Commit Graph

148 Commits

Author SHA1 Message Date
Chris PeBenito e3f90ef0b5 sysadm: Module version bump. 2019-02-13 18:53:56 -05:00
Nicolas Iooss 4aa9acca0a
sysadm: allow resolving dynamic users
On a virtual machine using the haveged daemon, running "ps" from a sysadm_t
user leads to the following output:

    $ ps -eH -o label,user,pid,cmd
    ...
    system_u:system_r:init_t        root         1 /sbin/init
    system_u:system_r:syslogd_t     root       223   /usr/lib/systemd/systemd-journald
    system_u:system_r:lvm_t         root       234   /usr/bin/lvmetad -f
    system_u:system_r:udev_t        root       236   /usr/lib/systemd/systemd-udevd
    system_u:system_r:entropyd_t    65306      266   /usr/bin/haveged --Foreground --verbose=1

User 65306 is a dynamic user attributed by systemd:

    $ cat /var/run/systemd/dynamic-uid/65306
    haveged

Running ps leads to the following log:

    type=USER_AVC msg=audit(1549830356.959:1056): pid=278 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager
    member=LookupDynamicUserByUID dest=org.freedesktop.systemd1
    spid=12038 tpid=1 scontext=sysadm_u:sysadm_r:sysadm_t
    tcontext=system_u:system_r:init_t tclass=dbus permissive=0
    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Allow sysadm_t to resolve dynamic users when systemd is used.

After this, "ps" works fine:

    system_u:system_r:entropyd_t    haveged    266   /usr/bin/haveged --Foreground --verbose=1
2019-02-12 21:43:08 +01:00
Chris PeBenito 445cbed7c7 Bump module versions for release. 2019-02-01 15:03:42 -05:00
Chris PeBenito 83ebbd23d3 corecommands, staff, unprivuser, ssh, locallogin, systemd: Module version bump. 2019-02-01 14:21:55 -05:00
Russell Coker 044da0b8b9 more misc stuff
Here's the latest stuff, most of which is to make staff_t usable as a login
domain.  Please merge whatever you think is good and skip the rest.
2019-02-01 14:16:57 -05:00
Chris PeBenito b6396ffe19 various: Module version bump. 2019-01-29 18:59:50 -05:00
Russell Coker 1574ac4a5d chromium
There are several nacl binaries that need labels.

Put an ifdef debian for some chromium paths.

Git policy misses chromium_role() lines; were they in another patch that was
submitted at the same time?

I don't know what this is for, but it doesn't seem harmful to allow it:
type=PROCTITLE msg=audit(28/01/19 19:31:42.361:3218) : proctitle=/bin/bash /usr/bin/google-chrome
type=SYSCALL msg=audit(28/01/19 19:31:42.361:3218) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x563328f7b590 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=0 ppid=5158 pid=5166 auid=test uid=test gid=test euid=test suid=test fsuid=test egid=test sgid=test fsgid=test tty=pts7 ses=232 comm=google-chrome exe=/bin/bash subj=user_u:user_r:chromium_t:s0 key=(null)
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc:  granted  { associate } for  pid=5166 comm=google-chrome name=63 scontext=user_u:object_r:chromium_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc:  granted  { create } for  pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:object_r:chromium_t:s0 tclass=file
type=AVC msg=audit(28/01/19 19:31:42.361:3218) : avc:  granted  { add_name } for  pid=5166 comm=google-chrome name=63 scontext=user_u:user_r:chromium_t:s0 tcontext=user_u:user_r:chromium_t:s0 tclass=dir

Allow domain_use_interactive_fds() for running via ssh -X.

Allow managing xdg data, cache, and config.

Allow reading public data from apt and dpkg, probably from lsb_release or some
other shell script.

How does the whole naclhelper thing work anyway?  I'm nervous about process
share access involving chromium_sandbox_t; is that really what we want?

