38839b3e6c
nsd: Merge two rules into one.
2019-01-06 14:03:29 -05:00
ea11d5bbc2
Merge branch 'nsd' of https://github.com/alexminder/refpolicy
2019-01-06 14:02:06 -05:00
82494cedc1
pam_faillock creates files in /run/faillock
...
These are changes needed when pam_fallock creates files in /run/faillock
(which is labeled faillog_t). sudo and xdm (and probably other domains)
will create files in this directory for successful and failed login
attempts.
v3 - Updated based on feedback
type=AVC msg=audit(1545153126.899:210): avc: denied { search } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { write } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { add_name } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { create } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545153131.091:215): avc: denied { setattr } for pid=8448 comm="lightdm" name="dsugar" dev="tmpfs" ino=87599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545167205.531:626): avc: denied { search } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc: denied { write } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc: denied { add_name } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc: denied { create } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:faillog_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-01-06 13:57:18 -05:00
2791589f9e
Allow greeter to start dbus
...
The display manager lightdm (and I think gdm) start a dbus binary.
v3 - Updated based on feedback
type=AVC msg=audit(1544626796.378:201): avc: denied { execute } for pid=9973 comm="dbus-launch" name="dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544626796.378:201): avc: denied { read open } for pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544626796.378:201): avc: denied { execute_no_trans } for pid=9973 comm="dbus-launch" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1544626796.378:201): avc: denied { map } for pid=9973 comm="dbus-daemon" path="/usr/bin/dbus-daemon" dev="dm-1" ino=6695040 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546551459.112:208): avc: denied { getcap } for pid=6275 comm="dbus-daemon" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1546551459.116:209): avc: denied { read } for pid=6275 comm="dbus-daemon" name="995" dev="tmpfs" ino=35210 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546551459.116:209): avc: denied { open } for pid=6275 comm="dbus-daemon" path="/run/systemd/users/995" dev="tmpfs" ino=35210 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1546551459.116:210): avc: denied { getattr } for pid=6275 comm="dbus-daemon" path="/run/systemd/users/995" dev="tmpfs" ino=35210 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_var_run_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-01-06 13:57:18 -05:00
6780e6d2e2
init: Remove inadvertent merge.
2019-01-06 13:53:02 -05:00
3133587825
cron trivial
...
Here are the most trivial cron patches I have, I would like to get this in
before discussing the more significant cron patches.
2019-01-06 13:50:31 -05:00
61b83b30be
systemd: Rename systemd_list_netif() to systemd_list_networkd_runtime().
...
Move implementation with other networkd_runtime interfaces.
2019-01-06 13:49:02 -05:00
b77b4cd610
missing from previous
...
Here are the things that weren't applied from my previous patches, I think they
are all worthy of inclusion.
2019-01-06 13:44:18 -05:00
ef6c7f155e
systemd misc
...
This patch has policy changes related to systemd and the systemd versions
of system programs.
Also has some dbus policy which probably isn't strictly a systemd thing, but it
all came at the same time.
2019-01-06 13:11:51 -05:00
150bd4e179
systemd: allow systemd-logind to use getutxent()
...
systemd-logind reads /run/utmp in order to warn users who are currently
logged in about an imminent shutdown. It calls utmp_wall() in
https://github.com/systemd/systemd/blob/v240/src/login/logind-utmp.c#L75-L87
This function calls glibc's getutxent() here:
https://github.com/systemd/systemd/blob/v240/src/shared/utmp-wtmp.c#L401
This function, implemented in
https://sourceware.org/git/?p=glibc.git;a=blob;f=login/utmp_file.c;h=040a5057116bb69d9dfb1ca46f025277a6e20291;hb=3c03baca37fdcb52c3881e653ca392bba7a99c2b
, opens and locks /run/utmp in order to enumerate the users.
2019-01-06 16:28:32 +01:00
49af56f3b5
selinuxutil: allow restorecond to try counting the number of files in cgroup fs
...
When restorecond calls selinux_restorecon(), libselinux scans
/proc/mounts in a function named exclude_non_seclabel_mounts with the
following comment
(https://github.com/SELinuxProject/selinux/blob/libselinux-2.8/libselinux/src/selinux_restorecon.c#L224-L230 ):
/*
* This is called once when selinux_restorecon() is first called.
* Searches /proc/mounts for all file systems that do not support extended
* attributes and adds them to the exclude directory table. File systems
* that support security labels have the seclabel option, return
* approximate total file count.
*/
The "approximate total file count" is computed using statvfs(), which
results in a system call to statfs().
