RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
5,377 Commits 3 Branches 49 Tags 19 MiB
Commit Graph

3415 Commits

Author SHA1 Message Date
Chris PeBenito 1f6ef018db networkmanager: Fix interface commenting. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-03-19 14:04:13 -04:00
Chris PeBenito ecfaae80de Merge pull request #192 from topimiettinen/raw_memory_access_boolean 2020-03-19 13:07:57 -04:00
Chris PeBenito 7f3f512ef2 Merge pull request #191 from topimiettinen/add-usbguard 2020-03-19 13:07:05 -04:00
Chris PeBenito b3959fb415 Merge pull request #196 from gtrentalancia/watch-perms 2020-03-19 13:05:42 -04:00
Guido Trentalancia bf806fd589 userdomain: add watch perms 
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
--
 policy/modules/system/miscfiles.if  |   19 +++++++++++++++++++
 policy/modules/system/userdomain.if |    6 ++++++
 2 files changed, 25 insertions(+)
 2020-03-19 05:50:42 +01:00
Guido Trentalancia 8c72952ea4 getty: add watch perms 
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
--
 policy/modules/system/getty.te |    1 +
 1 file changed, 1 insertion(+)
 2020-03-19 05:50:11 +01:00
Guido Trentalancia 77174969ba wm: add watch perms 
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
--
 policy/modules/apps/wm.if                 |    4 ++++
 policy/modules/services/networkmanager.if |   18 ++++++++++++++++++
 2 files changed, 22 insertions(+)
 2020-03-19 05:41:43 +01:00
Guido Trentalancia 0cd4068aea mozilla: add watch perms 
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
--
 policy/modules/apps/mozilla.te |    2 ++
 1 file changed, 2 insertions(+)
 2020-03-19 05:41:43 +01:00
Topi Miettinen 1d2fb171b5
Add usbguard 
Usbguard enforces the USB device authorization policy for all USB
devices. Users can be authorized to manage rules and make device
authorization decisions using a command line tool.

Add rules for usbguard. Optionally, allow authorized users to control
the daemon, which requires usbguard-daemon to be able modify its rules
in /etc/usbguard.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-18 20:23:38 +02:00
Topi Miettinen bfb4e60edb
Make raw memory access tunable 
Modern systems shouldn't need direct access to raw memory
devices (/dev/mem, /dev/kmem, /dev/mergemem, dev/oldmem, /dev/port)
anymore, so let's remove the access in most cases and make it tunable
in the rest.

Add dev_read_raw_memory_cond(), dev_write_raw_memory_cond() and
dev_wx_raw_memory_cond(), which are conditional to new boolean
allow_raw_memory_access.

Remove raw memory access for a few domains that should never have
needed it (colord_t, iscsid_t, mdamd_t, txtstat_t), should not need it
anymore (dmidecode_t, Debian devicekit_diskt_t, hald_t, hald_mac_t,
xserver_t) or the domains that should transition to different domain
for this (rpm_t, kudzu_t, dpkg_t).

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-03-16 14:06:16 +02:00
Chris PeBenito 70469fdb16 logging: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-03-15 13:41:16 -04:00
Chris PeBenito 3fbbb6847e Merge pull request #195 from bauen1/fix-journald-restart 2020-03-15 13:40:49 -04:00
bauen1 20bc993628
logging: allow syslogd to remove stale socket file 2020-03-15 15:14:03 +01:00
Dave Sugar ca4282102b Add interface to read/write /dev/ipmi 
/dev/ipmi is labeled, but no interfaces exist to grant access to the device.
Adding interface for read/write access, I'm not sure of read-only access is usefull. ipmitool seems to only read and write
type=AVC msg=audit(1581618155.319:786): avc:  denied  { read write } for pid=4498 comm="ipmitool" name="ipmi0" dev="devtmpfs" ino=10460 scontext=system_u:system_r:ipmi_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1581618155.319:786): avc:  denied  { open } for pid=4498 comm="ipmitool" path="/dev/ipmi0" dev="devtmpfs" ino=10460 scontext=system_u:system_r:ipmi_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1581618155.320:787): avc:  denied  { ioctl } for pid=4498 comm="ipmitool" path="/dev/ipmi0" dev="devtmpfs" ino=10460 ioctlcmd=6910 scontext=system_u:system_r:ipmi_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=1
 2020-03-10 14:26:18 -04:00
Chris PeBenito 1bdbba4fb2 corenetwork, sysadm, sysnetwork: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-03-08 15:52:56 -04:00
Chris PeBenito aafca49ae8 Merge pull request #137 from bigon/aptcacher 2020-03-08 15:44:52 -04:00
Chris PeBenito 4677078b7b terminal, portage: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-03-01 14:54:45 -05:00
Chris PeBenito 128d6f4000 Merge pull request #187 from Jarel1337/patch-2 2020-03-01 14:47:42 -05:00
Chris PeBenito 493492873d Merge pull request #186 from Jarel1337/patch-1 2020-03-01 14:47:37 -05:00
Chris PeBenito b2f72e833b Bump module versions for release. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-29 16:54:39 -05:00
Vilgot Fredenberg 8bc4c28409
Remove old exception 
This exception goes back 14 years to commit 85c20af3c1 and 11a0508ede.
The tts exception is covered by a distro agnostic rule further up, and the udev rule doesn't even work (it's supposed to be /lib/udev/ not /usr/lib/udev on gentoo) so I seriously doubt anyone is going to miss them.

