Commit Graph

81 Commits

Author SHA1 Message Date
Chris PeBenito a2ec18d2a3 dbus, systemd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-06 11:40:56 -04:00
Chris PeBenito ba3818ebcc dbus: Rename tunable to dbus_pass_tuntap_fd.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-06 11:40:02 -04:00
David Sommerseth 79c7859a48
dbus: Add tunable - dbus_can_pass_tuntap_fd
D-Bus services wanting to pass file descriptors for
tun/tap devices need to read/write privileges to /dev/tun.

Without this privilege the following denial will happen:

    type=AVC msg=audit(1582227542.557:3045): avc:  denied  { read write } for  pid=1741 comm="dbus-daemon" path="/dev/net/tun" dev="devtmpfs" ino=486 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file permissive=0

This is needed by OpenVPN 3 Linux, where an unprivileged
process (openvpn3-service-client) requests a tun device
from a privileged service (openvpn3-service-netcfg) over
the D-Bus system bus.

GitHub-Issue: #190
Signed-off-by: David Sommerseth <davids@openvpn.net>
2020-04-02 22:40:00 +02:00
Chris PeBenito b2f72e833b Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-02-29 16:54:39 -05:00
Chris PeBenito 2400f6a74c various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-02-17 13:34:06 -05:00
Jason Zaman adaea617cd dbus: add watch perms
avc:  denied  { watch } for  pid=10630 comm="dbus-daemon" path="/usr/share/dbus-1/accessibility-services" dev="zfs" ino=244551 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=10622 comm="dbus-daemon" path="/etc/dbus-1/session.d" dev="zfs" ino=262694 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_etc_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
2020-02-17 13:25:59 -05:00
Chris PeBenito 3e91c2264f various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-01-17 10:50:13 -05:00
Chris PeBenito e2ac94d08d dbus: Add directory watches.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-01-16 15:53:36 -05:00
Chris PeBenito 7af9eb3e91 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-01-15 10:42:45 -05:00
Stephen Smalley 161bda392e access_vectors: Remove unused permissions
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0.  Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.

The corresponding classmap declarations were removed from the
mainline kernel in:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162

Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }

Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-14 13:41:50 -05:00
Chris PeBenito 45bd96f619 various: Module version bump. 2019-11-23 09:54:36 -05:00
Laurent Bigonville 805f2d9cd4 Allow the systemd dbus-daemon to talk to systemd
Recent versions of dbus are started as Type=notify

type=AVC msg=audit(03/10/19 15:32:40.347:64) : avc:  denied  { write } for  pid=809 comm=dbus-daemon name=notify dev="tmpfs" ino=1751 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_runtime_t:s0 tclass=sock_file permissive=1

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-10-31 12:05:05 +01:00
Chris PeBenito 291f68a119 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:39:31 -04:00
Chris PeBenito 61ecff5c31 Remove old aliases.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito d6c7154f1c Reorder declarations based on *_runtime_t renaming.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito 69a403cd97 Rename *_var_run_t types to *_runtime_t.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Chris PeBenito 8c3893e427 Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-06-09 14:05:19 -04:00
Chris PeBenito e2e4094bd4 various: Module version bump
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-04-16 22:08:11 -04:00
Sugar, David a49163250f Add kernel_dgram_send() into logging_send_syslog_msg()
This patch is based on comments from previous a patch to
remove the many uses of kernel_dgram_send() and incorporate
it into logging_send_syslog_msg().

v2 - enclose in ifdef for redhat
v3 - rebase this patch on e41def136a

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-04-16 20:51:55 -04:00
Chris PeBenito 32f3f09dc4 authlogin, dbus, ntp: Module version bump. 2019-03-24 14:43:35 -04:00
Sugar, David 142651a8b4 Resolve denial about logging to journal from dbus
type=AVC msg=audit(1553013821.597:9897): avc:  denied  { sendto } for  pid=7377 comm="dbus-daemon" path="/dev/log" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:37:22 -04:00
Chris PeBenito 445cbed7c7 Bump module versions for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito a7f2394902 various: Module version bump. 2019-01-20 16:45:55 -05:00
Nicolas Iooss 47b09d472e
dbus: allow using dynamic UID
When using a systemd service with dynamic UID, dbus-daemon reads
symlinks in /run/systemd/dynamic-uid/:

    type=SYSCALL msg=audit(1547313774.993:373): arch=c000003e
    syscall=257 success=yes exit=12 a0=ffffff9c a1=7f7ccdc6ec72 a2=90800
    a3=0 items=0 ppid=1 pid=282 auid=4294967295 uid=81 gid=81 euid=81
    suid=81 fsuid=81 egid=81 sgid=81 fsgid=81 tty=(none) ses=4294967295
    comm="dbus-daemon" exe="/usr/bin/dbus-daemon"
    subj=system_u:system_r:system_dbusd_t key=(null)

    type=AVC msg=audit(1547313774.993:373): avc:  denied  { read } for
    pid=282 comm="dbus-daemon" name="dynamic-uid" dev="tmpfs" ino=12688
    scontext=system_u:system_r:system_dbusd_t
    tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=1

    type=SYSCALL msg=audit(1547313774.993:374): arch=c000003e
    syscall=267 success=yes exit=7 a0=ffffff9c a1=7ffe25cf0800
    a2=558ac0043b00 a3=1000 items=0 ppid=1 pid=282 auid=4294967295
    uid=81 gid=81 euid=81 suid=81 fsuid=81 egid=81 sgid=81 fsgid=81
    tty=(none) ses=4294967295 comm="dbus-daemon"
    exe="/usr/bin/dbus-daemon" subj=system_u:system_r:system_dbusd_t
    key=(null)

    type=AVC msg=audit(1547313774.993:374): avc:  denied  { read } for
    pid=282 comm="dbus-daemon" name="direct:65306" dev="tmpfs" ino=12690
    scontext=system_u:system_r:system_dbusd_t
    tcontext=system_u:object_r:init_var_run_t tclass=lnk_file
    permissive=1