The cgroup filesystem supports security label (/proc/mounts shows
"seclabel") so restorecond uses statfs to try counting the number of its
inodes. This result in the following denial:
type=AVC msg=audit(1546727200.623:67): avc: denied { getattr } for
pid=314 comm="restorecond" name="/" dev="cgroup" ino=1
scontext=system_u:system_r:restorecond_t
tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=0
type=SYSCALL msg=audit(1546727200.623:67): arch=c000003e syscall=137
success=no exit=-13 a0=556d2aeb4c37 a1=7fffa4a90a90 a2=556d2aeb4c55
a3=7f043156a9f0 items=0 ppid=1 pid=314 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="restorecond" exe="/usr/bin/restorecond"
subj=system_u:system_r:restorecond_t key=(null)
type=PROCTITLE msg=audit(1546727200.623:67): proctitle="/usr/sbin/restorecond"
Allow this, like commit 5125b8eb2d
2019-01-05 23:51:36 +01:00
3734d7e76c
ssh: use dac_read_search instead of dac_override
...
When creating a session for a new user, sshd performs a stat() call
somewhere:
type=AVC msg=audit(1502951786.649:211): avc: denied {
dac_read_search } for pid=274 comm="sshd" capability=2
scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:sshd_t
tclass=capability permissive=1
type=SYSCALL msg=audit(1502951786.649:211): arch=c000003e syscall=4
success=no exit=-2 a0=480e79b300 a1=7ffe0e09b080 a2=7ffe0e09b080
a3=7fb2aa321b20 items=0 ppid=269 pid=274 auid=1000 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1
comm="sshd" exe="/usr/bin/sshd" subj=system_u:system_r:sshd_t
key=(null)
type=PROCTITLE msg=audit(1502951786.649:211):
proctitle=737368643A2076616772616E74205B707269765D
2019-01-05 21:21:18 +01:00
d6b46686cd
many: Module version bumps for changes from Russell Coker.
2019-01-05 14:33:50 -05:00
da9ff19d94
sudo: Whitespace fix.
2019-01-05 14:17:18 -05:00
e1babbc375
systemd related interfaces
...
This patch has interface changes related to systemd support as well as policy
that uses the new interfaces.
2019-01-05 14:17:01 -05:00
6f12a29ecc
apt, rpm: Remove and move lines to fix fc conflicts.
2019-01-05 14:09:57 -05:00
39881a0e14
dpkg: Rename dpkg_read_script_tmp_links().
2019-01-05 13:56:43 -05:00
5a9982de70
sysnetwork: Move lines.
2019-01-05 13:56:15 -05:00
5125b8eb2d
last misc stuff
...
More tiny patches. Note that this and the other 2 patches I just sent are not
dependent on each other, please apply any that you like.
2019-01-05 13:54:38 -05:00
57df6fa0d5
sysnetwork: Move optional block in sysnet_dns_name_resolve().
2019-01-05 13:42:11 -05:00
73f8b85ef3
misc interfaces
...
This patch has some small interface changes as well as the policy patches to
use the new interfaces.
2019-01-05 13:36:20 -05:00
713f9000b5
networkmanager: Add ICMPv6 comment
2019-01-05 13:34:18 -05:00
678c9e0b7a
misc services patches
...
Lots of little patches to services.
2019-01-05 13:30:30 -05:00
c947258610
Remove unneeded braces from nsd.te.
2019-01-04 15:59:02 +03:00
56b7919589
sigrok: Remove extra comments.
2019-01-03 20:52:26 -05:00
9e6febb049
Add sigrok contrib module
...
Add a SELinux Reference Policy module for the sigrok
signal analysis software suite (command-line interface).
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
2019-01-03 20:51:18 -05:00
65b7fa3f43
lvm, syncthing: Module version bump.
2019-01-03 17:52:03 -05:00
82e652df04
Merge branch 'lvm' of https://github.com/alexminder/refpolicy
2019-01-03 17:45:16 -05:00
9e3bb1bfde
syncthing: Whitespace change
2019-01-03 17:44:48 -05:00
972654cf09
Remove syncthing tunable_policy.
...
kernel_read_network_state already give syncthing to get route information. Backup plan with ifconfig does not required.
2019-01-03 13:26:08 +03:00
29bbe7b958
Add comment for map on lvm_metadata_t.
2019-01-03 10:15:07 +03:00
eca583b86c
Add map permission to lvm_t on lvm_metadata_t.
...
On musl libc system lvm requires map permission.
2018-12-30 18:57:56 +03:00
faa2b15910
Add nsd_admin interface to sysadm.te.
...
Allow users with sysadm_r role to start/stop NSD daemon.
2018-12-30 18:30:23 +03:00
e426b5785f
Add required permissions for nsd_t to be able running.
...
Add required permissions to nsd_t for NSD work properly.
2018-12-30 18:27:30 +03:00
8b2add4140
Allow syncthing_t to execute ifconfig/iproute2.
...
Add new boolean which can allow syncthing_t to execute ifconfig/iproute2 to determinate gateway for NAT-PMP.
2018-12-30 17:43:16 +03:00
2b3473c40c
Allow syncthing_t to read network state.
...
Allow to read network state (/proc/*/route) and proc_t (/proc/cpuinfo, /proc/meminfo).
2018-12-30 17:42:26 +03:00
eb588f836e
Add corecmd_exec_bin permissions to syncthing_t.
...
corecmd_exec_bin required to run application.
2018-12-30 17:41:31 +03:00
d2569bb877
Add signal_perms setpgid setsched permissions to syncthing_t.
