Since the window managers are not limited by gnome-shell, the
userdomain module is modified by this patch in order to use
separate optional conditionals for the gnome and wm role templates.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
This is a patch that I have created and tested to support Apache
OpenOffice with its own module (base policy part, 1/2).
The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.
Since the second version it includes revisions from Dominick Grift.
Since the third version it should correctly manage files in home
directories and allow some other major functionality.
The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).
The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.
The sixth version of this patch removes obsolete executable
permission from the unconfined module.
The seventh, eighth and nineth versions brings no changes in the base
part of the patch.
All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
This permission is currently granted in an ifdef(systemd) block, but
it's also required on non-systemd systems if signed kernel modules are
being used.
- add systemd service macro sets
- add some documentation
- add some recursion to some macro sets (ipv perm, object class sets)
- deprecate domain_trans and domain_auto_trans
- remove unpriv_socket_class_set
Let unprivileged users list filesystems mounted on mount points such
as /mnt (cdrom, FAT, NTFS and so on).
This makes a great difference to the usability and effectiveness of
graphical filesystem browsers such as Gnome Nautilus and currently
comes at no security penalty because mounted filesystems can be
listed with programs such as the "df" program from GNU coreutils or
by simply reading /proc/mounts.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Let unprivileged and administrative users read symbolic links on
filesystems that do not support extended attributes (xattr) such
as cdroms, FAT, NTFS and so on.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
On Tuesday, 2 August 2016 7:59:28 PM AEDT Chris PeBenito wrote:
> On 07/31/16 08:34, Russell Coker wrote:
> > The following patch deals with a single binary for modutils, so depmod_t,
> > and insmod_t are merged.
>
> Since the main SELinux distros (including RHEL/CentOS 7) all have merged
> modutils these days, I'm open to taking a patch that fully merges these
> domains (in which case renaming to kmod_t, with proper aliasing seems
> the best idea).
>
> However, it's been some time since I used a busybox-based system; does
> busybox still have separated tools? Yes, this is a bit of an obvious
> question since busybox is also single-binary, but IIRC, the embedded
> guys made some tiny helper scripts or executables so proper
> transitioning could occur. Separate domains may still make sense.
As we have had no response from Busybox users in the last 3 months and also no
response to the thread Luis started in 2013 I think it's safe to assume that
they don't need this.
I've attached a new patch which renames to kmod_t as you suggested. Please
consider it for inclusion.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
Description: Change modutils policy to match the use of a single binary
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2014-06-25
commit a7334eb0de98af11ec38b6263536fa01bc2a606c
libsemanage: validate and compile file contexts before installing
validates the fcontexts when they are still in /var/lib/selinux. Without
setfiles_t having access to read the files, validation fails and the
policy cannot be updated.
Introduce a new file context for user certificates (user_cert_t)
located in home directories.
Introduce new auxiliary interfaces to read and manage such files
files and directories.
Thanks to Christopher PeBenito for the useful suggestions that
led to this improved version of the patch.
Compared to the previous version, this patch adds the ability to
search the user home directories in the new interfaces.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Improve the existing user domain template policy:
- better support for the "user_rw_noexattrfile" boolean (enable
write operations on filesystems that do not support extended
attributes, such as FAT or cdrom filesystem);
- add support for a new "user_exec_noexattrfile" boolean to
control the execution of files from filesystems that do not
support extended attributes (potentially dangerous);
- add support for a new "user_write_removable" boolean which
enables write operations on removable devices (such as
external removable USB memory, USB mobile phones, etc).
Note that devices might be removable but support extended
attributes (Linux xattr filesystems on external USB mass storage
devices), so two separate booleans are needed for optimal
configuration flexibility.
Writing to removable mass storage devices is a major cause of
leakage of confidential information, so the new boolean defaults
to false.
Disable raw access for MLS policies (thanks to Christoper
PeBenito for suggesting this).
This new version of the patch correctly includes the definitions
of the new booleans (by including the .te file differences).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Update the lvm module to add a permission needed by cryptsetup.
At the moment the SELinux kernel code is not able yet to distinguish
the sockets in the AF_ALG namespace that are used for interfacing to
the kernel Crypto API.
In the future the SELinux kernel code will be updated to distinguish
the new socket class and so this permission will change its class
from the generic "socket" to the new socket (e.g. "alg_socket").
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
cards need to load their firmware) and it should not audit attempts
to load kernel modules directly.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
the dhcp client (another separate patch makes changes to the
ifconfig part).
Create auxiliary interfaces in the ntp module.
The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.
Include revisions from Chris PeBenito.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
domains (e.g. gnome session).
Thanks to Jason Zaman for pointing out the correct interface to
achieve this.
This new version fixes a typographic error in the previous version.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
The following has been in my tree for a few years. It allows initrc_t to stat
devices early in the boot process.
>From ad46ce856a1a780cf6c3a0bb741794019e03edc2 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@gmail.com>
Date: Sat, 9 Nov 2013 10:45:09 +0100
Subject: [PATCH] init: startpar (initrc_t) gets attributes of /dev/dm-0
(device_t) early on boot, soon later the node context is properly reset
(debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
The Portable Hardware Locality (hwloc) software package provides a
portable abstraction (across OS, versions, architectures, ...) of the
hierarchical topology of modern architectures, including NUMA memory
nodes, sockets, shared caches, cores and simultaneous multithreading. It
also gathers various system attributes such as cache and memory
information as well as the locality of I/O devices such as network
interfaces, InfiniBand HCAs or GPUs.
Following changes enable:
- add interface to change dirs in /var/run
- add optional policies for hwloc-dump-hwdata
V3:
Remove files_rw_pid_dirs()
Call hwloc_admin(sysadm_t) instead of hwloc_manage_runtime(sysadm_t)
Adjust calls to renamed hwloc dhwd run and exec interfaces
Signed-off-by: Dominick Grift <dac.override@gmail.com>
When ifdef systemd is enabled, some interfaces from systemd are called
unconditionally. This makes migrating from non-systemd to systemd
complicated since init is part of base and systemd is not so loading
fails. Moving them into optional_policy fixes this.
It's required for agetty on kernels with a recent grsecurity patchset.
(The denial itself has been showing up for quite some time, but it
hasn't had any obvious ill effects until recently.)
At early boot, I get the following messages in dmesg:
audit: type=1400 audit(1452851002.184:3): avc: denied { audit_read } for pid=1 comm="systemd" capability=37 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1
systemd[1]: Listening on Journal Audit Socket.
systemd creates a new network namespace for services which are using
PrivateNetwork=yes.
In the implementation, systemd uses a socketpair as a storage buffer for
the namespace reference file descriptor (c.f.
https://github.com/systemd/systemd/blob/v228/src/core/namespace.c#L660).
One end of this socketpair is locked (hence the need of "lock" access to
self:unix_dgram_socket for init_t) while systemd opens
/proc/self/ns/net, which lives in nsfs.
While at it, add filesystem_type attribute to nsfs_t.
Chris PeBenito
Guido Trentalancia
Luis Ressel
cgzones
Guido Trentalancia via refpolicy
Russell Coker
Naftuli Tzvi Kay
Lukas Vrabec
Chris PeBenito
Jason Zaman
Laurent Bigonville
Dominick Grift
qqo
Nicolas Iooss