prepare for SELinuxIndependentPolicy

https://fedoraproject.org/wiki/SELinux/IndependentPolicy

drivedb.h

@@ -68,7 +68,7 @@
 /*
 const drive_settings builtin_knowndrives[] = {
  */
-  { "VERSION: 7.2/5170 2021-01-17 16:11:20 $Id: drivedb.h 5171 2021-01-17 17:17:19Z chrfranke $",
+  { "VERSION: 7.2/5211 2021-03-08 18:07:28 $Id$",
     "-", "-",
     "Version information",
     ""
@@ -3675,12 +3675,13 @@ const drive_settings builtin_knowndrives[] = {
     "TOSHIBA MG03ACA[1234]00Y?",
     "", "", ""
   },
-  { "Toshiba 3.5\" MD04ACA... Enterprise HDD", // tested with TOSHIBA MD04ACA500/FP1A
+  { "Toshiba MG04ACA... Enterprise HDD", // tested with TOSHIBA MD04ACA500/FP1A,
-    "TOSHIBA MD04ACA[2345]00",
+      // TOSHIBA MG04ACA600A/FS2B, TOSHIBA MG04ACA400NY/FK5D (Dell)
+    "TOSHIBA MG04ACA[23456]00([AEN].?)?",
     "", "", ""
   },
-  { "Toshiba 3.5\" MG04ACA... Enterprise HDD", // tested with TOSHIBA MG04ACA600A/FS2B
+  { "Toshiba MG05ACA... Enterprise Capacity HDD", // tested with TOSHIBA MG05ACA800E/GX2A
-    "TOSHIBA MG04ACA[23456]00[AE].?",
+    "TOSHIBA MG05ACA800[AE]",
     "", "", ""
   },
   { "Toshiba MG06ACA... Enterprise Capacity HDD", // tested with TOSHIBA MG06ACA800E/4303,
@@ -3694,6 +3695,12 @@ const drive_settings builtin_knowndrives[] = {
     "-v 23,raw48,Helium_Condition_Lower "
     "-v 24,raw48,Helium_Condition_Upper"
   },
+  { "Toshiba MG08ACA... Enterprise Capacity HDD", // tested with TOSHIBA MG08ACA16TE/0102
+    "TOSHIBA MG08ACA16T[AE]Y?",
+    "", "",
+    "-v 23,raw48,Helium_Condition_Lower "
+    "-v 24,raw48,Helium_Condition_Upper"
+  },
   { "Toshiba 3.5\" DT01ABA... Desktop HDD", // tested with TOSHIBA DT01ABA300/MZ6OABB0
     "TOSHIBA DT01ABA(100|150|200|300)",
     "", "", ""
@@ -3703,14 +3710,27 @@ const drive_settings builtin_knowndrives[] = {
     "TOSHIBA DT01ACA(025|032|050|075|100|150|200|300)",
     "", "", ""
   },
-  { "Toshiba X300", // tested with TOSHIBA HDWE160/FS2A
+  { "Toshiba N300 NAS HDD", // tested with TOSHIBA HDWQ140/FJ1M, TOSHIBA HDWN180/GX2M,
-    "TOSHIBA HDWE1[456]0",
+      // TOSHIBA HDWN160/FS1M, TOSHIBA HDWG11A/0603, TOSHIBA HDWG21C/0601, TOSHIBA HDWG21E/0601
+    "TOSHIBA HDW([GNQ]1[468]0|G(11A|21[CE]|31G))",  // 11A:10TB, 21C:12TB, 21E:14TB, 31G: 16TB
+    "", "",
+    "-v 23,raw48,Helium_Condition_Lower " // ] >= 12TB
+    "-v 24,raw48,Helium_Condition_Upper"  // ]
+  },
+  { "Toshiba P300 (CMR)", // tested with TOSHIBA HDWD120/MX4OACF0
+    "TOSHIBA HDWD1(05|10|20|30)",
     "", "", ""
   },
-  { "Toshiba P300", // tested with TOSHIBA HDWD120/MX4OACF0
+  { "Toshiba P300 (SMR)", // tested with TOSHIBA HDWD240/KQ000A
-    "TOSHIBA HDWD1(30|20|10|05)",
+    "TOSHIBA HDWD2[246]0",
     "", "", ""
   },
+  { "Toshiba X300", // tested with TOSHIBA HDWE160/FS2A, TOSHIBA HDWF180/GX0B
+    "TOSHIBA HDW(E1[456]0|[FR]180|R(11A|21[CE]|31G))",  // 11A:10TB, 21C:12TB, 21E:14TB, 31G: 16TB
+    "", "",
+    "-v 23,raw48,Helium_Condition_Lower " // ] >= 12TB
+    "-v 24,raw48,Helium_Condition_Upper"  // ]
+  },
   { "Toshiba L200 (CMR)",
     "TOSHIBA HDW[JK]1(05|10)",
     "", "", ""

