Policy needed for systemd-networkd to function. This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch). He was too busy to update and I needed to get it working.
I am pretty sure I updated everything mentioned in previous feedback, please comment if something is still off and I will revise.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
python3.6 will error out with the message "invalid escape sequence"
in genhomedircon.py. This patch fixes these errors by turning the string
into a raw string.
type=AVC msg=audit(1504637347.487:280): avc: denied { map } for pid=857 comm="xenconsoled" path="/dev/xen/privcmd" dev="devtmpfs" ino=16289 scontext=system_u:system_r:xenconsoled_t:s0
Without this we can't use xenconsole (client) to
talk to xenconsoled (server).
Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
libxenstored since git commit 9c89dc95201ffed5fead17b35754bf9440fdbdc0
prefers to use "/dev/xen/xenbus" over the "/proc/xen/xenbus".
Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
Avoid memory leakages in the fc_sort executable (now passes
all valgrind AND Clang static analyzer tests fine).
Some NULL pointer checks with or without associated error
reporting.
Some white space and comment formatting fixes.
Optimization: avoid unnecessary operations (unnecessary
memory allocation/deallocation and list copying).
Reverts 7821eb6f37 as such a
trick is no longer needed, given that all memory leakages
have now been fixed.
This is the sixth version of this patch. Please do not use
the first version as it introduces a serious bug.
For reference, the original issue reported by the Clang
static analyzer is as follows:
support/fc_sort.c:494:6: warning: Potential leak of memory
pointed to by 'head'
malloc(sizeof(file_context_bucket_t));
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Acked-by: William Roberts <william.c.roberts@intel.com>
Update patch to remove init_inherit_rlimit interface and always grant this access for init_t domain (systemd or otherwise). I hope ordering of the new rules is correct.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Label some shell scripts from bridge-utils correctly. Maybe have ifdef
distro_debian around this, not sure what upstream is doing.
systemd_nspawn_t needs to manage the /etc/localtime symlink if you have a
labeled chroot.
Another dontaudit for mon_local_test_t to stop it spamming the logs.
Support a .d directory for dnsmasq config files.
Do not audit ioctl operation attempts whenever write
operations on the xserver log should not be audited.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Create new interface init_rlimit_inherit to allow a process started by init to inherit resource limits. systemd allows for setting of resource limits [1] but the default from SELinux is to not allow the inheritance of those limits as a service is started. This interface allows that resource limit inheritance.
The systemd .service options are LimitCPU=, LimitFSIZE=, LimitDATA=, LimitSTACK=, LimitCORE=, LimitRSS=, LimitNOFILE=, LimitAS=, LimitNPROC=, LimitMEMLOCK=, LimitLOCKS=, LimitSIGPENDING=, LimitMSGQUEUE=, LimitNICE=, LimitRTPRIO=, LimitRTTIME=
[1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Alter interface init_startstop_service to also allow for the status permission. systemctl start <foo> and systemctl stop <foo> work correctly. But systemctl restart <foo> will fail as restart uses status to determine the action to take.
This interface is used by many other modules (like iptables, logging, apache, cron, etc... - see 'admin' interface). This allows restart to work for all these services.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
We have a use case on a system where we have a systemd .service unit file that is using the SELinuxContext= [1] option to specify a context for the service being started. The same .service file (/lib/systemd/system/foo@.service) is used to start multiple instances of the same executable that are customized with a different drop-in .conf file for each. The context is customized in the /lib/systemd/system/foo@.service file (based on using SELinuxContext=system_u:system_r:foo_%i_t:s0) [2].
We then create /etc/systemd/system/foo@bar.service.d/bar.conf so the final running process is in the domain foo_bar_t.
We have created the following interface (in init.if) to meet our needs. The interface is very much like init_daemon_domain except for the use of spec_domtrans_pattern rather than domtrans_pattern because the automatic transition doesn't work in this case.
[1] The SELinuxContext option for systemd is explained at https://www.freedesktop.org/software/systemd/man/systemd.exec.html
[2] The systemd %i (and other specifiers) along with drop-in files are explained at https://www.freedesktop.org/software/systemd/man/systemd.unit.html
Signed-off-by: Dave Sugar <dsugar@tresys.com>
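The pattern this message describes, as an added illustration rather than the patch's own code: a hypothetical refpolicy interface, here named init_spec_daemon_domain_example, modeled on init_daemon_domain but using spec_domtrans_pattern, followed by a module calling it for the foo@bar instance from the message. The interface name, the module name and the foo_bar_t/foo_exec_t types are assumptions.

```m4
########################################
## <summary>
##	Create a daemon domain that init enters only through an explicit
##	SELinuxContext= in the unit file (hypothetical interface, modeled
##	on init_daemon_domain rather than copied from refpolicy).
## </summary>
## <param name="domain">
##	<summary>Type to be used as the daemon domain.</summary>
## </param>
## <param name="entry_point">
##	<summary>Type of the program used to enter the domain.</summary>
## </param>
#
interface(`init_spec_daemon_domain_example',`
	gen_require(`
		attribute daemon;
		type init_t;
		role system_r;
	')

	typeattribute $1 daemon;
	domain_type($1)
	domain_entry_file($1, $2)
	role system_r types $1;

	# domtrans_pattern would also add a type_transition rule, which
	# cannot pick a per-instance domain from one shared entry type.
	# spec_domtrans_pattern grants init_t only transition, execute
	# and entrypoint, so the domain is the one systemd requests via
	# setexeccon() from SELinuxContext= and nothing else.
	spec_domtrans_pattern(init_t, $2, $1)
')

# Hypothetical foo.te using the interface above. It pairs with
# /lib/systemd/system/foo@.service carrying
#   SELinuxContext=system_u:system_r:foo_%i_t:s0
# and the drop-in /etc/systemd/system/foo@bar.service.d/bar.conf,
# so the "bar" instance runs as foo_bar_t from the shared foo_exec_t.
policy_module(foo, 1.0.0)

type foo_bar_t;
type foo_exec_t;
init_spec_daemon_domain_example(foo_bar_t, foo_exec_t)
```

If the context named in SELinuxContext= has no matching allow rules from this interface, the exec fails with a transition denial rather than silently running the instance as init_t.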
Those mmap() calls are non-essential, though. They're issued by
fdopen(), which can also fall back to read().
Since there are few reasons to grant read access to audit logs other
than for using ausearch, I've added the dontaudits directly to the
relevant read interfaces.