Added lots of other stuff like searching cgroup dirs etc.
2019-01-29 18:59:33 -05:00
Chris PeBenito e8ba31557d various: Module version bump. 2019-01-06 14:11:08 -05:00
Chris PeBenito ea11d5bbc2 Merge branch 'nsd' of https://github.com/alexminder/refpolicy 2019-01-06 14:02:06 -05:00
Guido Trentalancia 9e6febb049 Add sigrok contrib module
Add a SELinux Reference Policy module for the sigrok
signal analysis software suite (command-line interface).

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
2019-01-03 20:51:18 -05:00
Alexander Miroshnichenko faa2b15910 Add nsd_admin interface to sysadm.te.
Allow users with sysadm_r role to start/stop NSD daemon.
2018-12-30 18:30:23 +03:00
Chris PeBenito 3ab07a0e1e Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
Chris PeBenito 4d5b06428b Bump module versions for release. 2018-01-14 14:08:09 -05:00
Chris PeBenito 2037c8f294 kernel, mls, sysadm, ssh, xserver, authlogin, locallogin, userdomain: Module version bumps. 2017-11-04 14:16:20 -04:00
Jason Zaman 9adc6c5ddb gssproxy: Allow others to stream connect
kernel AVC:
 * Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
 * start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc:  denied  { connectto } for  pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0
2017-11-04 14:00:56 -04:00
Chris PeBenito f74a91a1a6 sysadm,fstools: Module version bump. 2017-09-14 17:21:56 -04:00
Christian Göttsche e1d795de3b dphysswapfile: add interfaces and sysadm access
v2:

add swapfile file context
2017-09-14 17:19:55 -04:00
Chris PeBenito aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito 6293813020 Module version bump for patches from cgzones. 2017-06-12 18:48:58 -04:00
cgzones c6f76058dc chkrootkit: add interfaces and sysadm permit
v2:
 - add bin_t fc to corecommands
2017-06-12 18:41:56 -04:00
Chris PeBenito 5ab11a8454 Module version bump for patches from cgzones. 2017-06-08 18:53:51 -04:00
cgzones 9ab63a1bdf rkhunter: add interfaces for rkhunter module and sysadm permit 2017-06-08 18:22:53 -04:00
Chris PeBenito 2749bddae8 Module version bumps for patches from Jason Zaman. 2017-05-31 21:09:50 -04:00
Jason Zaman d49027dc40 dirmngr: add to roles 2017-05-31 20:40:47 -04:00
Chris PeBenito 6c2272c613 Module version bump for infiniband policy from Daniel Jurgens. 2017-05-24 19:36:49 -04:00
Chris PeBenito 412fc7e7fd corenet/sysadm: Move lines. 2017-05-24 19:36:04 -04:00
Daniel Jurgens 25a5b24274 refpolicy: Infiniband pkeys and endports
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default; sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-24 19:23:18 -04:00
Chris PeBenito 36c79fd3ee Module version bump for libmtp from Guido Trentalancia. 2017-05-22 20:20:47 -04:00
Guido Trentalancia 4f8b753f24 base: role changes for the new libmtp module
This is the base part of the policy needed to support libmtp (an
Initiator implementation of the Media Transfer Protocol).

Signed-off-by: Guido Trentalancia <guido at trentalancia.net>
2017-05-22 20:05:52 -04:00
Chris PeBenito bb8f9f49c3 little misc strict from Russell Coker. 2017-04-29 11:25:13 -04:00
Chris PeBenito 878735f69f Module version bump for patches from Russell Coker and Guido Trentalancia. 2017-04-26 06:39:39 -04:00
Chris PeBenito 8f6f0cf0e2 Rename apm to acpi from Russell Coker.
This patch is slightly more involved than just running sed.  It also adds
typealias rules and doesn't change the FC entries.

