RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4,688 Commits 3 Branches 49 Tags 19 MiB
Commit Graph

67 Commits

Author SHA1 Message Date
Dave Sugar 664d932c0f systemd-resolved uses notify to indicate status 
type=AVC msg=audit(1528207926.219:1609): avc:  denied  { write } for  pid=2689 comm="systemd-resolve" name="notify" dev="tmpfs" ino=6277 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1528208016.448:1702): avc:  denied  { sendto } for  pid=2689 comm="systemd-resolve" path="/run/systemd/notify" scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-06-07 20:16:48 -04:00
Dave Sugar fd466a380e Allow systemd-resolved to connect to system dbusd 
type=USER_AVC msg=audit(1527726267.150:134): pid=1170 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { acquire_svc } for service=org.freedesktop.resolve1 spid=1208 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-06-07 20:16:48 -04:00
Dave Sugar 0ddccc81ad Allow systemd_resolved to read systemd_networkd runtime files 
type=AVC msg=audit(1527698299.999:144): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="links" dev="tmpfs" ino=16229 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1527698299.999:145): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527698299.999:145): avc:  denied  { open } for  pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527698300.000:146): avc:  denied  { getattr } for  pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527702014.276:183): avc:  denied  { search } for  pid=1180 comm="systemd-resolve" name="netif" dev="tmpfs" ino=16878 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1527704163.181:152): avc:  denied  { open } for  pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527704163.181:153): avc:  denied  { getattr } for  pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527704163.604:173): avc:  denied  { read } for  pid=1236 comm="systemd-resolve" name="5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-06-07 20:16:47 -04:00
Dave Sugar 1dd2e5aca4 Allow systemd-resolved to read sysctl 
type=AVC msg=audit(1527698300.007:150): avc:  denied  { search } for  pid=1193 comm="systemd-resolve" name="net" dev="proc" ino=8515 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1527698300.007:150): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1527698300.007:150): avc:  denied  { open } for  pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1527698300.007:151): avc:  denied  { getattr } for  pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file

type=AVC msg=audit(1527698300.006:148): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1527698300.006:148): avc:  denied  { open } for  pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1527698300.007:149): avc:  denied  { getattr } for  pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2018-06-07 20:16:47 -04:00
Chris PeBenito ac9363d662 init, logging, sysnetwork, systemd, udev: Module version bump. 2018-04-17 20:20:27 -04:00
Chris PeBenito e75bcdead0 Module version bumps for patches from James Carter. 2018-04-12 18:49:46 -04:00
James Carter 2268d42fee Removed unnecessary semicolons 
Removed unecessary semicolons in ipsec.te, logging.te, and systemd.te

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
 2018-04-12 18:44:50 -04:00
Chris PeBenito 9c0d0e66ff another trivial dbus patch from Russell Coker. 2018-02-18 11:25:29 -05:00
Chris PeBenito 03e2f1a809 Simple map patch from Russell Coker. 2018-02-15 17:10:34 -05:00
Chris PeBenito b492924414 Misc dbus fixes from Russell Coker. 2018-02-15 17:07:08 -05:00
Chris PeBenito 4d5b06428b Bump module versions for release. 2018-01-14 14:08:09 -05:00
Chris PeBenito 8e19b3103e mls, xserver, systemd, userdomain: Module version bump. 2017-12-12 20:25:32 -05:00
David Sugar dd4facd8af Allow systemd_logind to delete user_runtime_content_type files 
Now that objects in /run/user/%{USERID}/* use the attribute user_runtime_content_type use interfaces userdom_delete_all_user_runtime_* to allow deletion of these objects.

