selinux-refpolicy

mirror of https://github.com/SELinuxProject/refpolicy synced 2025-03-30 07:16:57 +00:00

Author	SHA1	Message	Date
Chris PeBenito	157b7edcbb	memlockd: Move lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-25 09:46:04 -05:00
Russell Coker	88c8189207	latest memlockd patch Includes the ifndef(`distro_debian' section that was requested. Should be ready for merging now. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-25 09:39:26 -05:00
Russell Coker	da9b6306ea	more Chrome stuff Patches for some more Chrome stuff Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-25 09:36:56 -05:00
Russell Coker	eef53e3ddc	remove deprecated from 20190201 This patch removes every macro and interface that was deprecated in 20190201. Some of them date back to 2016 or 2017. I chose 20190201 as that is the one that is in the previous release of Debian. For any distribution I don't think it makes sense to carry interfaces that were deprecated in version N to version N+1. One thing that particularly annoys me is when audit2allow -R gives deprecated interfaces in it's output. Removing some of these should reduce the incidence of that. I believe this is worthy of merging. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-25 08:59:34 -05:00
Chris PeBenito	221813c947	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-25 08:27:35 -05:00
Chris PeBenito	cb93093f4e	Merge pull request #335 from pebenito/drop-dead-modules	2021-01-25 08:22:09 -05:00
Chris PeBenito	ea6002ddf9	devices, virt: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 10:08:02 -05:00
Chris PeBenito	6c2432c8bc	Merge pull request #333 from 0xC0ncord/feature/virt_evdev_tunable	2021-01-19 10:07:29 -05:00
Chris PeBenito	0179413fa3	certbot: Fix lint issues. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 10:01:27 -05:00
Chris PeBenito	0f6c861dfb	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 09:51:56 -05:00
Chris PeBenito	81b20d6b08	userdomain: Move lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 09:24:14 -05:00
Russell Coker	c42c407bdc	yet more strict patches fixed More little strict patches, much of which are needed for KDE. With the lines that Chris didn't like removed. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-19 09:14:16 -05:00
Chris PeBenito	a686e854af	miscfiles: Rename miscfiles_manage_generic_tls_privkey_lnk_files. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 09:02:13 -05:00
Chris PeBenito	0f02829c61	certbot: Reorder fc lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 09:01:57 -05:00
Chris PeBenito	fb95355f98	certbot: Drop aliases since they have never had the old names in refpolicy. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 09:01:40 -05:00
Chris PeBenito	3927e3ca50	certbot: Whitespace changes. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 09:01:09 -05:00
Russell Coker	08d32dbc2d	latest iteration of certbot policy as patch Same .te as sent a few days ago, but as a patch and with the other files needed. I think this is ready for inclusion. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-19 08:49:30 -05:00
Chris PeBenito	437e0c4b97	chromium: Move naclhelper lines. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 08:39:53 -05:00
Chris PeBenito	34a8c10cb9	chromium: Whitespace changes. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-19 08:39:45 -05:00
Russell Coker	31a2b463f7	base chrome/chromium patch fixed This patch is the one I described as "another chromium patch" on the 10th of April last year, but with the issues addressed, and the chromium_t:file manage_file_perms removed as requested. I believe it's ready for inclusion. Signed-off-by: Russell Coker <russell@coker.com.au>	2021-01-19 08:39:40 -05:00
Kenton Groombridge	fb377e0953	virt: add boolean to allow evdev passthrough Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-01-14 18:22:14 -05:00
Chris PeBenito	7b15003eae	Remove modules for programs that are deprecated or no longer supported. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-14 17:14:30 -05:00
Daniel Burgener	93f5fe30f3	Fix typo in comment Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>	2021-01-14 15:07:34 -05:00
Chris PeBenito	bb471c3f1c	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-13 15:20:47 -05:00
Chris PeBenito	df5227d6d7	devicekit: Udisks uses udevadm, it does not exec udev. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-13 15:12:18 -05:00
Chris PeBenito	ac51d56ddc	udev: Systemd 246 merged udev and udevadm executables. Drop init_system_domain() for udevadm to break type transition conflicts. Also fix interface naming issues for udevadm interfaces. Fixes #292 Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-13 15:12:18 -05:00
Chris PeBenito	6c69f6e3de	udev: Drop udev_tbl_t. This usage under /dev/.udev has been unused for a very long time and replaced by functionality in /run/udev. Since these have separate types, take this opportunity to revoke these likely unnecessary rules. Fixes #221 Derived from Laurent Bigonville's work in #230 Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-13 15:12:11 -05:00
Chris PeBenito	8c756108db	corosync, pacemaker: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2021-01-13 14:46:10 -05:00
Kenton Groombridge	03713214e2	devices: add interface for IOCTL on input devices Signed-off-by: Kenton Groombridge <me@concord.sh>	2021-01-13 10:04:53 -05:00
David Schadlich	9fd6bcbcf5	add policy for pcs_snmp_agent create corosync_read_state interface, used by pcs_snmp_agent policy update file context list for corosync to include corosync-cmapctl, this allows pcs_snmp_agent to domtrans when calling it denial for execmem type=AVC msg=audit(1610036202.427:3772): avc: denied { execmem } for pid=10875 comm="ruby" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:pcs_snmp_agent_t:s0 tclass=process permissive=1 create contexts for pcs_snmp_agent_t and allow it some self permissions allow pcs_snmp_agent_t to create allows and transision context of those logs allow pcs_snmp_agent_t to read kernel sysctls allow pcs_snmp_agent_t to exec bin_t allow pcs_snmp_agent_t to access pacemaker's cluster information base (cib) type=AVC msg=audit(1610037438.918:4524): avc: denied { read write } for pid=14866 comm="cibadmin" name="qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037438.918:4524): avc: denied { open } for pid=14866 comm="cibadmin" path="/dev/shm/qb-3925-14866-13-FPiaad/qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1610037438.918:4524): arch=c000003e syscall=2 success=yes exit=5 a0=7ffe28cb09e0 a1=2 a2=180 a3=7ffe28cb02a0 items=1 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null) type=AVC msg=audit(1610037438.919:4525): avc: denied { map } for pid=14866 comm="cibadmin" path="/dev/shm/qb-3925-14866-13-FPiaad/qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1610037438.919:4525): arch=c000003e syscall=9 success=yes exit=140505675866112 a0=0 a1=203c a2=3 a3=1 items=0 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null) type=AVC msg=audit(1610037438.906:4523): avc: denied { connectto } for pid=14866 comm="cibadmin" path=006369625F72770000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=unix_stream_socket permissive=1 type=SYSCALL msg=audit(1610037438.906:4523): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffe28cb2a40 a2=6e a3=7ffe28cb2460 items=0 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null) allow pcs_snmp_agent_t to read files with usr_t context type=AVC msg=audit(1610037437.737:4513): avc: denied { getattr } for pid=14857 comm="ruby" path="/usr/share/ruby/json.rb" dev="dm-0" ino=78097 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file permissive=1 type=AVC msg=audit(1610037439.029:4532): avc: denied { read } for pid=14869 comm="crm_mon" name="pacemaker" dev="dm-0" ino=78392 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610037561.019:4615): avc: denied { read } for pid=15257 comm="ruby" name="rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037561.019:4615): avc: denied { open } for pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037561.019:4616): avc: denied { getattr } for pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037561.020:4617): avc: denied { ioctl } for pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 ioctlcmd=5401 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to to get cgroup information type=AVC msg=audit(1610036387.957:3864): avc: denied { getattr } for pid=11499 comm="systemctl" path="/sys/fs/cgroup/systemd/system.slice/pacemaker.service/cgroup.procs" dev="cgroup" ino=31992 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610036480.913:3921): avc: denied { read } for pid=11807 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610036665.036:4019): avc: denied { read } for pid=12401 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610036788.922:4099): avc: denied { read } for pid=12798 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610036944.042:4202): avc: denied { read } for pid=13302 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610036977.714:4223): avc: denied { read } for pid=13416 comm="systemctl" name="cgroup.procs" dev="cgroup" ino=30811 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610036977.714:4223): avc: denied { open } for pid=13416 comm="systemctl" path="/sys/fs/cgroup/systemd/system.slice/corosync.service/cgroup.procs" dev="cgroup" ino=30811 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to read nsswitch type=AVC msg=audit(1610037562.211:4626): avc: denied { open } for pid=15266 comm="cibadmin" path="/etc/nsswitch.conf" dev="dm-0" ino=40445 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037562.212:4627): avc: denied { getattr } for pid=15266 comm="cibadmin" path="/etc/nsswitch.conf" dev="dm-0" ino=40445 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to read zoneinfo type=AVC msg=audit(1610035641.390:3398): avc: denied { search } for pid=3838 comm="pcs_snmp_agent" name="zoneinfo" dev="dm-0" ino=69241 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610035767.532:3480): avc: denied { getattr } for pid=3838 comm="pcs_snmp_agent" path="/usr/share/zoneinfo/GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610035767.664:3481): avc: denied { read } for pid=9488 comm="ruby" name="GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610035767.664:3481): avc: denied { open } for pid=9488 comm="ruby" path="/usr/share/zoneinfo/GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to read certificates type=AVC msg=audit(1610037375.994:4485): avc: denied { getattr } for pid=14660 comm="ruby" path="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037499.874:4565): avc: denied { read } for pid=15055 comm="ruby" name="cert.pem" dev="dm-0" ino=38537 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=1 type=AVC msg=audit(1610037529.975:4584): avc: denied { read } for pid=15144 comm="ruby" name="tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037529.975:4584): avc: denied { open } for pid=15144 comm="ruby" path="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t get service status type=USER_AVC msg=audit(1610034251.683:2349): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/pacemaker.service" cmdline="systemctl status pacemaker.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1610034251.773:2363): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 cmdline="systemctl is-enabled pacemaker.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=s ystem exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1610034252.626:2367): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 cmdline="systemctl status pacemaker_remote.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclas s=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=AVC msg=audit(1610034251.757:2361): avc: denied { getattr } for pid=4342 comm="systemctl" path="/etc/systemd/system" dev="dm-0" ino=38595 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1 allow pcs_snmp_agent_t to search init_t dirs type=AVC msg=audit(1610037317.490:4460): avc: denied { search } for pid=14489 comm="systemctl" name="1" dev="proc" ino=9242 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1 allow pcs_snmp_agent_t to connecto to systemd unix socket type=AVC msg=audit(1610037533.196:4600): avc: denied { connectto } for pid=15174 comm="systemctl" path="/run/systemd/private" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1 allow pcs_snmp_agent_t to run corosync in corosync_t domain type=AVC msg=audit(1610037437.793:4515): avc: denied { execute } for pid=14859 comm="ruby" name="corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037437.793:4515): avc: denied { read open } for pid=14859 comm="ruby" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037437.793:4515): avc: denied { execute_no_trans } for pid=14859 comm="ruby" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037437.793:4515): avc: denied { map } for pid=14859 comm="corosync" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610034246.149:2265): avc: denied { execute } for pid=4258 comm="ruby" name="corosync-cmapctl" dev="dm-0" ino=57635 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to read corosync state type=AVC msg=audit(1610037503.610:4570): avc: denied { open } for pid=15101 comm="systemctl" path="/proc/3874/comm" dev="proc" ino=26243 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:corosync_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037503.611:4571): avc: denied { getattr } for pid=15101 comm="systemctl" path="/proc/3874/comm" dev="proc" ino=26243 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:corosync_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to exec hostname type=AVC msg=audit(1610037469.569:4545): avc: denied { execute } for pid=14951 comm="ruby" name="hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037469.569:4545): avc: denied { read open } for pid=14951 comm="ruby" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037469.569:4545): avc: denied { execute_no_trans } for pid=14951 comm="ruby" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037469.569:4545): avc: denied { map } for pid=14951 comm="hostname" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1 allow pcs_snmp_agent_t to connecto to snmp socket type=AVC msg=audit(1610034242.897:2197): avc: denied { write } for pid=3838 comm="pcs_snmp_agent" name="master" dev="tmpfs" ino=30868 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file permissive=1 type=AVC msg=audit(1610034242.897:2197): avc: denied { connectto } for pid=3838 comm="pcs_snmp_agent" path="/var/agentx/master" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket permissive=1 allow pcs_snmp_agent_t to read systemd journal files type=AVC msg=audit(1610037472.176:4552): avc: denied { map } for pid=14980 comm="systemctl" path="/var/log/journal/c7aa97546e1f4d3783a3aeffeeb749e3/system.journal" dev="tmpfs" ino=146184 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 type=AVC msg=audit(1610037533.220:4602): avc: denied { read } for pid=15174 comm="systemctl" name="/" dev="tmpfs" ino=10069 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1610037533.220:4602): avc: denied { open } for pid=15174 comm="systemctl" path="/var/log/journal" dev="tmpfs" ino=10069 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 Signed-off-by: David Schadlich <dschadlich@owlcyberdefense.com>	2021-01-12 10:30:32 -05:00
Chris PeBenito	010692dda2	Merge pull request #326 from dburgener/no-self Use self keyword when an AV rule source type matches destination	2021-01-04 09:14:46 -05:00
Chris PeBenito	8a1bc98a31	authlogin, init, systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-17 09:23:18 -05:00
Chris PeBenito	a63c24c6b7	Merge pull request #269 from bauen1/systemd-userdb	2020-12-17 09:22:55 -05:00
Daniel Burgener	37cc0aae1d	Use self keyword when an AV rule source type matches destination This is reported in a new SELint check in soon to be released selint version 1.2.0 Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>	2020-12-15 10:29:52 -05:00
Peter Morrow	b3bfd10ccd	selinux: add selinux_get_all_booleans() interface Allow the caller to read the state of selinuxfs booleans. Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>	2020-12-15 15:19:30 +00:00
Chris PeBenito	cef667fa31	systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-15 09:40:48 -05:00
Chris PeBenito	2c2d27ce70	Merge pull request #324 from dburgener/dburgener/systemd-watch	2020-12-15 09:33:50 -05:00
Daniel Burgener	b3204ea4c1	Allow systemd-ask-password to watch files On systems that use plymouth, systemd-ask-password may set watches on the contents on /run/systemd/ask-password, whereas other scenarions only set watch on the parent directory. Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>	2020-12-11 19:47:13 +00:00
Chris PeBenito	c8c418267d	systemd: Add systemd-tty-ask watch for /run/systemd/ask-password. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2020-12-11 19:45:54 +00:00
Chris PeBenito	87c4adc790	kernel, modutils, userdomain, xserver: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-08 15:13:57 -05:00
Chris PeBenito	97eda18388	Merge pull request #323 from dsugar100/master	2020-12-08 15:09:54 -05:00
Chris PeBenito	7fd6d78c2c	userdomain: Fix error in calling userdom_xdg_user_template(). Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-08 15:09:27 -05:00
Chris PeBenito	cdfcec0e9a	Merge pull request #320 from 0xC0ncord/master	2020-12-08 15:01:27 -05:00
0xC0ncord	1d15c9e009	userdomain, xserver: move xdg rules to userdom_xdg_user_template xdg rules are normally set in xserver. But, if a modular policy is being used and the xserver module is not present, the required rules for users to be able to access xdg content are never created and thus these files and directories cannot be interacted with by users. This change adds a new template that can be called to grant these privileges to userdomain types as necessary. Signed-off-by: Kenton Groombridge <me@concord.sh>	2020-12-08 10:59:17 -05:00
