From 1374c7bd45913172aa65bbc60d3bd323513f68c7 Mon Sep 17 00:00:00 2001 From: Chance Callahan Date: Thu, 6 Oct 2022 11:35:41 -0400 Subject: [PATCH] Base SELinux template. --- selinux/wings.fc | 1 + selinux/wings.if | 40 ++++++++++++++++++++++ selinux/wings.sh | 52 ++++++++++++++++++++++++++++ selinux/wings.te | 25 ++++++++++++++ selinux/wings_selinux.spec | 70 ++++++++++++++++++++++++++++++++++++++ 5 files changed, 188 insertions(+) create mode 100644 selinux/wings.fc create mode 100644 selinux/wings.if create mode 100644 selinux/wings.sh create mode 100644 selinux/wings.te create mode 100644 selinux/wings_selinux.spec diff --git a/selinux/wings.fc b/selinux/wings.fc new file mode 100644 index 0000000..09c7b28 --- /dev/null +++ b/selinux/wings.fc @@ -0,0 +1 @@ +/usr/local/bin/wings -- gen_context(system_u:object_r:wings_exec_t,s0) diff --git a/selinux/wings.if b/selinux/wings.if new file mode 100644 index 0000000..d267364 --- /dev/null +++ b/selinux/wings.if @@ -0,0 +1,40 @@ + +## policy for wings + +######################################## +## +## Execute wings_exec_t in the wings domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`wings_domtrans',` + gen_require(` + type wings_t, wings_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, wings_exec_t, wings_t) +') + +###################################### +## +## Execute wings in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`wings_exec',` + gen_require(` + type wings_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, wings_exec_t) +') diff --git a/selinux/wings.sh b/selinux/wings.sh new file mode 100644 index 0000000..b9cedfb --- /dev/null +++ b/selinux/wings.sh 
@@ -0,0 +1,52 @@
+#!/bin/sh -e
+
+DIRNAME=`dirname $0`
+cd $DIRNAME
+USAGE="$0 [ --update ]"
+if [ `id -u` != 0 ]; then
+echo 'You must be root to run this script'
+exit 1
+fi
+
+if [ $# -eq 1 ]; then
+ if [ "$1" = "--update" ] ; then
+ time=`ls -l --time-style="+%x %X" wings.te | awk '{ printf "%s %s", $6, $7 }'`
+ rules=`ausearch --start $time -m avc --raw -se wings`
+ if [ x"$rules" != "x" ] ; then
+ echo "Found avc's to update policy with"
+ echo -e "$rules" | audit2allow -R
+ echo "Do you want these changes added to policy [y/n]?"
+ read ANS
+ if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
+ echo "Updating policy"
+ echo -e "$rules" | audit2allow -R >> wings.te
+ # Fall though and rebuild policy
+ else
+ exit 0
+ fi
+ else
+ echo "No new avcs found"
+ exit 0
+ fi
+ else
+ echo -e $USAGE
+ exit 1
+ fi
+elif [ $# -ge 2 ] ; then
+ echo -e $USAGE
+ exit 1
+fi
+
+echo "Building and Loading Policy"
+set -x
+make -f /usr/share/selinux/devel/Makefile wings.pp || exit
+/usr/sbin/semodule -i wings.pp
+
+# Generate a man page off the installed module
+sepolicy manpage -p . -d wings_t
+# Fixing the file context on /usr/local/bin/wings
+/sbin/restorecon -F -R -v /usr/local/bin/wings
+# Generate a rpm package for the newly generated policy
+
+pwd=$(pwd)
+rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba wings_selinux.spec
diff --git a/selinux/wings.te b/selinux/wings.te
new file mode 100644
index 0000000..92da82b
--- /dev/null
+++ b/selinux/wings.te
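Review bot: `DIRNAME=\`dirname $0\`` and `cd $DIRNAME` at the top of the hunk leave the path unquoted, so a checkout directory containing whitespace makes `cd` fail and, under `sh -e`, aborts the script before the root check runs; `DIRNAME=$(dirname "$0")` and `cd "$DIRNAME"` fix both lines. `echo -e $USAGE` (used twice) is not portable under `#!/bin/sh`: dash's builtin echo prints a literal `-e`, so `printf '%s\n' "$USAGE"` is the safer form. In the `--update` branch, the output of `audit2allow -R` for every wings AVC since wings.te was last modified is appended verbatim to the policy, with the y/n prompt as the only review gate; a comment above the prompt such as `# Review the rules printed above: each one becomes a permanent allow in wings.te once accepted` would make that clear to whoever runs it. `ausearch --start $time` relies on word splitting to pass the date and time as two separate arguments, which looks like a quoting bug at first glance and deserves a one-line comment saying it is intentional.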
@@ -0,0 +1,25 @@
+policy_module(wings, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wings_t;
+type wings_exec_t;
+init_daemon_domain(wings_t, wings_exec_t)
+
+permissive wings_t;
+
+########################################
+#
+# wings local policy
+#
+allow wings_t self:fifo_file rw_fifo_file_perms;
+allow wings_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(wings_t)
+
+files_read_etc_files(wings_t)
+
+miscfiles_read_localization(wings_t)
diff --git a/selinux/wings_selinux.spec b/selinux/wings_selinux.spec
new file mode 100644
index 0000000..c97967a
--- /dev/null
+++ b/selinux/wings_selinux.spec
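Review bot: `permissive wings_t;` makes the new domain log-only — every access by wings_t is allowed and merely audited — so none of the allow rules and interface calls below it are actually enforced while that line stays in, and nothing in the file marks it as temporary. A comment directly above it, such as `# TODO: remove once wings.sh --update has collected the rules the daemon needs; a permissive domain audits denials but enforces nothing`, would record the intent and stop the line from being shipped unnoticed in the RPM. The local policy currently grants only fifo, unix-stream, interactive-fd, /etc and localization access; if wings is a network service (not determinable from this patch), the missing socket and port rules are being masked by the permissive flag rather than surfacing as denials.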
@@ -0,0 +1,70 @@
+# vim: sw=4:ts=4:et
+
+
+%define relabel_files() \
+restorecon -R /usr/local/bin/wings; \
+
+%define selinux_policyver 34.1.29-1
+
+Name: wings_selinux
+Version: 1.0
+Release: 1%{?dist}
+Summary: SELinux policy module for wings
+
+Group: System Environment/Base
+License: GPLv2+
+# This is an example. You will need to change it.
+URL: http://HOSTNAME
+Source0: wings.pp
+Source1: wings.if
+Source2: wings_selinux.8
+
+
+Requires: policycoreutils, libselinux-utils
+Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
+Requires(postun): policycoreutils
+BuildArch: noarch
+
+%description
+This package installs and sets up the SELinux policy security module for wings.
+
+%install
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
+install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
+install -d %{buildroot}%{_mandir}/man8/
+install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/wings_selinux.8
+install -d %{buildroot}/etc/selinux/targeted/contexts/users/
+
+
+%post
+semodule -n -i %{_datadir}/selinux/packages/wings.pp
+if /usr/sbin/selinuxenabled ; then
+ /usr/sbin/load_policy
+ %relabel_files
+
+fi;
+exit 0
+
+%postun
+if [ $1 -eq 0 ]; then
+ semodule -n -r wings
+ if /usr/sbin/selinuxenabled ; then
+ /usr/sbin/load_policy
+ %relabel_files
+
+ fi;
+fi;
+exit 0
+
+%files
+%attr(0600,root,root) %{_datadir}/selinux/packages/wings.pp
+%{_datadir}/selinux/devel/include/contrib/wings.if
+%{_mandir}/man8/wings_selinux.8.*
+
+
+%changelog
+* Thu Oct 6 2022 YOUR NAME 1.0-1
+- Initial version
+
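Review bot: The generator's placeholders are still in place — `URL: http://HOSTNAME` directly under its own `# This is an example. You will need to change it.` line, and `YOUR NAME` in the `%changelog` entry — so the spec is not publishable as committed. In `%install`, `install -d %{buildroot}/etc/selinux/targeted/contexts/users/` creates a directory that nothing installs into and that is not listed in `%files`; either drop that line or add the directory to `%files` so the package contents match the build root. `%define selinux_policyver 34.1.29-1` pins `Requires(post): selinux-policy-base` to one exact policy release, presumably the one on the host that generated the template; a comment stating where that number was taken from and when it should be re-checked would help the next person who rebuilds the package on a different release.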