RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
5,788 Commits 3 Branches 49 Tags 19 MiB
Commit Graph

5788 Commits

Author SHA1 Message Date
Kenton Groombridge 4e15f5dfe4
apache: add interface for list dir perms on httpd content 
This is needed by some webservers such as nginx when autoindexing is
enabled.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-01-27 15:41:16 -05:00
Chris PeBenito c521270688 memlockd: Fix lint issue. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-25 10:29:42 -05:00
Chris PeBenito 87ffc9472a various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-25 09:48:59 -05:00
Chris PeBenito 9f98b92ee5 memlockd: Whitespace fixes. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-25 09:46:20 -05:00
Chris PeBenito 157b7edcbb memlockd: Move lines. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-25 09:46:04 -05:00
Russell Coker 88c8189207 latest memlockd patch 
Includes the ifndef(`distro_debian' section that was requested.  Should be
ready for merging now.

Signed-off-by: Russell Coker <russell@coker.com.au>
 2021-01-25 09:39:26 -05:00
Russell Coker da9b6306ea more Chrome stuff 
Patches for some more Chrome stuff

Signed-off-by: Russell Coker <russell@coker.com.au>
 2021-01-25 09:36:56 -05:00
Russell Coker eef53e3ddc remove deprecated from 20190201 
This patch removes every macro and interface that was deprecated in 20190201.

Some of them date back to 2016 or 2017.  I chose 20190201 as that is the one
that is in the previous release of Debian.  For any distribution I don't
think it makes sense to carry interfaces that were deprecated in version N
to version N+1.

One thing that particularly annoys me is when audit2allow -R gives deprecated
interfaces in it's output.  Removing some of these should reduce the
incidence of that.

I believe this is worthy of merging.

Signed-off-by: Russell Coker <russell@coker.com.au>
 2021-01-25 08:59:34 -05:00
Chris PeBenito 221813c947 various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-25 08:27:35 -05:00
Chris PeBenito cb93093f4e Merge pull request #335 from pebenito/drop-dead-modules 2021-01-25 08:22:09 -05:00
Chris PeBenito ea6002ddf9 devices, virt: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-19 10:08:02 -05:00
Chris PeBenito 6c2432c8bc Merge pull request #333 from 0xC0ncord/feature/virt_evdev_tunable 2021-01-19 10:07:29 -05:00
Chris PeBenito 0179413fa3 certbot: Fix lint issues. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-19 10:01:27 -05:00
Chris PeBenito 0f6c861dfb various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-19 09:51:56 -05:00
Chris PeBenito 81b20d6b08 userdomain: Move lines. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-19 09:24:14 -05:00
Russell Coker c42c407bdc yet more strict patches fixed 
More little strict patches, much of which are needed for KDE.

With the lines that Chris didn't like removed.

Signed-off-by: Russell Coker <russell@coker.com.au>
 2021-01-19 09:14:16 -05:00
Chris PeBenito a686e854af miscfiles: Rename miscfiles_manage_generic_tls_privkey_lnk_files. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-19 09:02:13 -05:00
Chris PeBenito 0f02829c61 certbot: Reorder fc lines. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-19 09:01:57 -05:00
Chris PeBenito fb95355f98 certbot: Drop aliases since they have never had the old names in refpolicy. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-19 09:01:40 -05:00
Chris PeBenito 3927e3ca50 certbot: Whitespace changes. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-19 09:01:09 -05:00
Russell Coker 08d32dbc2d latest iteration of certbot policy as patch 
Same .te as sent a few days ago, but as a patch and with the other
files needed.  I think this is ready for inclusion.

Signed-off-by: Russell Coker <russell@coker.com.au>
 2021-01-19 08:49:30 -05:00
Chris PeBenito 437e0c4b97 chromium: Move naclhelper lines. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-19 08:39:53 -05:00
Chris PeBenito 34a8c10cb9 chromium: Whitespace changes. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-19 08:39:45 -05:00
Russell Coker 31a2b463f7 base chrome/chromium patch fixed 
This patch is the one I described as "another chromium patch" on the 10th of
April last year, but with the issues addressed, and the
chromium_t:file manage_file_perms removed as requested.

I believe it's ready for inclusion.

