Commit Graph

6945 Commits

Author SHA1 Message Date
Chris PeBenito
0af7c312d1
Merge pull request from etbe/write-cgroup
remove cgroup write access for users based on historical security issues
2023-10-05 10:20:03 -04:00
Russell Coker
be2e8970e0 https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
While cgroups2 doesn't have the "feature" of having the kernel run a program
specified in the cgroup, the history of this exploit suggests that writing to
cgroups should be restricted and not granted to all users

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-10-05 22:13:54 +11:00
Chris PeBenito
7022e511fc
Merge pull request from pebenito/lnk_file-append
Add append to rw and manage lnk_file permission sets for consistency.
2023-10-02 08:59:33 -04:00
Chris PeBenito
44fd3ebd12
Merge pull request from yizhao1/bind
bind: fix for named service
2023-10-02 08:58:52 -04:00
Chris PeBenito
275e3f0ef9
Merge pull request from yizhao1/systemd-journal-catalog-update
systemd: allow journalctl to create /var/lib/systemd/catalog
2023-10-02 08:57:55 -04:00
Chris PeBenito
6909b4b2f9
Merge pull request from gtrentalancia/openoffice_fixes_pr2
Let openoffice perform temporary file transitions on link files and manage them
2023-10-02 08:57:04 -04:00
Chris PeBenito
680e97dc41 Add append to rw and manage lnk_file permission sets for consistency.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-10-02 08:44:00 -04:00
Yi Zhao
0a776a270a bind: fix for named service
Fixes:
avc:  denied  { sqpoll } for  pid=373 comm="named"
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:system_r:named_t:s0-s15:c0.c1023 tclass=io_uring
permissive=0

avc:  denied  { create } for  pid=373 comm="named" anonclass=[io_uring]
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:object_r:named_t:s0 tclass=anon_inode permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-10-02 16:38:12 +08:00
Yi Zhao
4ce68f22d8 systemd: allow journalctl to create /var/lib/systemd/catalog
If /var/lib/systemd/catalog doesn't exist at first boot,
systemd-journal-catalog-update.service would fail:

$ systemctl status systemd-journal-catalog-update.service
  systemd-journal-catalog-update.service - Rebuild Journal Catalog
     Loaded: loaded (/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
     Active: failed (Result: exit-code) since Sat 2023-09-30 09:46:46 UTC; 50s ago
       Docs: man:systemd-journald.service(8)
             man:journald.conf(5)
    Process: 247 ExecStart=journalctl --update-catalog (code=exited, status=1/FAILURE)
   Main PID: 247 (code=exited, status=1/FAILURE)

Sep 30 09:46:45 qemux86-64 systemd[1]: Starting Rebuild Journal Catalog...
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to create parent directories of /var/lib/systemd/catalog/database: Permission denied
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to write /var/lib/systemd/catalog/database: Permission denied
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to list catalog: Permission denied
Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: Main process exited, code=exited, status=1/FAILURE
Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: Failed with result 'exit-code'.
Sep 30 09:46:46 qemux86-64 systemd[1]: Failed to start Rebuild Journal Catalog.

Fixes:
AVC avc:  denied  { getattr } for  pid=247 comm="journalctl" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_journal_init_t
tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0

AVC avc:  denied  { write } for  pid=247 comm="journalctl"
name="systemd" dev="vda" ino=13634
scontext=system_u:system_r:systemd_journal_init_t
tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-30 18:34:40 +08:00
Guido Trentalancia
701410e7a6 Let openoffice perform temporary file transitions
and manage link files.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/openoffice.te |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
2023-09-29 22:30:14 +02:00
Russell Coker
1c0b2027f9
misc small email changes ()
* Small changes to courier, dovecot, exim, postfix, and sendmail policy.

Signed-off-by: Russell Coker <russell@coker.com.au>

* Removed an obsolete patch

Signed-off-by: Russell Coker <russell@coker.com.au>

* Added interfaces cron_rw_inherited_tmp_files and systemd_dontaudit_connect_machined

Signed-off-by: Russell Coker <russell@coker.com.au>

* Use create_stream_socket_perms for unix connection to itself

Signed-off-by: Russell Coker <russell@coker.com.au>

* Removed unconfined_run_to

Signed-off-by: Russell Coker <russell@coker.com.au>

* Remove change for it to run from a user session

Signed-off-by: Russell Coker <russell@coker.com.au>

* Changed userdom_use_user_ttys to userdom_use_inherited_user_terminals and
moved it out of the postfix section

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-28 09:57:18 -04:00
Russell Coker
bb90d67768
mon.te patches as well as some fstools patches related to it ()
* Patches for mon, mostly mon local monitoring.

