Also known as 'vmchannel', a transport mechanism is needed for
communication between the host userspace and guest userspace for
achieving things like making clipboard copy/paste work seamlessly across
the host and guest, locking the guest screen in case the vnc session to
the guest is closed and so on. This can be used in offline cases as
well, for example with libguestfs to probe which file systems the guest
uses, the apps installed, etc.
Virtio-serial is just the transport protocol that will enable such
applications to be written. It has two parts: (a) device emulation in
qemu that presents a virtio-pci device to the guest and (b) a guest
driver that presents a char device interface to userspace applications.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
The script basically does what the name suggests, and additionally it
need to be able to stop and start avahi-daemon via its init script
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Generic interface to platform dependent persistent storage
https://www.kernel.org/doc/Documentation/ABI/testing/pstore
This basically works pretty much the same as cgroup file systems from a
SELinux perspective
Make sure that the installed /sys/fs/pstore directory is labeled
properly so that the pstore file system can be mounted on that
I also removed the files_type() calls as they are duplicate (it is
already called in files_mountpoint)
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
This keytab functionality should be re-evaluated because it does not
make sense in its current implementation
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
The grub2-install application runs a few grub2-* commands. Two of those,
grub2-bios-setup and grub2-probe, need read/write access to the (fixed) disks.
Mark those two applications as bootloader_exec_t (as is the case with the "grub"
legacy command in the past) allows the commands to continue.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Back when the SECMARK implementation was new, the packet class was always
checked. Because of that, unlabeled_t packet rules proliferated refpolicy
since the common case was to have no SECMARK rules. Since then, the kernel
has been modified to only enforce the packet class if there are SECMARK
rules. Remove the unlabeled_t packet rules, since users of SECMARK will
likely want no unlabeled_t packet rules, and the common case users will
have no impact since the packet class isn't enforced on their systems.
To have partial SECMARK confinement, the following rule applies:
allow { domain -type_i_want_to_constrain_t } unlabeled_t:packet { send recv };
It seems like over-allowing, but if you have no SECMARK rules, it's the equivalent of:
allow * unlabeled_t:packet { send recv };
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
The chsh application (which runs in the chfn_t domain) requires read access on
the file context definitions. If not, the following error occurs:
Changing the login shell for root
Enter the new value, or press ENTER for the default
Login Shell [/bin/zsh]: /bin/bash
chsh: failure while writing changes to /etc/passwd
The following AVC denials are shown:
Jan 23 20:23:43 lain kernel: [20378.806719] type=1400 audit(1358969023.507:585):
avc: denied { search } for pid=18281 comm="chsh" name="selinux" dev="dm-0"
ino=23724520 scontext=staff_u:sysadm_r:chfn_t
tcontext=system_u:object_r:selinux_config_t tclass=dir
In permissive mode, this goes up to:
Jan 23 20:22:15 lain kernel: [20290.691128] type=1400 audit(1358968935.217:566):
avc: denied { open } for pid=18195 comm="chsh"
path="/etc/selinux/strict/contexts/files/file_contexts" dev="dm-0" ino=23726403
scontext=staff_u:sysadm_r:chfn_t tcontext=staff_u:object_r:file_context_t
tclass=file
Hence, adding in seutil_read_file_contexts().
A second error is that chsh, if available, wants to execute nscd:
Changing the login shell for root
Enter the new value, or press ENTER for the default
Login Shell [/bin/sh]: /bin/bash
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
Similar to most other user admin utilities, we grant it the rights to run nscd.
Changes since v1
- Removed seutil_dontaudit_search_config() call
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Allow sys_nice capability, setsched, allow to search in /var/spool and
syslog_t domain to read network state files in /proc
squash! Add support for rsyslog
Use nscd_use instead of nscd_socket_use. This conditionally allows
nscd_shm_use
Remove the nscd_socket_use from ssh_keygen since it was redundant
already allowed by auth_use_nsswitch
Had to make some ssh_keysign_t rules unconditional else
nscd_use(ssh_keysign_t) would not build (nested booleans) but that does
not matter, the only actual domain transition to ssh_keysign_t is
conditional so the other unconditional ssh_keygen_t rules are
conditional in practice
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Make sure various virt user home content gets created with a type
transition and proper file contexts for common users
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
The stunnel init script reads the stunnel configuration to find out where to
store and check for the PID file
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Some cron daemons, including vixie-cron, support using the system logger for
handling their logging events. Hence we allow syslogd_t to manage the cron logs,
and put a file transition in place for the system logger when it creates the
cron.log file.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
If the /run/lock/lvm directory doesn't exist yet, running any of the LVM tools
(like lvscan) will create this directory. Introduce a named file transition for
the lock location when a directory named "lvm" is created and grant the
necessary rights to create the directory.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When starting postgresql, it fails with the (little saying) error message:
pg_ctl: could not start server
In the denials, we notice:
Nov 24 10:41:52 lerya kernel: [1628900.540506] type=1400
audit(1353750112.021:10143): avc: denied { connectto } for pid=20481
comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=...
scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t
tclass=unix_stream_socket
Hence, allow postgresql to connect to its own stream socket.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Just adding zfs to the list of defined filesystems in filesystem.te
Signed-off-by: Matthew Thode <mthode@mthode.org>
In Debian, this initscript is creating both /tmp/.X11-unix and
/tmp/.ICE-unix. This allows the directory to transition to the context
defined in the filecontext.
When the active session is changed, the udev-acl executable is called
by ConsoleKit. It will then read the ConsoleKit database to figure out
which is the active one.
This process is not allowed to interact with subjects or operate on
objects that it would otherwise be able to interact with or operate on
respectively.
This is, i think, to make sure that specified processes cannot interact
with subject or operate on objects regardless of its mcs range.
It is used by svirt and probably also by sandbox
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
The /var/log/cron[^/]* line in the context definition takes higher precedence
than the /var/log/cron.* line in the cron.fc file. As a result, when
/var/log/cron.log is created it gets relabeled to var_log_t instead of staying
with the cron_log_t type it should be.
Removing the line so that the definitions in cron.log are used.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When invoking tcpdump, the application creates a netlink_socket and then chroots
into /var/lib/tcpdump.
Without the right to create a netlink_socket:
tcpdump: Can't open netlink socket 13:Permission denied
Without the right on dac_read_search and sys_chroot:
tcpdump: Couldn't chroot/chdir to '/var/lib/tcpdump': Permission denied
See also https://bugs.gentoo.org/show_bug.cgi?id=443624
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The ipset command is used to manage ip sets, used by iptables for a more
flexible management of firewall rules. It has very similar requirements as
iptables for accessing and working with the Linux kernel, so marking ipset as
iptables_exec_t to have it run in the iptables domain.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Create various interfaces using the user_home_content_type attribute for
tmpreaper
user_home_t, user_tmp_t and user_tmpfs_t are user_home_content_type
(why?) We should probably also create user_tmp_content_type and
user_tmpfs_content_type attributes and assign to userdom_tmp_file and
userdom_tmpfs_file respectively
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Since /var/cache/man was previously labeled man_t, make sure that the old
interfaces with regard to man_t also support man_cache_t
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Currently, the files_manage_generic_locks only handles the lock files. If a
domain needs to manage both lock files and the lock directories (like specific
subdirectories in /var/lock that are not owned by a single other domain, such as
Gentoo's /var/lock/subsys location) it also needs the manage permissions on the
directory.
This is to support OpenRC's migration of /var/lock to /run/lock which otherwise
fails:
* Migrating /var/lock to /run/lock
cp: cannot create directory '/run/lock/subsys': Permission denied
rm: cannot remove '/var/lock/subsys': Permission denied
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Gentoo's OpenRC init framework handles the migration of data from /var/run to
/run, and /var/lock to /run/lock. To deal with this, openrc uses "cp -a -r
/var/run /run" and "cp -a -r /var/lock/* /run/lock".
When done, it will create symlinks in /var towards the new locations.
As a result, initrc_t needs to be able to manage symlinks in /var, as well as
manage all pidfile content (needed for the migration of /var/run/* towards
/run).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This interface will be used by domains that need to manage the various pidfile
content (*_var_run_t).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
In Gentoo, the openrc init framework creates the /dev/shm location (within
devtmpfs) using a "mkdir -m 1777 /dev/shm" command. This results in initrc_t
wanting to set the attributes of the /dev/shm directory (at that point still
labeled device_t as tmpfs isn't mounted on it yet).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Content that (at least) common users need to be able to relabel and
create with a type transition
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
gnome_role is deprecated, use gnome_role_template instead
depends on dbus because of gkeyringd
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
To flush the routing cache, ifconfig_t (through the "ip" command) requires
sys_admin capability. If not:
~# ip route flush cache
Cannot flush routing cache
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Support the logging_search_all_log_dirs interface for applications such as
fail2ban-client, who scan through log directories.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Support the logging_getattr_all_logs interface, which will be used by
applications responsible for reviewing the state of log files (without needing
to read them), such as the fail2ban-client application.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Chris PeBenito
Dominick Grift
Sven Vermeulen
Laurent Bigonville
Paul Moore
Matthew Thode
Mika Pflüger
Mika Pflüger