Chris PeBenito
459a19f18d
Module version bump for debufs mount point fc entry from Laurent Bigonville.
2015-05-06 09:50:14 -04:00
Laurent Bigonville
c738343b7f
Add fc for /sys/kernel/debug as debugfs_t
2015-05-06 09:49:40 -04:00
Chris PeBenito
bc4ea17c62
Update contrib.
2015-04-15 12:17:37 -04:00
Chris PeBenito
dcda0459b5
Module version bump for fstools blkid fix from Jason Zaman
2015-04-15 12:17:30 -04:00
Jason Zaman
9cf1886c68
fstools: add in filetrans for /run dir
...
the blkid tool writes to /run/blkid/. This creates the "fstools_run_t"
type an allows the transition in /run.
type=AVC msg=audit(1428929528.885:149519): avc: denied { write } for pid=5590 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=0
In permissive:
type=AVC msg=audit(1428948565.919:160149): avc: denied { write } for pid=26197 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc: denied { add_name } for pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc: denied { create } for pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=SYSCALL msg=audit(1428948565.919:160149): arch=c000003e syscall=83 success=yes exit=0 a0=2cd79c6d214 a1=1ed a2=ffffffffffffff20 a3=539fe9bc40 items=2 ppid=28115 pid=26197 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="mkfs.ext4" exe="/sbin/mke2fs" subj=staff_u:sysadm_r:fsadm_t key=(null)
type=CWD msg=audit(1428948565.919:160149): cwd="/root/selinux"
type=PATH msg=audit(1428948565.919:160149): item=0 name="/run/" inode=17656 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t nametype=PARENT
type=PATH msg=audit(1428948565.919:160149): item=1 name="/run/blkid" inode=4062404 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_run_t nametype=CREATE
type=UNKNOWN[1327] msg=audit(1428948565.919:160149): proctitle=6D6B66732E65787434002F6465762F7A72616D31
type=AVC msg=audit(1428948565.919:160150): avc: denied { write } for pid=26197 comm="mkfs.ext4" name="blkid" dev="tmpfs" ino=4062404 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { add_name } for pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { create } for pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160150): avc: denied { write open } for pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160151): avc: denied { getattr } for pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
Changes from v1:
- only transition on dir, not file.
- add fcontext for /run/fsck too.
- the audit log in the previous version was missing some lines.
2015-04-15 12:16:32 -04:00
Chris PeBenito
600f71a2d9
Update contrib.
2015-03-25 08:28:22 -04:00
Chris PeBenito
51fb40a617
Simplify travis-ci build handling of SELinux toolchain.
...
Overwrite any toolchain parts that may exist on the travis-ci build images
2015-03-05 15:41:30 -05:00
Chris PeBenito
0e9f62f6bd
Undo last commit.
...
Misunderstood the global/matrix keywords.
2015-02-23 09:33:49 -05:00
Chris PeBenito
894a1f104d
Use matrix keyword to simplify travis-ci build definitions.
...
Also eliminate unnecessary heartbeat function.
2015-02-23 09:24:28 -05:00
Chris PeBenito
9a215ef9d9
Update contrib.
2015-02-17 08:35:52 -05:00
Chris PeBenito
bf1d9c5b83
Add validate target for monolithic policy.
2015-02-08 23:15:29 -05:00
Chris PeBenito
1a1b3bd583
Travis CI already exports variables.
...
Explicit exports are redundant
2015-02-13 13:42:11 -05:00
Chris PeBenito
97fd81312c
Add initial Travis CI configuration.
...
Derived from Nicolas Iooss configuration for ArchLinux.
2015-02-13 13:29:12 -05:00
Chris PeBenito
f963d6dafa
Fix domain_mmap_low() to be a proper tunable.
2015-02-09 16:02:36 -05:00
Chris PeBenito
5f0e495887
Update contrib.
2015-01-30 09:13:49 -05:00
Chris PeBenito
68f2c6f44c
Add always_check_network policy capability.
...
Disabled by default, as most systems don't want/need this.
2015-01-27 17:25:36 -05:00
Chris PeBenito
fd0c07c8b3
Module version bump for optional else block removal from Steve Lawrence.