Also added the fsdaemon_read_lib() interface and fstools patch because it
also uses fsdaemon_read_lib() and it's called by monitoring scripts

Signed-off-by: Russell Coker <russell@coker.com.au>

* Added the files_dontaudit_tmpfs_file_getattr() and
storage_dev_filetrans_fixed_disk_control() interfaces needed

Signed-off-by: Russell Coker <russell@coker.com.au>

* Fixed the issues from the review

Signed-off-by: Russell Coker <russell@coker.com.au>

* Specify name to avoid conflicting file trans

Signed-off-by: Russell Coker <russell@coker.com.au>

* fixed dontaudi_ typo

Signed-off-by: Russell Coker <russell@coker.com.au>

* Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for the object class

Signed-off-by: Russell Coker <russell@coker.com.au>

* Remove fsdaemon_read_lib as it was already merged

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-28 09:55:56 -04:00
Russell Coker
c51554cbab
misc small patches for cron policy ()
* Some misc small patches for cron policy

Signed-off-by: Russell Coker <russell@coker.com.au>

* added systemd_dontaudit_connect_machined interface

Signed-off-by: Russell Coker <russell@coker.com.au>

* Remove the line about connecting to tor

Signed-off-by: Russell Coker <russell@coker.com.au>

* remove the dontaudit for connecting to machined

Signed-off-by: Russell Coker <russell@coker.com.au>

* changed to distro_debian

Signed-off-by: Russell Coker <russell@coker.com.au>

* mta: Whitespace changes.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>

* cron: Move lines.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
2023-09-28 09:46:14 -04:00
Russell Coker
1577b2105a
small systemd patches ()
* Some small systemd patches

Signed-off-by: Russell Coker <russell@coker.com.au>

* Fixed error where systemd.if had a reference to user_devpts_t

Signed-off-by: Russell Coker <russell@coker.com.au>

* removed the init_var_run_t:service stuff as there's already interfaces and a type for it

Signed-off-by: Russell Coker <russell@coker.com.au>

* corecmd_shell_entry_type doesn't seem to be needed

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-27 09:20:52 -04:00
Chris PeBenito
23cf17bfc0
Merge pull request from dsugar100/journalctl_domain
separate domain for journalctl during init
2023-09-26 14:44:28 -04:00
Dave Sugar
f141dccc2a separate domain for journalctl during init
During system boot, when systemd-journal-catalog-update.service is
started, it fails because initrc_t doesn't have access to write
systemd_journal_t files/dirs.  This change is to run journalctl in a
different domain during system startup (systemd_journal_init_t) to allow
the access necessary to run.

 × systemd-journal-catalog-update.service - Rebuild Journal Catalog
         Loaded: loaded (/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
         Active: failed (Result: exit-code) since Wed 2023-09-13 12:51:28 GMT; 10min ago
           Docs: man:systemd-journald.service(8)
                 man:journald.conf(5)
        Process: 1626 ExecStart=journalctl --update-catalog (code=exited, status=1/FAILURE)
       Main PID: 1626 (code=exited, status=1/FAILURE)
            CPU: 102ms

    Sep 13 12:51:28 localhost systemd[1]: Starting Rebuild Journal Catalog...
    Sep 13 12:51:28 localhost journalctl[1626]: Failed to open database for writing: /var/lib/systemd/catalog/database: Permission denied
    Sep 13 12:51:28 localhost journalctl[1626]: Failed to write /var/lib/systemd/catalog/database: Permission denied
    Sep 13 12:51:28 localhost journalctl[1626]: Failed to list catalog: Permission denied
    Sep 13 12:51:28 localhost systemd[1]: systemd-journal-catalog-update.service: Main process exited, code=exited, status=1/FAILURE
    Sep 13 12:51:28 localhost systemd[1]: systemd-journal-catalog-update.service: Failed with result 'exit-code'.
    Sep 13 12:51:28 localhost systemd[1]: Failed to start Rebuild Journal Catalog.

