RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
5,675 Commits 3 Branches 49 Tags 19 MiB
Commit Graph

3639 Commits

Author SHA1 Message Date
Antoine Tenart 66c2ff9060 dbus: add two interfaces to allow reading from directories and named sockets 
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-21 16:15:37 +02:00
Antoine Tenart 23f1e4316b sysnetwork: allow to read network configuration files 
Fixes:

avc:  denied  { getattr } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { getattr } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { read } for  pid=55 comm="systemd-udevd" name="network"
dev="vda" ino=128 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { read } for  pid=55 comm="systemd-udevd" name="network"
dev="vda" ino=128 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { open } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { open } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { getattr } for  pid=59 comm="systemd-network"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { read } for  pid=59 comm="systemd-network" name="network"
dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { open } for  pid=59 comm="systemd-network"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { search } for  pid=59 comm="systemd-network"
name="network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { getattr } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-18 14:34:34 +02:00
Antoine Tenart 5c604e806b logging: allow systemd-journal to write messages to the audit socket 
Fixes:

avc:  denied  { nlmsg_write } for  pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1

avc:  denied  { nlmsg_write } for  pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-18 14:34:34 +02:00
Antoine Tenart 8cb806fbdf locallogin: allow login to get attributes of procfs 
Fixes:
avc:  denied  { getattr } for  pid=88 comm="login" name="/" dev="proc"
ino=1 scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-18 14:34:34 +02:00
Antoine Tenart 7014af08ff udev: allow udevadm to retrieve xattrs 
Fixes:

avc:  denied  { getattr } for  pid=50 comm="udevadm" name="/" dev="vda"
ino=2 scontext=system_u:system_r:udevadm_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0

avc:  denied  { getattr } for  pid=52 comm="udevadm" name="/" dev="vda"
ino=2 scontext=system_u:system_r:udevadm_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
 2020-09-18 14:34:34 +02:00
Chris PeBenito c33866e1f6 selinux, init, systemd, rpm: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-09-09 16:55:06 -04:00
Chris PeBenito 4e2b3545c6 Merge pull request #308 from cgzones/systemd_status 2020-09-09 16:54:23 -04:00
Christian Göttsche 24827d8073 selinux: add selinux_use_status_page and deprecate selinux_map_security_files 
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-09-09 21:00:47 +02:00
Chris PeBenito a0aee3cbcc bind: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-09-09 11:25:28 -04:00
Dominick Grift 93113bce78 bind: add a few fc specs for unbound 
unbound-checkconf is the unbound bind-checkconf equivalent
unbound-control is the unbound bind ndc equivalent

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
 2020-09-09 11:24:43 -04:00
Christian Göttsche 1103350ee3 init/systemd: allow systemd to map the SELinux status page 
systemd v247 will access the SELinux status page.
This affects all domains currently opening the label database, having
the permission seutil_read_file_contexts.

see https://github.com/systemd/systemd/pull/16821

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-09-08 13:18:18 +02:00
Chris PeBenito dcf7ae9f48 userdomain: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-08-31 15:36:14 -04:00
Jonathan Davies 9d3321e4fe userdomain.if: Marked usbguard user modify tunable as optional so usbguard may be excluded. 
Thanks to Dominick Grift for helping me pin-point this.

Signed-off-by: Jonathan Davies <jpds@protonmail.com>
 2020-08-29 20:43:38 +00:00
Chris PeBenito 72e221fd4d various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-08-28 15:30:52 -04:00
Chris PeBenito cc15ff2086 Merge pull request #302 from dsugar100/master 2020-08-28 15:26:50 -04:00
Chris PeBenito 74b37e16db Merge pull request #301 from bauen1/fix-selint-s-010 2020-08-28 15:26:47 -04:00
bauen1 fa59d0e9bc
selint: fix S-010 
Signed-off-by: bauen1 <j2468h@gmail.com>
 2020-08-28 17:39:09 +02:00
Dave Sugar 1627ab361e Looks like this got dropped in pull request #294 
Seeing the following denial - adding back in:
localhost kernel: type=1400 audit(1598497795.109:57): avc:  denied  { map } for  pid=1054 comm="modprobe" path="/usr/lib/modules/3.10.0-1127.19.1.el7.x86_64/modules.dep.bin" dev="dm-0" ino=23711 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
 2020-08-27 08:10:58 -04:00
Chris PeBenito f8b0c1641c acpi: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-08-26 12:52:59 -07:00
Chris PeBenito 3991ecf54f Merge branch 'acpid_shutdown' of https://github.com/jpds/refpolicy into jpds-acpid_shutdown 2020-08-26 12:49:14 -07:00
Jonathan Davies 99ad371868 acpi.te: Removed unnecessary init_write_initctl(). 
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
 2020-08-25 22:53:40 +00:00
Christian Göttsche 850fefc626 postfixpolicyd: split multi-class rule 
The rule uses the permission manage_file_perms on the classes file and
sock_file.  This won't result in a change in the actual policy
generated, but if the definitions of macros are changed going forward,
the mismatches could cause issues.

