Nicolas Iooss
4f5f923171
apt: allow transition from apt_t to dpkg_t with NNP
...
On a Debian 10 virtual machine, when running "apt-get update", the
following messages are logged to audit.log, several times:
type=AVC msg=audit(1567717969.162:1639): avc: denied {
nnp_transition } for pid=5538 comm="apt-config"
scontext=sysadm_u:sysadm_r:apt_t tcontext=sysadm_u:sysadm_r:dpkg_t
tclass=process2 permissive=0
type=SELINUX_ERR msg=audit(1567717969.162:1639):
op=security_bounded_transition seresult=denied
oldcontext=sysadm_u:sysadm_r:apt_t
newcontext=sysadm_u:sysadm_r:dpkg_t
type=SYSCALL msg=audit(1567717969.162:1639): arch=c000003e
syscall=59 success=yes exit=0 a0=55ebb33d7780 a1=55ebb33ed610
a2=7ffedd210980 a3=0 items=0 ppid=5537 pid=5538 auid=1000 uid=100
gid=65534 euid=100 suid=100 fsuid=100 egid=65534 sgid=65534
fsgid=65534 tty=(none) ses=45 comm="dpkg" exe="/usr/bin/dpkg"
subj=sysadm_u:sysadm_r:apt_t key=(null)
type=PROCTITLE msg=audit(1567717969.162:1639):
proctitle=2F7573722F62696E2F64706B67002D2D7072696E742D666F726569676E2D61726368697465637475726573
According to strace, this occurs when sub-commands like "apt-config
shell MASTER_KEYRING APT::Key::MasterKeyring" execute
"/usr/bin/dpkg --print-foreign-architectures".
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-06 18:36:25 +02:00
Nicolas Iooss
3edba7f505
portage: really make consoletype module optional
...
All callers of consoletype_exec() put it in an optional_policy() block
but portage. This makes consoletype module mandatory when module portage
is loaded, even when consoletype is not installed.
Fix this issue by introducing an optional_policy() block.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-04 22:13:41 +02:00
Chris PeBenito
6b11dcef89
Various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-08-31 06:55:57 -04:00
Nicolas Iooss
f0cade07b2
Remove unescaped single dot from the policy
...
In a pattern, a dot can match any character, including slash. It makes
sense when it is combined with ?, + or *, but makes little sense when
left alone.
Most of the time, the label was for file containing dots, where the dot
was not escaped. A few times, the dot was really intended to match any
character. In such case, [^/] better suits the intent.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-27 23:38:09 +02:00
Chris PeBenito
921eb37a97
rpm, selinux, sysadm, init: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-07-13 14:07:11 -04:00
Sugar, David
2831598bb5
grant rpm_t permission to map security_t
...
type=AVC msg=audit(1560944462.698:217): avc: denied { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
v2 - Create new interface to allow mapping security_t and use this interface by rpm_t
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-13 14:00:23 -04:00
Chris PeBenito
b85c93b582
rpm: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-07-08 20:49:31 -04:00
Sugar, David
72cc3e9136
Allow rpm scripts to alter systemd services
...
In RPM scripts it is common to enable/start services that are being
installed. This allows rpm_script_t to manage sysemd units
type=USER_AVC msg=audit(1561033935.758:283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpdate.service" cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1561033935.837:286): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpd.service" cmdline="systemctl preset ntpd.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1561059114.937:239): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=n/a uid=0 gid=0 cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-08 20:38:46 -04:00
Sugar, David
66bbd568e4
Allow rpm to map file contexts
...
type=AVC msg=audit(1560944465.365:270): avc: denied { map } for pid=1265 comm="rpm" path="/etc/selinux/clip/contexts/files/file_contexts.bin" dev="dm-0" ino=44911 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-08 20:38:46 -04:00
Sugar, David
79fd6ddb3e
grant rpm permissions to map locale_t
...
type=AVC msg=audit(1560913896.408:217): avc: denied { map } for pid=1265 comm="rpm" path="/usr/lib/locale/locale-archive" dev="dm-0" ino=24721 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-08 20:38:46 -04:00
Sugar, David
8e09ba5637
grant permission for rpm to write to audit log
...