    node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { write } for  pid=1631 comm="journalctl" name="catalog" dev="dm-10" ino=131106 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
    node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { add_name } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
    node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { create } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { write } for  pid=1631 comm="journalctl" path="/var/lib/systemd/catalog/.#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1692308998.330:137): avc:  denied  { setattr } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1692308998.330:138): avc:  denied  { remove_name } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
    node=localhost type=AVC msg=audit(1692308998.330:138): avc:  denied  { rename } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1692308998.330:138): avc:  denied  { unlink } for  pid=1631 comm="journalctl" name="database" dev="dm-10" ino=131133 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-26 12:47:37 -04:00
Chris PeBenito
3bf196f6a3
Merge pull request from etbe/db
small postgresql and mysql stuff
2023-09-26 09:59:31 -04:00
Russell Coker
bcc92a3038
allow jabbers to create sock file and allow matrixd to read sysfs ()
* Allow jabberd_domain to create sockets in its var/lib dir
Allow matrixd_t to read sysfs

Signed-off-by: Russell Coker <russell@coker.com.au>

* Changed to manage_sock_file_perms to allow unlink

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-26 09:48:31 -04:00
Chris PeBenito
61fbf428fb
postgresql: Move lines
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2023-09-26 09:43:40 -04:00
Chris PeBenito
1a9143efa3
Merge pull request from yizhao1/fixes
Fixes for mount and loadkeys
2023-09-26 09:40:19 -04:00
Russell Coker
f849e27df3
small storage changes ()
* Changes to storage.fc, smartmon, samba and lvm

Signed-off-by: Russell Coker <russell@coker.com.au>

* Add the interfaces this patch needs

Signed-off-by: Russell Coker <russell@coker.com.au>

* use manage_sock_file_perms for sock_file

Signed-off-by: Russell Coker <russell@coker.com.au>

* Renamed files_watch_all_file_type_dir to files_watch_all_dirs

Signed-off-by: Russell Coker <russell@coker.com.au>

* Use read_files_pattern

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:46:04 -04:00
Russell Coker
478df0e446
small network patches ()
* Small changes for netutils(ping), firewalld, ftp, inetd, networkmanager, openvpn, ppp and rpc

Signed-off-by: Russell Coker <russell@coker.com.au>

* Fixed typo in interface name

Signed-off-by: Russell Coker <russell@coker.com.au>

* Add interface libs_watch_shared_libs_dir

Signed-off-by: Russell Coker <russell@coker.com.au>

* Added sysnet_watch_config_dir interface

Signed-off-by: Russell Coker <russell@coker.com.au>

* renamed libs_watch_shared_libs_dir to libs_watch_shared_libs_dirs

Signed-off-by: Russell Coker <russell@coker.com.au>

* rename sysnet_watch_config_dir to sysnet_watch_config_dirs

Signed-off-by: Russell Coker <russell@coker.com.au>

* Reverted a change as I can't remember why I did it.

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:44:52 -04:00
Russell Coker
0d77235ecc
small ntp and dns changes ()
* Small changes for ntp, bind, avahi, and dnsmasq

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:01:12 -04:00
Chris PeBenito
748980def5
Merge pull request from etbe/fifth
some misc userdomain fixes
2023-09-25 10:57:27 -04:00
Russell Coker
cf1ba82cb9 Added tmpfs file type for postgresql
Small mysql stuff including anon_inode

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-22 19:09:12 +10:00
Russell Coker
0528990a24
policy patches for anti-spam daemons ()
* Patches for anti-spam related policy

* Added a separate tunable for execmem, can be enabled for people who need it
which means Debian rspam users and some of the less common SpamAssassin
configurations

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-21 12:01:24 -04:00
Chris PeBenito
487feedf8e
Merge pull request from yizhao1/systemd-networkd
systemd: allow systemd-networkd to create file in /run/systemd directory
2023-09-21 10:45:47 -04:00
Russell Coker
125e52ef58
policy for the Reliability Availability Serviceability daemon ()
* policy for the Reliability Availability Serviceability daemon

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-21 10:22:36 -04:00
Russell Coker
e349de1507
debian motd.d directory ()
* policy for Debian motd.d dir

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-21 10:21:25 -04:00
Yi Zhao
8758b782e5 systemd: allow systemd-networkd to create file in /run/systemd directory
systemd-networkd creates files in /run/systemd directory which should be
labeled appropriately.

