Commit Graph

3501 Commits

Author SHA1 Message Date
Chris PeBenito
6df603e814 apache, bird, ntp: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-05 13:35:34 -04:00
Chris PeBenito
370160dcb9 Merge pull request #251 from bauen1/fix-systemd-timesyncd 2020-05-05 13:28:54 -04:00
Chris PeBenito
45733fcfb1 Merge pull request #250 from bauen1/nginx 2020-05-05 13:28:31 -04:00
Chris PeBenito
809c39fa50 Merge pull request #239 from bauen1/fix-bird2 2020-05-05 13:27:55 -04:00
bauen1
5a18466573
ntpd: fixes for systemd-timesyncd after linux 5.4
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-05 18:09:56 +02:00
bauen1
6b90780fdd
apache: add nginx to policy
This is better than the current status quo of running nginx under
initrc_t, a lot of other webservers are already under the apache policy
(e.g. lighttpd) and this requires no additional permissions.

See also the discussion from March 2013 on the selinux-refpolicy mailing
list: https://lore.kernel.org/selinux-refpolicy/20110318110259.GA25236@localhost.localdomain/

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-05-05 12:42:07 +02:00
Chris PeBenito
a7a327a921 sysnetwork, filesystem, userdomain: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-04 09:10:54 -04:00
Chris PeBenito
100a3fb02b Merge pull request #233 from fishilico/ip-netns 2020-05-04 09:05:34 -04:00
Chris PeBenito
4ae3713c45 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-05-04 08:55:09 -04:00
Chris PeBenito
a1c97cbab2 Merge pull request #249 from topimiettinen/ping-sendrecv-icmp 2020-05-04 08:47:55 -04:00
Chris PeBenito
271e4bb8c9 Merge pull request #248 from dburgener/remove-outdated-stunnel-port-access 2020-05-04 08:47:07 -04:00
Chris PeBenito
6137441c69 Merge pull request #247 from dburgener/repeated-perms 2020-05-04 08:46:42 -04:00
Chris PeBenito
671d5da3d7 Merge pull request #245 from dburgener/tty-pty-cleanup 2020-05-04 08:46:15 -04:00
Topi Miettinen
a614e755ae
netutils: allow ping to send and receive ICMP packets
Let ping send and receive ICMP packets when Netfilter SECMARK packet
labeling is active.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-05-04 12:43:18 +03:00
Daniel Burgener
a01820155f Remove out of date "hack" from stunnel. The underlying problem needing
a require was fixed back in 2011, so using corenet_tcp_bind_stunnel_port
would be an option now, but stunnel_t already has
corenet_tcp_bind_all_ports, so this access is redundant.

Signed-off-by: Daniel Burgener <Daniel.Burgener@Microsoft.com>
2020-05-02 16:24:53 -04:00
Daniel Burgener
ce8f00538a Remove the second copy of a permission in instances where the exact same permission is repeated twice in a row
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
2020-05-01 12:22:40 -04:00
Daniel Burgener
5ba931d49d Fix a few places where command line applications were only granted one of tty or pty permissions and could be used from either
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
2020-04-30 14:53:31 -04:00
bauen1
56d16a79ae
bird: fixes for bird 2.0
Signed-off-by: bauen1 <j2468h@gmail.com>

bird: allow admin to connect to the bird daemon socket

Signed-off-by: bauen1 <j2468h@gmail.com>

bird: read /proc/sys/crypto/fips_enabled

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-04-29 18:13:21 +02:00
Dave Sugar
a0403b52d8 Interfaces needed to support IMA/EVM keys
I have been working to support IMA/EVM on a system.  It
requires having keys added to the kernel keyring.  Keys
added with keyctl and evmctl.  I am creating keys in the
ima_key_t type.  Once the keys are created, many domains
then need search permission on the type of the key.  The
following changes are needed to get things to work.

Need to add keys to the kernel keyring (keyctl).

type=AVC msg=audit(1585420717.704:1868): avc:  denied  { write } for pid=8622 comm="keyctl" scontext=system_u:system_r:cleanup_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1

Allow all domains to search key

type=AVC msg=audit(1587936822.802:556): avc:  denied  { search } for  pid=5963 comm="kworker/u16:6" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.804:559): avc:  denied  { search } for  pid=5963 comm="systemd-cgroups" scontext=system_u:system_r:systemd_cgroups_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.809:560): avc:  denied  { search } for  pid=5964 comm="(sysctl)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936822.813:562): avc:  denied  { search } for  pid=5964 comm="sysctl" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1
type=AVC msg=audit(1587936823.149:604): avc:  denied  { search } for  pid=5987 comm="setsebool" scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:object_r:ima_key_t:s0 tclass=key permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-04-29 11:50:16 -04:00
Chris PeBenito
4f846ea99d bootloader, filesystem: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-29 10:51:26 -04:00
Topi Miettinen
eae4ecde22
bootloader: add rEFInd and systemd-boot
Add EFI bootloaders rEFInd and systemd-boot. Boot tools which manage
bootloader files in UEFI (DOS) partition need also to manage UEFI boot
variables in efivarfs. Bootctl (systemd-boot tool) verifies the type
of EFI file system and needs to mmap() the files.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-25 13:15:46 +03:00
Chris PeBenito
d401ff2a21 systemd, ssh, wm: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-24 10:22:30 -04:00
Chris PeBenito
9e9490cddf Merge pull request #242 from topimiettinen/wm-add-kwin 2020-04-24 10:10:30 -04:00
Chris PeBenito
292366f88d Merge pull request #241 from bauen1/fix-ssh-agent-debian 2020-04-24 10:03:18 -04:00
bauen1
5124a48bf5
ssh: fix for debian wrapper script
debian ships a wrapper script that moves the ssh-agent socket to
/run/user/$UID/openssh_agent