Signed-off-by: Russell Coker <russell@coker.com.au>
 2021-01-19 08:39:40 -05:00
Kenton Groombridge fb377e0953
virt: add boolean to allow evdev passthrough 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-01-14 18:22:14 -05:00
Chris PeBenito 7b15003eae Remove modules for programs that are deprecated or no longer supported. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-14 17:14:30 -05:00
Chris PeBenito bf0f6121f5
Merge pull request #334 from dburgener/comment-typo 
Fix typo in comment
 2021-01-14 16:12:20 -05:00
Daniel Burgener 93f5fe30f3 Fix typo in comment 
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
 2021-01-14 15:07:34 -05:00
Chris PeBenito bb471c3f1c various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-13 15:20:47 -05:00
Chris PeBenito d0c10f902b Merge pull request #331 from pebenito/udev-updates 2021-01-13 15:19:55 -05:00
Chris PeBenito df5227d6d7 devicekit: Udisks uses udevadm, it does not exec udev. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-13 15:12:18 -05:00
Chris PeBenito ac51d56ddc udev: Systemd 246 merged udev and udevadm executables. 
Drop init_system_domain() for udevadm to break type transition conflicts.
Also fix interface naming issues for udevadm interfaces.

Fixes #292

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-13 15:12:18 -05:00
Chris PeBenito 6c69f6e3de udev: Drop udev_tbl_t. 
This usage under /dev/.udev has been unused for a very long time and
replaced by functionality in /run/udev.  Since these have separate types,
take this opportunity to revoke these likely unnecessary rules.

Fixes #221

Derived from Laurent Bigonville's work in #230

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-13 15:12:11 -05:00
Chris PeBenito 8c756108db corosync, pacemaker: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-13 14:46:10 -05:00
Chris PeBenito d669ed18df Merge pull request #332 from dschadlich/master 2021-01-13 14:44:53 -05:00
Kenton Groombridge 03713214e2
devices: add interface for IOCTL on input devices 
Signed-off-by: Kenton Groombridge <me@concord.sh>
 2021-01-13 10:04:53 -05:00
Richard Haines 037ac427f8 Ensure correct monolithic binary policy is loaded 
When building a monolithic policy with 'make load', the
selinux_config(5) file 'SELINUXTYPE' entry determines what policy
is loaded as load_policy(8) does not take a path value (it always loads
the active system policy as defined by /etc/selinux/config).

Currently it is possible to load the wrong binary policy, for example if
the Reference Policy source is located at:
/etc/selinux/refpolicy
and the /etc/selinux/config file has the following entry:
SELINUXTYPE=targeted
Then the /etc/selinux/targeted/policy/policy.<ver> is loaded when
'make load' is executed.
Resolve this by using selinux_binary_policy_path(3) to determine the
current configured policy name and its location.

Another example is that if the Reference Policy source is located at:
/tmp/custom-rootfs/etc/selinux/refpolicy
and the /etc/selinux/config file has the following entry:
SELINUXTYPE=refpolicy
Then the /etc/selinux/refpolicy/policy/policy.<ver> is loaded when
'make DESTDIR=/tmp/custom-rootfs load' is executed (not the
/tmp/custom-rootfs/etc/selinux/refpolicy/policy/policy.<ver> that the
developer thought would be loaded).
Resolve this by checking if DESTDIR has been set.

Remove the '@touch $(tmpdir)/load' line as the file is never referenced.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
 2021-01-13 09:54:48 -05:00
David Schadlich 9fd6bcbcf5 add policy for pcs_snmp_agent 
create corosync_read_state interface, used by pcs_snmp_agent policy

update file context list for corosync to include corosync-cmapctl, this allows pcs_snmp_agent to domtrans when calling it

denial for execmem
type=AVC msg=audit(1610036202.427:3772): avc:  denied  { execmem } for  pid=10875 comm="ruby" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:pcs_snmp_agent_t:s0 tclass=process permissive=1

create contexts for pcs_snmp_agent_t and allow it some self permissions

allow pcs_snmp_agent_t to create allows and transision context of those logs

allow pcs_snmp_agent_t to read kernel sysctls

allow pcs_snmp_agent_t to exec bin_t

allow pcs_snmp_agent_t to access pacemaker's cluster information base (cib)
type=AVC msg=audit(1610037438.918:4524): avc:  denied  { read write } for  pid=14866 comm="cibadmin" name="qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037438.918:4524): avc:  denied  { open } for  pid=14866 comm="cibadmin" path="/dev/shm/qb-3925-14866-13-FPiaad/qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1610037438.918:4524): arch=c000003e syscall=2 success=yes exit=5 a0=7ffe28cb09e0 a1=2 a2=180 a3=7ffe28cb02a0 items=1 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null)
type=AVC msg=audit(1610037438.919:4525): avc:  denied  { map } for  pid=14866 comm="cibadmin" path="/dev/shm/qb-3925-14866-13-FPiaad/qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1610037438.919:4525): arch=c000003e syscall=9 success=yes exit=140505675866112 a0=0 a1=203c a2=3 a3=1 items=0 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null)
type=AVC msg=audit(1610037438.906:4523): avc:  denied  { connectto } for  pid=14866 comm="cibadmin" path=006369625F72770000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=unix_stream_socket permissive=1
type=SYSCALL msg=audit(1610037438.906:4523): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffe28cb2a40 a2=6e a3=7ffe28cb2460 items=0 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null)

