Improve the existing user domain template policy:
- better support for the "user_rw_noexattrfile" boolean (enable
write operations on filesystems that do not support extended
attributes, such as FAT or cdrom filesystem);
- add support for a new "user_exec_noexattrfile" boolean to
control the execution of files from filesystems that do not
support extended attributes (potentially dangerous);
- add support for a new "user_write_removable" boolean which
enables write operations on removable devices (such as
external removable USB memory, USB mobile phones, etc).
Note that devices might be removable but support extended
attributes (Linux xattr filesystems on external USB mass storage
devices), so two separate booleans are needed for optimal
configuration flexibility.
Writing to removable mass storage devices is a major cause of
leakage of confidential information, so the new boolean defaults
to false.
Disable raw access for MLS policies (thanks to Christopher
PeBenito for suggesting this).
This new version of the patch correctly includes the definitions
of the new booleans (by including the .te file differences).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
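As an added illustration (not part of the patch above) of how the Reference Policy expresses booleans of this kind, below is a refpolicy-style fragment for the common user template: each boolean is declared with `gen_tunable` (defaulting to false, as the message requires for the removable case) and gates a set of interfaces inside a `tunable_policy` block. The interface names and the MLS conditional are assumed refpolicy-style names for illustration, not taken from the patch.

```m4
## Added example in refpolicy syntax; interface names are assumed,
## not quoted from the patch. $1_t is the user domain built by the template.

## <desc><p>Allow user domains to read and write files on
## filesystems without extended attributes (FAT, iso9660).</p></desc>
gen_tunable(user_rw_noexattrfile, false)

## <desc><p>Allow user domains to execute files from filesystems
## without extended attributes (potentially dangerous).</p></desc>
gen_tunable(user_exec_noexattrfile, false)

## <desc><p>Allow user domains to write to removable devices.
## Defaults to false because of data-leakage risk.</p></desc>
gen_tunable(user_write_removable, false)

template(`userdom_common_user_template',`
	# Writes on xattr-less filesystems are separate from writes on
	# removable media: a USB disk with ext4 is removable but has xattrs.
	tunable_policy(`user_rw_noexattrfile',`
		fs_manage_noxattr_fs_files($1_t)
		fs_manage_noxattr_fs_dirs($1_t)
	')

	# Execution is gated on its own boolean so read/write access
	# does not silently imply exec.
	tunable_policy(`user_exec_noexattrfile',`
		fs_exec_noxattr_fs_files($1_t)
	')

	# Raw device writes are never granted under MLS; elsewhere they
	# depend on the boolean.
	ifdef(`enable_mls',`',`
		tunable_policy(`user_write_removable',`
			storage_raw_write_removable_device($1_t)
		')
	')
')
```

The resulting booleans can be toggled at runtime with `setsebool`, while the defaults above describe the state of a freshly built policy.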
Update the lvm module to add a permission needed by cryptsetup.
At the moment the SELinux kernel code is not yet able to distinguish
the sockets in the AF_ALG namespace that are used for interfacing to
the kernel Crypto API.
In the future the SELinux kernel code will be updated to distinguish
the new socket class and so this permission will change its class
from the generic "socket" to the new socket (e.g. "alg_socket").
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Since the awk scripts appear to use some GNU extensions, make sure we always use $(AWK).
Fixes an issue where the system /usr/bin/awk may be another implementation, say mawk on a Ubuntu system.
The "module_load" permission has been recently added to the "system"
class (kernel 4.7).
The following patch updates the Reference Policy so that the new
permission is allowed when a kernel module should be loaded.
To preserve the module encapsulation, a new interface is defined
in the kernel files module and that interface is then used in the
kernel module.
A short note is added about unneeded permissions that set the
kernel scheduling parameters (might lead to service disruption).
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
This makes migrating to container-based infrastructure much easier (all
that is needed is adding "sudo: false" in the file).
Moreover installing the toolchain in a user directory fixes issues when
using the Trusty Beta environment: this toolchain broke the
already-installed Ubuntu packages (with for example policy version
issues between setfiles and checkpolicy). As the packaged tools (version
2.2) are much slower than the latest toolchain release on Trusty, it is
better to keep using the latest release.
As the libcap-ng-dev package is not (yet? [1]) whitelisted in the Travis-CI
container infrastructure, drop this package and do not build
policycoreutils/sandbox. Do not build policycoreutils/restorecond either, as
it requires glib to be installed.
While at it, set the language as "generic" instead of "python".
[1] https://github.com/travis-ci/apt-package-whitelist/issues/1096
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- updated the file contexts for the Xsession script;
- created an interface for chatting over dbus with
xdm (currently used by the userdomain module in
the common user template);
- added permission to chat over dbus with colord.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
cards need to load their firmware) and it should not audit attempts
to load kernel modules directly.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
the dhcp client (another separate patch makes changes to the
ifconfig part).
Create auxiliary interfaces in the ntp module.
The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.
Include revisions from Chris PeBenito.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
domains (e.g. gnome session).
Thanks to Jason Zaman for pointing out the correct interface to
achieve this.
This new version fixes a typographic error in the previous version.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
The "module_load" permission has been recently added to the "system"
class (kernel 4.7).
The following patch updates the Reference Policy so that the new
permission can be used to create SELinux policies.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
The following has been in my tree for a few years. It allows initrc_t to stat
devices early in the boot process.
From ad46ce856a1a780cf6c3a0bb741794019e03edc2 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@gmail.com>
Date: Sat, 9 Nov 2013 10:45:09 +0100
Subject: [PATCH] init: startpar (initrc_t) gets attributes of /dev/dm-0
(device_t) early on boot, soon later the node context is properly reset
(debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
/etc/sysconfig/libvirtd does not have the executable bit set, so it does
not make sense for it to be labelled bin_t. I can't seem to find the
reason it was set that way originally.
Signed-off-by: Garrett Holmstrom <gholms@devzero.com>