...
setpgid required because of "WARNING: Failed to lower process priority: set process group: permission denied"
setsched required because of "WARNING: Failed to lower process priority: set niceness: permission denied"
signal_perms required to launch app.
2018-12-30 17:39:38 +03:00
e5ac999aab
dbus, xserver, init, logging, modutils: Module version bump.
2018-12-11 17:59:31 -05:00
6167b9b6e5
Allow auditctl_t to read bin_t symlinks.
...
on RHEL7 insmod, rmmod, modprobe (and others?) are a symlinks
to ../bin/kmod. But policy didn't allow auditctl_t to follow
that link.
type=AVC msg=audit(1543853530.925:141): avc: denied { read } for
pid=6937 comm="auditctl" name="insmod" dev="dm-1" ino=628383
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853530.925:143): avc: denied { read } for
pid=6937 comm="auditctl" name="rmmod" dev="dm-1" ino=628387
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853530.926:145): avc: denied { read } for
pid=6937 comm="auditctl" name="modprobe" dev="dm-1" ino=628386
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853797.766:60): avc: denied { read } for
pid=6942 comm="auditctl" name="insmod" dev="dm-1" ino=628383
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
e73e9e7734
Add missing require for 'daemon' attribute.
...
Not sure how I didn't notice this missing require before.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
55c3fab804
Allow dbus to access /proc/sys/crypto/fips_enabled
...
type=AVC msg=audit(1543769401.029:153): avc: denied { search } for
pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { read } for
pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { open } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { search } for
pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { read } for
pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { open } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:365): avc: denied { getattr } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
241b917d37
Allow kmod to read /proc/sys/crypto/fips_enabled
...
type=AVC msg=audit(1543769402.716:165): avc: denied { search } for
pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769402.716:165): avc: denied { read } for
pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.716:165): avc: denied { open } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.717:166): avc: denied { getattr } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
3425d22c24
Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled
...
type=AVC msg=audit(1543761322.221:211): avc: denied { search } for
pid=16826 comm="X" name="crypto" dev="proc" ino=10257
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { read } for
pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { open } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.222:212): avc: denied { getattr } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
249e87ab73
cron, minissdpd, ntp, systemd: Module version bump.
2018-11-17 19:02:54 -05:00
45a8ddd39f
Merge branch 'minissdpd' of https://github.com/bigon/refpolicy
2018-11-17 18:58:09 -05:00
b73758bb97
Interface to read cron_system_spool_t
...
Useful for the case that manage isn't requied.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-17 18:52:31 -05:00
56e8f679b2
interface to enable/disable systemd_networkd service
...
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-17 18:52:31 -05:00
5deea1b940
Add interfaces to control ntpd_unit_t systemd services
...
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-17 18:52:31 -05:00
cd4be3dcd0
dnsmasq: Module version bump.
2018-11-17 18:50:18 -05:00
da49b37d87
dnsmasq: Require log files to have .log suffix
...
+ allow log rotate as well.
Signed-off-by: Petr Vorel <pvorel@suse.cz>
2018-11-17 18:49:59 -05:00
a71cc466fc
Allow minissdpd_t to create a unix_stream_socket
...
----
type=PROCTITLE msg=audit(12/11/18 15:37:06.293:231) : proctitle=/usr/sbin/minissdpd -i enp0s25 -i wlp3s0 -6
type=SYSCALL msg=audit(12/11/18 15:37:06.293:231) : arch=x86_64 syscall=listen success=yes exit=0 a0=0x7 a1=0x5 a2=0x6e a3=0x7ffdbca26c50 items=0 ppid=1 pid=1880 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=minissdpd exe=/usr/sbin/minissdpd subj=system_u:system_r:minissdpd_t:s0 key=(null)
type=AVC msg=audit(12/11/18 15:37:06.293:231) : avc: denied { listen } for pid=1880 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(12/11/18 16:12:29.172:758) : proctitle=/usr/sbin/minissdpd -i enp0s25 -i wlp3s0 -6
type=SYSCALL msg=audit(12/11/18 16:12:29.172:758) : arch=x86_64 syscall=accept success=yes exit=8 a0=0x7 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=1 pid=11460 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=minissdpd exe=/usr/sbin/minissdpd subj=system_u:system_r:minissdpd_t:s0 key=(null)
type=AVC msg=audit(12/11/18 16:12:29.172:758) : avc: denied { accept } for pid=11460 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1
2018-11-12 16:24:54 +01:00
b4d7c65fc4
Various modules: Version bump.
2018-11-11 15:58:59 -05:00
205b5e705a
Merge branch 'iscsi' of https://github.com/bigon/refpolicy
2018-11-11 15:53:19 -05:00
0e868859c4
Merge branch 'resolved' of https://github.com/bigon/refpolicy
2018-11-11 15:52:51 -05:00
7316be9c2a
Allow iscsid_t to create a netlink_iscsi_socket
...
