RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
5,755 Commits 3 Branches 49 Tags 18 MiB
Commit Graph

5755 Commits

Author SHA1 Message Date
Chris PeBenito 6c69f6e3de udev: Drop udev_tbl_t. 
This usage under /dev/.udev has been unused for a very long time and
replaced by functionality in /run/udev.  Since these have separate types,
take this opportunity to revoke these likely unnecessary rules.

Fixes #221

Derived from Laurent Bigonville's work in #230

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-13 15:12:11 -05:00
Chris PeBenito 8c756108db corosync, pacemaker: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-13 14:46:10 -05:00
Chris PeBenito d669ed18df Merge pull request #332 from dschadlich/master 2021-01-13 14:44:53 -05:00
Richard Haines 037ac427f8 Ensure correct monolithic binary policy is loaded 
When building a monolithic policy with 'make load', the
selinux_config(5) file 'SELINUXTYPE' entry determines what policy
is loaded as load_policy(8) does not take a path value (it always loads
the active system policy as defined by /etc/selinux/config).

Currently it is possible to load the wrong binary policy, for example if
the Reference Policy source is located at:
/etc/selinux/refpolicy
and the /etc/selinux/config file has the following entry:
SELINUXTYPE=targeted
Then the /etc/selinux/targeted/policy/policy.<ver> is loaded when
'make load' is executed.
Resolve this by using selinux_binary_policy_path(3) to determine the
current configured policy name and its location.

Another example is that if the Reference Policy source is located at:
/tmp/custom-rootfs/etc/selinux/refpolicy
and the /etc/selinux/config file has the following entry:
SELINUXTYPE=refpolicy
Then the /etc/selinux/refpolicy/policy/policy.<ver> is loaded when
'make DESTDIR=/tmp/custom-rootfs load' is executed (not the
/tmp/custom-rootfs/etc/selinux/refpolicy/policy/policy.<ver> that the
developer thought would be loaded).
Resolve this by checking if DESTDIR has been set.

Remove the '@touch $(tmpdir)/load' line as the file is never referenced.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
 2021-01-13 09:54:48 -05:00
David Schadlich 9fd6bcbcf5 add policy for pcs_snmp_agent 
create corosync_read_state interface, used by pcs_snmp_agent policy

update file context list for corosync to include corosync-cmapctl, this allows pcs_snmp_agent to domtrans when calling it

denial for execmem
type=AVC msg=audit(1610036202.427:3772): avc:  denied  { execmem } for  pid=10875 comm="ruby" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:pcs_snmp_agent_t:s0 tclass=process permissive=1

create contexts for pcs_snmp_agent_t and allow it some self permissions

allow pcs_snmp_agent_t to create allows and transision context of those logs

allow pcs_snmp_agent_t to read kernel sysctls

allow pcs_snmp_agent_t to exec bin_t

allow pcs_snmp_agent_t to access pacemaker's cluster information base (cib)
type=AVC msg=audit(1610037438.918:4524): avc:  denied  { read write } for  pid=14866 comm="cibadmin" name="qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037438.918:4524): avc:  denied  { open } for  pid=14866 comm="cibadmin" path="/dev/shm/qb-3925-14866-13-FPiaad/qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1610037438.918:4524): arch=c000003e syscall=2 success=yes exit=5 a0=7ffe28cb09e0 a1=2 a2=180 a3=7ffe28cb02a0 items=1 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null)
type=AVC msg=audit(1610037438.919:4525): avc:  denied  { map } for  pid=14866 comm="cibadmin" path="/dev/shm/qb-3925-14866-13-FPiaad/qb-request-cib_rw-header" dev="tmpfs" ino=160994 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1610037438.919:4525): arch=c000003e syscall=9 success=yes exit=140505675866112 a0=0 a1=203c a2=3 a3=1 items=0 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null)
type=AVC msg=audit(1610037438.906:4523): avc:  denied  { connectto } for  pid=14866 comm="cibadmin" path=006369625F72770000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=unix_stream_socket permissive=1
type=SYSCALL msg=audit(1610037438.906:4523): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffe28cb2a40 a2=6e a3=7ffe28cb2460 items=0 ppid=14857 pid=14866 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cibadmin" exe="/usr/sbin/cibadmin" subj=system_u:system_r:pcs_snmp_agent_t:s0 key=(null)

