Chris PeBenito
a2ec18d2a3
dbus, systemd: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-06 11:40:56 -04:00
Chris PeBenito
ba3818ebcc
dbus: Rename tunable to dbus_pass_tuntap_fd.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-06 11:40:02 -04:00
David Sommerseth
79c7859a48
dbus: Add tunable - dbus_can_pass_tuntap_fd
...
D-Bus services wanting to pass file descriptors for
tun/tap devices need to read/write privileges to /dev/tun.
Without this privilege the following denial will happen:
type=AVC msg=audit(1582227542.557:3045): avc: denied { read write } for pid=1741 comm="dbus-daemon" path="/dev/net/tun" dev="devtmpfs" ino=486 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0
This is needed by OpenVPN 3 Linux, where an unprivileged
process (openvpn3-service-client) requests a tun device
from a privileged service (openvpn3-service-netcfg) over
the D-Bus system bus.
GitHub-Issue: #190
Signed-off-by: David Sommerseth <davids@openvpn.net>
2020-04-02 22:40:00 +02:00
Chris PeBenito
b2f72e833b
Bump module versions for release.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-02-29 16:54:39 -05:00
Chris PeBenito
2400f6a74c
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-02-17 13:34:06 -05:00
Jason Zaman
adaea617cd
dbus: add watch perms
...
avc: denied { watch } for pid=10630 comm="dbus-daemon" path="/usr/share/dbus-1/accessibility-services" dev="zfs" ino=244551 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=10622 comm="dbus-daemon" path="/etc/dbus-1/session.d" dev="zfs" ino=262694 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
2020-02-17 13:25:59 -05:00
Chris PeBenito
3e91c2264f
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-01-17 10:50:13 -05:00
Chris PeBenito
e2ac94d08d
dbus: Add directory watches.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-01-16 15:53:36 -05:00
Chris PeBenito
7af9eb3e91
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-01-15 10:42:45 -05:00
Stephen Smalley
161bda392e
access_vectors: Remove unused permissions
...
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 13:41:50 -05:00
Chris PeBenito
45bd96f619
various: Module version bump.
2019-11-23 09:54:36 -05:00
Laurent Bigonville
805f2d9cd4
Allow the systemd dbus-daemon to talk to systemd
...
Recent versions of dbus are started as Type=notify
type=AVC msg=audit(03/10/19 15:32:40.347:64) : avc: denied { write } for pid=809 comm=dbus-daemon name=notify dev="tmpfs" ino=1751 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_runtime_t:s0 tclass=sock_file permissive=1
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-10-31 12:05:05 +01:00
Chris PeBenito
291f68a119
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:39:31 -04:00
Chris PeBenito
61ecff5c31
Remove old aliases.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito
d6c7154f1c
Reorder declarations based on *_runtime_t renaming.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito
69a403cd97
Rename *_var_run_t types to *_runtime_t.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito
8c3893e427
Bump module versions for release.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-06-09 14:05:19 -04:00
Chris PeBenito
e2e4094bd4
various: Module version bump
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-04-16 22:08:11 -04:00
Sugar, David
a49163250f
Add kernel_dgram_send() into logging_send_syslog_msg()
...
This patch is based on comments from previous a patch to
remove the many uses of kernel_dgram_send() and incorporate
it into logging_send_syslog_msg().
v2 - enclose in ifdef for redhat
v3 - rebase this patch on e41def136a
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-04-16 20:51:55 -04:00
Chris PeBenito
32f3f09dc4
authlogin, dbus, ntp: Module version bump.
2019-03-24 14:43:35 -04:00
Sugar, David
142651a8b4
Resolve denial about logging to journal from dbus
...
type=AVC msg=audit(1553013821.597:9897): avc: denied { sendto } for pid=7377 comm="dbus-daemon" path="/dev/log" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:37:22 -04:00
Chris PeBenito
445cbed7c7
Bump module versions for release.
2019-02-01 15:03:42 -05:00
Chris PeBenito
a7f2394902
various: Module version bump.
2019-01-20 16:45:55 -05:00
Nicolas Iooss
47b09d472e
dbus: allow using dynamic UID
...
When using a systemd service with dynamic UID, dbus-daemon reads
symlinks in /run/systemd/dynamic-uid/:
type=SYSCALL msg=audit(1547313774.993:373): arch=c000003e
syscall=257 success=yes exit=12 a0=ffffff9c a1=7f7ccdc6ec72 a2=90800
a3=0 items=0 ppid=1 pid=282 auid=4294967295 uid=81 gid=81 euid=81
suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295
comm="dbus-daemon" exe="/usr/bin/dbus-daemon"
subj=system_u:system_r:system_dbusd_t key=(null)
type=AVC msg=audit(1547313774.993:373): avc: denied { read } for
pid=282 comm="dbus-daemon" name="dynamic-uid" dev="tmpfs" ino=12688
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=1
type=SYSCALL msg=audit(1547313774.993:374): arch=c000003e
syscall=267 success=yes exit=7 a0=ffffff9c a1=7ffe25cf0800
a2=558ac0043b00 a3=1000 items=0 ppid=1 pid=282 auid=4294967295
uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81
tty=(none) ses=4294967295 comm="dbus-daemon"
exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t
key=(null)
type=AVC msg=audit(1547313774.993:374): avc: denied { read } for
pid=282 comm="dbus-daemon" name="direct:65306" dev="tmpfs" ino=12690
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
permissive=1
This directory looks like this, on Arch Linux with systemd 240:
# ls -alZ /run/systemd/dynamic-uid
drwxr-xr-x. 2 root root system_u:object_r:init_var_run_t 100 2019-01-12 15:53 ./
drwxr-xr-x. 17 root root system_u:object_r:init_var_run_t 420 2019-01-12 15:53 ../
-rw-------. 1 root root system_u:object_r:init_var_run_t 8 2019-01-12 15:53 65306
lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 7 2019-01-12 15:53 direct:65306 -> haveged
lrwxrwxrwx. 1 root root system_u:object_r:init_var_run_t 5 2019-01-12 15:53 direct:haveged -> 65306
2019-01-16 22:13:57 +01:00
Chris PeBenito
e8ba31557d
various: Module version bump.