Messages like this are added to the audit log when an rpm is installed:
type=SOFTWARE_UPDATE msg=audit(1560913896.581:244): pid=1265 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rpm_t:s0 msg='sw="ntpdate-4.2.6p5-25.el7_3.2.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="rpm" exe="/usr/bin/rpm" hostname=? addr=? terminal=? res=success'
These are the denials that I'm seeing:
type=AVC msg=audit(1560913896.581:243): avc: denied { audit_write } for pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1561298132.446:240): avc: denied { create } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc: denied { write } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc: denied { nlmsg_relay } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.447:243): avc: denied { read } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
v2 - Use interface rather than adding permissions here - this change may
confuse subsequent patches in this set, if so let me know and I will
submit a pull request on github.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-08 20:37:19 -04:00
Sugar, David
c2f504c25e
grant rpm permission to map rpm_var_lib_t
...
type=AVC msg=audit(1560913896.432:218): avc: denied { map } for pid=1265 comm="rpm" path="/var/lib/rpm/__db.001" dev="dm-0" ino=2223 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-07-08 20:37:19 -04:00
Chris PeBenito
8c3893e427
Bump module versions for release.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-06-09 14:05:19 -04:00
Chris PeBenito
3a6b7c1856
logrotate: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-05-27 19:30:24 -04:00
Chris PeBenito
5a8c36f390
logrotate: Make MTA optional.
...
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-05-16 11:48:05 -04:00
Chris PeBenito
2d9ad29d04
dovecot, logrotate: Module version bump.
2019-05-03 20:39:36 -04:00
Laurent Bigonville
83f8240f04
Allow logrotate to execute fail2ban-client
...
fail2ban logrotate configuration runs "fail2ban-client flushlogs" after
rotating the logs
2019-05-03 13:34:16 +02:00
Chris PeBenito
e2e4094bd4
various: Module version bump
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-04-16 22:08:11 -04:00
Sugar, David
a49163250f
Add kernel_dgram_send() into logging_send_syslog_msg()
...
This patch is based on comments from previous a patch to
remove the many uses of kernel_dgram_send() and incorporate
it into logging_send_syslog_msg().
v2 - enclose in ifdef for redhat
v3 - rebase this patch on e41def136a
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-04-16 20:51:55 -04:00
Chris PeBenito
60b8e08f4f
systemd, udev, usermanage: Module version bump.
2019-03-11 20:59:21 -04:00
Chris PeBenito
5260679657
usermanage: Move kernel_dgram_send(passwd_t) to systemd block.
2019-03-11 20:59:16 -04:00
Sugar, David
1cc0045642
Resolve denial while changing password
...
I'm seeing the following denials reading /proc/sys/crypto/fips_enabled
and sending message for logging. This resolves those denials.
type=AVC msg=audit(1552222811.419:470): avc: denied { search } for pid=7739 comm="passwd" name="crypto" dev="proc" ino=2253 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1552222811.419:470): avc: denied { read } for pid=7739 comm="passwd" name="fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:470): avc: denied { open } for pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:471): avc: denied { getattr } for pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.431:476): avc: denied { sendto } for pid=7739 comm="passwd" path="/dev/log" scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-11 20:54:29 -04:00
Chris PeBenito
712e6056d9
aide, clamav: Module version bump.
2019-02-26 19:21:27 -08:00
Sugar, David
59413b10b8
Allow AIDE to mmap files
...
AIDE has a compile time option WITH_MMAP which allows AIDE to
map files during scanning. RHEL7 has set this option in the
aide rpm they distribute.
Changes made to add a tunable to enable permissions allowing
aide to map files that it needs. I have set the default to
false as this seems perfered (in my mind).
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
e5b8318420
Allow AIDE to read kernel sysctl_crypto_t
...
type=AVC msg=audit(1550799594.212:164): avc: denied { search } for pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550799594.212:164): avc: denied { read } for pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.212:164): avc: denied { open } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.213:165): avc: denied { getattr } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Sugar, David
2f063edd88
Allow AIDE to sendto kernel datagram socket
...
type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for pid=7182 comm="aide" path="/dev/log" scontext=system_u:system_r:aide_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-26 19:11:33 -08:00
Chris PeBenito
445cbed7c7
Bump module versions for release.
2019-02-01 15:03:42 -05:00
Chris PeBenito
30a46e5676
various: Module version bump.
2019-01-23 19:02:01 -05:00
Russell Coker
eba35802cc
yet more tiny stuff
...
I think this should be self-explanatory. I've added an audit trace for the
sys_ptrace access that was previously rejected.
Here is the audit log for sys_ptrace:
type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service
type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/
type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc: denied { sys_ptrace } for pid=12750 comm=systemctl capability=sys_ptrace scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0
2019-01-23 18:32:41 -05:00
Chris PeBenito
bf21c5c0d2
dpkg: Move interface implementations.
2019-01-23 18:30:15 -05:00
Chris PeBenito
ed79766651
dpkg: Rename dpkg_nnp_transition() to dpkg_nnp_domtrans().
