdaemon_t) - -term_dontaudit_search_ptys(fsdaemon_t) - -domain_signull_all_domains(fsdaemon_t) - -auth_read_passwd(fsdaemon_t) - -init_read_utmp(fsdaemon_t) - -libs_exec_ld_so(fsdaemon_t) -libs_exec_lib_files(fsdaemon_t) - -logging_send_syslog_msg(fsdaemon_t) - -seutil_sigchld_newrole(fsdaemon_t) - -sysnet_dns_name_resolve(fsdaemon_t) - -userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t) -userdom_dontaudit_search_user_home_dirs(fsdaemon_t) -userdom_dontaudit_manage_admin_dir(fsdaemon_t) -userdom_use_user_terminals(fsdaemon_t) - -tunable_policy(`smartmon_3ware',` - allow fsdaemon_t self:process setfscreate; - - storage_create_fixed_disk_dev(fsdaemon_t) - storage_delete_fixed_disk_dev(fsdaemon_t) - storage_dev_filetrans_fixed_disk(fsdaemon_t) - - selinux_validate_context(fsdaemon_t) - - seutil_read_file_contexts(fsdaemon_t) -') - -optional_policy(` - mta_send_mail(fsdaemon_t) - mta_manage_home_rw(fsdaemon_t) -') - -optional_policy(` - udev_read_db(fsdaemon_t) -') - -optional_policy(` - virt_read_images(fsdaemon_t) -') diff --git a/smartmontools.spec b/smartmontools.spec index fea634a..5107466 100644 --- a/smartmontools.spec +++ b/smartmontools.spec @@ -7,7 +7,7 @@ Summary: Tools for monitoring SMART capable hard disks Name: smartmontools Version: 7.3 -Release: 8%{?dist} +Release: 9%{?dist} Epoch: 1 License: GPL-2.0-or-later URL: http://smartmontools.sourceforge.net/ @@ -20,7 +20,6 @@ Source5: drivedb.h Source6: %{modulename}.te Source7: %{modulename}.if Source8: %{modulename}.fc -Source9: %{modulename}.te.f33 #fedora/rhel specific Patch1: smartmontools-5.38-defaultconf.patch @@ -159,6 +158,9 @@ fi %changelog +* Fri Jul 21 2023 Michal Hlavinka - 1:7.3-9 +- more selinux changes + * Fri Jul 21 2023 Michal Hlavinka - 1:7.3-8 - use new selinux context for smartdnotify