Commit Graph

6779 Commits

Author SHA1 Message Date
Chris PeBenito 429b26878b
Merge pull request #607 from bluca/mempressure
Add support for memory pressure notifications protocol
2023-05-18 09:13:34 -04:00
Chris PeBenito 6f8056dd3f
Merge pull request #618 from plsph/zfs_t-blkid
Keep context of blkid file/dir when created by zpool.
2023-05-18 09:13:13 -04:00
Grzegorz Filo 80d52aa4f6 Keep context of blkid file/dir when created by zpool.
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
2023-05-15 19:33:41 +02:00
Chris PeBenito 8f563f58ea
Merge pull request #615 from plsph/zfs-dir-transition
Dir transition goes with dir create perms.
2023-05-03 09:31:45 -04:00
Chris PeBenito 9ef053d6c5
Merge pull request #614 from plsph/initrc-zfs-config
Allow initrc_t read zfs config files.
2023-05-03 09:27:25 -04:00
Grzegorz Filo d769f31966 Dir transition goes with dir create perms.
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
2023-05-03 10:54:59 +02:00
Grzegorz Filo 232b4ab271 Shell functions used during boot by initrc_t shall be bin_t and defined in corecommands.fc
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
2023-05-03 09:42:34 +02:00
Chris PeBenito d22e18a3d5
Merge pull request #612 from jcpunk/local-path-provisioner
container: set default context for local-path-provisioner
2023-04-28 16:47:28 -04:00
Pat Riehecky f52070b3cf container: set default context for local-path-provisioner
The kubernetes local-path-provisioner uses either
/opt/local-path-provisioner or
/var/local-path-provisioner for its physical volumes

Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
2023-04-28 15:16:46 -05:00
Chris PeBenito ad527f9f62
Merge pull request #592 from montjoie/update-smart-drivedb
fsadm: add domain for update-smart-drivedb
2023-04-17 10:23:49 -04:00
Chris PeBenito 218c42f592
Merge pull request #608 from montjoie/dovecot
dovecot: add missing permissions
2023-04-17 10:17:53 -04:00
Corentin LABBE ac6b47c71d dovecot: add missing permissions
I use dovecot for IMAP hosting and several rules are missing.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-04-11 10:51:03 +02:00
Corentin LABBE cb068f09d2 smartmon: add domain for update-smart-drivedb
update-smart-drivedb is fsadm_t-like but with access to the network.
Since it does network access, and doesn't access any hardware, let's add its own domain.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-04-11 10:31:52 +02:00
Chris PeBenito 7831981d0d
Merge pull request #609 from freedom1b2830/master
path marking for vlc(mplayer_t)
2023-04-06 09:41:39 -04:00
Chris PeBenito 7815e4859c
Merge pull request #610 from gtrentalancia/master
pulseaudio: restrict network access
2023-04-06 09:05:02 -04:00
freedom1b2830 a098f2bd52
mplayer:vlc paths
Signed-off-by: freedom1b2830 <freedom1b2830@gmail.com>
2023-04-05 17:07:43 +00:00
Guido Trentalancia 8f7064490d The pulseaudio daemon and client do not normally need to use
the network for most computer systems that need to play and
record audio.

So, network access by pulseaudio should normally be restricted.

This patch restricts all network access by using tunable policy
and a new boolean to control it.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/pulseaudio.te |   47 ++++++++++++++++++++++++--------------
 1 file changed, 30 insertions(+), 17 deletions(-)
2023-04-05 16:06:19 +02:00
Luca Boccassi d0d4e8fd73 systemd: allow daemons to access memory.pressure
These services are hooked up to the memory.pressure interface, so
allow them to access the file.

