File sysconfig_network_scripts.patch of Package selinux-policy.37503

Index: serefpolicy-20140730/policy/modules/system/sysnetwork.fc
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/sysnetwork.fc	2015-07-21 16:52:51.913277147 +0200
+++ serefpolicy-20140730/policy/modules/system/sysnetwork.fc	2015-07-21 16:52:55.461333779 +0200
@@ -11,6 +11,15 @@ ifdef(`distro_debian',`
 /dev/shm/network(/.*)?		gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
+# SUSE
+# sysconfig network files are stored in /dev/.sysconfig
+/dev/.sysconfig/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
+# label netconfig files in /var/adm and /var/lib and /var/run
+/var/adm/netconfig(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
+/var/lib/ntp/var(/.*)?		gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/netconfig(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
+
+
 #
 # /etc
 #
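Review bot: The dot in `/dev/.sysconfig/network(/.*)?` is unescaped, so the regex accepts any character in that position instead of only the hidden directory. It should be written `/dev/\.sysconfig/network(/.*)?`, and the same applies to the `/dev/.sysconfig(/.*)?` line added to devices.fc. Separately, `/var/lib/ntp/var(/.*)?` puts part of the ntp tree under net_conf_t, which sysnetwork.te lets dhcpc_t manage through `sysnet_manage_config(dhcpc_t)`. The comment above it only mentions netconfig files, so a line such as `# netconfig writes ntp runtime configuration below /var/lib/ntp/var` would make the intent reviewable.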
@@ -37,6 +46,10 @@ ifdef(`distro_redhat',`
 /var/run/systemd/network(/.*)?  gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
+/etc/sysconfig/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/etc/sysconfig/network/scripts/.* gen_context(system_u:object_r:bin_t,s0)
+/etc/sysconfig/scripts/.* gen_context(system_u:object_r:bin_t,s0)
+
 #
 # /sbin
 #
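Review bot: The two `bin_t` entries have no comment and no file-type specifier, so `/etc/sysconfig/network/scripts/.*` and `/etc/sysconfig/scripts/.*` relabel everything below those directories, subdirectories and non-executable helper files included. Splitting the scripts off from `net_conf_t` looks deliberate, since net_conf_t content is manageable by dhcpc_t via `sysnet_manage_config` and executable hooks should not be. That reasoning is only inferred and should be stated, for example `# hook scripts are executables, keep them out of the writable net_conf_t tree`. Unlike the neighbouring entries, these three lines also sit outside any distro ifdef, so they apply to every build of the policy.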
Index: serefpolicy-20140730/policy/modules/system/sysnetwork.te
===================================================================
--- serefpolicy-20140730.orig/policy/modules/system/sysnetwork.te	2015-07-21 16:52:51.913277147 +0200
+++ serefpolicy-20140730/policy/modules/system/sysnetwork.te	2015-07-21 16:54:15.998619244 +0200
@@ -60,7 +60,8 @@ ifdef(`distro_debian',`
 #
 # DHCP client local policy
 #
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
+# need sys_admin to set hostname/domainname
+allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config sys_admin ipc_lock };
 dontaudit dhcpc_t self:capability sys_tty_config;
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
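Review bot: The comment on the widened `allow dhcpc_t self:capability` rule explains `sys_admin` but says nothing about `ipc_lock`, which is added on the same line. `sys_admin` is also much wider than setting the hostname: the capability check cannot separate sethostname()/setdomainname() from the other operations it gates, and dhcpc_t is a domain that processes data received from the network. I would document both additions, e.g. `# sys_admin: sethostname()/setdomainname() from the DHCP client; ipc_lock: <reason>`, and consider placing them inside a distro_suse ifdef so other builds keep the narrower set.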
@@ -95,6 +96,12 @@ allow dhcpc_t net_conf_t:file relabel_fi
 sysnet_manage_config(dhcpc_t)
 files_etc_filetrans(dhcpc_t, net_conf_t, file)
 
+# allow relabel of /dev/.sysconfig
+dev_associate(net_conf_t)
+
+# allow mv /etc/resolv.conf.netconfig
+allow dhcpc_t etc_runtime_t:file unlink;
+
 # create temp files
 manage_dirs_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
 manage_files_pattern(dhcpc_t, dhcpc_tmp_t, dhcpc_tmp_t)
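Review bot: `allow dhcpc_t etc_runtime_t:file unlink;` is not limited to the file named in its comment; it covers every file labelled etc_runtime_t, a type shared by unrelated runtime files and declared in another module. If resolv.conf.netconfig can be given net_conf_t through sysnetwork.fc, the existing `sysnet_manage_config(dhcpc_t)` would presumably cover the move without this rule. Otherwise the access should go through an interface of the module that owns the type rather than a raw allow. The comment on `dev_associate(net_conf_t)` also reads as if it grants relabeling, whereas the call lets net_conf_t objects live on the device filesystem; `# allow net_conf_t objects on the /dev filesystem (/dev/.sysconfig)` would be closer.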
Index: serefpolicy-20140730/policy/modules/kernel/devices.fc
===================================================================
--- serefpolicy-20140730.orig/policy/modules/kernel/devices.fc	2015-07-21 16:52:51.913277147 +0200
+++ serefpolicy-20140730/policy/modules/kernel/devices.fc	2015-07-21 16:52:55.461333779 +0200
@@ -2,6 +2,7 @@
 /dev			-d	gen_context(system_u:object_r:device_t,s0)
 /dev/.*				gen_context(system_u:object_r:device_t,s0)
 
+/dev/.sysconfig(/.*)?	-d	gen_context(system_u:object_r:net_conf_t,s0)
 /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/[0-9].*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/3dfx		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
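Review bot: The new `/dev/.sysconfig(/.*)?` entry carries `-d`, so it labels directories only; regular files below /dev/.sysconfig that are outside network/ would still fall to `/dev/.*` and get device_t. If the whole tree is meant to be net_conf_t, drop the `-d`; if only the directories are, say so in a comment. The entry also puts a sysnetwork type into devices.fc and overlaps the `/dev/.sysconfig/network(/.*)?` line added to sysnetwork.fc, so keeping both in sysnetwork.fc would be easier to audit.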