This directory looks like this, on Arch Linux with systemd 240:

    # ls -alZ /run/systemd/dynamic-uid
    drwxr-xr-x.  2 root root system_u:object_r:init_var_run_t 100 2019-01-12 15:53 ./
    drwxr-xr-x. 17 root root system_u:object_r:init_var_run_t 420 2019-01-12 15:53 ../
    -rw-------.  1 root root system_u:object_r:init_var_run_t   8 2019-01-12 15:53 65306
    lrwxrwxrwx.  1 root root system_u:object_r:init_var_run_t   7 2019-01-12 15:53 direct:65306 -> haveged
    lrwxrwxrwx.  1 root root system_u:object_r:init_var_run_t   5 2019-01-12 15:53 direct:haveged -> 65306
2019-01-16 22:13:57 +01:00
Chris PeBenito e8ba31557d various: Module version bump. 2019-01-06 14:11:08 -05:00
Chris PeBenito d6b46686cd many: Module version bumps for changes from Russell Coker. 2019-01-05 14:33:50 -05:00
Chris PeBenito e5ac999aab dbus, xserver, init, logging, modutils: Module version bump. 2018-12-11 17:59:31 -05:00
David Sugar 55c3fab804 Allow dbus to access /proc/sys/crypto/fips_enabled
type=AVC msg=audit(1543769401.029:153): avc:  denied  { search } for
pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769401.029:153): avc:  denied  { read } for
pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:153): avc:  denied  { open } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:154): avc:  denied  { getattr } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

type=AVC msg=audit(1543845518.175:364): avc:  denied  { search } for
pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543845518.175:364): avc:  denied  { read } for
pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc:  denied  { open } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:365): avc:  denied  { getattr } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-12-11 17:54:44 -05:00
Chris PeBenito 65e8f758ca Bump module versions for release. 2018-07-01 11:02:33 -04:00
Chris PeBenito 3ab07a0e1e Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
Chris PeBenito 09248fa0db Move modules to contrib submodule. 2011-09-09 10:10:03 -04:00
Chris PeBenito aa4dad379b Module version bump for release. 2011-07-26 08:11:01 -04:00
Chris PeBenito bdc7622e86 Remove redundant system dbus permissions with cpufreqselector and incorrect xdm dbus permission. 2011-03-16 08:20:28 -04:00
Chris PeBenito 0419373aa7 Allow system dbus to send messages to it's clients. 2011-03-14 11:52:19 -04:00
Chris PeBenito dc24f36872 Module version bump and changelog for cpufreqselector dbus patch from Guido Trentalancia. 2011-02-22 11:36:15 -05:00
Guido Trentalancia f8b9fb9391 patch to make cpufreqselector usable with dbus
This patch adds a new interface to the cpufreqselector module
to allow dbus chat. It then uses such interface to allow dbus chat
with system_dbusd_t and xdm_t. This patch also adds some other
permissions needed to run cpufreqselector.
2011-02-22 11:23:10 -05:00
Chris PeBenito 826d014241 Bump module versions for release. 2010-12-13 09:12:22 -05:00
Chris PeBenito befc7ec99f Module version bump for Dominick's consoletype cleanup. 2010-10-11 09:27:27 -04:00
Dominick Grift 8340621920 Implement miscfiles_cert_type().
This is based on Fedoras' miscfiles_cert_type implementation.
The idea was that openvpn needs to be able read home certificates (home_cert_t) which is not implemented in refpolicy yet, as well as generic cert_t certificates.

Note that openvpn is allowed to read all cert_types, as i know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well but because i do not know exactly which domains i will not changes any other domains call to generic cert type interfaces.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-10 11:05:46 -04:00
Chris PeBenito 48f99a81c0 Whitespace change: drop unnecessary blank line at the start of .te files. 2010-06-10 08:16:35 -04:00
Chris PeBenito 29af4c13e7 Bump module versions for release. 2010-05-24 15:32:01 -04:00
Chris PeBenito 98ac98623c Dbus patch from Dan Walsh. 2010-05-03 09:34:42 -04:00
Chris PeBenito ed3a1f559a bump module versions for release. 2009-11-17 10:05:56 -05:00
Chris PeBenito 62c80e2546 module version bumps and changelog update for the previous 3 commits. 2009-08-18 13:20:01 -04:00
Chris PeBenito 9570b28801 module version number bump for release 2.20090730 that was mistakenly omitted. 2009-08-05 10:59:21 -04:00
Chris PeBenito 423a4a3a2c fix dbus type transition conflict.
switch dbus ranged calls from daemon domain to system domain.  This works
around a type transition conflict.  It is also why the non-ranged
init_system_domain() is used instead of init_daemon_domain().
2009-07-28 11:05:19 -04:00
Chris PeBenito e04438840b dbus patch from dan 2009-07-27 09:46:35 -04:00
Chris PeBenito 09516cb4be remove read_default_t tunable 2009-07-23 08:58:35 -04:00
Chris PeBenito c1262146e0 trunk: Remove node definitions and change node usage to generic nodes. 2009-01-09 19:48:02 +00:00
Chris PeBenito 668b3093ff trunk: change network interface access from all to generic network interfaces. 2009-01-06 20:24:10 +00:00