2019-01-23 18:28:51 -05:00
Russell Coker
05cd55fb51
tiny stuff for today
...
Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
be necessary.
Lots of little stuff for system_cronjob_t.
Other minor trivial changes that should be obvious.
2019-01-23 18:26:45 -05:00
Chris PeBenito
a7f2394902
various: Module version bump.
2019-01-20 16:45:55 -05:00
Russell Coker
54136fa311
more tiny stuff
...
I think the old timesync labelling wasn't working anyway due to -- for a
directory name.
A couple of patches for devicekit calling dmidecode (this is part of replacing
some kmem access that was discussed on this list and rejected as a misfeature
in Debian DMI related code ages ago).
The rest should be obvious.
2019-01-20 16:20:33 -05:00
Chris PeBenito
4a90eae668
usermanage, cron, selinuxutil: Module version bump.
2019-01-14 17:45:24 -05:00
Russell Coker
dcb2d1d8b8
another trivial
...
This adds a hostnamed rule and also corrects an error in a previous patch I
sent (a copy/paste error).
2019-01-14 17:43:15 -05:00
Chris PeBenito
e6a67f295c
various: Module name bump.
2019-01-12 15:03:59 -05:00
Chris PeBenito
e8b70915b1
Merge branch 'init_rename_pid_interfaces' of git://github.com/fishilico/selinux-refpolicy
2019-01-12 14:55:36 -05:00
Russell Coker
da1de46f66
some little stuff
...
Tiny and I think they are all obvious.
2019-01-12 14:16:33 -05:00
Nicolas Iooss
c3b588bc65
init: rename *_pid_* interfaces to use "runtime"
...
The name of these interfaces is clearer that way.
This comes from a suggestion from
https://lore.kernel.org/selinux-refpolicy/dedf3ce8-4e9f-2313-6799-bbc9dc3a8124@ieee.org/
2019-01-12 17:11:00 +01:00
Chris PeBenito
e8ba31557d
various: Module version bump.
2019-01-06 14:11:08 -05:00
Sugar, David
82494cedc1
pam_faillock creates files in /run/faillock
...
These are changes needed when pam_fallock creates files in /run/faillock
(which is labeled faillog_t). sudo and xdm (and probably other domains)
will create files in this directory for successful and failed login
attempts.
v3 - Updated based on feedback
type=AVC msg=audit(1545153126.899:210): avc: denied { search } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { write } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { add_name } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { create } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545153131.091:215): avc: denied { setattr } for pid=8448 comm="lightdm" name="dsugar" dev="tmpfs" ino=87599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545167205.531:626): avc: denied { search } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc: denied { write } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc: denied { add_name } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc: denied { create } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:faillog_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-01-06 13:57:18 -05:00
Russell Coker
b77b4cd610
missing from previous
...
Here are the things that weren't applied from my previous patches, I think they
are all worthy of inclusion.
2019-01-06 13:44:18 -05:00
Russell Coker
ef6c7f155e
systemd misc
...
This patch has policy changes related to systemd and the systemd versions
of system programs.
Also has some dbus policy which probably isn't strictly a systemd thing, but it
all came at the same time.
2019-01-06 13:11:51 -05:00
Chris PeBenito
d6b46686cd
many: Module version bumps for changes from Russell Coker.
2019-01-05 14:33:50 -05:00
Chris PeBenito
da9ff19d94
sudo: Whitespace fix.
2019-01-05 14:17:18 -05:00
Russell Coker
e1babbc375
systemd related interfaces
...
This patch has interface changes related to systemd support as well as policy
that uses the new interfaces.
2019-01-05 14:17:01 -05:00
Chris PeBenito
6f12a29ecc
apt, rpm: Remove and move lines to fix fc conflicts.
2019-01-05 14:09:57 -05:00
Chris PeBenito
39881a0e14
dpkg: Rename dpkg_read_script_tmp_links().
2019-01-05 13:56:43 -05:00
Russell Coker
5125b8eb2d
last misc stuff
...
More tiny patches. Note that this and the other 2 patches I just sent are not
dependent on each other, please apply any that you like.
2019-01-05 13:54:38 -05:00
Russell Coker
73f8b85ef3
misc interfaces
...
This patch has some small interface changes as well as the policy patches to
use the new interfaces.
2019-01-05 13:36:20 -05:00
Chris PeBenito
e3eba7b7ff
logrotate: Module version bump.