allow pcs_snmp_agent_t to read files with usr_t context
type=AVC msg=audit(1610037437.737:4513): avc:  denied  { getattr } for  pid=14857 comm="ruby" path="/usr/share/ruby/json.rb" dev="dm-0" ino=78097 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1610037439.029:4532): avc:  denied  { read } for  pid=14869 comm="crm_mon" name="pacemaker" dev="dm-0" ino=78392 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610037561.019:4615): avc:  denied  { read } for  pid=15257 comm="ruby" name="rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037561.019:4615): avc:  denied  { open } for  pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037561.019:4616): avc:  denied  { getattr } for  pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037561.020:4617): avc:  denied  { ioctl } for  pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 ioctlcmd=5401 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to to get cgroup information
type=AVC msg=audit(1610036387.957:3864): avc:  denied  { getattr } for  pid=11499 comm="systemctl" path="/sys/fs/cgroup/systemd/system.slice/pacemaker.service/cgroup.procs" dev="cgroup" ino=31992 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610036480.913:3921): avc:  denied  { read } for  pid=11807 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610036665.036:4019): avc:  denied  { read } for  pid=12401 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610036788.922:4099): avc:  denied  { read } for  pid=12798 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610036944.042:4202): avc:  denied  { read } for  pid=13302 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610036977.714:4223): avc:  denied  { read } for  pid=13416 comm="systemctl" name="cgroup.procs" dev="cgroup" ino=30811 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610036977.714:4223): avc:  denied  { open } for  pid=13416 comm="systemctl" path="/sys/fs/cgroup/systemd/system.slice/corosync.service/cgroup.procs" dev="cgroup" ino=30811 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to read nsswitch
type=AVC msg=audit(1610037562.211:4626): avc:  denied  { open } for  pid=15266 comm="cibadmin" path="/etc/nsswitch.conf" dev="dm-0" ino=40445 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037562.212:4627): avc:  denied  { getattr } for  pid=15266 comm="cibadmin" path="/etc/nsswitch.conf" dev="dm-0" ino=40445 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to read zoneinfo
type=AVC msg=audit(1610035641.390:3398): avc:  denied  { search } for  pid=3838 comm="pcs_snmp_agent" name="zoneinfo" dev="dm-0" ino=69241 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610035767.532:3480): avc:  denied  { getattr } for  pid=3838 comm="pcs_snmp_agent" path="/usr/share/zoneinfo/GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610035767.664:3481): avc:  denied  { read } for  pid=9488 comm="ruby" name="GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610035767.664:3481): avc:  denied  { open } for  pid=9488 comm="ruby" path="/usr/share/zoneinfo/GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to read certificates
type=AVC msg=audit(1610037375.994:4485): avc:  denied  { getattr } for  pid=14660 comm="ruby" path="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037499.874:4565): avc:  denied  { read } for  pid=15055 comm="ruby" name="cert.pem" dev="dm-0" ino=38537 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1610037529.975:4584): avc:  denied  { read } for  pid=15144 comm="ruby" name="tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037529.975:4584): avc:  denied  { open } for  pid=15144 comm="ruby" path="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t get service status

type=USER_AVC msg=audit(1610034251.683:2349): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/pacemaker.service" cmdline="systemctl status pacemaker.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0
tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1610034251.773:2363): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 cmdline="systemctl is-enabled pacemaker.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=s
ystem  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1610034252.626:2367): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 cmdline="systemctl status pacemaker_remote.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclas
s=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

type=AVC msg=audit(1610034251.757:2361): avc:  denied  { getattr } for  pid=4342 comm="systemctl" path="/etc/systemd/system" dev="dm-0" ino=38595 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1

allow pcs_snmp_agent_t to search init_t dirs
type=AVC msg=audit(1610037317.490:4460): avc:  denied  { search } for  pid=14489 comm="systemctl" name="1" dev="proc" ino=9242 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1

allow pcs_snmp_agent_t to connecto to systemd unix socket
type=AVC msg=audit(1610037533.196:4600): avc:  denied  { connectto } for  pid=15174 comm="systemctl" path="/run/systemd/private" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1