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-04-24 15:29:17 +02:00
Topi Miettinen
352249fc05
wm: add KWin
Add KWin to list of window managers and allow it to mmap wm_tmpfs_t
files to avoid a crash. Related audit event:
type=AVC msg=audit(04/24/2020 15:39:25.287:679) : avc:  denied  { map } for  pid=1309 comm=kwin_x11 path=/memfd:JSVMStack:/lib/x86_64-linux-gnu/libQt5Qml.so.5 (deleted) dev="tmpfs" ino=45261 scontext=user_u:user_r:user_wm_t:s0 tcontext=user_u:object_r:wm_tmpfs_t:s0 tclass=file permissive=0

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-24 16:19:51 +03:00
bauen1
09c311f57f
allow normal users to use 'systemd-run'
It can also be used to create temporary units under `systemd --user`.

Signed-off-by: bauen1 <j2468h@gmail.com>
2020-04-23 21:48:35 +02:00
Chris PeBenito
01990a484e corenetwork, systemd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-22 10:21:45 -04:00
Chris PeBenito
4ebd33c46d Merge pull request #234 from topimiettinen/systemd-networkd-allow-icmp-dhcpc 2020-04-22 10:21:16 -04:00
Topi Miettinen
a3b688d1cf
Allow systemd-networkd to handle ICMP and DHCP packets
Allow systemd-networkd to send and receive ICMPv6 Router Solicitation
and Router Advertisement packets (in reality all ICMP/ICMPv6 packets)
and DHCP client packets.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
2020-04-22 15:46:56 +03:00
Chris PeBenito
24e1e2c8a3 various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-21 11:03:01 -04:00
Chris PeBenito
549bb857c0 Merge pull request #220 from dburgener/fix-macro-usage 2020-04-21 11:01:59 -04:00
Daniel Burgener
962a3adde4 Simplify collection of ssh rules to domtrans_pattern macro
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
2020-04-20 15:46:38 -04:00
Daniel Burgener
04d51e18c8 Switch pipe reading on domtrans to inherited only
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
2020-04-20 15:46:38 -04:00
Daniel Burgener
410a682138 Fix mismatches between object class and permission macro.
In many cases, this won't result in a change in the actual policy generated, but if the definitions of macros are changed going forward, the mismatches could cause issues.

Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
2020-04-20 15:46:33 -04:00
Chris PeBenito
1a972de67f devices, systemd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-20 15:42:37 -04:00
Chris PeBenito
34ead011bc Merge pull request #232 from fishilico/label-sysdig-device 2020-04-20 15:42:05 -04:00
Nicolas Iooss
c99cfb2c16
sysnetwork: allow using "ip netns"
When using network namespaces with `ip netns`, command `ip` creates
files in `/run/netns` that are mountpoints for `nsfs`. For example:

    $ ip netns add VPN

    $ ls -Z /run/netns/VPN
    system_u:object_r:nsfs_t /run/netns/VPN

    $ findmnt /run/netns/VPN
    TARGET         SOURCE                 FSTYPE OPTIONS
    /run/netns/VPN nsfs[net:[4026532371]] nsfs   rw
    /run/netns/VPN nsfs[net:[4026532371]] nsfs   rw

From a shell CLI, it is possible to retrieve the name of the current
network namespace:

    $ ip netns exec VPN bash
    $ ip netns identify $$
    VPN

This requires reading `/proc/$PID/ns/net`, which is labelled as a user
domain. Allow this access using `userdom_read_all_users_state()`.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-04-19 11:52:29 +02:00
Nicolas Iooss
1a13a5410b
devices: label /dev/sysdig0
`sysdig` is a tool that enables introspecting the system, debugging it,
etc. It uses a driver that creates `/dev/sysdig0`. Define a specific
label in order to be able to allow using it.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-04-19 11:40:59 +02:00
Nicolas Iooss
9de480292c
systemd: allow sd-executor to manage its memfd files
When systemd --user runs helper programs in order to generate user
environment variables, it reads memfd temporary files, which are labeled
tmpfs_t:

    type=AVC msg=audit(1569787627.183:487): avc:  denied  { getattr }
    for  pid=19182 comm="(sd-executor)"
    path=2F6D656D66643A33302D73797374656D642D656E7669726F6E6D656E742D642D67656E657261746F72202864656C6574656429
    dev="tmpfs" ino=50062 scontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tcontext=sysadm_u:object_r:tmpfs_t tclass=file permissive=1

