Else blocks with optional statements are not supported in CIL.
Currently, if the pp to CIL compiler comes across one of these in a pp
module, it just drops the block and outputs a warning. Fortunately,
these are very rare. In fact, this is the only place in refpolicy where
an optional else block is used, and it is not clear if it is even
needed. This patch is untested, and is more to spark discussions to see
if there are any thoughts about whether or not this piece of policy is
needed.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
With the new userspace, the only files in /var/lib/selinux are selinux
store related files, so label it and everything inside it as
semanage_store_t. semanage_var_lib_t is completely removed and now
aliases semanage_store_t for backwards compatibility. This differs from
the v2 patch in that it adds back the ability to manage
selinux_config_t, which is necessary to manage the old module store for
things like migrating from the old to new store and backwards
compatability.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Allow sudo (1.8.9_p5 and higher) to handle /var/run/sudo/ts if it does
not exist (given the tmpfs nature of /var/run). This is done when sudo
is run in the user prefixed domain, and requires both the chown
capability as well as the proper file transition when /var/run/sudo is
created.
In order to write the grub configuration and perform the preliminary
checks, the grub-mkconfig command should run in the bootloader_t domain.
As such, update the file context definition to be bootloader_exec_t.
create_netlink_socket_perms is defined as:
{ create_socket_perms nlmsg_read nlmsg_write }
This means that it is redundant to allow create_socket_perms and
nlmsg_read/nlmsg_write.
Clean up things without allowing anything new.
iw manpage says "iw - show / manipulate wireless devices and their
configuration". Label this command ifconfig_exec_t to allow it to
manage wireless communication devices.
Debian installs iw in /sbin/iw, Fedora in /usr/sbin/iw and Arch Linux in
/usr/bin/iw (with /usr/sbin being a symlink to /usr/bin).
-This patch is needed since CIL does not allow duplicate
role declarations. The roles for system_r, staff_r, sysadm_r, and
user_r were already declared in kernel.te. Since the roles are
pulled in from require statements in the appropriate interfaces,
the duplicate role declarations could be deleted in modules for
auditadm, staff, sysadm, and userdomain.
-Move a role declaration that used an argument passed into the
userdom_base_user_template into a gen_require statement.
Since commit 0fd9dc55, logging.te contains:
term_write_all_user_ttys(syslogd_t)
As "write" is a superset of "append", this rule is no longer needed:
term_append_unallocated_ttys(syslogd_t)
While at it, add a comment which explains why
term_dontaudit_setattr_unallocated_ttys is needed.
audit.log shows that journald needs to read the kernel read buffer:
avc: denied { syslog_read } for pid=147 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
Moreover journald uses RW access to /dev/kmsg, according to its code:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-kmsg.c?id=v215#n394
Chris PeBenito
Steve Lawrence
Sven Vermeulen
Laurent Bigonville
Nicolas Iooss
Chris PeBenito
Yuli Khodorkovskiy