allow pcs_snmp_agent_t to read files with usr_t context
type=AVC msg=audit(1610037437.737:4513): avc:  denied  { getattr } for  pid=14857 comm="ruby" path="/usr/share/ruby/json.rb" dev="dm-0" ino=78097 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1610037439.029:4532): avc:  denied  { read } for  pid=14869 comm="crm_mon" name="pacemaker" dev="dm-0" ino=78392 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610037561.019:4615): avc:  denied  { read } for  pid=15257 comm="ruby" name="rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037561.019:4615): avc:  denied  { open } for  pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037561.019:4616): avc:  denied  { getattr } for  pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037561.020:4617): avc:  denied  { ioctl } for  pid=15257 comm="ruby" path="/usr/share/rubygems/rubygems.rb" dev="dm-0" ino=78469 ioctlcmd=5401 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to to get cgroup information
type=AVC msg=audit(1610036387.957:3864): avc:  denied  { getattr } for  pid=11499 comm="systemctl" path="/sys/fs/cgroup/systemd/system.slice/pacemaker.service/cgroup.procs" dev="cgroup" ino=31992 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610036480.913:3921): avc:  denied  { read } for  pid=11807 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610036665.036:4019): avc:  denied  { read } for  pid=12401 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610036788.922:4099): avc:  denied  { read } for  pid=12798 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610036944.042:4202): avc:  denied  { read } for  pid=13302 comm="systemctl" name="pacemaker.service" dev="cgroup" ino=31990 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610036977.714:4223): avc:  denied  { read } for  pid=13416 comm="systemctl" name="cgroup.procs" dev="cgroup" ino=30811 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610036977.714:4223): avc:  denied  { open } for  pid=13416 comm="systemctl" path="/sys/fs/cgroup/systemd/system.slice/corosync.service/cgroup.procs" dev="cgroup" ino=30811 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to read nsswitch
type=AVC msg=audit(1610037562.211:4626): avc:  denied  { open } for  pid=15266 comm="cibadmin" path="/etc/nsswitch.conf" dev="dm-0" ino=40445 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037562.212:4627): avc:  denied  { getattr } for  pid=15266 comm="cibadmin" path="/etc/nsswitch.conf" dev="dm-0" ino=40445 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to read zoneinfo
type=AVC msg=audit(1610035641.390:3398): avc:  denied  { search } for  pid=3838 comm="pcs_snmp_agent" name="zoneinfo" dev="dm-0" ino=69241 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610035767.532:3480): avc:  denied  { getattr } for  pid=3838 comm="pcs_snmp_agent" path="/usr/share/zoneinfo/GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610035767.664:3481): avc:  denied  { read } for  pid=9488 comm="ruby" name="GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610035767.664:3481): avc:  denied  { open } for  pid=9488 comm="ruby" path="/usr/share/zoneinfo/GMT" dev="dm-0" ino=71453 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to read certificates
type=AVC msg=audit(1610037375.994:4485): avc:  denied  { getattr } for  pid=14660 comm="ruby" path="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037499.874:4565): avc:  denied  { read } for  pid=15055 comm="ruby" name="cert.pem" dev="dm-0" ino=38537 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1610037529.975:4584): avc:  denied  { read } for  pid=15144 comm="ruby" name="tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037529.975:4584): avc:  denied  { open } for  pid=15144 comm="ruby" path="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" dev="dm-0" ino=38862 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t get service status

type=USER_AVC msg=audit(1610034251.683:2349): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/pacemaker.service" cmdline="systemctl status pacemaker.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0
tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1610034251.773:2363): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 cmdline="systemctl is-enabled pacemaker.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=s
ystem  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1610034252.626:2367): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 cmdline="systemctl status pacemaker_remote.service" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclas
s=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

type=AVC msg=audit(1610034251.757:2361): avc:  denied  { getattr } for  pid=4342 comm="systemctl" path="/etc/systemd/system" dev="dm-0" ino=38595 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1

allow pcs_snmp_agent_t to search init_t dirs
type=AVC msg=audit(1610037317.490:4460): avc:  denied  { search } for  pid=14489 comm="systemctl" name="1" dev="proc" ino=9242 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=1

