Commit Graph

6469 Commits

Author SHA1 Message Date
Chris PeBenito 6230995e33 mcs: Reorganize file.
Add more comments.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-06-23 15:29:50 -04:00
Chris PeBenito c99104ff1a mcs: Remove duplicate node_bind constraint.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-06-23 15:24:14 -04:00
Chris PeBenito ab2f8d35f1 mcs: Add missing process permission constraints.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-06-23 15:23:25 -04:00
Chris PeBenito a4b870f71b
Merge pull request #512 from pebenito/mcs-updates
Add additional MCS constraints.
2022-06-23 12:21:49 -04:00
Chris PeBenito 5e6ede3da6 mcs: Add additional socket constraints.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-06-20 14:50:20 -04:00
Chris PeBenito 8e32ade524 mcs: Collapse constraints.
Collapse file constraints as they are equivalent due to the same expressions.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-06-20 10:54:46 -04:00
Chris PeBenito 3b3e5c9eb0 mcs: Add additional SysV IPC constraints.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2022-06-20 10:52:30 -04:00
Chris PeBenito d698a5594c filesystem: Move ecryptfs interface definitions.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-06-03 15:25:59 -04:00
Chris PeBenito 45f1a0d54e
Merge pull request #509 from jcpunk/container-ecryptfs
container: Boolean for ecryptfs
2022-06-03 11:39:26 -04:00
Pat Riehecky 9ad002b0f9 container: Boolean for ecryptfs
Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
2022-06-03 08:48:56 -05:00
Chris PeBenito d1c15b2c21
Merge pull request #507 from pebenito/various-updates-20220524
Various updates 20220524
2022-05-26 11:00:22 -04:00
Chris PeBenito d767ebfef0 systemd: Misc updates.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito 16badfa641 application: Allow apps to use init fds.
This is needed for console/serial logins:

avc:  denied  { use } for  pid=767 comm="semodule" path="/dev/ttyS0"
dev="devtmpfs" ino=83
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito 136d1b724b container: Getattr generic device nodes.
There should be no device_t device nodes, but add access in case they
exist. Saw containerd fail to start containers if it couldn't stat() all
devices.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito 1caf5c6dc1 container: Allow container engines to connect to http cache ports.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito 9185562849 systemd: Fixes for coredumps in containers.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito b2f352e2ee files: Make etc_runtime_t a config file.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito 38d43bd770 files: Add prerequisite access for files_mounton_non_security().
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito 75c5a4c050 storage: Add fc for /dev/ng*n* devices.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito a4f4bc6fb8 devices: Add type for infiniband devices.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito f8739276a5 iptables: Ioctl cgroup dirs.
avc:  denied  { ioctl } for  pid=7230 comm="ip6tables" path="/sys/fs/cgroup" dev="cgroup2" ino=1
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito 80683a4f0f devices: Add file context for /dev/vhost-vsock.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito 38cc32be73 devices: Add type for SAS management devices.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:51 -04:00
Chris PeBenito a042bc5aa7 container, docker: Fixes for containerd and kubernetes testing.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:18:48 -04:00
Chris PeBenito e0784b866d isns: Updates from testing.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:17:03 -04:00
Chris PeBenito 39657b7f61 systemd: Misc fixes.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:17:03 -04:00
Chris PeBenito ca0d6b74b5 locallogin: Use init file descriptors.
Without this, some systems have slow or broken console login.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-25 10:16:56 -04:00
Chris PeBenito 3fe6f270e3 lvm: Updates for multipath LVM.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-24 13:13:04 -04:00
Chris PeBenito 05e386bcb3 unconfined: Add missing capability2 perms.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-24 11:09:24 -04:00
Chris PeBenito a4534a76bb systemd: Remove systemd-run domain.
This command should be run with the privs of the caller.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-24 11:09:20 -04:00
Chris PeBenito 602e1f71c6 logging: Change to systemd interface for tmpfilesd.
Remove explicit rules for systemd-tmpfiles to manage var_log_t and replace
it with systemd_tmpfilesd_managed().

