RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

yet more tiny stuff 

I think this should be self-explanatory.  I've added an audit trace for the
sys_ptrace access that was previously rejected.

Here is the audit log for sys_ptrace:
type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service
type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/
type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc:  denied  { sys_ptrace } for  pid=12750 comm=systemctl capability=sys_ptrace  scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0
This commit is contained in:
Russell Coker 2019-01-22 09:59:28 +11:00 committed by Chris PeBenito
parent bf21c5c0d2
commit eba35802cc
5 changed files with 29 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
policy/modules/admin/logrotate.te
View File

@ -37,7 +37,8 @@ role system_r types logrotate_mail_t;
# Local policy # Local policy
# #
allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource }; # sys_ptrace is for systemctl
allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource };
# systemctl asks for net_admin # systemctl asks for net_admin
dontaudit logrotate_t self:capability net_admin; dontaudit logrotate_t self:capability net_admin;
allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };

5
policy/modules/apps/gpg.te
View File

@ -183,11 +183,6 @@ optional_policy(`
spamassassin_read_spamd_tmp_files(gpg_t) spamassassin_read_spamd_tmp_files(gpg_t)
') ')
optional_policy(`
cron_system_entry(gpg_t, gpg_exec_t)
cron_read_system_job_tmp_files(gpg_t)
')
optional_policy(` optional_policy(`
xserver_use_xdm_fds(gpg_t) xserver_use_xdm_fds(gpg_t)
xserver_rw_xdm_pipes(gpg_t) xserver_rw_xdm_pipes(gpg_t)

6
policy/modules/services/cron.te
View File

@ -521,6 +521,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t)
dev_getattr_mtrr_dev(system_cronjob_t) dev_getattr_mtrr_dev(system_cronjob_t)
dev_read_rand(system_cronjob_t)
dev_read_urand(system_cronjob_t) dev_read_urand(system_cronjob_t)
dev_read_sysfs(system_cronjob_t) dev_read_sysfs(system_cronjob_t)
# for checkarray to write to sync_action # for checkarray to write to sync_action
@ -553,6 +554,7 @@ files_read_var_lib_symlinks(system_cronjob_t)
mls_file_read_to_clearance(system_cronjob_t) mls_file_read_to_clearance(system_cronjob_t)
init_domtrans_script(system_cronjob_t) init_domtrans_script(system_cronjob_t)
init_read_generic_units_links(system_cronjob_t)
init_read_utmp(system_cronjob_t) init_read_utmp(system_cronjob_t)
init_use_script_fds(system_cronjob_t) init_use_script_fds(system_cronjob_t)
@ -624,6 +626,10 @@ optional_policy(`
ftp_read_log(system_cronjob_t) ftp_read_log(system_cronjob_t)
') ')
optional_policy(`
gpg_exec(system_cronjob_t)
')
optional_policy(` optional_policy(`
inn_manage_log(system_cronjob_t) inn_manage_log(system_cronjob_t)
inn_manage_pid(system_cronjob_t) inn_manage_pid(system_cronjob_t)

3
policy/modules/services/irqbalance.te
View File

@ -31,7 +31,8 @@ allow irqbalance_t self:udp_socket create_socket_perms;
allow irqbalance_t self:unix_stream_socket create_stream_socket_perms; allow irqbalance_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t) manage_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
files_pid_filetrans(irqbalance_t, irqbalance_pid_t, file) manage_sock_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
files_pid_filetrans(irqbalance_t, irqbalance_pid_t, { file sock_file })
kernel_read_network_state(irqbalance_t) kernel_read_network_state(irqbalance_t)
kernel_read_system_state(irqbalance_t) kernel_read_system_state(irqbalance_t)

19
policy/modules/system/init.if
View File

@ -2960,6 +2960,25 @@ interface(`init_search_units',`
fs_search_tmpfs($1) fs_search_tmpfs($1)
') ')
########################################
## <summary>
## Read systemd unit links
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_read_generic_units_links',`
gen_require(`
type systemd_unit_t;
class service status;
')
allow $1 systemd_unit_t:lnk_file read_lnk_file_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Get status of generic systemd units. ## Get status of generic systemd units.