Jan 26 08:12:21 localhost audit[202]: AVC avc:  denied  { getattr } for  pid=202 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[379]: AVC avc:  denied  { getattr } for  pid=379 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1463 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:49:01 localhost audit[475]: AVC avc:  denied  { getattr } for  pid=475 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1595 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:49:02 localhost audit[491]: AVC avc:  denied  { getattr } for  pid=491 comm="systemd-portabl" path="/sys/fs/cgroup/system.slice/systemd-portabled.service/memory.pressure" dev="cgroup2" ino=1859 scontext=system_u:system_r:systemd_portabled_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:49:02 localhost audit[490]: AVC avc:  denied  { write } for  pid=490 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1826 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[202]: AVC avc:  denied  { getattr } for  pid=202 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[382]: AVC avc:  denied  { getattr } for  pid=382 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1463 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:57:56 localhost audit[479]: AVC avc:  denied  { getattr } for  pid=479 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1595 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:57:56 localhost audit[493]: AVC avc:  denied  { getattr } for  pid=493 comm="systemd-portabl" path="/sys/fs/cgroup/system.slice/systemd-portabled.service/memory.pressure" dev="cgroup2" ino=1859 scontext=system_u:system_r:systemd_portabled_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:57:56 localhost audit[492]: AVC avc:  denied  { write } for  pid=492 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1826 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[204]: AVC avc:  denied  { getattr } for  pid=204 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=526 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[316]: AVC avc:  denied  { getattr } for  pid=316 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1234 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[359]: AVC avc:  denied  { getattr } for  pid=359 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1564 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[350]: AVC avc:  denied  { write } for  pid=350 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1531 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[203]: AVC avc:  denied  { getattr } for  pid=203 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=526 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[312]: AVC avc:  denied  { getattr } for  pid=312 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1234 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[351]: AVC avc:  denied  { getattr } for  pid=351 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1564 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[342]: AVC avc:  denied  { write } for  pid=342 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1531 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[201]: AVC avc:  denied  { open } for  pid=201 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 13 17:00:57 localhost audit[490]: AVC avc:  denied  { open } for  pid=490 comm="systemd-portabl" path="/sys/fs/cgroup/system.slice/systemd-portabled.service/memory.pressure" dev="cgroup2" ino=1859 scontext=system_u:system_r:systemd_portabled_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2023-03-17 13:02:11 +00:00
Luca Boccassi 6ecba6ff80 systemd: also allow to mounton memory.pressure
Mar 15 22:15:35 localhost audit[1607]: AVC avc:  denied  { mounton } for  pid=1607 comm="(esetinfo)" path="/run/systemd/unit-root/sys/fs/cgroup/system.slice/socresetinfo.service/memory.pressure" dev="cgroup2" ino=2522 scontext=system_u:system_r:init_t tcontext=system_u:object_r:memory_pressure_t tclass=file permissive=1

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2023-03-17 13:00:48 +00:00
Luca Boccassi 6dd2c3bcd1 Add separate label for cgroup's memory.pressure files
Required to enable notifications on memory pressure events: one needs to
write to the file to start receiving them. This will be used by all
systemd daemons, and eventually by external daemons that subscribe to the
same interface too.

See: https://github.com/systemd/systemd/blob/main/docs/MEMORY_PRESSURE.md

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2023-03-17 13:00:48 +00:00
Chris PeBenito 8e8f5e3ca3
Merge pull request #606 from yizhao1/systemd-resolved
systemd: allow systemd-resolved to search directories on tmpfs and ramfs
2023-03-17 08:40:27 -04:00
Yi Zhao c75a32f2be systemd: allow systemd-resolved to search directories on tmpfs and ramfs
Fixes:
avc:  denied  { search } for  pid=233 comm="systemd-resolve" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1

avc:  denied  { search } for  pid=233 comm="systemd-resolve" name="/"
dev="ramfs" ino=813 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:ramfs_t tclass=dir permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-03-15 10:57:55 +08:00
Chris PeBenito 7416ac14f9
Merge pull request #603 from 0xC0ncord/various-20230224
More various fixes
2023-03-13 09:18:13 -04:00
Kenton Groombridge 9b4e8bd875 kubernetes: allow kubelet to read etc runtime files
To read /etc/machine-id.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge bf546e4c4f glusterfs: allow glusterd to bind to all TCP unreserved ports
Port 32767 seems to be needed by glfs_timer