Fixes:
avc:  denied  { create } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8"
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { write } for  pid=136 comm="systemd-network"
path="/run/systemd/.#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { setattr } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { rename } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-21 11:40:24 +08:00
Yi Zhao
ee3ea8ebca loadkeys: do not audit attempts to get attributes for all directories
Fixes:
avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/boot"
dev="vda" ino=15 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/home"
dev="vda" ino=806 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:home_root_t:s0-s15:c0.c1023 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/lost+found"
dev="vda" ino=11 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:lost_found_t:s15:c0.c1023 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/media"
dev="vda" ino=810 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-20 14:44:45 +08:00
Yi Zhao
0a7f48cb31 mount: allow mount_t to get attributes for all directories
Fixes:
avc:  denied  { getattr } for  pid=130 comm="mount" path="/" dev="tracefs"
ino=1 scontext=system_u:system_r:mount_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=166 comm="mount" path="/" dev="configfs"
ino=14220 scontext=system_u:system_r:mount_t:s0-s15:c0.c1023
tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-20 13:31:50 +08:00
Russell Coker
cb6bf2fe9a some misc userdomain fixes
Allow userdomains to read crypto sysctls (usually /proc/sys/crypto/fips_enabled)
Allow them to read vm overcommit status and fs sysctls (things like pipe-max-size)

Allow pipewire to write to user runtime named sockets

Allow the user domain for X access to use user fonts, accept stream connections
from xdm_t, and map xkb_var_lib_t files

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-20 12:40:59 +10:00
Chris PeBenito
227786eed7
Merge pull request from dsugar100/colord
Resolve some denials with colord
2023-09-19 16:09:52 -04:00
Chris PeBenito
fc3589a04f
Merge pull request from dsugar100/all_users_syslog
Allow all users to send syslog messages
2023-09-19 16:07:10 -04:00
Dave Sugar
17c9b3ac7e Resolve some denials with colord
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:656): avc:  denied  { read } for  pid=2039 comm="colord" name="hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:656): avc:  denied  { open } for  pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:657): avc:  denied  { getattr } for  pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:658): avc:  denied  { map } for  pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:21:39 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632899.106:18931): avc:  denied  { read } for  pid=2039 comm="gdbus" path="/home/toor/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc" dev="dm-9" ino=129692 scontext=system_u:system_r:colord_t:s0 tcontext=toor_u:object_r:xdg_data_t:s0 tclass=file permissive=1
Sep 13 19:21:39 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632899.362:19182): avc:  denied  { getattr } for  pid=2039 comm="colord" path="/home/toor/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc" dev="dm-9" ino=129692 scontext=system_u:system_r:colord_t:s0 tcontext=toor_u:object_r:xdg_data_t:s0 tclass=file permissive=1
Sep 13 19:21:39 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632899.362:19183): avc:  denied  { map } for  pid=2039 comm="colord" path="/home/toor/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc" dev="dm-9" ino=129692 scontext=system_u:system_r:colord_t:s0 tcontext=toor_u:object_r:xdg_data_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:678): avc:  denied  { search } for  pid=2039 comm="colord" name="1880" dev="proc" ino=26735 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=dir permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:678): avc:  denied  { read } for  pid=2039 comm="colord" name="cgroup" dev="proc" ino=25503 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:678): avc:  denied  { open } for  pid=2039 comm="colord" path="/proc/1880/cgroup" dev="proc" ino=25503 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:679): avc:  denied  { getattr } for  pid=2039 comm="colord" path="/proc/1880/cgroup" dev="proc" ino=25503 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:680): avc:  denied  { ioctl } for  pid=2039 comm="colord" path="/proc/1880/cgroup" dev="proc" ino=25503 ioctlcmd=0x5401 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:681): avc:  denied  { search } for  pid=2039 comm="colord" name="sessions" dev="tmpfs" ino=96 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=dir permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:681): avc:  denied  { read } for  pid=2039 comm="colord" name="c1" dev="tmpfs" ino=1692 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:681): avc:  denied  { open } for  pid=2039 comm="colord" path="/run/systemd/sessions/c1" dev="tmpfs" ino=1692 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:682): avc:  denied  { getattr } for  pid=2039 comm="colord" path="/run/systemd/sessions/c1" dev="tmpfs" ino=1692 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-19 13:52:50 -04:00
Chris PeBenito
41ac8090f7
Merge pull request from etbe/fifth
power profiles daemon
2023-09-19 11:40:39 -04:00
Dave Sugar
cf58a70881 Allow all users to (optionally) send syslog messages
Aug 29 12:53:06 localhost.localdomain audisp-syslog[1550]: node=localhost type=AVC msg=audit(1693313586.678:437): avc:  denied  { write } for  pid=1757 comm="systemctl" name="socket" dev="tmpfs" ino=58 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
Aug 29 12:53:06 localhost.localdomain audisp-syslog[1550]: node=localhost type=AVC msg=audit(1693313586.678:437): avc:  denied  { sendto } for  pid=1757 comm="systemctl" path="/run/systemd/journal/socket" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Aug 29 13:10:01 localhost.localdomain audisp-syslog[1545]: node=localhost type=AVC msg=audit(1693314601.860:435): avc:  denied  { write } for  pid=1756 comm="systemctl" name="socket" dev="tmpfs" ino=58 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
Aug 29 13:10:01 localhost.localdomain audisp-syslog[1545]: node=localhost type=AVC msg=audit(1693314601.860:435): avc:  denied  { sendto } for  pid=1756 comm="systemctl" path="/run/systemd/journal/socket" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-19 09:14:08 -04:00
Russell Coker
e5ea2c99df policy for power profiles daemon, used to change power settings
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-19 22:51:22 +10:00
Chris PeBenito
5e2bf62c6f
Merge pull request from gtrentalancia/x_fixes_pr2
Remote X11 TCP/IP functionality is generally insecure: switch it off by default. Strengthen XDM authentication file access.
2023-09-19 08:36:26 -04:00
Chris PeBenito
5fa75724c8
Merge pull request from pebenito/systemd-user-unconfined
unconfined: Keys are linkable by systemd.
2023-09-19 08:11:40 -04:00
Guido Trentalancia
44bfd66186
Merge branch 'main' into x_fixes_pr2
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
2023-09-19 01:31:50 +02:00
Guido Trentalancia
8c562af119 The X display manager uses an authentication
mechanism based on an authorization file which
is critical for X security.

