semodule will try to create a directory under /etc/selinux if the policy
it is modifying doesn't exist (e.g. it is being build for the first time).
Signed-off-by: bauen1 <j2468h@gmail.com>
Same deal as with systemd-run this is potentially useful for non
privileged users and especially useful for admins.
Signed-off-by: bauen1 <j2468h@gmail.com>
* Drop permissions implied by domtrans_pattern
* Use fifo_file permission macro for fifo_file class
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
The attribute systemdunit is defined in the file init.te, so interfaces
granting access on it should be defined in init.if
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
The condition `use_alsa` is nowhere defined, and the contained interface
`alsa_domain` does not exist.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Commit 69a403cd97 renamed smbd_var_run_t to smbd_runtime_t,
but smbd_runtime_t does not exist.
Commit 61ecff5c31 removed the alias smbd_var_run_t to samba_runtime_t.
Use samba_runtime_t instead.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
This is better than the current status quo of running nginx under
initrc_t, a lot of other webservers are already under the apache policy
(e.g. lighttpd) and this requires no additional permissions.
See also the discussion from March 2013 on the selinux-refpolicy mailing
list: https://lore.kernel.org/selinux-refpolicy/20110318110259.GA25236@localhost.localdomain/
Signed-off-by: bauen1 <j2468h@gmail.com>
a require was fixed back in 2011, so using corenet_tcp_bind_stunnel_port
would be an option now, but stunnel_t already has
corenet_tcp_bind_all_ports, so this access is redundant.
Signed-off-by: Daniel Burgener <Daniel.Burgener@Microsoft.com>
I have been working to support IMA/EVM on a system. It
requires having keys added to the kernel keyring. Keys
added with keyctl and evmctl. I am creating keys in the
ima_key_t type. Once the keys are created, many domains
then need search permission on the type of the key. The
following changes are needed to get things to work.
Need to add keys to the kernel keyring (keyctl).
type=AVC msg=audit(1585420717.704:1868): avc: denied { write } for pid=8622 comm="keyctl" scontext=system_u:system_r:cleanup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1
Allow all domains to search key
type=AVC msg=audit(1587936822.802:556): avc: denied { search } for pid=5963 comm="kworker/u16:6" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.804:559): avc: denied { search } for pid=5963 comm="systemd-cgroups" scontext=system_u:system_r:systemd_cgroups_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.809:560): avc: denied { search } for pid=5964 comm="(sysctl)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.813:562): avc: denied { search } for pid=5964 comm="sysctl" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936823.149:604): avc: denied { search } for pid=5987 comm="setsebool" scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Add EFI bootloaders rEFInd and systemd-boot. Boot tools which manage
bootloader files in UEFI (DOS) partition need also to manage UEFI boot
variables in efivarfs. Bootctl (systemd-boot tool) verifies the type
of EFI file system and needs to mmap() the files.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Chris PeBenito
bauen1
Christian Göttsche
Topi Miettinen
Daniel Burgener
Dave Sugar