----
type=PROCTITLE msg=audit(11/11/18 14:02:09.006:195) : proctitle=/sbin/iscsid
type=SYSCALL msg=audit(11/11/18 14:02:09.006:195) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x6 a1=0x55bfc5837270 a2=0xc a3=0x0 items=0 ppid=1188 pid=1190 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(11/11/18 14:02:09.006:195) : avc: denied { bind } for pid=1190 comm=iscsid scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=1
----
type=PROCTITLE msg=audit(11/11/18 14:02:09.006:194) : proctitle=/sbin/iscsid
type=SYSCALL msg=audit(11/11/18 14:02:09.006:194) : arch=x86_64 syscall=socket success=yes exit=6 a0=netlink a1=SOCK_RAW a2=egp a3=0x0 items=0 ppid=1188 pid=1190 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(11/11/18 14:02:09.006:194) : avc: denied { create } for pid=1190 comm=iscsid scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=1
2018-11-11 20:04:21 +01:00
d5d6fe0046
Allow systemd_resolved_t to bind to port 53 and use net_raw
...
resolved also binds against port 53 on lo interface
2018-11-11 14:27:01 +01:00
404dcf2af4
Allow sysnet_dns_name_resolve() to use resolved to resolve DNS names
...
Also allow unconfined_t to talk with the resolved daemon
2018-11-11 13:36:05 +01:00
06588b55b4
Add systemd_dbus_chat_resolved() interface
2018-11-11 13:33:00 +01:00
df58008c2b
Allow ntpd_t to read init state
...
With systemd-timesyncd, the following AVC denials are generated:
type=AVC msg=audit(01/11/18 15:44:39.564:48) : avc: denied { open } for pid=397 comm=systemd-timesyn path=/proc/1/sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/11/18 15:44:39.564:48) : avc: denied { read } for pid=397 comm=systemd-timesyn name=sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/11/18 15:44:39.564:49) : avc: denied { getattr } for pid=397 comm=systemd-timesyn path=/proc/1/sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
2018-11-10 19:01:33 +01:00
6060f35f03
Allow semanage_t to connect to system D-Bus bus
...
This is needed as systemd NSS modules is talking to systemd/PID1 over
D-Bus
2018-11-10 19:01:33 +01:00
2f054c67a2
irqbalance now creates an abstract socket
2018-11-10 19:01:28 +01:00
4ff893bca0
dnsmasq: Reorder lines in file contexts.
2018-11-09 19:35:14 -05:00
f583b6b061
dnsmasq: Whitespace fix in file contexts.
2018-11-09 19:34:49 -05:00
1431ba9d41
amavis, apache, clamav, exim, mta, udev: Module version bump.
2018-11-09 19:32:08 -05:00
75dd54edc7
Allow clamd to use sent file descriptor
...
This allows a process connecting to a local clamd server to send
an open file descriptor for A/V scanning. This still requires
the file type to be readable by clamd.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:09:49 -05:00
2fa76a4b9e
Add interfaces to control clamav_unit_t systemd services
...
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:06:01 -05:00
81953475a5
Interface to add domain allowed to be read by ClamAV for scanning.
...
Create an attribute for types that clamd_t and clamscan_t can read
(for scanning purposes) rather than require clamav.te to be modified.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:06:01 -05:00
03f248c9e1
Allow clamd_t to read /proc/sys/crypt/fips_enabled
...
To fix the following denials:
type=AVC msg=audit(1540821927.216:215): avc: denied { search } for
pid=1726 comm="clamd" name="crypto" dev="proc" ino=68
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
type=AVC msg=audit(1540821927.216:215): avc: denied { read } for
pid=1726 comm="clamd" name="fips_enabled" dev="proc" ino=69
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:215): avc: denied { open } for
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=69 scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:216): avc: denied { getattr } for
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=69 scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:06:01 -05:00
f0047d0247
Add interface udev_run_domain
...
This interface is useful when using the 'RUN' option in UDEV rules where udev will be executing a user executable to perform some action. This interface allows a domain transition to occur for the run action.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-11-09 19:04:22 -05:00
35463351a0
clamav, ssh, init: Module version bump.
2018-10-27 15:10:10 -04:00
9dd80c6a67
system/init: Give init_spec_daemon_domain()s the "daemon" attribute
...
init_daemon_domain() applies this attribute too.
2018-10-27 14:56:34 -04:00
a42ff404bd
services/ssh: Don't audit accesses from ssh_t to /dev/random
...
OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which
generates spurious denial messages for ssh_t, ssh_keygen_t and probably
various other domains too.
The code only uses /dev/random as a fallback and can cope with an open()
failure just fine, so I'm dontauditing the access. However, I don't have
strong feelings about this -- if someone would prefer to allow these
accesses instead, I'd be okay with that too.
2018-10-27 14:56:34 -04:00
1941eefa13
Interface to allow reading of virus signature files.
...
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-10-27 14:56:34 -04:00
5a3207fb45
miscfiles: Module version bump.