selinux_smartmon.fc

@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/(smartd|smartmontools)	--	gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0)
+
+/usr/sbin/smartd	--	gen_context(system_u:object_r:fsdaemon_exec_t,s0)
+
+/var/run/smartd\.pid	--	gen_context(system_u:object_r:fsdaemon_var_run_t,s0)
+
+/var/lib/smartmontools(/.*)?	gen_context(system_u:object_r:fsdaemon_var_lib_t,s0)

selinux_smartmon.if

@@ -0,0 +1,65 @@
+## <summary>Smart disk monitoring daemon.</summary>
+
+#######################################
+## <summary>
+##	Read smartmon temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`smartmon_read_tmp_files',`
+	gen_require(`
+		type fsdaemon_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 fsdaemon_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an smartmon environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`smartmon_admin',`
+	gen_require(`
+		type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t;
+		type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t;
+	')
+
+	allow $1 fsdaemon_t:process signal_perms;
+	ps_process_pattern($1, fsdaemon_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 fsdaemon_t:process ptrace;
+	')
+
+	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 fsdaemon_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, fsdaemon_tmp_t)
+
+	files_list_pids($1)
+	admin_pattern($1, fsdaemon_var_run_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, fsdaemon_var_lib_t)
+')

selinux_smartmon.te

@@ -0,0 +1,139 @@
+policy_module(smartmon, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether smartmon can support
+##	devices on 3ware controllers.
+##	</p>
+## </desc>
+gen_tunable(smartmon_3ware, false)
+
+type fsdaemon_t;
+type fsdaemon_exec_t;
+init_daemon_domain(fsdaemon_t, fsdaemon_exec_t)
+
+type fsdaemon_initrc_exec_t;
+init_script_file(fsdaemon_initrc_exec_t)
+
+type fsdaemon_var_run_t;
+files_pid_file(fsdaemon_var_run_t)
+
+type fsdaemon_var_lib_t;
+files_type(fsdaemon_var_lib_t)
+
+type fsdaemon_tmp_t;
+files_tmp_file(fsdaemon_tmp_t)
+
+ifdef(`enable_mls',`
+	init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh)
+')
+
+########################################
+#
+# Local policy
+#
+
+allow fsdaemon_t self:capability { dac_read_search dac_override kill setpcap setgid sys_rawio sys_admin };
+dontaudit fsdaemon_t self:capability sys_tty_config;
+allow fsdaemon_t self:process { getcap setcap signal_perms };
+allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
+allow fsdaemon_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
+manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t)
+files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir })
+
+manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t)
+files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file)
+
+manage_dirs_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t)
+manage_files_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t)
+files_var_lib_filetrans(fsdaemon_t, fsdaemon_var_lib_t, { dir file })
+
+kernel_read_kernel_sysctls(fsdaemon_t)
+kernel_read_network_state(fsdaemon_t)
+kernel_read_software_raid_state(fsdaemon_t)
+kernel_read_system_state(fsdaemon_t)
+
+auth_use_nsswitch(fsdaemon_t)
+
+corecmd_exec_all_executables(fsdaemon_t)
+