2019-01-06 14:11:08 -05:00
Chris PeBenito
d6b46686cd
many: Module version bumps for changes from Russell Coker.
2019-01-05 14:33:50 -05:00
Chris PeBenito
e5ac999aab
dbus, xserver, init, logging, modutils: Module version bump.
2018-12-11 17:59:31 -05:00
David Sugar
55c3fab804
Allow dbus to access /proc/sys/crypto/fips_enabled
...
type=AVC msg=audit(1543769401.029:153): avc: denied { search } for
pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { read } for
pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { open } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { search } for
pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { read } for
pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { open } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:365): avc: denied { getattr } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
Chris PeBenito
65e8f758ca
Bump module versions for release.
2018-07-01 11:02:33 -04:00
Chris PeBenito
3ab07a0e1e
Move all files out of the old contrib directory.
2018-06-23 10:38:58 -04:00
Chris PeBenito
09248fa0db
Move modules to contrib submodule.
2011-09-09 10:10:03 -04:00
Chris PeBenito
aa4dad379b
Module version bump for release.
2011-07-26 08:11:01 -04:00
Chris PeBenito
bdc7622e86
Remove redundant system dbus permissions with cpufreqselector and incorrect xdm dbus permission.
2011-03-16 08:20:28 -04:00
Chris PeBenito
0419373aa7
Allow system dbus to send messages to it's clients.
2011-03-14 11:52:19 -04:00
Chris PeBenito
dc24f36872
Module version bump and changelog for cpufreqselector dbus patch from Guido Trentalancia.
2011-02-22 11:36:15 -05:00
Guido Trentalancia
f8b9fb9391
patch to make cpufreqselector usable with dbus
...
This patch adds a new interface to the cpufreqselector module
to allow dbus chat. It then uses such interface to allow dbus chat
with system_dbusd_t and xdm_t. This patch also adds some other
permissions needed to run cpufreqselector.
2011-02-22 11:23:10 -05:00
Chris PeBenito
826d014241
Bump module versions for release.
2010-12-13 09:12:22 -05:00
Chris PeBenito
befc7ec99f
Module version bump for Dominick's consoletype cleanup.
2010-10-11 09:27:27 -04:00
Dominick Grift
8340621920
Implement miscfiles_cert_type().
...
This is based on Fedoras' miscfiles_cert_type implementation.
The idea was that openvpn needs to be able read home certificates (home_cert_t) which is not implemented in refpolicy yet, as well as generic cert_t certificates.
Note that openvpn is allowed to read all cert_types, as i know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well but because i do not know exactly which domains i will not changes any other domains call to generic cert type interfaces.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-10 11:05:46 -04:00
Chris PeBenito
48f99a81c0
Whitespace change: drop unnecessary blank line at the start of .te files.
2010-06-10 08:16:35 -04:00
Chris PeBenito
29af4c13e7
Bump module versions for release.
2010-05-24 15:32:01 -04:00
Chris PeBenito
98ac98623c
Dbus patch from Dan Walsh.
2010-05-03 09:34:42 -04:00
Chris PeBenito
ed3a1f559a
bump module versions for release.
2009-11-17 10:05:56 -05:00
Chris PeBenito
62c80e2546
module version bumps and changelog update for the previous 3 commits.
2009-08-18 13:20:01 -04:00
Chris PeBenito
9570b28801
module version number bump for release 2.20090730 that was mistakenly omitted.
2009-08-05 10:59:21 -04:00
Chris PeBenito
423a4a3a2c
fix dbus type transition conflict.
...
switch dbus ranged calls from daemon domain to system domain. This works
around a type transition conflict. It is also why the non-ranged
init_system_domain() is used instead of init_daemon_domain().
2009-07-28 11:05:19 -04:00
Chris PeBenito
e04438840b
dbus patch from dan
2009-07-27 09:46:35 -04:00
Chris PeBenito
09516cb4be
remove read_default_t tunable
2009-07-23 08:58:35 -04:00
Chris PeBenito
c1262146e0
trunk: Remove node definitions and change node usage to generic nodes.
2009-01-09 19:48:02 +00:00
Chris PeBenito
668b3093ff
trunk: change network interface access from all to generic network interfaces.
2009-01-06 20:24:10 +00:00