2018-10-14 13:55:21 -04:00
75dcc276c0
miscfiles: Label /usr/share/texmf*/fonts/ as fonts_t
...
fontconfig can be configure to use the TeX Live fonts in addition to
/usr/share/fonts/.
2018-10-14 13:50:27 -04:00
e3eba7b7ff
logrotate: Module version bump.
2018-10-13 13:39:18 -04:00
14b4c0c8c7
Realign logrotate.fc, remove an obvious comment
2018-10-13 13:39:18 -04:00
a604ae7ca2
Add fc for /var/lib/misc/logrotate.status
...
Some distros configure logrotate to put its status file somewhere else
than the default /var/lib/logrotate.status. Debian puts it in
/var/lib/logrotate/, and Gentoo uses /var/lib/misc/.
2018-10-13 13:39:18 -04:00
65da822c1b
Remove unused translate permission in context userspace class.
...
mcstransd never implemented this permission. To keep permission indices
lined up, replace the permission with "unused_perm" to make it clear that
it has no effect.
2018-10-13 13:39:18 -04:00
bf16b6d4b9
xserver: Module version bump.
2018-10-03 22:08:23 -04:00
9be8cfac19
xserver: Allow user fonts (and caches) to be mmap()ed.
...
Applications can optionally map fonts and fontconfig caches into memory.
miscfiles_read_fonts() already grants those perms, but it seems
xserver_use_user_fonts() was forgotten.
2018-10-03 22:07:59 -04:00
b3a1e8a8f8
corecommands: Module version bump.
2018-09-28 15:20:46 -04:00
e751959925
corecommands: Fix /usr/share/apr* fc
...
Both apr and apr-1 are possible
2018-09-28 15:14:43 -04:00
3899825c1c
fstools: Module version bump.
2018-08-04 08:51:00 -04:00
094409b735
fstools: label e2mmpstatus as fsadm_exec_t
...
e2fsprogs 1.44.3 installs e2mmpstatus as a hard link to dumpe2fs. This
makes "restorecon -Rv /usr/bin" relabels this file with conflicting
contexts:
Relabeled /usr/bin/e2mmpstatus from system_u:object_r:fsadm_exec_t to system_u:object_r:bin_t
Relabeled /usr/bin/dumpe2fs from system_u:object_r:bin_t to system_u:object_r:fsadm_exec_t
Fix this by labelling e2mmpstatus like dumpe2fs.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-04 08:50:06 -04:00
e1caae17a2
ipsec: Module version bump.
2018-07-28 09:02:22 -04:00
305bd29f65
ipsec: add missing permissions for pluto
...
When using libreswan, pluto needs permissions for building the
Security Association Database and for setting contexts on IPSec
policy and SAs.
Signed-off-by: Yuli Khodorkovskiy <yuli@crunchydata.com>
2018-07-28 08:58:34 -04:00
e9eec95de4
devices: Module version bump.
2018-07-15 16:56:51 -04:00
ce4fe74fe3
vhost: Add /dev/vhost-scsi device of type vhost_device_t.
...
Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
2018-07-15 16:43:45 -04:00
d301e83161
mozilla, devices, selinux, xserver, init, iptables: Module version bump.
2018-07-10 20:11:40 -04:00
6bf506ec68
iptables: fcontexts for 1.8.0
...
The binary changed from /sbin/xtables-multi to xtables-legacy-multi and
xtables-nft-multi
2018-07-10 17:25:11 -04:00
d53047dc58
Allow map xserver_misc_device_t for nvidia driver
2018-07-10 17:25:11 -04:00
871d47888b
xserver: label .cache/fontconfig as user_fonts_cache_t
2018-07-10 17:25:11 -04:00
3c4f0dfaae
mozilla: xdg updates
2018-07-10 17:25:11 -04:00
181298ab8b
selinux: compute_access_vector requires creating netlink_selinux_sockets
2018-07-10 17:25:11 -04:00
65e8f758ca
Bump module versions for release.
2018-07-01 11:02:33 -04:00
87b0512036
xdg, xserver, mplayer, games: Module version bump.
2018-06-24 20:32:02 -04:00
452c100212
apps: rw mesa_shader_cache
2018-06-24 19:11:14 -04:00
6f32775885
xserver: Add mesa_shader_cache for GLSL in ~/.cache/mesa_shader_cache/
2018-06-24 19:11:14 -04:00
5b85f31124
xdg: Introduce xdg_search_cache_dirs
2018-06-24 19:11:14 -04:00
49a5d06120
xdg: filetrans should not add filetrans from user_home_dir
...
SELinux 2.8 is stricter with duplicate filetrans and these rules cause
problems if a domain needs more than one xdg dir.
Domains should call xdg_generic_user_home_dir_filetrans_data directly if
needed.
2018-06-24 19:11:14 -04:00
b9bbe78f9e
xdg: Add map perms, also make lnk_file, dirs consistent
2018-06-24 19:11:14 -04:00
a6313231d6
sysnetwork: Module version bump.
2018-06-23 10:50:14 -04:00
66a0e1b8eb
Label /etc/hosts.allow as net_conf_t
...
