Commit Graph

5675 Commits

Author SHA1 Message Date
Antoine Tenart 66c2ff9060 dbus: add two interfaces to allow reading from directories and named sockets
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:15:37 +02:00
Antoine Tenart 23f1e4316b sysnetwork: allow reading network configuration files
Fixes:

avc:  denied  { getattr } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { getattr } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { read } for  pid=55 comm="systemd-udevd" name="network"
dev="vda" ino=128 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { read } for  pid=55 comm="systemd-udevd" name="network"
dev="vda" ino=128 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { open } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { open } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { getattr } for  pid=59 comm="systemd-network"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { read } for  pid=59 comm="systemd-network" name="network"
dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { open } for  pid=59 comm="systemd-network"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { search } for  pid=59 comm="systemd-network"
name="network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { getattr } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
Antoine Tenart 5c604e806b logging: allow systemd-journal to write messages to the audit socket
Fixes:

avc:  denied  { nlmsg_write } for  pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1

avc:  denied  { nlmsg_write } for  pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
Antoine Tenart 8cb806fbdf locallogin: allow login to get attributes of procfs
Fixes:
avc:  denied  { getattr } for  pid=88 comm="login" name="/" dev="proc"
ino=1 scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
Antoine Tenart 7014af08ff udev: allow udevadm to retrieve xattrs
Fixes:

avc:  denied  { getattr } for  pid=50 comm="udevadm" name="/" dev="vda"
ino=2 scontext=system_u:system_r:udevadm_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0

avc:  denied  { getattr } for  pid=52 comm="udevadm" name="/" dev="vda"
ino=2 scontext=system_u:system_r:udevadm_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
Chris PeBenito 2e5eefbfce .travis.yml: Point selint at only the policy dir.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-09-17 09:58:02 -04:00
Chris PeBenito c33866e1f6 selinux, init, systemd, rpm: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-09-09 16:55:06 -04:00
Chris PeBenito 4e2b3545c6 Merge pull request #308 from cgzones/systemd_status
2020-09-09 16:54:23 -04:00
Christian Göttsche 24827d8073 selinux: add selinux_use_status_page and deprecate selinux_map_security_files
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-09-09 21:00:47 +02:00
Chris PeBenito a0aee3cbcc bind: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-09-09 11:25:28 -04:00
Dominick Grift 93113bce78 bind: add a few fc specs for unbound
unbound-checkconf is the unbound bind-checkconf equivalent
unbound-control is the unbound bind ndc equivalent

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2020-09-09 11:24:43 -04:00
Christian Göttsche 1103350ee3 init/systemd: allow systemd to map the SELinux status page
systemd v247 will access the SELinux status page.
This affects all domains currently opening the label database, having
the permission seutil_read_file_contexts.

see https://github.com/systemd/systemd/pull/16821

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-09-08 13:18:18 +02:00
Chris PeBenito dcf7ae9f48 userdomain: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-31 15:36:14 -04:00
Chris PeBenito 58ea9ac7c3 Merge pull request #303 from jpds/optional-userdomain-usbguard
2020-08-31 15:32:18 -04:00
Jonathan Davies 9d3321e4fe userdomain.if: Marked usbguard user modify tunable as optional so usbguard may be excluded.
Thanks to Dominick Grift for helping me pin-point this.

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2020-08-29 20:43:38 +00:00
Chris PeBenito 72e221fd4d various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-28 15:30:52 -04:00
Chris PeBenito cc15ff2086 Merge pull request #302 from dsugar100/master
2020-08-28 15:26:50 -04:00
Chris PeBenito 74b37e16db Merge pull request #301 from bauen1/fix-selint-s-010
2020-08-28 15:26:47 -04:00
bauen1 fa59d0e9bc selint: fix S-010
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-08-28 17:39:09 +02:00
Dave Sugar 1627ab361e Looks like this got dropped in pull request #294
Seeing the following denial - adding back in:
localhost kernel: type=1400 audit(1598497795.109:57): avc:  denied  { map } for  pid=1054 comm="modprobe" path="/usr/lib/modules/3.10.0-1127.19.1.el7.x86_64/modules.dep.bin" dev="dm-0" ino=23711 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2020-08-27 08:10:58 -04:00
Chris PeBenito f8b0c1641c acpi: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-26 12:52:59 -07:00
Chris PeBenito 565f41e474 Merge pull request #299 from jpds/acpid_shutdown
2020-08-26 12:49:20 -07:00
Chris PeBenito 3991ecf54f Merge branch 'acpid_shutdown' of https://github.com/jpds/refpolicy into jpds-acpid_shutdown
2020-08-26 12:49:14 -07:00
Chris PeBenito d655ae7afa Merge pull request #300 from cgzones/macro
postfixpolicyd: split multi-class rule
2020-08-26 15:29:52 -04:00
Jonathan Davies 99ad371868 acpi.te: Removed unnecessary init_write_initctl().
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2020-08-25 22:53:40 +00:00
Christian Göttsche 850fefc626 postfixpolicyd: split multi-class rule
The rule uses the permission manage_file_perms on the classes file and
sock_file.  This won't result in a change in the actual policy
generated, but if the definitions of macros are changed going forward,
the mismatches could cause issues.