Found by SELint

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-08-25 20:44:16 +02:00
Jonathan Davies ec0ebc8b11 acpi.te: Allow acpid_t to shutdown the system - this is required to handle shutdown calls from libvirt. Fixes #298. 
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
 2020-08-23 20:00:29 +00:00
Chris PeBenito d387e79989 Bump module versions for release. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-08-18 09:09:10 -04:00
Chris PeBenito ab47695bdb files, init, modutils, systemd, udev: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-08-14 09:38:09 -04:00
Chris PeBenito e10d956f38 Merge pull request #294 from cgzones/selint 2020-08-14 09:36:44 -04:00
Chris PeBenito 60516aaeaa xserver: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-08-14 08:53:38 -04:00
Yi Zhao afb2021524 xserver: allow xserver_t to connect to resmgrd 
This was probably a typo:
resmgr_stream_connect(xdm_t) -> resmgr_stream_connect(xserver_t)

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 2020-08-14 11:13:34 +08:00
Yi Zhao 8322f0e0d9 Remove duplicated rules 
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 2020-08-14 10:55:31 +08:00
Christian Göttsche 09ed84b632 files/modutils: unify modules_object_t usage into files module 
modutils.te:         50: (W): No explicit declaration for modules_object_t from module files.  You should access it via interface call or use a require block. (W-001)
modutils.te:         51: (W): No explicit declaration for modules_object_t from module files.  You should access it via interface call or use a require block. (W-001)
modutils.te:         52: (W): No explicit declaration for modules_object_t from module files.  You should access it via interface call or use a require block. (W-001)
modutils.te:         53: (W): No explicit declaration for modules_object_t from module files.  You should access it via interface call or use a require block. (W-001)
modutils.if:         15: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.if:         52: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.fc:         24: (S): Type modules_object_t is declared in module files, but used in file context here. (S-002)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-08-13 21:23:43 +02:00
Christian Göttsche e9b2e1ea4f work on SELint issues 
- selinuxutil.te: ignore gen_require usage for bool secure_mode
- corenetwork.te: ignore gen_require usage for type unlabeled_t
- files.if: drop unneeded required types in interface
- rpm.if: drop unneeded required type in interface
- xserver.if: ignore interface xserver_restricted_role calling template xserver_common_x_domain_template
- domain.te: add require block with explicit declaration for used type unlabeled_t from module kernel

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-08-13 21:23:43 +02:00
Chris PeBenito fbc60f2319
Merge pull request #296 from cgzones/diff-check 
whitespace cleanup
 2020-08-13 09:19:48 -04:00
Christian Göttsche 72b2c66256 whitespace cleanup 
Remove trailing white spaces and mixed up indents

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-08-13 14:34:57 +02:00
Christian Göttsche 3bb507efa6 Fix several misspellings 
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
 2020-08-13 14:08:58 +02:00
Chris PeBenito 71e653980b various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-08-11 08:35:00 -04:00
Chris PeBenito cd141fa2ea Merge pull request #290 from pebenito/fs-image 2020-08-11 08:33:26 -04:00
Chris PeBenito 32b2332d36 Merge pull request #289 from pebenito/remove-unlabeled-file 2020-08-11 08:33:22 -04:00
Chris PeBenito 777fe47c19 kernel, fstools, lvm, mount: Update to use filesystem image interfaces. 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2020-07-29 14:33:39 -04:00
Chris PeBenito 04fb9404c8 filesystem: Create a filesystem image concept. 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2020-07-29 14:29:26 -04:00
Chris PeBenito 27deadbecd files: Restore mounton access to files_mounton_all_mountpoints(). 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2020-07-28 10:33:09 -04:00
Chris PeBenito fe737c405d selinuxuntil, userdomain: Restore relabelfrom access for unlabeled files. 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2020-07-28 10:33:07 -04:00
Chris PeBenito 662d55ed5e kernel: Drop unlabeled_t as a files_mountpoint(). 
This made unlabeled_t a file and provided much more access than an
unlabeled file should have.  Access to unlabeled objects should be
explicit.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2020-07-28 10:09:24 -04:00
Chris PeBenito 4c7926a3c0 init: Revise init_startstop_service() build option blocks. 
Revise to use ifelse to have a clear set of criteria for enabling the
various options.  Additionally, if no options are enabled, run_init
permissions are provided as a default.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2020-07-27 11:40:36 -04:00
Chris PeBenito aa6c3f4da3 apt, rpm: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-07-27 09:05:53 -04:00
Laurent Bigonville e4f0709788 Label /usr/libexec/packagekitd as apt_exec_t on debian 
The daemon has now moved from /usr/lib/packagekit/packagekitd to
/usr/libexec/packagekitd

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
 2020-07-27 13:26:06 +02:00
Chris PeBenito c5ac0d52c4 openvpn: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-07-16 09:31:56 -04:00
Chris PeBenito 7f601b8bcf Merge pull request #284 from alexminder/openvpn 2020-07-16 09:31:06 -04:00
Alexander Miroshnichenko 67c4238e8e openvpn: update file context regex for ipp.txt 
Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
 2020-07-14 13:34:58 +03:00
Chris PeBenito ac02273502 tmp2: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-07-10 08:51:57 -04:00
Alexander Miroshnichenko aff9c6e91c openvpn: more versatile file context regex for ipp.txt 
Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
 2020-07-07 15:22:29 +03:00