Commit Graph

7109 Commits

Author SHA1 Message Date
Chris PeBenito
0b148c02b6
Merge pull request #730 from gtrentalancia/gpg_fixes2_pr
Modify the gpg module so that gpg and the gpg_agent
2023-11-14 11:04:40 -05:00
Guido Trentalancia
8839a7137d Modify the gpg module so that gpg and the gpg_agent
can manage gpg_runtime_t socket files.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/gpg.te |    2 ++
 1 file changed, 2 insertions(+)
2023-11-11 15:44:24 +01:00
Chris PeBenito
24476b7962
Merge pull request #727 from etbe/brother
label some files for the Brother printer drivers
2023-11-10 11:11:28 -05:00
Russell Coker
780adb80af Simple patch for Brother printer drivers as described in:
https://etbe.coker.com.au/2023/10/22/brother-mfc-j4440dw-printer/

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-10-23 00:09:26 +11:00
Chris PeBenito
f3865abfc2
Merge pull request #717 from dsugar100/use_chat_machined_interface
Use interface that already exists.
2023-10-09 09:35:59 -04:00
Chris PeBenito
f5eba7176e
Merge pull request #723 from etbe/modemmanager
modemmanager and eg25manager changes needed for pinephonepro
2023-10-09 09:34:07 -04:00
Russell Coker
3e39efffdf
patches for nspawn policy (#721)
* patches to nspawn policy.

Allow it netlink operations and creating udp sockets

Allow remounting and reading sysfs

Allow stat cgroup filesystem

Make it create fifos and sock_files in the right context

Allow mounting the selinux fs

Signed-off-by: Russell Coker <russell@coker.com.au>

* Use the new mounton_dir_perms and mounton_file_perms macros

Signed-off-by: Russell Coker <russell@coker.com.au>

* Corrected macro name

Signed-off-by: Russell Coker <russell@coker.com.au>

* Fixed description of files_mounton_kernel_symbol_table

Signed-off-by: Russell Coker <russell@coker.com.au>

* systemd: Move lines in nspawn.

No rule changes.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
2023-10-09 09:32:38 -04:00
Chris PeBenito
5213c5105c
Merge pull request #722 from yizhao1/systemd
systemd: allow systemd-networkd and systemd-resolved to write to syste…
2023-10-09 09:06:24 -04:00
Yi Zhao
6eecf51716 systemd: use init_daemon_domain instead of init_system_domain for systemd-networkd and systemd-resolved
Systemd-networkd and systemd-resolved are daemons.

Fixes:
avc:  denied  { write } for  pid=277 comm="systemd-resolve"
name="notify" dev="tmpfs" ino=31
scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file
permissive=1

avc:  denied  { write } for  pid=324 comm="systemd-network"
name="notify" dev="tmpfs" ino=31
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file
permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-10-07 14:41:16 +08:00
Russell Coker
9f7d6ff7a0 Changes to eg25manager and modemmanager needed for firmware upload on pinephonepro
Signed-off-by: Russell Coker <russell@coker.com.au>
2023-10-07 13:56:52 +11:00
Chris PeBenito
d542d53698
Merge pull request #720 from etbe/raid
small mdadm changes for cron job
2023-10-06 09:26:55 -04:00
Dave Sugar
0a9650901c
Separate label for /run/systemd/notify (#710)
* Separate label for /run/systemd/notify

label systemd_runtime_notify_t
Allow daemon domains to write by default

Signed-off-by: Dave Sugar <dsugar100@gmail.com>

* systemd: Add -s to /run/systemd/notify socket.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
---------

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
2023-10-06 09:06:39 -04:00
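The two commits above label /run/systemd/notify as systemd_runtime_notify_t and grant daemon domains { write } on it, which is the permission the AVC records name. The following is an added example, not refpolicy or systemd code, that models the sd_notify(3) exchange behind those denials: PID 1 binds a unix datagram socket at /run/systemd/notify, a Type=notify daemon sends it "KEY=VALUE\n" datagrams and reads nothing back. Both ends run in one process here, the socket path lives in a temporary directory instead of /run/systemd, the function names are mine, and the READY/STATUS/MAINPID payload is constructed.

```python
"""Model of the sd_notify(3) handshake (added example, not project code).

systemd binds a unix datagram socket at /run/systemd/notify; a daemon that
uses Type=notify sends plain "KEY=VALUE\n" datagrams to it. The socket path
below stands in for /run/systemd/notify.
"""
import os
import socket
import tempfile


def bind_notify_socket(path):
    """The receiving end: what PID 1 does when it creates /run/systemd/notify."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    srv.bind(path)            # this creates the sock_file on the filesystem
    srv.settimeout(2.0)
    return srv


def send_notify_state(notify_socket, state):
    """The daemon side of the exchange (stand-in for libsystemd's sd_notify()).

    The real sd_notify() reads the socket path from $NOTIFY_SOCKET and sends one
    datagram; nothing is read back. Under SELinux the sendto() is where the
    daemon's domain needs { write } on the sock_file (the permission in the
    quoted denials) and { sendto } on the receiver's unix_dgram_socket.
    """
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        cli.sendto(state.encode(), notify_socket)
    finally:
        cli.close()


def parse_notify_state(datagram):
    """Split a received datagram into its KEY=VALUE assignments."""
    state = {}
    for line in datagram.decode().split("\n"):
        if "=" in line:
            key, value = line.split("=", 1)
            state[key] = value
    return state


def run_exchange(state="READY=1\nSTATUS=Listening\nMAINPID=373\n"):
    """Run both sides end to end and return what the receiver decoded.

    The default payload is constructed for the example.
    """
    with tempfile.TemporaryDirectory() as rundir:
        path = os.path.join(rundir, "notify")   # stands in for /run/systemd/notify
        srv = bind_notify_socket(path)
        try:
            send_notify_state(path, state)
            datagram, _peer = srv.recvfrom(4096)
        finally:
            srv.close()
    return parse_notify_state(datagram)


if __name__ == "__main__":
    print(run_exchange())
```

Giving the socket its own type matters because /run/systemd otherwise carries init_runtime_t: a daemon granted write to that type could touch every file systemd keeps there, whereas write to systemd_runtime_notify_t reaches only this one sock_file.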
Russell Coker
c2a9111a5c Label checkarray as mdadm_exec_t, allow it to read/write temp files inherited
from cron, and dontaudit ps type operations from it

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-10-06 21:48:52 +11:00
Dave Sugar
12ad93d167 Use interface that already exists.
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-10-05 17:31:33 -04:00
Chris PeBenito
0af7c312d1
Merge pull request #718 from etbe/write-cgroup
remove cgroup write access for users based on historical security issues
2023-10-05 10:20:03 -04:00
Russell Coker
be2e8970e0 https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
While cgroups2 doesn't have the "feature" of having the kernel run a program
specified in the cgroup, the history of this exploit suggests that writing to
cgroups should be restricted and not granted to all users

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-10-05 22:13:54 +11:00
Chris PeBenito
7022e511fc
Merge pull request #716 from pebenito/lnk_file-append
Add append to rw and manage lnk_file permission sets for consistency.
2023-10-02 08:59:33 -04:00
Chris PeBenito
44fd3ebd12
Merge pull request #715 from yizhao1/bind
bind: fix for named service
2023-10-02 08:58:52 -04:00
Chris PeBenito
275e3f0ef9
Merge pull request #714 from yizhao1/systemd-journal-catalog-update
systemd: allow journalctl to create /var/lib/systemd/catalog
2023-10-02 08:57:55 -04:00
Chris PeBenito
6909b4b2f9
Merge pull request #713 from gtrentalancia/openoffice_fixes_pr2
Let openoffice perform temporary file transitions on link files and manage them
2023-10-02 08:57:04 -04:00
Chris PeBenito
680e97dc41 Add append to rw and manage lnk_file permission sets for consistency.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2023-10-02 08:44:00 -04:00
Yi Zhao
0a776a270a bind: fix for named service
Fixes:
avc:  denied  { sqpoll } for  pid=373 comm="named"
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:system_r:named_t:s0-s15:c0.c1023 tclass=io_uring
permissive=0

avc:  denied  { create } for  pid=373 comm="named" anonclass=[io_uring]
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:object_r:named_t:s0 tclass=anon_inode permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-10-02 16:38:12 +08:00
Yi Zhao
4ce68f22d8 systemd: allow journalctl to create /var/lib/systemd/catalog
If /var/lib/systemd/catalog doesn't exist at first boot,
systemd-journal-catalog-update.service would fail:

$ systemctl status systemd-journal-catalog-update.service
  systemd-journal-catalog-update.service - Rebuild Journal Catalog
     Loaded: loaded (/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
     Active: failed (Result: exit-code) since Sat 2023-09-30 09:46:46 UTC; 50s ago
       Docs: man:systemd-journald.service(8)
             man:journald.conf(5)
    Process: 247 ExecStart=journalctl --update-catalog (code=exited, status=1/FAILURE)
   Main PID: 247 (code=exited, status=1/FAILURE)

Sep 30 09:46:45 qemux86-64 systemd[1]: Starting Rebuild Journal Catalog...
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to create parent directories of /var/lib/systemd/catalog/database: Permission denied
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to write /var/lib/systemd/catalog/database: Permission denied
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to list catalog: Permission denied
Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: Main process exited, code=exited, status=1/FAILURE
Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: Failed with result 'exit-code'.
Sep 30 09:46:46 qemux86-64 systemd[1]: Failed to start Rebuild Journal Catalog.

Fixes:
AVC avc:  denied  { getattr } for  pid=247 comm="journalctl" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_journal_init_t
tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0

AVC avc:  denied  { write } for  pid=247 comm="journalctl"
name="systemd" dev="vda" ino=13634
scontext=system_u:system_r:systemd_journal_init_t
tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-30 18:34:40 +08:00
Guido Trentalancia
701410e7a6 Let openoffice perform temporary file transitions
and manage link files.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/openoffice.te |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
2023-09-29 22:30:14 +02:00
Russell Coker
1c0b2027f9
misc small email changes (#704)
* Small changes to courier, dovecot, exim, postfix, and sendmail policy.

Signed-off-by: Russell Coker <russell@coker.com.au>

* Removed an obsolete patch

Signed-off-by: Russell Coker <russell@coker.com.au>

* Added interfaces cron_rw_inherited_tmp_files and systemd_dontaudit_connect_machined

Signed-off-by: Russell Coker <russell@coker.com.au>

* Use create_stream_socket_perms for unix connection to itself

Signed-off-by: Russell Coker <russell@coker.com.au>

* Removed unconfined_run_to

Signed-off-by: Russell Coker <russell@coker.com.au>

* Remove change for it to run from a user session

Signed-off-by: Russell Coker <russell@coker.com.au>

* Changed userdom_use_user_ttys to userdom_use_inherited_user_terminals and
moved it out of the postfix section

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-28 09:57:18 -04:00
Russell Coker
bb90d67768
mon.te patches as well as some fstools patches related to it (#697)
* Patches for mon, mostly mon local monitoring.

Also added the fsdaemon_read_lib() interface and fstools patch because it
also uses fsdaemon_read_lib() and it's called by monitoring scripts

Signed-off-by: Russell Coker <russell@coker.com.au>

* Added the files_dontaudit_tmpfs_file_getattr() and
storage_dev_filetrans_fixed_disk_control() interfaces needed

Signed-off-by: Russell Coker <russell@coker.com.au>

* Fixed the issues from the review

Signed-off-by: Russell Coker <russell@coker.com.au>

* Specify name to avoid conflicting file trans

Signed-off-by: Russell Coker <russell@coker.com.au>

* fixed dontaudi_ typo

Signed-off-by: Russell Coker <russell@coker.com.au>

* Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for the object class

Signed-off-by: Russell Coker <russell@coker.com.au>

* Remove fsdaemon_read_lib as it was already merged

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-28 09:55:56 -04:00
Russell Coker
c51554cbab
misc small patches for cron policy (#701)
* Some misc small patches for cron policy

Signed-off-by: Russell Coker <russell@coker.com.au>

* added systemd_dontaudit_connect_machined interface

Signed-off-by: Russell Coker <russell@coker.com.au>

* Remove the line about connecting to tor

Signed-off-by: Russell Coker <russell@coker.com.au>

* remove the dontaudit for connecting to machined

Signed-off-by: Russell Coker <russell@coker.com.au>

* changed to distro_debian

Signed-off-by: Russell Coker <russell@coker.com.au>

* mta: Whitespace changes.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>

* cron: Move lines.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Co-authored-by: Chris PeBenito <pebenito@ieee.org>
2023-09-28 09:46:14 -04:00
Russell Coker
1577b2105a
small systemd patches (#708)
* Some small systemd patches

Signed-off-by: Russell Coker <russell@coker.com.au>

* Fixed error where systemd.if had a reference to user_devpts_t

Signed-off-by: Russell Coker <russell@coker.com.au>

* removed the init_var_run_t:service stuff as there's already interfaces and a type for it

Signed-off-by: Russell Coker <russell@coker.com.au>

* corecmd_shell_entry_type doesn't seem to be needed

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-27 09:20:52 -04:00
Chris PeBenito
23cf17bfc0
Merge pull request #686 from dsugar100/journalctl_domain
separate domain for journalctl during init
2023-09-26 14:44:28 -04:00
Dave Sugar
f141dccc2a separate domain for journalctl during init
During system boot, when systemd-journal-catalog-update.service is
started, it fails because initrc_t doesn't have access to write
systemd_journal_t files/dirs.  This change is to run journalctl in a
different domain during system startup (systemd_journal_init_t) to allow
the access necessary to run.

 × systemd-journal-catalog-update.service - Rebuild Journal Catalog
         Loaded: loaded (/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
         Active: failed (Result: exit-code) since Wed 2023-09-13 12:51:28 GMT; 10min ago
           Docs: man:systemd-journald.service(8)
                 man:journald.conf(5)
        Process: 1626 ExecStart=journalctl --update-catalog (code=exited, status=1/FAILURE)
       Main PID: 1626 (code=exited, status=1/FAILURE)
            CPU: 102ms

    Sep 13 12:51:28 localhost systemd[1]: Starting Rebuild Journal Catalog...
    Sep 13 12:51:28 localhost journalctl[1626]: Failed to open database for writing: /var/lib/systemd/catalog/database: Permission denied
    Sep 13 12:51:28 localhost journalctl[1626]: Failed to write /var/lib/systemd/catalog/database: Permission denied
    Sep 13 12:51:28 localhost journalctl[1626]: Failed to list catalog: Permission denied
    Sep 13 12:51:28 localhost systemd[1]: systemd-journal-catalog-update.service: Main process exited, code=exited, status=1/FAILURE
    Sep 13 12:51:28 localhost systemd[1]: systemd-journal-catalog-update.service: Failed with result 'exit-code'.
    Sep 13 12:51:28 localhost systemd[1]: Failed to start Rebuild Journal Catalog.

    node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { write } for  pid=1631 comm="journalctl" name="catalog" dev="dm-10" ino=131106 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
    node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { add_name } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
    node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { create } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { write } for  pid=1631 comm="journalctl" path="/var/lib/systemd/catalog/.#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1692308998.330:137): avc:  denied  { setattr } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1692308998.330:138): avc:  denied  { remove_name } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
    node=localhost type=AVC msg=audit(1692308998.330:138): avc:  denied  { rename } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1692308998.330:138): avc:  denied  { unlink } for  pid=1631 comm="journalctl" name="database" dev="dm-10" ino=131133 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-26 12:47:37 -04:00
Chris PeBenito
3bf196f6a3
Merge pull request #702 from etbe/db
small postgresql and mysql stuff
2023-09-26 09:59:31 -04:00
Russell Coker
bcc92a3038
allow jabbers to create sock file and allow matrixd to read sysfs (#705)
* Allow jabberd_domain to create sockets in its var/lib dir
Allow matrixd_t to read sysfs

Signed-off-by: Russell Coker <russell@coker.com.au>

* Changed to manage_sock_file_perms to allow unlink

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-26 09:48:31 -04:00
Chris PeBenito
61fbf428fb
postgresql: Move lines
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2023-09-26 09:43:40 -04:00
Chris PeBenito
1a9143efa3
Merge pull request #696 from yizhao1/fixes
Fixes for mount and loadkeys
2023-09-26 09:40:19 -04:00
Russell Coker
f849e27df3
small storage changes (#706)
* Changes to storage.fc, smartmon, samba and lvm

Signed-off-by: Russell Coker <russell@coker.com.au>

* Add the interfaces this patch needs

Signed-off-by: Russell Coker <russell@coker.com.au>

* use manage_sock_file_perms for sock_file

Signed-off-by: Russell Coker <russell@coker.com.au>

* Renamed files_watch_all_file_type_dir to files_watch_all_dirs

Signed-off-by: Russell Coker <russell@coker.com.au>

* Use read_files_pattern

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:46:04 -04:00
Russell Coker
478df0e446
small network patches (#707)
* Small changes for netutils(ping), firewalld, ftp, inetd, networkmanager, openvpn ppp and rpc

Signed-off-by: Russell Coker <russell@coker.com.au>

* Fixed typo in interface name

Signed-off-by: Russell Coker <russell@coker.com.au>

* Add interface libs_watch_shared_libs_dir

Signed-off-by: Russell Coker <russell@coker.com.au>

* Added sysnet_watch_config_dir interface

Signed-off-by: Russell Coker <russell@coker.com.au>

* renamed libs_watch_shared_libs_dir to libs_watch_shared_libs_dirs

Signed-off-by: Russell Coker <russell@coker.com.au>

* rename sysnet_watch_config_dir to sysnet_watch_config_dirs

Signed-off-by: Russell Coker <russell@coker.com.au>

* Reverted a change as I can't remember why I did it.

Signed-off-by: Russell Coker <russell@coker.com.au>

---------

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:44:52 -04:00
Russell Coker
0d77235ecc
small ntp and dns changes (#703)
* Small changes for ntp, bind, avahi, and dnsmasq

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-25 11:01:12 -04:00
Chris PeBenito
748980def5
Merge pull request #694 from etbe/fifth
some misc userdomain fixes
2023-09-25 10:57:27 -04:00
Russell Coker
cf1ba82cb9 Added tmpfs file type for postgresql
Small mysql stuff including anon_inode

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-22 19:09:12 +10:00
Russell Coker
0528990a24
policy patches for anti-spam daemons (#698)
* Patches for anti-spam related policy

* Added a separate tunable for execmem, can be enabled for people who need it
which means Debian rspam users and some of the less common SpamAssassin
configurations

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-21 12:01:24 -04:00
Chris PeBenito
487feedf8e
Merge pull request #699 from yizhao1/systemd-networkd
systemd: allow systemd-networkd to create file in /run/systemd directory
2023-09-21 10:45:47 -04:00
Russell Coker
125e52ef58
policy for the Reliability Availability Serviceability daemon (#690)
* policy for the Reliability Availability Serviceability daemon

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-21 10:22:36 -04:00
Russell Coker
e349de1507
debian motd.d directory (#689)
* policy for Debian motd.d dir

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-21 10:21:25 -04:00
Yi Zhao
8758b782e5 systemd: allow systemd-networkd to create file in /run/systemd directory
systemd-networkd creates files in /run/systemd directory which should be
labeled appropriately.

Fixes:
avc:  denied  { create } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8"
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { write } for  pid=136 comm="systemd-network"
path="/run/systemd/.#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { setattr } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { rename } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-21 11:40:24 +08:00
Yi Zhao
ee3ea8ebca loadkeys: do not audit attempts to get attributes for all directories
Fixes:
avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/boot"
dev="vda" ino=15 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/home"
dev="vda" ino=806 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:home_root_t:s0-s15:c0.c1023 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/lost+found"
dev="vda" ino=11 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:lost_found_t:s15:c0.c1023 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=239 comm="loadkeys" path="/media"
dev="vda" ino=810 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023
tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-20 14:44:45 +08:00
Yi Zhao
0a7f48cb31 mount: allow mount_t to get attributes for all directories
Fixes:
avc:  denied  { getattr } for  pid=130 comm="mount" path="/" dev="tracefs"
ino=1 scontext=system_u:system_r:mount_t:s0-s15:c0.c1023
tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=1

avc:  denied  { getattr } for  pid=166 comm="mount" path="/" dev="configfs"
ino=14220 scontext=system_u:system_r:mount_t:s0-s15:c0.c1023
tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-09-20 13:31:50 +08:00
Russell Coker
cb6bf2fe9a some misc userdomain fixes
Allow userdomains to read crypto sysctls (usually /proc/sys/crypto/fips_enabled)
Allow them to read vm overcommit status and fs sysctls (things like pipe-max-size)

Allow pipewire to write to user runtime named sockets

Allow the user domain for X access to use user fonts, accept stream connections
from xdm_t, and map xkb_var_lib_t files

Signed-off-by: Russell Coker <russell@coker.com.au>
2023-09-20 12:40:59 +10:00
Chris PeBenito
227786eed7
Merge pull request #693 from dsugar100/colord
Resolve some denials with colord
2023-09-19 16:09:52 -04:00
Chris PeBenito
fc3589a04f
Merge pull request #676 from dsugar100/all_users_syslog
Allow all users to send syslog messages
2023-09-19 16:07:10 -04:00
Dave Sugar
17c9b3ac7e Resolve some denials with colord
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:656): avc:  denied  { read } for  pid=2039 comm="colord" name="hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:656): avc:  denied  { open } for  pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:657): avc:  denied  { getattr } for  pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:20:51 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632851.771:658): avc:  denied  { map } for  pid=2039 comm="colord" path="/etc/udev/hwdb.bin" dev="dm-1" ino=393952 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Sep 13 19:21:39 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632899.106:18931): avc:  denied  { read } for  pid=2039 comm="gdbus" path="/home/toor/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc" dev="dm-9" ino=129692 scontext=system_u:system_r:colord_t:s0 tcontext=toor_u:object_r:xdg_data_t:s0 tclass=file permissive=1
Sep 13 19:21:39 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632899.362:19182): avc:  denied  { getattr } for  pid=2039 comm="colord" path="/home/toor/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc" dev="dm-9" ino=129692 scontext=system_u:system_r:colord_t:s0 tcontext=toor_u:object_r:xdg_data_t:s0 tclass=file permissive=1
Sep 13 19:21:39 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632899.362:19183): avc:  denied  { map } for  pid=2039 comm="colord" path="/home/toor/.local/share/icc/edid-bb6ad72dc802b000932c73ad20996ae5.icc" dev="dm-9" ino=129692 scontext=system_u:system_r:colord_t:s0 tcontext=toor_u:object_r:xdg_data_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:678): avc:  denied  { search } for  pid=2039 comm="colord" name="1880" dev="proc" ino=26735 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=dir permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:678): avc:  denied  { read } for  pid=2039 comm="colord" name="cgroup" dev="proc" ino=25503 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:678): avc:  denied  { open } for  pid=2039 comm="colord" path="/proc/1880/cgroup" dev="proc" ino=25503 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:679): avc:  denied  { getattr } for  pid=2039 comm="colord" path="/proc/1880/cgroup" dev="proc" ino=25503 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.046:680): avc:  denied  { ioctl } for  pid=2039 comm="colord" path="/proc/1880/cgroup" dev="proc" ino=25503 ioctlcmd=0x5401 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:681): avc:  denied  { search } for  pid=2039 comm="colord" name="sessions" dev="tmpfs" ino=96 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=dir permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:681): avc:  denied  { read } for  pid=2039 comm="colord" name="c1" dev="tmpfs" ino=1692 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:681): avc:  denied  { open } for  pid=2039 comm="colord" path="/run/systemd/sessions/c1" dev="tmpfs" ino=1692 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=file permissive=1
Sep 13 19:20:55 localhost.localdomain audisp-syslog[1531]: node=localhost type=AVC msg=audit(1694632855.047:682): avc:  denied  { getattr } for  pid=2039 comm="colord" path="/run/systemd/sessions/c1" dev="tmpfs" ino=1692 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:systemd_sessions_runtime_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-09-19 13:52:50 -04:00
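Most commit messages on this page quote raw AVC records (the journalctl, named, systemd-networkd and colord ones above). The following is an added triage helper, not part of refpolicy or of audit2allow: it parses "avc: denied" lines with or without the audit(...) prefix, strips the MLS range from the contexts, groups denials by (source type, target type, object class), unions the permissions per group the way audit2allow does, and records whether any denial in a group was actually blocked (permissive=0) or only logged (permissive=1). The sample input is copied from the commit messages above and joined back onto single lines; the function names are mine.

```python
"""Triage helper for SELinux AVC denials (added example, not refpolicy code)."""
import re
from collections import defaultdict

# 'avc:  denied  { write add_name } for  pid=... comm="..." ... tclass=dir permissive=1'
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Lines copied from the commit messages on this page, each re-joined onto one line.
SAMPLE_AUDIT = """\
avc:  denied  { write } for  pid=277 comm="systemd-resolve" name="notify" dev="tmpfs" ino=31 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file permissive=1
avc:  denied  { sqpoll } for  pid=373 comm="named" scontext=system_u:system_r:named_t:s0-s15:c0.c1023 tcontext=system_u:system_r:named_t:s0-s15:c0.c1023 tclass=io_uring permissive=0
avc:  denied  { create } for  pid=373 comm="named" anonclass=[io_uring] scontext=system_u:system_r:named_t:s0-s15:c0.c1023 tcontext=system_u:object_r:named_t:s0 tclass=anon_inode permissive=0
node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { write } for  pid=1631 comm="journalctl" name="catalog" dev="dm-10" ino=131106 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { add_name } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
"""


def context_type(ctx):
    """user:role:type[:range] -> type. The MLS range itself contains ':' (s0-s15:c0.c1023)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return the fields of one denial, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=0 means the kernel refused the access; =1 means it was only logged
        "blocked": fields.get("permissive") == "0",
        "object": fields.get("path") or fields.get("name"),
    }


def summarize(lines):
    """Group denials by (source type, target type, class) and union their permissions."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "objects": set(), "enforced": False})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["comms"].add(rec["comm"])
        g["enforced"] = g["enforced"] or rec["blocked"]
        if rec["object"]:
            g["objects"].add(rec["object"])
    return dict(groups)


def to_allow_rules(summary):
    """Render each group as the literal allow rule audit2allow would propose (triage view only)."""
    rules = []
    for (src, tgt, cls), g in sorted(summary.items()):
        perms = " ".join(sorted(g["perms"]))
        rules.append(f"allow {src} {tgt}:{cls} {{ {perms} }};")
    return rules


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT.splitlines())
    for rule, ((_, _, _), g) in zip(to_allow_rules(summary), sorted(summary.items())):
        print(("BLOCKED " if g["enforced"] else "logged  ") + rule)
```

The rendered rules are a starting point for reading the log, not a patch. The fixes on this page show why: the journalctl denials were resolved by running journalctl in its own systemd_journal_init_t domain rather than granting initrc_t write to systemd_journal_t, and the notify-socket denials by giving /run/systemd/notify its own type, so in each case the grouped (source, target, class) triple pointed at a labelling change rather than at the literal allow rule. In refpolicy the rule itself would then be expressed through an existing interface of the target module, as several commit messages above note.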