Dave Sugar	ca5f1a5662	Allow systemd-modules-load to search kernel keys I was seeing the following errors from systemd-modules-load without this search permission. Dec 7 14:36:19 systemd-modules-load: Failed to insert 'nf_conntrack_ftp': Required key not available Dec 7 14:36:19 kernel: Request for unknown module key 'Red Hat Enterprise Linux kernel signing key: 3ffb026dadef6e0bc404752a7e7c29095a68eab7' err -13 Dec 7 14:36:19 systemd: systemd-modules-load.service: main process exited, code=exited, status=1/FAILURE Dec 7 14:36:19 audispd: node=loacalhost type=PROCTITLE msg=audit(1607351779.441:3259): proctitle="/usr/lib/systemd/systemd-modules-load" Dec 7 14:36:19 systemd: Failed to start Load Kernel Modules. This is the denial: Dec 7 15:56:52 audispd: node=localhost type=AVC msg=audit(1607356612.877:3815): avc: denied { search } for pid=11715 comm="systemd-modules" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-12-08 10:51:44 -05:00
Chris PeBenito	699268ff41	init, systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-04 13:32:57 -05:00
Chris PeBenito	b31d8308da	systemd: Rename systemd_connectto_socket_proxyd_unix_sockets() to systemd_stream_connect_socket_proxyd(). Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-04 13:31:22 -05:00
Chris PeBenito	42b184c2a8	systemd: Whitespace changes. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-12-04 13:31:17 -05:00
(GalaxyMaster)	c98d287fa3	added policy for systemd-socket-proxyd Signed-off-by: (GalaxyMaster) <galaxy4public@users.noreply.github.com>	2020-12-02 17:38:00 +11:00
Chris PeBenito	fe29a74cad	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-11-22 14:03:11 -05:00
Jason Zaman	d03b8ffdf5	systemd: make remaining dbus_* optional Almost all calls to dbus_ interfaces were already optional, this makes the remaining one optional_policy so that the modules can be installed / upgraded easier. Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jason Zaman	6dd6823280	init: upstream fcontexts from gentoo policy Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jason Zaman	c9880f52d5	Add transition on gentoo init_t to openrc Commit "init: replace call to init_domtrans_script" (`be231899f5` in upstream repo) removed the call to init_domtrans_script which removed the openrc domtrans. This adds it back directly in the distro_gentoo block. Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jonathan Davies	b1927e9f39	init: Added fcontext for openrc-shutdown. Signed-off-by: Jonathan Davies <jpds@protonmail.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jonathan Davies	b7acd3c4f9	init: Added fcontext for openrc-init. Signed-off-by: Jonathan Davies <jpds@protonmail.com> Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jonathan Davies	1a39e4dfbe	portage: Added /var/cache/distfiles path. Closes: https://github.com/perfinion/hardened-refpolicy/pull/1 Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jason Zaman	0ad23a33ef	getty: allow watching file /run/agetty.reload avc: denied { watch } for pid=2485 comm="agetty" path="/run/agetty.reload" dev="tmpfs" ino=22050 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:getty_runtime_t:s0 tclass=file permissive=0 Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Jason Zaman	a98f25ce73	userdomain: Add watch on home dirs avc: denied { watch } for pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0 avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0 Signed-off-by: Jason Zaman <perfinion@gentoo.org> Signed-off-by: Jason Zaman <jason@perfinion.com>	2020-11-22 14:00:34 -05:00
Chris PeBenito	82c0b4dd3e	dbus: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-11-20 09:54:32 -05:00
Daniel Burgener	47c495d6f1	Allow init to mount over the system bus In portable profiles, systemd bind mounts the system bus into process namespaces Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>	2020-11-13 14:44:22 +00:00
Chris PeBenito	f1b83f8ef4	lvm: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-11-09 11:45:32 -05:00
Guido Trentalancia	7122154c19	Add LVM module permissions needed to open cryptsetup devices. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/system/lvm.te \| 2 ++ 1 file changed, 2 insertions(+)	2020-11-09 15:43:01 +01:00
Chris PeBenito	aa8d432584	filesystem, xen: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-11-05 06:55:25 -05:00
Anthony PERARD	4f23a54b52	xen: Allow xenstored to map /proc/xen/xsd_kva xenstored is using mmap() on /proc/xen/xsd_kva, and when the SELinux boolean "domain_can_mmap_files" in CentOS is set to false the mmap() call fails. Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>	2020-11-05 06:55:17 -05:00
Chris PeBenito	493f56b59d	corosync, pacemaker: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-10-13 15:25:24 -04:00
Dave Sugar	871348f040	Allow pacemaker to map/read/write corosync shared memory files Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2915): avc: denied { read write } for pid=7173 comm="stonithd" name="qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2915): avc: denied { open } for pid=7173 comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2916): avc: denied { map } for pid=7173 comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-10-13 13:44:18 -04:00
Dave Sugar	f36e39b45e	pacemaker systemd permissions Allow pacemaker to get status of all running services and reload systemd Sep 27 01:59:16 localhost audispd: node=virtual type=USER_AVC msg=audit(1601171956.494:2945): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Sep 29 01:46:09 localhost audispd: node=virtual type=USER_AVC msg=audit(1601343969.962:2974): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=n/a uid=0 gid=0 cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Allow pacemaker to start/sotp all units (when enabled) Sep 30 14:37:14 localhost audispd: node=virtual type=USER_AVC msg=audit(1601476634.877:3075): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Allow for dynamic creation of unit files (with private type) By using a private type pacemaker doesn't need permission to read/write all init_runtime_t files. Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { write } for pid=5075 comm="lrmd" name="system" dev="tmpfs" ino=1177 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { add_name } for pid=5075 comm="lrmd" name="target-monitor@my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { create } for pid=5075 comm="lrmd" name="target-monitor@my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc: denied { create } for pid=5075 comm="lrmd" name="50-pacemaker.conf" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc: denied { write open } for pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor@my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3073): avc: denied { getattr } for pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor@my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-10-13 13:44:18 -04:00
Dave Sugar	428cc2ef9c	To get pacemaker working in enforcing Allow pacemaker to map its shared memory Sep 27 00:30:32 localhost audispd: node=virtual type=AVC msg=audit(1601166632.229:2936): avc: denied { map } for pid=7173 comm="cib" path="/dev/shm/qb-7173-7465-14-5Voxju/qb-request-cib_rw-header" dev="tmpfs" ino=39707 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1 Label pacemaker private log file Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { write } for pid=7168 comm="pacemakerd" name="/" dev="tmpfs" ino=13995 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { add_name } for pid=7168 comm="pacemakerd" name="pacemaker.log" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { create } for pid=7168 comm="pacemakerd" name="pacemaker.log" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1 Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { append open } for pid=7168 comm="pacemakerd" path="/var/log/pacemaker.log" dev="tmpfs" ino=32670 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1 It writes to log, but also reads Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.381:2892): avc: denied { read } for pid=7177 comm="pengine" name="pacemaker.log" dev="tmpfs" ino=35813 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:pacemaker_log_t:s0 tclass=file permissive=1 Pacemaker can read stuff in /usr/share/pacemaker/ Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.383:2893): avc: denied { read } for pid=7173 comm="cib" name="pacemaker-2.10.rng" dev="dm-0" ino=76508 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.383:2893): avc: denied { open } for pid=7173 comm="cib" path="/usr/share/pacemaker/pacemaker-2.10.rng" dev="dm-0" ino=76508 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1 pacemaker dbus related stuff Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.761:2953): avc: denied { write } for pid=7175 comm="lrmd" name="system_bus_socket" dev="tmpfs" ino=13960 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=sock_file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.761:2953): avc: denied { connectto } for pid=7175 comm="lrmd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.763:2954): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=7175 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.764:2955): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LoadUnit dest=org.freedesktop.systemd1 spid=7175 tpid=1 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.767:2959): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.12 spid=1 tpid=7175 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' Pacemaker execute network monitoring Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2962): avc: denied { getattr } for pid=7581 comm="which" path="/usr/sbin/arping" dev="dm-0" ino=25739 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.778:2963): avc: denied { execute } for pid=7551 comm="ethmonitor" name="arping" dev="dm-0" ino=25739 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.766:2956): avc: denied { getattr } for pid=7556 comm="which" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.767:2957): avc: denied { execute } for pid=7541 comm="IPaddr2" name="ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2960): avc: denied { read } for pid=7582 comm="IPaddr2" name="ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc: denied { open } for pid=7582 comm="IPaddr2" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc: denied { execute_no_trans } for pid=7582 comm="IPaddr2" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc: denied { map } for pid=7582 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc: denied { nlmsg_write } for pid=7617 comm="ip" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=netlink_route_socket permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc: denied { net_admin } for pid=7617 comm="ip" capability=12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc: denied { net_admin } for pid=7617 comm="ip" capability=12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1 Update pacemaker process perms Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.729:2950): avc: denied { getsched } for pid=7537 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.730:2951): avc: denied { setsched } for pid=7537 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 Sep 27 00:30:59 localhost audispd: node=virtual type=AVC msg=audit(1601166659.606:2967): avc: denied { signull } for pid=7178 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 pacemaker network communication Sep 29 01:46:08 localhost audispd: node=virtual type=AVC msg=audit(1601343968.444:2963): avc: denied { node_bind } for pid=7681 comm="send_arp" saddr=192.168.11.12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1 Sep 29 02:08:25 localhost audispd: node=virtual type=AVC msg=audit(1601345305.150:3137): avc: denied { net_raw } for pid=8317 comm="send_arp" capability=13 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1 Sep 30 13:43:16 localhost audispd: node=virtual type=AVC msg=audit(1601473396.111:3094): avc: denied { getcap } for pid=6144 comm="arping" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 Sep 30 13:43:16 localhost audispd: node=virtual type=AVC msg=audit(1601473396.111:3095): avc: denied { setcap } for pid=6144 comm="arping" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1 Let pacemaker exec lib_t files Oct 1 14:48:25 localhost audispd: node=virtual type=AVC msg=audit(1601563705.848:2242): avc: denied { execute_no_trans } for pid=6909 comm="crm_resource" path="/usr/lib/ocf/resource.d/heartbeat/IPsrcaddr" dev="dm-0" ino=82111 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1 Oct 1 15:01:31 localhost audispd: node=virtual type=AVC msg=audit(1601564491.091:2353): avc: denied { execute_no_trans } for pid=8285 comm="lrmd" path="/usr/lib/ocf/resource.d/heartbeat/ethmonitor" dev="dm-0" ino=82129 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1 Oct 1 14:49:21 localhost audispd: node=virtual type=AVC msg=audit(1601563761.158:2265): avc: denied { execute_no_trans } for pid=7307 comm="lrmd" path="/usr/lib/ocf/resource.d/heartbeat/IPaddr2" dev="dm-0" ino=82110 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-10-13 13:43:41 -04:00
Dave Sugar	ea1e0e7a9b	Updates for corosync to work in enforcing Allow corosync to map its own shared memory Sep 26 18:45:02 localhost audispd: node=virtual type=AVC msg=audit(1601145902.400:2972): avc: denied { map } for pid=6903 comm="corosync" path="/dev/shm/qb-6903-7028-31-FGGoGv/qb-request-cmap-header" dev="tmpfs" ino=40759 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1 Setup corosync lock file type Sep 27 17:20:07 localhost audispd: node=virtual type=PATH msg=audit(1601227207.522:3421): item=1 name="/var/lock/subsys/corosync" inode=35029 dev=00:14 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0 Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.093:2862): avc: denied { read } for pid=6748 comm="corosync" name="lock" dev="dm-0" ino=13082 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file permissive=1 Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.093:2862): avc: denied { search } for pid=6748 comm="corosync" name="lock" dev="tmpfs" ino=10248 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1 Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc: denied { add_name } for pid=7066 comm="touch" name="corosync" scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1 Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc: denied { create } for pid=7066 comm="touch" name="corosync" scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc: denied { write open } for pid=7066 comm="touch" path="/run/lock/subsys/corosync" dev="tmpfs" ino=35048 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1 On RHEL7 systemd executes '/usr/share/corosync/corosync start' to start, label these files. Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-10-13 10:28:00 -04:00
Chris PeBenito	14a45a594b	devices, filesystem, systemd, ntp: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-10-09 09:45:11 -04:00
Chris PeBenito	785677771d	Merge pull request #313 from bootlin/buildroot-systemd-fixes	2020-10-09 09:42:40 -04:00
Chris PeBenito	b5525a3fca	systemd: Move systemd-pstore block up in alphabetical order. No rule change. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-10-09 09:42:31 -04:00
Antoine Tenart	35a417d0ef	ntp: allow systemd-timesyn to setfscreate Fixes: avc: denied { setfscreate } for pid=68 comm="systemd-timesyn" scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t tclass=process permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-10-09 08:58:31 +02:00
Antoine Tenart	32e5008867	ntp: allow systemd-timesyn to watch dbus objects Fixes: avc: denied { watch } for pid=68 comm="systemd-timesyn" path="/run/dbus" dev="tmpfs" ino=2707 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:system_dbusd_runtime_t tclass=dir permissive=1 avc: denied { watch } for pid=68 comm="systemd-timesyn" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=2716 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:system_dbusd_runtime_t tclass=sock_file permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-10-09 08:58:31 +02:00
Antoine Tenart	e9228b49bb	systemd: allow systemd-network to list the runtime directory Fixes: avc: denied { read } for pid=58 comm="systemd-network" name="/" dev="tmpfs" ino=652 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1 avc: denied { read } for pid=58 comm="systemd-network" name="/" dev="tmpfs" ino=652 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-10-09 08:58:31 +02:00
Antoine Tenart	49a0771dd3	systemd: allow systemd-getty-generator to read and write unallocated ttys Fixes: avc: denied { read write } for pid=40 comm="systemd-getty-g" name="ttyS0" dev="devtmpfs" ino=612 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1 avc: denied { open } for pid=40 comm="systemd-getty-g" path="/dev/ttyS0" dev="devtmpfs" ino=612 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1 avc: denied { ioctl } for pid=40 comm="systemd-getty-g" path="/dev/ttyS0" dev="devtmpfs" ino=612 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-10-09 08:58:31 +02:00
Deepak Rawat	f5c8a117d9	Add selinux-policy for systemd-pstore service systemd-pstore is a service to archive contents of pstore. Signed-off-by: Deepak Rawat <drawat.floss@gmail.com>	2020-10-09 03:20:09 +00:00
Chris PeBenito	bc7a84d643	snmp: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-10-05 09:55:13 -04:00
Dave Sugar	9da3f3a131	Allow snmpd to read hwdata Oct 1 16:11:49 localhost audispd: node=virtual type=AVC msg=audit(1601568708.950:2198): avc: denied { getattr } for pid=4114 comm="snmpd" path="/usr/share/hwdata/pci.ids" dev="dm-0" ino=76435 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1 Oct 1 16:11:49 localhost audispd: node=virtual type=AVC msg=audit(1601568708.950:2197): avc: denied { read } for pid=4114 comm="snmpd" name="pci.ids" dev="dm-0" ino=76435 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1 Oct 1 16:11:49 localhost audispd: node=virtual type=AVC msg=audit(1601568708.950:2197): avc: denied { open } for pid=4114 comm="snmpd" path="/usr/share/hwdata/pci.ids" dev="dm-0" ino=76435 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-10-01 22:11:28 -04:00