2015-01-12 08:45:58 -05:00
Steve Lawrence
4bd0277313
Remove optional else block for dhcp ping
...
Else blocks with optional statements are not supported in CIL.
Currently, if the pp to CIL compiler comes across one of these in a pp
module, it just drops the block and outputs a warning. Fortunately,
these are very rare. In fact, this is the only place in refpolicy where
an optional else block is used, and it is not clear if it is even
needed. This patch is untested, and is more to spark discussions to see
if there are any thoughts about whether or not this piece of policy is
needed.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2015-01-12 08:44:39 -05:00
Chris PeBenito
960e6cd4e8
Update Changelog and VERSION for release.
2014-12-03 13:37:38 -05:00
Chris PeBenito
468185f5f7
Bump module versions for release.
2014-12-03 13:37:38 -05:00
Chris PeBenito
b86c6004d4
Module version bump for module store move from Steve Lawrence.
2014-12-03 13:37:02 -05:00
Steve Lawrence
418b3c78bb
Update policy for selinux userspace moving the policy store to /var/lib/selinux
...
With the new userspace, the only files in /var/lib/selinux are selinux
store related files, so label it and everything inside it as
semanage_store_t. semanage_var_lib_t is completely removed and now
aliases semanage_store_t for backwards compatibility. This differs from
the v2 patch in that it adds back the ability to manage
selinux_config_t, which is necessary to manage the old module store for
things like migrating from the old to new store and backwards
compatability.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-12-03 13:36:31 -05:00
Chris PeBenito
3e3a966eea
Update contrib.
2014-12-03 08:04:56 -05:00
Chris PeBenito
0735f2ca4a
Module version bump for misc fixes from Sven Vermeulen.
2014-12-02 10:29:59 -05:00
Nicolas Iooss
ad2d828797
Create tmp directory when compiling a .mod.fc file in a modular way
...
When compiling modules using support/Makefile.devel (which is installed
in /usr/share/selinux/*/include/Makefile) with "make -j9", the build
fails because tmp/ does not exist.
Add the missing command to create tmp/ when running tmp/%.mod.fc target.
Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=530178
2014-12-02 09:26:54 -05:00
Sven Vermeulen
1edfad8247
Add /var/lib/racoon as runtime directory for ipsec
2014-12-02 09:16:06 -05:00
Sven Vermeulen
25b232f49a
Add gfisk and efibootmgr as fsadm_exec_t
2014-12-02 09:16:05 -05:00
Sven Vermeulen
363daeed61
Add in LightDM contexts
2014-12-02 09:16:05 -05:00
Sven Vermeulen
84fa2ab1f2
Mark f2fs as a SELinux capable file system
...
Since Linux kernel 3.11, F2FS supports XATTR and the security namespace.
See commit
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8ae8f1627f39bae505b90cade50cd8a911b8bda6
2014-12-02 09:16:05 -05:00
Sven Vermeulen
29292968fe
xfce4-notifyd is an executable
2014-12-02 09:16:05 -05:00
Sven Vermeulen
2b642954a6
New sudo manages timestamp directory in /var/run/sudo
...
Allow sudo (1.8.9_p5 and higher) to handle /var/run/sudo/ts if it does
not exist (given the tmpfs nature of /var/run). This is done when sudo
is run in the user prefixed domain, and requires both the chown
capability as well as the proper file transition when /var/run/sudo is
created.
2014-12-02 09:16:05 -05:00
Sven Vermeulen
f0ebf14176
Add auth_pid_filetrans_pam_var_run
2014-12-02 09:16:05 -05:00
Sven Vermeulen
fbdf5f0ef8
Run grub(2)-mkconfig in bootloader domain
...
In order to write the grub configuration and perform the preliminary
checks, the grub-mkconfig command should run in the bootloader_t domain.
As such, update the file context definition to be bootloader_exec_t.
2014-12-02 09:16:05 -05:00
Chris PeBenito
f428babc50
Update contrib.
2014-12-02 09:00:54 -05:00
Nicolas Iooss
0692cd24b5
Update Python requirement in INSTALL
...