The /dev/apm_bios device doesn't exist on modern systems.  I have left that
policy in for the moment on the principle of making one change per patch.  But
I might send another patch to remove that as it won't exist with modern
kernels.
2017-04-26 06:36:20 -04:00
Chris PeBenito 73d8b3026c Systemd-related changes from Russell Coker. 2017-04-06 17:37:50 -04:00
Chris PeBenito 603f0e1e6e Module version bump for monit patch from cgzones 2017-03-25 13:24:56 -04:00
cgzones f438513a8a sysadm: add monit admin permissions 2017-03-09 13:24:51 +01:00
Chris PeBenito 4d028498d8 Module version bumps for fixes from cgzones. 2017-03-05 10:48:42 -05:00
cgzones 4b79a54b41 modutils: adopt callers to new interfaces 2017-03-03 12:28:17 +01:00
Chris PeBenito 3726cd58f6 Module version bump for changes from cgzones. 2017-02-18 12:28:38 -05:00
cgzones 60983561be sysadm: fix denials
allow reading kmesg and the SELinux policy
2017-02-16 16:00:14 +01:00
Chris PeBenito 1720e109a3 Sort capabilities permissions from Russell Coker. 2017-02-15 18:47:33 -05:00
Chris PeBenito 69ede859e8 Bump module versions for release. 2017-02-04 13:30:53 -05:00
Chris PeBenito 49545aad8f Module version bump for patches from Guido Trentalancia. 2016-12-30 14:15:06 -05:00
Guido Trentalancia via refpolicy 84176263dd sysadm: add the shutdown role
Add the shutdown role interface call to the sysadm role module.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-30 13:13:58 -05:00
Chris PeBenito f8489c13e4 Module version bump for xscreensaver patch from Guido Trentalancia. 2016-12-21 14:30:03 -05:00
Guido Trentalancia 997706aba3 base: enable the xscreensaver role
This patch enables the xscreensaver role so that the
xscreensaver module is used on those systems where the
corresponding application is installed.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-21 14:00:19 -05:00
Chris PeBenito 6e3c5476ca Module version bumps for patches from Guido Trentalancia. 2016-12-17 09:00:36 -05:00
Guido Trentalancia 20e8fb4b9c wm: update the window manager (wm) module and enable its role template (v7)
Enable the window manager role (wm contrib module) and update
the module to work with gnome-shell.

This patch requires the following recently posted patch for the
games module:

[PATCH v3 1/2] games: general update and improved pulseaudio integration
http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html

This patch has received some testing with the following two
configurations:
- gnome-shell executing in normal mode (with display managers
other than gdm, such as xdm from XOrg);
- gnome-shell executing in gdm mode (with the Gnome Display
Manager).

Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used
in conjunction with gdm.

Since the window managers are not limited by gnome-shell, this latter
version of the patch (along with part 2/5) uses separate optional
conditionals for the gnome and wm role templates.

The new wm_application_domain() interface introduced in the sixth
version of this patch is an idea of Jason Zaman.

This patch also fixes a minor bug in the way the pulseaudio_role()
interface is optionally included by the role templates (pulseaudio
does not depend on dbus).

This seventh version splits the 1/5 patch in two separate patches:
one for the base policy and one for the contrib policy.

THIS IS THE BASE POLICY PART.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-17 08:15:10 -05:00
Chris PeBenito 1113e38307 Module version bumps for openoffice patches from Guido Trentalancia. 2016-12-06 20:19:18 -05:00
Guido Trentalancia ab0b758ed7 Apache OpenOffice module (base policy part)
This is a patch that I have created and tested to support Apache
OpenOffice with its own module (base policy part, 1/2).

The file contexts (and initial tests) are based on the default
installation path for version 4 of the office suite.

Since the second version it includes revisions from Dominick Grift.

Since the third version it should correctly manage files in home
directories and allow some other major functionality.

The fourth version of the patch introduces a boolean to enable or
disable software updates from the network (application and/or
extensions).

The fifth version of the patch adds the ability to connect to the
X display manager (XDM) using Unix domain sockets (interface
xserver_stream_connect_xdm()). Also the fifth version splits the
whole patch into separate base policy / contrib policy patches as
required.

The sixth version of this patch removes obsolete executable
permission from the unconfined module.

The seventh, eighth and ninth versions bring no changes in the base
part of the patch.

All released versions are safe to apply, each new version just
brings improved application functionality and better integration
with other desktop applications.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-06 20:08:06 -05:00
Chris PeBenito 34055cae87 Bump module versions for release. 2016-10-23 16:58:59 -04:00