RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
5,569 Commits 3 Branches 49 Tags 18 MiB
Commit Graph

554 Commits

Author SHA1 Message Date
Nicolas Iooss 4f5f923171
apt: allow transition from apt_t to dpkg_t with NNP 
On a Debian 10 virtual machine, when running "apt-get update", the
following messages are logged to audit.log, several times:

    type=AVC msg=audit(1567717969.162:1639): avc:  denied  {
    nnp_transition } for  pid=5538 comm="apt-config"
    scontext=sysadm_u:sysadm_r:apt_t tcontext=sysadm_u:sysadm_r:dpkg_t
    tclass=process2 permissive=0

    type=SELINUX_ERR msg=audit(1567717969.162:1639):
    op=security_bounded_transition seresult=denied
    oldcontext=sysadm_u:sysadm_r:apt_t
    newcontext=sysadm_u:sysadm_r:dpkg_t

    type=SYSCALL msg=audit(1567717969.162:1639): arch=c000003e
    syscall=59 success=yes exit=0 a0=55ebb33d7780 a1=55ebb33ed610
    a2=7ffedd210980 a3=0 items=0 ppid=5537 pid=5538 auid=1000 uid=100
    gid=65534 euid=100 suid=100 fsuid=100 egid=65534 sgid=65534
    fsgid=65534 tty=(none) ses=45 comm="dpkg" exe="/usr/bin/dpkg"
    subj=sysadm_u:sysadm_r:apt_t key=(null)

    type=PROCTITLE msg=audit(1567717969.162:1639):
    proctitle=2F7573722F62696E2F64706B67002D2D7072696E742D666F726569676E2D61726368697465637475726573

According to strace, this occurs when sub-commands like "apt-config
shell MASTER_KEYRING APT::Key::MasterKeyring" execute
"/usr/bin/dpkg --print-foreign-architectures".

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-09-06 18:36:25 +02:00
Nicolas Iooss 3edba7f505
portage: really make consoletype module optional 
All callers of consoletype_exec() put it in an optional_policy() block
but portage. This makes consoletype module mandatory when module portage
is loaded, even when consoletype is not installed.

Fix this issue by introducing an optional_policy() block.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-09-04 22:13:41 +02:00
Chris PeBenito 6b11dcef89 Various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-08-31 06:55:57 -04:00
Nicolas Iooss f0cade07b2
Remove unescaped single dot from the policy 
In a pattern, a dot can match any character, including slash. It makes
sense when it is combined with ?, + or *, but makes little sense when
left alone.

Most of the time, the label was for file containing dots, where the dot
was not escaped. A few times, the dot was really intended to match any
character. In such case, [^/] better suits the intent.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2019-08-27 23:38:09 +02:00
Chris PeBenito 921eb37a97 rpm, selinux, sysadm, init: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-07-13 14:07:11 -04:00
Sugar, David 2831598bb5 grant rpm_t permission to map security_t 
type=AVC msg=audit(1560944462.698:217): avc:  denied  { map } for pid=1265 comm="rpm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1

v2 - Create new interface to allow mapping security_t and use this interface by rpm_t

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-07-13 14:00:23 -04:00
Chris PeBenito b85c93b582 rpm: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-07-08 20:49:31 -04:00
Sugar, David 72cc3e9136 Allow rpm scripts to alter systemd services 
In RPM scripts it is common to enable/start services that are being
installed.  This allows rpm_script_t to manage sysemd units

