RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
3,950 Commits 3 Branches 49 Tags 18 MiB
Commit Graph

3950 Commits

Author SHA1 Message Date
Chris PeBenito 459a19f18d Module version bump for debufs mount point fc entry from Laurent Bigonville. 2015-05-06 09:50:14 -04:00
Laurent Bigonville c738343b7f Add fc for /sys/kernel/debug as debugfs_t 2015-05-06 09:49:40 -04:00
Chris PeBenito bc4ea17c62 Update contrib. 2015-04-15 12:17:37 -04:00
Chris PeBenito dcda0459b5 Module version bump for fstools blkid fix from Jason Zaman 2015-04-15 12:17:30 -04:00
Jason Zaman 9cf1886c68 fstools: add in filetrans for /run dir 
the blkid tool writes to /run/blkid/. This creates the "fstools_run_t"
type an allows the transition in /run.

type=AVC msg=audit(1428929528.885:149519): avc:  denied  { write } for pid=5590 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=0

In permissive:
type=AVC msg=audit(1428948565.919:160149): avc:  denied  { write } for  pid=26197 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc:  denied  { add_name } for  pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc:  denied  { create } for  pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=SYSCALL msg=audit(1428948565.919:160149): arch=c000003e syscall=83 success=yes exit=0 a0=2cd79c6d214 a1=1ed a2=ffffffffffffff20 a3=539fe9bc40 items=2 ppid=28115 pid=26197 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="mkfs.ext4" exe="/sbin/mke2fs" subj=staff_u:sysadm_r:fsadm_t key=(null)
type=CWD msg=audit(1428948565.919:160149):  cwd="/root/selinux"
type=PATH msg=audit(1428948565.919:160149): item=0 name="/run/" inode=17656 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t nametype=PARENT
type=PATH msg=audit(1428948565.919:160149): item=1 name="/run/blkid" inode=4062404 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_run_t nametype=CREATE
type=UNKNOWN[1327] msg=audit(1428948565.919:160149): proctitle=6D6B66732E65787434002F6465762F7A72616D31
type=AVC msg=audit(1428948565.919:160150): avc:  denied  { write } for  pid=26197 comm="mkfs.ext4" name="blkid" dev="tmpfs" ino=4062404 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc:  denied  { add_name } for  pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc:  denied  { create } for  pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160150): avc:  denied  { write open } for  pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160151): avc:  denied  { getattr } for  pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1

