Chris PeBenito
3f6d37aec9
Module version bumps.
2017-11-14 18:33:06 -05:00
Luis Ressel
87b7360837
xserver: Allow xdm_t to map usr_t files
This is required for gtk-based login managers to access gtk's icon
cache. IIRC, past discussion on the ML came to the conclusion that
adding a new domain for this would be overkill.
2017-11-14 18:32:46 -05:00
Luis Ressel
d23a97ff9c
libraries: Add fc entry for musl's ld.so config
2017-11-14 18:32:46 -05:00
Chris PeBenito
523dbe2845
Several module version bumps.
2017-11-09 20:36:54 -05:00
Guido Trentalancia
cc91fed88d
base: create a type for SSL private keys
Reserve the tls_privkey_t file label for SSL/TLS private keys (e.g.
files in /etc/pki/*/private/).
Create and use appropriate interfaces for such new scenario (so
that SSL/TLS private keys are protected).
This part (1/2) refers to the base policy changes.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
2017-11-09 17:28:26 -05:00
Chris PeBenito
2037c8f294
kernel, mls, sysadm, ssh, xserver, authlogin, locallogin, userdomain: Module version bumps.
2017-11-04 14:16:20 -04:00
Jason Zaman
9adc6c5ddb
gssproxy: Allow others to stream connect
kernel AVC:
* Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
* start-stop-daemon: failed to start `gssproxy'
type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0
2017-11-04 14:00:56 -04:00
Jason Zaman
6efe498a9b
Add key interfaces and perms
Mostly taken from the Fedora rawhide policy
2017-11-04 14:00:56 -04:00
Jason Zaman
09ae441706
mls mcs: Add constraints for key class
Taken from Fedora's policy
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs
2017-11-04 14:00:56 -04:00
Chris PeBenito
5a73eaf64e
files, userdomain: Module version bump.
2017-11-01 19:03:30 -04:00
Jason Zaman
7d8ee436d7
files: fcontext for /etc/zfs/zpool.cache
2017-11-01 18:59:17 -04:00
Jason Zaman
d5f6a58a77
userdomain: allow admin to rw tape storage
2017-11-01 18:59:17 -04:00
Chris PeBenito
289be9e0b4
Update contrib.
2017-10-30 21:39:46 -04:00
Chris PeBenito
52b53077cd
miscfiles: Module version bump.
2017-10-30 21:39:39 -04:00
Russell Coker
d97a1cd3c8
refpolicy and certs
The following patch allows mon_t to set limits for its children and removes
cert_t labelling from CA public keys (that aren't secret) so that processes
which only need to verify keys (e.g. https clients) don't need cert_t access.
2017-10-30 21:38:27 -04:00
Chris PeBenito
d2e201495a
files, netutils: Module version bump.
2017-10-25 17:21:31 -04:00
Luis Ressel via refpolicy
68690d8e62
netutils: Grant netutils_t map perms for the packet_socket class
This is required for the PACKET_RX_RING feature used by tcpdump.
2017-10-25 17:16:06 -04:00
Luis Ressel via refpolicy
75a5ebca75
kernel/files.if: files_list_kernel_modules should grant read perms for symlinks
files_search_kernel_modules also grants this; there are a couple of
symlinks in /lib/modules/.
2017-10-25 17:16:06 -04:00
Chris PeBenito
0bdd993c1c
Update contrib.
2017-10-22 14:26:43 -04:00
Chris PeBenito
1b405f4a90
files, init, sysnetwork, systemd: Module version bumps.
2017-10-12 18:48:29 -04:00
Chris PeBenito
6128c262bb
Merge branch 'systemd-networkd'
# Conflicts:
# policy/modules/system/init.te
2017-10-12 18:40:15 -04:00
David Sugar
4a54f9c1f0
policy for systemd-networkd
Policy needed for systemd-networkd to function. This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch). He was too busy to update and I needed to get it working.
I am pretty sure I updated everything mentioned in previous feedback, please comment if something is still off and I will revise.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-10-12 18:38:54 -04:00
Chris PeBenito
2ec1c9b85c
files: Whitespace fix.
2017-10-12 18:00:12 -04:00
David Sugar
e7b4159ec5
Denial relabeling /run/systemd/private
I am seeing the following denial (in dmesg) during system startup:
[ 4.623332] type=1400 audit(1507767947.042:3): avc: denied { relabelto } for pid=1 comm="systemd" name="private" dev="tmpfs" ino=5865 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
It appears that systemd is attempting to relabel the socket file /run/systemd/private to init_var_run_t but doesn't have permission.
Updated to create a new interface for relabeling of sock_files rather than adding to the existing interface.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-10-12 18:00:12 -04:00
Chris PeBenito
2fca8c8d95
init: Clean up line placement in init_systemd blocks.
No rule changes.
2017-10-12 17:42:23 -04:00
Chris PeBenito
3001c50364
ipsec: Module version bump.
2017-10-11 18:45:29 -04:00
David Graziano
99aebc2af5
system/ipsec: Add signull access for strongSwan
Allows ipsec_supervisor_t domain to signull other
strongSwan domains.
Signed-off-by: David Graziano <david.graziano@rockwellcollins.com>
2017-10-11 08:17:51 -05:00
Chris PeBenito
2ae2b38e6d
Module version bumps.
2017-10-10 20:32:43 -04:00
David Sugar
967ef00181
Fix problem labeling /run/log/journal/*
Fix the following denials I was seeing in dmesg from init_t (systemd) when attempting to relabel /run/log/journal/*
[ 4.758398] type=1400 audit(1507601754.187:3): avc: denied { relabelto } for pid=1 comm="systemd" name="log" dev="tmpfs" ino=1365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
[ 4.758541] systemd[1]: Unable to fix SELinux security context of /run/log: Permission denied
[ 4.758736] type=1400 audit(1507601754.187:4): avc: denied { relabelto } for pid=1 comm="systemd" name="journal" dev="tmpfs" ino=7004 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir
[ 4.758773] systemd[1]: Unable to fix SELinux security context of /run/log/journal: Permission denied
[ 4.758928] type=1400 audit(1507601754.187:5): avc: denied { relabelto } for pid=1 comm="systemd" name="791393fb4b8f4a59af4266b634b218e2" dev="tmpfs" ino=7005 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir
[ 4.758960] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2: Permission denied
[ 4.759144] type=1400 audit(1507601754.187:6): avc: denied { relabelto } for pid=1 comm="systemd" name="system.journal" dev="tmpfs" ino=7006 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file
[ 4.759196] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2/system.journal: Permission denied
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-10-10 20:24:18 -04:00
Chris PeBenito
570bfa8cbd
devices: Module version bump.
2017-10-09 14:51:56 -04:00
Konrad Rzeszutek Wilk
b5c8b1d77d
kernel/xen: Add map permission to the dev_rw_xen
type=AVC msg=audit(1504637347.487:280): avc: denied { map } for pid=857 comm="xenconsoled" path="/dev/xen/privcmd" dev="devtmpfs" ino=16289 scontext=system_u:system_r:xenconsoled_t:s0
Without this we can't use xenconsole (client) to
talk to xenconsoled (server).
Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
2017-10-09 13:57:47 -04:00
Konrad Rzeszutek Wilk
c7d48c3bc2
kernel/xen: Update for Xen 4.6
libxenstored since git commit 9c89dc95201ffed5fead17b35754bf9440fdbdc0
prefers to use "/dev/xen/xenbus" over the "/proc/xen/xenbus".
Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
2017-10-09 13:57:47 -04:00
Chris PeBenito
f47c35d20c
init: Module version bump.
2017-09-27 19:45:01 -04:00
David Sugar
c1eac683fa
remove interface init_inherit_rlimit
Update patch to remove init_inherit_rlimit interface and always grant this access for init_t domain (systemd or otherwise). I hope ordering of the new rules is correct.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-09-27 19:37:19 -04:00
Chris PeBenito
de13b68208
corecommands: Module version bump.
2017-09-23 14:36:56 -04:00
David Sugar via refpolicy
f3e0a751db
label /etc/mcelog/mcelog.setup correctly (for RHEL)
I am seeing the following denials when mcelog.service is attempting to execute /etc/mcelog/mcelog.setup (on RHEL 7). It should be labeled bin_t.
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc: denied { execute } for pid=626 comm="(og.setup)" name="mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc: denied { read open } for pid=626 comm="(og.setup)" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc: denied { execute_no_trans } for pid=626 comm="(og.setup)" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.859:28): arch=c000003e syscall=59 success=yes exit=0 a0=55a0ddd00260 a1=55a0ddcd1be0 a2=55a0ddd02e90 a3=3 items=3 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog.setup" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
Sep 21 02:45:50 localhost audit: type=EXECVE msg=audit(1505961383.859:28): argc=2 a0="/bin/sh" a1="/etc/mcelog/mcelog.setup"
Sep 21 02:45:50 localhost audit: type=PATH msg=audit(1505961383.859:28): item=0 name="/etc/mcelog/mcelog.setup" inode=718731 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mcelog_etc_t:s0 objtype=NORMAL
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.862:29): avc: denied { ioctl } for pid=626 comm="mcelog.setup" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.862:29): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7ffec57f28f0 a3=7ffec57f2690 items=0 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog.setup" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.867:30): avc: denied { getattr } for pid=626 comm="mcelog.setup" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.867:30): arch=c000003e syscall=5 success=yes exit=0 a0=ff a1=7ffec57f2890 a2=7ffec57f2890 a3=7ffec57f25a0 items=0 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog.setup" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2017-09-23 14:30:35 -04:00
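Several of the commits above (mcelog.setup, /run/log/journal, gssproxy) were driven by AVC denial records like the ones they quote. As an added illustration that is not part of any commit in this log, the following script parses such records, in both the dmesg `type=1400 audit(...)` and the auditd `type=AVC msg=audit(...)` forms, merges permissions per source type, target type and class, and renders them as allow rules in the style of audit2allow. The sample input is constructed from denial lines quoted on this page; the function names are ours.

```python
import re

# Constructed sample: AVC records copied from the commit messages on this page,
# plus one SYSCALL record that must be ignored (it carries no "avc: denied").
SAMPLE_LOG = """\
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc: denied { execute } for pid=626 comm="(og.setup)" name="mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc: denied { read open } for pid=626 comm="(og.setup)" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.859:28): arch=c000003e syscall=59 success=yes exit=0
[ 4.758398] type=1400 audit(1507601754.187:3): avc: denied { relabelto } for pid=1 comm="systemd" name="log" dev="tmpfs" ino=1365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0
"""

# The permission set sits between braces; scontext/tcontext/tclass follow later
# on the same line.  Non-greedy ".*?" skips pid=, comm=, path=, etc.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def _type_of(context):
    """user:role:type[:range] -> type (the range, e.g. s0-s0:c0.c1023, is dropped)."""
    return context.split(":")[2]


def parse_denials(text):
    """Return {(src_type, tgt_type, tclass): set(perms)} for every AVC denial in text."""
    denials = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, EXECVE records and ordinary log lines
        key = (_type_of(m["scontext"]), _type_of(m["tcontext"]), m["tclass"])
        denials.setdefault(key, set()).update(m["perms"].split())
    return denials


def to_allow_rules(denials):
    """Render merged denials as allow rules, sorted so repeated runs diff cleanly."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        body = " ".join(sorted(perms))
        body = body if len(perms) == 1 else "{ " + body + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


if __name__ == "__main__":
    for rule in to_allow_rules(parse_denials(SAMPLE_LOG)):
        print(rule)
```

The rendered rules are a triage aid, not a fix to apply verbatim: as the mcelog commit shows, the right answer to `init_t` executing a `mcelog_etc_t` file was to label the script `bin_t`, and in refpolicy the access is expressed through the module's interfaces rather than raw allow rules.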
Chris PeBenito
5cb00e5167
Update contrib.
2017-09-19 18:43:55 -04:00
Chris PeBenito
c7c53a91af
Update contrib.
2017-09-17 21:14:24 -04:00
Chris PeBenito
6abb3eb5fc
corecommands, xserver, systemd, userdomain: Version bumps.
2017-09-17 11:11:18 -04:00
Russell Coker
25a9bcb405
minor nspawn, dnsmasq, and mon patches
Label some shell scripts from bridge-utils correctly. Maybe have ifdef
distro_debian around this, not sure what upstream is doing.
systemd_nspawn_t needs to manage the /etc/localtime symlink if you have a
labeled chroot.
Another dontaudit for mon_local_test_t to stop it spamming the logs.
Support a .d directory for dnsmasq config files.
2017-09-17 11:08:06 -04:00
Guido Trentalancia
4afbc35e79
xserver: do not audit ioctl operations on log files
Do not audit ioctl operation attempts whenever write
operations on the xserver log should not be audited.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
2017-09-17 10:44:57 -04:00
Chris PeBenito
eea649c0f4
init: Remove sm-notify.pid fc entry which collides with the rpc module.
2017-09-16 13:31:12 -04:00
Chris PeBenito
d2c047bfd4
authlogin, logging, udev: Module version bump.
2017-09-16 13:30:33 -04:00
Jason Zaman via refpolicy
e2db03bb8f
sudo: add fcontext for /run/sudo/ts/USERNAME
This lets restorecon -F set the context properly.
2017-09-16 13:05:53 -04:00
Jason Zaman via refpolicy
18778fcb49
syslog: allow map persist file
2017-09-16 13:05:53 -04:00
Jason Zaman via refpolicy
ae482db492
udev: map module objects to load kernel modules
denied { map } for pid=7850 comm="systemd-udevd" path="/lib64/modules/4.13.0-gentoo/kernel/drivers/hid/hid-logitech-hidpp.ko" dev="zfs" ino=709934 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
2017-09-16 13:05:53 -04:00
Chris PeBenito
f74a91a1a6
sysadm,fstools: Module version bump.
2017-09-14 17:21:56 -04:00
Christian Göttsche
e1d795de3b
dphysswapfile: add interfaces and sysadm access
v2:
add swapfile file context
2017-09-14 17:19:55 -04:00
Chris PeBenito
09006ca15e
spamassassin: Add missing requirement in spamassassin_admin().
2017-09-13 20:00:45 -04:00
Chris PeBenito
1fa134f2f2
init: Fix XML error.
2017-09-13 19:38:40 -04:00