type=USER_AVC msg=audit(1561033935.758:283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpdate.service" cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1561033935.837:286): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpd.service" cmdline="systemctl preset ntpd.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1561059114.937:239): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=n/a uid=0 gid=0 cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-07-08 20:38:46 -04:00
Sugar, David 66bbd568e4 Allow rpm to map file contexts 
type=AVC msg=audit(1560944465.365:270): avc:  denied  { map } for pid=1265 comm="rpm" path="/etc/selinux/clip/contexts/files/file_contexts.bin" dev="dm-0" ino=44911 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-07-08 20:38:46 -04:00
Sugar, David 79fd6ddb3e grant rpm permissions to map locale_t 
type=AVC msg=audit(1560913896.408:217): avc:  denied  { map } for pid=1265 comm="rpm" path="/usr/lib/locale/locale-archive" dev="dm-0" ino=24721 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-07-08 20:38:46 -04:00
Sugar, David 8e09ba5637 grant permission for rpm to write to audit log 
Messages like this are added to the audit log when an rpm is installed:
type=SOFTWARE_UPDATE msg=audit(1560913896.581:244): pid=1265 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rpm_t:s0 msg='sw="ntpdate-4.2.6p5-25.el7_3.2.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="rpm" exe="/usr/bin/rpm" hostname=? addr=?  terminal=? res=success'

These are the denials that I'm seeing:
type=AVC msg=audit(1560913896.581:243): avc:  denied  { audit_write } for  pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1

type=AVC msg=audit(1561298132.446:240): avc:  denied  { create } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc:  denied  { write } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc:  denied  { nlmsg_relay } for  pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.447:243): avc:  denied  { read } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1

v2 - Use interface rather than adding permissions here - this change may
confuse subsequent patches in this set, if so let me know and I will
submit a pull request on github.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-07-08 20:37:19 -04:00
Sugar, David c2f504c25e grant rpm permission to map rpm_var_lib_t 
type=AVC msg=audit(1560913896.432:218): avc:  denied  { map } for pid=1265 comm="rpm" path="/var/lib/rpm/__db.001" dev="dm-0" ino=2223 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-07-08 20:37:19 -04:00
Chris PeBenito 8c3893e427 Bump module versions for release. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-06-09 14:05:19 -04:00
Chris PeBenito 3a6b7c1856 logrotate: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-05-27 19:30:24 -04:00
Chris PeBenito 5a8c36f390 logrotate: Make MTA optional. 
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
 2019-05-16 11:48:05 -04:00
Chris PeBenito 2d9ad29d04 dovecot, logrotate: Module version bump. 2019-05-03 20:39:36 -04:00
Laurent Bigonville 83f8240f04 Allow logrotate to execute fail2ban-client 
fail2ban logrotate configuration runs "fail2ban-client flushlogs" after
rotating the logs
 2019-05-03 13:34:16 +02:00
Chris PeBenito e2e4094bd4 various: Module version bump 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2019-04-16 22:08:11 -04:00
Sugar, David a49163250f Add kernel_dgram_send() into logging_send_syslog_msg() 
This patch is based on comments from previous a patch to
remove the many uses of kernel_dgram_send() and incorporate
it into logging_send_syslog_msg().

v2 - enclose in ifdef for redhat
v3 - rebase this patch on e41def136a

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-04-16 20:51:55 -04:00
Chris PeBenito 60b8e08f4f systemd, udev, usermanage: Module version bump. 2019-03-11 20:59:21 -04:00
Chris PeBenito 5260679657 usermanage: Move kernel_dgram_send(passwd_t) to systemd block. 2019-03-11 20:59:16 -04:00
Sugar, David 1cc0045642 Resolve denial while changing password 
I'm seeing the following denials reading /proc/sys/crypto/fips_enabled
and sending message for logging.  This resolves those denials.

type=AVC msg=audit(1552222811.419:470): avc:  denied  { search } for  pid=7739 comm="passwd" name="crypto" dev="proc" ino=2253 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1552222811.419:470): avc:  denied  { read } for  pid=7739 comm="passwd" name="fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:470): avc:  denied  { open } for  pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:471): avc:  denied  { getattr } for  pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

type=AVC msg=audit(1552222811.431:476): avc:  denied  { sendto } for  pid=7739 comm="passwd" path="/dev/log" scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-03-11 20:54:29 -04:00
Chris PeBenito 712e6056d9 aide, clamav: Module version bump. 2019-02-26 19:21:27 -08:00
Sugar, David 59413b10b8 Allow AIDE to mmap files 
AIDE has a compile time option WITH_MMAP which allows AIDE to
map files during scanning.  RHEL7 has set this option in the
aide rpm they distribute.