    type=SYSCALL msg=audit(1569787627.183:487): arch=c000003e syscall=5
    success=yes exit=0 a0=a a1=7ffd324679d0 a2=7ffd324679d0 a3=4 items=0
    ppid=19180 pid=19182 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000
    fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=28
    comm="(sd-executor)" exe="/usr/lib/systemd/systemd"
    subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null)

    type=PROCTITLE msg=audit(1569787627.183:487): proctitle="(sd-executor)"

    type=AVC msg=audit(1569787627.183:488): avc:  denied  { read } for
    pid=19182 comm="(sd-executor)"
    path=2F6D656D66643A33302D73797374656D642D656E7669726F6E6D656E742D642D67656E657261746F72202864656C6574656429
    dev="tmpfs" ino=50062 scontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tcontext=sysadm_u:object_r:tmpfs_t tclass=file permissive=1

    type=SYSCALL msg=audit(1569787627.183:488): arch=c000003e syscall=0
    success=yes exit=0 a0=a a1=559bf537abb0 a2=1000 a3=559bf5376010
    items=0 ppid=19180 pid=19182 auid=1000 uid=1000 gid=1000 euid=1000
    suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none)
    ses=28 comm="(sd-executor)" exe="/usr/lib/systemd/systemd"
    subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null)

    type=PROCTITLE msg=audit(1569787627.183:488): proctitle="(sd-executor)"

The hexadecimal path is "/memfd:30-systemd-environment-d-generator
(deleted)".

The name "(sd-executor)" is the name of a child process (cf.
https://github.com/systemd/systemd/blob/v243/src/shared/exec-util.c#L222)
and the name of the memfd file comes from "open_serialization_fd(name)"
in
https://github.com/systemd/systemd/blob/v243/src/shared/exec-util.c#L213.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-04-19 08:43:26 +02:00
Chris PeBenito
dd04789465 systemd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-18 18:27:01 -04:00
Nicolas Iooss
5ad80e255c
systemd: make systemd --user run generators without transition
On Debian 10, ``systemd --user`` runs some generators in
/usr/lib/systemd/user-environment-generators when a user session starts.
Here is what is logged in audit.log for a sysadm user.

    type=AVC msg=audit(1586962888.516:65): avc:  denied  { getattr } for
    pid=309 comm="(sd-executor)"
    path="/usr/lib/systemd/user-environment-generators/90gpg-agent"
    dev="vda1" ino=662897 scontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tcontext=system_u:object_r:systemd_generator_exec_t tclass=file
    permissive=1

    type=AVC msg=audit(1586962888.516:66): avc:  denied  { map } for
    pid=310 comm="30-systemd-envi"
    path="/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator"
    dev="vda1" ino=655822 scontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tcontext=system_u:object_r:systemd_generator_exec_t tclass=file
    permissive=1

    type=AVC msg=audit(1586962888.516:66): avc:  denied
    { execute_no_trans } for  pid=310 comm="(direxec)"
    path="/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator"
    dev="vda1" ino=655822 scontext=sysadm_u:sysadm_r:sysadm_systemd_t
    tcontext=system_u:object_r:systemd_generator_exec_t tclass=file
    permissive=1

Run these program without domain transition.

This follows a discussion that took place in
https://github.com/SELinuxProject/refpolicy/pull/224

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-04-18 20:00:57 +02:00
Chris PeBenito
f028ac96fc dbus, dpm2: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-16 16:27:55 -04:00
Dave Sugar
8f5cbc7779 Setup domain for tpm2_* binaries
The various /bin/tpm2_* binaries use dbus to communicate
with tpm2-abrmd and also can directly access /dev/tpmrm0.  This
seems like a way to help limit access to the TPM by running the
tpm_* binaries in their own domain.

I setup this domain because I have a process that needs to use
tpm2_hmac to encode something, but didn't want that domain to
have direct access to the TPM.  I did some basic testing to verify
that the other tpm2_* binaries have basically the same access needs.
But it wasn't through testing of all the tpm2_* binaries.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-04-16 15:40:09 -04:00
Dave Sugar
fd19ce9e91 fix require from 5b78c1c86b
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-04-15 22:59:07 -04:00
Chris PeBenito
acd45b66b4 mozilla, mailman, init, modutils: Module version bump.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-04-14 14:16:49 -04:00
Chris PeBenito
782cd81a4b Merge pull request #217 from bauen1/init-confined-keyring 2020-04-14 14:08:18 -04:00
Chris PeBenito
504f931980 Merge pull request #216 from bauen1/fix-modutils-nnp 2020-04-14 14:08:16 -04:00
Chris PeBenito
499c73dc95 Merge pull request #215 from bauen1/fix-unescaped-dot 2020-04-14 14:08:14 -04:00
bauen1
f6ca80e336
allow init_t to link kernel_t key
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-04-14 19:37:57 +02:00