allow pcs_snmp_agent_t to connecto to systemd unix socket
type=AVC msg=audit(1610037533.196:4600): avc:  denied  { connectto } for  pid=15174 comm="systemctl" path="/run/systemd/private" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1

allow pcs_snmp_agent_t to run corosync in corosync_t domain
type=AVC msg=audit(1610037437.793:4515): avc:  denied  { execute } for  pid=14859 comm="ruby" name="corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037437.793:4515): avc:  denied  { read open } for  pid=14859 comm="ruby" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037437.793:4515): avc:  denied  { execute_no_trans } for  pid=14859 comm="ruby" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037437.793:4515): avc:  denied  { map } for  pid=14859 comm="corosync" path="/usr/sbin/corosync" dev="dm-0" ino=57633 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:corosync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610034246.149:2265): avc:  denied  { execute } for  pid=4258 comm="ruby" name="corosync-cmapctl" dev="dm-0" ino=57635 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to read corosync state
type=AVC msg=audit(1610037503.610:4570): avc:  denied  { open } for  pid=15101 comm="systemctl" path="/proc/3874/comm" dev="proc" ino=26243 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:corosync_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037503.611:4571): avc:  denied  { getattr } for  pid=15101 comm="systemctl" path="/proc/3874/comm" dev="proc" ino=26243 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:corosync_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to exec hostname
type=AVC msg=audit(1610037469.569:4545): avc:  denied  { execute } for  pid=14951 comm="ruby" name="hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037469.569:4545): avc:  denied  { read open } for  pid=14951 comm="ruby" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037469.569:4545): avc:  denied  { execute_no_trans } for  pid=14951 comm="ruby" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037469.569:4545): avc:  denied  { map } for  pid=14951 comm="hostname" path="/usr/bin/hostname" dev="dm-0" ino=54047 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=1

allow pcs_snmp_agent_t to connecto to snmp socket
type=AVC msg=audit(1610034242.897:2197): avc:  denied  { write } for  pid=3838 comm="pcs_snmp_agent" name="master" dev="tmpfs" ino=30868 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1610034242.897:2197): avc:  denied  { connectto } for  pid=3838 comm="pcs_snmp_agent" path="/var/agentx/master" scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=unix_stream_socket permissive=1

allow pcs_snmp_agent_t to read systemd journal files
type=AVC msg=audit(1610037472.176:4552): avc:  denied  { map } for  pid=14980 comm="systemctl" path="/var/log/journal/c7aa97546e1f4d3783a3aeffeeb749e3/system.journal" dev="tmpfs" ino=146184 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1610037533.220:4602): avc:  denied  { read } for  pid=15174 comm="systemctl" name="/" dev="tmpfs" ino=10069 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1610037533.220:4602): avc:  denied  { open } for  pid=15174 comm="systemctl" path="/var/log/journal" dev="tmpfs" ino=10069 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1

Signed-off-by: David Schadlich <dschadlich@owlcyberdefense.com>
 2021-01-12 10:30:32 -05:00
Chris PeBenito 26ed37c991 Makefile: Add -E to setfiles labeling targets. 
This will cause setfiles to error if there are conflicting labeling
specifications for files due to hardlinks.

closes #218

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2021-01-06 13:53:46 -05:00
Chris PeBenito 010692dda2
Merge pull request #326 from dburgener/no-self 
Use self keyword when an AV rule source type matches destination
 2021-01-04 09:14:46 -05:00
Chris PeBenito 8a1bc98a31 authlogin, init, systemd: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-17 09:23:18 -05:00
Chris PeBenito a63c24c6b7 Merge pull request #269 from bauen1/systemd-userdb 2020-12-17 09:22:55 -05:00
Chris PeBenito 2a660fb6f6
Merge pull request #325 from pdmorrow/selinux_getbools 
selinux: add selinux_get_all_booleans() interface
 2020-12-15 11:10:12 -05:00
Daniel Burgener 37cc0aae1d Use self keyword when an AV rule source type matches destination 
This is reported in a new SELint check in soon to be released selint version 1.2.0

Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
 2020-12-15 10:29:52 -05:00
Peter Morrow b3bfd10ccd selinux: add selinux_get_all_booleans() interface 
Allow the caller to read the state of selinuxfs booleans.

Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>
 2020-12-15 15:19:30 +00:00
Chris PeBenito cef667fa31 systemd: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-15 09:40:48 -05:00
Chris PeBenito 2c2d27ce70 Merge pull request #324 from dburgener/dburgener/systemd-watch 2020-12-15 09:33:50 -05:00
Daniel Burgener b3204ea4c1 Allow systemd-ask-password to watch files 
On systems that use plymouth, systemd-ask-password may set watches on
the contents on /run/systemd/ask-password, whereas other scenarions only
set watch on the parent directory.

Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
 2020-12-11 19:47:13 +00:00
Chris PeBenito c8c418267d systemd: Add systemd-tty-ask watch for /run/systemd/ask-password. 
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
 2020-12-11 19:45:54 +00:00
Chris PeBenito 87c4adc790 kernel, modutils, userdomain, xserver: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-08 15:13:57 -05:00
Chris PeBenito 97eda18388 Merge pull request #323 from dsugar100/master 2020-12-08 15:09:54 -05:00
Chris PeBenito 7fd6d78c2c userdomain: Fix error in calling userdom_xdg_user_template(). 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-08 15:09:27 -05:00
Chris PeBenito cdfcec0e9a Merge pull request #320 from 0xC0ncord/master 2020-12-08 15:01:27 -05:00
Chris PeBenito d7c3c78c2d Drop criteria on github actions. 
Either they do not have the desired effects or they are broken.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-08 12:31:00 -05:00
0xC0ncord 1d15c9e009
userdomain, xserver: move xdg rules to userdom_xdg_user_template 
xdg rules are normally set in xserver. But, if a modular policy is being
used and the xserver module is not present, the required rules for users
to be able to access xdg content are never created and thus these files
and directories cannot be interacted with by users. This change adds a
new template that can be called to grant these privileges to userdomain
types as necessary.

Signed-off-by: Kenton Groombridge <me@concord.sh>
 2020-12-08 10:59:17 -05:00
Dave Sugar ca5f1a5662 Allow systemd-modules-load to search kernel keys 
I was seeing the following errors from systemd-modules-load without this search permission.

Dec  7 14:36:19 systemd-modules-load: Failed to insert 'nf_conntrack_ftp': Required key not available
Dec  7 14:36:19 kernel: Request for unknown module key 'Red Hat Enterprise Linux kernel signing key: 3ffb026dadef6e0bc404752a7e7c29095a68eab7' err -13
Dec  7 14:36:19 systemd: systemd-modules-load.service: main process exited, code=exited, status=1/FAILURE
Dec  7 14:36:19 audispd: node=loacalhost type=PROCTITLE msg=audit(1607351779.441:3259): proctitle="/usr/lib/systemd/systemd-modules-load"
Dec  7 14:36:19 systemd: Failed to start Load Kernel Modules.

This is the denial:

Dec  7 15:56:52 audispd: node=localhost type=AVC msg=audit(1607356612.877:3815): avc:  denied { search } for  pid=11715 comm="systemd-modules" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
 2020-12-08 10:51:44 -05:00
Chris PeBenito 699268ff41 init, systemd: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-04 13:32:57 -05:00
Chris PeBenito b31d8308da systemd: Rename systemd_connectto_socket_proxyd_unix_sockets() to systemd_stream_connect_socket_proxyd(). 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-04 13:31:22 -05:00
Chris PeBenito 42b184c2a8 systemd: Whitespace changes. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-04 13:31:17 -05:00
Chris PeBenito b4dd2ae0cc Merge pull request #315 from galaxy4public/systemd-socket-proxyd 2020-12-04 13:29:55 -05:00
Chris PeBenito 8d7ea992e2
Merge pull request #322 from pebenito/github-actions 
Switch to GitHub actions for CI actions.
 2020-12-03 10:10:01 -05:00
Chris PeBenito e7b9598865 Switch to GitHub actions for CI actions. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-12-03 10:07:05 -05:00
(GalaxyMaster) c98d287fa3 added policy for systemd-socket-proxyd 
Signed-off-by: (GalaxyMaster) <galaxy4public@users.noreply.github.com>
 2020-12-02 17:38:00 +11:00
Chris PeBenito fe29a74cad various: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-11-22 14:03:11 -05:00
Jason Zaman d03b8ffdf5 systemd: make remaining dbus_* optional 
Almost all calls to dbus_ interfaces were already optional, this makes
the remaining one optional_policy so that the modules can be installed /
upgraded easier.

Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-11-22 14:00:34 -05:00
Jason Zaman 6dd6823280 init: upstream fcontexts from gentoo policy 
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-11-22 14:00:34 -05:00
Jason Zaman c9880f52d5 Add transition on gentoo init_t to openrc 
Commit "init: replace call to init_domtrans_script"
(be231899f5 in upstream repo)
removed the call to init_domtrans_script which removed the openrc
domtrans. This adds it back directly in the distro_gentoo block.

Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-11-22 14:00:34 -05:00
Jonathan Davies b1927e9f39 init: Added fcontext for openrc-shutdown. 
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-11-22 14:00:34 -05:00
Jonathan Davies b7acd3c4f9 init: Added fcontext for openrc-init. 
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-11-22 14:00:34 -05:00
Jonathan Davies 1a39e4dfbe portage: Added /var/cache/distfiles path. 
Closes: https://github.com/perfinion/hardened-refpolicy/pull/1
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-11-22 14:00:34 -05:00
Jason Zaman 0ad23a33ef getty: allow watching file /run/agetty.reload 
avc:  denied  { watch } for  pid=2485 comm="agetty" path="/run/agetty.reload" dev="tmpfs" ino=22050 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:getty_runtime_t:s0 tclass=file permissive=0

Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-11-22 14:00:34 -05:00
Jason Zaman a98f25ce73 userdomain: Add watch on home dirs 
avc:  denied  { watch } for  pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
avc:  denied  { watch } for  pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
 2020-11-22 14:00:34 -05:00
Chris PeBenito 82c0b4dd3e dbus: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-11-20 09:54:32 -05:00
Chris PeBenito becac418b4 Merge pull request #318 from dburgener/dburgener/system-bus-bindmount 2020-11-20 09:54:08 -05:00
Daniel Burgener 47c495d6f1 Allow init to mount over the system bus 
In portable profiles, systemd bind mounts the system bus into process
namespaces

Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
 2020-11-13 14:44:22 +00:00
Chris PeBenito f1b83f8ef4 lvm: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-11-09 11:45:32 -05:00
Chris PeBenito 67814510fc Merge pull request #317 from gtrentalancia/master 2020-11-09 11:44:51 -05:00
Guido Trentalancia 7122154c19 Add LVM module permissions needed to open cryptsetup devices. 
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/lvm.te |    2 ++
 1 file changed, 2 insertions(+)
 2020-11-09 15:43:01 +01:00
Chris PeBenito aa8d432584 filesystem, xen: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-11-05 06:55:25 -05:00
Anthony PERARD 4f23a54b52 xen: Allow xenstored to map /proc/xen/xsd_kva 
xenstored is using mmap() on /proc/xen/xsd_kva, and when the SELinux
boolean "domain_can_mmap_files" in CentOS is set to false the mmap()
call fails.

Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
 2020-11-05 06:55:17 -05:00
Chris PeBenito cc4cc5c66d
Merge pull request #314 from shammancer/patch-1 
access_vectors: Add new capabilities to cap2
 2020-10-25 15:21:56 -04:00
Dannick Pomerleau b5bc33bc9c access_vectors: Add new capabilities to cap2 
Updated location of capability definitions to point to current location within kernel source code.

CAP_BPF and CAP_PERFMON mainlined in: cb8e59cc87201af93dfbb6c3dccc8fcad72a09c2, original commit: a17b53c4a4b55ec322c132b6670743612229ee9c
CAP_CHECKPOINT_RESTORE mainlined in: 74858abbb1032222f922487fd1a24513bbed80f9, original commit: 124ea650d3072b005457faed69909221c2905a1f

The missing capabilities were noticed on archlinux with kernel 5.8.14-arch1-1.

Signed-off-by: Dannick Pomerleau <dannickp@hotmail.com>
 2020-10-15 20:55:35 -04:00
Chris PeBenito 493f56b59d corosync, pacemaker: Module version bump. 
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
 2020-10-13 15:25:24 -04:00