Chris PeBenito	39e2af539d	corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-09-22 08:27:05 -04:00
Chris PeBenito	941620c89c	Merge pull request #309 from yizhao1/dhcpcd	2020-09-22 08:23:49 -04:00
Antoine Tenart	86476f30cf	corecommands: add entry for Busybox shell Fixes: vc: denied { execute } for pid=87 comm="login" name="sh" dev="vda" ino=408 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:bin_t tclass=file permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:25:09 +02:00
Antoine Tenart	fdda7befa5	systemd: allow systemd-resolve to read in tmpfs Fixes: avc: denied { read } for pid=76 comm="systemd-resolve" name="/" dev="tmpfs" ino=651 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:25:09 +02:00
Antoine Tenart	34547434b8	systemd: allow systemd-network to get attributes of fs Fixes: avc: denied { getattr } for pid=57 comm="systemd-network" name="/" dev="vda" ino=2 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:25:09 +02:00
Antoine Tenart	1ee738f708	systemd: allow systemd-hwdb to search init runtime directories Fixes: avc: denied { search } for pid=54 comm="systemd-hwdb" name="systemd" dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1 avc: denied { search } for pid=54 comm="systemd-hwdb" name="systemd" dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:15:37 +02:00
Antoine Tenart	f71d288e54	systemd: add extra systemd_generator_t rules Fixes: avc: denied { setfscreate } for pid=41 comm="systemd-getty-g" scontext=system_u:system_r:systemd_generator_t tcontext=system_u:system_r:systemd_generator_t tclass=process permissive=1 avc: denied { dac_override } for pid=40 comm="systemd-fstab-g" capability=1 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:system_r:systemd_generator_t tclass=capability permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:15:37 +02:00
Antoine Tenart	f99b6907f4	dbus: allow clients to list runtime dirs and named sockets Fixes: avc: denied { read } for pid=77 comm="systemd-resolve" name="dbus" dev="tmpfs" ino=2748 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:system_dbusd_runtime_t tclass=dir permissive=1 avc: denied { read } for pid=77 comm="systemd-resolve" name="system_bus_socket" dev="tmpfs" ino=2765 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:system_dbusd_runtime_t tclass=sock_file permissive=1 avc: denied { read } for pid=59 comm="systemd-network" name="dbus" dev="tmpfs" ino=2777 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:system_dbusd_runtime_t tclass=dir permissive=1 avc: denied { read } for pid=59 comm="systemd-network" name="system_bus_socket" dev="tmpfs" ino=2791 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:system_dbusd_runtime_t tclass=sock_file permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:15:37 +02:00
Antoine Tenart	66c2ff9060	dbus: add two interfaces to allow reading from directories and named sockets Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-21 16:15:37 +02:00
Yi Zhao	25251b1f3b	sysnet: allow dhcpcd to create socket file The dhcpcd needs to create socket file under /run/dhcpcd directory. Fixes: AVC avc: denied { create } for pid=331 comm="dhcpcd" name="eth0.sock" scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file permissive=0 AVC avc: denied { setattr } for pid=331 comm="dhcpcd" name="eth0.sock" dev="tmpfs" ino=19153 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file permissive=0 AVC avc: denied { sendto } for pid=331 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=unix_dgram_socket permissive=0 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>	2020-09-21 14:23:09 +08:00
Antoine Tenart	23f1e4316b	sysnetwork: allow to read network configuration files Fixes: avc: denied { getattr } for pid=55 comm="systemd-udevd" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { getattr } for pid=55 comm="systemd-udevd" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { read } for pid=55 comm="systemd-udevd" name="network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { read } for pid=55 comm="systemd-udevd" name="network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { open } for pid=55 comm="systemd-udevd" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { open } for pid=55 comm="systemd-udevd" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { getattr } for pid=59 comm="systemd-network" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { read } for pid=59 comm="systemd-network" name="network" dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { open } for pid=59 comm="systemd-network" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { search } for pid=59 comm="systemd-network" name="network" dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 avc: denied { getattr } for pid=55 comm="systemd-udevd" path="/etc/systemd/network" dev="vda" ino=128 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-18 14:34:34 +02:00
Antoine Tenart	5c604e806b	logging: allow systemd-journal to write messages to the audit socket Fixes: avc: denied { nlmsg_write } for pid=46 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket permissive=1 avc: denied { nlmsg_write } for pid=46 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-18 14:34:34 +02:00
Antoine Tenart	8cb806fbdf	locallogin: allow login to get attributes of procfs Fixes: avc: denied { getattr } for pid=88 comm="login" name="/" dev="proc" ino=1 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-18 14:34:34 +02:00
Antoine Tenart	7014af08ff	udev: allow udevadm to retrieve xattrs Fixes: avc: denied { getattr } for pid=50 comm="udevadm" name="/" dev="vda" ino=2 scontext=system_u:system_r:udevadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0 avc: denied { getattr } for pid=52 comm="udevadm" name="/" dev="vda" ino=2 scontext=system_u:system_r:udevadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0 Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>	2020-09-18 14:34:34 +02:00
Chris PeBenito	c33866e1f6	selinux, init, systemd, rpm: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-09-09 16:55:06 -04:00
Chris PeBenito	4e2b3545c6	Merge pull request #308 from cgzones/systemd_status	2020-09-09 16:54:23 -04:00
Christian Göttsche	24827d8073	selinux: add selinux_use_status_page and deprecate selinux_map_security_files Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-09-09 21:00:47 +02:00
Chris PeBenito	a0aee3cbcc	bind: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-09-09 11:25:28 -04:00
Dominick Grift	93113bce78	bind: add a few fc specs for unbound unbound-checkconf is the unbound bind-checkconf equivalent unbound-control is the unbound bind ndc equivalent Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>	2020-09-09 11:24:43 -04:00
Christian Göttsche	1103350ee3	init/systemd: allow systemd to map the SELinux status page systemd v247 will access the SELinux status page. This affects all domains currently opening the label database, having the permission seutil_read_file_contexts. see https://github.com/systemd/systemd/pull/16821 Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-09-08 13:18:18 +02:00
Chris PeBenito	dcf7ae9f48	userdomain: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-08-31 15:36:14 -04:00
Jonathan Davies	9d3321e4fe	userdomain.if: Marked usbguard user modify tunable as optional so usbguard may be excluded. Thanks to Dominick Grift for helping me pin-point this. Signed-off-by: Jonathan Davies <jpds@protonmail.com>	2020-08-29 20:43:38 +00:00
Chris PeBenito	72e221fd4d	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-08-28 15:30:52 -04:00
Chris PeBenito	cc15ff2086	Merge pull request #302 from dsugar100/master	2020-08-28 15:26:50 -04:00
Chris PeBenito	74b37e16db	Merge pull request #301 from bauen1/fix-selint-s-010	2020-08-28 15:26:47 -04:00
bauen1	fa59d0e9bc	selint: fix S-010 Signed-off-by: bauen1 <j2468h@gmail.com>	2020-08-28 17:39:09 +02:00
Dave Sugar	1627ab361e	Looks like this got dropped in pull request #294 Seeing the following denial - adding back in: localhost kernel: type=1400 audit(1598497795.109:57): avc: denied { map } for pid=1054 comm="modprobe" path="/usr/lib/modules/3.10.0-1127.19.1.el7.x86_64/modules.dep.bin" dev="dm-0" ino=23711 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0 Signed-off-by: Dave Sugar <dsugar100@gmail.com>	2020-08-27 08:10:58 -04:00
Chris PeBenito	f8b0c1641c	acpi: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-08-26 12:52:59 -07:00
Chris PeBenito	3991ecf54f	Merge branch 'acpid_shutdown' of https://github.com/jpds/refpolicy into jpds-acpid_shutdown	2020-08-26 12:49:14 -07:00
Jonathan Davies	99ad371868	acpi.te: Removed unnecessary init_write_initctl(). Signed-off-by: Jonathan Davies <jpds@protonmail.com>	2020-08-25 22:53:40 +00:00