Changes made to add a tunable to enable permissions allowing
aide to map files that it needs.  I have set the default to
false as this seems perfered (in my mind).

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-26 19:11:33 -08:00
Sugar, David e5b8318420 Allow AIDE to read kernel sysctl_crypto_t 
type=AVC msg=audit(1550799594.212:164): avc:  denied  { search } for  pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550799594.212:164): avc:  denied  { read } for  pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.212:164): avc:  denied  { open } for  pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.213:165): avc:  denied  { getattr } for  pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-26 19:11:33 -08:00
Sugar, David 2f063edd88 Allow AIDE to sendto kernel datagram socket 
type=AVC msg=audit(1550799594.394:205): avc:  denied  { sendto } for  pid=7182 comm="aide" path="/dev/log" scontext=system_u:system_r:aide_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-02-26 19:11:33 -08:00
Chris PeBenito 445cbed7c7 Bump module versions for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito 30a46e5676 various: Module version bump. 2019-01-23 19:02:01 -05:00
Russell Coker eba35802cc yet more tiny stuff 
I think this should be self-explanatory.  I've added an audit trace for the
sys_ptrace access that was previously rejected.

Here is the audit log for sys_ptrace:
type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service
type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/
type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc:  denied  { sys_ptrace } for  pid=12750 comm=systemctl capability=sys_ptrace  scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0
 2019-01-23 18:32:41 -05:00
Chris PeBenito bf21c5c0d2 dpkg: Move interface implementations. 2019-01-23 18:30:15 -05:00
Chris PeBenito ed79766651 dpkg: Rename dpkg_nnp_transition() to dpkg_nnp_domtrans(). 2019-01-23 18:28:51 -05:00
Russell Coker 05cd55fb51 tiny stuff for today 
Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
be necessary.

Lots of little stuff for system_cronjob_t.

Other minor trivial changes that should be obvious.
 2019-01-23 18:26:45 -05:00
Chris PeBenito a7f2394902 various: Module version bump. 2019-01-20 16:45:55 -05:00
Russell Coker 54136fa311 more tiny stuff 
I think the old timesync labelling wasn't working anyway due to -- for a
directory name.

A couple of patches for devicekit calling dmidecode (this is part of replacing
some kmem access that was discussed on this list and rejected as a misfeature
in Debian DMI related code ages ago).

The rest should be obvious.
 2019-01-20 16:20:33 -05:00
Chris PeBenito 4a90eae668 usermanage, cron, selinuxutil: Module version bump. 2019-01-14 17:45:24 -05:00
Russell Coker dcb2d1d8b8 another trivial 
This adds a hostnamed rule and also corrects an error in a previous patch I
sent (a copy/paste error).
 2019-01-14 17:43:15 -05:00
Chris PeBenito e6a67f295c various: Module name bump. 2019-01-12 15:03:59 -05:00
Chris PeBenito e8b70915b1 Merge branch 'init_rename_pid_interfaces' of git://github.com/fishilico/selinux-refpolicy 2019-01-12 14:55:36 -05:00
Russell Coker da1de46f66 some little stuff 
Tiny and I think they are all obvious.
 2019-01-12 14:16:33 -05:00
Nicolas Iooss c3b588bc65
init: rename *_pid_* interfaces to use "runtime" 
The name of these interfaces is clearer that way.