+corenet_all_recvfrom_netlabel(fsdaemon_t)
+corenet_udp_sendrecv_generic_if(fsdaemon_t)
+corenet_udp_sendrecv_generic_node(fsdaemon_t)
+corenet_udp_sendrecv_all_ports(fsdaemon_t)
+
+dev_read_sysfs(fsdaemon_t)
+dev_read_urand(fsdaemon_t)
+
+domain_use_interactive_fds(fsdaemon_t)
+
+files_exec_etc_files(fsdaemon_t)
+files_read_etc_runtime_files(fsdaemon_t)
+
+fs_getattr_all_fs(fsdaemon_t)
+fs_search_auto_mountpoints(fsdaemon_t)
+fs_read_removable_files(fsdaemon_t)
+
+mls_file_read_all_levels(fsdaemon_t)
+
+storage_create_fixed_disk_dev(fsdaemon_t)
+storage_dev_filetrans_named_fixed_disk(fsdaemon_t)
+storage_raw_read_fixed_disk(fsdaemon_t)
+storage_raw_write_fixed_disk(fsdaemon_t)
+storage_raw_read_removable_device(fsdaemon_t)
+storage_read_scsi_generic(fsdaemon_t)
+storage_write_scsi_generic(fsdaemon_t)
+
+term_dontaudit_search_ptys(fsdaemon_t)
+
+domain_signull_all_domains(fsdaemon_t)
+
+auth_read_passwd(fsdaemon_t)
+
+init_read_utmp(fsdaemon_t)
+
+libs_exec_ld_so(fsdaemon_t)
+libs_exec_lib_files(fsdaemon_t)
+
+logging_send_syslog_msg(fsdaemon_t)
+
+seutil_sigchld_newrole(fsdaemon_t)
+
+sysnet_dns_name_resolve(fsdaemon_t)
+
+userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
+userdom_dontaudit_search_user_home_dirs(fsdaemon_t)
+userdom_dontaudit_manage_admin_dir(fsdaemon_t)
+userdom_use_user_terminals(fsdaemon_t)
+
+tunable_policy(`smartmon_3ware',`
+	allow fsdaemon_t self:process setfscreate;
+
+	storage_create_fixed_disk_dev(fsdaemon_t)
+	storage_delete_fixed_disk_dev(fsdaemon_t)
+	storage_dev_filetrans_fixed_disk(fsdaemon_t)
+
+	selinux_validate_context(fsdaemon_t)
+
+	seutil_read_file_contexts(fsdaemon_t)
+')
+
+optional_policy(`
+	mta_send_mail(fsdaemon_t)
+    mta_manage_home_rw(fsdaemon_t)
+')
+
+optional_policy(`
+	udev_read_db(fsdaemon_t)
+')
+
+optional_policy(`
+	virt_read_images(fsdaemon_t)
+')

smartmontools.spec

@@ -1,7 +1,13 @@
+# defining macros needed by SELinux
+%global with_selinux 1
+%global selinuxtype targeted
+%global moduletype contrib
+%global modulename smartmon
+
 Summary:	Tools for monitoring SMART capable hard disks
 Name:		smartmontools
 Version:	7.2
-Release:	4%{?dist}
+Release:	5%{?dist}
 Epoch:		1
 License:	GPLv2+
 URL:		http://smartmontools.sourceforge.net/
@@ -11,6 +17,9 @@ Source4:	smartdnotify
 #semi-automatic update of drivedb.h
 %global		UrlSource5	https://sourceforge.net/p/smartmontools/code/HEAD/tree/trunk/smartmontools/drivedb.h?format=raw
 Source5:	drivedb.h
+Source6:	selinux_%{modulename}.te
+Source7:	selinux_%{modulename}.if
+Source8:	selinux_%{modulename}.fc
 
 #fedora/rhel specific
 Patch1:		smartmontools-5.38-defaultconf.patch
@@ -19,7 +28,11 @@ BuildRequires: make
 BuildRequires:	gcc-c++ readline-devel ncurses-devel automake util-linux groff gettext
 BuildRequires:	libselinux-devel libcap-ng-devel
 BuildRequires:	systemd systemd-devel
-%{?systemd_requires}
+%if 0%{?with_selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not pulled
+# into containers and other systems that do not use SELinux
+Requires:	(%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif
 
 %description
 The smartmontools package contains two utility programs (smartctl
@@ -29,10 +42,31 @@ into most modern ATA and SCSI hard disks. In many cases, these
 utilities will provide advanced warning of disk degradation and
 failure.
 