Christian Göttsche	850fefc626	postfixpolicyd: split multi-class rule The rule uses the permission manage_file_perms on the classes file and sock_file. This won't result in a change in the actual policy generated, but if the definitions of macros are changed going forward, the mismatches could cause issues. Found by SELint Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-08-25 20:44:16 +02:00
bauen1	b172fd71d2	systemd-logind: utilize nsswitch Signed-off-by: bauen1 <j2468h@gmail.com>	2020-08-24 16:37:10 +02:00
bauen1	69b709930a	authlogin: connect to userdb Signed-off-by: bauen1 <j2468h@gmail.com>	2020-08-24 16:37:10 +02:00
bauen1	ada848b352	systemd: private type for /run/systemd/userdb Signed-off-by: bauen1 <j2468h@gmail.com>	2020-08-24 16:37:07 +02:00
Jonathan Davies	ec0ebc8b11	acpi.te: Allow acpid_t to shutdown the system - this is required to handle shutdown calls from libvirt. Fixes #298 . Signed-off-by: Jonathan Davies <jpds@protonmail.com>	2020-08-23 20:00:29 +00:00
Chris PeBenito	d387e79989	Bump module versions for release. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-08-18 09:09:10 -04:00
Chris PeBenito	ab47695bdb	files, init, modutils, systemd, udev: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-08-14 09:38:09 -04:00
Chris PeBenito	e10d956f38	Merge pull request #294 from cgzones/selint	2020-08-14 09:36:44 -04:00
Chris PeBenito	60516aaeaa	xserver: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-08-14 08:53:38 -04:00
Yi Zhao	afb2021524	xserver: allow xserver_t to connect to resmgrd This was probably a typo: resmgr_stream_connect(xdm_t) -> resmgr_stream_connect(xserver_t) Signed-off-by: Yi Zhao <yi.zhao@windriver.com>	2020-08-14 11:13:34 +08:00
Yi Zhao	8322f0e0d9	Remove duplicated rules Signed-off-by: Yi Zhao <yi.zhao@windriver.com>	2020-08-14 10:55:31 +08:00
Christian Göttsche	09ed84b632	files/modutils: unify modules_object_t usage into files module modutils.te: 50: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001) modutils.te: 51: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001) modutils.te: 52: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001) modutils.te: 53: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001) modutils.if: 15: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011) modutils.if: 52: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011) modutils.fc: 24: (S): Type modules_object_t is declared in module files, but used in file context here. (S-002) Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-08-13 21:23:43 +02:00
Christian Göttsche	e9b2e1ea4f	work on SELint issues - selinuxutil.te: ignore gen_require usage for bool secure_mode - corenetwork.te: ignore gen_require usage for type unlabeled_t - files.if: drop unneeded required types in interface - rpm.if: drop unneeded required type in interface - xserver.if: ignore interface xserver_restricted_role calling template xserver_common_x_domain_template - domain.te: add require block with explicit declaration for used type unlabeled_t from module kernel Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-08-13 21:23:43 +02:00
Chris PeBenito	fbc60f2319	Merge pull request #296 from cgzones/diff-check whitespace cleanup	2020-08-13 09:19:48 -04:00
Christian Göttsche	72b2c66256	whitespace cleanup Remove trailing white spaces and mixed up indents Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-08-13 14:34:57 +02:00
Christian Göttsche	3bb507efa6	Fix several misspellings Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-08-13 14:08:58 +02:00
Chris PeBenito	71e653980b	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-08-11 08:35:00 -04:00
Chris PeBenito	cd141fa2ea	Merge pull request #290 from pebenito/fs-image	2020-08-11 08:33:26 -04:00
Chris PeBenito	32b2332d36	Merge pull request #289 from pebenito/remove-unlabeled-file	2020-08-11 08:33:22 -04:00
Chris PeBenito	777fe47c19	kernel, fstools, lvm, mount: Update to use filesystem image interfaces. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2020-07-29 14:33:39 -04:00
Chris PeBenito	04fb9404c8	filesystem: Create a filesystem image concept. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2020-07-29 14:29:26 -04:00
Chris PeBenito	27deadbecd	files: Restore mounton access to files_mounton_all_mountpoints(). Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2020-07-28 10:33:09 -04:00
Chris PeBenito	fe737c405d	selinuxuntil, userdomain: Restore relabelfrom access for unlabeled files. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2020-07-28 10:33:07 -04:00
Chris PeBenito	662d55ed5e	kernel: Drop unlabeled_t as a files_mountpoint(). This made unlabeled_t a file and provided much more access than an unlabeled file should have. Access to unlabeled objects should be explicit. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2020-07-28 10:09:24 -04:00
Chris PeBenito	4c7926a3c0	init: Revise init_startstop_service() build option blocks. Revise to use ifelse to have a clear set of criteria for enabling the various options. Additionally, if no options are enabled, run_init permissions are provided as a default. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>	2020-07-27 11:40:36 -04:00
Chris PeBenito	aa6c3f4da3	apt, rpm: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-07-27 09:05:53 -04:00
Laurent Bigonville	e4f0709788	Label /usr/libexec/packagekitd as apt_exec_t on debian The daemon has now moved from /usr/lib/packagekit/packagekitd to /usr/libexec/packagekitd Signed-off-by: Laurent Bigonville <bigon@bigon.be>	2020-07-27 13:26:06 +02:00
Chris PeBenito	c5ac0d52c4	openvpn: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-07-16 09:31:56 -04:00
Chris PeBenito	7f601b8bcf	Merge pull request #284 from alexminder/openvpn	2020-07-16 09:31:06 -04:00
Alexander Miroshnichenko	67c4238e8e	openvpn: update file context regex for ipp.txt Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>	2020-07-14 13:34:58 +03:00
Chris PeBenito	ac02273502	tmp2: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-07-10 08:51:57 -04:00
Alexander Miroshnichenko	aff9c6e91c	openvpn: more versatile file context regex for ipp.txt Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>	2020-07-07 15:22:29 +03:00
Dave Sugar	7a03f4a00f	Interfaces for tpm2 Add interfaces tpm2_use_fds, tpm2_dontaudit_use_fds, and tpm2_read_pipes Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-07-06 22:34:39 -04:00
Chris PeBenito	613708cad6	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-07-04 09:30:45 -04:00
Chris PeBenito	0992763548	Update callers for "pid" to "runtime" interface rename. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-28 16:03:45 -04:00
Chris PeBenito	be04bb3e7e	Rename "pid" interfaces to "runtime" interfaces. Rename interfaces to bring consistency with previous pid->runtime type renaming. See PR #106 or `69a403cd` original type renaming. Interfaces that are still in use were renamed with a compatibility interface. Unused interfaces were fully deprecated for removal. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-28 14:33:17 -04:00
Chris PeBenito	07c08fa41e	kernel: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-18 08:30:42 -04:00
Dave Sugar	50c24ca481	Resolve neverallow failure introduced in #273 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-06-17 19:05:08 -04:00
Chris PeBenito	c63e5410a9	systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-17 08:48:41 -04:00
Chris PeBenito	c2a142d762	systemd: Merge generator domains. If these processes are compromised they can write units to do malicious actions, so trying to tightly protect the resources for each generator is not effective. Made the fstools_exec() optional, although it is unlikely that a system would not have the module. Only aliases for removed types in previous releases are added. The systemd_unit_generator() interface and systemd_generator_type attribute were not released and are dropped without deprecation. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-15 09:47:20 -04:00
Chris PeBenito	71002cdfe0	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-15 08:57:44 -04:00
Chris PeBenito	91087f8ff1	Merge pull request #274 from bauen1/remove-dead-weight	2020-06-15 08:56:42 -04:00
Chris PeBenito	9169113d42	Merge pull request #271 from bauen1/misc-fixes-2	2020-06-15 08:56:40 -04:00
Chris PeBenito	edbe7e9af7	Merge pull request #267 from bauen1/target-systemd-sysusers	2020-06-15 08:56:24 -04:00
bauen1	fc904634ac	dpkg: domaintrans to sysusers if necessary Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:52:53 +02:00
bauen1	77f891c7bf	Remove the ada module, it is unecessary and not touched since ~2008 It is only used to allow the compiler execmem / execstack but we have unconfined_execmem_t for that. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:47:14 +02:00
bauen1	cbdf1fad22	systemd: systemd-tempfiles will relabel tmpfs if mounted over e.g. /tmp Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
