#4 [RFE] Add selinux subpackage
Closed 2 years ago by zbyszek. Opened 3 years ago by jkucera.
rpms/ jkucera/gpm sepolicy  into  rawhide

file added
+11
@@ -0,0 +1,11 @@ 

+ /dev/gpmctl	-s	gen_context(system_u:object_r:gpmctl_t,s0)

+ /dev/gpmdata	-p	gen_context(system_u:object_r:gpmctl_t,s0)

+ 

+ /etc/gpm(/.*)?	gen_context(system_u:object_r:gpm_conf_t,s0)

+ /etc/gpm-.*\.conf	--	gen_context(system_u:object_r:gpm_conf_t,s0)

+ 

+ /etc/rc\.d/init\.d/gpm	--	gen_context(system_u:object_r:gpm_initrc_exec_t,s0)

Not present anymore.

+ 

+ /usr/sbin/gpm	--	gen_context(system_u:object_r:gpm_exec_t,s0)

+ 

+ /var/run/gpm\.pid	--	gen_context(system_u:object_r:gpm_var_run_t,s0)

/run/

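--- /dev/null
+++ b/gpm.if
@@ -0,0 +1,122 @@
+## <summary>General Purpose Mouse driver.</summary>
+
+########################################
+## <summary>
+##	Connect to GPM over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpm_stream_connect',`
+	gen_require(`
+		type gpmctl_t, gpm_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t)
+')
+
+########################################
+## <summary>
+##	Get attributes of gpm control
+##	channel named sock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpm_getattr_gpmctl',`
+	gen_require(`
+		type gpmctl_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get
+##	attributes of gpm control channel
+##	named sock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`gpm_dontaudit_getattr_gpmctl',`
+	gen_require(`
+		type gpmctl_t;
+	')
+
+	dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Set attributes of gpm control
+##	channel named sock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gpm_setattr_gpmctl',`
+	gen_require(`
+		type gpmctl_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an gpm environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`gpm_admin',`
+	gen_require(`
+		type gpm_t, gpm_conf_t, gpm_initrc_exec_t;
+		type gpm_var_run_t, gpmctl_t;
+	')
+
+	allow $1 gpm_t:process { ptrace signal_perms };
+	ps_process_pattern($1, gpm_t)
+
+	init_labeled_script_domtrans($1, gpm_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 gpm_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_etc($1)
+	admin_pattern($1, gpm_conf_t)
+
+	dev_list_all_dev_nodes($1)
+	admin_pattern($1, gpmctl_t)
+
+	files_search_pids($1)
+	admin_pattern($1, gpm_var_run_t)
+')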
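Review bot: gpm_admin only covers the SysV route to the service — the init_labeled_script_domtrans on gpm_initrc_exec_t and the role_transition to system_r at the end of the interface — while the spec in this same pull request ships the daemon as gpm.service, so on this package those rules match no file and the admin domain gains no right to start or stop the unit. If the policy version this builds against provides a unit-file type and a start/stop interface for it, that is what belongs here; otherwise a header comment such as `## Service control via systemctl is expected from the generic systemd admin rules, not from this interface.` would keep the "All of the rules required to administrate" summary honest. The interface also grants `ptrace` on gpm_t unconditionally; if the target policy gates ptrace behind a boolean elsewhere, confirm that a direct allow is intended for this domain.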

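--- a/gpm.spec
+++ b/gpm.spec
@@ -1,7 +1,12 @@
+# Defining macros needed by SELinux
+%global with_selinux 1
+%global modulename gpm
+%global selinuxtype targeted
+
 Summary: A mouse server for the Linux console
 Name: gpm
 Version: 1.20.7
-Release: 27%{?dist}
+Release: 28%{?dist}
 License: GPLv2 and OFSFDL
 URL: http://www.nico.schottelius.org/software/gpm/
 #URL2 : http://freecode.com/projects/gpm
@@ -17,6 +22,11 @@
 
 Source: %{name}-%{version}.tar.xz
 Source1: gpm.service
+# selinux policy (extracted from
+# https://github.com/fedora-selinux/selinux-policy/tree/rawhide/policy/modules/contrib)
+Source100: %{modulename}.te
+Source101: %{modulename}.if
+Source102: %{modulename}.fc
 Patch0: https://github.com/telmich/gpm/compare/1.20.7...e82d1a653ca94aa4ed12441424da6ce780b1e530.diff
 Patch1: gpm-1.20.6-multilib.patch
 Patch2: gpm-1.20.1-lib-silent.patch
@@ -37,6 +47,11 @@
 BuildRequires: make
 Requires: linuxconsoletools
 Requires: %{name}-libs = %{version}-%{release}
+%if 0%{?with_selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not pulled
+# into containers and other systems that do not use SELinux
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif
 
 %description
 Gpm provides mouse support to text-based Linux applications like the
@@ -70,6 +85,19 @@
 The gpm-static package includes static libraries of gpm. The gpm provides
 mouse support to text-based Linux applications.
 
+%if 0%{?with_selinux}
+# SELinux subpackage
+%package selinux
+Summary: %{name} SELinux policy
+BuildArch: noarch
+Requires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+BuildRequires: selinux-policy-devel
+%{?selinux_requires}
+
+%description selinux
+Custom SELinux policy module
+%endif
 
 %prep
 %setup -q
@@ -87,6 +115,16 @@
 %configure
 %make_build
 
+%if 0%{?with_selinux}
+# SELinux policy (originally from selinux-policy-contrib)
+# this policy module will override the production module
+mkdir selinux
+cp -p %{SOURCE100} %{SOURCE101} %{SOURCE102} selinux/
+
+make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
+bzip2 -9 %{modulename}.pp
+%endif
+
 %install
 %make_install
 
@@ -111,6 +149,10 @@
 rm -rf %{buildroot}%{_mandir}
 %endif
 
+%if 0%{?with_selinux}
+install -D -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+%endif
+
 %post
 %ifnarch s390 s390x
 %systemd_post gpm.service
@@ -128,6 +170,30 @@
 
 %ldconfig_scriptlets libs
 
+%if 0%{?with_selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+
+if [ "$1" -le "1" ]; then # First install
+   # the daemon needs to be restarted for the custom label to be applied
+   %systemd_postun_with_restart %{modulename}.service
+fi
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+    %selinux_relabel_post -s %{selinuxtype}
+    # the daemon needs to be restarted for the custom label to be removed
+    %systemd_postun_with_restart %{modulename}.service
+fi
+%endif
+
 %files
 %doc COPYING README TODO
 %doc doc/README* doc/FAQ doc/Announce doc/changelog
@@ -150,7 +216,17 @@
 %files static
 %{_libdir}/libgpm.a
 
+%if 0%{?with_selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%endif
+
 %changelog
+* Wed Apr 28 2021 Jiri Kucera <jkucera@redhat.com> - 1.20.7-28
+- Add selinux subpackage
+  See https://fedoraproject.org/wiki/SELinux/IndependentPolicy
+
 * Wed Mar 24 2021 Jiri Kucera <jkucera@redhat.com> - 1.20.7-27
 - Fix License tag
 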
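Review bot: In the %build hunk the three policy sources are copied into selinux/, but `make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp` and the bzip2 run in the source root, and %install later picks %{modulename}.pp.bz2 up from there too; as far as I know the devel Makefile resolves `%.te` relative to the working directory, so please confirm in a scratch build that gpm.te is actually found — if it is not, either copy the sources to `.` instead of selinux/, or wrap the make and bzip2 in `pushd selinux` / `popd` and install from selinux/. The Source100–102 comment names the contrib tree but not the revision the files were taken from; because this module is installed at priority 200 and shadows the distribution's gpm module, later fixes in selinux-policy will be silently masked unless someone re-syncs, so record the origin, e.g. `# extracted from .../policy/modules/contrib at commit <UPSTREAM_COMMIT_ID> (placeholder)`. In %post selinux, `if [ "$1" -le "1" ]` is equivalent to `-eq 1` and differs in style from the `[ $1 -eq 0 ]` test in %postun; one form for both would read better.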

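--- /dev/null
+++ b/gpm.te
@@ -0,0 +1,80 @@
+policy_module(gpm, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type gpm_t;
+type gpm_exec_t;
+init_daemon_domain(gpm_t, gpm_exec_t)
+
+type gpm_initrc_exec_t;
+init_script_file(gpm_initrc_exec_t)
+
+type gpm_conf_t;
+files_config_file(gpm_conf_t)
+
+type gpm_tmp_t;
+files_tmp_file(gpm_tmp_t)
+
+type gpm_var_run_t;
+files_pid_file(gpm_var_run_t)
+
+type gpmctl_t;
+files_type(gpmctl_t)
+
+########################################
+#
+# Local policy
+#
+
+allow gpm_t self:capability { setpcap setuid dac_read_search  sys_admin sys_tty_config };
+allow gpm_t self:process { signal signull getcap setcap };
+allow gpm_t self:unix_stream_socket { accept listen };
+
+allow gpm_t gpm_conf_t:dir list_dir_perms;
+read_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t)
+read_lnk_files_pattern(gpm_t, gpm_conf_t, gpm_conf_t)
+
+manage_dirs_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t)
+manage_files_pattern(gpm_t, gpm_tmp_t, gpm_tmp_t)
+files_tmp_filetrans(gpm_t, gpm_tmp_t, { file dir })
+
+allow gpm_t gpm_var_run_t:file manage_file_perms;
+files_pid_filetrans(gpm_t, gpm_var_run_t, file)
+
+allow gpm_t gpmctl_t:sock_file manage_sock_file_perms;
+allow gpm_t gpmctl_t:fifo_file manage_fifo_file_perms;
+dev_filetrans(gpm_t, gpmctl_t, { sock_file fifo_file })
+
+kernel_read_kernel_sysctls(gpm_t)
+kernel_list_proc(gpm_t)
+kernel_read_proc_symlinks(gpm_t)
+
+dev_read_sysfs(gpm_t)
+# Access the mouse.
+dev_rw_input_dev(gpm_t)
+dev_rw_mouse(gpm_t)
+
+
+fs_getattr_all_fs(gpm_t)
+fs_search_auto_mountpoints(gpm_t)
+
+term_use_unallocated_ttys(gpm_t)
+
+domain_use_interactive_fds(gpm_t)
+
+logging_send_syslog_msg(gpm_t)
+
+userdom_dontaudit_use_unpriv_user_fds(gpm_t)
+userdom_dontaudit_search_user_home_dirs(gpm_t)
+userdom_use_inherited_user_terminals(gpm_t)
+
+optional_policy(`
+	seutil_sigchld_newrole(gpm_t)
+')
+
+optional_policy(`
+	udev_read_db(gpm_t)
+')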
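Review bot: The self:capability rule at the top of the Local policy block grants sys_admin and dac_read_search to gpm_t with no comment saying which gpm operation needs either; now that this file is maintained in the package rather than inherited from selinux-policy, the justification should live at the rule, e.g. `# sys_admin / dac_read_search: TODO(review) record the gpm code path that needs each, or drop after an audit run with gpm_t permissive`. The double space before sys_admin in that rule looks like a leftover from an earlier edit and is worth tidying while the line is touched. Keeping capabilities the daemon cannot be shown to use is the kind of drift this packaging change makes the package's own responsibility.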

Distribute SELinux rules along with the package. This makes the package independent of the selinux-policy packages.

See https://fedoraproject.org/wiki/SELinux/IndependentPolicy.

Not present anymore.

So... I'm looking at this, and I'm not convinced that this is all worth the trouble. Right now I have a spec file that is (ignoring the %changelog) 125 lines. It's mostly a bunch of manageable boilerplate. But this PR adds ~200 lines of selinux policy and a bunch of non-trivial code to the spec file. gpm is useful to have to be able to do c&p in a text terminal, so I'm fine with keeping the package building and handling very trivial bugs, but there's no way I can support something as complex as this policy.

Maybe the selinux policy should be replaced by a systemd policy which gives access to /dev/input/mice, some terminal stuff, moves /dev/gpmctl under /run/gpm/, and locks everything else down? gpm has some more functionality, but I think it's likely that nobody uses that anymore. And if they do use it, they could disable the sandbox and return to status quo. I think this would be more manageable, while still giving much better protection...

JFTR, I have no opinion on this matter as long as it doesn't break systems without selinux :smile:

I merged the pull request to add a systemd sandbox. I'll close this pull request. Feel free to drop the selinux policy for gpm.