This comes from a suggestion from
https://lore.kernel.org/selinux-refpolicy/dedf3ce8-4e9f-2313-6799-bbc9dc3a8124@ieee.org/
 2019-01-12 17:11:00 +01:00
Chris PeBenito e8ba31557d various: Module version bump. 2019-01-06 14:11:08 -05:00
Sugar, David 82494cedc1 pam_faillock creates files in /run/faillock 
These are changes needed when pam_fallock creates files in /run/faillock
(which is labeled faillog_t).  sudo and xdm (and probably other domains)
will create files in this directory for successful and failed login
attempts.

v3 - Updated based on feedback

type=AVC msg=audit(1545153126.899:210): avc:  denied  { search } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc:  denied  { write } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc:  denied  { add_name } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc:  denied  { create } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545153131.091:215): avc:  denied  { setattr } for pid=8448 comm="lightdm" name="dsugar" dev="tmpfs" ino=87599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1

type=AVC msg=audit(1545167205.531:626): avc:  denied  { search } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc:  denied  { write } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc:  denied  { add_name } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc:  denied  { create } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:faillog_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2019-01-06 13:57:18 -05:00
Russell Coker b77b4cd610 missing from previous 
Here are the things that weren't applied from my previous patches, I think they
are all worthy of inclusion.
 2019-01-06 13:44:18 -05:00
Russell Coker ef6c7f155e systemd misc 
This patch has policy changes related to systemd and the systemd versions
of system programs.

Also has some dbus policy which probably isn't strictly a systemd thing, but it
all came at the same time.
 2019-01-06 13:11:51 -05:00
Chris PeBenito d6b46686cd many: Module version bumps for changes from Russell Coker. 2019-01-05 14:33:50 -05:00
Chris PeBenito da9ff19d94 sudo: Whitespace fix. 2019-01-05 14:17:18 -05:00
Russell Coker e1babbc375 systemd related interfaces 
This patch has interface changes related to systemd support as well as policy
that uses the new interfaces.
 2019-01-05 14:17:01 -05:00
Chris PeBenito 6f12a29ecc apt, rpm: Remove and move lines to fix fc conflicts. 2019-01-05 14:09:57 -05:00
Chris PeBenito 39881a0e14 dpkg: Rename dpkg_read_script_tmp_links(). 2019-01-05 13:56:43 -05:00
Russell Coker 5125b8eb2d last misc stuff 
More tiny patches.  Note that this and the other 2 patches I just sent are not
dependent on each other, please apply any that you like.
 2019-01-05 13:54:38 -05:00
Russell Coker 73f8b85ef3 misc interfaces 
This patch has some small interface changes as well as the policy patches to
use the new interfaces.
 2019-01-05 13:36:20 -05:00
Chris PeBenito e3eba7b7ff logrotate: Module version bump. 2018-10-13 13:39:18 -04:00
Luis Ressel 14b4c0c8c7 Realign logrotate.fc, remove an obvious comment 2018-10-13 13:39:18 -04:00
Luis Ressel a604ae7ca2 Add fc for /var/lib/misc/logrotate.status 
Some distros configure logrotate to put its status file somewhere else
than the default /var/lib/logrotate.status. Debian puts it in
/var/lib/logrotate/, and Gentoo uses /var/lib/misc/.
 2018-10-13 13:39:18 -04:00
Chris PeBenito 65e8f758ca Bump module versions for release. 2018-07-01 11:02:33 -04:00
Chris PeBenito 3ab07a0e1e Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
Chris PeBenito 4d5b06428b Bump module versions for release. 2018-01-14 14:08:09 -05:00
Chris PeBenito f522bc0b75 dmesg, locallogin, modutils: Module version bump. 2017-11-18 07:32:37 -05:00
Luis Ressel 96c917b41a dmesg: Grant read access to /usr/share/terminfo 
To determine whether the $TERM supports colored output, dmesg checks the
terminfo database, which can be either in /etc or /usr/share.
 2017-11-18 05:53:50 -05:00
Chris PeBenito d2e201495a files, netutils: Module version bump. 2017-10-25 17:21:31 -04:00
Luis Ressel via refpolicy 68690d8e62 netutils: Grant netutils_t map perms for the packet_socket class 
This is required for the PACKET_RX_RING feature used by tcpdump.
 2017-10-25 17:16:06 -04:00
Chris PeBenito 495e2c203b Remove complement and wildcard in allow rules. 
Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.