/etc/hosts.deny is labeled as net_conf_t so it makes sense to label
hosts.allow the same way
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2018-06-23 10:50:01 -04:00
3ab07a0e1e
Move all files out of the old contrib directory.
2018-06-23 10:38:58 -04:00
0f3132c795
Re-add policy modules from old refpolicy-contrib submodule.
2018-06-23 09:00:56 -04:00
afb14bd300
Remove refpolicy-contrib submodule.
2018-06-23 08:55:49 -04:00
54f0118bc7
XDG: Module version bump.
2018-06-10 13:40:20 -04:00
8bb4fdfc29
userdom: remove filetrans from userdom_user_content_access_template
2018-06-10 13:23:58 -04:00
b64a53494f
tunable-managed user content access template
...
To simplify policy management on the various application domains with
respect to user content access, a template is introduced which generates
four tunable_policy() blocks.
- The *_read_generic_user_content boolean will enable the application
domain to read generic user resources (labeled with user_home_t).
- The *_read_all_user_content boolean does the same, but for all user
resources (those associated with the user_home_content_type attribute).
- The *_manage_generic_user_content boolean enables the application to
manage generic user resources (labeled with user_home_t)
- The *_manage_all_user_content boolean does the same, but for all user
reosurces (those associated with the user_home_content_type attribute).
Although it would be even better to generate the booleans themselves as
well (which is what Gentoo does with this template), it would result in
booleans without proper documentation. Calls such as "semanage boolean
-l" would fail to properly show a description on the boolean - something
Gentoo resolves by keeping this documentation separate in a
doc/gentoo_tunables.xml file.
In this patch, we assume that the calling modules will define the
booleans themselves (with appropriate documentation). The template
checks for the existence of the booleans. This approach is more in
line with how domain-specific booleans are managed up to now.
Changes since v2:
- Fix typo in gen_require (had a closing : instead of ;)
Changes since v1:
- Use in-line XML comment and tunable definition
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-06-10 13:23:01 -04:00
d4dad1950d
helper interfaces to read/manage all user content
...
To facilitate handling user home content (through the
user_home_content_type attribute) the following interfaces are provided:
- userdom_read_all_user_home_content
- userdom_manage_all_user_home_content
Domains that are granted these privileges are able to read (or manage)
all user home content, so not only the generic one (user_home_t) but all
types that have been assigned the user_home_content_type attribute. This
is more than just user_home_t and the XDG types, so the use should not
be granted automatically.
As part of the larger XDG patch set, these interfaces are called through
the *_read_all_user_content and *_manage_all_user_content booleans which
are by default not enabled.
Changes since v2:
- Fix typo in pattern call
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-06-10 13:23:01 -04:00
442849be7f
Allow X server users to manage all xdg resources
...
With the introduction of the freedesktop XDG location support in the
policy, end users need to be allowed to manage these locations from their
main user domain.
The necessary privileges are added to the xserver_role() interface, which is
in use by the unconfined user domain as well as the main other user domains
(like user, sysadm and staff).
The necessary file transitions for the directories are added as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-06-10 13:23:01 -04:00
0a4d55da7a
freedesktop location support
...
Introduce various freedesktop locations, based on the base directory
specification [1]. The new locations are introduced as a separate module
to keep the rules related to these specifications isolated from the main
user domain (which is already one of the biggest modules code-wise).
Right now, two distinct location groups are provided, one being the set
of locations that will have domain-specific types, and one that remains
generic for end users.
The first set of types are:
- XDG Cache location, meant for non-essential cached data. The base type
here is xdg_cache_t, which is generally at $HOME/.cache
- XDG Data location, for user-specific data. The base type here is
xdg_data_t, which is generally at $HOME/.local
- XDG Config location, for user-specific configuration files. The base
type here is xdg_config_t, which is generally at $HOME/.config
The idea here is to provide support for domain-specific files as well.
For instance, Chromium has its user-specific configuration files in
~/.config/chromium, which is then marked as chromium_xdg_config_t.
This allows for isolation of potentially sensitive information from
regular user application domains. Firefox for instance should not be
able to read user configuration data from unrelated applications.
The second set of types are:
- User documents, with xdg_documents_t as the type. This is
generally for the ~/Documents location.
- User downloads, with xdg_downloads_t as the type. This is
generally for the ~/Downloads location.
- User music, with xdg_music_t as the type. This is generally for
the ~/Music location.
- User pictures, with xdg_pictures_t as the type. This is generally
for the ~/Pictures location.
- User videos, with xdg_videos_t as the type. This is generally for
the ~/Videos location.
Alongside the type definitions, a number of access interfaces are
defined to support the use of these types, and for the first set to
enable the necessary file transitions.
[1] https://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2018-06-10 13:23:01 -04:00
e2bae7b65d
corecommands: Module version bump.
2018-06-10 13:19:13 -04:00
ece7bdc282
corecommands: adjust gcc fcontext to also work on musl
2018-06-10 13:05:57 -04:00
0252046c95
systemd: Move lines.