Found by SELint

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-25 20:44:16 +02:00
Jonathan Davies ec0ebc8b11 acpi.te: Allow acpid_t to shutdown the system - this is required to handle shutdown calls from libvirt. Fixes #298.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2020-08-23 20:00:29 +00:00
Chris PeBenito bdb9ffd00e Update Changelog and VERSION for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-18 09:23:17 -04:00
Chris PeBenito d387e79989 Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-18 09:09:10 -04:00
Chris PeBenito 80abd29f0d Merge pull request #297 from cgzones/travis
travis: resolve Linter tags
2020-08-18 08:34:07 -04:00
Christian Göttsche f8f87a8085 travis: resolve Linter tags
root: duplicate key: matrix
root: deprecated key sudo (The key `sudo` has no effect anymore.)
root: missing os, using the default linux
root: key matrix is an alias for jobs, using jobs

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-15 19:40:14 +02:00
Chris PeBenito ab47695bdb files, init, modutils, systemd, udev: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-14 09:38:09 -04:00
Chris PeBenito e10d956f38 Merge pull request #294 from cgzones/selint
2020-08-14 09:36:44 -04:00
Chris PeBenito 60516aaeaa xserver: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-14 08:53:38 -04:00
Chris PeBenito b93ff5fe03 Merge pull request #291 from yizhao1/fix
2020-08-14 08:53:13 -04:00
Yi Zhao afb2021524 xserver: allow xserver_t to connect to resmgrd
This was probably a typo:
resmgr_stream_connect(xdm_t) -> resmgr_stream_connect(xserver_t)

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-08-14 11:13:34 +08:00
Yi Zhao 8322f0e0d9 Remove duplicated rules
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-08-14 10:55:31 +08:00
Christian Göttsche 09ed84b632 files/modutils: unify modules_object_t usage into files module
modutils.te:         50: (W): No explicit declaration for modules_object_t from module files.  You should access it via interface call or use a require block. (W-001)
modutils.te:         51: (W): No explicit declaration for modules_object_t from module files.  You should access it via interface call or use a require block. (W-001)
modutils.te:         52: (W): No explicit declaration for modules_object_t from module files.  You should access it via interface call or use a require block. (W-001)
modutils.te:         53: (W): No explicit declaration for modules_object_t from module files.  You should access it via interface call or use a require block. (W-001)
modutils.if:         15: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.if:         52: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.fc:         24: (S): Type modules_object_t is declared in module files, but used in file context here. (S-002)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 21:23:43 +02:00
Christian Göttsche e9b2e1ea4f work on SELint issues
- selinuxutil.te: ignore gen_require usage for bool secure_mode
- corenetwork.te: ignore gen_require usage for type unlabeled_t
- files.if: drop unneeded required types in interface
- rpm.if: drop unneeded required type in interface
- xserver.if: ignore interface xserver_restricted_role calling template xserver_common_x_domain_template
- domain.te: add require block with explicit declaration for used type unlabeled_t from module kernel

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 21:23:43 +02:00
Christian Göttsche 140ee81094 travis-ci: add SELint
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 21:23:43 +02:00
Chris PeBenito fbc60f2319 Merge pull request #296 from cgzones/diff-check
whitespace cleanup
2020-08-13 09:19:48 -04:00
Chris PeBenito 5d6f436800 Merge pull request #293 from cgzones/spelling
Fix several misspellings
2020-08-13 08:55:28 -04:00
Christian Göttsche 72b2c66256 whitespace cleanup
Remove trailing white spaces and mixed up indents

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 14:34:57 +02:00
Christian Göttsche 3bb507efa6 Fix several misspellings
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 14:08:58 +02:00
Chris PeBenito 71e653980b various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-11 08:35:00 -04:00
Chris PeBenito cd141fa2ea Merge pull request #290 from pebenito/fs-image
2020-08-11 08:33:26 -04:00
Chris PeBenito 32b2332d36 Merge pull request #289 from pebenito/remove-unlabeled-file
2020-08-11 08:33:22 -04:00
Chris PeBenito e915d785b2 Merge pull request #288 from pebenito/init-startstop
2020-08-11 08:33:18 -04:00
Chris PeBenito 777fe47c19 kernel, fstools, lvm, mount: Update to use filesystem image interfaces.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-29 14:33:39 -04:00
Chris PeBenito 04fb9404c8 filesystem: Create a filesystem image concept.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-29 14:29:26 -04:00