+%if 0%{?with_selinux}
+%package selinux
+Summary:	SELinux policies for smartmontools
+BuildArch:	noarch
+Requires:	selinux-policy-%{selinuxtype}
+Requires(post):	selinux-policy-%{selinuxtype}
+BuildRequires:	selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+Custom SELinux policy module for smartmontools
+%endif
+
 %prep
 %setup -q 
 %patch1 -p1 -b .defaultconf
 cp %{SOURCE5} .
+%if 0%{?with_selinux}
+mkdir selinux
+for srcf in %{SOURCE6} %{SOURCE7} %{SOURCE8}
+do
+  dstf=${srcf##*/selinux_}
+  cp -p $srcf $dstf
+done
+%endif
 
 %build
 autoreconf -i
@@ -45,6 +79,12 @@ cp drivedb.h ../drivedb.h ||:
 
 %make_build CXXFLAGS="$RPM_OPT_FLAGS -fpie" LDFLAGS="-pie -Wl,-z,relro,-z,now"
 
+%if 0%{?with_selinux}
+make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
+bzip2 -9 %{modulename}.pp
+%endif
+
+
 %install
 %make_install
 
@@ -57,6 +97,34 @@ rm -rf $RPM_BUILD_ROOT/etc/{rc.d,init.d}
 rm -rf $RPM_BUILD_ROOT%{_docdir}/%{name}
 mkdir -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name}
 
+%if 0%{?with_selinux}
+install -D -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+%endif
+
+%if 0%{?with_selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+
+if [ "$1" -le "1" ]; then # First install
+   # the daemon needs to be restarted for the custom label to be applied
+   %systemd_postun_with_restart smartd.service
+fi
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+    %selinux_relabel_post -s %{selinuxtype}
+    # the daemon needs to be restarted for the custom label to be removed
+    %systemd_postun_with_restart smartd.service
+fi
+%endif
+
 %preun
 %systemd_preun smartd.service
 
@@ -85,7 +153,14 @@ mkdir -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name}
 %{_datadir}/%{name}
 %{_sharedstatedir}/%{name}
 
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+
 %changelog
+* Mon Apr 19 2021 Michal Hlavinka <mhlavink@redhat.com> - 1:7.2-5
+- add selinux sub-package
+
 * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1:7.2-4
 - Rebuilt for updated systemd-rpm-macros
   See https://pagure.io/fesco/issue/2583.

tests/tests-DSP.yaml

@@ -0,0 +1,38 @@
+- hosts: localhost
+
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    repositories:
+      - repo: https://pagure.io/DSP_test.git
+        dest: DSP_test
+        version: master
+
+    tests:
+    - DSP_test
+    environment:
+      # RPM package containing the policy module
+      TEST_RPM: smartmontools-selinux
+      # policy module name
+      TEST_POLICY: smartmon
+      # policy sources will be extracted from corresponding .src.rpm
+      # policy tar filename regexp (e.g. "usbguard-selinux*.tar.gz") 
+      # or empty string if policy sources are not inside a tar archive
+      POLICY_TAR: ''
+      # path to policy sources (in of the tar archive) -- <POLICY_TAR>/<POLICY_PATH>/<TEST_POLICY>.(te|if|fc)
+      # or path in the src.rpm if there is no tar archive -- <src.rpm>/<POLICY_PATH>/<TEST_POLICY>.(te|if|fc)
+      # can contain wildcards (e.g. for versions etc.)
+      POLICY_PATH: .
+
+    required_packages:
+    - policycoreutils
+    - selinux-policy
+    - selinux-policy-targeted
+    - setools-console
+    - libselinux-utils
+    - rpm
+    - tar
+    - git
+    - smartmontools
+