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-24 10:44:57 -04:00
Chris PeBenito d76969703d rpm: Add dnf and tdnf labeling.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-24 10:44:52 -04:00
Chris PeBenito d9acee82c5 mount: Get the attributes of all filesystems.
Remove individual fs rules.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-24 10:42:42 -04:00
Chris PeBenito 27bb8aead9 fstools: Handle resizes of the root filesystem.
Resize2fs will create a .ismount-test-file temp file in the root of a
filesystem to resize.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-24 10:41:59 -04:00
Chris PeBenito 28ca7991df systemd: Drop systemd_detect_virt_t.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2022-05-24 10:41:42 -04:00
Chris PeBenito 78dde1e1ae
Merge pull request #506 from 0xC0ncord/conmon-exec-typealias
podman: add alias for conmon executable
2022-05-24 09:11:54 -04:00
Kenton Groombridge b90cc02311 podman: add alias for conmon executable
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-23 23:00:56 -04:00
Chris PeBenito 802ef7569f
Merge pull request #503 from 0xC0ncord/unconfined-no-container-engine-trans
Do not transition to container engines for unconfined users
2022-05-23 10:41:14 -04:00
Chris PeBenito fc1fa1ffbf
Merge pull request #504 from 0xC0ncord/podman-conmon-template
Rework conmon rules
2022-05-23 10:40:00 -04:00
Chris PeBenito f1465b9721
Merge pull request #501 from 0xC0ncord/various-20220429
Another round of various fixes (reopen)
2022-05-23 10:36:18 -04:00
Kenton Groombridge ec1d3be3f7 systemd: allow systemd-networkd to read init runtime files
If started from an initrd and the kernel is configured for networking at
early boot, systemd-networkd needs access to files for the network
configuration in /run/systemd/network which are still init_runtime_t
during early boot. systemd will later relabel these files after the
policy is loaded.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:32:45 -04:00
Kenton Groombridge 998ef975f3 systemd, udev: allow udev to read systemd-networkd runtime
udev searches for .link files and applies custom udev rules to devices
as they come up.

Thanks-To: Zhao Yi
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:32:44 -04:00
Kenton Groombridge 73adba0a39 systemd: add file contexts for systemd-network-generator
Thanks-To: Zhao Yi
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:32:43 -04:00
Kenton Groombridge f2fe1ae154 systemd: add missing file context for /run/systemd/network
Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:32:42 -04:00
Kenton Groombridge 663b62f27c systemd: add file transition for systemd-networkd runtime
systemd-networkd creates the /run/systemd/network directory which should
be labeled appropriately.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:32:41 -04:00
Kenton Groombridge 06319896b3 certbot: various fixes
Allow acme-sh to send syslog msgs and dontaudit reading /proc.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 308ab9f69a term, init: allow systemd to watch and watch reads on unallocated ttys
As of systemd 250, systemd needs to be able to add a watch on and watch
reads on unallocated ttys in order to start getty.

systemd[55548]: getty@tty1.service: Failed to set up standard input: Permission denied
systemd[55548]: getty@tty1.service: Failed at step STDIN spawning /sbin/agetty: Permission denied

time->Fri May  6 21:17:58 2022
type=PROCTITLE msg=audit(1651886278.452:1770): proctitle="(agetty)"
type=PATH msg=audit(1651886278.452:1770): item=0 name="/dev/tty1" inode=18 dev=00:05 mode=020620 ouid=0 ogid=5 rdev=04:01 obj=system_u:object_r:tty_device_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1651886278.452:1770): cwd="/"
type=SYSCALL msg=audit(1651886278.452:1770): arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=60ba5c21e020 a2=18 a3=23 items=1 ppid=1 pid=55551 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(agetty)" exe="/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1651886278.452:1770): avc:  denied  { watch watch_reads } for  pid=55551 comm="(agetty)" path="/dev/tty1" dev="devtmpfs" ino=18 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 5b59c7611b spamassassin: add file context for rspamd log directory
rspamd's default log location is /var/log/rspamd.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge dcc90a0c3c container, podman: allow podman to restart container units
podman auto-update will automatically start the container unit when it
is updated.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00
Kenton Groombridge 43a9841746 container: add separate type for container engine units
and add a filecon for container units themselves.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-20 11:27:26 -04:00