Signed-off-by: Vilgot <Vilgot@fredenberg.xyz>
 2020-02-23 17:52:54 +01:00
Vilgot 112929f004
Portage update 
Update portage to follow the new default paths and other (small) fixes.

Signed-off-by: Vilgot <Vilgot@fredenberg.xyz>
 2020-02-23 17:51:30 +01:00
Chris PeBenito e3864c38f7 logging: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-23 09:25:35 -05:00
Chris PeBenito c42f0a6cc8 logging: Whitespace fix. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-23 09:24:43 -05:00
Luca Boccassi 6e9c1cd187 logging: add interface to start/stop syslog units 
Required for example to start/stop systemd-journal-flush.service
which moves the journal storage back and forth between tmpfs and
permanent storage.

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
 2020-02-19 20:43:22 +00:00
Luca Boccassi 6afabe971f journald: allow to remove /run/log/journal 
it happens when switching from tmpfs to persistent storage

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
 2020-02-19 11:07:32 +00:00
Chris PeBenito 2400f6a74c various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-17 13:34:06 -05:00
Jason Zaman 8742aa4e3e gpg: add watch perms for agent 
avc:  denied  { watch } for  pid=10668 comm="gpg-agent" path="/run/user/1000/gnupg" dev="tmpfs" ino=21988 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_runtime_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=10668 comm="gpg-agent" path="/home/jason/.gnupg" dev="zfs" ino=34432 scontext=staff_u:staff_r:gpg_agent_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gpg_secret_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-02-17 13:25:59 -05:00
Jason Zaman 509a639deb chromium: watch etc dirs 
avc:  denied  { watch } for  pid=44464 comm="ThreadPoolForeg" path="/etc" dev="zfs" ino=1436 scontext=staff_u:staff_r:chromium_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-02-17 13:25:59 -05:00
Jason Zaman adaea617cd dbus: add watch perms 
avc:  denied  { watch } for  pid=10630 comm="dbus-daemon" path="/usr/share/dbus-1/accessibility-services" dev="zfs" ino=244551 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=10622 comm="dbus-daemon" path="/etc/dbus-1/session.d" dev="zfs" ino=262694 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-02-17 13:25:59 -05:00
Jason Zaman dd84b117e2 policykit devicekit: Add watch perms 
avc:  denied  { watch } for  pid=12488 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:devicekit_disk_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=6452 comm="gmain" path="/run/ConsoleKit" dev="tmpfs" ino=17611 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:consolekit_runtime_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=6452 comm="gmain" path="/usr/share/polkit-1/actions" dev="zfs" ino=235638 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=6452 comm="gmain" path="/etc/polkit-1/rules.d" dev="zfs" ino=268215 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-02-17 13:25:59 -05:00
Jason Zaman 9f8194fdf4 colord: add watch perms 
avc:  denied  { watch } for  pid=12656 comm="gmain" path="/var/lib/colord/icc" dev="zfs" ino=100677 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12656 comm="gmain" path="/usr/share/color/icc/colord" dev="zfs" ino=67586 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-02-17 13:25:59 -05:00
Jason Zaman 575f9494e7 cron: watch cron spool 
avc:  denied  { watch } for  pid=7402 comm="crond" path="/var/spool/cron/crontabs" dev="zfs" ino=7627 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_spool_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=7402 comm="crond" path="/etc/cron.d" dev="zfs" ino=60131 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=7402 comm="crond" path="/etc/crontab" dev="zfs" ino=1749860 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_cron_spool_t:s0 tclass=file permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-02-17 13:25:59 -05:00
Jason Zaman deafc9df7a accountsd: Add watch perms 
avc:  denied  { watch } for  pid=7134 comm="gmain" path="/var/log" dev="zfs" ino=7092 scontext=system_u:system_r:accounts _t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=7134 comm="gmain" path="/etc" dev="zfs" ino=1436 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-02-17 13:25:59 -05:00
Jason Zaman 1387160e0c udev: Add watch perms 
Udev watches all the fixed_disks and udevadm watches the runtime dir.

