From 567c1ec66bd026d82766a1406d6c1083ee26559c Mon Sep 17 00:00:00 2001 From: Michal Hlavinka Date: Thu, 20 Jul 2023 23:35:08 +0200 Subject: [PATCH] use different selinux context for notification scripts (#2139199) --- smartmon.fc | 2 ++ smartmon.if | 3 +++ smartmon.te | 63 ++++++++++++++++++++++++++++++++++++++++++---- smartmontools.spec | 5 +++- 4 files changed, 67 insertions(+), 6 deletions(-) diff --git a/smartmon.fc b/smartmon.fc index 36e908f..e218529 100644 --- a/smartmon.fc +++ b/smartmon.fc @@ -5,3 +5,5 @@ /var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0) /var/lib/smartmontools(/.*)? gen_context(system_u:object_r:fsdaemon_var_lib_t,s0) + +/etc/smartmontools/smartd_warning.(sh|d/.*) gen_context(system_u:object_r:smartdwarn_script_t,s0) diff --git a/smartmon.if b/smartmon.if index ea347cc..541a45a 100644 --- a/smartmon.if +++ b/smartmon.if @@ -40,6 +40,7 @@ interface(`smartmon_admin',` gen_require(` type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t; type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t; + type smartdwarn_t, smartdwarn_script_t; ') allow $1 fsdaemon_t:process signal_perms; @@ -54,6 +55,8 @@ interface(`smartmon_admin',` role_transition $2 fsdaemon_initrc_exec_t system_r; allow $2 system_r; + admin_pattern($1, smartdwarn_script_t) + files_list_tmp($1) admin_pattern($1, fsdaemon_tmp_t) diff --git a/smartmon.te b/smartmon.te index 1d806ce..598a12d 100644 --- a/smartmon.te +++ b/smartmon.te @@ -1,4 +1,4 @@ -policy_module(smartmon, 1.12.0) +policy_module(smartmon, 1.13.0) ######################################## # @@ -13,6 +13,11 @@ policy_module(smartmon, 1.12.0) ## gen_tunable(smartmon_3ware, false) +require { + class capability dac_override; + type tty_device_t, user_devpts_t; +} + type fsdaemon_t; type fsdaemon_exec_t; init_daemon_domain(fsdaemon_t, fsdaemon_exec_t) @@ -20,6 +25,53 @@ init_daemon_domain(fsdaemon_t, fsdaemon_exec_t) type fsdaemon_initrc_exec_t; init_script_file(fsdaemon_initrc_exec_t) +# runs smartd_warning.sh and smartd_warning.d/* +type smartdwarn_t; +type smartdwarn_script_t; +type_transition fsdaemon_t smartdwarn_script_t:process smartdwarn_t; +role system_r types smartdwarn_t; + +files_type(smartdwarn_script_t) + +application_domain(smartdwarn_t, smartdwarn_script_t) +domtrans_pattern(fsdaemon_t, smartdwarn_script_t, smartdwarn_t) + +corecmd_exec_bin(smartdwarn_t) +corecmd_exec_shell(smartdwarn_t) + +# reads list of users +auth_read_passwd_file(smartdwarn_t) + +hostname_exec(smartdwarn_t) + +# smartd_warning.sh to run smartd_warning.d/* scripts +allow smartdwarn_t smartdwarn_script_t:file execute_no_trans; + +# for wall cmd +init_read_utmp(smartdwarn_t) +allow smartdwarn_t tty_device_t:chr_file { open write }; +allow smartdwarn_t user_devpts_t:chr_file { open write }; +allow smartdwarn_t self:capability { setgid dac_override }; +files_manage_generic_tmp_files(smartdwarn_t) +term_open_unallocated_ttys(smartdwarn_t) +term_search_ptys(smartdwarn_t) +userdom_use_user_terminals(smartdwarn_t) + + +optional_policy(` + systemd_exec_systemctl(smartdwarn_t) +') + +optional_policy(` + mta_send_mail(smartdwarn_t) + mta_manage_home_rw(smartdwarn_t) +') + +# optional_policy(` +# unconfined_domain(smartdwarn_t) +# ') + + type fsdaemon_var_run_t; files_pid_file(fsdaemon_var_run_t) @@ -125,10 +177,11 @@ tunable_policy(`smartmon_3ware',` seutil_read_file_contexts(fsdaemon_t) ') -optional_policy(` - mta_send_mail(fsdaemon_t) - mta_manage_home_rw(fsdaemon_t) -') +# this should be no longer needed with smartdwarn_t +# optional_policy(` +# mta_send_mail(fsdaemon_t) +# mta_manage_home_rw(fsdaemon_t) +# ') optional_policy(` udev_read_db(fsdaemon_t) diff --git a/smartmontools.spec b/smartmontools.spec index 7d95bb9..8cbbd2c 100644 --- a/smartmontools.spec +++ b/smartmontools.spec @@ -7,7 +7,7 @@ Summary: Tools for monitoring SMART capable hard disks Name: smartmontools Version: 7.3 -Release: 6%{?dist} +Release: 7%{?dist} Epoch: 1 License: GPL-2.0-or-later URL: http://smartmontools.sourceforge.net/ @@ -159,6 +159,9 @@ fi %changelog +* Thu Jul 20 2023 Michal Hlavinka - 1:7.3-7 +- use different selinux context for notification scripts (#2139199) + * Wed Apr 05 2023 Michal Hlavinka - 1:7.3-6 - update license tag format (SPDX migration) for https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1