For example, a common attack is to remove the
file in order to disable authorization.

At the moment permissions on such file and its
parent directory are shared with several other
modules that have nothing to do with XDMCP
authorization, therefore this patch strengthens
the file access policy by making it exclusive
to XDM and the X server (read-only).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.fc |    1 +
 policy/modules/services/xserver.if |   33 +++++++++++++++++++++++++++++++++
 policy/modules/services/xserver.te |   11 +++++++++++
 3 files changed, 45 insertions(+)
2023-09-19 01:28:10 +02:00
Guido Trentalancia
793d6a29d8 Introduce two new booleans for the X server and
X display manager domains which control whether
or not the respective domains allow the TCP/IP
server networking functionality.

The above mentioned booleans both default to false
as remote X11 has no integrity and confidentiality
protection and is generally insecure.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/xserver.te |   82 +++++++++++++++++++++++--------------
 1 file changed, 52 insertions(+), 30 deletions(-)
2023-09-19 01:23:22 +02:00
Chris PeBenito
d806720c76 unconfined: Keys are linkable by systemd.
Since the systemd --user for unconfined_t runs in unconfined_t too, instead
of a derived domain such as with regular users, e.g., user_systemd_t, this
is required.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-09-18 17:05:23 -04:00
Chris PeBenito
6e39f49247
Merge pull request from gtrentalancia/dbus_fixes_pr3
Dbus also creates Unix domain sockets in session mode but has insecure networking code
2023-09-18 11:40:16 -04:00
Chris PeBenito
1ff9b559b7
Merge pull request from gtrentalancia/spamassassin_update_pr
Let spamassassin update its rules from the network
2023-09-18 11:38:57 -04:00
Guido Trentalancia
8331d214ec Introduce a new "dbus_can_network" boolean which
controls whether or not the dbus daemon can act
as a server over TCP/IP networks and defaults to
false, as this is generally insecure, except when
using the local loopback interface.

For reference, see the security warning in the
D-Bus specification:

https://dbus.freedesktop.org/doc/dbus-specification.html#transports-tcp-sockets

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/dbus.te |   31 ++++++++++++++++++++++---------
 1 file changed, 22 insertions(+), 9 deletions(-)
2023-09-18 16:15:50 +02:00
Chris PeBenito
69544a3256
Merge pull request from etbe/fourth
switcheroo daemon for switching apps between Intel and NVidia GPUs
2023-09-18 09:51:25 -04:00
Guido Trentalancia
11d17b2e57 Under request from Christopher PeBenito, merge the
two spamassassin rules updating SELinux domains
introduced in the previous change in order to reduce
the non-swappable kernel memory used by the policy.

This reduces complexity, but unfortunately it
probably also reduces an existing safety margin by
breaking the isolation between network-facing
binaries and binaries such as GPG that potentially
deal with secret information (at the moment there
is no "neverallow" rule protecting the gpg_secret_t
file access).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/services/spamassassin.if |    3 -
 policy/modules/services/spamassassin.te |   56 ++++++--------------------------
 2 files changed, 12 insertions(+), 47 deletions(-)
2023-09-18 15:40:11 +02:00