Chris PeBenito
6b11dcef89
Various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-08-31 06:55:57 -04:00
Chris PeBenito
b43aebcc2f
Merge pull request #70 from fishilico/typo-dot-star-question-fc
2019-08-31 06:26:00 -04:00
Nicolas Iooss
d00eddb885
libraries: drop a pattern specific to Python 2.4
Apply comment https://github.com/SELinuxProject/refpolicy/pull/75#discussion_r318831927
We don't support any systems that are so old they have Python 2.4.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-29 20:03:02 +02:00
Nicolas Iooss
d386950b0d
Fix use of buggy pattern (.*)?
The pattern "(.*)?" means "match anything including the nothing, or
nothing": the question mark is redundant. This is likely to be a
misspelling for "(/.*)?", which means "match a slash and anything, or
nothing", or for ".*", or for other patterns.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-29 19:57:05 +02:00
Nicolas Iooss
f0cade07b2
Remove unescaped single dot from the policy
In a pattern, a dot can match any character, including slash. It makes
sense when it is combined with ?, + or *, but makes little sense when
left alone.
Most of the time, the label was for files containing dots, where the dot
was not escaped. A few times, the dot was really intended to match any
character. In such a case, [^/] better suits the intent.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-27 23:38:09 +02:00
Chris PeBenito
68b74385a4
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-08-27 00:28:34 -04:00
Nicolas Iooss
1b44cb6c2e
libraries: match a digit in Adobe Reader directories
Patterns using this have a small issue:
/opt/Adobe/Reader.?/Reader/intellinux
The issue is that the dot can also match a slash. A better pattern
would be:
/opt/Adobe/Reader[^/]?/Reader/intellinux
In this specific case, the intent is to match digits (like
/opt/Adobe/Reader9). Use [0-9] for this.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-21 21:43:56 +02:00
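The three commits above describe the same class of file-context mistake from three angles: an unescaped dot, a ".?" that can swallow a slash, and a redundant "(.*)?". The following linter is an added example written for this page, not refpolicy tooling; the function names, the finding codes and the sample file_contexts lines are all constructed for the example. It walks each pattern as a regex (skipping escapes and bracket expressions), reports the three mistakes, and includes an anchored matcher so you can see why a bare dot or ".?" crosses a directory boundary.

```python
"""Lint SELinux file-context patterns for the regex mistakes discussed above.

Added example, not refpolicy code. Three checks, one per commit message:
  - a bare, unescaped '.' (matches any character, including '/')
  - '.?' (an optional any-character, which can also be a '/')
  - '(.*)?' (the '?' is redundant; '(/.*)?' was probably intended)
"""
import re

# pattern, optional file type (--, -d, -l, ...), context
FC_LINE = re.compile(r"^(?P<pattern>\S+)\s+(?:(?P<ftype>-[-a-z])\s+)?(?P<context>\S+)\s*$")

# Constructed sample, not taken from refpolicy's .fc files.
SAMPLE_FC = r"""
# constructed sample file_contexts
/opt/Adobe/Reader.?/Reader/intellinux   --  gen_context(system_u:object_r:lib_t,s0)
/etc/foo.conf                           --  gen_context(system_u:object_r:etc_t,s0)
/var/lib/bar(.*)?                           gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/baz(/.*)?                          gen_context(system_u:object_r:var_lib_t,s0)
/usr/lib/lib[^/]*\.so\.[0-9]+           --  gen_context(system_u:object_r:lib_t,s0)
"""


def lint_pattern(pat):
    """Return (code, offset, message) findings for one file-context regex."""
    findings = []
    i, n = 0, len(pat)
    while i < n:
        c = pat[i]
        if pat.startswith("(.*)?", i):
            findings.append(("redundant-optional", i,
                             "(.*)? is the same as .*; (/.*)? was probably intended"))
            i += 5
        elif c == "\\":                  # escaped character, e.g. \. for a literal dot
            i += 2
        elif c == "[":                   # skip a bracket expression such as [^/] or [0-9]
            j = i + 1
            if j < n and pat[j] == "^":
                j += 1
            if j < n and pat[j] == "]":  # a leading ']' is literal inside the class
                j += 1
            close = pat.find("]", j)
            i = n if close < 0 else close + 1
        elif c == ".":
            nxt = pat[i + 1] if i + 1 < n else ""
            if nxt == "?":
                findings.append(("dot-optional", i,
                                 ".? also matches a '/'; use [^/]? or a narrower class such as [0-9]"))
                i += 2
            elif nxt in ("*", "+"):      # .* and .+ are the usual way to match the rest of a path
                i += 2
            else:
                findings.append(("bare-dot", i,
                                 "unescaped '.' matches any character including '/'; "
                                 "use \\. for a literal dot or [^/] for one non-slash character"))
                i += 1
        else:
            i += 1
    return findings


def lint_file_contexts(text):
    """Return (line number, pattern, findings) for every offending line."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            continue
        findings = lint_pattern(m["pattern"])
        if findings:
            report.append((lineno, m["pattern"], findings))
    return report


def matches(pattern, path):
    """Anchored match of a whole path, approximating how a labelling lookup applies .fc regexes."""
    return re.fullmatch(pattern, path) is not None


if __name__ == "__main__":
    for lineno, pattern, findings in lint_file_contexts(SAMPLE_FC):
        for code, offset, msg in findings:
            print(f"line {lineno}: {pattern} (col {offset}): {code}: {msg}")
    print("/etc/foo.conf matches /etc/foo/conf:", matches("/etc/foo.conf", "/etc/foo/conf"))
```

The matcher is the part worth keeping in mind when reviewing .fc changes: an unanchored-looking "/etc/foo.conf" labels "/etc/foo/conf" as well, so a mislabelled path under a directory the domain should not reach is the security consequence, not just an untidy regex.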
Chris PeBenito
f191b07166
systemd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-07-21 14:34:09 -04:00
Laurent Bigonville
6b12bd3aca
Allow systemd_modules_load_t to module_request and map modules_object_t files
[ 10.685610] audit: type=1400 audit(1563706740.429:3): avc: denied { map } for pid=394 comm="systemd-modules" path="/usr/lib/modules/4.19.0-5-amd64/kernel/drivers/parport/parport.ko" dev="dm-0" ino=795927 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1
[ 10.695021] audit: type=1400 audit(1563706740.437:5): avc: denied { module_request } for pid=394 comm="systemd-modules" kmod="parport_lowlevel" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2019-07-21 19:46:47 +02:00
Chris PeBenito
921eb37a97
rpm, selinux, sysadm, init: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-07-13 14:07:11 -04:00
Alexander Miroshnichenko
491ae9991a
Add knot module
Add a SELinux Reference Policy module for the
Knot authoritative-only DNS server.
Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
2019-07-13 14:00:31 -04:00
Chris PeBenito
8c3893e427
Bump module versions for release.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-06-09 14:05:19 -04:00
Chris PeBenito
10784f3b33
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-06-09 13:37:51 -04:00
Chris PeBenito
91028527fc
Merge pull request #55 from pebenito/modules-load
2019-06-09 13:26:43 -04:00
Chris PeBenito
b07f7b4495
systemd: modules-load updates.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-06-03 08:42:53 -04:00
Chris PeBenito
4aafedd872
init: Add systemd block to init_script_domain().
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-05-31 08:57:17 -04:00
Chris PeBenito
5d345b79ee
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-04-27 10:51:06 -04:00
Chris PeBenito
6857cda019
Merge pull request #46 from pebenito/systemd-user
2019-04-27 10:50:32 -04:00
Chris PeBenito
da156aea1e
systemd: Add initial policy for systemd --user.
This is just a start; it does not cover all uses.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-04-25 11:18:58 -04:00
Chris PeBenito
ff9bd742b7
systemd: Remove unnecessary names in systemd-update-done filetrans.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-04-23 15:22:17 -04:00
Chris PeBenito
e2e4094bd4
various: Module version bump
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-04-16 22:08:11 -04:00
Sugar, David
a49163250f
Add kernel_dgram_send() into logging_send_syslog_msg()
This patch is based on comments from a previous patch to
remove the many uses of kernel_dgram_send() and incorporate
it into logging_send_syslog_msg().
v2 - enclose in ifdef for redhat
v3 - rebase this patch on e41def136a
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-04-16 20:51:55 -04:00
Chris PeBenito
beb4a290b0
init: Module version bump.
2019-04-07 20:56:22 -04:00
Chris PeBenito
4c2f16bb26
Merge pull request #39 from pebenito/revise-init-stopstart
2019-04-07 20:54:40 -04:00
Chris PeBenito
b06126dca3
init: Revise conditions in init_startstop_service().
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-04-05 15:18:29 -04:00
Chris PeBenito
df696a3254
kernel, init, systemd, udev: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-27 18:58:15 -04:00
Chris PeBenito
98c16077ba
Merge pull request #37 from pebenito/master
Misc system fixes.
Remove use of kernel_unconfined() by systemd_nspawn and udev write to its own executable.
2019-03-27 18:57:39 -04:00
Chris PeBenito
4f6614ba7f
ntp, init, lvm: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-27 18:49:54 -04:00
Sugar, David
d3c4e19f72
Denial of cryptsetup reading cracklib database
When setting up a LUKS encrypted partition, cryptsetup is reading
the cracklib databases to ensure password strength. This is
allowing the needed access.
type=AVC msg=audit(1553216939.261:2652): avc: denied { search } for pid=8107 comm="cryptsetup" name="cracklib" dev="dm-1" ino=6388736 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1553216980.909:2686): avc: denied { read } for pid=8125 comm="cryptsetup" name="pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2686): avc: denied { open } for pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2687): avc: denied { getattr } for pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwi" dev="dm-1" ino=6388749 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-27 18:48:01 -04:00
Sugar, David
7525ba9c1e
Allow ntpd to read unit files
Adding missing documentation (sorry about that).
type=AVC msg=audit(1553013917.359:9935): avc: denied { read } for pid=16326 comm="systemd-timedat" name="50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553013917.359:9935): avc: denied { open } for pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553013917.359:9936): avc: denied { getattr } for pid=16326 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d/50-chronyd.list" dev="dm-1" ino=4870675 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553013821.622:9902): avc: denied { getattr } for pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553013821.622:9903): avc: denied { read } for pid=16281 comm="systemd-timedat" name="ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1553013821.622:9903): avc: denied { open } for pid=16281 comm="systemd-timedat" path="/usr/lib/systemd/ntp-units.d" dev="dm-1" ino=4700094 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-27 18:48:01 -04:00
Chris PeBenito
32f3f09dc4
authlogin, dbus, ntp: Module version bump.
2019-03-24 14:43:35 -04:00
Sugar, David
5f14e530ad
Resolve denial about logging to journal from chkpwd
type=AVC msg=audit(1553029357.588:513): avc: denied { sendto } for pid=7577 comm="unix_chkpwd" path="/dev/log" scontext=toor_u:staff_r:chkpwd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-24 14:37:22 -04:00
Chris PeBenito
e19f3d658c
init: Remove duplicate setenforce rule for init scripts.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-03-20 10:10:23 -04:00
Chris PeBenito
99f967d3b5
udev: Drop write by udev to its executable.
This removes one vector for arbitrary code execution if udev is
compromised.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-03-20 10:10:10 -04:00
Chris PeBenito
40bf663090
systemd: Drop unconfined kernel access for systemd_nspawn.
Revise kernel assertion to /proc/kmsg to be more precise.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2019-03-20 10:09:37 -04:00
Chris PeBenito
c46eba9c02
sysadm, udev: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-17 16:27:34 -04:00
Chris PeBenito
ceadf42b75
udev: Move one line and remove a redundant line.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-17 16:25:28 -04:00
Chris PeBenito
2297487654
udev: Whitespace fix.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-03-17 16:25:03 -04:00
Sugar, David
ba31e59cd1
Separate out udevadm into a new domain
This is the update I have made based on suggestions for the previous
patches to add a udev_run interface. This adds the new domain udevadm_t
which is entered from /usr/bin/udevadm.
It seems to meet the needs that I have, but there are some things to
note that are probably important.
1) There are a few systemd services that use udevadm during startup.
I have granted the permissions that I need based on denials I was
seeing during startup (the machine would fail to start without the
permissions).
2) In the udev.fc file there are other binaries that I don't have on a
RHEL7 box that maybe should also be labeled udevadm_exec_t.
e.g. /usr/bin/udevinfo and /usr/bin/udevsend
But as I don't have those binaries to test, I have not updated the
type of that binary.
3) There are some places that call udev_domtrans that maybe should now
be using udevadm_domtrans - rpm.te, hal.te, hotplug.te. Again,
these are not things that I am using in my current situation and am
unable to test the interactions to know if the change is correct.
Other than that, I think this was a good suggestion to split udevadm
into a different domain.
Only change for v4 is to use stream_connect_pattern as suggested.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-17 16:15:21 -04:00
Chris PeBenito
60b8e08f4f
systemd, udev, usermanage: Module version bump.
2019-03-11 20:59:21 -04:00
Sugar, David
9d2b68e0ba
Allow additional map permission when reading hwdb
I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
This creates and uses a new interface to allow the needed
permission for udev.
type=AVC msg=audit(1551886176.948:642): avc: denied { map } for pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Updated from previous to create a new interface.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-11 20:53:30 -04:00
Sugar, David
3fd0d7df8b
Update cron use to pam interface
I'm seeing many denials for cron related to faillog_t, lastlog_t
and wtmp_t. These are all due to the fact cron is using pam (and my
system is configured with pam_faillog). I have updated cron to use
auth_use_pam interface to grant needed permissions.
Additional change to allow systemd_logind dbus for cron.
I have included many of the denials I'm seeing, but there are probably
others I didn't capture.
type=AVC msg=audit(1551411001.389:1281): avc: denied { read write } for pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1281): avc: denied { open } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins"
type=AVC msg=audit(1551411001.389:1282): avc: denied { lock } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1282): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1551411001.389:1283): avc: denied { write } for pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1283): avc: denied { open } for pid=8807 comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.489:1513): avc: denied { getattr } for pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc: denied { read write } for pid=9183 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc: denied { open } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1515): avc: denied { lock } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551412201.511:1515): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=9183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=USER_START msg=audit(1551412201.511:1516): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1551412201.512:1517): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1551412201.524:1521): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1551412201.525:1522): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-03-07 19:02:57 -05:00
Chris PeBenito
e6dcad5002
systemd: Module version bump.
2019-02-24 08:19:27 -08:00
Nicolas Iooss
2fb15c8268
Update systemd-update-done policy
systemd-update-done sends logs to journald like other services, as shown
by the following AVC:
type=AVC msg=audit(1550865504.453:76): avc: denied { sendto } for
pid=277 comm="systemd-update-" path="/run/systemd/journal/socket"
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket
permissive=1
type=AVC msg=audit(1550865504.453:76): avc: denied { write } for
pid=277 comm="systemd-update-" name="socket" dev="tmpfs" ino=10729
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1
type=AVC msg=audit(1550865504.453:76): avc: denied { connect } for
pid=277 comm="systemd-update-"
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:system_r:systemd_update_done_t
tclass=unix_dgram_socket permissive=1
Moreover it creates /etc/.updated and /var/.updated using temporary
files:
type=AVC msg=audit(1550865504.463:83): avc: denied { setfscreate }
for pid=277 comm="systemd-update-"
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:system_r:systemd_update_done_t tclass=process
permissive=1
type=AVC msg=audit(1550865504.463:84): avc: denied { read write
open } for pid=277 comm="systemd-update-"
path="/etc/.#.updatedTz6oE9" dev="vda1" ino=806171
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:etc_t tclass=file permissive=1
type=AVC msg=audit(1550865504.463:84): avc: denied { create } for
pid=277 comm="systemd-update-" name=".#.updatedTz6oE9"
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:etc_t tclass=file permissive=1
[...]
type=AVC msg=audit(1550865504.463:87): avc: denied { unlink } for
pid=277 comm="systemd-update-" name=".updated" dev="vda1" ino=793017
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:etc_t tclass=file permissive=1
type=AVC msg=audit(1550865504.463:87): avc: denied { rename } for
pid=277 comm="systemd-update-" name=".#.updatedTz6oE9" dev="vda1"
ino=806171 scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:object_r:etc_t tclass=file permissive=1
2019-02-24 11:08:20 +01:00
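Several of the commits on this page (the cron PAM change, the unix_chkpwd sendto fix, and the systemd-update-done update directly above) turn a batch of AVC records into policy. The script below is an added example, not refpolicy tooling and not a substitute for audit2allow; the function names are made up for it. It handles the three record shapes that appear in those messages: ordinary one-line AVC records, records wrapped across several lines as in the systemd-update-done commit, and USER_AVC records where the avc text is inside msg='...' (the D-Bus denial in the cron commit). The sample records are copies of denials quoted in the commits above, with one SYSCALL line shortened and kept only to show that non-AVC records are skipped.

```python
"""Turn AVC denial records into candidate allow rules.

Added example; not refpolicy tooling and not a replacement for audit2allow.
Handles one-line AVC records, AVC records wrapped over several lines, and
USER_AVC records whose avc text sits inside msg='...'.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:.*?\bpermissive=(?P<permissive>[01]))?"
)

# Records copied from the commit messages on this page (SYSCALL line shortened).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1551411001.389:1281): avc: denied { read write } for pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1281): avc: denied { open } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins"
type=AVC msg=audit(1550865504.453:76): avc: denied { sendto } for
pid=277 comm="systemd-update-" path="/run/systemd/journal/socket"
scontext=system_u:system_r:systemd_update_done_t
tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket
permissive=1
type=AVC msg=audit(1553029357.588:513): avc: denied { sendto } for pid=7577 comm="unix_chkpwd" path="/dev/log" scontext=toor_u:staff_r:chkpwd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""


def join_records(text):
    """Re-join records that were wrapped: a record starts at 'type=', continuation lines do not."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(record):
    """Extract perms, source/target types, class and permissive flag; None for non-AVC records."""
    m = AVC_RE.search(record)
    if not m:
        return None
    return {
        "perms": set(m["perms"].split()),
        "source": m["scontext"].split(":")[2],   # user:role:TYPE[:range]
        "target": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
        # USER_AVC records from dbus-daemon carry no permissive= field
        "permissive": None if m["permissive"] is None else m["permissive"] == "1",
    }


def allow_rules(text):
    """Merge denials per (source, target, class) into sorted raw allow rules."""
    wanted = defaultdict(set)
    for rec in join_records(text):
        d = parse_avc(rec)
        if d:
            wanted[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(wanted.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return rules


def enforced_denials(text):
    """Records with permissive=0: the access really was blocked, not merely logged."""
    out = []
    for rec in join_records(text):
        d = parse_avc(rec)
        if d and d["permissive"] is False:
            out.append(d)
    return out


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
    for d in enforced_denials(SAMPLE_AUDIT):
        print("enforced:", d["source"], "->", d["target"], d["tclass"], sorted(d["perms"]))
```

The raw allow rules are only the starting point for a refpolicy patch: the commits above express the same accesses through interfaces (auth_use_pam, logging_send_syslog_msg, a new interface for mapping hwdb.bin) so that the callers do not reference another module's private types. The permissive flag matters when triaging a log: permissive=0 records are the ones that actually broke something on an enforcing system, while permissive=1 records show what a domain would have needed.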
Chris PeBenito
2623984b83
logging, selinuxutil: Module version bump.
2019-02-23 19:30:58 -08:00
Chris PeBenito
0805aaca8d
Merge branch 'restorecond-no-read-all' of git://github.com/fishilico/selinux-refpolicy
2019-02-23 18:43:02 -08:00
Nicolas Iooss
0ab9035efa
Remove a broad read-files rule for restorecond
When the policy for restorecond was introduced, it contained a rule
which allowed restorecond to read every file except shadow_t (cf.
724925579d (diff-301316a33cafb23299e43112dc2bf2deR439)):
auth_read_all_files_except_shadow(restorecond_t)
Since 2006, the policy changed quite a bit, but this access remained.
However restorecond does not need to read every available file.
This is related to this comment:
https://github.com/SELinuxProject/refpolicy/pull/22#issuecomment-454976379
2019-02-23 21:20:21 +01:00
Nicolas Iooss
7bb9172b67
Allow restorecond to read customizable_types
When trying to remove files_read_non_auth_files(restorecond_t), the
following AVC denial occurs:
type=AVC msg=audit(1550921968.443:654): avc: denied { open } for
pid=281 comm="restorecond"
path="/etc/selinux/refpolicy/contexts/customizable_types" dev="vda1"
ino=928006 scontext=system_u:system_r:restorecond_t
tcontext=system_u:object_r:default_context_t tclass=file
permissive=1
type=AVC msg=audit(1550921968.443:654): avc: denied { read } for
pid=281 comm="restorecond" name="customizable_types" dev="vda1"
ino=928006 scontext=system_u:system_r:restorecond_t
tcontext=system_u:object_r:default_context_t tclass=file
permissive=1
As /etc/selinux/${SELINUXTYPE}/contexts/customizable_types is needed by
restorecond, allow this access.
2019-02-23 21:14:10 +01:00
Nicolas Iooss
5250bd4863
Allow systemd-journald to use kill(pid, 0) on its clients
Since systemd 241, systemd-journald is using kill(pid, 0) in order to
find dead processes and reduce its cache. The relevant commit is
91714a7f42
("journald: periodically drop cache for all dead PIDs"). This commit
added a call to pid_is_unwaited(c->pid), which is a function implemented in
https://github.com/systemd/systemd/blob/v241/src/basic/process-util.c#L936 :
    bool pid_is_unwaited(pid_t pid) {
            /* Checks whether a PID is still valid at all, including a zombie */
            if (pid < 0)
                    return false;
            if (pid <= 1) /* If we or PID 1 would be dead and have been waited for, this code would not be running */
                    return true;
            if (pid == getpid_cached())
                    return true;
            if (kill(pid, 0) >= 0)
                    return true;
            return errno != ESRCH;
    }
This new code triggers the following AVC denials:
type=AVC msg=audit(1550911933.606:332): avc: denied { signull }
for pid=224 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:auditd_t tclass=process permissive=1
type=AVC msg=audit(1550911933.606:333): avc: denied { signull }
for pid=224 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:dhcpc_t tclass=process permissive=1
type=AVC msg=audit(1550911933.606:334): avc: denied { signull }
for pid=224 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:sshd_t tclass=process permissive=1
2019-02-23 20:55:17 +01:00
Chris PeBenito
5986fdc4df
logging, miscfiles, authlogin: Module version bump.
2019-02-20 19:38:55 -08:00