modutils.te: 50: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 51: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 52: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 53: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.if: 15: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.if: 52: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.fc: 24: (S): Type modules_object_t is declared in module files, but used in file context here. (S-002)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
- selinuxutil.te: ignore gen_require usage for bool secure_mode
- corenetwork.te: ignore gen_require usage for type unlabeled_t
- files.if: drop unneeded required types in interface
- rpm.if: drop unneeded required type in interface
- xserver.if: ignore interface xserver_restricted_role calling template xserver_common_x_domain_template
- domain.te: add require block with explicit declaration for used type unlabeled_t from module kernel
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Rename interfaces to bring consistency with previous pid->runtime type
renaming. See PR #106 or 69a403cd original type renaming.
Interfaces that are still in use were renamed with a compatibility
interface. Unused interfaces were fully deprecated for removal.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Add interface similar to files_mountpoint() and add a conditional which
allows mount on non_security_file_type.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
I am seeing the following denial (in dmesg) during system startup:
[ 4.623332] type=1400 audit(1507767947.042:3): avc: denied { relabelto } for pid=1 comm="systemd" name="private" dev="tmpfs" ino=5865 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
It appears that systemd is attempting to relablel the socket file /run/systemd/private to init_var_run_t but doesn't have permission.
Updated to create new interface for relabeling of sock_files rather than adding to existing interface
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Setting this service option to 'full' or 'strict' will also remount the
/etc directory. Allow this in the policy.
This fixes the systemd-networkd service, but will also positively affect
any other service using the above hardening option.
This patch doesn't do everything that is needed to have systemd-nspawn work.
But it does everything that is needed and which I have written in a clear and
uncontroversial way. I think it's best to get this upstream now and then
either have a separate discussion about the more difficult issues, or wait
until I devise a way of solving those problems that's not too hacky.
Who knows, maybe someone else will devise a brilliant solution to the remaining
issues after this is accepted upstream.
Also there's a tiny patch for systemd_machined_t that is required by
systemd_nspawn_t.
Description: systemd-nspawn
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-29
I believe that I have addressed all the issues Chris raised, so here's a newer
version of the patch which applies to today's git version.
Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-26
This patch adds missing permissions in the kernel module that prevent
to run it without the unconfined module.
This second version improves the comment section of new interfaces:
"Domain" is replaced by "Domain allowed access".
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
The "module_load" permission has been recently added to the "system"
class (kernel 4.7).
The following patch updates the Reference Policy so that the new
permission is allowed when a kernel module should be loaded.
To preserve the module encapsulation, a new interface is defined
in the kernel files module and that interface is then used in the
kernel module.
A short note is added about unneeded permissions that set the
kernel scheduling parameters (might lead to service disruption).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Only for services that already have a named init script.
Add rules to init_startstop_service(), with conditional arg until
all of refpolicy-contrib callers are updated.
In debian mount was trying to list / on a tmpfs (/run/lock). Since
var_lock_t is a mountpoint type, and so is mnt_t, i decided to implement
a files_list_all_mountpoints() and call that for mount because it makes
sense
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Currently, the files_manage_generic_locks only handles the lock files. If a
domain needs to manage both lock files and the lock directories (like specific
subdirectories in /var/lock that are not owned by a single other domain, such as
Gentoo's /var/lock/subsys location) it also needs the manage permissions on the
directory.
This is to support OpenRC's migration of /var/lock to /run/lock which otherwise
fails:
* Migrating /var/lock to /run/lock
cp: cannot create directory '/run/lock/subsys': Permission denied
rm: cannot remove '/var/lock/subsys': Permission denied
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This interface will be used by domains that need to manage the various pidfile
content (*_var_run_t).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