This patch does not add or remove permissions from any rules.
 2017-08-13 16:21:44 -04:00
Chris PeBenito aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito 4680d9c659 netutils: Module version bump for patch from Luis Ressel. 2017-06-18 19:26:29 -04:00
Luis Ressel b6fe74c67c netutils: Allow tcpdump to reduce its capability bounding set 2017-06-18 19:23:21 -04:00
Luis Ressel 261e2772d1 netutils: Add some permissions required by nmap to traceroute_t 
nmap currently also needs "self:socket create", but I've submitted a
kernel patch to ameliorate this.
 2017-06-18 19:23:13 -04:00
Luis Ressel afe26f2e2f netutils: Mix nmap perms in with the other traceroute_t perms 2017-06-18 19:23:02 -04:00
Chris PeBenito 6293813020 Module version bump for patches from cgzones. 2017-06-12 18:48:58 -04:00
cgzones ea74a35ba7 netutils: update 
v2:
 - keep files_read_etc_files interfaces
 2017-06-12 18:41:56 -04:00
Chris PeBenito a599f28196 Module version bump for /usr/bin fc fixes from Nicolas Iooss. 2017-05-04 08:27:46 -04:00
Chris PeBenito 8ab6ff00f6 Merge branch 'usr_bin_fc' of git://github.com/fishilico/selinux-refpolicy-patched 2017-05-04 08:20:42 -04:00
Chris PeBenito bb8f9f49c3 little misc strict from Russell Coker. 2017-04-29 11:25:13 -04:00
Chris PeBenito 878735f69f Module version bump for patches from Russell Coker and Guido Trentalancia. 2017-04-26 06:39:39 -04:00
Chris PeBenito 8f6f0cf0e2 Rename apm to acpi from Russell Coker. 
This patch is slightly more involved than just running sed.  It also adds
typealias rules and doesn't change the FC entries.

The /dev/apm_bios device doesn't exist on modern systems.  I have left that
policy in for the moment on the principle of making one change per patch.  But
I might send another patch to remove that as it won't exist with modern
kernels.
 2017-04-26 06:36:20 -04:00
Chris PeBenito 57bb7dd471 another bootloader patch from Russell Coker 2017-04-18 21:30:02 -04:00
Chris PeBenito 132cc4b2d5 bootloader from Russell Coker. 
This patch adds a lot of policy that is needed to setup an initramfs and grub
on Debian nowadays.

Also changed a comment about ia64 to correctly mention EFI.
 2017-04-18 20:56:59 -04:00
Chris PeBenito b49d85c83d misc daemons from Russell Coker. 
Put in libx32 subs entries that refer to directories with fc entries.

Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
dpkg-reconfigure.

Some dontaudit rules for mta processes spawned by mon for notification.

Lots of tiny changes that are obvious.
 2017-04-18 20:38:13 -04:00
Nicolas Iooss 69c742f11b
Support systems with a single /usr/bin directory 
On systems such as Arch Linux, all programs which are usually located in
/bin, /sbin, /usr/bin and /usr/sbin are present in /usr/bin and the
other locations are symbolic links to this directory.  With such a
configuration, the file contexts which define types for files in
/bin, /sbin and /usr/sbin need to be duplicated to provide definitions
for /usr/bin/...

As the "/bin vs. /usr/bin" part of the needed definitions has already
been done with the "usr merge" patches, the next step consists in
duplicating file contexts for /usr/sbin. This is what this patch does
for all modules which are not in contrib.