2018-06-07 20:17:15 -04:00
f4713393ae
policy for systemd-hwdb
...
systemd-hwdb rebuilds /etc/udev/hwdb.bin from files in /var/lib/udev/hwdb.d/*
making a temp file first in /etc/udev/ then moving the tmp file
over hwdb.bin when complete. It also relabels based in file_contexts
This provides private type for /etc/udev/hwdb.bin
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:48 -04:00
2408d45a3d
policy for systemd-update-done
...
systemd-update-done needs to be able to create /etc/.updated and /var/.updated
Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /etc/.updated: Permission denied
Jun 6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /var/.updated: Permission denied
Jun 6 13:11:58 localhost systemd: systemd-update-done.service: main process exited, code=exited, status=1/FAILURE
Jun 6 13:11:58 localhost systemd: Failed to start Update is Completed.
Jun 6 13:11:58 localhost systemd: Unit systemd-update-done.service entered failed state.
Jun 6 13:11:58 localhost systemd: systemd-update-done.service failed.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:48 -04:00
664d932c0f
systemd-resolved uses notify to indicate status
...
type=AVC msg=audit(1528207926.219:1609): avc: denied { write } for pid=2689 comm="systemd-resolve" name="notify" dev="tmpfs" ino=6277 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1528208016.448:1702): avc: denied { sendto } for pid=2689 comm="systemd-resolve" path="/run/systemd/notify" scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:48 -04:00
fd466a380e
Allow systemd-resolved to connect to system dbusd
...
type=USER_AVC msg=audit(1527726267.150:134): pid=1170 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { acquire_svc } for service=org.freedesktop.resolve1 spid=1208 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:48 -04:00
0ddccc81ad
Allow systemd_resolved to read systemd_networkd runtime files
...
type=AVC msg=audit(1527698299.999:144): avc: denied { read } for pid=1193 comm="systemd-resolve" name="links" dev="tmpfs" ino=16229 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1527698299.999:145): avc: denied { read } for pid=1193 comm="systemd-resolve" name="3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527698299.999:145): avc: denied { open } for pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527698300.000:146): avc: denied { getattr } for pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527702014.276:183): avc: denied { search } for pid=1180 comm="systemd-resolve" name="netif" dev="tmpfs" ino=16878 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1527704163.181:152): avc: denied { open } for pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527704163.181:153): avc: denied { getattr } for pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527704163.604:173): avc: denied { read } for pid=1236 comm="systemd-resolve" name="5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:47 -04:00
1dd2e5aca4
Allow systemd-resolved to read sysctl
...
type=AVC msg=audit(1527698300.007:150): avc: denied { search } for pid=1193 comm="systemd-resolve" name="net" dev="proc" ino=8515 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1527698300.007:150): avc: denied { read } for pid=1193 comm="systemd-resolve" name="disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1527698300.007:150): avc: denied { open } for pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1527698300.007:151): avc: denied { getattr } for pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1527698300.006:148): avc: denied { read } for pid=1193 comm="systemd-resolve" name="disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1527698300.006:148): avc: denied { open } for pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1527698300.007:149): avc: denied { getattr } for pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-06-07 20:16:47 -04:00
6b0abaf880
init: Module version bump.
2018-05-02 17:22:52 -04:00
9219bde71e
init: Add filetrans for /run/initctl
...
sysvinit 2.89 moved /dev/initctl to /run/initctl.
Reported-by: revel
2018-05-02 17:12:01 -04:00
c95e835170
sysnetwork: Module version bump.
2018-04-25 17:34:13 -04:00
71b2ed038c
sysnetwork: Move lines in sysnet_read_config().
2018-04-25 17:33:51 -04:00
0ae2abab2e
sysnetwork: put systemd_read_resolved_runtime in an ifdef
...
commit f865919872
2018-04-25 17:28:59 -04:00
ac9363d662
init, logging, sysnetwork, systemd, udev: Module version bump.
2018-04-17 20:20:27 -04:00
f865919872
Interface to read /run/systemd/resolve/resolv.conf
...
With systemd, /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf allow domains with access to read network configuration to read this file.
Please note, this can't be in optional due to tunable_policy in nis_authenticate interface.
type=AVC msg=audit(1523455881.596:214): avc: denied { search } for pid=944 comm="chronyd" name="resolve" dev="tmpfs" ino=14267 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=dir
type=AVC msg=audit(1523455881.596:214): avc: denied { read } for pid=944 comm="chronyd" name="resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
type=AVC msg=audit(1523455881.596:214): avc: denied { open } for pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
type=AVC msg=audit(1523455881.596:215): avc: denied { getattr } for pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-04-17 20:14:50 -04:00
ceec13419f
Fix problems booting with fips=1
...
Seeing the following problem when booting in enforcing with FIPS mode enabled.