bauen1	e12d84181b	corecommands: correct label for debian ssh-agent helper script Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
bauen1	cb2d84b0d1	gpg: don't allow gpg-agent to read /proc/kcore This was probably a typo and shouldn't have been merged. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
bauen1	083e5d1d58	dpkg: dpkg scripts are part of dpkg and therefor also an application domain Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
bauen1	583f435c7b	systemd: systemd --user add essential permissions Allow selinux awareness (libselinux) and access to setsockcreatecon to correctly set the label of sockets. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
bauen1	e7fc029a95	dpkg: allow dpkg frontends to acquire lock by labeling it correctly Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:45:07 +02:00
Chris PeBenito	2f097a0c6d	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-15 08:43:30 -04:00
bauen1	66b4101b36	systemd: maintain /memfd:systemd-state Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:43:18 +02:00
bauen1	a42a15dd4d	authlogin: unix_chkpwd is linked to libselinux Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:43:18 +02:00
bauen1	6f7bc3da46	init: systemd will run chkpwd to start user@1000 This was likely also hidden by the unconfined module. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:43:17 +02:00
bauen1	a5c3c70385	thunderbird: label files under /tmp Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:43:17 +02:00
bauen1	6ce9865e6c	systemd: fixed systemd_rfkill_t denial spam Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:41:30 +02:00
bauen1	a9ff07d886	postfix: add filetrans for sendmail and postfix for aliases db operations Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-15 14:41:30 +02:00
bauen1	0f4eb2a324	init: fix systemd boot Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:35 +02:00
bauen1	93beef3ce5	systemd-logind.service sandbox required permissions Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:35 +02:00
bauen1	e20db26b7b	systemd-timesyncd.service sandbox requried permissions For every services sandbox systemd will create a (or more ?) tmpfs including symlinks for various files, e.g.: Jun 11 14:03:17 selinux-pr-test1 audit[284]: AVC avc: granted { create } for pid=284 comm="(imesyncd)" name="stderr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:35 +02:00
bauen1	83a39ad4fd	udev.service sandbox required permissions Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:35 +02:00
bauen1	0a596401f1	logrotate.service sandbox required permissions Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:34 +02:00
bauen1	d9a58c8434	terminal: cleanup term_create interfaces Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:34 +02:00
bauen1	aa6c7f28f2	allow most common permissions for systemd sandboxing options Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-11 19:10:28 +02:00
Chris PeBenito	309f655fdc	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-10 15:02:27 -04:00
bauen1	8f782ae820	systemd-sysusers: add policy On systems without the unconfined module this service needs additional privileges. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-06-04 19:53:47 +02:00
Topi Miettinen	1d8333d7a7	Remove unlabeled packet access When SECMARK or Netlabel packet labeling is used, it's useful to forbid receiving and sending unlabeled packets. If packet labeling is not active, there's no effect. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>	2020-06-03 23:16:19 +03:00
Christian Göttsche	b4180614b6	apache: quote gen_tunable name argument Match the style of tunable_policy and gen_tunable statements in userdomain Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-06-02 20:35:30 +02:00
Christian Göttsche	dcb01ec4cc	devices/storage: quote arguments to tunable_policy Match the overall style and please sepolgen-ifgen Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-06-02 20:35:30 +02:00
Chris PeBenito	c950ada4ea	openvpn: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-06-02 13:35:57 -04:00
McSim85	95c43ef3a4	add rule for the management socket file fixed comments from @bauen1 Signed-off-by: McSim85 <maxim@kramarenko.pro>	2020-06-02 13:58:46 +03:00
Chris PeBenito	b38804e328	init, logging: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-27 11:36:44 -04:00
Chris PeBenito	fe0a8d2542	Merge pull request #261 from bauen1/confined-debian-fixes	2020-05-27 11:35:49 -04:00
bauen1	be231899f5	init: replace call to init_domtrans_script Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 17:09:06 +02:00
Chris PeBenito	c75b2f3642	corecommands, files, filesystem, init, systemd: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-27 10:52:49 -04:00
Chris PeBenito	d8da662d5e	Merge pull request #262 from bauen1/misc-fixes-1	2020-05-27 10:52:07 -04:00
Chris PeBenito	382c5f7c09	domain, setrans: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-27 10:46:47 -04:00
Chris PeBenito	5374e1ac16	Merge pull request #264 from bauen1/reenable-setrans	2020-05-27 10:46:08 -04:00
bauen1	b184f71bed	init: fix init_manage_pid_symlinks to grant more than just create permissions This was introduced in `4e842fe209` by me. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 14:23:18 +02:00
bauen1	ab2c353048	systemd: allow systemd-user-runtime-dir to do its job It requires access to /run/user/UID while running as root Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 14:03:05 +02:00
bauen1	7eae84a8b4	lvm-activation-generator also needs to execute lvm lvm will also try to read localization. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 14:03:05 +02:00
bauen1	ee323d3b9a	filesystem: pathcon for matching tracefs mount Prevent restorecon from trying to relabel /sys/fs/tracing . Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 11:51:36 +02:00
bauen1	c9354399f9	corecommands: proper label for unattended-upgrades helpers Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 11:51:36 +02:00
bauen1	ef0238d2d5	init: watch /etc/localtime even if it's a symlink Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 11:51:36 +02:00
bauen1	70e0d26988	files: add files_watch_etc_symlinks interface Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-27 11:51:36 +02:00
bauen1	9e2e343989	setrans: allow label translation for all domains. This partially reverts commit `65da822c1b` Connecting to setransd is still very much necessary for any domain that uses SELinux labels in any way. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-22 20:53:47 +02:00
bauen1	8784dd0c66	init: allow systemd to activate journald-audit.socket Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-22 20:51:46 +02:00
bauen1	5fb8157616	init: make initrc_t a init_domain to simplify the policy This also allows init_t initrc_t:process2 nnp_transition which can be required if the service isn't targeted. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-22 20:51:39 +02:00
bauen1	51d76f956f	init: allow systemd to setup mount namespaces This is required to boot without the unconfined module. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-22 20:48:13 +02:00
Christian Göttsche	160e2016bb	apache: use correct content types in apache_manage_all_user_content() The content types are named httpd_user_rw_content_t and httpd_user_ra_content_t not httpd_user_content_rw_t and httpd_user_content_ra_t in apache_content_template() Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-05-15 00:01:02 +02:00
Chris PeBenito	5b171c223a	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-14 10:32:30 -04:00
Chris PeBenito	28bf3cb4fb	Merge pull request #258 from bauen1/misc-fixes-1	2020-05-14 10:27:04 -04:00
Chris PeBenito	2ab326ab2d	Merge pull request #253 from cgzones/selint	2020-05-14 10:27:00 -04:00
bauen1	09c028ead9	dnsmasq: watch for new dns resolvers dnsmasq will watch /etc/resolv.conf for any changes to add new dns servers immediately. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-14 09:31:51 +02:00
bauen1	096b8f59f2	semanage: create directories for new policies semodule will try to create a directory under /etc/selinux if the policy it is modifying doesn't exist (e.g. it is being build for the first time). Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-14 09:31:31 +02:00
bauen1	4f9772e309	systemd-fstab-generator needs to know about all mountpoints Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-14 09:31:30 +02:00
bauen1	da561748d0	corecommands: fix atrild label atrild is a daemon shipped by atril, see shell/Makefile.am of https://github.com/mate-desktop/atril Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-14 09:31:30 +02:00
bauen1	955c5c5253	lvm: create /etc/lvm/archive if it doesn't exist Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-14 09:31:27 +02:00
bauen1	67dfa3651f	init: read default context during boot Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-14 09:31:26 +02:00
bauen1	2b11987003	quota: allow quota to modify /aquota even if immutable Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-14 09:31:26 +02:00