This is the second iteration of an idea I have previously posted on
http://oss.tresys.com/pipermail/refpolicy/2017-March/009176.html
 2017-04-15 20:49:07 +02:00
Chris PeBenito 4d028498d8 Module version bumps for fixes from cgzones. 2017-03-05 10:48:42 -05:00
Chris PeBenito 919a478e47 Merge branch 'fix_usr_bin_merge' of git://github.com/cgzones/refpolicy 2017-03-05 09:43:50 -05:00
cgzones 4b79a54b41 modutils: adopt callers to new interfaces 2017-03-03 12:28:17 +01:00
cgzones d2702a4224 corecmd_read_bin_symlinks(): remove deprecated and redundant calls 2017-03-03 12:00:07 +01:00
Chris PeBenito ca04cdb14b Module version bump for patches from cgzones. 2017-02-26 12:23:19 -05:00
Chris PeBenito 10388e1319 auth: Move optional out of auth_use_pam_systemd() to callers. 2017-02-26 12:08:02 -05:00
Chris PeBenito 2170c65ad9 Merge branch 'su_module' of git://github.com/cgzones/refpolicy 2017-02-26 11:48:37 -05:00
Chris PeBenito 53fb3a3ba4 dpkg: Updates from Russell Coker. 2017-02-19 16:13:14 -05:00
cgzones ba0e51c5b0 su: some adjustments 
* systemd fixes
* remove unused attribute su_domain_type
* remove hide_broken_symptoms sections
* dontaudit init_t proc files access
* dontaudit net_admin capability due to setsockopt
 2017-02-18 21:50:45 +01:00
Chris PeBenito 1720e109a3 Sort capabilities permissions from Russell Coker. 2017-02-15 18:47:33 -05:00
Chris PeBenito e9b2a7943c Module version bump for bootloader patch revert. Plus compat alias. 2017-02-11 14:51:21 -05:00
Chris PeBenito 0e80a8a7cf Revert "bootloader: stricter permissions and more tailored file contexts" 
This reverts commit b0c13980d2.
 2017-02-11 14:26:48 -05:00
Chris PeBenito 2e7553db63 Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. 2017-02-04 15:19:35 -05:00
Chris PeBenito 69ede859e8 Bump module versions for release. 2017-02-04 13:30:53 -05:00
Chris PeBenito 67c435f1fc Module version bump for fc updates from Nicolas Iooss. 2016-12-28 14:38:05 -05:00
Chris PeBenito b6b7173fb1 Merge branch 'usr-fc' of git://github.com/fishilico/selinux-refpolicy-patched 2016-12-28 14:30:19 -05:00
Nicolas Iooss 85d678bd2f
Add file contexts in /usr for /bin, /usr/sbin and /usr/lib 
Some policy modules define file contexts in /bin, /sbin and /lib without
defining similar file contexts in the same directory under /usr.

Add these missing file contexts when there are outside ifdef blocks.
 2016-12-27 17:06:54 +01:00
Chris PeBenito 19c3addb99 Module version bump for patches from Guido Trentalancia. 2016-12-27 10:51:56 -05:00
Guido Trentalancia b0c13980d2 bootloader: stricter permissions and more tailored file contexts 
Update the bootloader module so that it can manage only its
own runtime files and not all boot_t files (which include,
for example, the common locations for kernel images and
initramfs archives) and so that it can execute only its own
etc files (needed by grub2-mkconfig) and not all etc_t files
which is more dangerous.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
 2016-12-27 10:22:55 -05:00
Chris PeBenito 950fc2cd7e Module version bump for netutils patch from Luis Ressel. 2016-12-11 14:59:14 -05:00
Luis Ressel d73a8bb52c netutils: Label iptstate as netutils_t 
>From the package description: "IP Tables State displays states being kept
by iptables in a top-like format". The netutils_t permission set fits it
snugly.
 2016-12-11 14:58:35 -05:00
cgzones d8cb498284 remove trailing whitespaces 2016-12-06 13:45:13 +01:00