type=SYSCALL msg=audit(1678151692.991:193): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=43bc7241350 a2=10 a3=3968 items=0 ppid=1 pid=2401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glfs_timer" exe="/usr/bin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1678151692.991:193): avc:  denied  { name_bind } for pid=2401 comm="glfs_timer" src=32767 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge 228e8e3f15 fstools: allow fsadm to read utab
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge 6ad1768065 raid: allow mdadm to create generic links in /dev/md
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge 69e6c33c46 raid: allow mdadm to read udev runtime files
This fixes this AVC:

avc:  denied  { getattr } for  pid=2238 comm="mdadm" path="/run/udev" dev="tmpfs" ino=52 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge edef7a8469 init: allow initrc_t to create netlink_kobject_uevent_sockets
Needed by rdma-rdd, which is automatically started by udev when an RDMA
device with a node description is present.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge 5b0aa89da7 systemd: allow systemd-resolved to bind to UDP port 5353
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge 9307110277 init: allow systemd-init to set the attributes of unallocated terminals
type=AVC msg=audit(1678150061.367:292): avc:  denied  { setattr } for pid=1 comm="systemd" name="tty1" dev="devtmpfs" ino=18 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge 104e2014ea fs, init: allow systemd-init to set the attributes of efivarfs files
avc:  denied  { setattr } for  pid=1 comm="systemd" name="LoaderSystemToken-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" ino=1049 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge 48af8ca656 systemd: allow systemd-pcrphase to read generic certs
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge 20fbb550b7 systemd: add rules for systemd-zram-generator
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge 716f47dbd5 files, systemd: allow systemd-tmpfiles to relabel config file symlinks
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge eed80c888c logging, systemd: allow relabelfrom,relabelto on systemd journal files by systemd-journald

journald's journal-offline will relabel log files. It should be noted
however that this happens even if the files already have the correct
label.

avc:  granted  { relabelfrom } for  pid=11440 comm="journal-offline" name=".#system@97c1c6b7d7ed4333b671d09d9deee851-00000000003d4f26-0005f63f0972fd4c.journalb23e70204ab1737e" dev="dm-0" ino=418415 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=0
avc:  granted  { relabelto } for  pid=11440 comm="journal-offline" name=".#system@97c1c6b7d7ed4333b671d09d9deee851-00000000003d4f26-0005f63f0972fd4c.journalb23e70204ab1737e" dev="dm-0" ino=418415 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:58 -05:00
Chris PeBenito f625d5b788
Merge pull request #579 from montjoie/portage-misc
portage: add misc missing rules
2023-03-10 14:58:38 -05:00
Kenton Groombridge 02e558be0f fs, udev: allow systemd-udevd various cgroup perms
Needed for systemd-udevd to create files under
/sys/fs/cgroup/system.slice/systemd-udevd.service/udev

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:32:41 -05:00
Kenton Groombridge dea2090ac3 logging: allow systemd-journald to list cgroups
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:47 -05:00
Kenton Groombridge d1593345df systemd: allow systemd-userdbd to getcap
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:47 -05:00
Kenton Groombridge 5ad60847c6 init: allow initrc_t to getcap
Many AVCs are observed on a systemd system and various services.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:47 -05:00
Kenton Groombridge 9af88f2bf7 init, systemd: allow init to create userdb runtime symlinks
At boot, systemd-init will create symlinks in /run/systemd/userdb. This
fixes these AVCs:

avc:  denied  { create } for  pid=1 comm="systemd" name="io.systemd.NameServiceSwitch" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=0
avc:  denied  { create } for  pid=1 comm="systemd" name="io.systemd.DropIn" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:46 -05:00
Kenton Groombridge 079de3d496 various: make /etc/machine-id etc_runtime_t
This file is updated at boot by systemd.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge 064a66c509 init: make init_runtime_t usable for systemd units
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge 011aadef16 zfs: add runtime filetrans for dirs
Needed by zfs recv.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge 18c1eeb654 zfs: allow sending signals to itself
Required for zfs snapshot.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge 214149b637 kernel, zfs: add filetrans for kernel creating zpool cache file
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge 1d8b309808 netutils: fixes for iftop
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge 181077dd47 podman, selinux: move lines, add missing rules for --network=host
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00
Kenton Groombridge 1aab07e154 redis: add missing rules for runtime filetrans
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 11:31:02 -05:00