Changes from v1:
- only transition on dir, not file.
- add fcontext for /run/fsck too.
- the audit log in the previous version was missing some lines.
 2015-04-15 12:16:32 -04:00
Chris PeBenito 600f71a2d9 Update contrib. 2015-03-25 08:28:22 -04:00
Chris PeBenito 51fb40a617 Simplify travis-ci build handling of SELinux toolchain. 
Overwrite any toolchain parts that may exist on the travis-ci build images
 2015-03-05 15:41:30 -05:00
Chris PeBenito 0e9f62f6bd Undo last commit. 
Misunderstood the global/matrix keywords.
 2015-02-23 09:33:49 -05:00
Chris PeBenito 894a1f104d Use matrix keyword to simplify travis-ci build definitions. 
Also eliminate unnecessary heartbeat function.
 2015-02-23 09:24:28 -05:00
Chris PeBenito 9a215ef9d9 Update contrib. 2015-02-17 08:35:52 -05:00
Chris PeBenito bf1d9c5b83 Add validate target for monolithic policy. 2015-02-08 23:15:29 -05:00
Chris PeBenito 1a1b3bd583 Travis CI already exports variables. 
Explicit exports are redundant
 2015-02-13 13:42:11 -05:00
Chris PeBenito 97fd81312c Add initial Travis CI configuration. 
Derived from Nicolas Iooss configuration for ArchLinux.
 2015-02-13 13:29:12 -05:00
Chris PeBenito f963d6dafa Fix domain_mmap_low() to be a proper tunable. 2015-02-09 16:02:36 -05:00
Chris PeBenito 5f0e495887 Update contrib. 2015-01-30 09:13:49 -05:00
Chris PeBenito 68f2c6f44c Add always_check_network policy capability. 
Disabled by default, as most systems don't want/need this.
 2015-01-27 17:25:36 -05:00
Chris PeBenito fd0c07c8b3 Module version bump for optional else block removal from Steve Lawrence. 2015-01-12 08:45:58 -05:00
Steve Lawrence 4bd0277313 Remove optional else block for dhcp ping 
Else blocks with optional statements are not supported in CIL.
Currently, if the pp to CIL compiler comes across one of these in a pp
module, it just drops the block and outputs a warning. Fortunately,
these are very rare. In fact, this is the only place in refpolicy where
an optional else block is used, and it is not clear if it is even
needed. This patch is untested, and is more to spark discussions to see
if there are any thoughts about whether or not this piece of policy is
needed.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
 2015-01-12 08:44:39 -05:00
Chris PeBenito 960e6cd4e8 Update Changelog and VERSION for release. 2014-12-03 13:37:38 -05:00
Chris PeBenito 468185f5f7 Bump module versions for release. 2014-12-03 13:37:38 -05:00
Chris PeBenito b86c6004d4 Module version bump for module store move from Steve Lawrence. 2014-12-03 13:37:02 -05:00
Steve Lawrence 418b3c78bb Update policy for selinux userspace moving the policy store to /var/lib/selinux 
With the new userspace, the only files in /var/lib/selinux are selinux
store related files, so label it and everything inside it as
semanage_store_t. semanage_var_lib_t is completely removed and now
aliases semanage_store_t for backwards compatibility. This differs from
the v2 patch in that it adds back the ability to manage
selinux_config_t, which is necessary to manage the old module store for
things like migrating from the old to new store and backwards
compatability.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
 2014-12-03 13:36:31 -05:00
Chris PeBenito 3e3a966eea Update contrib. 2014-12-03 08:04:56 -05:00
Chris PeBenito 0735f2ca4a Module version bump for misc fixes from Sven Vermeulen. 2014-12-02 10:29:59 -05:00
Nicolas Iooss ad2d828797 Create tmp directory when compiling a .mod.fc file in a modular way 
When compiling modules using support/Makefile.devel (which is installed
in /usr/share/selinux/*/include/Makefile) with "make -j9", the build
fails because tmp/ does not exist.

Add the missing command to create tmp/ when running tmp/%.mod.fc target.

Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=530178
 2014-12-02 09:26:54 -05:00
Sven Vermeulen 1edfad8247 Add /var/lib/racoon as runtime directory for ipsec 2014-12-02 09:16:06 -05:00
Sven Vermeulen 25b232f49a Add gfisk and efibootmgr as fsadm_exec_t 2014-12-02 09:16:05 -05:00
Sven Vermeulen 363daeed61 Add in LightDM contexts 2014-12-02 09:16:05 -05:00
Sven Vermeulen 84fa2ab1f2 Mark f2fs as a SELinux capable file system 
Since Linux kernel 3.11, F2FS supports XATTR and the security namespace.
See commit
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8ae8f1627f39bae505b90cade50cd8a911b8bda6
 2014-12-02 09:16:05 -05:00
Sven Vermeulen 29292968fe xfce4-notifyd is an executable 2014-12-02 09:16:05 -05:00
Sven Vermeulen 2b642954a6 New sudo manages timestamp directory in /var/run/sudo 
Allow sudo (1.8.9_p5 and higher) to handle /var/run/sudo/ts if it does
not exist (given the tmpfs nature of /var/run). This is done when sudo
is run in the user prefixed domain, and requires both the chown
capability as well as the proper file transition when /var/run/sudo is
created.
 2014-12-02 09:16:05 -05:00
Sven Vermeulen f0ebf14176 Add auth_pid_filetrans_pam_var_run 2014-12-02 09:16:05 -05:00
Sven Vermeulen fbdf5f0ef8 Run grub(2)-mkconfig in bootloader domain 
In order to write the grub configuration and perform the preliminary
checks, the grub-mkconfig command should run in the bootloader_t domain.
As such, update the file context definition to be bootloader_exec_t.
 2014-12-02 09:16:05 -05:00
Chris PeBenito f428babc50 Update contrib. 2014-12-02 09:00:54 -05:00
Nicolas Iooss 0692cd24b5 Update Python requirement in INSTALL 
PyXML has not been required to build the policy and its documentation
since at least Python 2.6, which comes with an "xml" module.

Moreover, some support scripts requires Python 2.6 or above (and are
compatible with Python 3.4, maybe also with other versions of Python 3).
Add the minimum supported version of Python in INSTALL.