type=AVC msg=audit(1511920346.734:199): avc:  denied  { read } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:199): avc:  denied  { open } for  pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:200): avc:  denied  { getattr } for  pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc:  denied  { write } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc:  denied  { remove_name } for  pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc:  denied  { unlink } for  pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=AVC msg=audit(1511920346.734:202): avc:  denied  { rmdir } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2017-12-12 20:19:10 -05:00
Chris PeBenito 61a31f6cea xserver, sysnetwork, systemd: Module version bump. 2017-12-07 19:02:02 -05:00
Laurent Bigonville 88b7c61bd7 Add private type for systemd logind inhibit files and pipes 2017-12-07 18:50:30 -05:00
Chris PeBenito 6ca6a2e1db corcmd, fs, xserver, init, systemd, userdomain: Module version bump. 2017-12-03 16:48:54 -05:00
David Sugar d7674a5406 Work around systemd-logind patch not in RHEL 7.x yet 
This is probably RHEL only - seeing directories in /run/user/$(UID) created as
 tmpfs_t rather than user_runtime_t.  This appears fixed in newer systemd-logind.
It appears to have been fixed in systemd git repo by Nicolas Iooss 02-Feb-2016
hash 4b51966cf6c06250036e428608da92f8640beb96 probably in systemd-v229
I don't see this merged into RHEL 7.x as of now but as some point it hopefully
will be merged in and this can go away.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2017-12-03 16:38:39 -05:00
Chris PeBenito 1b405f4a90 files, init, sysnetwork, systemd: Module version bumps. 2017-10-12 18:48:29 -04:00
David Sugar 4a54f9c1f0 policy for systemd-networkd 
Policy needed for systemd-networkd to function.  This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch).  He was too busy to update and I needed to get it working.

I am pretty sure I updated everything mentioned in previous feedback, please comment if something is still off and I will revise.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2017-10-12 18:38:54 -04:00
Chris PeBenito 2ae2b38e6d Module version bumps. 2017-10-10 20:32:43 -04:00
Chris PeBenito 6abb3eb5fc corecommands, xserver, systemd, userdomain: Version bumps. 2017-09-17 11:11:18 -04:00
Russell Coker 25a9bcb405 minor nspawn, dnsmasq, and mon patches 
Label some shell scripts from bridge-utils correctly.  Maybe have ifdef
distro_debian around this, not sure what upstream is doing.

systemd_nspawn_t needs to manage the /etc/localtime symlink if you have a
labeled chroot.

Another dontaudit for mon_local_test_t to stop it spamming the logs.

Support a .d directory for dnsmasq config files.
 2017-09-17 11:08:06 -04:00
Chris PeBenito 095ad7923a Several module version bumps. 2017-09-11 20:34:13 -04:00
Chris PeBenito 1fdac56605 systemd, udev: Module version bump. 2017-09-06 11:04:11 -04:00
Russell Coker 1ca7df474f systemd nspawn and backlight 
The following patch allows systemd_nspawn_t to create directories under /tmp
and use them as mountpoints.  Also allows systemd_nspawn_t to umount cgroup
filesystems.

Allows systemd_backlight_t to search /var/lib.
 2017-09-06 10:46:28 -04:00
Krzysztof Nowicki d9861c32ad Add policy for systemd GPT generator 2017-09-06 10:08:48 -04:00
Chris PeBenito aa0eecf3e3 Bump module versions for release. 2017-08-05 12:59:42 -04:00
Chris PeBenito 5e49dcea60 apt/dpkg strict patches from Russell Coker. 
The following are needed for correct operation of apt and dpkg on a "strict"
configuration.
 2017-04-29 11:14:15 -04:00
Chris PeBenito 60114027f7 more systemd stuff from Russell Coker 
This patch adds an interface to manage systemd_passwd_var_run_t symlinks that
I'll add another patch to use shortly.

It has a number of changes needed by systemd_logind_t to set permissions for
local logins.

It has some more permissions that systemd_machined_t needs, I don't think it's
everything that systemd_machined_t needs but it's a start.