bauen1	0ff1f78619	systemd: allow regular users to run systemd-analyze Same deal as with systemd-run this is potentially useful for non privileged users and especially useful for admins. Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-14 09:31:17 +02:00
Christian Göttsche	57d570f01c	chromium/libraries: move lib_t filecontext to defining module Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-05-12 20:09:44 +02:00
Christian Göttsche	2884cfe4bc	files/miscfiles: move usr_t filecontext to defining module Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-05-12 20:09:44 +02:00
Christian Göttsche	75b3bcaf3e	files/logging: move var_run_t filecontext to defining module Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-05-12 20:09:44 +02:00
Chris PeBenito	e7dad518eb	application: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-12 11:24:40 -04:00
Chris PeBenito	5387a29b40	Merge pull request #255 from bauen1/fix-sudo-ssh	2020-05-12 11:24:10 -04:00
bauen1	dd8ed0ba14	application: applications can be executed from ssh without pty For example ansible uses `ssh localhost sudo id` to become root. This doesn't appear to be necessary in redhat due to https://src.fedoraproject.org/rpms/openssh/blob/master/f/openssh-6.6p1-privsep-selinux.patch Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-12 16:52:59 +02:00
Chris PeBenito	68a076bf43	dirmngr: Module version bump Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-12 10:50:57 -04:00
Christian Göttsche	0ac9f4cb22	tpm2: small fixes * Drop permissions implied by domtrans_pattern * Use fifo_file permission macro for fifo_file class Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-05-11 21:42:50 +02:00
Christian Göttsche	d769c71848	init/systemd: move systemd_manage_all_units to init_manage_all_units The attribute systemdunit is defined in the file init.te, so interfaces granting access on it should be defined in init.if Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-05-11 21:42:50 +02:00
Christian Göttsche	e683d67f46	portage: drop bizarre conditional TODO blocks Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-05-11 21:42:50 +02:00
Christian Göttsche	8f308eb846	unconfined: clarify unconfined_t stub usage in unconfined_domain_noaudit() Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-05-11 21:42:50 +02:00
Christian Göttsche	f6a7365cc0	consolesetup: drop unused requires Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-05-11 21:42:50 +02:00
Christian Göttsche	31153edcb4	chromium: drop dead conditional block The condition `use_alsa` is nowhere defined, and the contained interface `alsa_domain` does not exist. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-05-11 21:42:50 +02:00
Christian Göttsche	c7d77a32b9	samba: fix wrong interface context smbd_runtime_t Commit `69a403cd97` renamed smbd_var_run_t to smbd_runtime_t, but smbd_runtime_t does not exist. Commit `61ecff5c31` removed the alias smbd_var_run_t to samba_runtime_t. Use samba_runtime_t instead. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>	2020-05-11 21:42:50 +02:00
bauen1	3cdae47364	dirmngr: ~/.gnupg/crls.d might not exist Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-10 14:44:41 +02:00
bauen1	a356bce2d4	dirmngr: also requires access to /dev/urandom Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-10 14:44:41 +02:00
bauen1	5bd2650602	dirmngr: allow to probe for tor dirmngr will test if tor is running, even if it isn't and this check fails dirmngr will fail to retrieve any keys, this is the default (see https://www.gnupg.org/documentation/manuals/gnupg/Dirmngr-Options.html for --use-tor) Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-10 14:44:40 +02:00
Chris PeBenito	6df603e814	apache, bird, ntp: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-05 13:35:34 -04:00
Chris PeBenito	370160dcb9	Merge pull request #251 from bauen1/fix-systemd-timesyncd	2020-05-05 13:28:54 -04:00
Chris PeBenito	45733fcfb1	Merge pull request #250 from bauen1/nginx	2020-05-05 13:28:31 -04:00
Chris PeBenito	809c39fa50	Merge pull request #239 from bauen1/fix-bird2	2020-05-05 13:27:55 -04:00
bauen1	5a18466573	ntpd: fixes for systemd-timesyncd after linux 5.4 Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-05 18:09:56 +02:00
bauen1	6b90780fdd	apache: add nginx to policy This is better than the current status quo of running nginx under initrc_t, a lot of other webservers are already under the apache policy (e.g. lighttpd) and this requires no additional permissions. See also the discussion from March 2013 on the selinux-refpolicy mailing list: https://lore.kernel.org/selinux-refpolicy/20110318110259.GA25236@localhost.localdomain/ Signed-off-by: bauen1 <j2468h@gmail.com>	2020-05-05 12:42:07 +02:00
Chris PeBenito	a7a327a921	sysnetwork, filesystem, userdomain: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-04 09:10:54 -04:00
Chris PeBenito	100a3fb02b	Merge pull request #233 from fishilico/ip-netns	2020-05-04 09:05:34 -04:00
Chris PeBenito	4ae3713c45	various: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-05-04 08:55:09 -04:00
Chris PeBenito	a1c97cbab2	Merge pull request #249 from topimiettinen/ping-sendrecv-icmp	2020-05-04 08:47:55 -04:00
Chris PeBenito	271e4bb8c9	Merge pull request #248 from dburgener/remove-outdated-stunnel-port-access	2020-05-04 08:47:07 -04:00
Chris PeBenito	6137441c69	Merge pull request #247 from dburgener/repeated-perms	2020-05-04 08:46:42 -04:00
Chris PeBenito	671d5da3d7	Merge pull request #245 from dburgener/tty-pty-cleanup	2020-05-04 08:46:15 -04:00
Topi Miettinen	a614e755ae	netutils: allow ping to send and receive ICMP packets Let ping send and receive ICMP packets when Netfilter SECMARK packet labeling is active. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>	2020-05-04 12:43:18 +03:00
Daniel Burgener	a01820155f	Remove out of date "hack" from stunnel. The underlying problem needing a require was fixed back in 2011, so using corenet_tcp_bind_stunnel_port would be an option now, but stunnel_t already has corenet_tcp_bind_all_ports, so this access is redundant. Signed-off-by: Daniel Burgener <Daniel.Burgener@Microsoft.com>	2020-05-02 16:24:53 -04:00
Daniel Burgener	ce8f00538a	Remove the second copy of a permission in instances where the exact same permission is repeated twice in a row Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>	2020-05-01 12:22:40 -04:00
Daniel Burgener	5ba931d49d	Fix a few places where command line applications were only granted one of tty or pty permissions and could be used from either Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>	2020-04-30 14:53:31 -04:00
bauen1	56d16a79ae	bird: fixes for bird 2.0 Signed-off-by: bauen1 <j2468h@gmail.com> bird: allow admin to connect to the bird daemon socket Signed-off-by: bauen1 <j2468h@gmail.com> bird: read /proc/sys/crypto/fips_enabled Signed-off-by: bauen1 <j2468h@gmail.com>	2020-04-29 18:13:21 +02:00
Dave Sugar	a0403b52d8	Interfaces needed to support IMA/EVM keys I have been working to support IMA/EVM on a system. It requires having keys added to the kernel keyring. Keys added with keyctl and evmctl. I am creating keys in the ima_key_t type. Once the keys are created, many domains then need search permission on the type of the key. The following changes are needed to get things to work. Need to add keys to the kernel keyring (keyctl). type=AVC msg=audit(1585420717.704:1868): avc: denied { write } for pid=8622 comm="keyctl" scontext=system_u:system_r:cleanup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1 Allow all domains to search key type=AVC msg=audit(1587936822.802:556): avc: denied { search } for pid=5963 comm="kworker/u16:6" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1 type=AVC msg=audit(1587936822.804:559): avc: denied { search } for pid=5963 comm="systemd-cgroups" scontext=system_u:system_r:systemd_cgroups_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1 type=AVC msg=audit(1587936822.809:560): avc: denied { search } for pid=5964 comm="(sysctl)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1 type=AVC msg=audit(1587936822.813:562): avc: denied { search } for pid=5964 comm="sysctl" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1 type=AVC msg=audit(1587936823.149:604): avc: denied { search } for pid=5987 comm="setsebool" scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com>	2020-04-29 11:50:16 -04:00
Chris PeBenito	4f846ea99d	bootloader, filesystem: Module version bump. Signed-off-by: Chris PeBenito <pebenito@ieee.org>	2020-04-29 10:51:26 -04:00
Topi Miettinen	eae4ecde22	bootloader: add rEFInd and systemd-boot Add EFI bootloaders rEFInd and systemd-boot. Boot tools which manage bootloader files in UEFI (DOS) partition need also to manage UEFI boot variables in efivarfs. Bootctl (systemd-boot tool) verifies the type of EFI file system and needs to mmap() the files. Signed-off-by: Topi Miettinen <toiwoton@gmail.com>	2020-04-25 13:15:46 +03:00

... 3 4 5 6 7 ...

3930 Commits