Kenton Groombridge
386d00de34
authlogin, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-10-13 19:07:34 -04:00
Markus Linnala
9127219358
policy: interfaces: doc: indent param blocks consistently
There are more than 5000 parameter documentations. Only about 300 are
done differently. Change them to be consistently indented:
param with one space
and content inside with one tab
This was done with:
sed -ri '
/^##[[:space:]]*<param/,/^##[[:space:]]*<[/]param>/{
s/^##[[:space:]]*/##\t/;
s/^##[[:space:]]*(<[/]?summary)/##\t\1/;
s/^##[[:space:]]*(<[/]?param)/## \1/;
}' policy/modules/*/*.if
Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 12:19:25 +03:00
Chris PeBenito
163c153c33
authlogin: Deprecate auth_domtrans_chk_passwd().
This is a duplicate interface.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-04-23 14:40:46 -04:00
Chris PeBenito
3945473b5e
authlogin: Remove redundant rule in auth_domtrans_chk_passwd().
This is provided by the auth_use_nsswitch() call.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-04-20 10:36:23 -04:00
Chris PeBenito
13a32a4616
authlogin: Add tunable for allowing shadow access on non-PAM systems.
Fixes #342
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-04-20 10:36:07 -04:00
Kenton Groombridge
26e9ec7c43
authlogin: add new type for pwd.lock and others
This is in response to systemd needing to write to .pwd.lock in support
of dynamic users, which is currently labeled shadow_t despite systemd
seemingly not making any actual modifications to /etc/passwd or
/etc/shadow. Instead of granting potentially overly permissive access,
this commit assigns a new type to these lock files.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-09 16:42:53 -04:00
Russell Coker
ab0367b4b6
machined
This patch is for systemd-machined. Some of it will probably need
discussion but some is obviously good, so Chris maybe you could take
the bits you like for this release?
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-02-02 13:46:42 -05:00
Russell Coker
a7f3fdabad
new version of filetrans patch
Name changes suggested by Dominick and some more additions.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-02-02 08:31:14 -05:00
Russell Coker
88c8189207
latest memlockd patch
Includes the ifndef(`distro_debian' section that was requested. Should be
ready for merging now.
Signed-off-by: Russell Coker <russell@coker.com.au>
2021-01-25 09:39:26 -05:00
Chris PeBenito
7b15003eae
Remove modules for programs that are deprecated or no longer supported.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2021-01-14 17:14:30 -05:00
bauen1
fa59d0e9bc
selint: fix S-010
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-08-28 17:39:09 +02:00
Christian Göttsche
3bb507efa6
Fix several misspellings
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 14:08:58 +02:00
Chris PeBenito
0992763548
Update callers for "pid" to "runtime" interface rename.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-28 16:03:45 -04:00
Chris PeBenito
be04bb3e7e
Rename "pid" interfaces to "runtime" interfaces.
Rename interfaces to bring consistency with the previous pid->runtime type
renaming. See PR #106 or 69a403cd for the original type renaming.
Interfaces that are still in use were renamed with a compatibility
interface. Unused interfaces were fully deprecated for removal.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-28 14:33:17 -04:00
Chris PeBenito
69a403cd97
Rename *_var_run_t types to *_runtime_t.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-30 20:02:43 -04:00
Nicolas Iooss
c021287125
Allow Debian to generate a dynamic motd when users log in
Debian's PAM configuration uses a patched pam_motd module that runs
files in /etc/update-motd.d/ in order to generate a dynamic Message Of
The Day (MOTD). By default, there is only one script:
$ cat /etc/update-motd.d/10-uname
#!/bin/sh
uname -snrvm
According to https://wiki.debian.org/motd , the script is executed
through run-parts:
if (!system("/usr/bin/env -i
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
run-parts --lsbsysinit /etc/update-motd.d >
/run/motd.dynamic.new"))
rename("/run/motd.dynamic.new", "/run/motd.dynamic");
This requires allowing pam_motd users to execute bin_t commands
(/usr/bin/env) and shells (/bin/sh), and to manage /run/motd.dynamic*
files.
Allow relevant accesses for Debian-based systems.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-01 13:44:28 +02:00
Sugar, David
3fd0d7df8b
Update cron use to pam interface
I'm seeing many denials for cron related to faillog_t, lastlog_t
and wtmp_t. These are all due to the fact that cron is using pam (and my
system is configured with pam_faillog). I have updated cron to use the
auth_use_pam interface to grant the needed permissions.
Additional change to allow systemd_logind dbus for cron.
I have included many of the denials I'm seeing, but there are probably
others I didn't capture.
type=AVC msg=audit(1551411001.389:1281): avc: denied { read write } for pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1281): avc: denied { open } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins"
type=AVC msg=audit(1551411001.389:1282): avc: denied { lock } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1282): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1551411001.389:1283): avc: denied { write } for pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1283): avc: denied { open } for pid=8807 comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.489:1513): avc: denied { getattr } for pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc: denied { read write } for pid=9183 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc: denied { open } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1515): avc: denied { lock } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551412201.511:1515): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=9183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=USER_START msg=audit(1551412201.511:1516): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1551412201.512:1517): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1551412201.524:1521): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1551412201.525:1522): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-07 19:02:57 -05:00
Sugar, David
82494cedc1
pam_faillock creates files in /run/faillock
These are changes needed when pam_faillock creates files in /run/faillock
(which is labeled faillog_t). sudo and xdm (and probably other domains)
will create files in this directory for successful and failed login
attempts.
v3 - Updated based on feedback
type=AVC msg=audit(1545153126.899:210): avc: denied { search } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { write } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { add_name } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { create } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545153131.091:215): avc: denied { setattr } for pid=8448 comm="lightdm" name="dsugar" dev="tmpfs" ino=87599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545167205.531:626): avc: denied { search } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc: denied { write } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc: denied { add_name } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc: denied { create } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:faillog_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-01-06 13:57:18 -05:00
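The two commit messages above (the cron auth_use_pam change and the pam_faillock change) paste raw audit records and leave the reader to work out which accesses they imply. What follows is an added example, not code from refpolicy or from either commit: a stripped-down audit2allow-style aggregator that parses kernel AVC records and dbus USER_AVC records, merges the denied permissions per (source type, target type, object class) triple, and reports whether the records were captured in permissive mode. The sample input is constructed from records quoted in those two commits; the function and class names are mine.

```python
"""Group SELinux AVC denials into the allow rules they imply.

Added example, not part of refpolicy or of the commits above. It does a small
part of what audit2allow does: parse raw AVC and USER_AVC records, keep the
source type, target type, object class and permission set, and merge them into
one rule per (source, target, class) triple.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: records copied from the cron and pam_faillock commit
# messages above, plus one SYSCALL record that carries no avc text at all.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1551411001.389:1281): avc: denied { read write } for pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1281): avc: denied { open } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1282): avc: denied { lock } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1282): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1551411001.389:1283): avc: denied { write } for pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1283): avc: denied { open } for pid=8807 comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545153126.899:210): avc: denied { search } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { write } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { add_name } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { create } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

# Matches the avc text of kernel AVC records and of USER_AVC records, where the
# same text is embedded inside msg='...'.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Denial:
    source_type: str
    target_type: str
    tclass: str
    perms: frozenset
    permissive: Optional[bool]  # None when the record has no permissive= field


def type_of(context: str) -> str:
    """Return the type of a user:role:type[:range] context.

    The MLS range (s0-s0:c0.c1023) contains colons itself, so index rather
    than take the last field."""
    return context.split(":")[2]


def parse_avc_denials(text: str) -> list:
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, USER_START, CRED_* records carry no avc text
        permissive = None
        if "permissive=1" in line:
            permissive = True
        elif "permissive=0" in line:
            permissive = False
        denials.append(Denial(
            source_type=type_of(m.group("scontext")),
            target_type=type_of(m.group("tcontext")),
            tclass=m.group("tclass"),
            perms=frozenset(m.group("perms").split()),
            permissive=permissive,
        ))
    return denials


def aggregate(denials) -> dict:
    """Merge permissions per (source type, target type, class) triple."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d.source_type, d.target_type, d.tclass)].update(d.perms)
    return dict(merged)


def to_allow_rules(denials) -> list:
    """Render the merged triples as sorted allow rules (raw TE syntax)."""
    rules = []
    for (src, tgt, cls), perms in sorted(aggregate(denials).items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def collected_in_enforcing_mode(denials) -> bool:
    """True if any kernel record was logged while enforcing.

    In enforcing mode the first denied access aborts the operation, so the
    later permissions the program would have needed never appear in the log
    and the rule set derived from it is incomplete."""
    return any(d.permissive is False for d in denials)


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT)
    for rule in to_allow_rules(found):
        print(rule)
    if collected_in_enforcing_mode(found):
        print("# warning: collected in enforcing mode, set is probably incomplete")
```

The output is a starting point, not something to paste into a module: in refpolicy the crond_t rules against lastlog_t and wtmp_t are exactly what the auth_use_pam() interface the commit switched to already provides, and the dbus rule against systemd_logind_t corresponds to the logind dbus change mentioned in the same commit. The permissive check matters because all of the quoted records carry permissive=1; a log taken in enforcing mode would have stopped at the first read on lastlog and hidden the lock and write that follow.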
Russell Coker
73f8b85ef3
misc interfaces
This patch has some small interface changes as well as the policy patches to
use the new interfaces.
2019-01-05 13:36:20 -05:00
Chris PeBenito
efa32d9b56
Remove deprecated interfaces older than one year old.
Additionally one deprecated attribute removed.
2017-08-06 17:03:17 -04:00
Chris PeBenito
10388e1319
auth: Move optional out of auth_use_pam_systemd() to callers.
2017-02-26 12:08:02 -05:00
Chris PeBenito
2170c65ad9
Merge branch 'su_module' of git://github.com/cgzones/refpolicy
2017-02-26 11:48:37 -05:00
Chris PeBenito
2087bde934
Systemd fixes from Russell Coker.
2017-02-23 20:03:23 -05:00
cgzones
4d413fd0cb
authlogin: introduce auth_use_pam_systemd
add special interface for pam_systemd module permissions
2017-02-18 21:50:45 +01:00
Guido Trentalancia
edf4f0a313
authlogin: indentation/whitespace fix
Indentation/whitespace fix for one authlogin interface.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-15 19:19:17 -05:00
Chris PeBenito
3639880cf6
Implement core systemd policy.
Significant contributions from the Tresys CLIP team.
Other changes from Laurent Bigonville.
2015-10-23 10:16:59 -04:00
Sven Vermeulen
f0ebf14176
Add auth_pid_filetrans_pam_var_run
2014-12-02 09:16:05 -05:00
Laurent Bigonville
98fbab18f1
authlogin.if: Add auth_create_pam_console_data_dirs and auth_pid_filetrans_pam_var_console interfaces
On Debian /var/run/console directory might be created by consolekit, we
need these new interfaces to achieve this.
2012-12-07 00:27:38 -05:00
Dominick Grift
0805dd800c
Changes to various policy modules
pcscd_read_pub_files is deprecated; use pcscd_read_pid_files instead.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-19 08:59:22 -04:00
Chris PeBenito
330b13a4a2
nss_domain attribute patch 1, Miroslav Grepl
2012-07-10 08:43:31 -04:00
James Carter
8959338324
Change interfaces in authlogin.if to use new interfaces in files.if
Changed all interfaces that used auth_file_type to call the new
corresponding interface in files.if.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2012-05-04 08:47:42 -04:00
Chris PeBenito
a4912ae653
Whitespace fix in authlogin.if.
2011-07-18 13:46:18 -04:00
Matthew Ife
61fb2009ad
Create a new attribute for auth_file types. Add shadow as an auth_file type. Add new interfaces to manage auth_file types. Deprecate *_except_shadow macros in favour of *_except_auth_files.
2011-07-18 13:40:37 -04:00
Chris PeBenito
1bc5de22c0
Start pulling in pieces of Fedora policy in system layer.
2011-03-31 13:29:59 -04:00
Chris PeBenito
9262d3c958
Whitespace fixes in authlogin.
2011-02-28 09:22:26 -05:00
Dominick Grift
8340621920
Implement miscfiles_cert_type().
This is based on Fedora's miscfiles_cert_type implementation.
The idea was that openvpn needs to be able to read home certificates (home_cert_t), which is not implemented in refpolicy yet, as well as generic cert_t certificates.
Note that openvpn is allowed to read all cert_types, as I know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well, but because I do not know exactly which domains, I will not change any other domains' calls to the generic cert type interfaces.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-10 11:05:46 -04:00
Dominick Grift
a0546c9d1c
System layer xml fixes.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 09:25:55 -04:00
Chris PeBenito
153ed8751a
Authlogin patch from Dan Walsh.
2010-03-18 08:59:25 -04:00
Dominick Grift
38fc1bd180
Likewise policy.
Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-03-17 08:48:45 -04:00
Chris PeBenito
d24a7df15c
Improve the documentation of auth_use_nsswitch().
2010-03-03 10:37:37 -05:00
Dominick Grift
03dd57fe7b
Fix auth_domtrans_chk_passwd to use read_file_perms to suppress open AVC denials.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
2010-03-01 13:30:28 -05:00
Chris PeBenito
aadcb968f9
Move netlink route sockets from nsswitch to DNS name resolve.
2010-02-17 20:28:59 -05:00
Chris PeBenito
3f67f722bb
trunk: whitespace fixes
2009-06-26 14:40:13 +00:00
Chris PeBenito
30425aa876
trunk: 1 patch from dan.
2009-06-12 15:30:15 +00:00
Chris PeBenito
296273a719
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
Chris PeBenito
932c3536f8
trunk: additional open fixes.
2008-11-04 14:37:05 +00:00
Chris PeBenito
82d2775c92
trunk: more open perm fixes.
2008-10-20 16:10:42 +00:00
Chris PeBenito
2cca6b79b4
trunk: remove redundant shared lib calls.
2008-10-17 17:31:04 +00:00
Chris PeBenito
0b36a2146e
trunk: Enable open permission checks policy capability.
2008-10-16 16:09:20 +00:00
Chris PeBenito
7cbfeb97cf
trunk: uncomment set loginuid for functional login programs under strict.
2008-01-03 18:30:45 +00:00