While cgroups2 doesn't have the "feature" of having the kernel run a program
specified in the cgroup, the history of this exploit suggests that writing to
cgroups should be restricted and not granted to all users.
Signed-off-by: Russell Coker <russell@coker.com.au>
* Small changes to courier, dovecot, exim, postfix, and sendmail policy.
Signed-off-by: Russell Coker <russell@coker.com.au>
* Removed an obsolete patch
Signed-off-by: Russell Coker <russell@coker.com.au>
* Added interfaces cron_rw_inherited_tmp_files and systemd_dontaudit_connect_machined
Signed-off-by: Russell Coker <russell@coker.com.au>
* Use create_stream_socket_perms for unix connection to itself
Signed-off-by: Russell Coker <russell@coker.com.au>
* Removed unconfined_run_to
Signed-off-by: Russell Coker <russell@coker.com.au>
* Remove change for it to run from a user session
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changed userdom_use_user_ttys to userdom_use_inherited_user_terminals and
moved it out of the postfix section
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
* Patches for mon, mostly mon local monitoring.
Also added the fsdaemon_read_lib() interface and fstools patch because it
also uses fsdaemon_read_lib() and it's called by monitoring scripts
Signed-off-by: Russell Coker <russell@coker.com.au>
* Added the files_dontaudit_tmpfs_file_getattr() and
storage_dev_filetrans_fixed_disk_control() interfaces needed
Signed-off-by: Russell Coker <russell@coker.com.au>
* Fixed the issues from the review
Signed-off-by: Russell Coker <russell@coker.com.au>
* Specify name to avoid conflicting file trans
Signed-off-by: Russell Coker <russell@coker.com.au>
* fixed dontaudi_ typo
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for the object class
Signed-off-by: Russell Coker <russell@coker.com.au>
* Remove fsdaemon_read_lib as it was already merged
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
* Some misc small patches for cron policy
Signed-off-by: Russell Coker <russell@coker.com.au>
* added systemd_dontaudit_connect_machined interface
Signed-off-by: Russell Coker <russell@coker.com.au>
* Remove the line about connecting to tor
Signed-off-by: Russell Coker <russell@coker.com.au>
* remove the dontaudit for connecting to machined
Signed-off-by: Russell Coker <russell@coker.com.au>
* changed to distro_debian
Signed-off-by: Russell Coker <russell@coker.com.au>
* mta: Whitespace changes.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
* cron: Move lines.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
* Some small systemd patches
Signed-off-by: Russell Coker <russell@coker.com.au>
* Fixed error where systemd.if had a reference to user_devpts_t
Signed-off-by: Russell Coker <russell@coker.com.au>
* removed the init_var_run_t:service stuff as there are already interfaces and a type for it
Signed-off-by: Russell Coker <russell@coker.com.au>
* corecmd_shell_entry_type doesn't seem to be needed
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
* Allow jabberd_domain to create sockets in its var/lib dir
Allow matrixd_t to read sysfs
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changed to manage_sock_file_perms to allow unlink
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
* Changes to storage.fc, smartmon, samba and lvm
Signed-off-by: Russell Coker <russell@coker.com.au>
* Add the interfaces this patch needs
Signed-off-by: Russell Coker <russell@coker.com.au>
* use manage_sock_file_perms for sock_file
Signed-off-by: Russell Coker <russell@coker.com.au>
* Renamed files_watch_all_file_type_dir to files_watch_all_dirs
Signed-off-by: Russell Coker <russell@coker.com.au>
* Use read_files_pattern
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
* Small changes for netutils(ping), firewalld, ftp, inetd, networkmanager, openvpn ppp and rpc
Signed-off-by: Russell Coker <russell@coker.com.au>
* Fixed typo in interface name
Signed-off-by: Russell Coker <russell@coker.com.au>
* Add interface libs_watch_shared_libs_dir
Signed-off-by: Russell Coker <russell@coker.com.au>
* Added sysnet_watch_config_dir interface
Signed-off-by: Russell Coker <russell@coker.com.au>
* renamed libs_watch_shared_libs_dir to libs_watch_shared_libs_dirs
Signed-off-by: Russell Coker <russell@coker.com.au>
* rename sysnet_watch_config_dir to sysnet_watch_config_dirs
Signed-off-by: Russell Coker <russell@coker.com.au>
* Reverted a change as I can't remember why I did it.
Signed-off-by: Russell Coker <russell@coker.com.au>
---------
Signed-off-by: Russell Coker <russell@coker.com.au>
* Patches for anti-spam related policy
* Added a separate tunable for execmem, can be enabled for people who need it
which means Debian rspam users and some of the less common SpamAssassin
configurations
Signed-off-by: Russell Coker <russell@coker.com.au>
Allow userdomains to read crypto sysctls (usually /proc/sys/crypto/fips_enabled)
Allow them to read vm overcommit status and fs sysctls (things like pipe-max-size)
Allow pipewire to write to user runtime named sockets
Allow the user domain for X access to use user fonts, accept stream connections
from xdm_t, and map xkb_var_lib_t files
Signed-off-by: Russell Coker <russell@coker.com.au>
mechanism based on an authorization file which
is critical for X security.
For example, a common attack is to remove the
file in order to disable authorization.
At the moment permissions on such file and its
parent directory are shared with several other
modules that have nothing to do with XDMCP
authorization, therefore this patch strengthens
the file access policy by making it exclusive
to XDM and the X server (read-only).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.fc | 1 +
policy/modules/services/xserver.if | 33 +++++++++++++++++++++++++++++++++
policy/modules/services/xserver.te | 11 +++++++++++
3 files changed, 45 insertions(+)
X display manager domains which control whether
or not the respective domains allow the TCP/IP
server networking functionality.
The above-mentioned booleans both default to false
as remote X11 has no integrity and confidentiality
protection and is generally insecure.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/xserver.te | 82 +++++++++++++++++++++++--------------
1 file changed, 52 insertions(+), 30 deletions(-)
Since the systemd --user for unconfined_t runs in unconfined_t too, instead
of a derived domain such as with regular users, e.g., user_systemd_t, this
is required.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
controls whether or not the dbus daemon can act
as a server over TCP/IP networks and defaults to
false, as this is generally insecure, except when
using the local loopback interface.
For reference, see the security warning in the
D-Bus specification:
https://dbus.freedesktop.org/doc/dbus-specification.html#transports-tcp-sockets
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/dbus.te | 31 ++++++++++++++++++++++---------
1 file changed, 22 insertions(+), 9 deletions(-)
two spamassassin rules updating SELinux domains
introduced in the previous change in order to reduce
the non-swappable kernel memory used by the policy.
This reduces complexity, but unfortunately it
probably also reduces an existing safety margin by
breaking the isolation between network-facing
binaries and binaries such as GPG that potentially
deal with secret information (at the moment there
is no "neverallow" rule protecting the gpg_secret_t
file access).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/services/spamassassin.if | 3 -
policy/modules/services/spamassassin.te | 56 ++++++--------------------------
2 files changed, 12 insertions(+), 47 deletions(-)