When getting dumps from a crash in a mount namespace, systemd wants to run stat on the root in that namespace
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
Allow class sets , e.g. defined in policy/support/obj_perm_sets.spt, to
be used in default_* statements in the file policy/context_defaults
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
According to IANA, winshadow is port 3261 for both TCP and UDP.
3161 for TCP looks like a typo that slipped through.
Signed-off-by: Florian Schmidt <flosch@nutanix.com>
There is a STIG requirement (CCE-27326-8) that all files in /dev be labeled (something other than 'device_t'). On the systems I am working on there are a few files labeled device_t.
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Usbguard enforces the USB device authorization policy for all USB
devices. Users can be authorized to manage rules and make device
authorization decisions using a command line tool.
Add rules for usbguard. Optionally, allow authorized users to control
the daemon, which requires usbguard-daemon to be able modify its rules
in /etc/usbguard.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Modern systems shouldn't need direct access to raw memory
devices (/dev/mem, /dev/kmem, /dev/mergemem, dev/oldmem, /dev/port)
anymore, so let's remove the access in most cases and make it tunable
in the rest.
Add dev_read_raw_memory_cond(), dev_write_raw_memory_cond() and
dev_wx_raw_memory_cond(), which are conditional to new boolean
allow_raw_memory_access.
Remove raw memory access for a few domains that should never have
needed it (colord_t, iscsid_t, mdamd_t, txtstat_t), should not need it
anymore (dmidecode_t, Debian devicekit_diskt_t, hald_t, hald_mac_t,
xserver_t) or the domains that should transition to different domain
for this (rpm_t, kudzu_t, dpkg_t).
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
/dev/ipmi is labeled, but no interfaces exist to grant access to the device.
Adding interface for read/write access, I'm not sure of read-only access is usefull. ipmitool seems to only read and write
type=AVC msg=audit(1581618155.319:786): avc: denied { read write } for pid=4498 comm="ipmitool" name="ipmi0" dev="devtmpfs" ino=10460 scontext=system_u:system_r:ipmi_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1581618155.319:786): avc: denied { open } for pid=4498 comm="ipmitool" path="/dev/ipmi0" dev="devtmpfs" ino=10460 scontext=system_u:system_r:ipmi_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1581618155.320:787): avc: denied { ioctl } for pid=4498 comm="ipmitool" path="/dev/ipmi0" dev="devtmpfs" ino=10460 ioctlcmd=6910 scontext=system_u:system_r:ipmi_t:s0 tcontext=system_u:object_r:ipmi_device_t:s0 tclass=chr_file permissive=1
This exception goes back 14 years to commit 85c20af3c1 and 11a0508ede.
The tts exception is covered by a distro agnostic rule further up, and the udev rule doesn't even work (it's supposed to be /lib/udev/ not /usr/lib/udev on gentoo) so I seriously doubt anyone is going to miss them.
Signed-off-by: Vilgot <Vilgot@fredenberg.xyz>
Required for example to start/stop systemd-journal-flush.service
which moves the journal storage back and forth between tmpfs and
permanent storage.
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Chris PeBenito
Christian Göttsche
Daniel Burgener
Florian Schmidt
Laurent Bigonville
Dave Sugar
Guido Trentalancia
Topi Miettinen
bauen1
Vilgot Fredenberg
Luca Boccassi
Jason Zaman