PyXML has not been required to build the policy and its documentation
since at least Python 2.6, which comes with an "xml" module.
Moreover, some support scripts requires Python 2.6 or above (and are
compatible with Python 3.4, maybe also with other versions of Python 3).
Add the minimum supported version of Python in INSTALL.
ML thread: http://oss.tresys.com/pipermail/refpolicy/2014-November/007440.html
2014-11-11 08:42:12 -05:00
Chris PeBenito
ce0d545b2e
Merge pull request #5 from bigon/audit_read
...
Add new audit_read access vector in capability2 class
2014-11-10 07:57:10 -05:00
Laurent Bigonville
cbb1f36ef5
Add new audit_read access vector in capability2 class
...
This AV has been added in 3.16 in commit
3a101b8de0d39403b2c7e5c23fd0b005668acf48
2014-11-09 11:11:15 +01:00
Chris PeBenito
8a3a8c7e1b
Module version bump for /sbin/iw support from Nicolas Iooss.
2014-10-23 08:51:53 -04:00
Chris PeBenito
0820cfe75d
Add comment for iw generic netlink socket usage
2014-10-23 08:50:18 -04:00
Nicolas Iooss
5fb1249f37
Use create_netlink_socket_perms when allowing netlink socket creation
...
create_netlink_socket_perms is defined as:
{ create_socket_perms nlmsg_read nlmsg_write }
This means that it is redundant to allow create_socket_perms and
nlmsg_read/nlmsg_write.
Clean up things without allowing anything new.
2014-10-23 08:07:44 -04:00
Nicolas Iooss
d6af57e5e7
Allow iw to create generic netlink sockets
...
iw uses generic netlink socket to configure WiFi properties. For
example, "strace iw dev wlan0 set power_save on" outputs:
socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0
bind(3, {sa_family=AF_NETLINK, pid=7836, groups=00000000}, 12) = 0
Some AVC denials are reported in audit.log:
type=AVC msg=audit(1408829044.820:486): avc: denied { create } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:487): avc: denied { setopt } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:488): avc: denied { bind } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:489): avc: denied { getattr }
for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:490): avc: denied { write } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
Allowing ifconfig_t to create generic netlink sockets fixes this.
(On a side note, the AVC denials were caused by TLP, a tool which
applies "laptop configuration" when switching between AC and battery
with the help of a udev script)
2014-10-23 08:07:44 -04:00
Nicolas Iooss
f91e07baa9
Label /sbin/iw as ifconfig_exec_t
...
iw manpage says "iw - show / manipulate wireless devices and their
configuration". Label this command ifconfig_exec_t to allow it to
manage wireless communication devices.
Debian installs iw in /sbin/iw, Fedora in /usr/sbin/iw and Arch Linux in
/usr/bin/iw (with /usr/sbin being a symlink to /usr/bin).
2014-10-23 08:07:44 -04:00
Chris PeBenito
6a24d9dba0
Module version bump for Debian arping fc entries from Laurent Bigonville.
2014-10-06 09:50:58 -04:00
Chris PeBenito
da451633ef
Merge pull request #4 from fishilico/minor-typo
...
Fix minor typo in init.if
2014-10-06 09:07:43 -04:00
Chris PeBenito
58b700e214
Merge pull request #3 from bigon/arping
...
Add arping paths for debian
2014-10-06 09:07:25 -04:00
Nicolas Iooss
836a282439
Fix minor typo in init.if
2014-10-04 10:53:50 +02:00
Laurent Bigonville
740a1746bf
Debian also ship a different arping implementation
...
In addition to the iputils arping implementation, Debian also ships an
other implementation which is installed under /usr/sbin/arping
2014-10-03 14:35:58 +02:00
Laurent Bigonville
a9594fc684
On Debian iputils-arping is installed in /usr/bin/arping
2014-10-03 14:29:05 +02:00
Chris PeBenito
6624f9cf7a
Drop RHEL4 and RHEL5 support.
2014-09-24 13:10:37 -04:00
Chris PeBenito
35860e6459
Module version bump for CIL fixes from Yuli Khodorkovskiy.
2014-09-17 14:00:08 -04:00