2018-10-13 13:39:18 -04:00
Luis Ressel
14b4c0c8c7
Realign logrotate.fc, remove an obvious comment
2018-10-13 13:39:18 -04:00
Luis Ressel
a604ae7ca2
Add fc for /var/lib/misc/logrotate.status
...
Some distros configure logrotate to put its status file somewhere else
than the default /var/lib/logrotate.status. Debian puts it in
/var/lib/logrotate/, and Gentoo uses /var/lib/misc/.
2018-10-13 13:39:18 -04:00
Chris PeBenito
65e8f758ca
Bump module versions for release.
2018-07-01 11:02:33 -04:00
Chris PeBenito
3ab07a0e1e
Move all files out of the old contrib directory.
2018-06-23 10:38:58 -04:00
Chris PeBenito
4d5b06428b
Bump module versions for release.
2018-01-14 14:08:09 -05:00
Chris PeBenito
f522bc0b75
dmesg, locallogin, modutils: Module version bump.
2017-11-18 07:32:37 -05:00
Luis Ressel
96c917b41a
dmesg: Grant read access to /usr/share/terminfo
...
To determine whether the $TERM supports colored output, dmesg checks the
terminfo database, which can be either in /etc or /usr/share.
2017-11-18 05:53:50 -05:00
Chris PeBenito
d2e201495a
files, netutils: Module version bump.
2017-10-25 17:21:31 -04:00
Luis Ressel via refpolicy
68690d8e62
netutils: Grant netutils_t map perms for the packet_socket class
...
This is required for the PACKET_RX_RING feature used by tcpdump.
2017-10-25 17:16:06 -04:00
Chris PeBenito
495e2c203b
Remove complement and wildcard in allow rules.
...
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
2017-08-13 16:21:44 -04:00
Chris PeBenito
aa0eecf3e3
Bump module versions for release.
2017-08-05 12:59:42 -04:00
Chris PeBenito
4680d9c659
netutils: Module version bump for patch from Luis Ressel.
2017-06-18 19:26:29 -04:00
Luis Ressel
b6fe74c67c
netutils: Allow tcpdump to reduce its capability bounding set
2017-06-18 19:23:21 -04:00
Luis Ressel
261e2772d1
netutils: Add some permissions required by nmap to traceroute_t
...
nmap currently also needs "self:socket create", but I've submitted a
kernel patch to ameliorate this.
2017-06-18 19:23:13 -04:00
Luis Ressel
afe26f2e2f
netutils: Mix nmap perms in with the other traceroute_t perms
2017-06-18 19:23:02 -04:00
Chris PeBenito
6293813020
Module version bump for patches from cgzones.
2017-06-12 18:48:58 -04:00
cgzones
ea74a35ba7
netutils: update
...
v2:
- keep files_read_etc_files interfaces
2017-06-12 18:41:56 -04:00
Chris PeBenito
a599f28196
Module version bump for /usr/bin fc fixes from Nicolas Iooss.
2017-05-04 08:27:46 -04:00
Chris PeBenito
8ab6ff00f6
Merge branch 'usr_bin_fc' of git://github.com/fishilico/selinux-refpolicy-patched
2017-05-04 08:20:42 -04:00
Chris PeBenito
bb8f9f49c3
little misc strict from Russell Coker.
2017-04-29 11:25:13 -04:00
Chris PeBenito
878735f69f
Module version bump for patches from Russell Coker and Guido Trentalancia.
2017-04-26 06:39:39 -04:00
Chris PeBenito
8f6f0cf0e2
Rename apm to acpi from Russell Coker.
...
This patch is slightly more involved than just running sed. It also adds
typealias rules and doesn't change the FC entries.
The /dev/apm_bios device doesn't exist on modern systems. I have left that
policy in for the moment on the principle of making one change per patch. But
I might send another patch to remove that as it won't exist with modern
kernels.
2017-04-26 06:36:20 -04:00
Chris PeBenito
57bb7dd471
another bootloader patch from Russell Coker
2017-04-18 21:30:02 -04:00
Chris PeBenito
132cc4b2d5
bootloader from Russell Coker.
...
This patch adds a lot of policy that is needed to setup an initramfs and grub
on Debian nowadays.
Also changed a comment about ia64 to correctly mention EFI.
2017-04-18 20:56:59 -04:00
Chris PeBenito
b49d85c83d
misc daemons from Russell Coker.
...
Put in libx32 subs entries that refer to directories with fc entries.
Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
dpkg-reconfigure.
Some dontaudit rules for mta processes spawned by mon for notification.
Lots of tiny changes that are obvious.
2017-04-18 20:38:13 -04:00
Nicolas Iooss
69c742f11b
Support systems with a single /usr/bin directory
...