It has some changes for udev_t for systemd-udevd.
 2017-04-16 19:48:04 -04:00
Chris PeBenito 73d8b3026c Systemd-related changes from Russell Coker. 2017-04-06 17:37:50 -04:00
Chris PeBenito 2cd92db5cd systemd-nspawn again 
This patch doesn't do everything that is needed to have systemd-nspawn work.
But it does everything that is needed and which I have written in a clear and
uncontroversial way.  I think it's best to get this upstream now and then
either have a separate discussion about the more difficult issues, or wait
until I devise a way of solving those problems that's not too hacky.

Who knows, maybe someone else will devise a brilliant solution to the remaining
issues after this is accepted upstream.

Also there's a tiny patch for systemd_machined_t that is required by
systemd_nspawn_t.

Description: systemd-nspawn
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-29
 2017-04-01 12:08:42 -04:00
Chris PeBenito 160d08f3ae systemd-resolvd, sessions, and tmpfiles take2 
I believe that I have addressed all the issues Chris raised, so here's a newer
version of the patch which applies to today's git version.

Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-26
 2017-03-28 18:51:35 -04:00
Chris PeBenito b411e4b300 another version of systemd cgroups hostnamed and logind 
From Russell Coker
 2017-03-25 13:45:37 -04:00
Chris PeBenito 4dcbc032cf Module version bump from /var/run fixes from cgzones. 2017-03-25 13:05:13 -04:00
Chris PeBenito 5e20a0ee5b /var/run -> /run again 
Here's the latest version of my patch to remove all /var/run when it's not
needed.  I have removed the subst thing from the patch, but kept a
distro_debian bit that relies on it.  So with this patch the policy won't
install if you build it with distro_debian unless you have my subst patch.
Chris, if your automated tests require that it build and install with
distro_debian then skip the patch for sysnetwork.fc.

From Russell Coker
 2017-03-25 12:56:03 -04:00
Chris PeBenito 4d028498d8 Module version bumps for fixes from cgzones. 2017-03-05 10:48:42 -05:00
cgzones 4d0d7cfc6f systemd-tmpfiles: refactor runtime configs 
handle runtime configuration files under /run/tmpfiles.d as 3rd party content, like /run or /var/lib
 2017-02-27 19:32:20 +01:00
Chris PeBenito e527ebaadf systemd: Further revisions from Russell Coker. 2017-02-25 09:35:10 -05:00
Chris PeBenito c3c767bae2 Module version bump for CI fixes. 2017-02-23 20:32:10 -05:00
Chris PeBenito 2087bde934 Systemd fixes from Russell Coker. 2017-02-23 20:03:23 -05:00
Chris PeBenito 498fb3c6e8 Module version bump for cgroups systemd fix from cgzones. 2017-02-20 11:21:00 -05:00
Chris PeBenito e72556c6dd Merge branch 'cgroups_fix' of git://github.com/cgzones/refpolicy 2017-02-20 11:13:07 -05:00
Chris PeBenito 132db642bd Module version bump for selinuxutil and systmd changes from cgzones. 2017-02-20 10:57:50 -05:00
Chris PeBenito 53fb3a3ba4 dpkg: Updates from Russell Coker. 2017-02-19 16:13:14 -05:00
cgzones 8266424bcb systemd_cgroups_t: fix denials 2017-02-18 18:41:45 +01:00
Chris PeBenito 1720e109a3 Sort capabilities permissions from Russell Coker. 2017-02-15 18:47:33 -05:00
Chris PeBenito 7aafe9d8b7 Systemd tmpfiles fix for kmod.conf from Russell Coker. 2017-02-07 19:03:59 -05:00
Chris PeBenito 2e7553db63 Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. 2017-02-04 15:19:35 -05:00
Chris PeBenito 69ede859e8 Bump module versions for release. 2017-02-04 13:30:53 -05:00
Chris PeBenito 67c435f1fc Module version bump for fc updates from Nicolas Iooss. 2016-12-28 14:38:05 -05:00