allow pcs_snmp_agent_t to run corosync in corosync_t domain
type=AVC msg=audit(1610037437.793:4515): avc:  denied  { execute } for  pid=14859 comm="ruby" name="corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037437.793:4515): avc:  denied  { read open } for  pid=14859 comm="ruby" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037437.793:4515): avc:  denied  { execute_no_trans } for  pid=14859 comm="ruby" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037437.793:4515): avc:  denied  { map } for  pid=14859 comm="corosync" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610034246.149:2265): avc:  denied  { execute } for  pid=4258 comm="ruby" name="corosync-cmapctl" dev="dm-0" ino=57635 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to read corosync state
type=AVC msg=audit(1610037503.610:4570): avc:  denied  { open } for  pid=15101 comm="systemctl" path="/proc/3874/comm" dev="proc" ino=26243 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:corosync_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037503.611:4571): avc:  denied  { getattr } for  pid=15101 comm="systemctl" path="/proc/3874/comm" dev="proc" ino=26243 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:corosync_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to exec hostname
type=AVC msg=audit(1610037469.569:4545): avc:  denied  { execute } for  pid=14951 comm="ruby" name="hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037469.569:4545): avc:  denied  { read open } for  pid=14951 comm="ruby" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037469.569:4545): avc:  denied  { execute_no_trans } for  pid=14951 comm="ruby" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037469.569:4545): avc:  denied  { map } for  pid=14951 comm="hostname" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to connecto to snmp socket
type=AVC msg=audit(1610034242.897:2197): avc:  denied  { write } for  pid=3838 comm="pcs_snmp_agent" name="master" dev="tmpfs" ino=30868 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1610034242.897:2197): avc:  denied  { connectto } for  pid=3838 comm="pcs_snmp_agent" path="/var/agentx/master" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket permissive=1

allow pcs_snmp_agent_t to read systemd journal files
type=AVC msg=audit(1610037472.176:4552): avc:  denied  { map } for  pid=14980 comm="systemctl" path="/var/log/journal/c7aa97546e1f4d3783a3aeffeeb749e3/system.journal" dev="tmpfs" ino=146184 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037533.220:4602): avc:  denied  { read } for  pid=15174 comm="systemctl" name="/" dev="tmpfs" ino=10069 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610037533.220:4602): avc:  denied  { open } for  pid=15174 comm="systemctl" path="/var/log/journal" dev="tmpfs" ino=10069 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1

Signed-off-by: David Schadlich <dschadlich@owlcyberdefense.com>
 2021-01-12 10:30:32 -05:00
Chris PeBenito 26ed37c991 Makefile: Add -E to setfiles labeling targets. 
This will cause setfiles to error if there are conflicting labeling
specifications for files due to hardlinks.

closes #218

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-06 13:53:46 -05:00
Chris PeBenito 010692dda2
Merge pull request #326 from dburgener/no-self 
Use self keyword when an AV rule source type matches destination
 2021-01-04 09:14:46 -05:00
Chris PeBenito 8a1bc98a31 authlogin, init, systemd: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-17 09:23:18 -05:00
Chris PeBenito a63c24c6b7 Merge pull request #269 from bauen1/systemd-userdb 2020-12-17 09:22:55 -05:00
Chris PeBenito 2a660fb6f6
Merge pull request #325 from pdmorrow/selinux_getbools 
selinux: add selinux_get_all_booleans() interface
 2020-12-15 11:10:12 -05:00
Daniel Burgener 37cc0aae1d Use self keyword when an AV rule source type matches destination 
This is reported in a new SELint check in soon to be released selint version 1.2.0

Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
 2020-12-15 10:29:52 -05:00
Peter Morrow b3bfd10ccd selinux: add selinux_get_all_booleans() interface 
Allow the caller to read the state of selinuxfs booleans.

Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>
 2020-12-15 15:19:30 +00:00
Chris PeBenito cef667fa31 systemd: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-15 09:40:48 -05:00
Chris PeBenito 2c2d27ce70 Merge pull request #324 from dburgener/dburgener/systemd-watch 2020-12-15 09:33:50 -05:00
Daniel Burgener b3204ea4c1 Allow systemd-ask-password to watch files 
On systems that use plymouth, systemd-ask-password may set watches on
the contents on /run/systemd/ask-password, whereas other scenarions only
set watch on the parent directory.

Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
 2020-12-11 19:47:13 +00:00
Chris PeBenito c8c418267d systemd: Add systemd-tty-ask watch for /run/systemd/ask-password. 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2020-12-11 19:45:54 +00:00
Chris PeBenito 87c4adc790 kernel, modutils, userdomain, xserver: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-08 15:13:57 -05:00