On systems such as Arch Linux, all programs which are usually located in
/bin, /sbin, /usr/bin and /usr/sbin are present in /usr/bin and the
other locations are symbolic links to this directory. With such a
configuration, the file contexts which define types for files in
/bin, /sbin and /usr/sbin need to be duplicated to provide definitions
for /usr/bin/...
As the "/bin vs. /usr/bin" part of the needed definitions has already
been done with the "usr merge" patches, the next step consists in
duplicating file contexts for /usr/sbin. This is what this patch does
for all modules which are not in contrib.
This is the second iteration of an idea I have previously posted on
http://oss.tresys.com/pipermail/refpolicy/2017-March/009176.html
2017-04-15 20:49:07 +02:00
Chris PeBenito
4d028498d8
Module version bumps for fixes from cgzones.
2017-03-05 10:48:42 -05:00
Chris PeBenito
919a478e47
Merge branch 'fix_usr_bin_merge' of git://github.com/cgzones/refpolicy
2017-03-05 09:43:50 -05:00
cgzones
4b79a54b41
modutils: adopt callers to new interfaces
2017-03-03 12:28:17 +01:00
cgzones
d2702a4224
corecmd_read_bin_symlinks(): remove deprecated and redundant calls
2017-03-03 12:00:07 +01:00
Chris PeBenito
ca04cdb14b
Module version bump for patches from cgzones.
2017-02-26 12:23:19 -05:00
Chris PeBenito
10388e1319
auth: Move optional out of auth_use_pam_systemd() to callers.
2017-02-26 12:08:02 -05:00
Chris PeBenito
2170c65ad9
Merge branch 'su_module' of git://github.com/cgzones/refpolicy
2017-02-26 11:48:37 -05:00
Chris PeBenito
53fb3a3ba4
dpkg: Updates from Russell Coker.
2017-02-19 16:13:14 -05:00
cgzones
ba0e51c5b0
su: some adjustments
...
* systemd fixes
* remove unused attribute su_domain_type
* remove hide_broken_symptoms sections
* dontaudit init_t proc files access
* dontaudit net_admin capability due to setsockopt
2017-02-18 21:50:45 +01:00
Chris PeBenito
1720e109a3
Sort capabilities permissions from Russell Coker.
2017-02-15 18:47:33 -05:00
Chris PeBenito
e9b2a7943c
Module version bump for bootloader patch revert. Plus compat alias.
2017-02-11 14:51:21 -05:00
Chris PeBenito
0e80a8a7cf
Revert "bootloader: stricter permissions and more tailored file contexts"
...
This reverts commit b0c13980d2
.
2017-02-11 14:26:48 -05:00
Chris PeBenito
2e7553db63
Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker.
2017-02-04 15:19:35 -05:00
Chris PeBenito
69ede859e8
Bump module versions for release.
2017-02-04 13:30:53 -05:00
Chris PeBenito
67c435f1fc
Module version bump for fc updates from Nicolas Iooss.
2016-12-28 14:38:05 -05:00
Chris PeBenito
b6b7173fb1
Merge branch 'usr-fc' of git://github.com/fishilico/selinux-refpolicy-patched
2016-12-28 14:30:19 -05:00
Nicolas Iooss
85d678bd2f
Add file contexts in /usr for /bin, /usr/sbin and /usr/lib
...
Some policy modules define file contexts in /bin, /sbin and /lib without
defining similar file contexts in the same directory under /usr.
Add these missing file contexts when there are outside ifdef blocks.
2016-12-27 17:06:54 +01:00
Chris PeBenito
19c3addb99
Module version bump for patches from Guido Trentalancia.
2016-12-27 10:51:56 -05:00
Guido Trentalancia
b0c13980d2
bootloader: stricter permissions and more tailored file contexts
...
Update the bootloader module so that it can manage only its
own runtime files and not all boot_t files (which include,
for example, the common locations for kernel images and
initramfs archives) and so that it can execute only its own
etc files (needed by grub2-mkconfig) and not all etc_t files
which is more dangerous.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-27 10:22:55 -05:00
Chris PeBenito
950fc2cd7e
Module version bump for netutils patch from Luis Ressel.
2016-12-11 14:59:14 -05:00
Luis Ressel
d73a8bb52c
netutils: Label iptstate as netutils_t
...
>From the package description: "IP Tables State displays states being kept
by iptables in a top-like format". The netutils_t permission set fits it
snugly.
2016-12-11 14:58:35 -05:00
cgzones
d8cb498284
remove trailing whitespaces
2016-12-06 13:45:13 +01:00