Request for unknown module key 'CentOS Linux kernel signing key: c757a9fbbd0d82c9e54052029a0908d17cf1adc7' err -13
Then seeing the system halt
Fixing the following denials:
[ 4.492635] type=1400 audit(1523666552.903:4): avc: denied { search } for pid=894 comm="systemd-journal" name="crypto" dev="proc" ino=6124 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
[ 4.496621] type=1400 audit(1523666552.907:5): avc: denied { read } for pid=894 comm="systemd-journal" name="fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[ 4.499741] type=1400 audit(1523666552.910:6): avc: denied { open } for pid=894 comm="systemd-journal" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[ 4.502969] type=1400 audit(1523666552.914:7): avc: denied { getattr } for pid=894 comm="systemd-journal" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[ 4.950021] type=1400 audit(1523666553.360:8): avc: denied { search } for pid=952 comm="systemctl" name="crypto" dev="proc" ino=6124 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
[ 4.986551] type=1400 audit(1523666553.397:9): avc: denied { read } for pid=952 comm="systemctl" name="fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[ 5.028737] type=1400 audit(1523666553.439:10): avc: denied { open } for pid=952 comm="systemctl" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=1400 audit(1512501270.176:3): avc: denied { search } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-04-17 20:14:50 -04:00
2c54bc4eaf
Update contrib.
2018-04-12 19:11:36 -04:00
e75bcdead0
Module version bumps for patches from James Carter.
2018-04-12 18:49:46 -04:00
93238de580
Remove undeclared identifiers from xserver interface
...
The interface xserver_manage_xdm_spool_files() uses the undeclared type
xdm_spool_t. Removed statements referring to this type and marked the
interface as deprecated because it is now empty.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
b8d528ea62
Remove undeclared identifiers from interfaces
...
These interfaces are not being called in the policy.
corenetwork.if.in:corenet_sctp_bind_generic_port(),
corenet_dontaudit_sctp_bind_generic_port(), and
corenet_sctp_connect_generic_port()
Removed references to undeclared type ephemeral_port_t.
corenetwork.if.in:corenet_sctp_recvfrom_unlabeled()
Removed references to undeclared type attribute corenet_unlabled_type.
devices.if:dev_read_printk()
Removed references to undeclared type printk_device_t and marked
interface as deprecated because it is now empty.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
90b214c004
Move use of user_devpts_t from terminal.fc to userdomain.fc
...
The type user_devpts_t is actually declared in userdomain.te and moving it
removes a dependency of the base module (which terminal is a part) on a
module.
Moved the file contexts to label slave pseudo terminals with the
user_devpts_t type from terminal.fc to userdomain.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
6226181924
Move use of systemd_unit_t from systemd.fc to init.fc
...
The type systemd_unit_t is actually declared in init.te.
Moved the file contexts to label transient systemd files with the
systemd_unit_t type from systemd.fc to init.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
d172b3b45d
Move the use of initrc_var_run_t from files.fc to init.fc
...
The type initrc_var_run_t is actually declared in init.te and moving it
removes a dependency of the base module (which files is a part) on a
module.
Moved the file contexts to label motd for debian systems with the
initrc_var_run_t type from files.fc to init.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
f43db58687
Move the use of var_log_t from authlogin.fc to logging.fc
...
The type var_log_t is actually declared in logging.te.
Moved the file contexts to label dmesg and syslog files with the
var_log_t type from authlogin.fc to logging.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
da0cf8e721
Mark unused parameters as unused
...
Marked unused parameters as unused in the interfaces listed below.
userdomain.if:userdom_ro_home_role()
userdomain.if:userdom_manage_home_role()
userdomain.if:userdom_manage_tmp_role()
userdomain.if:userdom_manage_tmpfs_role()
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
2268d42fee
Removed unnecessary semicolons
...
Removed unecessary semicolons in ipsec.te, logging.te, and systemd.te
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-04-12 18:44:50 -04:00
ed60abef70
corenetwork, init: Module version bump.
2018-03-21 14:17:22 -04:00
7b6042b29c
add definition of bpf class and systemd perms
2018-03-21 14:16:52 -04:00
437e48ac53
refpolicy: Update for kernel sctp support
...
Add additional entries to support the kernel SCTP implementation
introduced in kernel 4.16
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-03-21 14:14:37 -04:00
d0bac9a48e
Update contrib.
2018-03-09 17:10:00 -05:00
94e3f48a8e
iptables: Module version bump.
2018-03-09 17:09:50 -05:00
b0b4bc947c
xtables-multi wants to getattr of the proc fs
2018-03-01 12:32:22 +01:00
9c0d0e66ff
another trivial dbus patch from Russell Coker.
2018-02-18 11:25:29 -05:00
03e2f1a809
Simple map patch from Russell Coker.
2018-02-15 17:10:34 -05:00
b492924414
Misc dbus fixes from Russell Coker.
2018-02-15 17:07:08 -05:00
Chris PeBenito
Sugar, David
Russell Coker
Nicolas Iooss
Alexander Miroshnichenko
Guido Trentalancia
Petr Vorel
Laurent Bigonville
Luis Ressel
Yuli Khodorkovskiy
Jagannathan Raman
Jason Zaman
Sven Vermeulen
James Carter
Christian Göttsche
Richard Haines
Miroslav Grepl