ML thread: http://oss.tresys.com/pipermail/refpolicy/2014-November/007440.html
 2014-11-11 08:42:12 -05:00
Chris PeBenito ce0d545b2e Merge pull request #5 from bigon/audit_read 
Add new audit_read access vector in capability2 class
 2014-11-10 07:57:10 -05:00
Laurent Bigonville cbb1f36ef5 Add new audit_read access vector in capability2 class 
This AV has been added in 3.16 in commit
3a101b8de0d39403b2c7e5c23fd0b005668acf48
 2014-11-09 11:11:15 +01:00
Chris PeBenito 8a3a8c7e1b Module version bump for /sbin/iw support from Nicolas Iooss. 2014-10-23 08:51:53 -04:00
Chris PeBenito 0820cfe75d Add comment for iw generic netlink socket usage 2014-10-23 08:50:18 -04:00
Nicolas Iooss 5fb1249f37 Use create_netlink_socket_perms when allowing netlink socket creation 
create_netlink_socket_perms is defined as:

    { create_socket_perms nlmsg_read nlmsg_write }

This means that it is redundant to allow create_socket_perms and
nlmsg_read/nlmsg_write.

Clean up things without allowing anything new.
 2014-10-23 08:07:44 -04:00
Nicolas Iooss d6af57e5e7 Allow iw to create generic netlink sockets 
iw uses generic netlink socket to configure WiFi properties.  For
example, "strace iw dev wlan0 set power_save on" outputs:

    socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
    setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
    setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0
    bind(3, {sa_family=AF_NETLINK, pid=7836, groups=00000000}, 12) = 0

Some AVC denials are reported in audit.log:

    type=AVC msg=audit(1408829044.820:486): avc:  denied  { create } for
    pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
    tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
    permissive=1
    type=AVC msg=audit(1408829044.820:487): avc:  denied  { setopt } for
    pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
    tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
    permissive=1
    type=AVC msg=audit(1408829044.820:488): avc:  denied  { bind } for
    pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
    tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
    permissive=1
    type=AVC msg=audit(1408829044.820:489): avc:  denied  { getattr }
    for  pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
    tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
    permissive=1
    type=AVC msg=audit(1408829044.820:490): avc:  denied  { write } for
    pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
    tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
    permissive=1

Allowing ifconfig_t to create generic netlink sockets fixes this.

(On a side note, the AVC denials were caused by TLP, a tool which
applies "laptop configuration" when switching between AC and battery
with the help of a udev script)
 2014-10-23 08:07:44 -04:00
Nicolas Iooss f91e07baa9 Label /sbin/iw as ifconfig_exec_t 
iw manpage says "iw - show / manipulate wireless devices and their
configuration".  Label this command ifconfig_exec_t to allow it to
manage wireless communication devices.

Debian installs iw in /sbin/iw, Fedora in /usr/sbin/iw and Arch Linux in
/usr/bin/iw (with /usr/sbin being a symlink to /usr/bin).
 2014-10-23 08:07:44 -04:00
Chris PeBenito 6a24d9dba0 Module version bump for Debian arping fc entries from Laurent Bigonville. 2014-10-06 09:50:58 -04:00
Chris PeBenito da451633ef Merge pull request #4 from fishilico/minor-typo 
Fix minor typo in init.if
 2014-10-06 09:07:43 -04:00
Chris PeBenito 58b700e214 Merge pull request #3 from bigon/arping 
Add arping paths for debian
 2014-10-06 09:07:25 -04:00
Nicolas Iooss 836a282439 Fix minor typo in init.if 2014-10-04 10:53:50 +02:00
Laurent Bigonville 740a1746bf Debian also ship a different arping implementation 
In addition to the iputils arping implementation, Debian also ships an
other implementation which is installed under /usr/sbin/arping
 2014-10-03 14:35:58 +02:00
Laurent Bigonville a9594fc684 On Debian iputils-arping is installed in /usr/bin/arping 2014-10-03 14:29:05 +02:00
Chris PeBenito 6624f9cf7a Drop RHEL4 and RHEL5 support. 2014-09-24 13:10:37 -04:00
Chris PeBenito 35860e6459 Module version bump for CIL fixes from Yuli Khodorkovskiy. 2014-09-17 14:00:08 -04:00