udevd[3010]: inotify_add_watch(6, /dev/sde, 10) failed: Permission denied

avc:  denied  { watch } for  pid=4669 comm="udevadm" path="/run/udev" dev="tmpfs" ino=19464 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=3022 comm="udevd" path="/dev/loop3" dev="devtmpfs" ino=10247 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-02-17 13:25:59 -05:00
Jason Zaman 124d3723d8 fstools: add zfs-auto-snapshot 
Should be in domain fstools_t, and needs to run zpool which is
mount_exec_t.

type=AVC msg=audit(1563084061.269:2472): avc:  denied  { execute } for  pid=4981 comm="env" name="zpool" dev="zfs" ino=259064 scontext=system_u:system_r:fsadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mount_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1563084061.269:2472): arch=c000003e syscall=59 success=no exit=-13 a0=7ffeba786e70 a1=7ffeba787098 a2=55726a69a4e0 a3=7fbff7eb5b00 items=1 ppid=4980 pid=4981 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="env" exe="/bin/env" subj=system_u:system_r:fsadm_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1563084061.269:2472): cwd="/root"
type=PATH msg=audit(1563084061.269:2472): item=0 name="/sbin/zpool" inode=259064 dev=00:17 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mount_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Signed-off-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
 2020-02-17 13:25:59 -05:00
Chris PeBenito 215a8be698 auditadm, secadm, staff, sysadm: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-16 11:32:16 -05:00
Chris PeBenito e583966f92 Merge pull request #172 from bauen1/allow-sysadm-staff-pipes 2020-02-16 11:31:38 -05:00
Chris PeBenito 2de17a8c0e systemd: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-16 11:29:21 -05:00
Chris PeBenito 80a3827c04 Merge pull request #183 from bauen1/systemd-user-runtime-dir 2020-02-16 11:28:26 -05:00
Chris PeBenito e272f7cba9 entropyd, networkmanager, ntp: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-16 11:26:49 -05:00
Chris PeBenito 87987636c1 Merge pull request #184 from bauen1/fix-systemd-ntp 2020-02-16 11:12:19 -05:00
Chris PeBenito 3bef33fe20 Merge pull request #182 from topimiettinen/add-iwd-as-networkmanager 2020-02-16 11:11:59 -05:00
Chris PeBenito 26be8f09a6 Merge pull request #181 from topimiettinen/add-jitterentropy-as-entropyd 2020-02-16 11:06:05 -05:00
bauen1 b6352a3de7
sysadm: add sysadm_allow_rw_inherited_fifo tunable to allow writing to 
fifo_files inherited from domains allowed to change role to sysadm_r.

This enables to do e.g. 'echo "..." | sudo -r sysadm_r command' from a
staff_u:staff_r:staff_t context
 2020-02-16 17:05:40 +01:00
Topi Miettinen cdd292a26d
Consider iwd equivalent to NetworkManager etc. 
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-02-15 16:39:38 +02:00
bauen1 16f030a488
systemd-user-runtime-dir: add policy 2020-02-12 22:00:23 +01:00
bauen1 b4ef3f335f
ntp: watch systemd networkd runtime dirs 
This is required for correct function after linux 5.4
 2020-02-12 16:24:25 +01:00
Topi Miettinen 1d6982b0ea
Consider jitterentropy to belong to entropyd family 
Also allow jitterentropy (or rather some libs) to read
/proc/crypto/fips_enabled.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
 2020-02-12 00:00:21 +02:00
Chris PeBenito 0d4e919176 loadkeys, init, systemd, udev: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-02-11 13:13:20 -05:00